Password cracking
Password cracking From the cryptanalysis and computer security point of view, password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system The purpose of password cracking might be Help a user to recover a forgotten password Gain unauthorized access to a system Preventive measurement of password strength
Password strength Is a measure of the effectiveness of a password in resisting guessing and brute-force attacks There are two factors to consider in determining password strength The average number of guesses the attacker must test to find the correct password Length of the password Size of the character and/or symbol set The ease with which an attacker can check the validity of each guessed password How is the password stored and used
Password strength A way to reduce this risk is to store only a cryptographic hash of each password instead of the plain-text password
Hash functions A cryptographic hash function is a hash function which is considered practically impossible to invert Invert means to recreate the input data from its hash value alone The input data is often called the message, and the hash value is often called the message digest or simply the digest
Hash function Digest Hash function Message password passwOrd MD5 5f4dcc3b5aa765d61d8327deb882cf99 505162a3e704d0d0fa2197e0c1dada38
Hash function The ideal cryptographic hash function properties are: It is easy to compute the hash value for a given message It is infeasible to generate a message that has a given hash It is infeasible to modify a message without changing the hash It is infeasible to find two different messages with the same hash A minor change in the input message causes significantly different hash
Hash function Algorithm Output size [bits] Max message size Operations MD5 128 264 − 1 add mod 232, and, or, xor, rot SHA-1 160 SHA-256 256 add mod 232, and, or, xor, shr, rot SHA3-512 512 ∞ and, xor, not, rot
Password cracking – Brute force Ordinary desktop computers can test over a hundred million passwords per second using password cracking tools that run on a CPU And billions of passwords per second using GPU-based password cracking tools A user-selected eight-characters long password with numbers, mixed case, and symbols, reaches an estimated 30-bit strength 230 is only one billion permutations and would take an average of 35 minutes to crack
Password cracking – Brute force Numerals 0123456789 Length Combinations Home PC Work station Botnet 2 100 Instant 3 1000 4 10,000 5 100,000 6 1 Million 7 10 Million 8 100 Million 10 Seconds 9 1000 Million 1½ Mins
Password cracking – Brute force Upper Case Alpha ABCDEFGHIJKLMNOPQRSTUVWXYZ Lower Case Alpha abcdefghijklmnopqrstuvwxyz Length Combinations Home PC Work station Botnet 2 676 Instant 3 17,576 4 456,976 5 11.8 Million 6 308.9 Million 30 Secs 3 Secs 7 8 Billion 13 Mins 1¼ Mins 8 Secs 8 200 Billion 348 Mins 35 Mins 3½ Mins 9 5.4 Trillion 6¼ Days 15 Hours 1½ Hours 10 141 Trillion 163 Days 16 Days 39¼ Hours 12 95 Quadrillion 302 Years 30 Years 3 Years 15 1.6 Sextillion 5 Million years 531,855 Years 53,185 Years 20 19.9 Octillion 63.1 Trillion years 6.3 Trillion years 631 Billion years
Password cracking – Brute force Mixed Alpha, Numerals & Symbols 0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz <SP>!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ Length Combinations Home PC Work station Botnet 2 9,216 Instant 3 884,736 4 85 Million 8½ Secs 5 8 Billion 13½ Mins 1¼ Mins 8 Secs 6 782 Billion 22 Hours 2 Hours 13 Mins 7 75 Trillion 87 Days 8½ Days 20 Hours 8 7.2 Quadrillion 23 Years 2¼ Years 83½ Days
Password cracking – Brute force
Password cracking – Dictionary attack A dictionary attack uses a targeted technique of successively trying all the words in an exhaustive list called a dictionary (pre-arranged list of words) In contrast with a brute force attack, where a large proportion key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed Dictionary attacks succeed because many people chooses short passwords (7 characters or fewer), such as single words found in dictionaries or simple, easily predicted variations on words, such as appending a digit
