sucrack
Crack user passwords
SYNOPSIS
sucrack [-s command] [-u user] [-w wordlist] [-a charset] [-b start_chars] [-p seconds] [-r] [-d] [-V] [-h]
PARAMETERS
-s command
Specifies the command to crack. Must be either su or sudo. Defaults to su.
-u user
Specifies the target user whose password is to be cracked. Defaults to root.
-w wordlist
Specifies the path to a wordlist file containing passwords to try. One password per line.
-a charset
Specifies additional characters to use in brute-force mode. For example, -a aA1! will use lowercase letters, uppercase letters, numbers, and the exclamation mark. This is used when brute-forcing or if the wordlist fails.
-b start_chars
Sets the starting characters for the brute-force attack. Useful for resuming or targeting specific password patterns.
-p seconds
Sets a pause duration (in seconds) between each password attempt. This can help avoid triggering account lockouts or reduce system load.
-r
Resume cracking from the last saved state. This requires a previous interrupted session.
-d
Enables debug mode, providing more verbose output for troubleshooting.
-V
Displays the version information of sucrack.
-h
Displays the help message and exits.
DESCRIPTION
sucrack is a command-line utility designed to perform brute-force or dictionary attacks against user passwords for the su and sudo commands on a Linux or Unix-like system. It works by repeatedly invoking either su or sudo as a specified user, attempting different passwords from a provided wordlist or by generating passwords in a brute-force manner. The tool then analyzes the output or return status of these commands to determine if a password attempt was successful or failed. It is primarily used by penetration testers and security professionals to audit the strength of passwords on systems where local access is available, helping to identify weak credentials that could be exploited. Due to its nature, sucrack is a resource-intensive tool and can generate numerous authentication failures, which may trigger account lockout policies or be logged by system monitoring tools.
CAVEATS
sucrack requires local access to the system. It can be very slow due to the overhead of repeatedly spawning su or sudo processes. Excessive failed attempts may trigger security mechanisms like PAM's faillock or pam_tally2, leading to account lockouts or significant delays. Its use without explicit authorization on a system is illegal and unethical. All attempts will typically be logged in system authentication logs (e.g., /var/log/auth.log or /var/log/secure), making its activity easily detectable.
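Because every attempt is written to the authentication log, a burst of su or sudo failures from one local account can be flagged with a sliding-window count. The Python code below is an added example, not part of sucrack or of the original page; it assumes the common pam_unix syslog line layout, and the sample lines, threshold, window and year are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the usual pam_unix layout (not from a real host).
_FAIL = ("Mar  3 10:15:{s:02d} host1 su[{pid}]: pam_unix(su:auth): authentication failure; "
         "logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=root")
SAMPLE_LOG = "\n".join(
    [_FAIL.format(s=s, pid=4100 + s) for s in range(1, 7)] + [
        "Mar  3 10:16:40 host1 sudo: pam_unix(sudo:auth): authentication failure; "
        "logname=bob uid=1001 euid=0 tty=/dev/pts/1 ruser=bob rhost=  user=bob",
        "Mar  3 10:17:02 host1 su[4200]: pam_unix(su:session): "
        "session opened for user root by alice(uid=1000)",
    ])

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?:su|sudo)(?:\[\d+\])?: "
    r"pam_unix\((?P<svc>su(?:-l)?|sudo):auth\): authentication failure;"
    r".*?\bruser=(?P<ruser>\S*).*?\buser=(?P<target>\S+)"
)

def parse_failures(text, year=2024):
    """Yield (timestamp, service, invoking user, target user) for each failure line.

    Traditional syslog timestamps carry no year, so one is assumed.
    """
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["svc"], m["ruser"], m["target"]

def find_bursts(text, threshold=5, window_s=10):
    """Map (service, invoking user, target) to the peak failure count seen in any
    window_s-second window, for keys that reach the threshold."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)
    peaks = {}
    for ts, svc, ruser, target in parse_failures(text):
        key = (svc, ruser, target)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

if __name__ == "__main__":
    for key, count in find_bursts(SAMPLE_LOG).items():
        print(key, count)
```

A -p pause longer than the window spreads attempts out, so the window and threshold should be tuned alongside the lockout policy rather than relied on alone.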
HISTORY
sucrack is a relatively old but persistent tool in the arsenal of penetration testing utilities for local privilege escalation. Its development focuses on a direct approach to password cracking for the su and sudo commands, making it distinct from offline hash crackers. While not as actively developed as some other cracking tools, its simplicity and directness in targeting specific commands have kept it relevant for specific audit scenarios.