Password Cracking 101

Who doesn't love complex passwords?...

Hackers!!! Let me explain. Everyone knows that passwords are the most widely used method of user authentication. The logic behind passwords is easy for users to comprehend, and they’re relatively easy for developers to implement. However, like all things in life, the good comes with the bad, and in this case passwords introduce security vulnerabilities. Did you know that there's a class of tool designed to take credential data stolen in a data breach or other hack and extract the passwords from it? Well, it's true, and it's called a password cracker.

How does it work?

A well-designed password-based authentication system doesn’t store a user’s actual password. That would make it far too easy for a threat actor who obtained the credential database to gain access to every user account on the system. Instead of giving away the keys to the castle, authentication systems store a password hash, which is the result of sending the password, together with a random value called a salt, through a hash function. Hash functions are designed to be one-way, meaning that it is very difficult to determine the input that produces a given output. Since hash functions are also deterministic (the same input always produces the same output), the system can store the salt next to the hash, repeat the computation on the password a user submits at login, and compare the two hashes. Comparing the stored hash with the hash of the submitted password is almost as good as comparing the real passwords, without the real password ever being kept.
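As an added illustration (not code from the original post), here is how a salted hash is stored and later checked. It assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt and 100,000 iterations; the post names no particular hash function, so those choices are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters (the post names none): PBKDF2-HMAC-SHA256, 16-byte salt.
ITERATIONS = 100_000

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied,
    so two users with the same password still get different stored hashes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Hash the candidate with the stored salt and compare in constant time;
    the system never needs the original password, only its salted hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)

def demo() -> dict:
    # Constructed sample password; nothing here is a real credential.
    pw = "correct horse battery staple"
    salt1, h1 = hash_password(pw)
    salt2, h2 = hash_password(pw)
    return {
        "same_password_different_hash": h1 != h2,              # salts differ
        "deterministic": hash_password(pw, salt1)[1] == h1,    # same salt, same hash
        "accepts_right_password": verify_password(pw, salt1, h1),
        "rejects_wrong_password": not verify_password(pw + "!", salt1, h1),
    }

if __name__ == "__main__":
    print(demo())
```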

Password cracking refers to the process of recovering a password from its stored hash. This can be accomplished in a few different ways:

Dictionary attack:

Most people use weak and common passwords. Taking a list of words and adding a few permutations — like substituting $ for s — enables a password cracker to learn a lot of passwords very quickly. 

Brute-force guessing attack:

There are only so many potential passwords of a given length. While slow, a brute-force attack (trying all possible password combinations) guarantees that an attacker will crack the password eventually. 

Hybrid attack:

A hybrid attack mixes these two techniques. It starts by checking to see if a password can be cracked using a dictionary attack, then moves on to a brute-force attack if it is unsuccessful. Most password-cracking tools enable a hacker to perform any of these types of attacks.

Now that you know how these attacks work, I'm sure you can see how a long and complex password further fortifies your data: it frustrates a potential hacker and forces them to put far more time and effort into cracking your password. That in itself is a form of security. Why go for a hard conquest when you're surrounded by low-hanging fruit? Remember that most organizations are not as proactive as they need to be when implementing password standards and redundancies, but that's a topic for another day.

Much like many things in life, a stern defense stems from knowledge of what you’re facing. Now that we know what a password cracker is and how it works, let's dive into our top 7X password-cracking tools so that you can get familiar with them. Some of these target live online systems without having a hash at all; others crack a captured hash offline, by dictionary or brute-force attack.

1. Hashcat  

Hashcat is one of the most popular and widely used password crackers. It is available for every major operating system and supports over 300 different types of hashes. Hashcat enables highly parallelized password cracking, with the ability to crack multiple different passwords on multiple different devices at the same time, and it can support a distributed hash-cracking system via overlays.

2. John the Ripper  

John the Ripper is a free, open-source password-cracking tool for Linux, Unix, Mac OS X, and Windows. John the Ripper offers password cracking for a variety of different password types. It goes beyond OS passwords to include common web apps (like WordPress), compressed archives, and document files (Microsoft Office files, PDFs, etc.).

3. Brutus  

Brutus is one of the most popular remote online password-cracking tools. It claims to be the fastest and most flexible password cracking tool. This tool is free and is only available for Windows systems. Brutus supports several different authentication types. It is also capable of supporting multi-stage authentication protocols and can attack up to sixty different targets in parallel. It is also very user friendly as it offers the ability to pause, resume and import an attack.

4. Wfuzz  

Wfuzz is a web application password-cracking tool like Brutus, in that it tries to crack passwords via a brute-force guessing attack. It can also be used to find hidden resources such as directories, servlets, and scripts, as well as to identify injection vulnerabilities within an application, such as SQL injection, XSS and LDAP injection.

5. Medusa  

Medusa claims to be a speedy, parallel, modular login brute-forcing tool. It supports HTTP, FTP, CVS, AFP, IMAP, MS SQL, MYSQL, NCP, NNTP, POP3, PostgreSQL, pcAnywhere, rlogin, SMB, rsh, SMTP, SNMP, SSH, SVN, VNC, VmAuthd and Telnet. Medusa is a command-line tool, so some level of command-line knowledge is necessary to use it. Password-cracking speed depends on network connectivity. On a local system, it can test 2,000 passwords per minute. Medusa also supports parallelized attacks. In addition to a wordlist of passwords to try, it is also possible to define a list of usernames or email addresses to test during an attack.

6. THC Hydra  

THC Hydra is like Medusa in that it attempts to determine user credentials via a brute-force password-guessing attack. It is available for Windows, Linux, FreeBSD, Solaris, and OS X. THC Hydra is extensible, with the ability to easily install new modules. It also supports a large number of network protocols, including Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

7. RainbowCrack  

The backstory is that all password cracking is subject to a time-memory tradeoff. If an attacker has precomputed a table of password/hash pairs and stored them as a “rainbow table,” then the password-cracking process is simplified to a table lookup. This threat is why passwords are now salted: adding a unique, random value to every password before hashing it means that a table would have to be built for every possible salt value, so the number of rainbow tables required is vastly larger. RainbowCrack is a password-cracking tool designed to work using rainbow tables. It is possible to generate custom rainbow tables or take advantage of preexisting ones downloaded from the internet. RainbowCrack offers free downloads of rainbow tables for the LANMAN, NTLM, MD5 and SHA1 password systems.
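To make the tradeoff concrete, here is an added example (not from the post or the RainbowCrack project) that precomputes a plain lookup table over a constructed wordlist using SHA1, one of the hash types named above, and shows why the same table is useless against a salted hash. A real rainbow table stores compressed hash chains rather than every pair, but the lookup-versus-salt point is the same.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Constructed wordlist standing in for the dictionary a table is built from.
WORDLIST = ["password", "letmein", "qwerty", "summer2023", "welcome1"]

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> password once (the memory side of the tradeoff);
    afterwards each crack is a dictionary lookup (the time side)."""
    return {sha1_hex(w.encode()): w for w in words}

def lookup(table: Dict[str, str], digest_hex: str) -> Optional[str]:
    return table.get(digest_hex)

def unsalted_store(password: str) -> str:
    """What a system without salting stores: hash(password)."""
    return sha1_hex(password.encode())

def salted_store(password: str, salt: bytes) -> str:
    """What a salted system stores: hash(salt || password). Every salt value
    yields a different digest for the same password, so the table misses."""
    return sha1_hex(salt + password.encode())

def demo() -> dict:
    table = build_lookup_table(WORDLIST)
    salt = bytes.fromhex("a1b2c3d4e5f60718")   # constructed 8-byte salt
    return {
        "table_entries": len(table),
        "unsalted_recovered": lookup(table, unsalted_store("letmein")),    # 'letmein'
        "salted_recovered": lookup(table, salted_store("letmein", salt)),  # None
        # Covering every possible 8-byte salt would multiply the table size by 2**64.
        "entries_needed_with_salt": len(table) * 2**64,
    }

if __name__ == "__main__":
    print(demo())
```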

Let the Password be the hero!

I really must reiterate how important it is to create a password that’s complex. The tools we reviewed above try to crack passwords using different password-cracking algorithms, and they are all available for free. So, anyone can take a crack at your password (get it, crack at your password?). Despite my mediocre wordplay, the point still stands. The longer the password, the harder it is to crack. Password length is the most important factor, because the work required for a brute-force password-guessing attack grows exponentially with the length of the password. A random seven-character password can be cracked in minutes, while a ten-character password takes hundreds of years.

Here are a few tips to avoid becoming a victim. Always use a combination of letters, numbers, and special characters to force the crackers to try a wider variety of options for each character of the password. I recommend using nonsensical sentences or phrases with “sprinkles” of capitalization, special characters, or digits. Common password mistakes that should be avoided include using a dictionary word or personal information (a pet’s name, a relative’s name, birthplace, favorite color and so on). I would also suggest avoiding the common patterns that humans follow, such as capitalizing the first letter, leet substitutions, and appending special characters or numbers at the end. You don't want to assist in your own data breach, yet that is the unfortunate circumstance for a demographic of people who underestimate the prowess of hackers and the importance of implementing complex passwords, MFA, and thoughtful security parameters. Another thing to consider is using different passwords for different applications. Credential stuffing attacks use bots to test whether passwords stolen from one online account are also used for other accounts. A data breach at a tiny company could compromise a bank account if the same credentials are used. Use a long, random, and unique password for every online account.
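The dictionary-attack permutations described earlier (the “$ for s” substitution) and the habits listed here (a leading capital, leet substitutions, digits or symbols appended at the end) can be checked from the defender's side before a password is accepted. This added example (not the post's code) reverses those habits and reports the base dictionary word a password collapses to; the tiny dictionary and the substitution table are constructed assumptions, and a real audit would load a full wordlist.

```python
import re
from typing import List, Optional, Tuple

# Constructed mini dictionary; a real audit would load a full wordlist.
DICTIONARY = {"password", "summer", "welcome", "dragon", "monkey", "football"}

# Assumed substitution table: the "$ for s" style swaps the post mentions, plus common ones.
LEET = {"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i", "4": "a", "5": "s", "7": "t"}

# Characters people habitually tack on at the end of a base word.
TRAILING = re.compile(r"[\d!@#$%^&*?._-]+$")

def normalize_candidates(password: str) -> List[str]:
    """Undo the habits humans add to a base word: appended digits/symbols,
    leet substitutions and a leading capital. Returns the base forms a
    dictionary-with-rules attack would reach first."""
    forms = {password}
    forms.add(TRAILING.sub("", password))                    # strip the appended suffix
    for f in list(forms):
        forms.add("".join(LEET.get(ch, ch) for ch in f))     # reverse leet substitutions
    return sorted({f.lower() for f in forms if f})           # undo capitalization

def weak_pattern(password: str) -> Optional[str]:
    """Return the dictionary word the password reduces to, or None if it reduces to none."""
    for form in normalize_candidates(password):
        if form in DICTIONARY:
            return form
    return None

def audit(passwords: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Pair each candidate password with the base word it collapses to (None = no hit)."""
    return [(p, weak_pattern(p)) for p in passwords]

if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw, hit in audit(["P@$$w0rd1!", "Summer2023!", "Monk3y!", "correct horse battery staple"]):
        print(f"{pw!r:35} -> {hit}")
```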

Silver Linings???

There is good news. Password crackers can be used for a variety of different purposes, not all of them bad. While they’re commonly used by cybercriminals, security teams can also use them to audit the strength of their users’ passwords and assess the risk that weak passwords pose to the organization. Our team at SEVN-X is expert at helping organizations combat these attacks and bolster their security posture. We audit, teach, and remediate breaches. If you need any further information or have any questions, feel free to reach out to our team at https://www.sevnx.com/contact.
