In cryptanalysis and computer security, the term password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system. A common approach (brute-force attack) is to repeatedly try guesses for the password and to check them against an available cryptographic hash of the password.
In this new era where digital is present in every moment of our daily life, we use a password to protect virtually everything that needs to be protected. We use a password to turn on our computer, to access our email accounts, to login to our bank accounts, to pay our bills and much more.
THE VULNERABILITY LIES IN THE COMPLEXITY OF PASSWORD
In general, most people will tend to set passwords that are easy to remember, such as a birthday, a first-name or a last-name, a license plate or a phone number. The problem lies in the fact that most people are not aware of the ease with which a hacker can crack a password.
A strong password must at least match the following requirements:
- Contains at least 8 characters
- A mix of letters, numbers, and special characters
- A combination of small and capital letters
There are two main categories of password cracking techniques:
- Online attacks are performed on a live machine or system by using either brute-force or word-list attack against a login form, session, or other types of authentication method used.
- Offline attacks are done for example by extracting a stolen website database to retrieve the stored password hashes and attempting to crack them using different techniques.
For such an attack, the hacker uses a predefined list of words mostly stored in a text file and called dictionary, to try and guess the password. Most of the password is weak and most the hacker will be enabled to decode it quickly.
When you need to brute force crack a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more. Before to move further, if Hydra is not yet installed on your machine, you can do it right away using one of the below installation methods. For more information about Hydra, you can visit the THC Hydra project page.
Ubuntu/Debian and other derived distributions
sudo apt -y update sudo apt -y install apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird-dev sudo apt -y install hydra hydra-gtk
You can alternatively build Hydra directly from the source code
cd /tmp/ git clone https://github.com/vanhauser-thc/thc-hydra cd thc-hydra/ ./configure make make install
For attacking one target or a network, you can use the new "://" style: hydra [some command-line options] PROTOCOL://TARGET:PORT/MODULE-OPTIONS The old mode can be used for these too, and additionally if you want to specify your targets from a text file, you must use this one:
hydra [some command-line options] [-s PORT] TARGET PROTOCOL [MODULE-OPTIONS]
Via the command line options, you specify which logins to try, which passwords, if SSL should be used, how many parallel tasks to use for attacking, etc.
For this article, we will use Hydra to gain access to PHPMyAdmin onto a remote server. If you need some good dictionaries list, I recommend those made available by SkullSecurity and by Daniel Miessler that you can download freely.
To try to gain access to PHPMyAdmin we will run the following command.
hydra -t 1 -L users.list -P passwords.list -f -vV 126.96.36.199 http-post-form "/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1:denied"
Before to see the output of the above command, let have a look at every parameter.
- -t it's used to configure the number of parallel connection
- -L define the path of the file containing the logins
- -P define the path of the file containing the passwords
- -f to force the program to exit if a login/pass pair is found
- -vV to execute the command in verbose∕debug mode
- 188.8.131.52 the IP address of our pentest lab
- http-post-form the path of the form that our tool will try to gain access
As you can see on the above screenshot, after a few attempts, Hydra did found the correct combination of username and password allowing us to gain access to PHPMyAdmin.
HYBRID DICTIONARY ATTACK
Hybrid Dictionary attack uses a set of dictionary words combined with extensions. For example, we have the word "admin" and combine it with number extensions such as "admin123", "admin147", etc...
"Crunch" is a wordlist generator where you can specify a standard character set or a character set. Crunch can generate all possible combinations and permutations. This tool comes bundled with Kali Linux. If you do not have Crunch yet installed in your machine, you can do it, following the below instructions.
