You all must have heard of password cracking, maybe in movies where a hacker cracks the password of any locker or system very easily. However, in reality, that’s not the case—it can take up to months or even years to crack some really strong passwords. At the end of this article, you will be able to crack any password hash, .cap file captured from a WiFi deauth attack, encrypted file, etc.
Disclaimer⚠️
Before we begin, it's essential to note that using password-cracking techniques for unauthorized access is illegal and unethical. The methods discussed here are meant for educational purposes and should only be used in legitimate penetration testing scenarios or for personal security testing.
Before diving into the journey of password cracking, let’s understand some basics. Password cracking is the recovery of passwords from data, systems, etc., and is used by Red Teamers, System Administrators, and Ethical Hackers. Meanwhile, you are almost certainly vulnerable to hackers if you are using any of these most commonly used passwords: list-of-most-common-passwords
Encryption vs Hashing vs Encoding
- Encryption: Encryption is the process of securing data by binding it to a key, so that the data cannot be read without the secret key.
- Hashing: Hashing is the process of verifying the integrity of data by creating a unique fingerprint of it that cannot be reversed.
- Encoding: Encoding is not meant for security; it is the transformation of data into a different format for easy retrieval.
How Passwords are Stored?
1. Plaintext (Unhashed Password):
Plaintext passwords are stored exactly as entered, without being converted into a hash. If anyone gains access to the password file, all the passwords can be viewed simply by opening the file in a text editor. This is the most insecure way to store passwords. You can convert your plaintext password into a hash using websites like browser-ling.
2. Hashed:
Hashed passwords are the most commonly used and secure method for storing passwords, where passwords are converted into hash values that cannot be converted back into the original password. These days, SHA-256 is the most commonly used hash. MD5 and SHA-1 are not widely used anymore.
3. Salting:
Salting enhances password security by adding random data (randomly generated string) to the passwords before hashing, making them more difficult to crack. Even if two people have the same password, their hashed values will differ.
4. Pepper:
Pepper adds another layer of security on top of salting. A secret global value (known as pepper) is appended to the password before hashing. Pepper values are stored separately from the database, usually in the application code.
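To see the difference between the four storage methods above, here is an added Python example (not code from the original article) that implements each one with the standard library. The pepper value, the 16-byte salt length and the `salthex$digest` record format are assumptions made for the demonstration; the pepper is appended to the password before hashing exactly as described above, and in a real system it would be loaded from application configuration or a secrets manager rather than written into the source.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo pepper (assumption). A real pepper is a secret kept in
# application configuration, never stored next to the hashes in the database.
PEPPER = "demo-pepper-not-in-the-database"


def store_plaintext(password: str) -> str:
    """1. Plaintext: the stored record is the password itself."""
    return password


def store_hashed(password: str) -> str:
    """2. Hashed: unsalted SHA-256, so equal passwords give equal records."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """3. Salted: a random per-user salt is prepended before hashing and kept
    next to the digest in a 'salthex$digest' record (record format assumed)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def store_peppered(password: str, salt: Optional[bytes] = None) -> str:
    """4. Peppered: same as salted, with the secret pepper appended to the
    password before hashing, as the article describes."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.sha256(salt + (password + PEPPER).encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def verify(password: str, record: str, peppered: bool = False) -> bool:
    """Recompute the record from the stored salt and compare in constant time."""
    salt_hex, _ = record.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    recomputed = store_peppered(password, salt) if peppered else store_salted(password, salt)
    return hmac.compare_digest(recomputed, record)


if __name__ == "__main__":
    pw = "hunter2"  # constructed sample password
    print("plaintext :", store_plaintext(pw))
    print("hashed    :", store_hashed(pw), "(identical for every user with this password)")
    print("salted    :", store_salted(pw))
    print("salted    :", store_salted(pw), "(differs each time because the salt differs)")
    rec = store_peppered(pw)
    print("peppered  :", rec, "verifies:", verify(pw, rec, peppered=True))
```

Running the block twice shows the point of salting directly: the unsalted digest for `hunter2` is the same in both runs, while every salted record differs, so an attacker cannot crack all users sharing a password with one computation. The peppered record can only be verified by code that holds the pepper, which is why a stolen database alone is not enough.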
"Hashing is not the same as encryption. Hashing is a one-way function, whereas encryption is a two-way function"
Techniques to Crack Any Password
1. Brute-Force Attack
Brute force tries all possible password combinations until the correct password is found. Brute forcing weak passwords can be effective, but it is highly time-consuming for complex passwords. A 25-GPU computer cluster, for example, can crack a standard Windows password within 6 hours.
2. Dictionary Attack:
A dictionary attack uses a list of possible passwords (wordlists) to find the correct password. Popular wordlists include `rockyou.txt`, `seclist`, `crackstation`, and `onelistforall`. You can create your own custom wordlist using tools like `crunch` for better results. Explore more wordlists at: passwordcollection
3. Rainbow Table Attack:
A rainbow table attack matches the captured password hash directly against a precomputed table of hashes, rather than hashing candidate passwords one by one and converting each guess into a hash at attack time.
Tools for Password Cracking
1. Hashcat:
Hashcat is the fastest password-cracking tool, leveraging GPU power to speed up the cracking process. It supports a wide range of hashing algorithms.
hashcat -m 0 -a 0 example.hash /usr/share/wordlists/rockyou.txt
- `-m 0`: Specifies MD5 hash.
- `-a 0`: Attack mode (0 for dictionary attack).
- `example.hash`: File containing the hash to crack.
- `/usr/share/wordlists/rockyou.txt`: Wordlist file.
2. John the Ripper:
John the Ripper is an open-source password-cracking tool that relies on CPU power, making it beneficial for low-end PCs.
john --wordlist=/usr/share/wordlists/rockyou.txt example.hash
- `--wordlist`: Path to the wordlist.
- `example.hash`: File containing the hash.
3. Hydra:
Hydra is a fast network login cracker that supports multiple protocols such as SSH, FTP, HTTP, etc. It focuses on online attacks, including login pages and user authentication.
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.12
- `-l root`: Login name (root).
- `-P`: Path to the password wordlist.
- `ssh://192.168.1.12`: SSH server address.
4. Medusa:
Medusa is designed for brute-forcing credentials over various network protocols like SSH, FTP, SMB, etc. It focuses on speed and parallelized attacks (multiple hosts at once) and is similar to Hydra.
medusa -h 192.168.1.10 -u admin -P /usr/share/wordlists/rockyou.txt -M ftp
- `-h`: Host address.
- `-u admin`: Username to test.
- `-P`: Path to the wordlist.
- `-M ftp`: Specifies the FTP module.
5. Ophcrack
Ophcrack is used to crack Windows passwords using rainbow tables. It works efficiently on LM & NTLM hashes.
ophcrack -n 3 -t tables_xp
- `-n 3`: Number of threads.
- `-t tables_xp`: Use the XP rainbow tables.
6. Ncrack
Ncrack is a high-speed network authentication cracking tool, supporting SSH, RDP, FTP, Telnet, and more. It is known for its flexibility and customizability.
ncrack -p 3389 192.168.1.10 -U users.txt -P passwords.txt
- `-p 3389`: Targeting RDP (port 3389).
- `-U users.txt`: File with usernames.
- `-P passwords.txt`: File with passwords.
7. Aircrack-ng:
Aircrack-ng is specially designed for cracking WiFi passwords. It captures wireless packets and can crack WEP & WPA/WPA2-PSK keys using your own wordlist.
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 00:14:6C:7E:40:80 capture.cap
- `-w`: Path to the wordlist.
- `-b`: Target access point’s MAC address.
- `capture.cap`: The file containing captured packets.
8. Online Services:
- CrackStation: an online tool that allows you to crack password hashes by searching its vast database of precomputed hashes.
- Hashes.org: a community-driven project that maintains a large collection of hashed passwords, both cracked and uncracked.
- GPuhash.me: effective for WiFi WPA/WPA2 cracking and NTLM hashes, using GPU-accelerated cracking rather than CPU power alone.
Time Required to Crack Passwords
Password cracking consumes time, which depends on the strength of the password. The strength is measured by information entropy.
The formula for calculating password entropy is:
H = L × log2(N)
(Where L is the length of the password and N is the number of possible symbols.)
"By comparing the entropies of two passwords, we can determine which one is stronger."
Maximum Cracking Time:
To crack a complex password not found in any wordlist, a brute-force attack would try all possible character combinations.
Here’s an example:
– Total possible characters: 62 (0-9, a-z, A-Z)
– Password length: 6
– Attempts per second: 10,000,000
Time taken = 62^6 / 10,000,000 seconds
Time Taken to Crack Different Hashes
The time to crack various hashes, from longest to shortest, is as follows:
bcrypt Hash > SHA-512 Hash > SHA-256 Hash > NTLM > SHA-1 Hash > MD5 Hash > LM Hash
You can see time required to crack your password on: passwordmonster
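The entropy formula and the brute-force arithmetic above, together with the hash-cost ordering, can be checked with the following added Python example (not from the original article). The character-class rule for estimating N, the 10,000,000 attempts per second taken from the example above, and the use of PBKDF2-HMAC-SHA256 with 100,000 iterations to stand in for a slow password hash are assumptions; bcrypt is not in the Python standard library, so PBKDF2 plays the slow-hash role here and the measured rates are whatever the machine running the block produces.

```python
import hashlib
import math
import string
import time
from typing import Callable, Dict


def charset_size(password: str) -> int:
    """Estimate N from the character classes present (assumed rule: digits 10,
    lowercase 26, uppercase 26, ASCII punctuation 32)."""
    n = 0
    if any(c in string.digits for c in password):
        n += 10
    if any(c in string.ascii_lowercase for c in password):
        n += 26
    if any(c in string.ascii_uppercase for c in password):
        n += 26
    if any(c in string.punctuation for c in password):
        n += len(string.punctuation)
    return n


def entropy_bits(length: int, n: int) -> float:
    """H = L x log2(N), the article's formula."""
    return length * math.log2(n) if n > 0 else 0.0


def password_entropy(password: str) -> float:
    return entropy_bits(len(password), charset_size(password))


def brute_force_seconds(n: int, length: int, attempts_per_second: float) -> float:
    """Worst case: every one of the N^L combinations is tried."""
    return n ** length / attempts_per_second


def measured_rate(hash_fn: Callable[[bytes], bytes], samples: int) -> float:
    """Hashes per second for hash_fn over `samples` constructed guesses."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}".encode())
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


def fast_hash(pw: bytes) -> bytes:
    return hashlib.sha256(pw).digest()


def slow_hash(pw: bytes) -> bytes:
    # PBKDF2 with 100,000 iterations stands in for bcrypt (assumption).
    return hashlib.pbkdf2_hmac("sha256", pw, b"constructed-salt", 100_000)


def compare_cost(n: int = 62, length: int = 6) -> Dict[str, float]:
    """Time to exhaust the N^L keyspace at the rate this machine hashes."""
    rate_fast = measured_rate(fast_hash, 2000)
    rate_slow = measured_rate(slow_hash, 5)
    return {
        "sha256_per_s": rate_fast,
        "pbkdf2_per_s": rate_slow,
        "sha256_seconds": brute_force_seconds(n, length, rate_fast),
        "pbkdf2_seconds": brute_force_seconds(n, length, rate_slow),
    }


if __name__ == "__main__":
    # The article's example: 62 symbols, length 6, 10,000,000 attempts/s.
    print("entropy of a 6-char alphanumeric password: %.2f bits" % entropy_bits(6, 62))
    print("62^6 / 10,000,000 = %.1f seconds (about %.0f minutes)"
          % (brute_force_seconds(62, 6, 10_000_000), brute_force_seconds(62, 6, 10_000_000) / 60))
    print("entropy of 'Passw0rd': %.2f bits" % password_entropy("Passw0rd"))
    for k, v in compare_cost().items():
        print(f"{k:>16}: {v:,.1f}")
```

The first two printed lines are the article's own numbers worked through: 62^6 is 56,800,235,584 combinations, so at 10,000,000 attempts per second the worst case is about 5,680 seconds, or roughly 95 minutes. The `compare_cost` output shows why the hash ordering above matters: the same keyspace takes several orders of magnitude longer to exhaust when each guess costs a PBKDF2 run instead of a single SHA-256.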
If you want to crack any password hash/file for ethical purposes, you must follow this workflow:
1. Identify the hash type.
2. Try a dictionary attack.
3. Move on to brute force or rainbow table attacks as needed.
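The three-step workflow above, applied to a constructed hash dump as an added Python example (not the article's own code, and not a replacement for hashcat or John): the hash type is guessed from the hex digest length, the dictionary stage is tried first, and a small brute-force stage is tried last, which is the order an auditor checks their own organisation's hashes to find accounts that need a reset. The wordlist, the account names, the digit-only brute-force charset and the length cap of 4 are assumptions chosen so the block runs in about a second; unsalted hashes are assumed because the length heuristic cannot see a salt, and the rainbow-table step is omitted since it needs a precomputed table.

```python
import hashlib
import itertools
import string
from typing import Dict, Iterable, Optional

# Step 1 helper: unsalted hex digests are recognisable by their length alone.
HASH_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Constructed inputs: a tiny wordlist and a hash dump built here with hashlib,
# so no real credentials or breach data are involved.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]
SAMPLE_DUMP = {
    "alice": hashlib.md5(b"letmein").hexdigest(),         # in the wordlist
    "bob": hashlib.sha1(b"2024").hexdigest(),             # short numeric PIN
    "carol": hashlib.sha256(b"Tr0ub4dor&3").hexdigest(),  # survives both stages here
}


def identify_hash(hex_digest: str) -> Optional[str]:
    """Step 1: guess the algorithm from the digest length; None if not hex."""
    s = hex_digest.strip().lower()
    if not s or any(c not in string.hexdigits for c in s):
        return None
    return HASH_BY_HEX_LENGTH.get(len(s))


def dictionary_attack(hex_digest: str, algo: str, wordlist: Iterable[str]) -> Optional[str]:
    """Step 2: hash each wordlist entry and compare with the target."""
    target = hex_digest.strip().lower()
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == target:
            return word
    return None


def brute_force(hex_digest: str, algo: str, charset: str, max_length: int) -> Optional[str]:
    """Step 3: try every combination of charset up to max_length (N^L growth)."""
    target = hex_digest.strip().lower()
    for length in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=length):
            guess = "".join(combo)
            if hashlib.new(algo, guess.encode()).hexdigest() == target:
                return guess
    return None


def audit(hex_digest: str, wordlist: Iterable[str] = WORDLIST,
          charset: str = string.digits, max_length: int = 4) -> Dict[str, Optional[str]]:
    """Run the workflow in order and report which stage recovered the password."""
    algo = identify_hash(hex_digest)
    result: Dict[str, Optional[str]] = {"algo": algo, "password": None, "method": None}
    if algo is None:
        return result
    found = dictionary_attack(hex_digest, algo, list(wordlist))
    if found is not None:
        result.update(password=found, method="dictionary")
        return result
    found = brute_force(hex_digest, algo, charset, max_length)
    if found is not None:
        result.update(password=found, method="brute-force")
    return result


if __name__ == "__main__":
    for user, digest in SAMPLE_DUMP.items():
        print(f"{user:>6}: {audit(digest)}")
```

In the sample dump, alice falls at the dictionary stage and bob at the brute-force stage, while carol's hash survives both within this budget; a real audit would widen the wordlist and charset in exactly the way the hashcat and John commands above do. Note that the length heuristic in step 1 is only a first guess: a 64-character hex string could also be a salted construction or a different algorithm with the same output size, so tools such as hashcat's mode list should be consulted before committing to a long run.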