Password Guessing as an Attack Vector

A weak password can be as simple as having a password equal to a username, a blank password, or combination passwords such as ‘qwerty’. Users feel that they can get away with leaving a weak password oftentimes because they have trouble keeping track of them.

In a study done by Google in 2019, 75 percent of Americans were said to get frustrated trying to keep track of their passwords. This perhaps explains why the five most common passwords around the world, according to OWASP’s SecLists project, are weak passwords such as ‘123456’, ‘Password’, ‘12345678’, ‘qwerty’, and ‘123456789’. This is why one of the most common ways that hackers can break into computers and their accounts is by guessing their passwords. For system administrators, there can be no settlement for weak passwords as unauthorized access can potentially lead to catastrophic consequences such as loss of valuable data. This is why having a strong password is such an important aspect of computer security. System administrators can practice creating stronger passwords by using password cracker tools to test these passwords.    

 

Getting Started With Password Cracking

Password cracking is the technique of retrieving passwords from encrypted data stored in or communicated by a computer. In addition to helping recover lost passwords, many system administrators use password cracking tools to check for easily hackable passwords to prevent vulnerabilities. The best password cracker tools can handle multiple targets simultaneously, are usable on multiple platforms, and support multiple protocols. 

How Do Password Crackers Work?

Effective password cracker tools typically work in three different ways:

1. Dictionary attack: Passwords provided in a list with a large number of words, phrases, and possible passwords derived from previously leaked data dumps or breaches correspond to this kind of attack. The tool enters every single password from that list in an attempt to find the correct one. 
2. Brute-force attack: This kind of attack happens when a tool guesses every combination of passwords possible within a range and criteria specified by the user. The process can be effective, but also extremely slow. For example, a nine-character password comprising of a mix of upper and lower case letters along with digits and special characters will take over nine years to be guessed using a brute-force attack method, making the password close to uncrackable. That is why this example of a password is considered a strong password.
3. Rainbow tables: In this case, a pre-computed list of password hashes is compared against an existing data dump to find the correct password in its plaintext form. Rainbow tables are useful since security-oriented applications seldom have passwords stored in plaintext and instead store their fixed-length hashes. This is what makes using rainbow tables faster than brute-forcing as the hashed data is already precalculated. A condition where using a rainbow table would be ineffective is when password hashes are salted and salt values are too large. This would increase the complexity of cracking the password. 

Three of the Best Tools for Password Cracking

John the Ripper

Released in 1996, John the Ripper is an open-source native, password cracker tool that was originally produced for UNIX-based systems. Today, the tool can run on many different operating systems including Android, Linux, macOS, and Windows. Designed to test password strength, brute-force encrypted passwords, and crack passwords via dictionary attacks, the tool quickly grew in popularity, and today is one of the most recognizable password cracker tools. Some of its key features include multiple modes to speed up password cracking, automatically detecting the hashing algorithm used by the encrypted passwords and the ease of configuring and running the tool. The tool comes in both GNU-licensed and proprietary versions with the latter being designed for use by professional penetration testers. 

John the Ripper Modes and a Use-Case

John the Ripper utilizes modes to best meet the needs of its users. Three modes come with the tool:

1. Single crack mode: This mode is recommended to be run first since it is the quickest mode. Single crack mode utilizes information from UNIX passwd files as presented in GECOS fields within UNIX passwd files or shadow files to guess passwords. This is helpful for use cases where a user has to set a password for an account based on commonly available information or a phrase in the username such as root:root or radha:radha456. 
2. Wordlist mode: Similar in its operation to a dictionary attack, this mode relies on the user providing a text file with a list of passwords, ideally one per line with no duplicates. The application also comes with a set of default wordlists, with the proprietary version offering more choice. 
3. Incremental mode: An equivalent mode to a brute-force attack method, this mode is only effective for most weak passwords. If a password is long enough or complex enough, this mode may never be able to complete in a decent amount of time and never terminate. In the case of several combinations being too large, the user will have to interrupt this mode. 

Here are some examples of use-cases for John the Ripper:

• Cracking a user account password in Kali Linux: This use-case scenario demonstrates the simplicity of using John the Ripper for cracking a user account password on Kali Linux. Say the user creates an account using the command:

Say the user then set’s the password for this account:

To crack the password for the account with the username ‘James’ run the following command:

Not only will John the Ripper identify the hash method and display it on the terminal, but it will also decode the password hash into a raw password and display this password as well. 

