Password cracking tools
crunch
- Generates password dictionaries.
- E.g.
crunch <min-length> <max-length> <character-pool> -o <file-name>
- Difficulty/time grows exponentially not linearly
- Takes much longer when you e.g. increase total chars in a password.
- E.g.
crunch 4 16 abcekfeafkapeo434@*.
generates thousands of petabytes.
John the Ripper
- Also known as • JtR or
john
- 📝 Auto-detects OS password based on dictionary or brute-force attacks.
- Tries different passwords and compares their hashes to OS password
- Supports Windows, Linux and macOS.
- 📝 Usage:
- Dump OS password to a file.
- E.g. on Linux, John has
unshadow
tool that can be used.:unshadow /etc/passwd /etc/shadow > mypasswd
- E.g. on Linux, John has
- Crack password file using default order:
john mypasswd
- Passwords are saved in
$JOHN/john.pot
- You can also run
john --show mypasswd
to see the passwords
- Passwords are saved in
- Dump OS password to a file.
Hydra
- Parallelized login cracker for different network protocols such as HTTP, Cisco, MySQl.
- 💡 You can use DVWA: damn vulnerable web app for educational purposes & learning pen-testing
- E.g.
hydra -L usernamelist.txt -P passlist.txt -e ns -F -t 1 -w 10 <host-ip-address> http-form-post "/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -v
-e ns
: e additional optionsn
: try null (for empty password)s
: try also same password as a user name
-t 1
: number of tasks (based on threads), default is 16- ❗ Careful. Too many connections and too quick = Detected immediately
-w 10
: waiting time of 10 ms<host-ip-address>
- Usually people go to the target using proxies and examine results in proxies.
- E.g. burp suite
- Usually people go to the target using proxies and examine results in proxies.
http-form-post "/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed
- Posts data to server as the HTML does
Login failed
: text to search in result page to determine whether the login has failed.
Hashcat
- Very fast, GPU-based password cracker with in-kernel rule engine
- Can do dictionary hash attack, brute force hash, role based attack and more
- Website | source code
- 💡 Good idea to use in cloud to get more compute power.
- Proper drivers are required for e.g. AMD and Intel and NVIDIA
- E.g. cracking Linux OS password
./hashcat64.bin -a 3 -m 1800 ?u?l?l?l?d?d?d
-m 1800
: Hash modesha512crypt $6$, SHA512 (Unix)
-a 3 ?u?l?l?l?d?d?d
: Mask attack- Brute-force on user specified character sets
?u?l?l?l?d?d?d
= uppercase + lowercase + lowercase + lowercase + number + number + number- 💡 Do certain assumptions or it might take until the next big bang to crack the password.
- E.g. usually passwords start with capital letter and continues with lowercase letters
Password recovery tools
- Elcomsoft Distributed Password Recovery
- Data recovery and password recovery services
- Runs on Windows
- For forensic and government agencies
- Can crack systems passwords for Windows, Unix and Mac OS and many more other passwords.
- Passware Kit Forensic
- Tool for encrypted electronic evidence discovery and decryption
- Can crack systems passwords for Windows, Unix and Mac OS and many more other passwords.
Windows password reset tools
- Resets Windows login passwords.
- Often can run from a bootable USB or CD/DVD.
- Include • Stellar Password Recovery • Windows Password Recovery Pro ISeePassword • Windows Password Recovery Tool • Windows Password Refixer • PCUnlocker
chntpw
- Also known as Offline NT Password & Registry Editor
- 📝 Linux utility used for resetting or blanking local passwords used by Windows.