Hacking passwords, how do we do it?


There are many ways to hack devices, websites, services and so on. These hacks succeed because they exploit a (known or unknown) weakness in the system, or because a user makes a mistake, such as falling for phishing. Of course, many other methods can be devised. Sometimes it goes so far that the hacker also steals physical equipment in order to gain access to data. But what if none of that is necessary? What if you can simply pretend to be the rightful user? Then you have access to all data and software, no alarm bells ring, and the chance of being caught is very small. There is often only one thing that stands in the way: the user’s password. In this post, I’m talking about hacking passwords. How do we do it, and how can you protect yourself against it?

Of course it’s not like the Hollywood movies. Reality is usually a bit trickier and less flashy. But there are several ways a password can be hacked. In this post I will tell you about the different methods, we will discuss a number of tools and I will tell you how you can mitigate the hacking of your password.

AND WHAT ABOUT THE USERNAME?

A successful login is always a combination of two pieces of data: the username and the password. If either is incorrect, the login attempt fails. So why do we only talk about the password? The username is equally important, yet it is rarely discussed. Why?

The reason is quite simple. The username is usually quite easy to figure out. Usernames appear in a lot of log data, so if a hacker can get hold of log data from the device, or from another device that the target sometimes logs on to, the username is often easy to find. Successful man-in-the-middle attacks also reveal the password. In addition, a username is often not complicated. It is usually a combination of your first and last name, or your email address. This information is also quite easy to find.

Also, common default usernames are often present on a system. Think of “administrator”, “root” and even “guest”. Specific systems also have a generic default user. If a hacker wants to hack a Raspberry Pi, he will focus on the most common username, namely “pi”.

In short, the username is often quite easy to figure out. Usually a list of possible usernames and a list of different passwords are compiled. These passwords are then tried against every possible username on the list.

The most difficult item, which usually cannot be found in logging information, is the password. So now let’s focus on the password again!

PASSWORD HACKING METHODS

Let’s start with the methods used to hack a password. There are a number of commonly used methods. The method used depends on the system or service whose password the hacker is trying to retrieve.

Let’s emphasize the words “trying to retrieve” in the previous sentence. A hacker cannot always retrieve a password (Hollywood style). Whether this succeeds depends on a number of factors, which are covered in the “mitigation” chapter. But while “trying”, the following methods can be used.

1. Guess

The first method often used is simply guessing your password. The hacker will try to find out as much as possible about you online. What your name is, what your children are called, what your pets are called, dates of birth, address etc. Many people use a combination of these details to form a password. This is so that the password can be easily remembered. If the hacker has this data, he will first try to manually enter the most common combinations. Simply “guess”.

2. Dictionary Attack

If simply guessing the password fails, the hacker will create a “password file” with many different password combinations. In addition to these “user-based” combinations, there are existing lists of words and word combinations (so-called dictionaries). The hacker will first use his user-based dictionary and, if this fails, a default dictionary from his arsenal. The hacker tries these passwords against the system by means of a tool. Thus, thousands of passwords can easily be tried until the actual password is discovered.

3. Brute Force Attack

If the password cannot be retrieved by means of a dictionary attack, the hacker can carry out a so-called “brute-force” attack. In a brute-force attack, all possible combinations are tried up to a certain length. If the hacker chooses a brute-force attack over all possible letters and numbers up to 7 characters, then every combination from 0 to ZZZZZZZ is tried. This attack method is much slower because many more combinations are attempted. The speed depends on the hacker’s hardware configuration. More processing power in the form of strong GPUs, processors or even collaborating botnets makes a brute-force attack much faster than on a “simple” desktop PC.

Retrieving a password through a brute-force attack therefore depends on the length and the complexity of your password. Each additional character takes substantially more time to process. An 8 character password will be cracked within hours, but a 10 character password will take months to recover. A 12 character password would take several centuries.

4. Rainbow Table Attack

Passwords are usually not stored in plaintext but as a “hash”. A hash has a fixed form and format that is determined by the hashing method. Often the hash is constructed in combination with a “salt”. If the hash is “salted”, extra random data is mixed into the password before it is hashed, so that two identical passwords hashed with the same method still end up with different hashes.

If a hacker has obtained a list of password hashes that were stored without “salting”, it is often sufficient to look up each hash in a so-called “hash table”. A hash table is essentially a “dictionary”, but instead of plaintext passwords it contains the passwords hashed with the hashing method in use. The captured hash is looked up in the table, and when it is found you immediately have the correct (readable) password.

Lists of hashes that were constructed using salting are a bit trickier. A so-called “rainbow table” is often used to retrieve a “readable” password. Rainbow tables and hash tables are often confused. A rainbow table can be very large, depending on the number of characters and the character set used. A rainbow table works with “chains”. These chains are built with a “reduction” function, which is in effect a “hash-to-plaintext” function. Note that this does not convert the hash back into the original password: part of the hash is discarded and the remaining part is mapped onto a new plaintext candidate. You hash a plaintext password, reduce the result (drop part of it), hash again, reduce again, and so on. Usually there are 3 reductions in a chain, but there can be more. The rainbow table only stores the starting point of each chain (the first plaintext) and its end point. To crack a hash, you look it up in the “endpoint” column of the table. If it is found, you know which chain the password is in. If it is not found, you reduce the hash (drop part of it), turn it into a plaintext, hash that new plaintext and look up the result again. You repeat this until you have a match. Once you have a match, the actual password is somewhere in the chain in which it was found, so the chain is run again from its starting point and all candidate passwords in it are noted. These are then tried until the working password is found.

In short, a rainbow table is more complicated than a hash table and also takes longer to execute. With rainbow tables, salted hashes (provided the salt is not too large) can sometimes be retrieved. Retrieving ordinary hashes gives a higher success rate, but personally I would choose to use a hash table.
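The chain mechanics described above, as an added toy example that is not part of the original post: a rainbow table over 3-letter lowercase passwords with 3 reductions per chain, SHA-256 as the hashing method, and a lookup that also shows why a salted hash of the same password is not found. The alphabet, chain length, start points and salt value are constructed for the demo.

```python
import hashlib
import itertools

# Constructed toy parameters: 3-letter lowercase passwords, 3 reductions per chain
# (the post says chains usually use 3), SHA-256 as the hashing method.
CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3
CHAIN_LEN = 3


def hash_pw(plaintext: str, salt: str = "") -> str:
    """Hash a password; with a non-empty salt the salt is prepended before hashing."""
    return hashlib.sha256((salt + plaintext).encode()).hexdigest()


def reduce_hash(digest: str, position: int) -> str:
    """Map a hash back into the password space. This is not an inverse of the hash:
    it keeps only part of the digest. `position` is mixed in so each column of a
    chain uses a different reduction, which is what distinguishes a rainbow table
    from a plain hash chain table."""
    n = int(digest, 16) + position
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def build_table(start_points):
    """Run hash -> reduce CHAIN_LEN times from each start; store only start and end."""
    table = {}
    for start in start_points:
        pw = start
        for pos in range(CHAIN_LEN):
            pw = reduce_hash(hash_pw(pw), pos)
        table.setdefault(pw, []).append(start)  # endpoint -> starts (collisions happen)
    return table


def lookup(table, target_hash):
    """Assume the target hash sits in column i, walk the chain to its end, and look the
    endpoint up. On a hit, replay that chain from its start and test every candidate."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_hash(target_hash, i)
        for pos in range(i + 1, CHAIN_LEN):
            pw = reduce_hash(hash_pw(pw), pos)
        for start in table.get(pw, []):
            cand = start
            for pos in range(CHAIN_LEN):
                if hash_pw(cand) == target_hash:
                    return cand
                cand = reduce_hash(hash_pw(cand), pos)
    return None  # endpoint never matched, or the match was a chain collision


# Constructed start points: the first 2000 passwords in alphabetical order.
START_POINTS = ["".join(t) for t in itertools.islice(
    itertools.product(CHARSET, repeat=PW_LEN), 2000)]
TABLE = build_table(START_POINTS)

if __name__ == "__main__":
    print(lookup(TABLE, hash_pw("aaa")))             # a start point: found
    print(lookup(TABLE, hash_pw("aaa", salt="9f")))  # same password, salted: None
```

The salted lookup fails because the table was built for unsalted hashes; a defender who stores salted hashes forces an attacker to build a separate table per salt value.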

Other Methods

If we are really talking about “cracking” passwords, the above methods are the methods used for this. Because cracking passwords often takes a lot of time, other methods are also used to retrieve passwords. Think of phishing, social engineering, spying or writing and implementing malware or keyloggers.

There are also “hybrid attacks”, which are a combination of two or more attacks. A well-known hybrid attack combines a dictionary attack with a brute-force attack. In this type of attack, each password in the list is tried and, if it fails, the password is supplemented with extra characters according to the brute-force principle. For example, certain characters can be substituted and characters can be added at the beginning and end of the word. So the word “wachtwoord” (Dutch for “password”) may appear in the dictionary, but the hybrid method will also try multiple variants such as “w@chtw00rd999”.

HACKING PASSWORDS, THE TOOLS

There are many types of tools that we can use for cracking passwords. Sometimes custom scripts will be written to perform this task. More often, default tools will be used which are available for free or already present in distributions like Kali Linux. These are my 10 top password cracking tools:

1. John the Ripper

John the Ripper is one of the better known password hacking tools and is present in Kali Linux by default. There are also Mac and Windows variants of John the Ripper. John the Ripper is fully configurable to your liking and insight and combines different cracking methods and is specifically focused on cracking weak Linux passwords. Out-of-the-box John the Ripper supports crypt(3), DES, MD5, Kerberos and many more.

2. Aircrack-NG

Aircrack-NG is specially designed for recovering WiFi (WEP/WPA(2)) passwords. Aircrack-NG is a suite which consists of Airmon, Airodump and Aircrack. Aircrack-NG finds out WiFi passwords by analyzing packets that are sent wirelessly. Aircrack-NG is a command-line tool, but there are various GUI-based scripts that use Aircrack-NG in the background, such as Fluxion.

3. L0phtCrack

L0phtCrack is an alternative variant of OphCrack. OphCrack is a rainbow-table password cracking tool for Windows. L0phtCrack is also this but offers multiple functions such as dictionary attacks and brute forcing. L0phtCrack works on workstations, servers, network drives, AD etc. In addition, L0phtCrack offers configurable routine audits. L0phtCrack is a fantastic Windows password cracking tool.

4. Cain and Abel

Remarkably, Cain and Abel is only available for Windows systems and is used for cracking Windows passwords. However, Cain and Abel can do much more than just recover Windows passwords. It can also act as a network sniffer or as a man-in-the-middle proxy. It can also record VoIP conversations, perform cryptanalysis attacks, reveal password boxes, retrieve passwords from different caches, etc. Cain and Abel works through dictionary attacks and brute-force attacks.

5. RainbowCrack

RainbowCrack is, as the name suggests, a hash-cracking tool based on rainbow tables. RainbowCrack uses a “large-scale time-memory trade off process” and therefore works extremely fast. RainbowCrack helps you generate the Rainbow tables, but the makers have also made several rainbow tables (LM, NTLM, MD5, SHA1) available for download which you can use for free.

6. THC Hydra

THC Hydra is a web application cracking tool for recovering passwords. Medusa, Wfuzz and many other tools are available to crack web applications. However, THC Hydra is a great choice if you’re trying to figure out HTTP-FORM-GET and POST, HTTP-GET, HTTPS-GET, IMAP, ICQ, IRC, LDAP, MS-SQL, NNTP passwords. These are not the only authentication methods that are supported, however. THC Hydra is incredibly fast and the functionality can be expanded through various modules. THC Hydra is available on almost all platforms.

7. Wfuzz

Wfuzz is a web application password cracking tool. Wfuzz cracks passwords by brute-forcing but at the same time tries to find hidden resources such as scripts, dictionaries and servlets. Wfuzz supports the use of proxy and SOCKS and can be set to pause after x number of requests. Generated output is a formatted HTML

8. HashCat

HashCat is perhaps the best known password cracker. According to the documentation, Hashcat is one of the fastest password crackers because HashCat uses multi-threading and thus functions optimally on modern computers. HashCat also supports multiple (up to 128) GPUs and focuses on cracking passwords via dictionary attacks. HashCat can handle more than 150 algorithms including MD5, SHA-1, SHA-512, IKE-PSK, Kerberos 5 etc.

9. Crowbar

Crowbar (formerly Levye) is in my top 10 list because Crowbar supports authentication methods that many popular password cracking tools don’t, such as VNC key authentication, OpenVPN, SSP private key authentication and RDP with NLA. Crowbar uses brute-forcing methods. Crowbar also works differently from other tools: where many SSH brute-force tools use a username and password, Crowbar tries to use SSH keys (if they can be intercepted).

10. Brutus

Brutus is a somewhat older password cracking tool that has not been maintained for a while. Like Cain and Abel, Brutus is only available for Windows. Despite its age, it can still be very handy in many cases. Brutus supports the following authentication methods by default: HTTP (basic authentication & HTML Form/CGI), POP3, FTP, SMB, Telnet, IMAP, NNTP. Several other authentication schemes can be downloaded for more functionality. Brutus mainly focuses on performing dictionary attacks. A nice feature of Brutus is that you can pause a running process and restart it later. Brutus can also make 60 simultaneous connections and work with zero or more usernames.

MAKE YOUR PASSWORD UNHACKABLE (IS THAT A WORD?!)

As you can see above, there are quite a few tools to retrieve passwords. The above list is just the tip of the iceberg. If you want to retrieve a password, there are various methods and tools to do this. However, the chance of success depends on your own efforts to protect your password and make it as strong as possible. Below are a few rules of thumb for protecting your password.

1. Password strength

A strong password is much more difficult to retrieve than a weak password. A long password is more difficult than a short password. Include some special characters and numbers and you’re well on your way. For a strong password, observe the following rules:

  • Longer than 12 characters
  • Use at least 1 symbol
  • Use at least 1 capital letter
  • Use at least 2 numbers
  • Do not use any personal information (postal code / name etc).
  • Change your password periodically (at least every 6 months)
  • Never use the same passwords for different services/systems

The above rules may be quite a task to handle at first. However, once you get used to it, it becomes a simple and quick routine that greatly increases the security of your password, and thus your account and data.

If you want to see how secure your password is, you could use a password strength checking website. Only enter a variant of your current password there, never the real one. Such a website can also log the passwords that are entered, so always be careful with this.

Tip: If you have trouble remembering all those different, more difficult passwords, use a password manager like “Lastpass”. However, secure access to your password manager according to the guidelines above and below. If people have access to your password manager, they have immediate access to all your passwords and therefore all your accounts.

2. Strong Username

A lot less important than a strong password, but a strong username can certainly help mitigate account hacking. Often access to a service or account is given through the combination of a username and a password. If a hacker has not been able to find out a username, he will use default usernames or usernames that are “logical” such as your initial + surname, your last name, your e-mail address, etc. So do not use “logical” data in your username or mix it with other information. The username “JarnoBaselier” is a lot less secure than “JarnoSchrijftEenBlogje” or even “JarnoJarno3”. So try to make your username as “illogical” as possible, if you have the choice.

3. Two Factor Authentication

When you have the choice to use two-factor authentication (also called 2-way authentication or multi-factor authentication), it is important that you ALWAYS enable it. Two-factor authentication means that you log in twice: usually with something you know (like your password) combined with something you have (like your phone, fingerprint, email etc.). So you first log in with a username and password and, if these are correct, the system asks you to log in with “the 2nd factor”. Often you have to enter a code shown in an authenticator app on your phone, such as Google Authenticator, or a code is sent by SMS or e-mail. Sometimes you can log in with a fingerprint or an iris scan. It doesn’t matter which two-factor authentication method you activate; activating it makes you 90% more secure than without two-factor authentication. A hacker still needs your phone, fingerprint or other factor before he can abuse your account, even if he managed to hack the password.

Note that two-factor authentication via email is the least secure method. Better than nothing, but there is a chance that the hacker has also gained access to your e-mail after recovering your password, so that he can still successfully perform the two-factor authentication.

4. Disable unused accounts

You can disable all accounts that are not being used. Administrator, Guest? If you’re not using it, turning it off is the best option. That way, the accounts cannot be abused. If you don’t want to disable them, change the password to a very hard to crack password according to the guidelines in step 1.

5. Don’t fall for Phishing

Phishing is often aimed at recovering your password. So never enter your password on websites that you do not trust. Always check that the URL is correct and that the website uses a valid SSL certificate (in the case of HTTPS websites).

6. Set up a 2nd e-mail account

Many (e-mail) services give you the option to set up a 2nd e-mail account. This 2nd email account will be used if you no longer have access to your active account. Recovery information can be sent to this 2nd email account. So always set up this 2nd (backup) email account so that you can always restore your primary account.

7. The obvious

Of course we could go on and on. Make sure your computer is malware-free. Log out of your accounts when you’re done. Delete your cookies when you close the browser. Use HTTPS if possible etc. There are many methods by which hackers can retrieve your passwords. Points 1 to 5, however, are the key to success. If you follow these points, the chance that your password will be hacked is extremely small.

I hope you found this post interesting! Yes? Then give a big thumbs up to Facebook and share the message with your friends or other interested parties. Positive feedback ensures that more articles like this come online, so I keep writing about security and tips! Thank you!
