Cloud GCP Network


Password Cracking Tools
Introduction
• A well-designed password-based authentication system doesn’t store a user’s actual password.
• This would make it far too easy for a hacker or a malicious insider to gain access to all of the user accounts on the system.
• Instead, authentication systems store a password hash, which is the result of sending the password, together with a random value called a salt, through a hash function.
• Hash functions are designed to be one-way, meaning that it is very difficult to determine the input that produces a given output.
• Since hash functions are also deterministic (meaning that the same input produces the same output), comparing two password hashes (the stored one and the hash of the password provided by a user) is almost as good as comparing the real passwords.
• Password cracking refers to the process of extracting passwords from the associated password hash.
• This can be accomplished in a few different ways:
  • Dictionary attack: Most people use weak and common passwords. Taking a list of words and adding a few permutations, like substituting $ for s, enables a password cracker to learn a lot of passwords very quickly.
  • Brute-force guessing attack: There are only so many potential passwords of a given length. While slow, a brute-force attack (trying all possible password combinations) guarantees that an attacker will crack the password eventually.
  • Hybrid attack: A hybrid attack mixes these two techniques. It starts by checking to see if a password can be cracked using a dictionary attack, then moves on to a brute-force attack if it is unsuccessful.
• Most password-cracking or password finder tools enable a hacker to perform any of these types of attacks.
Most prominent password cracking tools
• John the Ripper - well-known free open-source password cracking tool for Linux, Unix and Mac OS X.
• Ophcrack - free Windows password cracker based on rainbow tables.
• Hashcat - popular open-source software for cracking passwords that can crack various hashes using various attack modes.
• Hydra - an excellent tool to perform brute force attacks; it provides various other options which can make your attack more intense and easier to gain unauthorized access to the system remotely.
John the Ripper
• John the Ripper is a well-known free open-source password cracking tool for Linux, Unix and Mac OS X.
• A Windows version is also available.
• John the Ripper offers password cracking for a variety of different password types.
• It goes beyond OS passwords to include common web apps (like WordPress), compressed archives, document files (Microsoft Office files, PDFs and so on), and more.
• A pro version of the tool is also available, which offers better features and native packages for target operating systems.
• You can also download Openwall GNU/*/Linux, which comes with John the Ripper.
How to Set Up Your Test Environment
• You’ll need a proper lab to test the command lines.
• The easiest way is to use a virtual machine with a dedicated operating system like Kali Linux.
• There are other installation modes available, for example, on Debian-based machines:
  sudo apt-get install john -y
• However, you may have to install additional modules manually to crack specific file types, such as zip archives.
• You’ll also need samples to attack, which are easy to find on platforms such as GitHub, but you can also generate your own hashes.
• In terms of hardware, tutorials sometimes recommend large RAM (16GB) and a good graphics processing unit (GPU).
• But that would be for more advanced uses, so any recent computer will do the job correctly.
How Does Password Cracking Work?
• The most popular techniques associated with password cracking are brute-force and dictionary attacks.
• It often comes after stealing critical data, such as databases that contain credentials.
• In the worst-case scenario, the credentials are in plain text, but most of the time you only get a hash.
• Still, if the password is short and/or weak, John the Ripper can crack such data quickly.
• In general, the time required to crack passwords is directly linked to the strength of the password but, above all, its length.
• That’s why experts often say these kinds of attacks are about time and calculation power, but if you don’t secure your passwords, they will be found at the speed of light.
How Do You Crack Passwords with John the Ripper?
• The “john” command has an extensive range of options and flags you can use to run accurate sessions and match the specific format and encryption of your targeted password.
• The tool has built-in wordlists that automatically apply by default, but you can specify your own with --wordlist and the path to your custom wordlist.
• Using only the built-in features and the MD5 hash of a weak password (not even “123456”), it is possible to retrieve the true password in seconds:
  echo "4f95578c0f588e028b8e2ea441fc683b" > hash.txt
  john hash.txt --format=Raw-MD5
  # julien2022
• If you need to crack a password-protected zip, just generate a hash with zip2john and pass “zip” as the format argument:
  john --format=zip hash-zip.txt
• It’s the same method with .kdbx (KeePass 2.x database file format) databases and SSH private keys.
• First, you generate the hash, then you pass it to John.
OPHCRACK
• What is ophcrack?
• Ophcrack is a free Windows password cracker based on rainbow tables.
• It is a very efficient implementation of rainbow tables done by the inventors of the method.
• It comes with a Graphical User Interface and runs on multiple platforms.
• Features:
  • Runs on Windows, Linux/Unix, Mac OS X, ...
  • Cracks LM and NTLM hashes.
  • Free tables available for Windows XP and Vista/7.
  • Brute-force module for simple passwords.
  • Audit mode and CSV export.
  • Real-time graphs to analyze the passwords.
  • LiveCD available to simplify the cracking.
  • Dumps and loads hashes from encrypted SAM recovered from a Windows partition.
  • Free and open source software (GPL).
• Ophcrack is a free, open-source tool that can be used to recover lost Windows passwords.
• It works by using pre-computed tables to crack password hashes, allowing users to recover their forgotten passwords quickly and easily.
• Ophcrack is only able to recover passwords for local Windows accounts, and not for Microsoft accounts.
• If you are using a Microsoft account to sign in to your Windows computer, you will need to reset your password through the Microsoft account website.
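The pre-computed tables mentioned above, as an added example that is not Ophcrack’s own code: a toy rainbow table over the space of 3-letter lowercase passwords, showing the hash/reduce chains that let a table cover a large password space while storing only chain end points. The password space, chain length and start points are constructed assumptions, and MD5 stands in for the LM/NTLM hash functions Ophcrack targets.

```python
"""Added example, not Ophcrack's own code: a toy rainbow table over the space
of 3-letter lowercase passwords, to show the hash/reduce chain idea behind the
pre-computed tables Ophcrack uses. The password space, chain length and start
points are constructed assumptions chosen so the table builds in well under a
second; MD5 stands in for the LM/NTLM hash functions."""
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN   # 17,576 possible passwords
CHAIN_LEN = 50                    # reduction steps per chain (assumption)
START_POINTS = ["abc", "xyz", "qwe", "mno", "kpl"]   # constructed


def h(pw: str) -> str:
    """The hash function being attacked (MD5 here for the toy)."""
    return hashlib.md5(pw.encode()).hexdigest()


def index_to_pw(n: int) -> str:
    """Enumerate the password space so any integer maps to one candidate."""
    out = []
    for _ in range(PW_LEN):
        out.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(out)


def reduce_(digest: str, step: int) -> str:
    """Map a digest back into the password space. The step number makes each
    column of the table use a different reduction, which is what turns a
    Hellman table into a *rainbow* table and limits chain merges."""
    return index_to_pw((int(digest[:12], 16) + step) % SPACE)


def build_table(start_points=START_POINTS):
    """Precompute: walk each chain and keep only end point -> start points.
    Everything in between is regenerated on lookup, which is the time/memory
    trade-off that lets Ophcrack ship tables covering huge spaces."""
    table = {}
    for start in start_points:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_(h(pw), step)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target_digest: str):
    """Online phase: for each column the target could occupy, walk to the chain
    end; if that end is stored, regenerate the chain and check for the preimage."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target_digest, col)
        for step in range(col + 1, CHAIN_LEN):
            pw = reduce_(h(pw), step)
        for start in table.get(pw, []):
            candidate = start
            for step in range(CHAIN_LEN):
                if h(candidate) == target_digest:
                    return candidate
                candidate = reduce_(h(candidate), step)
            # reaching here is a false alarm: a merged chain without the target
    return None


if __name__ == "__main__":
    table = build_table()
    print(lookup(table, h("abc")))   # start point of a chain, always recoverable
```

The table stores five end points yet can answer for any of the 250 passwords its chains pass through; a salt appended to the password before hashing defeats this entirely, because the table would have to be rebuilt per salt value, which is why LM/NTLM (unsalted) are such good targets for it.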
How To Use Ophcrack for Windows Password Recovery?
• Step 1: Download and Install Ophcrack
  • The first step in using Ophcrack for Windows password recovery is to download and install the tool.
  • You can download the latest version of Ophcrack from the official website at https://ophcrack.github.io/.
  • Once the download is complete, run the installer and follow the prompts to install Ophcrack on your computer.
• Step 2: Create a Bootable Ophcrack USB or CD
  • Next, you will need to create a bootable Ophcrack USB or CD.
  • This will allow you to boot your computer from the Ophcrack USB or CD, giving you access to the Ophcrack software so you can recover your lost password.
  • To create a bootable Ophcrack USB, you will need a USB drive with at least 1 GB of storage space and a tool such as Rufus to create the bootable USB.
  • To create a bootable Ophcrack CD, you will need a blank CD and a tool such as ImgBurn to create the bootable CD.
  • Once you have your bootable Ophcrack USB or CD ready, move on to the next step.
• Step 3: Boot Your Computer from the Ophcrack USB or CD
  • With your bootable Ophcrack USB or CD ready, it’s time to boot your computer from it.
  • To do this, you will need to enter your computer’s BIOS or UEFI settings and change the boot order.
  • The exact steps for entering the BIOS or UEFI settings and changing the boot order will vary depending on your computer’s make and model.
  • In general, you will need to press a key (such as F2 or Del) during the boot process to enter the BIOS or UEFI settings, and then navigate to the “Boot” or “Boot Order” settings and change the order so that the Ophcrack USB or CD is first in the list.
  • Once you have changed the boot order, save your changes and exit the BIOS or UEFI settings.
  • Your computer should now boot from the Ophcrack USB or CD.
• Step 4: Use Ophcrack to Recover Your Lost Password
  • With your computer booted from the Ophcrack USB or CD, you can now use the Ophcrack software to recover your lost password.
  • Upon booting, Ophcrack will automatically detect all of the user accounts on your computer and display them in a list.
  • Simply select the user account for which you want to recover the password, and Ophcrack will begin the cracking process.
  • Depending on the complexity of the password, the cracking process may take some time.
  • Ophcrack will use the pre-computed tables to try different password combinations and crack the password hash.
  • Once the password has been recovered, it will be displayed on the screen.
Example:
• Step 1. You will need a USB bootable device that has the Kali Linux live version running on it.
• Step 2. Next, you can see in the image below there are two files that store user passwords and information in Windows, by the names SAM and SYSTEM.
• Step 3. Now just attach your Kali Linux live bootable USB to the system and boot into Kali Linux.
• Step 4. Now we will go to the path where the above two files are stored and copy them to the desktop using the cp command.
• Step 5. Now we will create a hash to load into the Ophcrack software for the cracking process; use the following command to do so after copying both files to the desktop:
  $ samdump2 SYSTEM SAM -o windowskey.txt
• Step 6. This will create a new hash file on your desktop.
• Step 7. Now we need to download the rainbow tables from the official website, by the name Vista free, and then extract them.
• Step 8. Now open Ophcrack, click on Load, then click on PWDUMP and choose the hash file we created earlier.
• Step 9. Now go to Tables, click Vista free and click Install, then locate the folder we extracted with the name Vista free in the above steps and click Open.
• Step 10. After this process is done, simply click on Crack and you will see it start the cracking process. Based on your password complexity, it will take time.
Hashcat
• It is a popular open-source software for cracking passwords that can crack various hashes using various attack modes.
• It takes advantage of hardware acceleration from the GPU, which can perform computational tasks more efficiently than a general-purpose CPU could.
• The speed of a GPU directly affects the cracking speed because a faster GPU can process more password guesses simultaneously, significantly reducing the time required to find the correct password.
• Depending on the type of hash, the complexity of the password, and the GPU being used, Hashcat can test up to millions of password combinations per second during a brute force attack, far beyond the capacity of a CPU.
HASH
• A hash is a fixed-length string representation created from the password using a hash function.
• Simply put, a hash function takes input data and returns a fixed-length string through mathematical computations.
• Once the data has been hashed, there is no way to reverse the process and retrieve the original data from the hash.
• Here is an example of an MD5 hash of the password “password123”.
Hash - Examples
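The hash properties described above (fixed length, deterministic, one-way) and the salt from the introduction, as an added example that is not from the slides: the MD5 digest of “password123”, checks of those properties in code, and the salted, slow store/verify pair an authentication system should use instead of bare MD5. The MD5 value of “password123” is the widely published one the slide refers to; the salt size and PBKDF2 iteration count are constructed assumptions.

```python
"""Added example (not from the slides): the properties of a hash the text
describes, checked in code, followed by the salted, slow store/verify pair a
real authentication system should use instead of bare MD5. The MD5 digest of
"password123" is the widely published value the slide refers to; the salt size
and iteration count are constructed assumptions."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # PBKDF2 work factor (assumption; tune to your hardware)


def md5_hex(password: str) -> str:
    """Unsalted MD5, the kind of hash the cracking examples on these slides target."""
    return hashlib.md5(password.encode()).hexdigest()


def fixed_length_and_deterministic() -> bool:
    """A 1-byte and a 10,000-byte input both give a 32-hex-character MD5 digest,
    and hashing the same input twice gives the same digest."""
    short, long_ = md5_hex("a"), md5_hex("a" * 10_000)
    return len(short) == len(long_) == 32 and md5_hex("password123") == md5_hex("password123")


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$hash': a random 16-byte salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_different_records(password: str) -> bool:
    """Two users with the same password get different stored values because
    the salts differ, so one precomputed table cannot crack both at once."""
    a, b = store_password(password), store_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    print("MD5(password123) =", md5_hex("password123"))
    print("salted record    =", store_password("password123"))
```

The unsalted MD5 line is what a cracker looks up in a wordlist or table in one step; the PBKDF2 record forces 200,000 HMAC computations per guess and a fresh table per user, which is the gap between “seconds” and “impractical” for the same weak password.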
Password Lists for Hashcat
Password Lists in Kali
• Kali comes pre-packaged with wordlists that can be used for cracking passwords.
• The wordlist files are in the /usr/share/wordlists directory.
• The one that is used the most, especially when doing a CTF (capture the flag), is the rockyou.txt file.
• This file is massive: it contains over fourteen million user passwords.
• The rockyou.txt file comes from the over 32 million user credentials exposed due to a data breach in 2009 on the social media platform RockYou.
• These passwords were kept in plain text, not hashed or otherwise obfuscated.
Other Locations for Password Lists
• Another great resource for passwords is SecLists on GitHub.
• This list contains many password lists, including “500-worst-passwords.txt” and “darkweb2017-top10000.txt”.
• The password lists are collections of commonly used, default, or leaked passwords.
Three options for running Hashcat
1. Virtual Machine
Pros:
• Environment Isolation: keeps the cracking environment separate from your host OS.
• Ease of Setup: Hashcat is already installed on Kali.
• Testing and Experimentation: lets you test without affecting the host OS.
Cons:
• Performance Overhead: slower than running it on native hardware.
• Hardware Access: GPU passthrough can be complex and may not be supported on all systems.
• Resource Allocation: running intensive applications in a VM could impact the performance of the host system.
2. Host Machine
Pros:
• Performance: performs better than running it inside a VM.
• Simplicity: it might be simpler to install and run.
Cons:
• Resource Consumption: Hashcat uses as much of the system’s resources as possible to perform its tasks quickly.
• System Compatibility: there can always be unforeseen compatibility issues or bugs that could impact its performance or stability on some systems.
3. Cloud
Pros:
• Scalability: cloud platforms offer the ability to easily scale up your resources.
• Cost-Effectiveness: you only pay for what you use.
• Access from Anywhere: the cloud environment can be accessed from anywhere.
Cons:
• Price: the costs can also add up quickly if you’re running powerful instances for long periods of time.
• Complexity: they can also be complex to set up and manage.
• Legal and Ethical Considerations: using cloud resources for cracking passwords might violate the provider’s terms of service.
Installing Hashcat on Windows
• The first step is to download the binary from the Hashcat site.
• Once downloaded, you will need to extract the 7-Zip archive; we put ours in the C:\Hashcat folder, but you can put yours wherever makes the most sense for you.
• To start using Hashcat in Windows, head to the command line and move into the directory where you saved it.
• Next, you need to load hashcat.exe with any options you want to run.
How to Use Hashcat
Hashes Available in Hashcat
• The Hashcat Wiki has a great resource for finding all the hashes that work with the program.
• It gives you a table view of hashes.
• You can easily search through this with the find command in your browser. This will help you find which hash mode to use with the hash you need to crack.
• You can also view the list of hashes from the command line using --help.
• Scroll down a little until you see the section titled “Hash modes.”
• On a Linux system, you can also use the grep command to search quickly for a specific hash, such as hashcat --help | grep md5.
Hydra
• Hydra is one of the favorite tools of security researchers and consultants.
• Being an excellent tool to perform brute force attacks, it provides various other options which can make your attack more intense and easier to gain unauthorized access to the system remotely.
• Hydra is a very fast network logon cracker which supports many different services.
• It is a parallelized login cracker which supports numerous protocols to attack.
• New modules are easy to add; besides that, it is flexible and very fast.
• This tool gives researchers and security consultants the possibility to show how easy it would be to gain unauthorized access to a system remotely.
• Currently this tool supports: adam6500, afp, asterisk, cisco, cisco-enable, cvs, firebird, ftp, ftps, http[s]-{head|get|post}, http[s]-{get|post}-form, http-proxy, http-proxy-urlenum, icq, imap[s], irc, ldap2[s], ldap3[-{cram|digest}md5][s], mssql, mysql(v4), mysql5, ncp, nntp, oracle, oracle-listener, oracle-sid, pcanywhere, pcnfs, pop3[s], postgres, rdp, radmin2, redis, rexec, rlogin, rpcap, rsh, rtsp, s7-300, sapr3, sip, smb, smtp[s], smtp-enum, snmp, socks5, ssh, sshkey, svn, teamspeak, telnet[s], vmauthd, vnc, xmpp
• For most protocols, SSL is supported (e.g., https-get, ftp-SSL, etc.).
• If not all necessary libraries are found at compile time, fewer services will be available.
• Type “hydra” to see what is available.
To guess the password for a specific username
• If you have a correct username but want to log in without knowing the password, you can use a list of passwords and brute force the password on the host’s ftp service.
  hydra -l ignite -P pass.txt 192.168.1.141 ftp
• Here the -l option is for the username and -P for the password list, followed by the host IP address and the ftp service.
• The login ignite with password 123 succeeded.
To guess the username for a specific password
• You may have a valid password but no idea what username to use.
• Assume you have a password for a specific ftp login.
• You can brute force the username field with a wordlist of usernames to find the correct one.
• You can use the -L option to specify a user wordlist and the -p option to specify a specific password.
  hydra -L users.txt -p 123 192.168.1.141 ftp
• Here, our wordlist is users.txt, for which the -L option is used, and the password is 123, for which the -p option is used, over ftp.
Brute forcing Username and Password
• Now if you don’t have either the username or the password, you can brute force both parameters with a wordlist for each, using the -L and -P options.
  hydra -L users.txt -P pass.txt 192.168.1.141 ftp
• users.txt is the wordlist for usernames and pass.txt is the wordlist for passwords, and the attack displayed the valid credentials ignite and 123 for the host.
Verbose and Debug Mode
• The -V option is used for verbose mode, where it will show the login+pass combination for each attempt.
• Here, we have two wordlists, users.txt and pass.txt, so the brute force attack made combinations of each login+password and verbose mode showed all the attempts.
  hydra -L users.txt -P pass.txt 192.168.1.141 ftp -V
• Here users.txt has 5 usernames and pass.txt has 7 passwords, so the number of attempts was 5*7 = 35, as shown in the screenshot.
• The -d option enables debug mode. It shows the complete detail of the attack, with wait time, conwait, socket, PID, RECV.
  hydra -l ignite -P pass.txt 192.168.1.141 ftp -d
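The login storm that the Hydra runs above produce (every login+password combination tried against one service in seconds) is what a defender looks for in the service’s authentication log. As an added example that is not part of the slides or of Hydra, the detection logic below flags a client that accumulates a burst of failed logins inside a sliding window and notes whether a success followed the burst. The log lines are constructed in the style of a vsftpd log (an assumption about the format), using a documentation-range source address and the “ignite” user name from the slides.

```python
"""Added example, not part of the slides or of Hydra: detection logic a
defender would run over authentication logs to spot the login storm the
commands above produce. The log lines are constructed in the style of a
vsftpd log (an assumption about the format), with a documentation-range
source address and the 'ignite' user name from the slides."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log: five failures in three seconds, then a success,
# from one client; a single unrelated failure from another client.
SAMPLE_LOG = """\
Mon Mar  4 10:00:01 2024 [pid 2110] [ignite] FAIL LOGIN: Client "203.0.113.5"
Mon Mar  4 10:00:01 2024 [pid 2112] [ignite] FAIL LOGIN: Client "203.0.113.5"
Mon Mar  4 10:00:02 2024 [pid 2114] [ignite] FAIL LOGIN: Client "203.0.113.5"
Mon Mar  4 10:00:02 2024 [pid 2116] [admin] FAIL LOGIN: Client "203.0.113.5"
Mon Mar  4 10:00:03 2024 [pid 2118] [ignite] FAIL LOGIN: Client "203.0.113.5"
Mon Mar  4 10:00:03 2024 [pid 2120] [ignite] OK LOGIN: Client "203.0.113.5"
Mon Mar  4 10:05:00 2024 [pid 2200] [alice] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  4 10:09:00 2024 [pid 2201] [alice] OK LOGIN: Client "198.51.100.7"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_line(line: str):
    """Return (timestamp, user, result, client_ip) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["user"], m["result"], m["ip"]


def detect_bruteforce(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> dict:
    """Flag any client with >= threshold failed logins inside a sliding window.
    The result maps client_ip -> {peak_failures, users, success_after_burst};
    success_after_burst is the case that matters most: a guess worked."""
    recent = defaultdict(deque)   # client_ip -> deque of (ts, user) failures in window
    alerts = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, user, result, ip = event
        if result == "FAIL":
            q = recent[ip]
            q.append((ts, user))
            while q and ts - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"peak_failures": 0, "users": set(), "success_after_burst": False})
                alert["peak_failures"] = max(alert["peak_failures"], len(q))
                alert["users"].update(u for _, u in q)
        elif ip in alerts:
            alerts[ip]["success_after_burst"] = True
    return {
        ip: {"peak_failures": a["peak_failures"], "users": sorted(a["users"]),
             "success_after_burst": a["success_after_burst"]}
        for ip, a in alerts.items()
    }


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The same logic applies to any service on Hydra’s list once its log format is parsed; the usual responses are rate limiting or lockout per source after the threshold, and treating a success that follows a burst as a compromised account rather than a normal login.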
