Posted on

Password Cracking for Beginners

Hello aspiring Ethical hackers. In this article, you will learn what is password cracking and various types of password cracking. In Ethical hacking, password cracking is recovering passwords from data that has been stored in or transmitted by a computer system. Hackers use password cracking to grab credentials which can be helpful in further exploiting of the system. There are various password cracking techniques. They are,

1. Shoulder Surfing
2. Password Guessing
3. Dictionary Attack
4. Brute Force Attack
5. Rainbow Table Attack  
6. Phishing
7. Sniffing
8. Malware

Let’s learn in detail of each attack.

1. Shoulder Surfing

Shoulder Surfing is one of the easiest password cracking techniques that doesn’t require use of any technology. In shoulder surfing, the hacker stands behind (or sits behind, position is not really important) the victim when he is entering his credentials and captures the credentials by simple observation. As you can see, this is the easiest way to capture credentials of the target.

2. Password Guessing

Another password cracking technique that doesn’t require any technology. In this technique, hacker tries to guess the password of the victim using his own mind. You may be surprised but this technique yielded me results at least 20% of the total attempts made.

3. Dictionary Attack

In a dictionary attack, a hacker uses a dictionary to crack passwords. A dictionary or wordlist has a huge list of words (possible passwords), each one of which is tried as a password. In Kali Linux, the dictionary or wordlists are present in /usr/share/dirb/wordlists directory.

4. Brute Force Attack

In a brute force attack, hackers use every possible criteria or password to crack the credentials. A brute force attack may be slow but it will eventually crack the password. A brute force attack works by calculating the hash function of every password string it has and compares it with one on the target system or victim.

5. Rainbow Table Attack

To understand Rainbow Table Attack, you need to first understand what is a Rainbow Table. A Rainbow Table is a database that contains huge list of plaintext passwords and their precompiled hashes. Unlike a Brute Force attack, Rainbow table attack bypasses calculation of a hash for every password string as it already has a pre compiled list of hashes.

6. Phishing

Phishing is one of the easiest methods to crack passwords. You have already learnt about phishing in our previous blogposts.

7. Sniffing

Sniffing or Man In The Middle (MITM) attack can also be used to crack passwords while they are on transit in a network.  Learn more about sniffing here.

8. Malware

Malware is another way hackers capture credentials of their victims. Once hackers gain initial access to a system, they install malware which allows hackers to not only perform further malicious actions but also capture user credentials from the target system.

Posted on

Name-That-Hash: A tool to identify hashes

Hello aspiring Ethical hackers. In this article, you will learn about a new tool named Name That Hash. Name That Hash is a hash identifying tool that can identify over 300 types including MD5 and SHA256. The other features of this tool include displaying summaries for the hashes identified, colored output and displaying in the order of their popularity etc. This tool can be installed from the repository of Kali as shown below.

Once this tool is installed, it can be started using command nth. To test a single hash, we can use “nth” with option “-t” as shown below. Let’s first give a MD5 hash.

nth -t <hash>

name that hash

Just like hashid and hash-identifier, this tool also got it right but it is giving us some additional information like where the hash is actually used. For example, Md5 is used in Linux shadow files. What about SHA-1 hash?

It got this right too. Next, let’s give it a LM hash.

It put this in the Least likely section. Next, let’s give it a NTLM hash.

It failed to get spot on NTLM too. Just like its predecessors, it correctly detected the SHA-512 and SHA-256 hashes.

The good thing about name-that-hash is that instead of being blank, it gives us more information about actually where the hash is used. This can be useful when you grab a collection of hashes from a target network. You can easily decide which hashes to crack and which not to crack.         
If you have more number of hashes, giving it one by one can be cumbersome. Luckily, you can give them all at once by saving these hashes in a text file as shown below.

and using “-f” option to specify the file.

nth -f <path to the file that has saved hashes>

The output which is not shown here is same as above.

