Password Cracking

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search

Summary

This articles provides the required knowledge in the field of key recovery. It gives the reader a brief introduction to password cracking in general. It also provides background information about common password attacks, attack modes and cracking tools. The article goes into more detail about the popular tools John the Ripper and Hashcat. Furthermore presenting a general guideline for offline password cracking. See also Related Articles. Acquisition and Cracking of macOS User Passwords or WPA/WPA2 PSK deauthentication attack may be used as an hands-on example.

Introduction

Password cracking or Password recovery is used in IT-Security and Cryptanalysis to recover passwords or digital keys in general, which are the most critical part of a digital identity that is associated with a specific service. To acquire such digital keys, common Password Attacks are employed to infer the corresponding key. Other techniques, like social engineering or dumpster diving, are also possible in some scenarios. Keys are unspaced sets of characters that allow to authenticate against a given security mechanism in order to gain access to data, programs, or secured systems. However, these techniques could also be used to gain unauthorized access to a remote system.

Once a key has been recovered, it can subsequently be used to undermine a digital authentication process, which provides privacy protection by mitigating risks of unauthorized access to individuals’ information. In other words, a key must be kept secret by a claimant, humanoid or not, while the verifier confirms the claimant’s identity. Additionally, choosing a strong password is crucial to prevent cracking and render recovery impossible. Furthermore, a Multi-factor (MFA) or Two-factor authentication (2FA) is recommended, since a claimant has to provide more factors to the verifier than just one key, which are something the claimant knows (knowledge), has (possession) or is (inherence), whereby a password recovery becomes pointless without knowing of the factors possession or inherence. [P1]

It should be noted that keys can be available in various forms. On the one hand, clear-text passwords can be transmitted over the network or stored locally, which then only needs to be intercepted or found. On the other hand, passwords can also appear in encoded, hashed or obfuscated forms. The latter differs in that the obfuscated password is brought back to its original form with the appropriate reverse algorithm. In contrast, a hashed password benefits from the one-way properties of the algorithm used and can only be concluded by hashing guessed password repeatedly and comparing them to the target hash until the original password or any rare hash collision has been found. In the following, only hashed keys are treated.

In order to be able to conclude on the original keys, high computing power is needed. Calculations can be done either by using CPUs with a small number of cores that have been developed for the sequential execution of processes. Alternatively, by using GPUs, which have a very high number of cores working in parallel, making them theoretically ideal for password cracking. The time to crack a password depends on its entropy, measured by the bit strength of a password and as well as the password length forming the target keyspace.

Background

Password Attacks

Password attacks can be performed in two ways. On the one hand, in the case of online attacks, designated system interfaces are used to try out passwords and, on the other hand, offline attacks in which hashed passwords were obtained via other channels and then processed locally at any time. Online attacks are much slower because the calculations are performed by the target, while the latency of the network link also plays an important role. Furthermore, such attacks could be detected and prevented by the attacked systems. Examples would be attacks on SSH or any web-based login form. On the other hand, offline attacks can no longer be detected after the hashes have been obtained and can be carried out highly effective since only hashes are calculated and compared here, but no further communication or processes between systems or the like are required.

As it is common in most areas of life, there is not only black and white but also the grey zone in between. For this reason, it should be noted that there are also non-electronic attacks on passwords, such as dumpster diving or social engineering. But also more drastic but highly effective ways like Coercion by the government or Rubber-hose cryptanalysis (torture) can be taken, in which the human factor as the weakest link in the chain is attacked. This work is focused on offline attacks, and no human nor animal has been harmed during this work. See also Password Security.

Attack Modes

The following paragraphs present the most common modes used with password attacks.

Brute-force attacks try all possible passwords until the right one is found. Such password crackers generate and hash in the worst case every possible password in the keyspace, while none of these intermediate results are stored. Every hashed password is compared to the target hash on the fly until a match, and thus also a valid password has been found. This may be the original password or any rare hash collision. The success probability is given if the target password is in the known keyspace. However, for this attack, an extremely high computing power is needed to reach the target in a reasonable time.

Dictionary attacks are a special kind of a brute force attack where the keyspace is restricted by using a dictionary (aka. wordlist). These wordlists usually contain common passwords grouped by specific criteria, which are then processed by crackers in sequence. The advantage is that one can quickly cover the most common passwords, so that these kinds of attacks are very effective, as many users use common weak passwords which are easy to remember. This can easily be fought by using passwords without underlying semantics. The best-known wordlist is the rockyou.txt, which contains 32 million passwords. Its content originates from a data leak of the company RockYou from the year 2009, who stored their passwords in clear-text.