- Crunch generates wordlists in both combination and permutation ways
- It can breakup output by the number of lines or file size
- Pattern supports number and symbols
- Pattern supports upper and lower case characters separately
- Adds a status report when generating multiple files
- New -l option for literal support of @,%^
- New -d option to limit duplicate characters see man file for details
Install Crunch on Ubuntu/Debian and other derived distributions
sudo apt -f install crunch
Install Crunch on Red Hat based distributions
sudo yum install crunch
Install Crunch on OpenSUSE based distributions
sudo zypper install crunch
The Crunch docs are bundled in a crunch-doc package that should be installed separately.
sudo apt-get install crunch-doc
If you want to find out more about Crunch, I suggest you visit the Sourceforge page of the project.
HOW TO USE CRUNCH
Create a word list without using any predefined string
Execute the command shown below, will generate a dictionary that contains a minimum of 2 characters and a maximum of 3, using default characters. It will start from aa and end with zzz.
crunch 2 3 -o test.txt
Here we have used the following parameters to generate our dictionary:
- Min_len: 2, for two character letters
- Max_len: 3, for three-character letters
- -o: This option indicates the path where to save the output of the text file
Create a word list without using a predefined string
Now run the command shown below to generate a dictionary that contains a minimum of 4 characters and a maximum of 5, using noob as a predefined string. As per the previous example, the dictionary will start from nnnn and end with *bbbbb**.
crunch 4 5 noob -o test.txt
Create alphanumeric word list with crunch
If we need to create an alphanumeric dictionary we can do it using the following command.
crunch 2 5 noob123 -o test.txt
Execute the above command that will generate a dictionary that contains a minimum of 2 character letters and a maximum of 5 using noob123 as the predefined string.
Once you are done with your dictionary, you can go back to the previous paragraph and use a tool such as Hydra to gain access to your target.
Brute-Force attacks work by calculating every possible combination that could make up a password and testing it to see if it is the correct password. As the password's length increases, the amount of time, on average, to find the correct password increases exponentially.
This type of attack has a high probability of success, but it requires an enormous amount of time to process all the combinations. John the Ripper is one of the powerful tools to set a brute-force attack and it comes bundled with Kali Linux and ParrotSec. If you do not have it yet installed in your machine, you can do it, following the below instructions.
Install John the Ripper on Ubuntu/Debian and other derived distributions
sudo apt -f install john
Install John the Ripper on Red Hat based distributions
sudo yum install john
Install John the Ripper on OpenSUSE based distributions
sudo zypper install john
HOW TO USE JOHN THE RIPPER
Before starting with password cracking we can launch a simple performance hardware test. In this way, we can know the speed with which the tool will test keys with different types of encryption using 100% of our CPU.
As we can see, a series of tests are carried out for the performance to be measured.
CRACK LINUX USER PASSWORDS WITHOUT DICTIONARY
We will now move on to a real case. We can choose to directly load the file "
/etc/shadow" that contains the Linux passwords and crack them, however, in this example we will create a file manually with a user and a password and we will tell John to crack it. We will do this for three reasons:
- To not compromise our system
- To get the results as quickly as possible
- To have a first contact with the tool and familiarize ourselves with it
For this, we create a new text file named "password.txt", in our "
/tmp/" folder with the following content:
Once we are done, we will run the following command:
cd /tmp/ john password.txt
Our password has been cracked. To see it, we must use the "
--show" parameter as per the following command:
john --show password.txt
Our password was "example" as in the Wikipedia sample. We can now try to log in to the system with the user "user" and the password "example", or it's what we would be able to do if we had worked directly with the file "
/etc/shadow", although the cracking time would have taken much more than several minutes
CRACK LINUX USER PASSWORDS WITH DICTIONARY
We will repeat the same steps as before except that this time we will insert in our command the path to a dictionary that contains all the passwords to try.
john --wordlist=dictionary.lst shadow john --show shadow
Having a simple password and few dictionary entries the process will be virtually instantaneous. We have already cracked or decrypted, the password.
A rainbow table contains a set of predefined passwords that are hashed. It is a lookup table used especially in recovering plain passwords from a ciphertext. During the process of password recovery, it just looks at the pre-calculated hash table to crack the password. The tables can be downloaded from Rainbowcrack project page.
Features of RainbowCrack
- Full time-memory tradeoff tool suites
- Support rainbow table of any hash algorithm
- Support rainbow table of any charset
- Support rainbow table in raw file format (.rt) and compact file format (.rtc)
- Computation on multi-core processor support
- GPU acceleration with NVIDIA GPUs (CUDA technology)
- GPU acceleration with AMD GPUs (OpenCL technology)
- GPU acceleration with multiple GPUs
- Runs on Windows operating systems
- Runs on Linux operating systems
- Unified rainbow table file format on all supported operating systems
- Command-line user interface
- Graphics user interface
RainbowCrack comes bundled with Kali Linux. If you do not have it yet in your machine, you can download a copy following the below instructions.
cd /tmp/ wget http://project-rainbowcrack.com/rainbowcrack-1.7-linux64.zip unzip rainbowcrack-1.7-linux64.zip cd rainbowcrack-1.7-linux64/ chmod +x rcrack chmod +x rt*
TOOLS INCLUDED IN THE RAINBOWCRACK PACKAGE
rcrack - Rainbow table password cracker
./rcrack RainbowCrack 1.7 Copyright 2017 RainbowCrack Project. All rights reserved. http://project-rainbowcrack.com/ usage: ./rcrack path [path] [...] -h hash ./rcrack path [path] [...] -l hash_list_file ./rcrack path [path] [...] -lm pwdump_file ./rcrack path [path] [...] -ntlm pwdump_file path: directory where rainbow tables (*.rt, *.rtc) are stored -h hash: load single hash -l hash_list_file: load hashes from a file, each hash in a line -lm pwdump_file: load lm hashes from pwdump file -ntlm pwdump_file: load ntlm hashes from pwdump file implemented hash algorithms: lm HashLen=8 PlaintextLen=0-7 ntlm HashLen=16 PlaintextLen=0-15 md5 HashLen=16 PlaintextLen=0-15 sha1 HashLen=20 PlaintextLen=0-20 sha256 HashLen=32 PlaintextLen=0-20 examples: ./rcrack . -h 5d41402abc4b2a76b9719d911017c592 ./rcrack . -l hash.txt
rt2rtc - Convert rainbow tables from .rt to .rtc
./rt2rtc RainbowCrack 1.7 Copyright 2017 RainbowCrack Project. All rights reserved. http://project-rainbowcrack.com/ usage: rt2rtc path [-s start_point_bits] [-e end_point_bits] [-c chunk_size_in_mb] [-p] 1 <= start_point_bits <= 64 1 <= end_point_bits <= 64 1 <= chunk_size_in_mb
rtc2rt - Convert rainbow tables from .rtc to .rt
./rtc2rt RainbowCrack 1.7 Copyright 2017 RainbowCrack Project. All rights reserved. http://project-rainbowcrack.com/ usage: ./rtc2rt path
rtgen - Generate rainbow tables
./rtgen RainbowCrack 1.7 Copyright 2017 RainbowCrack Project. All rights reserved. http://project-rainbowcrack.com/ usage: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index -bench hash algorithms implemented: lm HashLen=8 PlaintextLen=0-7 ntlm HashLen=16 PlaintextLen=0-15 md5 HashLen=16 PlaintextLen=0-15 sha1 HashLen=20 PlaintextLen=0-20 sha256 HashLen=32 PlaintextLen=0-20 examples: rtgen md5 loweralpha 1 7 0 1000 1000 0 rtgen md5 loweralpha 1 7 0 -bench
rtsort - Sort rainbow tables
./rtsort RainbowCrack 1.7 Copyright 2017 RainbowCrack Project. All rights reserved. http://project-rainbowcrack.com/ usage: ./rtsort path
- Don’t note down the passwords anywhere, just memorize them.
- Set strong passwords that are difficult to crack.
- Use a combination of alphabets, digits, symbols, and capital and small letters.
- Don’t set passwords that are similar to their usernames.