Cracking Passwords😈 like a pro😎 - Be a better crackhead😝

CyberMorans🤗

Encryption transforms plaintext into reversible ciphertext, which allows password managers to store and display the original plaintext password 👇

On the other hand, hashing is the typical and most popular method 🥸 used for storing passwords for online services. Since service operators don't need to reverse passwords, only to verify they are correct, passwords are hashed. Hash algorithms convert plaintext values into ciphertext in a one-way process 👇

A hacker😈 must retrieve the ciphertext value, often through man-in-the-middle attack, hacked credential databases, or phishing. Once an hacker😈 has obtained the hash, the next step is to crack the password. Most password-cracking techniques involve brute-forcing the password, but there are ways to make this process more efficient and streamlined...lets do this!💪

👊 Rainbow Tables

Since hashing algorithms are publicly known, it is possible to create massive lists of password hashes that a stolen hash☠️ can be compared against. Instead of generating a new hash for every variation, look up the stolen hash against a table to see if it matches🙊

There are many different hash methods and near-infinite password variations, which can quickly make managing and storing tables like this very difficult. There is another technique known as password salting that can also throw a wrench 💩 in this technique. If the server adds random values to the front and end of a hash (values known only to the server), then the resulting hashes won’t match known values anymore🙀

👊 Dictionary Attacks

To make brute-forcing a password easier, attackers😈 can use dictionaries of common words and phrases like company names, sportsteams, etc. This narrows down the list of potential password choices. In the past, users were recommended to change their password often like, every 90 days or something and to use complex passwords☠️

But, this led to users choosing passwords like !BaneDC2023#, which makes the job of a password cracker easier. Once the base word, Bane, is guessed through a dictionary attack, trying a few different symbols and numbers can quickly crack the password😈

👊 Markov chain attack

This is an advanced dictionary attack involving a statistical analysis of a list of words stored in a table and used to calculate the probability of character placement in a brute-force attack💀

Illustration of a markov chain attack by shulk from super smash bros

👊 Weak Hashing

Of course, not all password hashing schemes are created equal. As technology evolves, what was once considered secure may no longer be so. This is true for hash algorithms like MD5 or SHA-1, which can be cracked quickly💀

A system that stores user password hashes with one of these algorithms could have its entire database cracked quickly. Modern systems recommend more secure algorithms, such as bcrypt, which uses salted password hashes 🤓

👊 Brute Forcing

Sometimes, the only way to find a password is to attempt every possible combination of letters, numbers, and symbols😈 If the password is random, many other techniques to make the job easier may not work🧐

This 👆 approach is the least efficient, but it may be the only option when all else fails.

An attacker😈 may use a computer or a cluster of computers to attempt every possible variation. The longer the password, the more difficult, power hungry and time-consuming the cracking process can become💫

🚀 Password Cracking Tools

Though the techniques themselves are essential to know, many password crackers rely on readily available tools.

Though the standard tools are listed below, many more are available. All of the below are open-source and community-developed, which means they are ever-evolving 👇

• 👉 John the Ripper - Supports hundreds of hashes types across many applications and is available on multiple platforms.

• 👉 Hashcat - Works with the CPU and GPU to provide a high-speed command-line password-cracking tool supporting many hash types.

• 👉 Ophcrack - A tool based around rainbow tables focused on LM and NTLM passwords used in Windows environments.

• 👉 Zip Cracker - Crack Zip Passwords With Dictionary Attacks

• 👉 RainbowCrack - Optimized memory trade-off tool for table creation, conversion, and lookup.

• 👉 AirCrack - Uses FMS Attack Supports WEP and WPA passwords

🚀 Protect Yoselves

With all the talk of password cracking, what can you do to protect yoself? Modern security organizations such as NIST, though their 800-63B guidelines, now recommend the following 👇

• 💨 Use a Double-Blind Password Strategy - also known as "horcruxing", "password splitting", or "partial passwords", involves storing the long and complex part of a password in a password manager and keeping the short unique identifier, such as a PIN code or word, to yourself. Splitting the password into two parts makes it much harder for an hacker😈 to gain full access, even if they have stolen your password manager's passphrase and secret.

• 💨 Ditch the regular password change requirements. Only change passwords if requested explicitly by a user or if a password has been breached😈

• 💨 Decrease the arbitrary need for password complexity and focus on overall password length, such as a minimum of 12 characters😈

• 💨 All new passwords must be compared against commonly used or previously compromised passwords😈

• 💨 Do not reuse passwords across different services to avoid attacks such as credential stuffing😈

• 💨 Increased hash security means that even shorter passwords take far longer to crack, such as MD5 vs. PBKDF2.😈

• 💨 To keep end-users in your organization secure and to prevent password-based vulnerabilities, it is important to incorporate MFA whenever possible.😈

🚀Conclusion 🤖

Subscribe to receive notifications of similar posts 😜 where we will be reverse engineering malware, vulnerabilities as well as hacking tools, vectors, stories, tutorials and other Infosec stuff...😋

Follow me on twitter for daily Infosec Memes and shenanigans😝

Morans😈

Thank you for taking time and hope you learned something new, Like/Share and leave a comment and as always, stay awesome! 😋👊 💪