Rainbow attacks are just a more specialized form of dictionary attack, where pre-computed hashes are stored in so-called rainbow tables. This serves as a lookup table to invert a certain hash function. This variant results in a time-memory trade-off, where the process is faster since only comparison operations have to be performed, but this is only effective if the rainbow-table is stored in RAM, furthermore rainbow-tables take up more space on the hard disk than wordlists. The use of a key derivation function that uses a salt makes this attack infeasible.

Hybrid attacks combine brute force and dictionary attack by appending or prefixing each entry of a wordlist with all permutations of the brute force keyspace. It is a great method if the format of a password ist known. An example would be the use of the word ’password’ combined with all numbers from 0 to 9999. This is also very useful with usernames of com- panies using simple rules like an identifying string combined with an incrementing number. (e.g. Pass1234)

Rule-based attacks use methods to change passwords to cover all variants. It is a very flexible and efficient attack, but also very complicated to cover all desired cases. Ideal if the password requirements for a system are known, since passwords shall be easy to remember while being secure at the same time, many users use common passwords and modify them in a way that they match the password policy. (e.g. ’P@ssw0rD’)

Syllable attacks are again a combination of brute force and dictionary attack in which all permutations of each word within a wordlist are checked. This is used when the password is not a real word and is often better than pure brute-forcing.

Other attacks, like Combinator, Fingerprint, Mask, Toggle-Case, Permutation, Table- Lookup, PRINCE may be similar to the ones noted above and shall be mentioned but are not covered in any detail here.

Wordlists

Wordlist aka. dictionary attacks are often the first step to take when cracking passwords, since most users use common passswords or mutations of those. Besides the classic rockyou.txt, there are tons of wordlists for different use cases. For this purpose weakpass.com may be used used, which offers a great collection. Based on GeForce GTX 1060 6GB benchmark and Hash Crack by Netmux, the following table can be mostly been respected as general guideline to select worldlists for initial runs.

Example Hashtype Avg Speed ~10 min ~1 hour ~3-4 hours
MD5, NTLM, SHA(1-256), MySQL >5000 MH/s hashesorg2019 weakpass_2 weakpass_2a
md5apr1, md5crypt 5000 kH/s hashesorg2019 weakpass_2 weakpass_2a
WPA/WPA2,sha256crypt 200 kH/s hk_hlm_founds.txt HashesOrg hashesorg2019
PBKDF2, bcrypt, sha512crypt <5 kH/s dazzlepod rockyou.txt hk_hlm_founds.txt

Wordlist can also be created using web scraper, like the Custom Wordlist Generator (CeWL). Alternatively john can be used to create wordlists. In the following examples the rules single and wordlist are used to generate all possible mutations and permutations from a source wordlist.

john -wordlist="source_wordlist.txt" -rules=Single,Wordlist -stdout > "single_wordlist.txt"

John the Ripper

John the Ripper acronyms for John or JtR is a popular open-source password cracker from the Openwall developers. Historically, the main use has been to find weak UNIX passwords. To this day, john has been evolved to be fast and rich in features. John has the ability to recognize password hash types and supports multiple cracking modes, but it is mostly used for dictionary-style or incremental brute-forcing attacks. It should be noted that john even provides the ability to define custom cracking modes using a built-in C compiler. The developers provide additional variants like a commercial John the Ripper Pro version and Hash Suite, which is recommended when using Android or Windows. Besides the above-mentioned programs, there is also a graphical version of John named Johnny, for those who are not friends of the console, that is available for Linux, macOS, and Windows.

Furthermore John offers some support for CUDA and OpenCL GPUs. Whereas, CUDA is a parallel computing platform and programming model developed by NVIDIA for general computing on graphical processing units (GPUs). With CUDA, developers are able to dramatically speed up computing applications by harnessing the power of GPUs. OpenCL (Open Computing Language), on the other hand, is a low-level API for heterogeneous computing that runs on CUDA-powered GPUs. Using the OpenCL API, developers can launch compute kernels written using a limited subset of the C programming language on a GPU. [W7] No official numbers have been found regarding the number of supported hash algorithms for john, but there are over 2000 difference algorithms included in the jumbo version. Many of the algorithms under john are combinations of algorithms. These combinations are identified by the foreword dynamic_ and a subsequent number. Such combinations only appear in the jumbo version and have been added by the community.

