The Lockdown

Thycotic’s Cyber Security Blog

5 Most Popular Tools Cyber Criminals use to Crack your Passwords: Protect Your Enterprise

Written by Joseph Carson

April 28th, 2020

Passwords. How on earth did we get here?  They’ve been around for so many years and yet there’s still so much to be said about them.

In most organizations passwords are what make the difference between keeping cyber criminals out—and falling victim to a cyber-attack. And for the multitude of applications, systems and infrastructure of so many organizations, the only security control preventing unauthorized access is a simple password somewhere between 4 and 127 characters long.

A password is a memorized secret

A password—sometimes called a passcode, passphrase, PIN or secret—is used to ensure that only authorized employees or users can access applications and systems.  A password is usually combined with an identifier (typically a username or email address) to determine who is accessing the system, to verify the authenticity of that identity.  A password should be known only to the user, and never shared.

Username + Password

Ordinarily, a password is a set of character combinations such as letters, numbers and symbols used to authenticate an identity or to verify authorization to access a system or application.  But not all login systems enforce the same security best practices. Different authentication systems require different lengths and complexities of password strings, and this presents a challenge.  Some systems have set limits on password length, some have set limits on complexity, and some systems even require all lowercase characters.

Another popular login method is the PIN. This typically refers to a number-only password, usually 4 – 6 numbers, and is commonly used on mobile devices.  As a best practice you should know the limitations on login systems so you can ensure the highest possible security is configured and used.  And make sure your security solution is usable and not too complex or users will revert to poor password hygiene habits, like reusing passwords across multiple systems and credentials.

Not all logon systems have the same complexity
Login systems don't all offer the same security

Most login systems use a cryptographic technique known as a hash to store the password in a database, and that hash should be a one-directional only algorithm.  No one other than the user or system should ever know the clear text password.

The most common hash used in the past was SHA1 until security researchers discovered ‘collisions’; this is when two different inputs create the same output. This was bad for security and meant that SHA1 could no longer be used to store passwords.  It is important to know what hash algorithm is used and whether it also includes salt: additional random data added to the input.
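To make the hash-and-salt point concrete, here is an added example (my own illustration, not code from the original post or from Thycotic) contrasting the legacy unsalted SHA1 approach with salted, iterated PBKDF2-HMAC-SHA256 from Python's standard library. The user names, the password and the iteration count are assumptions chosen for the demonstration. With no salt, two users who pick the same password get the identical stored value, so one precomputed table or one cracked hash exposes both; with a random per-user salt and a slow key derivation, the stored values differ and every guess costs the attacker the full iteration count.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Iteration count for PBKDF2-HMAC-SHA256. Higher makes every guess slower;
# this value is an assumption for the example, tune it to your own hardware.
PBKDF2_ITERATIONS = 600_000

# Constructed sample: two users who happen to choose the same password.
SAMPLE_USERS = {"alice": "Summer2020!", "bob": "Summer2020!"}


def unsalted_sha1(password: str) -> str:
    """Legacy storage: one fixed, fast hash per password and no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing format:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    so the verifier can read back the parameters it needs."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_store(users: Dict[str, str],
                iterations: int = PBKDF2_ITERATIONS) -> Dict[str, str]:
    """Hash every user's password the salted way, as a login system should."""
    return {user: hash_password(pw, iterations=iterations) for user, pw in users.items()}


if __name__ == "__main__":
    # Unsalted: identical passwords give identical hashes across users.
    print("unsalted alice:", unsalted_sha1(SAMPLE_USERS["alice"]))
    print("unsalted bob:  ", unsalted_sha1(SAMPLE_USERS["bob"]))
    # Salted: the same password yields a different stored value per user.
    store = build_store(SAMPLE_USERS)
    for user, stored in store.items():
        print(user, stored)
    print("alice login ok:", verify_password("Summer2020!", store["alice"]))
    print("alice wrong pw:", verify_password("Summer2021!", store["alice"]))
```

The stored string carries its own iteration count, so the count can be raised for new passwords later without breaking verification of the old ones; a production system would normally reach for bcrypt, scrypt or Argon2 through a maintained library rather than hand-rolling this, but the salt and work-factor principles are the same.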

Passwords - not all login systems store passwords encrypted or use strong hashing techniques
Hash is a one-directional cryptographic algorithm used to store passwords

So, how do cyber criminals crack or steal your password to gain access to applications and systems? 

I worked with my colleague Giulio Neri to create an excellent webinar that answers this question and demonstrates a live privileged account hack:
5 Most Popular Password Cracking Tools: Protect Your Enterprise

The majority of cyber criminals will want to use the easiest, stealthiest and least costly way of stealing your passwords.  And one of the easiest methods is phishing—they simply ask you for the password. This technique takes advantage of your trusting nature, and when directed to a fake login website (that looks perfectly authentic) you hand over your username and password to the attacker as you log in.  Here are some of the most common techniques for getting passwords:

  1. Ask the user for their password pretending to be an authentic internet service
  2. Crack the password using brute force or dictionary attacks
  3. Discover a vulnerability in the application, bypassing authentication
Give me your password, please
Some examples used by cyber criminals to get you to click on something bad

Let’s take a closer look at techniques:

Before a cyber criminal can get to work on your password, they must first get the hash, which as previously mentioned is the cryptographic store value of your password.  There are tools available to get those hashes:

  • Mimikatz – a Password Recovery and Audit tool
  • Capture Packets – tools such as Wireshark to capture the packets that move around the network
  • Metasploit Framework – a security framework that helps security professionals assess and manage security
  • Responder – LLMNR and NBT-NS (NetBIOS Name Service) responder

This is what a typical password cracking flow looks like:

  1. Steal/Get the hashes
  2. Organize and format the hashes depending on the tool
  3. Plan your attack method: wordlist, rules and masks
  4. Crack the passwords
  5. Analyze password’s progress
  6. Customize your attack
  7. Repeat

5 Popular Password Cracking Tools

Kali Linux – Popular Penetration Testing Distribution Tool

Kali Linux is a well-known security tool and it comes in many different bootable options from virtual images to software installations. It even runs on Raspberry Pis.  It’s used around the world for penetration testing and by IT security teams protecting their networks or looking for vulnerabilities on their networks.  Kali comes with a variety of popular password attack tools out of the box:

Screenshot - Kali Linux Pentesting Tool

CeWL – Custom WordList Generator

CeWL is one of my favorite wordlist generators. It allows you to create word lists by spidering websites.

Screenshot - CeWL custom wordlist generator

When using CeWL I start with a basic command like this:

Screenshot - CeWL basic command

The command line options are:

-h = help
-d = Depth to spider site
-m = Min Word length
-w = Output file
-e = include emails

Mimikatz – Security Audit Tool

Mimikatz is another popular security audit tool that extracts plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.  It’s mainly used to move laterally around the network, elevating privileges one step at a time.

Screenshot - Mimikatz security audit tool

Hashcat – hashcat is the world’s fastest and most advanced password recovery utility

Hashcat is the password cracking tool most commonly used to perform different attack modes such as straight, combinations, brute-force and hybrid attacks.

Screenshot - Hashcat password recovery tool

Hashcat attack mode options:

Screenshot - Hashcat attack mode options

Example of a hashcat command:

Screenshot - Hashcat

Command line options:

-m = hash type (0 = MD5, 100 = SHA1, 1000 = NTLM)
-a = attack mode

  0 | Straight
  1 | Combination
  3 | Brute-force
  6 | Hybrid Wordlist + Mask
  7 | Hybrid Mask + Wordlist

Pipal Password Analyzer

As you’re cracking passwords or analyzing password dumps, a great way to understand the passwords is to analyze them using a password analyzer. There are several excellent tools but Pipal is one of my favorites. It’s quite simple, yet powerful.

All you need to do is run the Pipal Ruby script against a password file. In the following example I am using the ‘rockyou’ password file:

Screenshot - Pipal Password Analyzer

Example output from Pipal Password Analyzer:

Screenshot - Pipal Password Analyzer
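Since the Pipal output above only survives as a screenshot, here is an added example (my own, not Pipal's code and not from the original post) that reproduces the kind of statistics Pipal reports, in Python, over a small constructed password list standing in for a file like rockyou. The sample passwords, the character-set labels and the "base word" rule (strip leading and trailing digits and symbols, lowercase the rest) are assumptions modelled on Pipal's report sections. Run over a real dump, this is what tells a defender which lengths, character sets and base words their users lean on, and therefore what a wordlist-plus-rules attack will find first.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample "dump" standing in for a file like rockyou.txt; not real user data.
SAMPLE_PASSWORDS = [
    "password", "password1", "Password123", "summer2020", "Summer2020!",
    "qwerty", "letmein", "iloveyou", "welcome1", "abc123",
    "dragon", "monkey12", "football", "trustno1", "Summer19",
]


def charset_class(pw: str) -> str:
    """Label a password by the character classes it uses, Pipal-style."""
    parts = []
    if any(c.islower() for c in pw):
        parts.append("lower")
    if any(c.isupper() for c in pw):
        parts.append("upper")
    if any(c.isdigit() for c in pw):
        parts.append("num")
    if any(not c.isalnum() for c in pw):
        parts.append("special")
    return "+".join(parts) or "empty"


def base_word(pw: str) -> str:
    """Strip leading/trailing digits and symbols and lowercase what is left."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()


def analyze(passwords: List[str]) -> Dict:
    """Collect the headline statistics a password analyzer reports."""
    total = len(passwords)
    last_digit = Counter(p[-1] for p in passwords if p and p[-1].isdigit())
    return {
        "total": total,
        "lengths": Counter(len(p) for p in passwords),
        "charsets": Counter(charset_class(p) for p in passwords),
        "top_base_words": Counter(base_word(p) for p in passwords if base_word(p)).most_common(5),
        "last_digit": last_digit,
        "pct_ending_in_digit": round(100 * sum(last_digit.values()) / total, 1) if total else 0.0,
        "year_count": sum(1 for p in passwords if re.search(r"(19|20)\d\d", p)),
    }


def report(stats: Dict) -> str:
    """Render the statistics as a plain-text report."""
    lines = [f"Total entries = {stats['total']}", "", "Length distribution:"]
    for length, n in sorted(stats["lengths"].items()):
        lines.append(f"  {length:>2} = {n} ({100 * n / stats['total']:.1f}%)")
    lines += ["", "Character sets:"]
    for cls, n in stats["charsets"].most_common():
        lines.append(f"  {cls:<24} {n}")
    lines += ["", "Top base words:"]
    for word, n in stats["top_base_words"]:
        lines.append(f"  {word} = {n}")
    lines += ["", f"Ending in a digit: {stats['pct_ending_in_digit']}%",
              f"Containing a year (19xx/20xx): {stats['year_count']}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_PASSWORDS)))
```

On the constructed sample the report shows what real dumps usually show too: most entries are eight characters, lowercase-only or lowercase-plus-digits, built on a handful of base words with a digit or a year appended. Those are exactly the patterns a password policy or a blocklist should target.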

Summary

These are just a few of the top tools available and as you can see, a password can be easily cracked. So it’s important to make the task as difficult as possible for cyber criminals, and ensure that for critical systems and applications a password is not the only security control protecting your environment.

One of the main issues you’ll face is with your end users being responsible for creating and maintaining the passwords they use. Make it easier for them by choosing a security solution that’s usable.

With users often having to manage 30 or more different user accounts and credentials, it’s almost certain they’ll reuse passwords or use some variation of the same password.  This means once an attacker has compromised one password it’s only a matter of time before they’ll guess the others too, and with tools like Hashcat, along with good wordlists and rules—it won’t take long!
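One defensive answer to the "variation of the same password" problem is to check a new password not just against a list of common or breached passwords but against the cheap transformations a cracking rule set applies to that list: case changes, appended digits or symbols, leet substitutions and reversal. The following is an added example in Python (my own illustration, not code from the original post or from Thycotic); the mini wordlist, the minimum length and the leet table are assumptions, and a real deployment would load a breach corpus such as the rockyou list instead of the seven words embedded here. The same normalisation also tells you whether a user's new password is merely a variant of their old one.

```python
import re
from typing import Optional, Set

# Constructed mini list of leaked/common passwords (assumption for the example);
# load a real breach corpus in practice.
COMMON_PASSWORDS: Set[str] = {
    "password", "summer", "welcome", "letmein", "qwerty", "dragon", "iloveyou",
}

MIN_LENGTH = 12  # assumed policy minimum

# The cheap substitutions a rule file applies to a wordlist, undone here.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def strip_ends(s: str) -> str:
    """Drop leading/trailing digits and symbols (the 'append 2020!' rule in reverse)."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", s)


def base_forms(candidate: str) -> Set[str]:
    """Every base word the candidate could have been derived from by common rules:
    case change, appended/prepended digits or symbols, leet substitution, reversal."""
    core = strip_ends(candidate)
    forms = {
        candidate.lower(),
        core.lower(),
        core.translate(LEET_MAP).lower(),
        strip_ends(candidate.translate(LEET_MAP)).lower(),
    }
    forms |= {f[::-1] for f in list(forms)}
    return {f for f in forms if f}


def weakness(candidate: str, wordlist: Set[str] = COMMON_PASSWORDS,
             min_length: int = MIN_LENGTH) -> Optional[str]:
    """Return a reason to reject the candidate, or None if it passes both checks."""
    for form in sorted(base_forms(candidate)):
        if form in wordlist:
            return f"variant of common password '{form}'"
    if len(candidate) < min_length:
        return f"shorter than {min_length} characters"
    return None


def is_variant_of(new_password: str, old_password: str) -> bool:
    """True when both passwords reduce to a shared base word (e.g. Summer19 -> Summer2020!)."""
    return bool(base_forms(new_password) & base_forms(old_password))


if __name__ == "__main__":
    for pw in ["Summer2020!", "P@ssw0rd123", "drowssap2019",
               "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw!r}: {weakness(pw) or 'accepted'}")
    print("Summer19 -> Summer2020! is a variant:", is_variant_of("Summer2020!", "Summer19"))
```

Because only salted hashes of old passwords should ever be stored, the is_variant_of comparison can only run at the moment of a password change, when the user supplies both the old and the new value; that is still the moment that matters, since it is where the "same password plus one" habit starts.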

Ensure that a password is not the only security control protecting your environment

We must educate end-users and make the right tools available to them so they don’t develop bad security hygiene. Let’s make security usable and easy, and empower users to form a stronger front-line defense.

Remembering passwords causes cyber fatigue
Don’t let a password be the only security method protecting your critical assets

Finally, here are my 10 security tips to help users protect themselves, their families and the companies they work for.  Security starts at home. Users must be educated and empowered beyond the workplace.

10 Security Tips to Reduce your Passwords Risks

  1. Use a strong passphrase
  2. Log out of systems when you’re not using them
  3. Don’t reuse passwords
  4. Use a password manager
  5. Longer passwords are better if they are also complex
  6. Rotate passwords
  7. Use a Privileged Access Management (PAM) product (business)
  8. Use Multi-factor Authentication, or at least 2FA
  9. Audit activity
  10. Don’t be afraid to ask for advice

Again, here’s a link to the webinar I mentioned above—take a look:
5 Most Popular Password Cracking Tools: Protect Your Enterprise