Hashcat

Hashcat is a popular and effective open-source password cracking tool widely used by penetration testers and system administrators. Considered the world’s first and only in-kernel engine, Hashcat supports many different platforms and operating systems such as Linux, macOS, and Windows for desktops. The tool also has mobile support for Android, iOS, and Windows as well. However, an issue with Hashcat is that it’s limited in the kinds of passwords that can be recovered since, unlike John the Ripper which can recover passwords for databases and operating systems, this tool is mostly limited to documents such as PDF files, and WIFI passwords. Still, Hashcat is very much an effective password cracker tool to consider. 

Hashcat’s Attack Arsenal and Use-Case

At the most basic level Hashcat can guess a password, hash it, and then compare the resulting hash to the one it’s trying to crack. In addition to these brute-force attempts, Hashcat also supports dictionary attacks, combinator attacks, mask attacks, and rule-based attacks. 

1. Dictionary attack: Hashcat can utilize a word list text file to perform a dictionary attack. Users can start with the word list rockyou.txt. Containing more than 14 million passwords sorted by the frequency of use, using the word list with Hashcat can make for a very effective password cracker test.
2. Combinator attack: These kinds of attacks work best for passwords that are two words together without a space. For example, passwords such as ‘yellowcar’ or ‘blackbike’ count as passwords that are vulnerable to a combinator attack. Hashcat’s way of doing a combinator attack is by taking a dictionary list and creating a new word list of every word combined with every other word. Hashcat can also add punctuation such as hyphens, exclamation points, and other special characters to create a final word list with passwords such as ‘yellow-car!’ and ‘black-bike!’.
3. Mask attack: A mask attack works by looking for passwords with a similar outline. For instance, passwords with one upper case letter followed by six letters and a digit at the end are common for older passwords. Hashcat can search for similar passwords using a mask attack. Mask attacks are often orders of magnitude faster than a brute-force attack, with some brute-force attacks taking 4 years to crack a password compared to 40 minutes for mask attacks. 
4. Rule-based attack: Hashcat offers a programming language-like syntax for rule-based attacks in which users can specify what kind of passwords to try. This is useful for cases where a user has a sense of how their target constructs a password. One of the most complicated of all the attacks offered by Hashcat, the rule-based attack offers functions to modify, cut or extend words and has conditional operators, making it the most flexible, accurate, and efficient kind of attack.

Here is an example of a use-case for Hashcat:

• Word-list attack on a list of passwords stored in a hash file: A user has two files for the word-list and hash digest. The digest is a bcrypt-md5 hash

Since Hashcat does not support the name of the hash, the user needs to provide the numeric id of it while launching the attack. These values can be found from hashcat help or the example page on AttackDefense. 

Now that the user has everything required for cracking the password, they can launch the brute-force attack by executing the following command:

Once the kernel is initialized and the comparison starts, the password will be broken and given to the user in the format HASH:PlainText

CrackStation

What differentiates CrackStation from John the Ripper and Hashcat is that CrackStation does not offer a standalone program to be installed on the computer. Instead, the tool is a free web-based password cracker that uses the dictionary attack technique to crack hashes. This allows the program to be used on any kind of operating system, desktop and mobile included. The program also supports multiple protocols, such as LM, md2, md4, md5, ,d5(md5_hex), md5-half, MySQL 4.1+ (sha1(sha1_bin)). NTLM, sha1, sha224, sha256, sha384, sha512, ripeMD160, whirlpool,), and QubesV3.1BackupDefaults. The only downside to CrackStation is that only non-salted hashes without random strings can be used. 

How Does Crackstation Work and What is a Use-Case?

Crackstation uses large pre-computed look-up tables to crack password hashes. These tables can store a mapping between the hash of a password, and the correct password for that hash. What makes it possible to quickly search the database for a given hash is that CrackStation indexes the hash values. If the hash is within the database, the password can be recovered in less than a second. However, this can only work for non-salted hashes. CrackStation offers a hashing security page to check password hashing systems that are not vulnerable to pre-computed look-up tables. 

Here is an example of a use-case for CrackStation:

• Cracking MD5 hashes: One of the most simple use-cases for CrackStation, the MD5 hash of a password can easily be translated to syntax using CrackStation. Let’s say for the password ‘[email protected]’ the corresponding MD5 hash is. Plugging in this MD5 hash into CrackStation, the tool returns ‘[email protected]’. 

Our Thoughts

These password-cracking tools are helpful additions to any system administrator's arsenal for creating strong passwords. In addition to these tools, system administrators should also practice important security measures such as safeguarding passwords through proper use. This means never sharing passwords, and having references kept in a secure location. Other security measures include changing passwords every 90-days and having all production service accounts use the same specifications as domain administrator accounts for their passwords. Passwords must also not be included in email messages or other forms of electronic communication. Following these guidelines will help keep accounts secure and information safe.