Implementations exist for many UNIX-based systems such as Linux, macOS, Android, and Solaris, as well as for Windows. But also for more exotic devices running under DOS, BeOS, or OpenVMS. The resources are provided as pre-compiled binaries or as source code. The latter can then be adapted as desired and compiled for a specific system. A basic version of John can be installed using package managers such as apt, pkg, or snap. However, it is recommended to choose the community enhanced-jumbo version, which offers support for a variety of additional password hash types as well as non-hashes like SSH private keys, RAR archives, or PDF files. The following listing provides the necessary steps to clone and build latest bleeding-edge Jumbo version of John on most UNIX-based system. Source files for all versions could also be downloaded from Openwall.net. See also Password cracking on Android.

# Clone GIT repository
git clone git://github.com/magnumripper/JohnTheRipper -b bleeding-jumbo john 3 
# Build
cd ./john/src && ./configure && make -s clean && make -sj4

Hashcat

Hashcat is yet another very popular cross-platform cracking tool, whose developers claim to have developed the world’s fastest and most advanced open-source password recovery utility. Since Hashcat version 3, the old CPU-based hashcat-legacy and GPU-based oclHashcat have been merged. The tool allows to use all OpenCL compatible processors of the same device in parallel and even work distributed over the network. Hashcat supports five unique attack modes for more than 200 highly optimized hash algorithms.

Hashcat currently supports CPUs, GPUs, and other hardware accelerators such as DSPs, FPGAs, and co-processors in Linux, Windows, and macOS, as well as distributed password decryption functions. Almost all of this information and much more can be found on the Hashcat man page, which is one of the best that I have seen so far. Hashcat can be downloaded via package manager like `apt` under Linux or `brew` on macOS. But here it is recommended to download the source files again and build it manually. Compared to john, however, fewer platforms are supported here. The processors available for each platform can be listed using the `-I` or `–opencl-info` flag. These may need the corresponding drivers for Intel, AMD, or NVIDIA to be addressed correctly. This process will not be successful on every platform.

# Clone GIT repository
git clone https://github.com/hashcat/hashcat.git
# Build
cd ./hashcat && make && make install

Basic Usage

The core syntax of hashcat is as follows:

hashcat -a <$attack mode> -m <$hash_algorithm> <$hash (stdin/file)> <$dictionary>

$hash and $dictionary are your target hashes and dictionary/wordlist file. We’ll touch on the other parts below.

Hashing Algorithms

This is the type of hash you’re trying to crack. Hashcat supports hundreds of hashes and the chosen hash mode needs to be stated for hashcat to know what to attack. The modes can be found using hashcat ‐‐help (note: hashcat cannot attack multiple hash types in a single session but there are other tools that can). Recent versions of hashcat also support hash auto-detection if -m <$mode> isn’t passed, however as several hash types are constructed similarly, false positives can occur and therefore it isn’t encouraged.

For example, MD5 would be -m 0, SHA1 would be -m 100 and so on.

Hashing Algorothms Hashcat.png

Attack Modes

This is the type of password attack you’d like to carry out. Dictionary (referred to as ‘Straight’ in hashcat) is attack mode 0. This is also the default attack type and doesn’t need to be explicitly added if a dictionary attack is being performed. Hashcat’s supported attack modes are shown below and again can also be found by using hashcat ‐‐help. This post is only going to cover dictionary attacks, however, future guides might address more.

Attack Modes Hashcat.png


Rules

If an attack does not lead to a successful result, the individual words can be changed using rules. The rules correspond to typical patterns of how people form passwords. Simple rules can be:

  • First letter capitalized
  • Known words written from back to front
  • Appending a number from 0-9 to the end of a word
  • Appending a year like 1900-2020 to the end of a word
  • Conversion to LeetSpeak (e.g. <password> --> p455w0rd)

Rules are configured under "usr/share/hashcat/rules/best64.rule". These are passed to hashcat with the -r option.

Character Set

If the correct password can not be determined even with these modifications, a brute force attack is usually resorted to. For this purpose, the character space can be restricted by specifying the number of characters and the respective character type.


Character Set Character
l Lower case letters
u Upper case letters
d Digits 0-9
h Digits 0-9 + "abcdef"
H Digits 0-9 + "ABCDEF"
s special characters
a ?l?u?d?s
b 0x00 - 0xff

Performance Comparison

Below is a performance comparison between John the Ripper and hashcat. The tools were tested under Kali Linux in VMware with four processors. An NVIDIA GTX 1080 graphics card was used for the system. "hashcat" shows the clear performance difference in the table below.

