Crack more passwords with custom wordlists
Password cracking is an essential skill for penetration testers.
Whether it is used to crack a hash captured with Responder, to gain a first foothold on a device, or to compromise accounts for lateral movement through a network, it is an important part of testing.
But with limited time available for a security test, we need to be aware of the steps that can make password cracking more efficient and effective.
So, let’s talk passwords – and password cracking.
Understanding password cracking
First, let’s make sure that there is an agreement on what password cracking is.
Password cracking is the process of compromising an account by identifying the user’s password. There are two main ways that we can conduct password attacks: online and offline attacks.
Online attacks
Online password cracking involves interacting directly with a live system and attempting to identify the correct password by making multiple attempts to log onto a machine. This may be over SSH, RDP, a web interface etc.
Key Characteristics:
Real-time interaction: online attacks interact with the target in real time and confirm a password by successfully authenticating with it.
Network traffic: these attacks generate authentication traffic (and failed-logon events) that defensive systems can detect. (Not many legitimate users fail to log into their account over 100 times in a short period!)
Slow: because of lockout policies and defensive software that may block the attacker, a successful online attack usually has to be conducted slowly, with a small number of likely passwords spread out over time.
Offline attacks
Offline password cracking requires an attacker to have already gathered the password hash from a compromised system.
The actual password cracking is then done from the attacker’s machine, as there is no need to further interact with the system.
Key Characteristics:
Initial access: there needs to be a way to obtain the password hash in the first place. This may mean compromising a machine, gaining access to a database or capturing it from network traffic, but without a hash there is nothing to crack offline.
Fast: most offline cracking uses GPUs (Graphics Processing Units) to increase the number of guesses made every second and reduce the time to crack the password. Because nothing touches the target system, there is no risk of triggering lockout policies. How fast depends heavily on the hash type: an unsalted fast hash such as NTLM can be tested at billions of guesses per second on a single GPU, while a deliberately slow hash such as bcrypt is orders of magnitude slower.
Brute force vs Dictionary attacks
Regardless of whether you are attempting online or offline password cracking, there are two main techniques used – brute force attacks and dictionary attacks.
Both of these have value, but the technique you use is likely to depend on your ultimate goal.
Brute force attack:
A brute force attack is what most people think of when they think about password cracking. This technique tries every possible combination of characters, from the shortest length upwards, until it finds the correct password.
A brute force attack WILL be successful given enough time. The catch is that the number of combinations grows exponentially with password length and character set, so 'enough time' quickly becomes years or centuries for longer passwords, even on GPUs.
(Which is why we have those terrible graphics telling people to make sure to include uppercase, lowercase, numbers and special characters in their passwords. The goal is to increase the number of possible combinations an attacker has to try.)
Dictionary attack (sometimes referred to as a wordlist attack)
Pentesters and hackers aren't idiots though. No one is going to try a, aa, aaa, aaaa, and so on until they get to 'password' and realise the account used a bad password from the start.
This is where dictionary attacks come in.
Dictionary attacks use lists of known passwords and common variations to cut down the time required to crack a password. These lists are commonly compiled from data breaches, which makes them effective because they contain passwords real people have actually used.
Creating effective wordlists
Now we know the different ways we can attempt to crack passwords and compromise accounts, it becomes clear that the quality of the wordlist used as part of a dictionary attack can play a big role in whether passwords get cracked.
Some incredibly effective and well-known wordlists can be found here:
SecLists: https://github.com/danielmiessler/SecLists/tree/master/Passwords
Probable-Wordlists: https://github.com/berzerk0/Probable-Wordlists
Crackstation: https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm
RockYou: https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
However, a dictionary attack can only crack passwords that appear in the wordlist. So if these lists don't work, how do we make more effective, customised wordlists?
Let’s look at how to create a custom wordlist
CeWL (custom wordlist generator)
CeWL is a command line tool designed to help you create custom wordlists by scraping websites and collecting the unique words found on them.
The output is a list of words unique to that organisation that can be used by the password cracking tool of your choice.
How it works
- Web crawling: CeWL starts by crawling a specified website. It follows links within the website recursively, up to a user-defined depth, to gather a comprehensive list of pages and their content.
- Word extraction: as it crawls, CeWL extracts words from the website’s HTML and text content. It ignores common HTML tags and focuses instead on extracting meaningful words, which are likely to be used as passwords or security answers.
- Wordlist generation: After completing the crawl, CeWL compiles all extracted words into a single text file. This text file serves as a custom wordlist that reflects the language, jargon, and topics relevant to the crawled website.
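To make those three steps concrete, here is an added example in Python (not CeWL's own code) of the extraction and wordlist-generation steps. Instead of crawling, it walks a constructed two-page "site" held in memory, pulls words out of the visible text while skipping script and style content, applies a minimum word length like CeWL's -m option, and orders the result by how often each word appears. The sample HTML and URLs are made up for the demonstration.

```python
"""Mini CeWL-style wordlist builder (added example, not CeWL's code).

Walks a set of pages, extracts words from the visible text (ignoring
markup, <script> and <style> content), filters by minimum length and
returns a deduplicated list ordered by frequency. The pages below are a
constructed stand-in for a crawled site.
"""
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample "site": URL -> HTML, standing in for the crawl step.
SAMPLE_SITE = {
    "https://example.com/": """<html><head><title>Example Widgets</title>
      <style>.x{color:red}</style><script>var secret='notaword';</script></head>
      <body><h1>Example Widgets Ltd</h1>
      <p>Makers of the Thunderbolt and Gravitron product lines since 1998.</p>
      <a href="/about">About us</a></body></html>""",
    "https://example.com/about": """<html><body>
      <p>Example Widgets is based in Springfield. Our flagship product, the
      Thunderbolt, ships worldwide. Contact: sales@example.com</p>
      </body></html>""",
}


class VisibleText(HTMLParser):
    """Collect text nodes, skipping everything inside <script> and <style>."""
    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


# A word starts with a letter; digits may follow (so "1998" alone is dropped).
WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*")


def extract_words(html, min_len=3):
    """Counter of words of at least min_len characters in the page's visible text."""
    parser = VisibleText()
    parser.feed(html)
    text = " ".join(parser.chunks)
    return Counter(w for w in WORD_RE.findall(text) if len(w) >= min_len)


def build_wordlist(pages, min_len=3):
    """Merge per-page counts; most frequent first, ties broken alphabetically."""
    total = Counter()
    for html in pages.values():
        total.update(extract_words(html, min_len))
    return [w for w, _ in sorted(total.items(), key=lambda kv: (-kv[1], kv[0]))]


def write_wordlist(words, path):
    """Write one word per line, the format every cracking tool accepts."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")


if __name__ == "__main__":
    # Equivalent of `-m 8`: keep only words of eight characters or more.
    for word in build_wordlist(SAMPLE_SITE, min_len=8):
        print(word)
```

Case is preserved, as CeWL does by default, so "Example" and "example" are counted as different words; lowercasing everything before counting is a one-line change if you would rather let hashcat rules handle case.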
How to use CeWL
cewl -m 8 -w <output file> https://northgreensecurity.com
cewl https://northgreensecurity.com – specifies the URL of the website to be crawled
-m 8 – specifies that words shorter than 8 characters should be ignored
-w <output file> – specifies the file to write the wordlist into
Two other options worth knowing: -d sets the crawl depth (the default is 2), and --with-numbers keeps words that contain digits, which are otherwise discarded.
The resulting list contains organisation-specific terms, such as product names and locations, that will not appear in a standard wordlist.
Hashcat
Most people know hashcat as a particularly good offline password cracking tool that uses GPU power to crack passwords at speed, and that it can make wordlists smarter by applying rules. Less well known is that the same rule engine can be used to create customised wordlists.
Hashcat supports ‘rule-based’ password cracking.
This is where a rule will modify an existing wordlist to create variations that may match the password (think password to p@55word). These rules can also be used to generate wordlists.
How it works:
- Prepare your initial wordlist: first, you will need an initial wordlist. This could be a basic list of company specific words, a dictionary list, or a custom list generated using tools like CeWL.
- Create or use existing rules: Hashcat comes with a variety of predefined rules that modify words in different ways. These are located in the ‘rules’ directory of your Hashcat installation (hashcat/rules/). You can also create custom rules tailored to your specific needs.
- Apply rules to wordlist: run hashcat in --stdout mode to apply the rules to your initial wordlist. Hashcat generates every rule-modified variant of every word and prints it; redirect the output to a file to keep it as a new wordlist.
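The following added example (Python, not hashcat's code) shows what the rule engine does, and then uses the candidates it produces in the kind of offline dictionary attack described earlier in the post. It implements a subset of hashcat's rule functions in hashcat's own rule syntax (:, l, u, c, C, t, r, d, $X, ^X, sXY, ], [ and TN), applies a constructed rule file to a constructed six-word list the way `hashcat --stdout wordlist -r rules` would, and then hashes each candidate and compares it against a constructed unsalted SHA-256 target. The wordlist, the rule file and the target hash are all made up for the demonstration; real hashcat supports many more functions and runs the whole thing on the GPU.

```python
"""Hashcat-style rule engine plus an offline dictionary attack.

Added example, not hashcat's code. The rule functions follow hashcat's
rule syntax for the subset listed in ARITY; the base wordlist, rule file
and target hash are constructed for the demonstration.
"""
import hashlib

# Constructed base wordlist: six organisation-specific words, the kind of
# list CeWL would produce.
BASE_WORDS = ["northgreen", "Security", "pentest", "wordlist", "cracking", "London"]

# Constructed rule file in hashcat syntax: one rule per line, functions
# applied left to right, '#' lines are comments (as in hashcat rule files).
RULES_TEXT = """
# leave the word unchanged
:
l
u
c
r
d
$1
$2$0$2$4
^!
c $1
c $!
sa@
so0
c so0 $1
c sa@ so0 $!
T0
]
[
"""

# Characters each rule function consumes: the function letter plus its arguments.
ARITY = {":": 1, "l": 1, "u": 1, "c": 1, "C": 1, "t": 1, "r": 1, "d": 1,
         "$": 2, "^": 2, "s": 3, "]": 1, "[": 1, "T": 2}


def apply_function(word, func):
    """Apply one hashcat rule function (with its arguments) to a word."""
    f = func[0]
    if f == ":":
        return word
    if f == "l":
        return word.lower()
    if f == "u":
        return word.upper()
    if f == "c":                       # capitalise first letter, lowercase the rest
        return word[:1].upper() + word[1:].lower()
    if f == "C":                       # lowercase first letter, uppercase the rest
        return word[:1].lower() + word[1:].upper()
    if f == "t":                       # toggle the case of every letter
        return word.swapcase()
    if f == "r":                       # reverse
        return word[::-1]
    if f == "d":                       # duplicate
        return word * 2
    if f == "$":                       # append one character
        return word + func[1]
    if f == "^":                       # prepend one character
        return func[1] + word
    if f == "s":                       # replace every X with Y
        return word.replace(func[1], func[2])
    if f == "]":                       # drop last character
        return word[:-1]
    if f == "[":                       # drop first character
        return word[1:]
    if f == "T":                       # toggle case at position N (base-36 digit)
        n = int(func[1], 36)
        if n >= len(word):
            return word
        return word[:n] + word[n].swapcase() + word[n + 1:]
    raise ValueError(f"unsupported rule function {func!r}")


def apply_rule(word, rule):
    """Apply a whole rule line (e.g. 'c sa@ $1') to one word, left to right."""
    i = 0
    while i < len(rule):
        if rule[i] == " ":             # spaces between functions are ignored
            i += 1
            continue
        width = ARITY.get(rule[i])
        if width is None or i + width > len(rule):
            raise ValueError(f"bad rule {rule!r} at offset {i}")
        word = apply_function(word, rule[i:i + width])
        i += width
    return word


def parse_rules(text):
    """Rule lines from a rule file, skipping blank lines and '#' comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def generate(words, rules):
    """Every rule applied to every word, like `hashcat --stdout wordlist -r rules`.
    The output is not deduplicated, just as hashcat's --stdout output is not."""
    return [apply_rule(w, r) for w in words for r in rules]


def crack(target_hex, candidates, algo="sha256"):
    """Offline dictionary attack: hash each candidate and compare with the target."""
    for cand in candidates:
        if hashlib.new(algo, cand.encode()).hexdigest() == target_hex:
            return cand
    return None


# Constructed target: unsalted SHA-256 of a password built from a company word.
TARGET = hashlib.sha256(b"N0rthgreen1").hexdigest()

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    candidates = generate(BASE_WORDS, rules)
    print(f"{len(BASE_WORDS)} words x {len(rules)} rules = {len(candidates)} candidates, "
          f"{len(set(candidates))} unique")
    print("cracked:", crack(TARGET, candidates))
```

The candidate count is always words multiplied by rules, which is why a short rule file on a six-word list gives a few hundred candidates while a large one gives hundreds of thousands; the unique count is lower because different rules often produce the same string.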
How to use Hashcat
Create a wordlist
First, create a small wordlist of company-specific words. In this example it is a six-line file called Northgreen.txt.
Next, pick the rule file that best suits your needs and run hashcat in --stdout mode, redirecting the output to a file:
hashcat --stdout Northgreen.txt -r /usr/share/hashcat/rules/best64.rule > <output file>
--stdout – tells hashcat to print the generated candidates to standard output instead of cracking anything
Northgreen.txt – specifies the input wordlist file
-r /usr/share/hashcat/rules/best64.rule – specifies the hashcat rule file to use
The redirected output is the new wordlist.
best64.rule is a simple rule file of 77 rules, so it turns the 6-line wordlist into 6 × 77 = 462 candidates. Hashcat does not deduplicate --stdout output, and several rules give the same result on some words, so pass the file through sort -u first if you want unique entries.
More sophisticated rule files, such as OneRuleToRuleThemAll (https://github.com/NotSoSecure/password_cracking_rules/blob/master/OneRuleToRuleThemAll.rule), contain tens of thousands of rules, so even a six-word company-specific list expands into hundreds of thousands of candidates.
Conclusion – and a word of warning
The techniques above produce customised wordlists that can be used for both online and offline password cracking and should raise the success rate on a penetration test.
Never underestimate how often employees use the organisation's name, key locations or product names as part of a password.
While password cracking is an enjoyable part of penetration testing, it is important to highlight that this attack targets individuals – and could potentially lead to negative consequences, such as disciplinary actions, due to employees being perceived as the weak link in security.
It is therefore important to ensure that your actions always remain both ethical and legal.