Standard Attacks
Dictionary
Dictionary (also called wordlist) attacks are when you feed your cracker a list of words (a text file with one word per line) for it to generates hashes from. This is the most basic attack in password cracking. Let's say my password is "PasswordVillage2020", and the website I use that password on stores the value in SHA1. To the website, my password looks like the following:
e8fe053fee4c87376132ed44d0f66f6c43bd93b0
Then Ub3rG00s3 pops that website via SQLi and steals all the user hashes. He knows it's SHA1 because he read our "Identifying Hash Types", so he fires up his cracker, tells it to make SHA1 hashes, and feeds it a dictionary with the following words:
foo bar foobar barfoo PasswordVillage2020
The cracker will start at the top, and hash the first value, and compare it to the hash he wants to crack. If it doesn't match, it tries the next one, until it gets a match, or exhausts the dictionary. Unfortunately for us, our password is in his dictionary, and will crack on the last line the cracker tries. Don't be intimidated by the following code. An explaination is included above each line to help you see what is happening.
sha1cracker.sh
#!/bin/bash # Read the hash value supplied on the commandline input_hash="$1" # Tell the script where the dictionary we want to use is dictionary="$2" # Function to process our hash and dictionary compare_sha() { # For each entry in the dictionary file: for i in `cat ${dictionary}`; do # Make an SHA1 sum of the entry candidate=`echo -n $i | sha1sum | cut -d ' ' -f 1` # If the SHA1 sum MATCHES the hash we want to crack if [ ${candidate} = ${input_hash} ]; then # Let us know we cracked it, what the plaintext was then exit the program! echo "Password cracked! Plaintext is: ${i}" exit 0 fi done } # Run the function compare_sha
While dictionary attacks seem incredibly simple, they can also be incredibly effective. If you maintain a list of all your cracks over the years, that dictionary is likely to remain very relevant for a long time to come. It's important to realize while we all think we're clever and unique, we generally think alike. As such, unless using a randomly generated password, it is likely that someone else is using the same password you are, or have used.
Hashcat Example Command | JTR Example Command |
---|---|
./hashcat64.bin hashlist wordlist |
./john hashlist -w:wordlist |
Combination
A combination attack is when we use two dictionaries make a new word. Lets assume our two dictionaries contain the following:
$ cat dict1.txt foo bar foobar barfoo
$ cat dict2.txt cat dog catdog dogcat
The cracker, or combinator program will read the first line of dict1.txt, then the first line of dict2.txt, and combine. In this example, the first combination will be "foocat". This will be passed as a candidate to the cracker, hashed, and the result will be compared to the hash we want to crack. If the hash matches, then we know we got it! Again, don't let the code intimidate you. We will reuse some of the code from before to keep it familiar and add a bit to combine the two words:
combinator.sh
#!/bin/bash # Read the hash value supplied on the commandline input_hash="$1" # Tell the script where the first dictionary is dict1="$2" # Tell the script where the second dictionary is dict2="$3" # Function to combinate words to pass to the cracker combinate() { # For each word in the first dictionary for i in `cat ${dict1}`; do # For each word in the second dictionary for j in `cat ${dict2}`; do # Combine the line from the first dictionary with the line from the second combinated="${i}${j}" # Run the cracker with the combinated word compare_sha done done } compare_sha() { candidate=`echo ${combinated} | sha1sum | cut -d ' ' -f 1` if [ ${candidate} = ${input_hash} ]; then echo "Password cracked! Plaintext is: ${combinated}" exit 0 fi } combinate
Becuase combinator attacks can quickly fill disk space, it is generally not advised to write the results to disk. To put it in perspective, if you combinate rockyou.txt with rockyou.txt, you will have a total word count of ~14,000,00014,000,000! Combination attacks are best done with small and medium sized lists unless you have a lot of processing power, and a lot of time.
Hashcat Example Command | JTR Example Command (using combinator.bin from hashcat-utils |
---|---|
./hashcat64.bin hashlist -a 1 wordlist1 wordlist2 |
./combinator.bin wordlist1 wordlist2 | ./john hashlist hashlist --stdin |
Bruteforce
Bruteforce attacks attempt to perform exhaustive keyspace guessing, which will take a very long, if not infinite, time. Unintelligent (with no logic applied to the order of guessing) bruteforce attacks are the least effecient way to crack passwords, and should only be used as a last resort in favor of other methods, such as dictionary attacks. For short passwords, brute force attacks may be feasible (depending on the password hash type and rig compute power), but for longer passwords, where they keyspace can be huge, bruteforcing is simply too inefficient to be effective.
While still supported by both Hashcat and JTR, bruteforce attacks are a bit out-dated and have been replaced by mask attacks. However, you can still instruct the software to just blindly guess, which both support out of the box.
Hashcat Example Command | JTR Example Command |
---|---|
./hashcat64.bin hashlist -a 3 wordlist |
./john --incremental hashlist |