Attempting to hack into a system you don’t own is almost definitely against the law in your country (plus hacking your own systems may [and often does] violate any warranty for that product).
Let’s start with the basics. What is a brute force attack?
This type of attack includes repeatedly trying every possible letter, number, and character combination to log in as a user (using automated tools).
This can be done either online (in real-time, by frequently trying different username/password combinations on accounts like social media or banking sites) or offline (for example, if you have a set of hashed passwords and are cracking them offline).
Offline isn’t always possible (obtaining a set of hashed passwords can be difficult), but it is much more silent. This is because a security team will almost certainly notice a large number of failed login accounts from the same account, but if you crack the password offline, you won’t have a record of failed login attempts.
With a short password, this is relatively simple. Because of the sheer amount of options, a longer password becomes exponentially more difficult.
For example, if you know someone’s password is 5 characters long and only contains lowercase letters, the total number of possible passwords is 265 (26 letters to pick from for the first letter, 26 letters to choose from for the second letter, and so on), or 11,881,376 combinations.
However, if a password is 11 characters long and only contains lowercase letters, the total number of possible passwords is 2611, or 3,670,344,486,987,776.
It becomes much more complex and time-consuming to crack when you include capital letters, special characters, and numerals. The more possible passwords there are, the more difficult it is for a brute force attack to succeed.
How to protect yourself
There are a few different techniques to protect against this type of attack. To begin, you can create passwords that are sufficiently long and difficult (at least 15 characters). To reduce the risk of data breaches, use unique passwords for each account (or use a password manager!).
After a set number of failed login attempts, a security team can lock out an account. They can also use a secondary verification mechanism, such as Captcha, or 2-factor authentication (2FA), which requires a second code (SMS or email, app-based, or hardware key-based).
What is password strength?
The efficiency of a password in repelling password cracking attacks is measured by its password strength. The following factors affect the strength of a password:
- Length: the number of characters the password contains.
- Complexity: does it use a combination of letters, numbers, and symbols?
- Unpredictability: is it something that can be guessed easily by an attacker?
Let’s now look at a practical example. We will use three passwords namely
When creating passwords in this example, we’ll use Cpanel’s password strength indicator. The graphics below depict the password strength of each of the passwords mentioned above.
Note: the password used is password the strength is 1, and it’s very weak.
Note: the password used is password1 the strength is 28, and it’s still weak.
Note: The password used is #password1$ the strength is 60 and it’s strong.
The higher the strength number, the better the password.
We will now use http://www.md5this.com/ to crack the above hashes. The images below show the password cracking results for the above passwords.
As you can see from the above results, the first and second passwords with lower strength numbers were cracked. The third password, which was longer, more complex, and unpredictable, eluded us. It had a greater strength rating.
Password cracking techniques
There are a number of techniques that can be used to crack passwords. We will describe the most commonly used ones below;
- Dictionary attack– A wordlist is used to compare against user passwords in this manner.
- Brute force attack– The dictionary attack is comparable to this strategy. Brute force attacks create passwords for the attack using methods that mix alpha-numeric letters and symbols. Using the brute force method, a password with the value “password” can also be tested as p@$$word.
- Rainbow table attack– This method makes use of hashes that have already been computed. Assume we have a database where passwords are stored as md5 hashes. Another database with md5 hashes of widely used passwords can be created. The password hash we have can then be compared to the hashes recorded in the database. If there is a match, we know the password.
- Guess– As the title suggests, this method entails making educated guesses. Passwords like qwerty, password, admin, and others are frequently used or set as defaults. They can be readily compromised if they have not been changed or if the user is careless when selecting passwords.
- Spidering– Passwords containing company information are used by the majority of businesses. This information is available on company websites as well as social media sites such as Facebook and Twitter. Spidering collects data from these sources in order to create word lists. After that, the word list is employed in the dictionary and brute force attacks.
Password cracking tool
These are programs that are used to crack passwords for users. In the previous example, we looked at a similar tool for password strength. A rainbow table is used to crack passwords on the website www.md5this.com. We’ll take a look at some of the most widely utilized tools now.
John the Ripper
To break passwords, John the Ripper uses the command prompt. As a result, it’s best suited to advanced users who are used to working with commands. It cracks passwords using a wordlist. The application is free, but the word list must be purchased separately. It provides you with free alternative word lists to utilize. Visit https://www.openwall.com/john/ to learn more about the product. for additional information and instructions on how to use it
Cain & Abel
Cain & Abel is a game for Windows. It’s used to recover passwords for user accounts, recover Microsoft Access passwords, sniff networks, and more. Unlike John, the Ripper, Cain & Abel employs a graphical user interface. It is especially popular among beginners and script kids due to its ease of use. More information and instructions on how to use the software can be found here., visit https://www.softpedia.com/get/Security/Decrypting-Decoding/Cain-and-Abel.shtml.
Ophcrack is a password cracker for Windows that uses rainbow tables to crack passwords. It is compatible with Windows, Linux, and Mac OS. Among other things, it provides a module for brute force attacks. For additional information and instructions on how to utilize the product, go to https://ophcrack.sourceforge.io/.
- An organization can use the following methods to reduce the chances of the passwords being cracked
- Avoid short and easily predictable passwords
- Avoid using passwords with predictable patterns such as 11552266.
- Passwords stored in the database must always be encrypted. For md5 encryptions, it’s better to salt the password hashes before storing them. Salting involves adding some words to the provided password before creating the hash.
