•  3Com PalmPilot Professional with PalmOS 2.0.5 Pro and 1MB
•  IBM WorkPad (PalmIIIx) with PalmOS 3.1 and 4MB

•  3Com PalmPilot Professional with PalmOS 2.0.5 Pro and 1MB
•  3Com PalmIII with PalmOS 3 and 2MB
•  3Com PalmIIIx with PalmOS 3.1 and 4MB
•  3Com PalmV with PalmOS 3.1 and 4MB

What are the memory requirements?
The program itself takes approximately 31KB (version1.1).

As an example, a dictionary with 4000 words yields a PDB fileof 63KB, which loaded into the Pilot as a size of 101KB.

What is the performance?
The current performance* for UNIX dictionary wordlist comparisons is 25/sec.^  The current performance* for NT dictionary wordlist comparisons is 60/sec.  The performance for Cisco decryption is not considered since it doesn't perform Crack-style password breaking.

* Note, this is based on unmodified clock speed of a PalmPilot Professional.  Using the ClockMaster hack or other clock speed modifying programs will change these performance results.

^ Note, Alec Muffett says that in 1992 when working on Crack, replacing crypt() with fcrypt() yielded 25/sec on a Sun 3/60.  This makes sense because the Sun 3/60 was based on a Motorola processor!

How can I get an encrypted password string into the program?
You can get the encrypted password strings into the program via three methods:

1. Use graffiti to manually enter the encrypted password entry.
2. Enter the entry(s) into a Memo on the PC (using cut and paste from a UNIX window) and Hotsync the Memo to the Pilot.  Then use the Edit menu options for cutting and pasting an entry into the password field of the application.
3. Use the Online program from Mark/Space Softworks to connect to a serial port and have VT100 access to the target UNIX box.  Once you reach this point, you can have your sessions logged to the Memo pad, so just cat/etc/password (or /etc/shadow) and you'll have your password entry in a Memo.  Follow step two above.

Cisco Type 7 (not Type 5 MD5 hashes) password decryption support is now available.  See http://www.cisco.com/warp/public/701/64.html for more information.

How do I get an NT encrypted password?
On an NT box, run pwdump (or pwdump2 if SYSKEY is enabled) from a DOS window in order to dump the password file entry.  The pwdump command can be found in the L0phtcrack distribution found at http://www.l0pht.com/l0phtcrack/.

How does brute force checking work?
The brute force crack is very compute intensive, mainly because of the number of iterations required.  As a result, the brute force check is disabled by default.  Check the menus tour for information on enabling brute force checking.
 

Number of Iterations

Category	Base Calculation	UNIX (x=8)	NT (x=14)	NT Case Insensitive
Lower case	26^x	2 x 10^11	6 x 10^19
Lower case w/nums	36^x	3 x 10^12	6 x 10^21
Mixed case	52^x	5 x 10^13		6 x 10^19
Mixed case w/nums	62^x	2 x 10^14		6 x 10^21
All symbols	92^x	5 x 10^15		3 x 10^25

As you can see, the number of iterations is pretty huge and not really feasible for a tiny, single CPU Dragonball Pilot. As an estimate, for passwords up to 4 characters in length, it takes approximately 5 hours just to check the entire space for UNIX for only lower case characters!

   26+26^2+26^3+26^4 iterations / 25iterations/sec / 3600 secs/hr = 5.25 hours

How can I create my own custom dictionary?
A pc.pdb file can be made with a perl program called pcmwdb (PalmCrack Make Wordlist DataBase).  The only platform that pcmwdb has been tested on is Sun SPARC running Solaris 7 using Perl 5.005.  Contact Noncon for more information about developing custom wordlist dictionaries.

How do I contact Noncon, Inc?
You can contact us using the following email addresses: