Password Cracking

Password cracking is the process of recovering passwords from data that has been stored or transmitted in a system by exploiting weak password security measures. This practice is widely used in cybersecurity for both ethical hacking and malicious attacks. Tools such as Hashcat and John the Ripper are commonly employed to perform brute force, dictionary, and hybrid attacks on hashed passwords, revealing the original password in the process. Password cracking plays a critical role in penetration testing, where ethical hackers test the strength of an organization’s password policies, or during investigations in digital forensics. While password cracking serves an essential purpose in identifying vulnerabilities, it must always be performed in a legal and controlled environment with the consent of the system owner to avoid ethical and legal violations.

Installing Password Cracking Tools

To begin, we need to install popular password cracking tools such as Hashcat and John the Ripper. These tools are essential for performing password attacks in a controlled and ethical manner.

sudo apt-get install hashcat
sudo apt-get install john

Using Wordlists for Password Cracking

Password cracking tools often require wordlists to attempt multiple password combinations. The most commonly used wordlist is rockyou.txt, which can be found in /usr/share/wordlists:

cd /usr/share/wordlists/

If the wordlist is not available, you can download it manually:

sudo wget https://gitlab.com/kalilinux/packages/wordlists/-/raw/kali/master/rockyou.txt.gz -P /usr/share/wordlists/

Once downloaded, unzip the file:

sudo gzip -d /usr/share/wordlists/rockyou.txt.gz

Preparing Hashes for Cracking

Before using a password cracking tool, you need to have the hash of the password that you want to crack. To create a file containing a hash, use the following command:

echo "hash_value_here" > hash.txt

If you need to add multiple hashes to one file:

echo "another_hash_value" >> hash.txt

You can also use a text editor like nano to paste multiple hashes manually:

nano hash.txt

Cracking Passwords with Hashcat

Hashcat is one of the most powerful and versatile password-cracking tools available. It supports a wide range of hash types and cracking modes, allowing penetration testers and ethical hackers to break passwords using different approaches. Below, we'll go through the steps for using Hashcat, including how to prepare for a cracking session, the different attack modes, and best practices to optimize your cracking efforts.

Introduction to Hashcat

Hashcat is a command-line tool that uses the processing power of GPUs to crack password hashes. A hash is a one-way cryptographic representation of a password, so it cannot be decrypted directly; instead Hashcat hashes candidate passwords, taken from a wordlist or generated by brute force, and compares each result against the target hashes, recovering the plaintext whenever a candidate matches. Hashcat supports a large number of hashing algorithms, including MD5, SHA1, bcrypt, NTLM, and more.
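To make the matching described above concrete, here is an added Python sketch (not code from the page or from Hashcat) of a dictionary attack against unsalted MD5 digests. The digests and the six-word wordlist are constructed sample data standing in for hash.txt and rockyou.txt; the second function shows why a unique salt per account multiplies the work.

```python
import hashlib

# Constructed sample data: TARGET_MD5 stands in for hash.txt and WORDLIST for
# rockyou.txt. Two of the three passwords appear in the wordlist, one does not.
WORDLIST = ["password", "123456", "qwerty", "sunshine", "iloveyou", "dragon"]
TARGET_MD5 = {
    hashlib.md5(b"123456").hexdigest(),
    hashlib.md5(b"sunshine").hexdigest(),
    hashlib.md5(b"correct-horse-battery").hexdigest(),  # not in WORDLIST: stays uncracked
}


def dictionary_attack(targets, wordlist, algo="md5"):
    """Hash each candidate once and look it up against every loaded digest.

    This is the -a 0 (dictionary) attack in miniature: for an unsalted hash the
    work is one hash per wordlist entry no matter how many digests are loaded,
    which is why one fast pass recovers many weak passwords at once.
    Returns {digest: plaintext} for the digests that were matched.
    """
    pending = set(targets)
    recovered = {}
    for word in wordlist:
        digest = hashlib.new(algo, word.encode()).hexdigest()
        if digest in pending:
            recovered[digest] = word
            pending.discard(digest)
        if not pending:          # stop early once every digest is recovered
            break
    return recovered


def salted_attack_cost(num_targets, wordlist_len):
    """Work needed when every stored hash carries its own random salt.

    Each salt turns its digest into a separate target: the whole wordlist must
    be hashed once per salt, so the cost grows with the number of accounts
    instead of being shared across them (Hashcat's status screen tracks this
    per-salt progress in its 'Salt:' field).
    """
    return num_targets * wordlist_len


if __name__ == "__main__":
    hits = dictionary_attack(TARGET_MD5, WORDLIST)
    print(f"Recovered {len(hits)}/{len(TARGET_MD5)} digests")
    for digest, word in sorted(hits.items(), key=lambda kv: kv[1]):
        print(f"{digest}:{word}")          # same <hash>:<plaintext> layout as --show
    print("unsalted work:", len(WORDLIST), "hashes;",
          "salted work:", salted_attack_cost(len(TARGET_MD5), len(WORDLIST)), "hashes")
```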

Video Credit: NetworkChuck - Hashcat Password Cracking

Preparing for Hash Cracking

Before using Hashcat, you need a few components. In particular, you must know which algorithm produced the hash so that you can choose the matching Hashcat mode; hashid can suggest it:

hashid -m <hash_value>

This will return a list of possible hash types and modes that Hashcat can use for cracking.

Hashcat Attack Modes

Hashcat provides different attack modes, selected with the -a flag, that determine how candidate passwords are generated. The modes used most often are the dictionary (straight) attack, -a 0, which tries each entry of a wordlist; the brute-force (mask) attack, -a 3, which tries every string matching a character pattern; and the hybrid attacks, -a 6 and -a 7, which append or prepend a mask to each wordlist entry. The examples below use the dictionary attack.

Cracking an MD5 Hash Using Hashcat

To crack a hash using Hashcat, follow these steps. In the following example, we will crack an MD5 hash using a dictionary attack:

Command to Crack an MD5 Hash

Use the following command to start cracking:

hashcat -m <hash_type> -a 0 <hash_file> /usr/share/wordlists/rockyou.txt

For example, to crack an MD5 hash (hash type -m 0), use:

hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Explanation of parameters:

-m 0 selects the hash type; 0 is MD5, and every other algorithm has its own mode number.
-a 0 selects the dictionary (straight) attack, which tries every entry in the wordlist.
hash.txt is the file containing the hash or hashes to crack.
/usr/share/wordlists/rockyou.txt is the wordlist of candidate passwords.

Different hashing algorithms:

To crack a hash, specify the appropriate hash type by using the -m flag followed by the correct mode number. For example, to crack an NTLM hash, use:

hashcat -m 1000 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Be sure to consult the official Hashcat documentation for a comprehensive list of supported hash types and their corresponding mode numbers.

Example Output

hashcat (v6.2.6) starting

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: password_hash
Time.Started.....: Sun Sep 22 15:30:55 2024 (3 secs)
Time.Estimated...: Sun Sep 22 15:30:58 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2706.7 kH/s (0.31ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 8331264/14344385 (58.08%)
Rejected.........: 0/8331264 (0.00%)
Restore.Point....: 8325120/14344385 (58.04%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: emma2544 -> emiliap
Hardware.Mon.#1..: Util: 35%

The output shows that the hash has been successfully cracked and provides details about the cracking session, such as the speed, progress, and the recovered password.

Monitoring and Viewing Results

While cracking is in progress, press s at the Hashcat prompt to print the current status screen. If you want the status to be printed automatically instead, start the session with the --status option:

hashcat --status -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Once the hash is cracked, you can view the cracked password using:

hashcat --show -m 0 hash.txt

Output example:

hash:password plaintext
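Once --show has produced its <hash>:<plaintext> lines, the useful step in a password audit is to turn them into findings about the password policy. The following Python is an added example (not part of the page, nor Hashcat's own code) that joins a hash file with --show output and summarises the crack rate and common weak-password patterns; the digests and plaintexts are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample data standing in for hash.txt (one unsalted MD5 per line)
# and for the output of `hashcat --show -m 0 hash.txt` (<hash>:<plaintext>).
HASH_FILE = """\
e10adc3949ba59abbe56e057f20f883e
5f4dcc3b5aa765d61d8327deb882cf99
0d107d09f5bbe40cade3de5c71e9e9b7
7c6a180b36896a0a8c02787eeafb0e4c
fedcba9876543210fedcba9876543210
"""
SHOW_OUTPUT = """\
e10adc3949ba59abbe56e057f20f883e:123456
5f4dcc3b5aa765d61d8327deb882cf99:password
0d107d09f5bbe40cade3de5c71e9e9b7:letmein
7c6a180b36896a0a8c02787eeafb0e4c:password1
"""


def parse_show_output(text):
    """Map cracked digest -> plaintext. Split on the first ':' only, so a
    recovered password that itself contains ':' is kept intact."""
    cracked = {}
    for line in text.splitlines():
        if line.strip():
            digest, _, plaintext = line.partition(":")
            cracked[digest.strip().lower()] = plaintext
    return cracked


def audit(hash_text, show_text, min_length=12):
    """Join the hash list with the cracked set and summarise policy weaknesses."""
    hashes = [h.strip().lower() for h in hash_text.splitlines() if h.strip()]
    cracked = parse_show_output(show_text)
    plaintexts = [cracked[h] for h in hashes if h in cracked]
    findings = Counter()
    for p in plaintexts:
        if len(p) < min_length:
            findings["shorter than policy minimum"] += 1
        if p.isdigit():
            findings["digits only"] += 1
        if re.fullmatch(r"[A-Za-z]+\d{0,2}", p):   # word with a short numeric suffix
            findings["word plus at most two digits"] += 1
    return {
        "total": len(hashes),
        "cracked": len(plaintexts),
        "cracked_pct": round(100.0 * len(plaintexts) / len(hashes), 1) if hashes else 0.0,
        "findings": dict(findings),
        "uncracked": [h for h in hashes if h not in cracked],
    }
```

Call audit(HASH_FILE, SHOW_OUTPUT) to get the report as a dictionary; with the sample data it reports 4 of 5 digests cracked, all four shorter than a 12-character minimum.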

Cracking Windows NTLM Hashes with Ophcrack

Ophcrack is an efficient tool for cracking Windows NTLM hashes. It is preinstalled with Kali Linux. First, save the NTLM hashes into a text file:

nano ntlm_hashes.txt

Next, download the XP special tables (7.5GB) to enhance the cracking process:

Open ophcrack GUI application > Select Tables > Install XP Special
/opt/ophcrack/tables/xp_special

Load the PWDUMP file and click on the CRACK button to start cracking the hashes.

Viewing Cracked Passwords

After the passwords have been cracked, save the results to a new file (here ntlm_cracked.txt) and view them with:

cat ntlm_cracked.txt

Output example:

::hash:password plaintext

PDF Password Cracking

To crack passwords for PDF files, we use a tool called pdf2john. Start by installing the tool:

sudo apt install pdf2john

Extract the hash from a PDF file:

pdf2john <file.pdf> > hash.txt

Hashcat expects the bare hash, so strip the filename that pdf2john prepends to each line; otherwise the hash is rejected as malformed:

cut -d ":" -f 2- hash.txt > clean.txt

Explanation of the command: -d ":" makes cut split each line on colons, and -f 2- keeps every field from the second onward, so only the leading filename is dropped while any colons inside the hash itself survive. The result is written to clean.txt.

Use Hashcat to crack the password from clean.txt:

hashcat clean.txt -m 10700 -a 0 /usr/share/wordlists/rockyou.txt

Introduction to Hydra

Hydra is a powerful online password-guessing tool that performs dictionary attacks directly against the login of a running service, rather than against a captured hash. It is widely used by penetration testers and security professionals to evaluate the strength of passwords for services such as SSH, FTP, HTTP, and many others. Hydra's ability to automate password testing makes it an essential tool in any security toolkit.

Video Credit: John Hammond - Hydra/NTLM Password Cracking

Getting Started with Hydra

Installing Hydra

To get started, you first need to install Hydra. You can do this easily on most Linux systems using the following command:

sudo apt-get install hydra

Once installed, you can check that Hydra is working by running:

hydra -h

This command will display the available options and features that Hydra supports.

Understanding Hydra

Hydra works by performing a dictionary attack against login credentials for various services. This means it tries a list of potential usernames and passwords to find valid combinations. Hydra is highly customizable and supports many different protocols, including SSH, FTP, HTTP, and more. To use Hydra effectively, it's essential to understand the syntax and options available.

Common Hydra Usage Examples

Cracking SSH Passwords

To use Hydra for cracking SSH passwords, you need a target IP address, a username (or list of usernames), and a wordlist containing potential passwords. Here is an example command:

hydra -l username -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100

In this command, -l username gives the single login name to test (an uppercase -L would take a file of usernames instead), -P /usr/share/wordlists/rockyou.txt supplies the password wordlist, and ssh://192.168.1.100 names the protocol module and the target host.

Cracking FTP Passwords

Hydra can also be used to attack FTP services. To attempt password cracking for FTP, use the following command:

hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.200

This command will try the admin username with each password in the specified wordlist against the target FTP server.

Cracking HTTP Login Forms

To use Hydra for cracking a password-protected web page, you need to provide information about the HTTP form. Here's an example command:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.150 http-post-form "/login.php:user=^USER^&pass=^PASS^:F=incorrect"

Explanation: 192.168.1.150 is the target host and http-post-form is the Hydra module for HTML login forms. The quoted module argument has three colon-separated parts: the path of the login page (/login.php), the POST body in which ^USER^ and ^PASS^ are placeholders that Hydra replaces with each username and password it tries, and a failure condition (F=incorrect) meaning that any response containing the word "incorrect" is treated as a failed login, so a response without it counts as a success.

Using Hydra with SSH

Hydra is capable of cracking SSH passwords, which is a common target in penetration tests. Below, we'll cover how to perform a password attack against an SSH server using Hydra:

Gather Required Information

To use Hydra against SSH, you'll need the IP address or hostname of the SSH server, the username (or a file of usernames) to test, and a wordlist of candidate passwords such as rockyou.txt.

Execute the Hydra Command

Use the following command to run Hydra against SSH:

hydra -l username -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100

Explanation of command components: -l username is the single login to test, -P /usr/share/wordlists/rockyou.txt is the password wordlist, and ssh://192.168.1.100 tells Hydra to use its SSH module against that host, on port 22 unless another port is given with -s.

Review the Results

Once the attack is launched, Hydra will try all the passwords in the wordlist for the specified username. If successful, Hydra will display the cracked password.

[22][ssh] host: 192.168.1.100   login: admin   password: 123456

If the password is cracked, it will be shown in the format indicating the IP address, login, and password. Always remember to stop once you have gathered sufficient information to achieve your objective during a penetration test.
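On the receiving end, a run like the one above leaves a burst of "Failed password" entries from one source in the server's sshd log, often followed by an "Accepted password" for the same account. The following Python is an added detection example (not from the page or from Hydra) that flags that pattern; the log lines are constructed to mimic /var/log/auth.log on the 192.168.1.100 target, with 192.168.1.50 as an assumed attacking source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample of the target's auth.log: a burst of failures for 'admin'
# from one source ending in a success, then one ordinary mistyped-then-correct
# login from another host that must not raise an alert.
AUTH_LOG = """\
Sep 22 15:30:55 target sshd[2210]: Failed password for admin from 192.168.1.50 port 51234 ssh2
Sep 22 15:30:55 target sshd[2211]: Failed password for admin from 192.168.1.50 port 51235 ssh2
Sep 22 15:30:56 target sshd[2212]: Failed password for admin from 192.168.1.50 port 51236 ssh2
Sep 22 15:30:56 target sshd[2213]: Failed password for admin from 192.168.1.50 port 51237 ssh2
Sep 22 15:30:57 target sshd[2214]: Failed password for admin from 192.168.1.50 port 51238 ssh2
Sep 22 15:30:58 target sshd[2215]: Accepted password for admin from 192.168.1.50 port 51239 ssh2
Sep 22 15:31:40 target sshd[2300]: Failed password for alice from 10.0.0.7 port 40022 ssh2
Sep 22 15:31:52 target sshd[2301]: Accepted password for alice from 10.0.0.7 port 40023 ssh2
"""


def detect_password_guessing(log_text, threshold=5, window_s=60, year=2024):
    """Alert on a source IP that accumulates `threshold` failed password
    attempts within `window_s` seconds, and escalate if a successful login
    from that IP follows the burst (the footprint a Hydra hit leaves behind)."""
    window = timedelta(seconds=window_s)
    failures = defaultdict(list)          # ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied for parsing
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        recent = [t for t in failures[ip] if ts - t <= window]
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) == threshold:  # fire once, when the threshold is crossed
                alerts.append((ip, "password guessing", threshold))
        elif len(recent) >= threshold:
            alerts.append((ip, "login after guessing burst", m["user"]))
        failures[ip] = recent
    return alerts
```

With the sample log, detect_password_guessing(AUTH_LOG) returns two alerts for 192.168.1.50 and none for the alice login.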

Important Considerations

Hydra is a powerful tool and should only be used ethically and with proper authorization. Unauthorized access is illegal and can lead to severe consequences.