Password cracking – Dictionary attack To speed up the attack it is useful to pre-compute a list of hashes as a key from the dictionary The pre-computed dictionary (Rainbow table) need only be generated once (password hashes can be looked up almost instantly at any time to find the corresponding password)
Password cracking – Dictionary attack Rainbow tables Character Set Length Table Size ABCDEFGHIJKLMNOPQRSTUVWXYZ 14 0.6 GB ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 3 GB ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+= 24 GB ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ 64 GB
Demo - Tools Hosted web application (DVWA) Kali linux – Hashcat Password dictionary
Demo If you remember the SQL Injection tutorial, we have obtained a list of usernames and passwords form the DVWA application username: admin, password: 5f4dcc3b5aa765d61d8327deb882cf99 username: gordonb, password: e99a18c428cb38d5f260853678922e03 username: 1337, password: 8d3533d75ae2c3966d7e0d4fcc69216b username: pablo, password: 0d107d09f5bbe40cade3de5c71e9e9b7 username: smithy, password: 5f4dcc3b5aa765d61d8327deb882cf99
Demo – brute force Start Kali linux Open terminal and get hashcat help root@kali:~# hashcat –help Hashcat usage hashc at [options] hashfile [mask|wordfiles|directories] See available options --hash-type=NUM 0 = MD5 100 = SHA1 200 = MySQL
Demo – brute force --attack-mode=NUM --threads=NUM 0 = Straight 1 = Combination 2 = Toggle-Case 3 = Brute-force 4 = Permutation 5 = Table-Lookup --threads=NUM --pw-min=NUM , --pw-max=NUM
Demo – brute force --custom-charset1=CS (usable in mask ?1?2?3) ?l = abcdefghijklmnopqrstuvwxyz ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ ?d = 0123456789 ?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ ?a = ?l?u?d?s e.g. --custom-charset1=?l?d --outfile=FILE
Demo – brute force Before we begin the attack itself, start CPU meter conky root@kali:~# conky Create input text file with password hashes root@kali:~# gedit /root/Desktop/hashes.txt
Demo – brute force Hashcat example 1 hashcat --hash-type=0 --attack-mode=3 --threads=32 /root/Desktop/hashes.txt ?l?l?l --outfile=/root/Desktop/hashes_cracked.txt --hash-type=0 means that source hashes are of MD5 type --attack-mode=3 means brute force attack threads=32 means that brute force will use 32 threads /root/Desktop/hashes.txt is source files with hashes ?l?l?l means password mask (we are looking for 3 characters long password consisting of lowercase letters) --outfile=/root/Desktop/hashes_cracked.txt is output file
Demo – brute force Hashcat example 2 hashcat –m 0 –a 3 –n 32 /root/Desktop/hashes.txt --custom-charset1=?l?d ?l?l?l?d?d?1 –o /root/Desktop/hashes_cracked.txt --custom-charset1=?l?d defines custom charset (?1) consisting of lower case characters (?l) and numbers (?d) l?l?l?d?d?1 this mask means that we are looking for passwords consisting of 3 lower case letters (3x?l) followed by 2 numbers (2x?d) and the last character (1x?1) is from set defined by --custom-charset1
Demo – brute force Hashcat example 2
Demo – brute force Hashcat example 3 hashcat –m 0 –a 3 –n 32 /root/Desktop/hashes.txt -–pw-min=7 ?l?l?l?l?l?l?l –o /root/Desktop/hashes_cracked.txt -–pw-min=7 means that we will start with 7 characters long passwords (we will skip 1-6 characters long passwords) ?l?l?l?l?l?l?l – this mask means that we are looking for passwords consisting of 7 lower case letters
Demo – brute force Hashcat example 3
Demo – dictionary attack We will use the rockyou.txt dictionary root@kali:~# cp /root/rockyou.txt /root/Desktop/dic.txt root@kali:~# vim /root/Desktop/dic.txt To close vim type :q<ENTER>
Demo – dictionary attack Hashcat example 4 hashcat –m 0 –a 0 /root/Desktop/hashes.txt /root/Desktop/dic.txt –o /root/Desktop/hashes_cracked.txt –a 0 means that we will do straight (dictionary) attack /root/Desktop/dic.txt is text file containing word list using by dictionary attack
Demo – dictionary attack Hashcat example 4
References DVWA - http://www.dvwa.co.uk/ http://www.sha1-online.com/ http://scrapmaker.com/view/dictionaries/rockyou.txt HACKING EXPOSED (ISBN: 978-0-07-161375-0) Penetration testing (ISBN-10: 1-59327-564-1) Principles of Computer Security (ISBN: 978-0-07-174857-5)
Warning Hacking is illegal because it is getting into a system another person owns. If you wanted to do legal hacking then you would have to own the system.