Phase 1: Crack Extremely Simple Passwords
At this point, the Worm begins serious work on breaking into user accounts. This phase tries the really obvious passwords. Unfortunately, studies show that this attempt will be successful up to 30% of the time. In each case, the Worm chooses a possible password, encrypts it using its own encryption algorithm, and then compares the result against the encrypted password found in the /etc/passwd file. Because the comparison is made against the stored value rather than through a login, the Worm is able to test many candidate passwords without setting off alarms for failed login attempts.
The password possibilities Phase 1 attempts are as follows:
- The null password. (The user just hits return when asked for their password.)
- The user's username.
- The username appended to itself. In Tom's case, this would be "darbytdarbyt".
- The second value in the GECOS string found in /etc/passwd. This is often a nickname.
- The remainder of the full name after the first name in the GECOS string. This is usually the user's last name. If the first character is capitalized, this will be tried a second time in lower case.
- The "last name" reversed.
- The username reversed.
The Worm attacks 50 accounts in this manner each time that cracksome is called, until it has gone through the entire list of accounts. Every 10 times cracksome is called (every 500 accounts), the Worm calls the function other-sleep with 0 as its argument. If the Worm is able to crack a password, it calls the attack-user function, which uses this acquired password to break into the target account.
If the Worm makes it through the entire list of accounts, it advances to Phase 2.
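The Phase 1 guess list above can be turned into a password-change check that refuses any new password the Worm would have tried. This is an added example, not code from the Worm or from this site; the function names, the sample entries (including the surname "Darby") and the reading of "second value in the GECOS string" as the second comma-separated GECOS subfield are assumptions.

```python
def phase1_candidates(passwd_line):
    """Return the set of Phase 1 guesses for one passwd(5) entry."""
    fields = passwd_line.rstrip("\n").split(":")
    if len(fields) < 5:
        raise ValueError("not a passwd(5) entry: expected at least 5 fields")
    user, gecos = fields[0], fields[4]

    # Null password, username, username doubled, username reversed.
    guesses = {"", user, user + user, user[::-1]}

    # Assumption: GECOS is "Full Name,second value,..." (comma-separated).
    parts = [p.strip() for p in gecos.split(",")]
    if len(parts) > 1 and parts[1]:
        guesses.add(parts[1])          # often a nickname

    # Remainder of the full name after the first name ("last name").
    _first, _sep, last = parts[0].partition(" ")
    last = last.strip()
    if last:
        guesses.add(last)
        if last[0].isupper():
            guesses.add(last.lower())  # second try in lower case
        guesses.add(last[::-1])        # "last name" reversed
    return guesses


def is_phase1_guessable(passwd_line, proposed_password):
    """True if the proposed password is one Phase 1 would have tried."""
    return proposed_password in phase1_candidates(passwd_line)


# Constructed sample entries (not taken from any real system).
SAMPLE_USER = "darbyt:x:1001:1001:Tom Darby,tommy,555-0100:/home/darbyt:/bin/sh"
SAMPLE_SERVICE = "svc:x:1002:1002::/nonexistent:/bin/false"

if __name__ == "__main__":
    for proposed in ("darbytdarbyt", "ybraD", "", "c0rrect-horse-battery"):
        verdict = "REJECT" if is_phase1_guessable(SAMPLE_USER, proposed) else "ok"
        print(f"{proposed!r:28} {verdict}")
```

A check like this belongs in the password-change path, where the plaintext is available, so no stored password ever has to be tested after the fact.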