Password cracking plays a very important role in hacking. We are not always lucky to get credentials during enumeration. There are two types of password cracking.
Online password cracking
Offline password cracking
In this tutorial we will learn about online password cracking. There are many techniques used in online password cracking. Some of them are,
Dictionary Attack: Dictionary password attack is a password cracking attack where each word in a dictionary (or a file having a lot of words) is tried as password until access is gained. This method will be successful when simple passwords are set. By simple, I mean common passwords which can be found in a dictionary like “password”, “iloveyou” etc. This type of attack consumes less time but is not bound to be successful always especially if the password is not present in the dictionary.
Brute force Attack: Brute Force attack is a password cracking attack similar to dictionary attack. The only difference is in this attack, each and every possible combination is tried until the password is successfully cracked. For example, if there are two words say “abc” and “123” in a wordlist, other combinations like “abc1”, “abc2” and “abc3” a re also tried. Brute force attack will definitely succeed even if it means it will take years to do that.
Hybrid Attack: As the name suggests, it uses a combination of both dictionary and brute force password attacks to crack the password.
Rainbow Table Attack: Rainbow Table password cracking technique uses pre -computed hashes to crack the encrypted hashes.
Kali Linux has various tools in its arsenal for both online and offline password cracking. Some of the online password cracking tools are Acccheck, John The Ripper, Hydra and Medusa etc.
We have already seen the working of the tool Accheck during SMB enumeration. In this tutorial, we will see how to crack passwords with a tool called Hydra. THC-Hydra is a password cracker which uses brute forcing to crack the passwords of remote authentication services. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, FTP, HTTP, HTTPS, SMB, several databases and much more.
On our target Metasploitable2, we have many services which allow remote authentication like telnet, ftp and SSH. We also have rlogin available. We will use Hydra on one of these services. Hydra can be accessed from the applications menu of Kali Linux. It is available both in GUI and command line utility. For this tutorial, I’m using the graphical one.
Once opened, Hydra will look like shown below.
Change the target IP to that of Metasploitable’ s IP. There are many protocols to choose from Here I am choosing ftp. Change the port to 21 as ftp is running on port 21. I selected options “Be Verbose” and “show attempts” to see the cracking process.
Click on “passwords” tab. We can give a single username and password or a file containing a number of usernames and passwords. Here I am giving the same dictionary or wordlist for both username and password. This dictionary is big.txt. I selected the options “Try Login as password” , “Try empty password” and “Try reverse login”. These options are self explanatory.
The tuning tab is used to configure proxy and number of simultaneous tries. I left it as default.
I left even “specific” tab to default. When all the settings are set, go to “Start” tab. To start the attack, click on “Start” button.
The attack is displayed as shown below.
The time of the attack depends on the number of words present in the dictionary or the wordlist we specified. The password is cracked if the phrase is present in the dictionary. If the password is not there in the wordlist, we need to use another dictionary. The big.txt dictionary I used failed to crack the password. So I used another wordlist we made during enumeration “pass.txt”. After some time, Hydra found three valid passwords.
Scroll up to see what are those passwords.
Apart from Hydra, Kali Linux also has command line tools to use for password cracking. One such tool is Medusa. Open a terminal and type medusa to see the options of that tool. Below is the command in medusa to crack ftp using a wordlist.
Once medusa cracks a password, it will be shown as below. Once again we got three credentials we found also with Hydra.
We have used the same dictionary in both methods, but where do we find this dictionary or wordlist. Most wordlists of Kali Linux are present in /usr/share directory. Given below are different dictionaries in the “wordlists” folder.
These wordlists are named accordingly. For example, “common.txt” contains most common passwords used by users. But what if none of the dictionaries are helpless in cracking the password. Kali Linux also has tools to create our own dictionary or wordlist. Crunch is one such tool. The syntax is given below.
Here’s an example of how to create a wordlist with crunch.
We can also save the wordlist to a file as shown below.
