
Password Attack Tools

In document Effective Password Cracking (pages 56-67)

Now that we have seen what types of attacks exist for acquiring a person’s password or login credentials, let us take a look at the tools that can be used to perform these attacks. Just like almost everything else in our daily life, there is a large variety of tools to choose from.

Just a simple online search for "password penetration tools", on your search engine of choice, will give you millions of results. The top hits will probably be some form of list such as "Top 10 password cracking tools" or "Most popular password cracking tools". Open any of these and you will get a nice explanation of the tools, as well as a list of pros and cons for each tool. Here most people can find the tool that suits them best.

Although there is a myriad of tools you can choose from, it is important to find the one(s) best suited for the type of attack you will be performing.

You need to know the variables of your attack in order to find the best tool. Are you doing a computational attack on a hashed password, are you trying to intercept password traffic, or are you going to "attack" the owner of the secret you want? If you are attacking a password computationally, are you doing so online or against an offline copy? If your intent is to somehow take advantage of the human element, are you doing so online or are you going to try a more physical approach?

In this section some of these tools are explained, in terms of what they are called, what their features are, what attacks they support, and which operating systems they run on. We look at the cracking tools Brutus, Cain & Abel, John the Ripper, Hash Suite, THC Hydra, Aircrack-ng, RainbowCrack and Hashcat. We also explain a couple of packet sniffers, Wireshark and WinDump, and mention some tools that help with phishing simulation, such as Gophish, Ghost Phisher and Social Engineer Toolkit (SET).

5.3.1 Brutus

Brutus, see Figure 5.5, is a remote password-cracking tool used for attacking online authentication. It was first released in 1998 and only supports the Windows operating system. It was originally created to test for common or default passwords on routers using a dictionary attack. The tool supports multi-stage authentication and can connect to up to 60 targets simultaneously. It can be used on protocols like HTTP (both basic authentication and HTML Form/CGI), POP3, FTP, SMB and Telnet, and it is possible to import other protocols, such as IMAP and NNTP, from their website.

It is also possible to create one’s own authentication types and share them with others [80].

Figure 5.5: Brutus on Windows [81]

5.3.2 Cain & Abel

Cain & Abel, seen in Figure 5.6, is a password recovery tool that runs on Microsoft Windows only. The software can recover cached passwords and crack passwords using dictionary and brute-force attacks as well as cryptanalysis. It also supports recording Voice over IP and sniffing several protocols like SSH-1 and HTTPS. Cain & Abel can capture credentials from a wide selection of authentication protocols.

Figure 5.6: Cain & Abel on Windows [82]

5.3.3 John the Ripper

John the Ripper, seen in Figure 5.7, is an open-source terminal-based password cracking tool that works on Unix systems, MacOS and Windows. There also exists a GUI-based version named Johnny the Ripper. The distributor of John, Openwall, also has another Windows hash cracking tool known as Hash Suite, explained in Section 5.3.4, and its mobile counterpart for Android, Hash Suite Droid. John is free to use but also comes in a Pro edition that is tailored for specific operating systems [83].

This tool supports several different attack types: wordlist/dictionary, single crack (explained in the next subsection), incremental (also known as brute-force) and even the ability to create your own modes [84]. It also allows for a large selection of word-mangling rules, a few of which are listed below:

• Adding numeric constants and variables

• Capitalize, convert to lower case, convert to upper case and toggle case.

• Reverse the word, or duplicate the word.

• Rotate the word left ("word" to "dwor") or to the right ("word" to "ordw").

• Append or prefix a character.

• Pluralize (English grammar, lowercase words only).

• Delete or insert a character at the start, at the end or at position n.

John can crack several password hashes, such as traditional DES, BSDi extended DES, MD5, Blowfish-based, LM, NTLM and SHA, and the -jumbo edition adds support for hundreds more. The tool has a built-in feature to restore an interrupted session from a checkpoint, regardless of whether the interruption was manual or due to a crash. To increase the efficiency of an attack John can take advantage of multiple CPU cores and even multiple CPUs; this feature is only available on Unix systems, however. It can unshadow password files, which is done by combining the shadow file with the passwd file. Another useful function is the ability to crack salted hashes with a salt variable [85].

Figure 5.7: John the Ripper on Linux [86]

Single crack mode

This mode uses the account’s name, username and home directory name as candidates for an attack, in combination with a large set of word-mangling rules. The candidates are tried only on the account the information is connected to, as well as on other accounts that share the same salt.
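The mangling rules listed above and the single crack seeds described here can be turned around and used defensively: a password-setting check that rejects any password that is one rule away from the user’s own account data or a common word. The code below is an added example, not John the Ripper’s own code; the account data, the wordlist and the token list are constructed for the demonstration.

```python
"""Weak-password check built from the John the Ripper rules listed above (added
example, not John's code). The mangling rules from the text are applied to the
single-crack seeds (name, username, home directory) and a wordlist; the check
reports which base word, if any, a proposed password is one rule away from.
All account data, wordlist entries and token lists are constructed."""
import os

# Numeric constants and single characters to append or prefix (constructed list).
TOKENS = [str(n) for n in range(100)] + ["123", "1234", "2020", "!", "?", ".", "_"]

def case_variants(word):
    """Capitalize, lower case, upper case and toggled-case forms of a word."""
    return {word, word.lower(), word.upper(), word.capitalize(), word.swapcase()}

def mangle(word):
    """Every candidate one rule away from any case variant of `word`."""
    out = set()
    for w in case_variants(word):
        out |= {w, w[::-1], w * 2}                     # identity, reverse, duplicate
        out |= {w[1:] + w[:1], w[-1:] + w[:-1]}        # rotate (both directions)
        out |= {w + "s", w[1:], w[:-1]}                # pluralize, delete first/last char
        for tok in TOKENS:                             # append or prefix a token
            out |= {w + tok, tok + w}
        for i in range(len(w) + 1):                    # insert a character at position n
            out.add(w[:i] + "1" + w[i:])
    out.discard("")
    return out

def single_crack_seeds(username, full_name, home_dir):
    """Per-account words single crack mode would try first (order preserved)."""
    seeds = [username, *full_name.split(), full_name.replace(" ", ""),
             os.path.basename(home_dir.rstrip("/"))]
    return list(dict.fromkeys(s for s in seeds if s))

def weak_base(candidate, username, full_name, home_dir, wordlist):
    """Return the base word that mangles into `candidate`, or None if none does."""
    for base in single_crack_seeds(username, full_name, home_dir) + list(wordlist):
        if candidate in mangle(base):
            return base
    return None

if __name__ == "__main__":
    # Constructed account data and a tiny wordlist.
    acct = ("jsmith", "John Smith", "/home/jsmith")
    words = ["password", "winter"]
    for pw in ["Password2020", "htimsj", "Smith!", "Tr0ub4dor&3"]:
        print(f"{pw:14} -> {weak_base(pw, *acct, words)}")
```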

5.3.4 Hash Suite

Hash Suite is a Windows-based hash "cracking" tool with a GUI. It supports 12 different hashes, seen in Table 5.3, as well as salted hashes. It can run on multiple CPUs, and on multiple GPUs in its Pro edition. These can be used for several types of attacks: dictionary, brute-force, fingerprint and phrases.

In this tool the dictionaries used may be in a compressed state such as a zip or tgz file. The program can generate a report with statistics.

LM          NTLM        Raw-MD5
Raw-SHA1    Raw-SHA256  Raw-SHA512
DCC         DCC2        SSHA
MD5CRYPT    BCRYPT      WPA-PSK

Table 5.3: Hash Suite supported hashes

5.3.5 THC Hydra

THC Hydra, seen in Figure 5.8, is a remote authentication cracking tool that is supported on Unix-based systems, MacOS and Windows through the use of Cygwin (explained in Section 8.3), and even some mobile platforms such as Android. It can run both dictionary and brute-force based attacks against over 50 different protocols, including but not limited to HTTP, Telnet and FTP as well as several database types. The attacks allow for the use of a single user or a user list, as well as a single password or a chosen password list. Hydra can run parallel connections and reports its findings in an output file [87].

Figure 5.8: THC Hydra on Unix [88]

5.3.6 RainbowCrack

RainbowCrack, seen in Figure 5.9, is a password cracking tool that utilizes rainbow tables. It was created by Zhu Shuanglei for Unix and Windows systems. It supports several hash types, and a large number of rainbow tables can be downloaded from its website [89]. A tool for the creation of new rainbow tables comes with RainbowCrack, seen in Figure 5.10.

Figure 5.9: RainbowCrack on Windows [90]

Figure 5.10: Rainbow table generation with RainbowCrack [90]

5.3.7 Hashcat

Hashcat, seen in Figure 5.11, is a very versatile password-cracking tool that supports Unix, Windows and MacOS. It can run several different attacks, brute-force or mask, dictionary and hybrid to name a few. The tool can crack multiple hashes simultaneously and boosts its efficiency by using multiple devices at once; multiple GPUs and CPUs can work in parallel to enhance its computing power. Hashcat supports over 200 hash algorithms, among them MD5, SHA-512, LM and NTLM, including salted variants.

In case of a crash, a failure or the need to stop the tool, it lets the user restore a cracking session from its last checkpoint.

In a mask attack the mask can be written directly on the terminal command line, or read from a mask file. It is also possible to use one of Hashcat’s special character files to include country-specific characters, like the German umlaut, in brute-force or mask attacks. A mask attack can also increment its length in order to test for passwords of a known structure but unknown length; this is also supported in hybrid attacks.
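The size of the keyspace a mask describes, and therefore how long a password of that structure survives at a given cracking rate, can be computed directly from the mask. The following is an added example, not Hashcat’s code: it parses masks in Hashcat’s placeholder syntax, models the length-increment behaviour described above, and accepts user-defined charsets the way Hashcat’s -1 to -4 options do. The cracking rate in the demo is an assumed figure, not a value from Figure 5.11.

```python
"""Keyspace and time-to-exhaust for a Hashcat-style mask, including the length
increment described above (added example, not Hashcat's code). Built-in
placeholders ?l ?u ?d ?s ?a ?h ?H use Hashcat's character sets; custom charsets
are given as a dict mapping '1'..'4' to a charset spec. The cracking rate in the
demo is an assumed figure, not a benchmark result."""
import math
import string

# Characters behind each built-in placeholder (?a is all 95 printable ASCII).
BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase, "d": string.digits,
           "s": " " + string.punctuation, "h": "0123456789abcdef", "H": "0123456789ABCDEF"}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]

def tokens(spec):
    """Split a mask or charset spec into '?x' placeholders and literal characters."""
    i = 0
    while i < len(spec):
        step = 2 if spec[i] == "?" and i + 1 < len(spec) else 1
        yield spec[i:i + step]
        i += step

def charset(tok, custom=None):
    """Characters one token stands for: '??' is a literal '?', ?1..?4 are user-defined."""
    if len(tok) == 1 or tok == "??":
        return {tok[-1]}
    key = tok[1]
    if key in (custom or {}):
        return set().union(*(charset(t) for t in tokens(custom[key])))
    return set(BUILTIN[key])

def keyspace(mask, custom=None, increment=False, increment_min=1):
    """Candidates the mask yields; with increment, every prefix length from increment_min up."""
    sizes = [len(charset(t, custom)) for t in tokens(mask)]
    if not increment:
        return math.prod(sizes)
    return sum(math.prod(sizes[:n]) for n in range(increment_min, len(sizes) + 1))

def seconds_to_exhaust(mask, rate, **kw):
    """Worst-case time to try the whole keyspace at `rate` hashes per second."""
    return keyspace(mask, **kw) / rate

if __name__ == "__main__":
    RATE = 1e10  # assumed hashes per second for a fast unsalted hash
    for m in ["?u?l?l?l?l?d?d", "?d?d?d?d?d?d?d?d", "?a?a?a?a?a?a?a?a"]:
        print(f"{m:18} {keyspace(m):>22,}  {seconds_to_exhaust(m, RATE) / 86400:10.2f} days")
```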

A dictionary attack can include special characters such as the Norwegian ’æøå’, and multiple dictionaries can be used at once. During the attack Hashcat can apply a myriad of word-mangling rules as specified in the start command, either directly on the terminal line or through a rule file.

During the attack Hashcat allows the progress to be monitored in the terminal, including a status report with statistics such as time elapsed, estimated time remaining, passwords recovered and keyspace tried. When all this is done the tool can print out a report containing the wanted information in several different formats. The tool is quite versatile as it allows for many different add-ons and contains several different utilities.

Examples are the support for use of several machines in a node structure, and the possible merging of several dictionaries [91].

Figure 5.11: HashCat MD5 Benchmark on Windows

5.3.8 AirCrack NG

Aircrack-ng, seen in Figure 5.12, is the new generation (ng) of aircrack, released in 2006. It is, in the publisher’s own terms, a complete suite of tools to assess WiFi network security. The tool is terminal-based and is driven by command-line options. It can be installed on Unix, on Windows via Cygwin and on MacOS using Xcode. Aircrack allows for the monitoring and capture of packets, as well as several attacks like replay and deauthentication. It can also crack WEP and WPA PSK, both 1 and 2, with the use of a dictionary attack [92].

Figure 5.12: Start monitoring wireless adapter in aircrack using backtrack [93]

5.3.9 WinDump

WinDump is the Windows edition of tcpdump which is a terminal-based network-packet analyzer tool for Unix [94].

5.3.10 Wireshark

Wireshark, seen in Figure 5.13, is a network/packet analyzer that was originally released as Ethereal in 1998, then rebranded and released as Wireshark in 2006. It runs on Unix and Windows. The program is designed to capture packets and display them in as much detail as possible. Wireshark can search, filter and export packets, and can import packets from other packet-capture programs.

Figure 5.13: Wireshark sniffing packets [95]

5.3.11 Gophish

Gophish, seen in Figure 5.14, is an open-source phishing toolkit used to simulate phishing. It is built to help penetration testers and corporations identify holes in their organization. It supports operating systems like Windows, MacOS and Unix. Among its functions is the ability to build groups and templates. The tool lets its user set up, schedule and deploy campaigns, and view and export detailed reports. Gophish supports sending HTML pages that can link to other pages, as well as the capture of credentials [96].

Figure 5.14: Gophish result template [96]

5.3.12 Social Engineer Toolkit (SET)

Social Engineer Toolkit, seen in Figure 5.15, is a toolkit for social engineering attacks for Unix and MacOS. It was created by TrustedSec to fill a void in the penetration testing community [97]. It focuses on attacking a person or organization by exploiting curiosity, greed or stupidity. SET offers several attack vectors: over email, a webpage, a USB or through SMS.

Figure 5.15: Social Engineer Toolkit main menu [98]

Chapter 6

Experiment

Now that we have taken a good look at the theoretical background of user authentication credentials known as the password, it is time to proceed to the practical work of attacking some password files. Below we briefly describe the techniques used to crack the passwords and what passwords will be cracked.

We attack an offline copy of a specific data breach merged with a collection of several other breaches.

6.1 The Machine and Software

In this attack the machine is a gaming system built by the author. The system contains the following relevant components.

• An AMD Ryzen 7 1700 processor with eight cores, each with a 3.00 GHz clock speed.

• 16 GB of RAM.

• A GeForce GTX 1060 graphics card with 6 GB of VRAM.

• A 64-bit version of Windows 10.

We use the software Hashcat, explained in Section 5.3.7, to crack our passwords. A benchmark of this machine’s relevant hash cracking speed is illustrated in Figure 5.11.
