Home » Security Bloggers Network » 5 Most Popular Password Cracking Tools: Protect Your Enterprise

5 Most Popular Password Cracking Tools: Protect Your Enterprise

by Joseph Carson on April 28, 2020

Passwords. How on earth did we get here? They’ve been around for so many years and yet there’s still so much to be said about them.

In most organizations passwords are what make the difference between keeping cyber criminals out—and falling victim to a cyber-attack. And for the multitude of applications, systems and infrastructure of so many organizations, the only security control preventing unauthorized access is a simple password somewhere between 4 and 127 characters long.

A password—sometimes called a passcode, passphrase, PIN or secret—is used to ensure that only authorized employees or users can access applications and systems. A password is usually combined with an identifier (typically a username or email address) to determine who is accessing the system, to verify the authenticity of that identity. A password should be known only to the user, and never shared.

Sponsorships Available

Ordinarily, a password is a set of character combinations such as letters, numbers and symbols used to authenticate an identity or to verify authorization to access a system or application. But not all login systems enforce the same security best practices. Different authentication systems require different lengths and complexities of password strings, and this presents a challenge. Some systems have set limits on password length, some have set limits on complexity, and some systems even require all lowercase characters.

Another popular login method is the PIN. This typically refers to a number-only password, usually 4 – 6 numbers, and is commonly used on mobile devices. As a best practice you should know the limitations on login systems so you can ensure the highest possible security is configured and used. And make sure your security solution is usable and not too complex or users will revert to poor password hygiene habits, like reusing passwords across multiple systems and credentials.

Not all logon systems have the same complexity — Login systems don't all offer the same security

Most login systems use a cryptographic technique known as a hash to store the password in a database, and that hash should be a one-directional only algorithm. No one other than the user or system should ever know the clear text password.

The most common hash used in the past was SHA1 until security researchers discovered ‘collisions’; this is when two different inputs create the same output. This was bad for security and meant that SHA1 could no longer be used to store passwords. It is important to know what hash algorithm is used and whether it also includes salt: additional random data added to the input.

Hash is a one-directional cryptographic algorithm used to store passwords

So, how do cyber criminals crack or steal your password to gain access to applications and systems?

The majority of cyber criminals will want to use the easiest, stealthiest and least costly way of stealing your passwords. And one of the easiest methods is phishing—they simply ask you for the password. This technique takes advantage of your trusting nature, and when directed to a fake login website (that looks perfectly authentic) you hand over your username and password to the attacker as you log in. Here are some of the most common techniques for getting passwords:

Ask the user for their password pretending to be an authentic internet service
Crack the password using brute force or dictionary attacks
Discover a vulnerability in the application, bypassing authentication

Give me your password, please — Some examples used by cyber criminals to get you to click on something bad

Let’s take a closer look at the password cracking techniques:

Before a cyber criminal can start cracking your password, they must first get the hash, which as previously mentioned is the cryptographic store value of your password. There are tools available to get those hashes:

Mimikatz – a Password Recovery and Audit tool
Capture Packets – tools such as Wireshark to capture the packets that move around the network
Metasploit Framework – a security framework that helps security professionals assess and manage security
Responder – LLMNR and NBT-NS (NetBIOS Name Service) responder

This is what a typical password cracking flow looks like:

Steal/Get the hashes
Organize and format the hashes depending on the tool
Plan your attack method: wordlist, rules and masks
Crack the passwords
Analyze password’s progress
Customize your attack
Repeat

5 Popular Password Cracking Tools

Kali Linux – Popular Penetration Testing Distribution Tool

Kali Linux is a well known security tool and it comes in many different bootable options from virtual images to software installations. It even runs on Raspberry PIs. It’s used around the world for penetration testing and by IT security teams protecting their networks or looking for vulnerabilities on their networks. Kali comes with a variety of popular password attack tools out of the box:

CeWL – Custom WordList Generator

CeWL is one of my favorite wordlist generators. It allows you to create word lists by spidering websites.

When using CeWL I start with a basic command like this:

The command line options are:

-h = help
-d = Depth to spider site
-m = Min Word length
-w = Output file
-e = include emails

Mimikatz – Security Audit Tool

Mimikatz is another popular security audit tool to extract plaintexts passwords, hash, PIN code and Kerberos tickets from memory. It’s mainly used to move laterally around the network elevating privileges one step at a time.

Hashcat – hashcat is the world’s fastest and most advanced password recovery utility

Hashcat is the password cracking tool most commonly used to perform different attack modes such as straight, combinations, brute-force and hybrid attacks.

Screenshot - Hashcat password recovery tool

Hashcat attack mode options:

Example of a hashcat command:

Command line options:

-m = hash type (0 = MD5, 100 = Sha1, 1000 = NTLM)
-a = attack mode

Pipal Password Analyzer

As you’re cracking passwords or analyzing password dumps, a great way to understand the passwords is to analyze them using a password analyzer. There are several excellent tools but Pipal is one of my favorites. It’s quite simple, yet powerful.

All you need to do is run the Pipal ruby against a password file. In the following example I am using the ‘rockyou’ password file:

Example output from Pipal Password Analyzer:

Password Cracking Summary

These are just a few of the top password cracking tools available and as you can see, a password can be easily cracked. So it’s important to make the task as difficult as possible for cyber criminals, and ensure that for critical systems and applications a password is not the only security control protecting your environment.

One of the main issues you’ll face is with your end users being responsible for creating and maintaining the passwords they use. Make it easier for them by choosing a security solution that’s usable.

With users often having to manage 30 or more different user accounts and credentials, it’s almost certain they’ll reuse passwords or use some variation of the same password. This means once an attacker has compromised one password it’s only a matter of time before they’ll guess the others too, and with tools like Hashcat, along with good wordlists and rules—it won’t take long!

Ensure that a password is not the only security control protecting your environment

We must educate end users and make the right tools available to them so they don’t develop bad security hygiene. Let’s make security usable and easy, and empower users to form a stronger front-line defense.

Remembering passwords causes cyber fatigue — Don’t let a password be the only security method protecting your critical assets

Finally, here are my 10 security tips to help users protect themselves, their families and the companies they work for. Security starts at home. Users must be educated and empowered beyond the workplace.