Name-That-Hash is only designed to identify hashes unlike the other two but if you have a base64 encoded string, it can be decoded by nth using the “-b64” option.

nth -b64 -t <base64 encoded string>

It correctly decoded it as “hackercool” All the above are also encrypted hashes of the text “hackercool”.  Suppose you want the result to only display the most likely result, you can get this by using the “-a” option as shown below.

nth -a -t <hash>

If you observe the above images, you can see the banner of name-that-hash occupying lot of space. Just like me if this is putting you off, you can view result without banner using the “–no-banner” option. 

nth –no-banner <hash>

Once go to the image above the above image, the one where we used the “-a” option. Once, carefully observe the result. It correctly detected the hash as SHA-512. Next to it, you can see the text “HC 1700 JtR: raw-sha512”.                    This is HashCat (HC stands for HashCat) and John (JtR stands for John The Ripper) information being displayed by the tool because the next thing you will do after identifying the hash is to crack it using Hashcat or John. This requires what you need to put into these tools to crack it. For example, let’s take a simpler hash.

John The Ripper says its raw-md5. We need to just supply this format as shown below in JTR to crack this.

Similarly, the HC number given is “0”. Let’s supply it as shown below in HashCat.

However, if you are an experienced ethical hacker with too much details hurting your ego, you can just view the result without the information of John The Ripper using “–no-john” option.

nth –no-john -t <hash>

This is the difference.

You can do the same with HashCat information using “–no-hashcat” information.

nth –no-hashcat -t <hash>

The difference can be seen below.

That was all about this tool.

Posted on

Password Cracking in Penetration Testing : Beginners Guide

Password cracking plays a very important role in hacking. We are not always lucky to get credentials during enumeration. There are two types of password cracking.

Online password cracking
Offline password cracking

In this tutorial we will learn about online password cracking. There are many techniques used in online password cracking. Some of them are,

Dictionary Attack: Dictionary password attack is a password cracking attack where each word in a dictionary (or a file having a lot of words) is tried as password until access is gained. This method will be successful when simple passwords are set. By simple, I mean common passwords which can be found in a dictionary like “password”, “iloveyou” etc. This type of attack consumes less time but is not bound to be successful always especially if the password is not present in the dictionary.

Brute force Attack: Brute Force attack is a password cracking attack similar to dictionary attack. The only difference is in this attack, each and every possible combination is tried until the password is successfully cracked. For example, if there are two words say “abc” and “123” in a wordlist, other combinations like “abc1”, “abc2” and “abc3” a re also tried. Brute force attack will definitely succeed even if it means it will take years to do that.

Hybrid Attack: As the name suggests, it uses a combination of both dictionary and brute force password attacks to crack the password.

Rainbow Table Attack: Rainbow Table password cracking technique uses pre -computed hashes to crack the encrypted hashes.

Kali Linux has various tools in its arsenal for both online and offline password cracking. Some of the online password cracking tools are Acccheck, John The Ripper, Hydra and Medusa etc.

We have already seen the working of the tool Accheck during SMB enumeration. In this tutorial, we will see how to crack passwords with a tool called Hydra. THC-Hydra is a password cracker which uses brute forcing to crack the passwords of remote authentication services. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, FTP, HTTP, HTTPS, SMB, several databases and much more.

On our target Metasploitable2, we have many services which allow remote authentication like telnet, ftp and SSH. We also have rlogin available. We will use Hydra on one of these services. Hydra can be accessed from the applications menu of Kali Linux. It is available both in GUI and command line utility. For this tutorial, I’m using the graphical one.

Once opened, Hydra will look like shown below.

Change the target IP to that of Metasploitable’ s IP. There are many protocols to choose from Here I am choosing ftp. Change the port to 21 as ftp is running on port 21. I selected options “Be Verbose” and “show attempts” to see the cracking process.

Click on “passwords” tab. We can give a single username and password or a file containing a number of usernames and passwords. Here I am giving the same dictionary or wordlist for both username and password. This dictionary is big.txt. I selected the options “Try Login as password” , “Try empty password” and “Try reverse login”. These options are self explanatory.

The tuning tab is used to configure proxy and number of simultaneous tries. I left it as default.

