🔐Password Attacks

Various techniques and tools to attack passwords.


Last updated 3 years ago


Passwords must not be stored in plaintext: a cryptographic hashing algorithm (a one-way function) is applied to them, so that a malicious user who reads the stored value cannot recover the password from it.

Password Cracking

A guessing process: the attacker hashes each guessed password and compares the result with the hash value obtained from the breached database.

💪BruteForce Attack

Goes through every single combination of capital letters, small letters, numbers and symbols until it finds the password. It is always successful given enough time.
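As an added illustration (not code from the original notes), the following Python script implements the hash-and-compare loop from the Password Cracking section as a pure brute-force search with unknown password length. It assumes the breached database holds unsalted SHA-256 hashes (the page names no hash function), the target hash is constructed inline from a deliberately short sample password, and the guess rate used at the end is an assumed figure. The keyspace_size helper shows why the attack is "always successful given enough time" and also why the time explodes with length and character-set size.

```python
import hashlib
import itertools
import string

# The character classes the page lists: capital/small letters + numbers + symbols.
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 characters
# A reduced set for the runnable demo below: lower-case letters + digits.
SMALL_CHARSET = string.ascii_lowercase + string.digits                     # 36 characters


def sha256_hex(text):
    """Hash a candidate the way the (assumed) password store does: unsalted SHA-256."""
    return hashlib.sha256(text.encode()).hexdigest()


def keyspace_size(charset_len, max_len):
    """Number of candidates of length 1..max_len; the worst case for brute force."""
    return sum(charset_len ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(charset_len, max_len, guesses_per_second):
    """Worst-case time to try the whole key space at a given guess rate."""
    return keyspace_size(charset_len, max_len) / guesses_per_second


def brute_force(target_hash, charset, max_len):
    """Try every combination, shortest first, until a hash matches.

    Returns (password, attempts); password is None if max_len is too small.
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            guess = "".join(combo)
            if sha256_hex(guess) == target_hash:
                return guess, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed sample: a 3-character password over SMALL_CHARSET.
    leaked_hash = sha256_hex("ab1")          # what a breached DB would hold
    password, attempts = brute_force(leaked_hash, SMALL_CHARSET, max_len=3)
    print(f"recovered {password!r} after {attempts} guesses "
          f"(key space {keyspace_size(len(SMALL_CHARSET), 3)})")
    # Same approach against a 10-character password over the full set: centuries, not seconds.
    rate = 1_000_000_000  # assumed guess rate: one billion hashes per second
    years = seconds_to_exhaust(len(FULL_CHARSET), 10, rate) / (365 * 86400)
    print(f"10 chars, full charset: about {years:.0f} years worst case")
```

The search order (all length-1 candidates, then length-2, and so on) is why the attempt count for "ab1" is small; the keyspace figures are what the "given enough time" caveat actually costs.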

John the Ripper:

Supports brute-force and dictionary attacks against password databases, with parallelization.

Supports nearly 100 hash formats; list them with:

john --list=formats

Assuming we obtained the following from a breached Linux system:

  • /etc/passwd -> user account information.

  • /etc/shadow -> the actual hashed passwords.

and we would like to brute-force certain users with John:

1- John needs both pieces of information in the same file (the unshadow utility ships with it):

unshadow passwd.txt shadow.txt > crackme.txt

2- use this to pick certain users to crack (pure brute force, John's incremental mode):

john --incremental --users=<users_list> <file_to_crack>

3- show the cracked passwords:

john --show <cracked_file>

📖Dictionary Attack

A dictionary attack tests a list of common passwords instead of every possible combination.

Make sure your password is both long (which defeats brute force) and random (which defeats dictionary attacks); you can check it with an online testing tool such as Security.org's "How Secure Is My Password?" strength checker.

Word mangling: cracking tools also generate variations of each dictionary word; variations on 'cat' could be cat12, caT, CAT, c@t, etc.

John the Ripper:

To run a dictionary attack in John:

john --wordlist=<custom_wordlist> --rules <file_to_crack>
john crackme.txt

  • --rules: apply mangling rules to each word.

  • --users=: may also be used to provide a list of users.

  • If you do not provide a custom wordlist, John uses its default one.

Some helpful password dictionaries (SecLists):

apt -y install seclists

You will find the password lists in: /usr/share/seclists/Passwords/leak
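The following Python script is an added example (not from the original notes and not John's code) of a dictionary attack with word mangling, the combination that --wordlist with --rules gives you. The wordlist is a constructed stand-in for a few lines of a SecLists leak file, the hash is assumed to be unsalted SHA-256, and the mangling rules (case changes, leetspeak, common suffixes, reversal) are a hypothetical small rule set written for this demo. It also shows the point from the brute-force section in practice: a weak password is recovered in a handful of guesses instead of tens of thousands, while a random one is not found at all.

```python
import hashlib

# Constructed wordlist standing in for a few lines of a SecLists leak file.
WORDLIST = ["password", "letmein", "cat", "welcome", "dragon"]

# Simple substitutions a mangling rule set applies (the page's c@t example).
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def sha256_hex(text):
    """Assumed hash used by the breached database: unsalted SHA-256."""
    return hashlib.sha256(text.encode()).hexdigest()


def mangle(word):
    """Yield variations of one word, in the spirit of John's --rules.

    Case changes, leetspeak, common suffixes and reversal; duplicates are skipped.
    """
    seen = set()
    bases = [word, word.lower(), word.upper(), word.capitalize(),
             word.swapcase(), word.translate(LEET)]
    for base in bases:
        for variant in (base, base + "1", base + "12", base + "123", base + "!", base[::-1]):
            if variant not in seen:
                seen.add(variant)
                yield variant


def dictionary_attack(target_hash, wordlist, rules=True):
    """Hash each candidate and compare it with the leaked hash.

    Returns (password, attempts); password is None if the list is exhausted.
    """
    attempts = 0
    for word in wordlist:
        for guess in (mangle(word) if rules else (word,)):
            attempts += 1
            if sha256_hex(guess) == target_hash:
                return guess, attempts
    return None, attempts


if __name__ == "__main__":
    for secret in ("password", "c@t12", "Welcome!"):
        found, n = dictionary_attack(sha256_hex(secret), WORDLIST)
        print(f"{secret!r}: recovered={found!r} after {n} guesses")
    # A random string is in no wordlist, whatever the rules.
    found, n = dictionary_attack(sha256_hex("x7#Qp9"), WORDLIST)
    print(f"random password: recovered={found!r} after exhausting {n} candidates")
```

Real rule sets are far larger, but the shape is the same: every rule multiplies the wordlist, and the total is still tiny next to the full key space.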

🌈 Rainbow Tables

rtgen <Hash_func> <charset> <plaintext_len_min> <plaintext_len_max> <table_index> <chain_len> <chain_num> <part_index>
rtgen sha256 loweralpha-numeric 1 10 0 1000 4000 0

In the example: 1 10 is the plaintext length range (1 to 10 characters); 0 is the table index; 1000 is the length of each chain (how many times we hash -> reduce); 4000 is the number of chains; the final 0 is the part index.
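As an added example (not from the original notes and not RainbowCrack's code), the following Python script builds and queries a miniature rainbow table with the same structure as the rtgen command above: a hash function (sha256, as in the example), a loweralpha-numeric charset, a table index, a chain length and a chain count. To keep it runnable it assumes a fixed plaintext length of 3 instead of 1 to 10, short chains, and a reduce function of my own construction; a real table uses the same hash -> reduce chaining, just at scale.

```python
import hashlib
import random

# Parameters mirroring the rtgen example, scaled down.
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"   # rtgen's loweralpha-numeric
PLAINTEXT_LEN = 3                                   # 36**3 = 46656 possible plaintexts
CHAIN_LEN = 50                                      # rtgen's chain_len: hash->reduce steps per chain
TABLE_INDEX = 0                                     # rtgen's table_index: varies the reduce function
SPACE = len(CHARSET) ** PLAINTEXT_LEN


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def reduce_hash(hash_hex, position, table_index=TABLE_INDEX):
    """Map a hash back into the plaintext space (this is not an inverse of the hash).

    The column position is mixed in, which is what makes the table a *rainbow*
    table: a collision in one column no longer merges two whole chains.
    """
    n = (int(hash_hex[:16], 16) + position + table_index * 0x9E3779B9) % SPACE
    chars = []
    for _ in range(PLAINTEXT_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def chain_points(start):
    """All plaintexts of one chain: the start, then CHAIN_LEN hash->reduce steps."""
    points = [start]
    for i in range(CHAIN_LEN):
        points.append(reduce_hash(sha256_hex(points[-1]), i))
    return points


def generate_table(chain_num, seed=1):
    """Store only endpoint -> start point; dropping the middle is the space saving."""
    rng = random.Random(seed)
    table = {}
    for _ in range(chain_num):
        start = "".join(rng.choice(CHARSET) for _ in range(PLAINTEXT_LEN))
        table[chain_points(start)[-1]] = start
    return table


def lookup(table, target_hash):
    """Return the plaintext for target_hash, or None if no chain covers it."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target sits in column i; walk the rest of the chain to its end.
        pw = reduce_hash(target_hash, i)
        for j in range(i + 1, CHAIN_LEN):
            pw = reduce_hash(sha256_hex(pw), j)
        start = table.get(pw)
        if start is None:
            continue
        # Endpoint matched: regenerate that chain and look for the real preimage
        # (a false alarm from a merged chain simply falls through to the next column).
        for candidate in chain_points(start)[:-1]:
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def demo(chain_num=300):
    """Build a small table, then look up one covered hash and one uncovered hash."""
    table = generate_table(chain_num)
    secret = chain_points(next(iter(table.values())))[10]   # a plaintext we know is covered
    return secret, lookup(table, sha256_hex(secret)), lookup(table, sha256_hex("zzzz"))


if __name__ == "__main__":
    secret, hit, miss = demo()
    print(f"lookup of hash({secret!r}) -> {hit!r}")
    print(f"lookup of hash('zzzz') (outside the table's plaintext space) -> {miss!r}")
```

The lookup cost is what the table trades for: up to CHAIN_LEN chain walks per query instead of hashing the whole space, at the price of computing the chains once up front. A per-user random salt defeats the whole approach, because the table would have to be rebuilt for every salt value.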

Cracking password-protected MS Office files:

Assuming you want to crack a .docx file, extract the hash first, then crack it:

/usr/share/john/office2john.py MS_Word_Document.docx > hash

office2john.py is a Python script that ships with John and extracts crackable information (the password hash) from a Microsoft Office .docx file.

john --wordlist=<wordlist> hash

HashCat

Hashcat is another tool that can carry out all three of the attacks described above (brute force, dictionary and rainbow table) to crack password hashes; see the Hashcat page under Tools.

ophcrack: a tool for cracking Windows authentication passwords; available for all major operating systems.

RainbowCrack: another tool, used to create rainbow tables (rtgen above is its table generator): https://project-rainbowcrack.com/table.htm

Links referenced on this page:

  • SecLists (password wordlists)

  • Really great explanation of what a Rainbow Table is

  • How Secure Is My Password? | Password Strength Checker (Security.org)

  • Estimating Password Cracking Times (Better Buys)

[Image: pseudo-code for the brute-force algorithm (unknown password and length)]

[Image: example of why a dictionary attack is faster than brute force]