Password cracking
Password cracking is the process of recovering passwords from data that has been stored or transmitted in hashed form by a computer system.
Password cracking can be attempted using a:
Brute-force attack, in which all possible passwords are tried exhaustively. Past a certain password length and character-set size the keyspace grows so fast that brute force becomes impractical.
Dictionary attack, which relies on a wordlist of likely passwords, usually combined with mangling rules (case changes, appended digits, character substitutions).
Rainbow table attack, which uses a precomputed table of hash chains to trade disk space for processing time. Rainbow tables only work against unsalted hashes: a per-password salt makes the precomputation useless.
The time needed to crack a password depends on the password strength (length and character set), on the hashing function (fast unsalted hashes such as MD5 or NTLM versus slow, salted and iterated ones such as bcrypt or sha512crypt) and on the attacker's hardware.
Wordlists
The following wordlists can be used for password cracking:
darkweb2017-top (10 / 100 / 1000 / 10000 entries): the top X passwords.
rockyou.txt (about 14 million entries): usually considered sufficient for any CTF purpose, coupled if necessary with cracking rules.
CrackStation's 15GB wordlist (about 1.5 billion entries): the most complete publicly available password wordlist to date.
kwprocessor
kwprocessor is a keyboard-walk generator utility with configurable basechars, keymap and routes. Keyboard-walk sequences are sequences of adjacent keyboard keys, such as "qwerty" or "azerty".
The basechars list consists of every character used as a starting point for the keyboard-walking sequences. The tiny.base list includes very limited, QWERTY-based starting points: 1q!Q. The full.base file provides a more comprehensive basechars list and its use is recommended.
The keymap corresponds to a keyboard layout, i.e. the physical disposition of the keys. A keymap file consists of 12 lines: the 4 physical keyboard rows as typed without a modifier (for example azertyuiop^$ on a French layout), then the same 4 rows as typed with Shift (AZERTYUIOP¨£), then the same 4 rows as typed with AltGr (€¤). Various keymaps (en-us, en-gb, fr, es, de, ru, etc.) are provided in the kwprocessor GitHub repository.
The route corresponds to the pattern used to generate the keyboard-walking sequences. A route is a sequence of numbers, each number being the number of keys pressed in the same direction (north, south, west and east by default, extendable to north-west, north-east, south-west, south-east and repeat in place). For example, the route 1, starting from the h key and with the default kwprocessor configuration, generates the following words: hn, hg, hj and hy.
For more information on routes, refer to the kwprocessor GitHub documentation: https://github.com/hashcat/kwprocessor
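The basechars / keymap / route model described above, as an added example in Python; this is not the kwprocessor source code, and the keymap is a constructed unshifted en-us layout (the Shift and AltGr layers of a real 12-line keymap are omitted, so the shifted basechars "!" and "Q" of tiny.base produce nothing here):

```python
"""Minimal keyboard-walk generator in the spirit of kwprocessor (example code)."""
from itertools import product

# Constructed en-us keymap, unshifted layer only (assumption: Shift and AltGr
# layers left out, so only unshifted basechars yield walks).
KEYMAP_EN_US = [
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]

# Default kwprocessor directions as (row delta, column delta).
DIRECTIONS = {"north": (-1, 0), "south": (1, 0), "west": (0, -1), "east": (0, 1)}


def key_positions(keymap):
    """Map every key to its (row, column) position in the keymap."""
    return {ch: (r, c) for r, row in enumerate(keymap) for c, ch in enumerate(row)}


def key_at(keymap, r, c):
    """Return the key at (r, c), or None when the walk falls off the keyboard."""
    if 0 <= r < len(keymap) and 0 <= c < len(keymap[r]):
        return keymap[r][c]
    return None


def walk(keymap, start, route):
    """Yield every keyboard walk from `start` following `route`.

    `route` is a list of integers; each integer is the number of consecutive
    keys pressed in one direction, and every segment may take any direction.
    Route [1] from "h" yields hy, hn, hg, hj; route [2, 1] appends a two-key
    segment followed by a one-key segment.
    """
    positions = key_positions(keymap)
    if start not in positions:
        return
    for dirs in product(DIRECTIONS.values(), repeat=len(route)):
        r, c = positions[start]
        word = start
        for steps, (dr, dc) in zip(route, dirs):
            for _ in range(steps):
                r, c = r + dr, c + dc
                ch = key_at(keymap, r, c)
                if ch is None:          # ran off the keyboard: discard this walk
                    word = None
                    break
                word += ch
            if word is None:
                break
        if word is not None:
            yield word


def generate(keymap, basechars, routes):
    """Build the deduplicated wordlist for all basechars and all routes."""
    seen, out = set(), []
    for start in basechars:
        for route in routes:
            for w in walk(keymap, start, route):
                if w not in seen:
                    seen.add(w)
                    out.append(w)
    return out


if __name__ == "__main__":
    for w in generate(KEYMAP_EN_US, "1q", [[1], [2], [1, 1]]):
        print(w)
```

Walks that leave the keyboard are dropped rather than truncated, which is why a starting key on an edge produces fewer words than one in the middle of the layout.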
Python EXREX
The Python EXREX module can be used to generate wordlists from a regular expression: it enumerates every string the expression matches, so a pattern describing a password policy (a word, an optional separator, a two-digit year, etc.) is expanded into the corresponding candidates.
Hash types
The hashid Python utility can be used to determine the probable type of a hash and the corresponding hashcat mode (-m) and john format (--format):
Additionally, the hashcat example hashes documentation may be used directly to identify the hash type from its shape and its corresponding hashcat mode:
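The same identification done from the shape of the hash, as an added example in Python that is not hashid itself: each signature carries the hashcat mode and john format name it maps to. Bare hex strings only identify a length class (32 hex characters is MD5 or NTLM), so the analyst still has to pick from context; the sample crypt-style strings in the main block are constructed to have the right shape and are not real hashes of anything.

```python
"""Hash-type identification from format and length, in the spirit of hashid (example code)."""
import hashlib
import re

# (label, anchored regex, hashcat modes, john formats)
SIGNATURES = [
    ("MD5 or NTLM (32 hex)", r"^[0-9a-fA-F]{32}$", [0, 1000], ["raw-md5", "nt"]),
    ("SHA-1 (40 hex)", r"^[0-9a-fA-F]{40}$", [100], ["raw-sha1"]),
    ("SHA-256 (64 hex)", r"^[0-9a-fA-F]{64}$", [1400], ["raw-sha256"]),
    ("SHA-512 (128 hex)", r"^[0-9a-fA-F]{128}$", [1700], ["raw-sha512"]),
    ("md5crypt", r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$", [500], ["md5crypt"]),
    ("sha256crypt", r"^\$5\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}$", [7400], ["sha256crypt"]),
    ("sha512crypt", r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$", [1800], ["sha512crypt"]),
    ("bcrypt", r"^\$2[abxy]\$\d{2}\$[./0-9A-Za-z]{53}$", [3200], ["bcrypt"]),
    ("NetNTLMv2", r"^[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$", [5600], ["netntlmv2"]),
]
COMPILED = [(label, re.compile(rx), modes, fmts) for label, rx, modes, fmts in SIGNATURES]


def identify(h):
    """Return the list of (label, hashcat modes, john formats) candidates for one hash."""
    h = h.strip()
    return [(label, modes, fmts) for label, rx, modes, fmts in COMPILED if rx.match(h)]


def classify_file(lines):
    """Identify every non-empty line of a hash file; unknown formats map to []."""
    return {line.strip(): identify(line) for line in lines if line.strip()}


def digest(text, algo="md5"):
    """Hex digest helper used to build the sample hashes."""
    return hashlib.new(algo, text.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed sample hash file: real digests of "password" plus synthetic
    # crypt-style and NetNTLMv2 strings of the right shape.
    sample = [
        digest("password"),
        digest("password", "sha1"),
        "$6$saltsalt$" + "A" * 86,
        "$2b$12$" + "a" * 53,
        "alice::CORP:1122334455667788:" + "0" * 32 + ":0101000000000000",
        "not a hash",
    ]
    for h, candidates in classify_file(sample).items():
        names = ", ".join(
            f"{label} (hashcat -m {'/'.join(map(str, modes))}, john --format={'/'.join(fmts)})"
            for label, modes, fmts in candidates
        ) or "unknown"
        print(f"{h[:40]:<42} {names}")
```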
Password cracking tools
It is recommended to run the cracking tools on the native operating system rather than in a virtual machine, as a virtual machine usually has no direct access to the GPU and the performance is far better natively.
John should be used for quick password cracking attempts, while hashcat offers better performance and more complex attacks for serious needs.
John-the-Ripper & magnumripper John-the-Ripper
John, also abbreviated JtR, is a password cracking tool, available notably on Linux and Windows and supporting a wide range of hash types.
The Jumbo version of John the Ripper is a community-enhanced version of John that can be found on the magnumripper GitHub repository (now hosted at https://github.com/openwall/john). It notably supports many more hash types and ships the *2john conversion utilities used further down this page.
John will try to automatically detect the hash type of the provided hashes; when the detection is ambiguous, the type should be forced with --format. John stores the cracked passwords in a "pot" file, located in ~/.john/john.pot, and --show prints the cracked passwords from that file.
John-the-Ripper usage:
hashcat
hashcat is an advanced cracking tool that generally offers better performance than John and is considered to be among the world's fastest password cracking tools.
Multi-OS (Windows, Linux, etc.) and multi-platform (CPU, GPU, etc.), hashcat supports more than 200 different hash types.
Moreover, hashcat introduced the rule-based attack, which is one of the most complex of all the password cracking attack modes. The rule language is like a small programming language designed for password candidate generation: it has functions to modify, cut or extend words and has conditional operators, and every rule of a rule file is applied to every word of the wordlist.
The OneRuleToRuleThemAll rule set, or its newer version OneRuleToRuleThemStill, aggregates multiple rule sets with the aim of maximizing efficiency (success rate versus total number of candidates).
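How a rule line turns a wordlist entry into a new candidate, as an added example: a Python interpreter for a small subset of the hashcat rule language (not hashcat's own engine), applied to a constructed mini rule file in the style of best64.rule. Functions outside the supported subset raise instead of being silently skipped.

```python
"""Interpreter for a subset of the hashcat rule language (example code)."""


def _pos(c):
    """Rule positions are 0-9 then A-Z for 10-35."""
    return int(c) if c.isdigit() else ord(c) - ord("A") + 10


def apply_rule(word, rule):
    """Apply one rule line (whitespace-separated functions) to `word`.

    Supported functions, with the same meaning as in hashcat:
      :  no-op      l  lowercase   u  uppercase   c  capitalize   C  invert capitalize
      t  toggle case   r  reverse   d  duplicate   f  reflect
      [  delete first  ]  delete last   $X append X   ^X prepend X
      sXY replace X by Y   DN delete position N   TN toggle case at position N
      xNM keep M characters starting at position N
    """
    w = word
    i = 0
    while i < len(rule):
        f = rule[i]
        if f == " ":
            i += 1
            continue
        if f == ":":
            pass
        elif f == "l":
            w = w.lower()
        elif f == "u":
            w = w.upper()
        elif f == "c":
            w = w[:1].upper() + w[1:].lower()
        elif f == "C":
            w = w[:1].lower() + w[1:].upper()
        elif f == "t":
            w = w.swapcase()
        elif f == "r":
            w = w[::-1]
        elif f == "d":
            w = w + w
        elif f == "f":
            w = w + w[::-1]
        elif f == "[":
            w = w[1:]
        elif f == "]":
            w = w[:-1]
        elif f == "$":
            w = w + rule[i + 1]
            i += 1
        elif f == "^":
            w = rule[i + 1] + w
            i += 1
        elif f == "s":
            w = w.replace(rule[i + 1], rule[i + 2])
            i += 2
        elif f == "D":
            n = _pos(rule[i + 1])
            w = w[:n] + w[n + 1:]
            i += 1
        elif f == "T":
            n = _pos(rule[i + 1])
            w = w[:n] + w[n:n + 1].swapcase() + w[n + 1:]
            i += 1
        elif f == "x":
            n, m = _pos(rule[i + 1]), _pos(rule[i + 2])
            w = w[n:n + m]
            i += 2
        else:
            raise ValueError(f"unsupported rule function {f!r} in {rule!r}")
        i += 1
    return w


def mangle(wordlist, rules):
    """Yield (candidate, source word, rule) for every word/rule pair, without
    duplicates: this is the stream a rule-based attack feeds to the hash loop."""
    seen = set()
    for rule in rules:
        for word in wordlist:
            cand = apply_rule(word, rule)
            if cand not in seen:
                seen.add(cand)
                yield cand, word, rule


# Constructed mini rule file in the style of best64.rule.
RULES = [":", "c", "u", "r", "c $1", "c $1 $2 $3", "c $!", "sa@ so0", "c sa@ $1", "x04"]

if __name__ == "__main__":
    for cand, word, rule in mangle(["password", "summer", "Admin"], RULES):
        print(f"{cand:<14} <- {word!r} with rule {rule!r}")
```

The candidate count is words multiplied by rules, minus duplicates, which is why a rule set is judged by success rate per candidate rather than by size.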
The following attack modes can be used, specified by the -a / --attack-mode option:
0: dictionary (straight) attack, trying each word of a wordlist, optionally mangled by a rule file (-r)
1: combinator attack, concatenating each word of a first wordlist with each word of a second one
3: mask attack, trying all combinations of a keyspace defined by a mask (for example ?u?l?l?l?d?d, where ?l, ?u, ?d and ?s stand for lowercase, uppercase, digits and special characters)
6: hybrid attack, wordlist + mask (each word followed by every mask combination)
7: hybrid attack, mask + wordlist (every mask combination followed by each word)
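The five attack modes above as candidate generators, driven against a set of target hashes; this is an added Python example, not hashcat, and the built-in charsets ?l ?u ?d ?s ?a are reproduced from hashcat's definitions. The targets in the main block are constructed MD5 digests.

```python
"""hashcat attack modes 0, 1, 3, 6 and 7 as candidate generators (example code)."""
import hashlib
import itertools
import string

CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def parse_mask(mask):
    """Turn "?u?l?l?d?d!" into a list of charsets; a literal char stands for itself."""
    sets, i = [], 0
    while i < len(mask):
        if mask[i] == "?":
            sets.append(CHARSETS[mask[i + 1]])
            i += 2
        else:
            sets.append(mask[i])
            i += 1
    return sets


def keyspace(mask):
    """Number of candidates a mask produces (what hashcat reports as keyspace)."""
    n = 1
    for s in parse_mask(mask):
        n *= len(s)
    return n


def mask_candidates(mask):
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


def candidates(mode, wordlist=(), wordlist2=(), mask=""):
    """Candidate stream for a given -a attack mode."""
    if mode == 0:                       # straight dictionary
        yield from wordlist
    elif mode == 1:                     # combinator: every left word + every right word
        for left in wordlist:
            for right in wordlist2:
                yield left + right
    elif mode == 3:                     # mask / brute force over the keyspace
        yield from mask_candidates(mask)
    elif mode == 6:                     # hybrid wordlist + mask
        for word in wordlist:
            for tail in mask_candidates(mask):
                yield word + tail
    elif mode == 7:                     # hybrid mask + wordlist
        for head in mask_candidates(mask):
            for word in wordlist:
                yield head + word
    else:
        raise ValueError(f"unsupported attack mode {mode}")


def digest(text, algo="md5"):
    return hashlib.new(algo, text.encode()).hexdigest()


def crack(targets, stream, algo="md5"):
    """Hash each candidate and return {hash: plaintext} for every target hit.
    Stops as soon as every target is cracked, as a real cracker would."""
    remaining = set(targets)
    found = {}
    for cand in stream:
        h = digest(cand, algo)
        if h in remaining:
            found[h] = cand
            remaining.remove(h)
            if not remaining:
                break
    return found


if __name__ == "__main__":
    # Constructed targets: MD5 of "password", "Summer19" and "!!admin".
    targets = {digest("password"), digest("Summer19"), digest("!!admin")}
    words = ["password", "Summer", "admin"]
    print("keyspace of ?u?l?l?l?d?d?d?d:", keyspace("?u?l?l?l?d?d?d?d"))
    print("mode 0:", crack(targets, candidates(0, wordlist=words)))
    print("mode 6:", crack(targets, candidates(6, wordlist=words, mask="?d?d")))
    print("mode 7:", crack(targets, candidates(7, wordlist=words, mask="?s?s")))
```

keyspace() is the number that decides whether a mask is realistic for the hash at hand: the same eight-character mask is a matter of minutes against MD5 on a GPU and hopeless against bcrypt at a high cost factor.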
hashcat
usage:
Misc
Firefox / Thunderbird stored passwords
Firefox and Thunderbird save the passwords registered by the user in the user profile:
The passwords are stored in the following files:
A master password can be set in either program and it protects the key stored in key3.db (key4.db in more recent versions, with the encrypted logins in logins.json). By default no master password is set.
John-the-Ripper can be used to crack the master password:
The passwords can then be extracted from the Firefox / Thunderbird profile:
ZIP and RAR protected archives
The Linux utilities zip2john and rar2john, packaged with the John the Ripper Jumbo community version, can be used to extract the hash of the password protecting the archive.
Jumbo john can then be used to crack the extracted hash.
The Linux utility fcrackzip may be used as well and works directly on the ZIP archive (for the legacy ZipCrypto / PKZIP encryption).
Password protected PDF
The Linux utility pdfcrack can be used to crack the password protecting a PDF file.
Encrypted SSH private keys
The Linux utility ssh2john, packaged with the John the Ripper Jumbo community version, can be used to convert an encrypted SSH private key to a hash crackable by john.
Jumbo john can then be used to crack the extracted hash.
Linux Unified Key Setup (LUKS)
hashcat and bruteforce-luks can be used to crack LUKS encrypted disks:
Once the passphrase is retrieved, the Linux utility cryptsetup can be used to open the container as a device that can be mounted:
PKCS#12 certificate
The Linux utility pfx2john, packaged with the John the Ripper Jumbo community version, can be used to convert a password protected PKCS#12 certificate store to a hash crackable by john.
mRemoteNG
mRemoteNG is an open source multi-protocol remote connections manager. The connection information, including usernames and passwords, is stored encrypted in confCons.xml files.
On older versions of mRemoteNG, the passwords were encrypted with AES-128-CBC using the MD5 of the default password mR3m as the key, the first 16 bytes of the base64-decoded blob being the IV and the remainder the ciphertext.
The clear-text passwords can be retrieved on all mRemoteNG versions directly through the GUI application by creating an external tool:
References
https://github.com/hashcat/kwprocessor
http://cosine-security.blogspot.com/2011/06/stealing-password-from-mremote.html
https://robszar.wordpress.com/2012/08/07/view-mremote-passwords-4/