Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Ethical Password Cracking

You're reading from   Ethical Password Cracking Decode passwords using John the Ripper, hashcat, and advanced methods for password breaking

Arrow left icon
Product type Paperback
Published in Jun 2024
Publisher Packt
ISBN-13 9781804611265
Length 168 pages
Edition 1st Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
James Leyte-Vidal James Leyte-Vidal
Author Profile Icon James Leyte-Vidal
James Leyte-Vidal
Arrow right icon
View More author details
Toc

Table of Contents (17) Chapters Close

Preface 1. Part 1: Introduction and Setup
2. Chapter 1: Password Storage: Math, Probability, and Complexity FREE CHAPTER 3. Chapter 2: Why Crack When OSINT Will Do? 4. Chapter 3: Setting Up Your Password Cracking Environment 5. Chapter 4: John and Hashcat Rules 6. Part 2: Collection and Cracking
7. Chapter 5: Windows and macOS Password Cracking 8. Chapter 6: Linux Password Cracking 9. Chapter 7: WPA/WPA2 Wireless Password Cracking 10. Chapter 8: WordPress, Drupal, and Webmin Password Cracking 11. Chapter 9: Password Vault Cracking 12. Chapter 10: Cryptocurrency Wallet Passphrase Cracking 13. Part 3: Conclusion
14. Chapter 11: Protections against Password Cracking Attacks 15. Index 16. Other Books You May Enjoy

What is password cracking?

Password cracking is the process of recovering a secret from scrambled (typically encrypted or hashed) text. This very broad term encompasses many types of password storage and scrambling. As such, not all password-cracking operations are created equal – some passwords, as well as methods of password storage, are easier to crack than others. We will discuss this more throughout this book.

Password cracking can be broken down into various approaches to attempt to recover the secret:

  • Dictionary-based
  • Combination
  • Brute force
  • Hybrid
  • Partial knowledge, also known as mask attacks

Let’s discuss each of these in turn.

Dictionary-based attacks

Dictionary-based attacks, as you might have guessed based on the name, use a list of words or phrases as password candidates – the potential password we will test to see if it is the correct password. This list is informally referred to as a dictionary, even though it may or may not contain dictionary words. The wordlist may not resemble a dictionary much at all. This term is mostly a holdover to earlier times when many passwords were based on dictionary words, before password complexity requirements (such as adding uppercase letters, numbers, and symbols to a password) were common.

Speaking of complexity requirements, it seems like traditional dictionary words would not be as effective as password candidates during a password-cracking operation due to complexity requirements becoming more commonplace. We’ll address that in the upcoming sections.

Constructing a wordlist for a dictionary attack can be simple or a time-consuming effort. However, in many cases, spending time upfront for a good wordlist tailored to your target may reap dividends at cracking time. The tradeoff here is that your wordlist may not be as reusable for other password-cracking situations. We’ll discuss using open source intelligence (OSINT) to help build a wordlist in Chapter 2, Why Crack When OSINT Will Do?

A good and fairly large wordlist to start with is often the RockYou wordlist. This is named after the breach of the RockYou company in 2009, where over 32 million user credentials were exposed. While available in several places on the internet, a common location to download the RockYou wordlist is https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt. This list contains over 14 million unique password candidates and is also included in many common penetration testing distributions, such as Kali Linux (available at https://www.kali.org/get-kali/#kali-platforms) and Slingshot Linux (available at https://www.sans.org/tools/slingshot/).

Combination attacks

Combination attacks take two wordlists as input and concatenate (append together) one password candidate from each list to create the password candidate for testing purposes. For example, one wordlist might contain the words word1 and word2, while the second wordlist might contain the words word3 and word4.

In this scenario, a combination attack would use a word from both lists to create potential password candidates, such as word1word3, word1word4, word2word3, and word2word4.

Current guidance from the National Institute of Standards and Technology (NIST) recommends password length over complexity for the best resistance to password cracking. This helps encourage our users to create a password that is easy to remember but hard to crack and reflects the current guidance from NIST. This can be performed by stringing several dictionary words together and adding a mnemonic to help the user remember the password. This is only one approach, but this example points out – in conjunction with the current NIST guidance – that combination approaches to password cracking may be more effective as more users follow the guidance to shift to passphrases.

That being said, some standards may slow the adoption of longer, less complex passphrases. For example, the Payment Card Industry Data Security Standard (PCI-DSS) standard, which is required for merchants processing credit card data, requires 12-character passwords, as well as letters and numbers for passwords associated with accounts that have access to cardholder data.

Brute-force attacks

Brute-force attacks do exactly what their name suggests – every position in the password candidate is filled with every possible candidate for that position. For example, if a password can only be eight characters long, a brute-force approach might attempt aaaaaaaa as the password candidate, then attempt aaaaaaab, and so on, until the possibilities for the password are all attempted – exhausted. The problem with this approach is that once a password reaches any reasonable length, the time to perform this style of attack becomes untenable. Additionally, the number of character sets available to use for the password (lowercase, uppercase, numbers, and symbols) will also greatly increase the number of guesses to complete this kind of attack.

The good news for password cracking is that it is possible to crack any password with this approach. However, the amount of time it would take with today’s computing power makes it essentially folly for larger passwords or more complex (more time-consuming for each password guess) algorithms.

Hybrid attacks

Hybrid attacks merge some of the characteristics of combination attacks and brute-force attacks. A hybrid attack uses a wordlist as its base, then modifies the words in the wordlist by adding one or more characters to the word and brute-forcing the character space associated with that. As an example, let’s say I have the following word from my wordlist:

banana

However, I know the password policies of my target require a number in every password. I might try a hybrid attack that takes my word from my wordlist and adds a number after the word. So, now, my password candidates are as follows:

banana1
banana2
banana3
banana4

This allows us to test environments more effectively where users often append (add to the end) or prepend (add to the beginning) some base dictionary word for their password.

Partial knowledge, also known as mask attacks

Mask attacks leverage the idea that we partially understand the format used to construct a password to create a brute-force-like approach that is sped up due to assumptions we make about the password format.

An example will be helpful here. Let’s say that we are testing passwords for a company that requires one uppercase character, one lowercase character, and a number for their passwords. This is a common password complexity requirement in many companies, and many users will meet this requirement by taking a word (dictionary or otherwise), capitalizing the first letter of the word, and appending one or two numbers to the word.

Incidentally, this type of password requirement, along with 90-day password rotation intervals, can lead to the dreaded season-year password, where users will set their password to the name of the current season (Spring, Summer, and so on) and append a two or four-digit year to the password (Spring22/Spring2022, Summer22/Summer2022, and so on).

These complexity requirements may lead us to construct a mask for the password that assumes the user will choose a password that starts with a capital letter, then has five or six characters of lowercase letters, and ends with two or two digits from base10 numbering (0-9). This mask will attempt to brute-force any passwords meeting these lengths and criteria. While this will not retrieve every password in a given list, this approach historically yields high percentages of cracked passwords since this approach is a common one for users to take when constructing passwords.

Important note

We will suggest better methods for password construction and mitigations in Chapter 11.

You have been reading a chapter from
Ethical Password Cracking
Published in: Jun 2024
Publisher: Packt
ISBN-13: 9781804611265
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image