I left even “specific” tab to default. When all the settings are set, go to “Start” tab. To start the attack, click on “Start” button.

The attack is displayed as shown below.

The time of the attack depends on the number of words present in the dictionary or the wordlist we specified. The password is cracked if the phrase is present in the dictionary. If the password is not there in the wordlist, we need to use another dictionary. The big.txt dictionary I used failed to crack the password. So I used another wordlist we made during enumeration “pass.txt”. After some time, Hydra found three valid passwords.

Scroll up to see what are those passwords.

Apart from Hydra, Kali Linux also has command line tools to use for password cracking. One such tool is Medusa. Open a terminal and type medusa to see the options of that tool. Below is the command in medusa to crack ftp using a wordlist.

Once medusa cracks a password, it will be shown as below. Once again we got three credentials we found also with Hydra.

We have used the same dictionary in both methods, but where do we find this dictionary or wordlist. Most wordlists of Kali Linux are present in /usr/share directory. Given below are different dictionaries in the “wordlists” folder.

These wordlists are named accordingly. For example, “common.txt” contains most common passwords used by users. But what if none of the dictionaries are helpless in cracking the password. Kali Linux also has tools to create our own dictionary or wordlist. Crunch is one such tool. The syntax is given below.

Here’s an example of how to create a wordlist with crunch.

We can also save the wordlist to a  file as shown below.

Posted on

Windows Local user hash carver exploit

Hi aspiring ethical hackers. In this article you will learn about the Windows Local user hash carver exploit. During a pen test, it  sometimes becomes necessary to change Windows password.

Although we have a hashdump feature to dump the password hashes of all users in a remote Windows system, this exploit directly changes the password of the user we want in the registry. Thus it saves the trouble of cracking the password hashes altogether.

This works on a local user account. This can be pretty useful if we need credentials but can’t crack the hashes. Mind that you need to have system privileges on the remote system to use this exploit (See how to escalate privileges). Let’s see how this exploit works.

First acquire system privileges on the system. Background the session (note the meterpreter session id) and load the hashcarver exploit as shown below.

Image explaining about usage of hash carver exploit Type command  “show options” to see the options required. Session is the meterpreter session id, user is the user in the remote system whose password you want to change and “pass” is the password you want to set for the user.

My session id is 2, Kanishka is the username for which I want to change the password and I want the new password to be “hacked”.

When all the options are set, execute the exploit using command “run.  The exploit runs as shown and successfully changes the password. That’s all in windows Local User Hash Carver exploit. Learn how to upgrade from Command shell to Meterpreter session

Posted on 6 Comments

Crack password hash es with Kali

Hello aspiring hackers. In this article, we will learn how to crack password hash es using kali. n many hacking scenarios, we encounter hashes. To those newbies who have no idea what hashes are, they are encrypted text ( literally we can’t call it text ). Normally they are used to encrypt passwords for website users, operating system users etc. Today our tutorial is about cracking hashes.

For this howto, we will use NewsP Free News Script 1.4.7 which had a credential disclosure vulnerability as shown below. Imagine we got the username and password hash as shown below. The only thing that stops me from accessing the website is password in encrypted format.

Image explaining how to crack hash es with kali linux

The first step in cracking hashes is to identify the type of hash we are cracking. Kali Linux has an inbuilt tool to identify the type of hash we are cracking. It’s hash-identifier. Open a terminal and type command hash-identifier.

Enter the hash we need to crack as shown above and hit ENTER. It will show the possible hash type as shown below. In our case, it is MD5 or a variant of it.

We can also use another tool hashid for similar purpose. It’s syntax is as shown below.

We know what the type of hash is. Now, it’s time to crack the hash. We will use a tool called ‘findmyhash’. To use this tool, we need to specify the hash type ( which we already know ) and hash after it as shown below. This tool tries to crack the hash by using various online hash crackers available.

After successfully cracking the hash, it will display us the corresponding password as shown below. In our case, the password is admin.

That’s all in how to crack password hash with Kali. Learn how to do SMB enumeration with Kali.