System Speed [Hashes/sec]
John the Ripper (CPU with 4 Cores) 21.552
hashcat (NVIDIA GTX 1080) 24.943.000.000

Also GRC Haystack can by used to check how quick a password can be cracked. Just type in a custom password and the tool will show several attack scenarios like it was shown in the figure below. [1]

Haystack.PNG

Miscellaneous Tools

There is no black and white, and all tools have their strengths as well as their weaknesses. Also, combinations between some are quite useful. This section consists mostly of descriptions of the individual developers as they can best introduce themselves and as this section is only intended to introduce further tools. Written-off paragraphs are marked with a footnote. Here the Kali Linux knowledge-base [W2] has been referenced, which in turn refer to the developers’ websites and Github repositories, as well as giving short usage examples. The following examples have been selected by versatility and range of application to present other great tools besides Hashcat and John. aircrack-ng suite to analyze and attack wireless networks. THC-Hydra, an online login cracker and the alternative ncrack for our nmap lovers, Medusa is be the third in line. WFuzz, the web application cracker and last but not least RainbowCrack which uses rainbow tables to crack passwords.

Aircrack-ng

Aircrack-ng is an 802.11 Wired Equivalent Privacy (WEP) and Wifi Protected Access pre-shared key (WPA-PSK) cracking program that can recover keys once enough data packets have been captured. It implements the standard Fluhrer, Mantin, and Shamir (FMS) attack along with some optimizations like KoreK attacks, as well as the all-new Pychkine-Tews-Weinmann (PTW) attack, thus making the attack much faster compared to other WEP. However, Aircrack-ng is much more than just a cracking program.

The developers offer a versatile application suite for analyzing and attacking wireless networks. `aerodump-ng` even makes it possible to capture packets in a wireless network, and then attack contained handshakes of a WPA/WPA2-PSK using Hashcat or John efficiently. See also WPA/WPA2 PSK deauthentication attack.

THC Hydra

THC Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

Hydra can be used to start an Brute-Force Attack on the Login from on the "Damn Vulnerable Web Application (DVWA)". DVWA is a PHP/MySQL web application, whose main goal is to be an aid for security professionals to test their skills and tools in a legal environment. Also this tool should be available by default in Kali Linux.

The figure below shows the Login form of DVWA:

DVWA BruteForce.jpg

The command can be adjusted depending on the login form. An attacker usually proceeds here by looking at the source code of the website with the network analyzer and adapting his command to the login forms accordingly. For the DVWA web application the appropriate command to execute such an attack will be shown in the "Example" section below.

Also following Youtube video can help to get through this attack: [2]

ncrack

Ncrack is a high-speed network authentication cracking tool. It was designed using a modular approach, a command-line syntax similar to Nmap, and a dynamic engine that can adapt its behavior based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts. Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated bruteforcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s, and many more.

At this point should be noted that Nmap itself can be used for simple online attacks, by using the -script parameter with the desired script like telnet-brute.nse and the corresponding values for userdb and passwd with the additional parameter -script-args. See also Brute-Force with NMAP

WFuzz

Wfuzz (the web fuzzer) is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc.), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc.), bruteforce Forms parameters (User/Password), Fuzzing, etc.

Rainbow Crack

Hashcat nor john are capable of performing rainbow attacks. This is were RainbowCrack comes into the game. An alternative tool to perform rainbow attacks is Ophcrack, a free Windows (LM and NTLM) password cracker which also provides a GUI, and WOphcrack, a PHP based web frontend for Ophcrack.

RainbowCrack is a general propose implementation of Philippe Oechslin’s faster time-memory trade-off technique. It crack hashes with rainbow tables. RainbowCrack uses a time-memory tradeoff algorithm to crack hashes. A time-memory tradeoff hash cracker needs a pre-computation stage. At the time, all plaintext/hash pairs within the selected hash algorithm, charset, plaintext length are computed, and results are stored in files called rainbow table. It is time-consuming to do this kind of computation. But once the one-time pre-computation is finished, hashes stored in the table can be cracked with much better performance than a brute force cracker.

Procedure

This Chapter provides a basic guideline for offline password cracking. It is intended for scenarios, where the analysist is presented with a hashed password.

Identification

First, the according hashing algorithm must be identified. the In a nutshell there are there are three componenents used for manual hash identification:

  1. Special Characters
  2. Character Set
  3. Length of the Hash

There are automated tools for the terminal or online that perform the identification based on HEX encoded hashes. But it is always only about guessing and probability, since f.e. cascaded algorithms cannot simply be identified. This should be used in combination with manual identification.