- Most registration systems have password strength indicators, organizations must adopt policies that favor high password strength numbers.
How can you crack passwords faster?
A dictionary attack includes repeatedly trying to log in using a number of combinations from a pre-compiled ‘dictionary,’ or list of possible combinations.
Because the combinations of letters and numbers have already been computed, this is frequently faster than a brute force approach, saving you time and computing power.
But if the password is sufficiently complex (for example 1098324ukjbfnsdfsnej) and doesn’t appear in the ‘dictionary’ (the precompiled list of combinations you’re working from), the attack won’t work.
It is frequently successful because, often when people choose passwords, they choose common words or variations on those words (for example, ‘password’ or ‘p@SSword’).
When a hacker knows or guesses a component of the password (for example, a dog’s name, children’s birthdays, or an anniversary – information a hacker can acquire on social media pages or other open-source resources), they can utilize this type of attack.
Similar protection measures to those described above against brute force attacks can prevent these types of attacks from being successful.
What if you already have a list of hashed passwords?
Passwords are stored in the /etc/shadow file for Linux and C:\Windows\System32\config file for Windows (which are not available while the operating system is booted up).
You can try ‘offline’ password cracking if you’ve managed to access this file, or if you’ve obtained a password hash in another means, such as sniffing network traffic.
Rather than trying to log in repeatedly as in the previous attacks, if you obtain a list of hashed passwords, you can break them on your system without activating the notifications generated by failed login attempts. Then, after successfully cracking the password, you just try logging in once (and hence there is no unsuccessful login attempt).
You can use brute force attacks or dictionary attacks against the hash files, and maybe successful depending on how strong the hash is.
Wait a minute – what’s hashing?
Recognize this message? It says ‘Hi my name is Rocky’
This one is the first paragraph of this article. Yes, it looks like nonsense, but it’s actually a ‘hash’.
A hash function allows a computer to take a string (a collection of letters, numbers, and symbols), mix it up, and return a fixed-length string. As a result, despite the fact that the strings’ inputs were of varying lengths, both strings are the same length.
Hashes can be created from nearly any digital content. Basically, all digital content can be reduced to binary or a series of 0s and 1s. Therefore, all digital content (images, documents, etc.) can be hashed.
There are a variety of hashing functions available, some more secure than others. MD5 was used to create the hashes above (MD stands for “Message Digest”). The length of the hash produced by different functions varies as well.
The same content in the same hash function will always produce the same hash. However, even a small change will alter the hash entirely. For example,
Is the hash for ‘Hi my name is Megan’ Just capitalizing the M in Megan completely changed the hash from above.
Hashes are also one-way functions (meaning they can’t be reversed). This means that hashes (unique and one-way) can be used as a type of digital fingerprint for content.
What’s an example of how hashes are used?
Hashes can be used as verification that a message hasn’t been changed.
When you send an email, for example, you can hash the entire email and send the hash as well. Then the recipient can run the received message through the same hash function to check if the message has been tampered with in transit. If the two hashes match, the message hasn’t been altered. If they don’t match, the message has been changed.
Also, passwords are usually hashed when they’re stored. When a user enters their password, the computer computes the hash value and compares it to the stored hash value. This way the computer doesn’t store passwords in plaintext (so some nosy hacker can’t steal them!).
If someone is able to steal the password file, the data is useless because the function can’t be reversed (though there are ways, like rainbow tables, to figure out what plaintext creates the known hash).
What’s the problem with hashes?
If a hash can take data of any length or content, there are unlimited possibilities for data that can be hashed.
Since a hash converts this text into fixed-length content (for example, 32 characters), there are a finite number of combinations for a hash. It is a very very large number of possibilities, but not an infinite one.
Eventually, two different sets of data will yield the same hash value. This is called a collision.
If you have one hash and you’re trying to go through every single possible plaintext value to find the plaintext which matches your hash, it will be a very long, very difficult process.
However, what if you don’t care which two hashes collide?
This is called the ‘birthday problem’ in mathematics. In a class of 23 students, the likelihood of someone having a birthday on a specific day is around 7%, but the probability that any two people share the same birthday is around 50%.
The same type of analysis can be applied to hash functions in order to find any two hashes which match (instead of a specific hash that matches the other).
To avoid this, you can use longer hash functions such as SHA3, where the possibility of collisions is lower.
You can try brute-forcing hashes, but this will take a long time. Using pre-computed rainbow tables is a faster approach to execute this (which is similar to dictionary attacks).
It seems really easy to get hacked. Should I be concerned?
The most important thing to keep in mind when hacking is that no one wants to do any more effort than they have to. Brute forcing hashes, for example, can be time-consuming and challenging. If there’s an easier way to steal your password, a malicious actor will most likely try it first.
As a result, establishing fundamental cyber security best practices is probably the most simple method to avoid being hacked. Indeed, Microsoft has stated that simply enabling 2FA will prevent 99.9% of automated assaults.
- Password cracking is the art of recovering stored or transmitted passwords.
- Password strength is determined by the length, complexity, and unpredictability of a password value.
- Common password techniques include dictionary attacks, brute force, rainbow tables, spidering, and cracking.
- Password cracking tools simplify the process of cracking passwords.
About us: Codelivly is a platform designed to help newbie developer to find the proper guide and connect to training from basics to advance