There are many ways to hack devices, websites, services and so on. These hacks succeed because they exploit an (often unknown) weakness in the system, or because a user makes a mistake, for example by falling for phishing. Sometimes it goes so far that the hacker also steals physical hardware in order to get at the data. But what if none of that is necessary? What if you can simply present yourself as the rightful user? Then you have access to all data and software, no alarm bells ring and the chance of getting caught is very small. There is usually only one thing in the way: the user's password. This post is about hacking passwords. How is it done, and how can you protect yourself against it?
DISCLAIMER: This post has been published for educational purposes. I am not responsible for any damage or fraudulent practices carried out with this knowledge. If you continue reading, you agree to use this information only for ethical purposes. If not, stop reading now and close this page!
Of course it does not go the way it does in Hollywood movies. Reality is usually a bit trickier and a lot less flashy. But there are several ways in which a password can be hacked. In this post I will go through the different methods, discuss a number of tools and explain how you can mitigate the hacking of your password.
AND WHAT ABOUT THE USERNAME?
A successful login is always a combination of two pieces of information: the username and the password. If either is wrong, the login attempt fails. So why do we only talk about the password? The username is just as important, yet it is rarely mentioned. Why?
The reason is simple: the username is usually easy to find. Usernames appear in a lot of log data, so if a hacker can read logs on the target device, or on another device the target sometimes logs on to, the username is often found quickly. A successful man-in-the-middle attack on an unencrypted protocol reveals the username (and usually the password) as well. On top of that a username is rarely complicated: it is usually a combination of your first and last name, or your e-mail address, and that information is easy to find too.
Systems also ship with generic accounts. Think of "admin", "administrator", "root" and even "guest". Specific products have their own default user: a hacker going after a Raspberry Pi will focus on the most common username there, "pi".
In short: the username is usually easy to obtain. Typically a list of plausible usernames is compiled together with a list of candidate passwords, and every password is then tried against every username on the list (trying a handful of common passwords against many usernames is known as password spraying).
The hardest piece of data, which is normally not found in log information, is the password. So let's focus on the password again!
PASSWORD HACKING METHODS
Let's start with the methods used to hack a password. There are a number of commonly used methods, and which one is used depends on the system or service whose password the hacker is trying to retrieve.
Note the word "trying" in the previous sentence. A hacker cannot always retrieve a password (Hollywood style). Whether it succeeds depends on a number of factors that are covered in the "mitigation" chapter. But while trying, the following methods can be used.
1. Guessing
The first method is simply guessing your password. The hacker finds out as much as possible about you online: your name, your children's names, your pets' names, date of birth, address and so on. Many people build a password from exactly this kind of data so that it is easy to remember. With that data in hand, the hacker first manually tries the most common combinations. Simply guessing, in other words.
2. Dictionary Attack
If guessing fails, the hacker builds a "password file" containing many candidate passwords. Besides these "user-based" combinations there are ready-made lists of words and word combinations (so-called dictionaries or wordlists). The hacker first uses the user-based dictionary and, if that fails, a general dictionary from his arsenal. A tool then tries each password against the system. Thousands of passwords can be tried this way until the actual password is found.
3. Brute Force Attack
If a dictionary attack does not turn up the password, the hacker can carry out a so-called "brute-force" attack, in which every possible combination up to a certain length is tried. If the hacker chooses a brute force over all letters and digits up to 7 characters, every combination from "0" up to "ZZZZZZZ" is tried. This method is much slower because far more combinations are tried, and its speed depends on the hacker's hardware: more processing power in the form of strong GPUs, many CPU cores or even a cooperating botnet makes a brute-force attack far faster than on a "simple" desktop PC.
How long a brute-force attack takes therefore depends on the length and the complexity of your password. Every extra character multiplies the number of candidates by the size of the character set, so the work grows exponentially: for upper- and lowercase letters plus digits (62 characters) an 8-character password has about 2.2 × 10^14 possibilities, 10 characters about 8.4 × 10^17 and 12 characters about 3.2 × 10^21. The times that are often quoted (hours for 8 characters, months for 10, centuries for 12) only hold for a particular hash type and hardware: a fast unsalted hash such as MD5 or NTLM on a GPU rig is cracked orders of magnitude faster than a slow, salted hash such as bcrypt.
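To make the arithmetic concrete, here is an added example (not code from the original post) in Python that enumerates a keyspace exactly the way a brute-force tool does and tabulates how the keyspace grows with length. The 10 GH/s crack rate, the SHA-1 hash and the demo password are assumptions chosen for illustration; real rates depend entirely on the hash type and the hardware.

```python
import hashlib
import itertools
import string

# Added example, not code from the original post. It shows the two things a
# brute-force attack boils down to: exhaustive enumeration of a keyspace, and
# the exponential growth of that keyspace with password length. The crack
# rate below is an ASSUMPTION used only to illustrate the arithmetic.
ASSUMED_RATE_PER_SECOND = 10_000_000_000  # 10 GH/s, plausible for a fast unsalted hash on a GPU rig


def sha1_digest(plaintext: str) -> bytes:
    """Stand-in for whatever fast unsalted hash the target uses."""
    return hashlib.sha1(plaintext.encode()).digest()


def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of candidate strings of length min_len..max_len over an alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(candidates: int, rate_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return candidates / rate_per_second


def brute_force(target_digest: bytes, alphabet: str, max_len: int):
    """Try every string over `alphabet` up to max_len characters, shortest
    first, until its hash equals target_digest.
    Returns (plaintext, attempts), or (None, attempts) if the keyspace is exhausted."""
    attempts = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            attempts += 1
            candidate = "".join(chars)
            if sha1_digest(candidate) == target_digest:
                return candidate, attempts
    return None, attempts


def growth_table(min_len: int = 6, max_len: int = 14):
    """Rows of (length, candidates with a 62-char set, candidates with a 95-char
    set, years to exhaust the 95-char keyspace at ASSUMED_RATE_PER_SECOND)."""
    rows = []
    for n in range(min_len, max_len + 1):
        mixed = keyspace(62, n, n)      # a-z, A-Z, 0-9
        printable = keyspace(95, n, n)  # all printable ASCII
        years = seconds_to_exhaust(printable, ASSUMED_RATE_PER_SECOND) / (365 * 24 * 3600)
        rows.append((n, mixed, printable, years))
    return rows


if __name__ == "__main__":
    # Constructed demo target: a 2-character password over digits and lowercase letters.
    alphabet = string.digits + string.ascii_lowercase
    print(brute_force(sha1_digest("9z"), alphabet, 2))  # ('9z', 396)
    for n, mixed, printable, years in growth_table():
        print(f"{n:2d} chars: {mixed:.2e} (62-set)  {printable:.2e} (95-set)"
              f"  ~{years:.3g} years at the assumed rate")
```

The table shows why length matters more than any single rule: each extra printable character multiplies the work by 95, and the assumed rate only moves the whole column up or down by a constant factor.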
4. Rainbow Table Attack
Passwords are usually not stored in readable form but as a "hash": the output of a one-way hash function. (This is often loosely called "encrypted", but unlike encryption there is no key and it is not meant to be reversible.) A hash has a fixed shape and length determined by the hashing method. A hash is often constructed in combination with a "salt": extra random data that is added to the password before hashing, so that two identical passwords hashed with the same method still end up with different hashes.
If a hacker obtains a list of password hashes that were stored without a salt, it is often enough to look each hash up in a so-called "hash table" (or lookup table). A hash table is really a "dictionary", but instead of plaintext passwords it holds their hashes, computed with the hashing method in use. The stolen hash is looked up in that table and, when it is found, you immediately have the readable password.
Hash lists whose hashes were salted are a lot harder to attack, and this is where the so-called "rainbow table" comes in. Rainbow tables and hash tables are often confused. A rainbow table is a time-memory trade-off: instead of storing a (password, hash) pair for every password, it stores "chains". A chain starts with a plaintext, hashes it, and then applies a "reduction" function that maps the hash back to some other plaintext in the keyspace. Note that this does not turn the hash back into its password: the reduction simply takes part of the hash (for example some of its bits) and converts that into a new, valid candidate password. That candidate is hashed again, reduced again, hashed again, and so on, typically for thousands of steps, and only the starting plaintext and the final plaintext (the endpoint) of each chain are stored. To crack a hash you apply the last reduction function to it and look the result up in the endpoint column. If there is no match, you assume the hash sits one step earlier in a chain: apply the second-to-last reduction, hash, apply the last reduction, and look up again. You repeat this, stepping back one position each time, until you have a match or have tried every position in the chain. On a match you regenerate the chain from its stored starting point, hashing and reducing step by step, until you reach the step whose hash equals the one you are looking for: the plaintext of that step is the password. (Occasionally the match is a false alarm, two chains merging into the same endpoint, in which case the regenerated chain does not contain the hash and you simply continue.) What makes it a "rainbow" table rather than an ordinary hash-chain table is that a different reduction function is used at each position in the chain, which keeps chains from merging and lets the table cover far more passwords for the same storage.
In short, a rainbow table is more complicated than a hash table and a lookup takes longer (thousands of hash calculations instead of one), in exchange for a table that is many times smaller. Note that a table is generated for one specific hash function, and a salt is effectively part of that function: with a very short salt (say the 12-bit, 4096-value salt of classic Unix crypt) a table per salt value is still feasible, which is the "if the salt is not too large" case, but a long random salt per password makes rainbow tables useless, because the table would have to be rebuilt for every single salt. For ordinary unsalted hashes the success rate is higher and, personally, I would simply use a hash table there.
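The difference between a hash (lookup) table and a rainbow table, and why a salt defeats both, is easiest to see in code. The following is an added example, not code from the original post or from any of the tools mentioned: a toy lookup table and a toy rainbow table over a constructed keyspace of three lowercase letters, with SHA-1 standing in for the unsalted fast hash and a made-up salt "s4lt". The chain length, the reduction function and the start points are all demo assumptions.

```python
import hashlib
import itertools
import random

# Added example (not code from the original post): a toy hash table and a toy
# rainbow table over a deliberately tiny keyspace, 3 lowercase letters, so
# the whole thing runs in well under a second. Alphabet, keyspace and chain
# length are constructed parameters chosen for the demo.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3
CHAIN_LEN = 50


def H(plaintext: str) -> bytes:
    """The hash function the stored passwords were hashed with."""
    return hashlib.sha1(plaintext.encode()).digest()


def R(digest: bytes, position: int) -> str:
    """Reduction function: maps a hash back INTO the keyspace (some valid
    3-letter string), NOT to the hash's preimage. Mixing in the chain
    position gives a different reduction per column, which is what makes
    this a rainbow table rather than a classic Hellman hash-chain table."""
    n = int.from_bytes(digest, "big") + position
    chars = []
    for _ in range(LENGTH):
        n, i = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[i])
    return "".join(chars)


def walk(start: str, steps: int) -> str:
    """Plaintext reached after `steps` hash/reduce rounds from `start`."""
    p = start
    for pos in range(steps):
        p = R(H(p), pos)
    return p


def build_lookup_table() -> dict:
    """Plain hash table: every plaintext in the keyspace and its hash.
    26**3 entries here; for real keyspaces this is what gets too big."""
    return {H("".join(t)): "".join(t) for t in itertools.product(ALPHABET, repeat=LENGTH)}


def build_rainbow_table(start_points) -> dict:
    """Store only endpoint -> start point(s). Each chain covers CHAIN_LEN
    plaintexts, so the table is ~CHAIN_LEN times smaller than a lookup table
    covering the same plaintexts."""
    table = {}
    for start in start_points:
        table.setdefault(walk(start, CHAIN_LEN), []).append(start)
    return table


def crack(target: bytes, table: dict):
    """Assume the target hash sits at column `pos` of some chain, finish the
    chain from there and look the endpoint up. On a match, regenerate that
    chain from its start to find the plaintext (and to reject false alarms)."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        p = R(target, pos)
        for k in range(pos + 1, CHAIN_LEN):
            p = R(H(p), k)
        for start in table.get(p, []):
            q = start
            for k in range(CHAIN_LEN):
                if H(q) == target:
                    return q
                q = R(H(q), k)
    return None


if __name__ == "__main__":
    rnd = random.Random(1)
    starts = {"".join(rnd.choice(ALPHABET) for _ in range(LENGTH)) for _ in range(500)}
    starts.add("abc")
    table = build_rainbow_table(starts)
    secret = walk("abc", 7)  # a password we know is covered by one of the chains
    print("rainbow table entries:", len(table), "vs lookup table entries:", 26 ** LENGTH)
    print("unsalted:", crack(H(secret), table))           # recovers `secret`
    print("salted  :", crack(H("s4lt" + secret), table))  # None: table built without the salt
    lookup = build_lookup_table()
    print("lookup unsalted:", lookup.get(H(secret)), "salted:", lookup.get(H("s4lt" + secret)))
```

The salted lookups fail in both tables for the same reason: the table was computed over the bare keyspace, and "s4lt" + password is simply not in it. Building a new table per salt is what a long random salt makes infeasible.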
If we are really talking about "cracking" passwords, then the methods above are the ones used. Because cracking can take a lot of time, other ways of obtaining passwords are used as well: phishing, social engineering, spying (for example shoulder surfing), or writing and deploying malware such as keyloggers.
There are also "hybrid attacks", which combine two or more of the attacks above. A well-known hybrid is the combination of a dictionary attack and a brute-force attack: every word from the list is tried and, if it fails, variants of the word are tried by substituting characters and adding characters to the beginning or the end of the word, brute-force style. For example, the dictionary may contain the word "password", while the hybrid attack also tries combinations such as "p@ssw0rd999".
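The dictionary attack and the hybrid attack above are easiest to understand as one pipeline: a user-based wordlist, a set of mangling rules, and an offline check against leaked hashes. Here is an added Python example of that pipeline; it is not code from the original post nor from John the Ripper or Hashcat, whose rule engines it only imitates in miniature. The profile, the "leaked" SHA-256 hashes and the rule set are constructed for the demo.

```python
import hashlib

# Added example, not code from the original post. It builds a "user-based"
# wordlist from a constructed (fictional) profile, applies hashcat/john-style
# mangling rules to it (the hybrid part), and runs the candidates against a
# constructed list of unsalted SHA-256 hashes, the offline situation in which
# these attacks are normally run. Names, dates and rules are demo assumptions.
PROFILE = {"first": "alice", "last": "smith", "pet": "rex", "city": "utrecht", "born": "1984"}

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = (
    [""] + ["!", "?", "123"]
    + [str(i) for i in range(100)]
    + [str(y) for y in range(1980, 2001)]
    + [str(y) + "!" for y in range(1980, 2001)]
)


def sha256_hex(plaintext: str) -> str:
    return hashlib.sha256(plaintext.encode()).hexdigest()


def base_words(profile: dict) -> list:
    """The user-based dictionary: personal facts and simple combinations."""
    p = profile
    return [p["first"], p["last"], p["pet"], p["city"],
            p["first"] + p["last"], p["pet"] + p["born"], p["first"] + p["born"]]


def mangle(word: str):
    """Hybrid rules: case variants x leet substitution x appended suffixes."""
    for cased in (word, word.capitalize(), word.upper()):
        for leeted in (cased, cased.translate(LEET)):
            for suffix in SUFFIXES:
                yield leeted + suffix


def candidates(profile: dict, extra_wordlist=()):
    """Yield each candidate once: user-based words first, then a generic list."""
    seen = set()
    for word in list(base_words(profile)) + list(extra_wordlist):
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack_hashes(target_hexes, profile: dict, extra_wordlist=()) -> dict:
    """Offline attack: hash every candidate and check it against the targets.
    Returns {hash: plaintext} for the hashes that were cracked."""
    remaining = set(target_hexes)
    found = {}
    for cand in candidates(profile, extra_wordlist):
        if not remaining:
            break
        h = sha256_hex(cand)
        if h in remaining:
            found[h] = cand
            remaining.discard(h)
    return found


if __name__ == "__main__":
    # Constructed "leaked" hashes: three weak passwords and one strong one.
    leaked = [sha256_hex(pw) for pw in ("Rex1984!", "alice1984", "R3x1999", "correct horse battery staple")]
    cracked = crack_hashes(leaked, PROFILE, extra_wordlist=["password", "welcome", "letmein"])
    for h in leaked:
        print(h[:12], "->", cracked.get(h, "<not cracked>"))
```

Run offline against a hash dump there is nothing to stop the few thousand candidates this generates; against a live login the same candidates would hit rate limits and lockouts, which is exactly why the mitigation chapter matters.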
HACKING PASSWORDS, THE TOOLS
There are many tools we can use to crack passwords. Sometimes custom scripts are written for the task; more often standard tools are used that are freely available or already present in distributions such as Kali Linux. These are my top 10 password cracking tools:
1. John the Ripper
John the Ripper is one of the most famous password cracking tools and is present in Kali Linux by default; there are also Mac and Windows builds. John the Ripper is fully configurable, combines various cracking methods (wordlist with rules, incremental brute force, and so on) and was originally focused on cracking weak Unix/Linux passwords. Out of the box John the Ripper supports crypt(3) DES and MD5 hashes, Kerberos and many others.
2. Aircrack-NG
Aircrack-NG is specially designed for recovering WiFi (WEP / WPA / WPA2) passwords. Aircrack-NG is a suite consisting of, among others, airmon-ng, airodump-ng and aircrack-ng. It works by capturing packets transmitted over the air: for WEP the key is recovered from enough captured traffic, for WPA/WPA2 the four-way handshake is captured and a dictionary attack is run against the pre-shared key. Aircrack-NG is a command-line tool, but there are various GUI-based scripts, such as Fluxion, that use Aircrack-NG in the background.
3. L0phtCrack
L0phtCrack is an alternative to OphCrack. OphCrack is a rainbow-table password cracker for Windows; L0phtCrack does this too but also offers dictionary attacks and brute forcing. L0phtCrack works on workstations, servers, Active Directory and so on, and in addition offers scheduled routine audits. L0phtCrack is a fantastic Windows password cracking tool.
4. Cain & Abel
Cain & Abel is, remarkably, only available for Windows and is used for cracking Windows passwords. However, Cain & Abel can do much more than recover Windows passwords: it can also act as a network sniffer or as a man-in-the-middle proxy, record VoIP calls, perform cryptanalysis attacks, reveal passwords hidden behind asterisks in password boxes, recover passwords from various caches, and so on. Cain & Abel works with dictionary attacks and brute-force attacks.
5. RainbowCrack
As the name suggests, RainbowCrack is a hash-cracking tool based on rainbow tables. RainbowCrack uses a large-scale time-memory trade-off and is therefore extremely fast at lookup time (the cost is paid up front when the tables are generated). RainbowCrack helps you generate rainbow tables, and the makers also make various ready-made tables (LM, NTLM, MD5, SHA1) available for download.
6. THC Hydra
THC Hydra is an online login cracker: it tries username/password combinations against a live network service. Medusa, Wfuzz and many other tools can do this too, but THC Hydra is a great choice if you want to attack HTTP form GET and POST, HTTP-GET, HTTPS-GET, IMAP, ICQ, IRC, LDAP, MS-SQL or NNTP logins, and these are far from the only protocols it supports. THC Hydra is fast, its functionality can be extended through modules, and it is available on almost all platforms.
7. Wfuzz
Wfuzz is a web application fuzzer that can also brute-force web login forms. Besides brute-forcing passwords it can discover hidden resources such as scripts, directories and servlets. Wfuzz supports proxies and SOCKS and can be set to pause after a given number of requests. Its output can be formatted as HTML.
8. HashCat
HashCat is perhaps the best known password cracker. According to its documentation HashCat is the fastest password cracker around, because it runs on GPUs (via OpenCL/CUDA) and scales across multiple devices (up to 128 GPUs). HashCat offers dictionary, rule-based, mask (brute-force) and hybrid attack modes and handles well over 150 hash types, including MD5, SHA-1, SHA-512, IKE-PSK, Kerberos 5 and so on.
9. Crowbar
Crowbar (formerly Levye) makes my top 10 because it supports protocols that many popular password cracking tools do not: VNC key authentication, OpenVPN, SSH private key authentication and RDP with NLA. Crowbar uses brute-force methods but works differently from other tools: where most SSH brute-force tools try usernames and passwords, Crowbar tries a set of SSH private keys (if these could be obtained) against the target.
10. Brutus
Brutus is an older password cracking tool that has not been maintained for a while. Like Cain & Abel, Brutus is only available for Windows. Despite its age it can still be very handy in many cases. Brutus supports the following authentication types by default: HTTP (basic authentication and HTML form/CGI), POP3, FTP, SMB, Telnet, IMAP and NNTP, and additional authentication schemes can be downloaded. Brutus focuses primarily on dictionary attacks. A great feature is that you can pause an ongoing run and resume it later. Brutus can also open up to 60 simultaneous connections and work with no, one, or multiple usernames.
MAKE YOUR PASSWORD UNHACKABLE (IS THAT A WORD ?!)
As you can see, there are quite a few tools for recovering passwords, and the list above is only the tip of the iceberg. If someone wants to retrieve a password there are plenty of methods and tools to do it. Whether they succeed, however, depends largely on your own effort to secure your password and make it as strong as possible. Below are a number of rules of thumb for securing your password.
1. Password strength
A strong password is much harder to find than a weak one, and a long password is harder than a short one. Add some special characters and digits and you are well on your way. For a strong password, observe the following rules:
- More than 12 characters
- Use at least 1 symbol
- Use at least 1 capital letter
- Use at least 2 digits
- Do not use personal information (zip code / name etc).
- Change your password periodically (at least every 6 months)
- Never use the same passwords for different services / systems
The above rules may be quite a challenge at first, but once you are used to them it becomes a simple and quick routine that greatly increases the security of your password, and thus of your account and data.
If you want to see how strong your password is, you could use this website. However, only enter a variant of your current password there, never the real one: a website like this can log whatever you type and thereby obtain your password. So always be careful with this.
Tip: if you have trouble remembering all those different, more complex passwords, use a password manager such as "Lastpass". Do secure access to your password manager according to the guidelines above and below, because whoever has access to your password manager immediately has access to all your passwords and therefore all your accounts.
2. Strong Username
A lot less important than a strong password, but a strong username can help mitigate account hacking. Access to a service or account is usually granted on the combination of a username and a password. If a hacker has not been able to find your username, he will try default usernames or "logical" ones such as your initial plus last name, your last name or your e-mail address. So do not use "logical" data in your username, or mix it with other information. The username "JarnoBaselier" is a lot less secure than "JarnoWritesABlog" or even "JarnoJarno3". If you have the choice, make your username as "illogical" as possible.
3. Two-Factor Authentication
When you have the option of two-factor authentication (also called two-step verification or multi-factor authentication), ALWAYS enable it. Two-factor authentication means you log in twice: with something you know (your password) and additionally with something you have (your phone, a hardware key) or something you are (a fingerprint). So you first log in with your username and password and, if those are correct, the system asks for the "second factor". Often that is a code shown in an authenticator app on your phone such as Google Authenticator, or a code sent by SMS or e-mail; sometimes it is a fingerprint or an iris scan. Whichever method you activate, it makes your account far harder to take over: a hacker must also have your phone, fingerprint or other factor before he can misuse your account, even if he has managed to crack the password.
Note that two-factor authentication via e-mail is the least secure method. Better than nothing, but there is a good chance the hacker also gained access to your e-mail after retrieving your password, so that he can still complete the second step. SMS codes are only slightly better, since they can be intercepted by SIM swapping; an authenticator app or a hardware security key is the stronger choice.
4. Disable unused accounts
Disable all accounts that are not being used. Administrator? Guest? If you are not using them, switching them off is the best option, so that they cannot be misused. If you do not want to disable them, at least change their passwords to very hard-to-crack ones according to the guidelines in step 1.
5. Don’t fall for Phishing
Phishing is often aimed at retrieving your password. So never enter your password on websites you do not trust. Always check that the URL is correct and that the website uses a valid TLS certificate (the padlock on HTTPS sites). Note that a valid certificate only proves that you are talking to that domain securely, not that the domain is legitimate: phishing sites use valid certificates too, so the URL check is the one that matters.
6. Set up a 2nd e-mail account
Many (e-mail) services let you register a second e-mail address. This backup address is used when you no longer have access to your active account: recovery information is sent there. So always set up this second (backup) e-mail address so that you can always recover your primary account, and protect that backup account just as well, because whoever controls it can reset your primary password.
7. The obvious
Of course we could go on for a while. Keep your computer malware-free. Log out of your accounts when you are done. Clear your cookies when you close the browser. Use HTTPS whenever possible, and so on. There are many ways in which hackers can retrieve your passwords, but points 1 to 5 are the key to success. If you follow them, the chance that your password gets hacked is very small.
I hope you found this post interesting! Yes? Then give it a big thumbs up on Facebook and share it with your friends or other interested parties. Positive feedback ensures that more articles like this come online and that I keep writing about security and tips! Thank you!