🔐Password Attacks
Various techniques and tools to attack passwords.
When stored, passwords must be protected: a cryptographic hashing algorithm (a one-way function, often loosely called one-way encryption) is used to keep malicious users from reading them.
Password Cracking
A guessing process where the attacker hashes the guessed password and compares it to the hash value obtained from the breached DB.
💪BruteForce Attack
Goes through every combination of capital/small letters, numbers and symbols until it finds the password; always successful given enough time.
John the Ripper:
Supports brute-force and dictionary attacks against password DBs, plus parallelization.
Supports nearly 100 encryption formats.
Assuming we got the following from a breached Linux system:
/etc/passwd -> user account info.
/etc/shadow -> actual hashed passwords.
We would like to brute-force certain users with John:
1- John needs the info from both files in the same file (unshadow comes with it):
2- Use this to pick a certain user to crack (pure brute force):
3- Show the cracked password:
📖Dictionary Attack
Uses a dictionary of common passwords to test.
A password is secure when it is long (preventing BruteForce) and random (preventing Dictionary); check out this online testing tool:
Mangling Words: variations on 'cat' could be: cat12, caT, CAT, c@t, etc. This is another feature that cracking tools provide.
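A defender can apply the mangling idea in reverse when screening new passwords: undo the usual variations and reject the password if a common word is left. This is an added example, not part of the original notes; the blocklist, substitution map, length threshold and function names are constructed assumptions.

```python
import re

# Constructed sample blocklist; a real deployment would load a full common-password list.
COMMON_WORDS = {"cat", "password", "dragon", "qwerty"}

# Character substitutions that mangling rules commonly apply (assumed, not exhaustive).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12  # assumed policy threshold


def base_words(password):
    """Return the set of base words this password could have been mangled from."""
    lowered = password.lower()                             # caT, CAT -> cat
    trimmed = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)  # cat12, 123cat! -> cat
    candidates = set()
    for variant in (lowered, trimmed):
        candidates.add(variant)
        candidates.add(variant.translate(LEET_MAP))        # c@t -> cat
    return candidates


def weaknesses(password):
    """Return a list of reasons the password is weak; an empty list means it passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    hits = base_words(password) & COMMON_WORDS
    if hits:
        problems.append("mangled form of common word: " + sorted(hits)[0])
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including the 'cat' variations from the text above.
    for pw in ("cat12", "caT", "CAT", "c@t", "Password2024!!!!", "vR7#qLm2xT9!pZw4"):
        print(pw, "->", weaknesses(pw) or "ok")
```

Length alone does not save a password such as Password2024!!!!, which is why the check looks at the base word as well as the character count.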
John the Ripper:
To use dictionary attacks in John:
-rules: to apply mangling. -users= : may also be used to provide a list of users. • By not providing a custom wordlist you will use the default one.
Some helpful Password Dictionaries:
You will find the passwords in: /usr/share/seclists/Passwords/leak
🌈 Rainbow Tables
A really great explanation of what a Rainbow Table is.
ophcrack: cracks Windows authentication passwords; the tool is available for all major OSes.
Another tool is RainbowCrack. Create a Rainbow Table:
1 10: from a to j. table index: 0. 1000 is the length of the chain (how many times we hash -> reduce).
Cracking password-protected MS Office files:
Assuming you want to crack a .docx, extract the hash first, then crack it:
office2john.py
is a Python script used to extract crackable information from the Microsoft Office .docx file.
Another tool that can carry out all 3 of the previously mentioned attacks to crack passwords.