Entry 1.21 Manual
Program Requirements:
- IBM-PC or compatible;
- Windows 95;
- A direct Ethernet connection to the net, or a dialup SLIP or PPP account from an Internet
service provider;
- A TCP/IP stack;
- A wordlist (optional, but recommended).
Part 1: About Entry
The explosion of the World Wide Web in recent times has led to a large
increase in the number of businesses offering proprietary
content online. The security of these "members-only" websites is often
quite poor: many of the sites' passwords may be found on a short list of
common words. Entry can find these passwords.
Part 2: Starting an attack
Username, Password Source
There are three choices:
- Retrieve words from a user-supplied wordlist.
- The guesser will supply every possible permutation of characters for a given
length. For example, if you chose 4 letter lowercase-only words, it would generate
"aaaa", "aaab", "aaac", and so on, until "zzzz".
- A static username or password will not be changed between login attempts. You should
choose Static if you know the username but are unsure of the password, or vice versa.
Request Method
Entry can request the secure document in one of two ways: GET or HEAD. A GET request will
attempt to retrieve the entire protected document; a HEAD request will only attempt to retrieve
information about the document. Generally, you will want to use GET.
Character Sets
If you choose to have usernames and/or passwords supplied by the guesser, you must check at least
one of these boxes. The guesser will use all characters in the selected set(s) to generate words.
- Lowercase: 'a' to 'z'
- Uppercase: 'A' to 'Z'
- Numbers: '0' to '9'
- Punctuation: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
Document URL
Type the HTTP address of the secure document in this box. Here are some examples of good URLs:
- http://members.myserver.com/secure/document.html
- http://cia.com:81/ghetto/crack/plans.doc
- http://topsecret.co.jp/
This URL must point directly to a protected document, not just to any point in a site.
Part 3: Creating a good wordlist
In the vast majority of cases, a wordlist attack will be much more effective and faster than a
guesser attack. The construction of a good wordlist, therefore, is very
important.
An effective wordlist contains keywords which are relevant to the site and/or its
probable members. For example, if you are making an attack against the "Chicago Times Online",
you should add "chicago", "times", "online", "press", "news", "extra", etc., to your
list. A good list should contain AT LEAST fifty words, and may contain hundreds or even
thousands.
Part 4: Saving your progress (Entry Pro users only)
If you are using the guesser or a large wordlist, a complete attack simulation may take hours.
An Entry status file, just like any other program document, should be saved to
disk on a regular basis.
Entry can automatically save your progress after a user-specified number of attempts (set in
the Properties box), so that you may leave it running unattended. You may occasionally
wish to save your progress manually as well. There are two ways to save manually: Normal Save,
and Lazy Save.
If you have used Windows programs before, you are already familiar with
Normal Save: Simply choose Save from the File menu (or press Ctrl-S).
A Normal Save cannot be performed while you are online, as your progress
is constantly being updated.
You can use a Lazy Save to record your progress without going offline. Unlike a
Normal Save, a Lazy Save does not save immediately. Instead, it temporarily
pauses your attack at the next convenient moment, going offline just long enough
to save, and returns online. Click the button with the sleepy disk;
when it pops back up, your progress has been saved. A Lazy Save cannot be performed while offline.
Until you have saved your file normally (and chosen a name for it), the Auto Save
and Lazy Save features will both use the name "AutoSave.eaf".
Part 5: Finding a successful username/password combination
Entry will automatically go offline if:
- A working username/password combination is found;
- All combinations have been tried;
- There is a server or connection error.
An appropriate message will be displayed in each case. If you chose the
"Open browser on success" option in the Properties box, the cracked page
will be loaded into your browser immediately.
Part 6: Tips for using Entry
- DO save your progress on a regular basis, and before you exit the program. (Entry Pro users only)
- DO use wordlists with at least fifty words.
- DO NOT change the wordlist(s) in any way while an attack is in progress.
- DO NOT use Entry to gain illegal access to any computer or information contained therein.
Part 7: Program Specifications
Protocol: Basic Authentication (HTTP/1.0)
Maximum Speed: Undefined (approximately 200 attempts per minute over a 28,800 modem connection)
Maximum Attempts: 2,147,483,646 per session (for Entry Pro; 3072 for Entry LE)
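
Seen from the server side, the traffic this manual describes is a run of 401 responses to one client for one protected URL, requested by GET or HEAD, ending in a single 2xx response if a combination works. The following Python detector is an added example, not part of the Entry manual: it flags that pattern in access logs, assuming Common Log Format lines in time order; the threshold, window, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "METHOD path proto" status size
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], m["path"], ts, int(m["status"]), m["user"]

def find_guessing(lines, threshold=20, window=timedelta(seconds=60)):
    """Alert on clients with >= threshold 401s for one URL inside the window,
    and record the logged user if a 2xx for that URL follows the burst."""
    failures = defaultdict(list)  # (ip, path) -> recent 401 timestamps
    alerts = {}
    for line in lines:  # assumes lines are in time order
        rec = parse(line)
        if rec is None:
            continue
        ip, path, ts, status, user = rec
        key = (ip, path)
        if status == 401:
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= threshold and key not in alerts:
                alerts[key] = {"ip": ip, "path": path, "success_user": None}
        elif 200 <= status < 300 and key in alerts:
            # A success after a burst of failures: treat as a guessed login.
            alerts[key]["success_user"] = alerts[key]["success_user"] or user
    return list(alerts.values())

def sample_log():
    """Constructed log lines (documentation IPs, path from the manual's example URL)."""
    fmt = ('{ip} - {user} [10/Oct/1997:13:55:{s:02d} +0000] '
           '"{m} /secure/document.html HTTP/1.0" {st} 0')
    rows = [fmt.format(ip="192.0.2.10", user="admin", s=i * 3 // 10, m="HEAD", st=401)
            for i in range(30)]  # 30 failures in 9 s, about 200 per minute
    rows.append(fmt.format(ip="192.0.2.10", user="admin", s=9, m="GET", st=200))
    rows.append(fmt.format(ip="192.0.2.20", user="bob", s=20, m="GET", st=401))  # one typo
    rows.append(fmt.format(ip="192.0.2.20", user="bob", s=25, m="GET", st=200))
    return rows

if __name__ == "__main__":
    print(find_guessing(sample_log()))
```

An alert whose success_user is set means the account named there should have its password reset, since the success followed a guessing burst from the same client.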