Offline
  • hashid
  • hash-identifier
  • john
Online

The passwords must first be sanitized and decoded, if necessary. The goal is to get a HEX string in the next step. 0x may be used to indicate HEX, but is not important and can be discarded. Furthermore the special characters : and $ are commonly used as delimiter between salt and digest and are not part of the charset. For all passwords which are not of the charset [a-fA-F0-9] a BASE64 encoding, with the charset [A-Za-z0-9+/], was used. Base{16,32,64} encoding is usually recognized quickly due to one or two trailing =, which are used for padding. The Base{16,32,64} encoding format and charset is described in RFC4648. In this scenario BASE64 and HEX encoding should be the only ones that are used. Mind the -n with the echo command in oder to supress adding a trailing \n. The hashcat example hashes or the john --list=format-details can be used as a reference for manual identification. If there is information about the system that creates or uses the hashes, its documentation could be consulted. Below some helper commands for manual hash identification.

# ASCII to Base64 
echo -n $STRING | base64 
# Base64 to ASCII 
echo -n $BASE64 | base64 -d 
# ASCII to HEX 
echo -n $STRING | xxd -pu 
# String length 
echo -n $STRING | wc -c 
# HEX encoded String bit length 
echo $((`echo -n $HEX_ENCODED_STRING | wc -c` / 2)) 
echo -n $HEX_ENCODED_STRING | perl -lpe '$_=unpack"B*"' | wc -c

Cracking

It is generally claimed that Hashcat is more performant than John the Ripper (john) and that Graphical Processing Units (GPU) can calculate more hashes per second than Central Processing Units (CPU). See also Password Cracking: Software and Hardware Comparison. John the Ripper has the ability to recognize password hash types and supports multiple cracking modes, but it is mostly used for dictionary-style or incremental brute-forcing attacks using the CPU. Hashcat is claimed to be the world’s fastest and most advanced open-source password recovery utility and supports five unique attack modes using GPUs, DSPs, FPGAs, and co-processors. The John jumbo edition supports way more hash types than hashcat (~2300 > ~200), while hashcat is highly optimized and may not run an any hardware and OS. Alternatively there are online lookup tables. However, this is useless for most slated hashes and advanced hashing algorithms. Acquisition and Cracking of macOS User Passwords or WPA/WPA2 PSK deauthentication attack may be used as an hands-on example.

Offline
  • john
  • hashcat
  • RainbowCrack
Online

Examples

#Hash detection
john $HASHFILE

# Incremental Brute-force
john --incremental=ASCII $HASHFILE --format=dynamic_1 --fork=16

# Rule-based
john $HASHFILE --format=dynamic_1 --rules=Wordlist \
   --wordlist=$WORDLIST --fork=16
john $HASHFILE --format=dynamic_1 --rules=Wordlist,Single \
   --wordlist=$WORDLIST --fork=16

# Custom rule that adds a new line to the end of ech password from a wordlist
cat AddNewLine.rule
[List.Rules:AddNewLine]
$\x0a

sudo nice -n -20 john $HASHFILE --rules=AddNewLine.rule \
   --wordlist=$WORDLIST --format=Raw-SHA1

# Bruteforce
sudo nice -n -20 \
    hashcat -m 100 \
    $HASH \
    -a 3 password?d?d?d?d

# Wordlist + Mask attack
sudo nice -n -20 \
    hashcat -m 100 \
    $HASH \
    -a 6 $WORDLIST ?d?d?d?d

# Custom Rule
cat AddNewLine.rule           
$\x0a

# Straight attack /w custom rule
sudo nice -n -20 \
    hashcat -m 100 -r AddNewLine.rule \
    $HASH \
    -a 0 $WORDLIST

# Dictionary Attack (MD5 Hashes)
sudo nice -n -20 \
    hashcat -a 0 -m 0 hashes.txt rockyou.txt
    $HASH

# Rainbowtable Attack (Rainbowcrack)
sudo apt-get install rainbowcrack                # Installing Rainbowcrack
rtgen -h                                         # Open Manual
sudo rtgen md5 loweralpha 1 3 0 1000 1000 0      # Create Rainbowtable
cd /usr/share/rainbowcrack/                      # Change directory to view table
rtsort .                                         # Sort every file in directory (very important)
./rcrack . -h example_hash                       # Execute Rainbowcrack

# Brute-Forcing Login Page of DVWA (with Hydra)
hydra 127.0.0.1 http-form-get "/vulnerabilities/brute:username=^USER^&passwords=^PASS^&Login=submit:F=Username and/or password incorrect.:H=Cookie:security=low; PHPSESSID=uhuja6fe3jof98cf2j86r0qtpq" -L usernames.txt -P passwords.txt

Related

References