10 most popular password cracking tools by Blackhat Pakistan
Today we will learn about the 10 most popular password cracking tools.
Passwords are the most commonly used method for user authentication. Passwords are so popular because their logic makes sense to people and they are relatively easy for developers to implement.
However, passwords can also present security vulnerabilities. Password crackers are designed to take credentials stolen in a data breach or other hack and extract passwords from them.
Note: Check out our How to Crack a Password article for instructions on some basic cracking methods.
What is password cracking?
A well-designed password-based authentication system does not store the user’s actual password. This would make it too easy for a hacker or malicious insider to gain access to all user accounts on the system.
Instead, authentication systems store a password hash, which is the result of passing the password, together with a random value called a salt, through a hash function. Hash functions are designed to be one-way, meaning that it is very difficult to determine which input produces a given output. Because hash functions are also deterministic (that is, the same input produces the same output), comparing two password hashes (the stored hash and the hash of the user-supplied password) is almost as good as comparing the actual passwords.
Password cracking refers to the process of extracting passwords from the associated password hash. This can be achieved in several different ways:
- Dictionary attack: Most people use weak and common passwords. Taking a list of words and adding a few permutations—such as substituting $ for s—allows a password cracker to learn many passwords very quickly.
- Brute force attack: There are only so many potential passwords of a given length. A brute-force attack (trying all possible password combinations) is slow, but it guarantees that the attacker will eventually crack the password.
- Hybrid Attack: A hybrid attack combines these two techniques. It starts by checking whether the password can be cracked using a dictionary attack and then moves to a brute force attack if that fails.
Most password cracking tools or password retrieval tools allow hackers to perform any of these types of attacks. This post describes some of the most commonly used password cracking tools.
Hashcat is one of the most popular and widely used password crackers. It is available on every operating system and supports more than 300 different hash types.
Hashcat enables highly parallel password cracking with the ability to crack multiple different passwords on multiple different devices simultaneously and the ability to support a distributed hash cracking system through overlays. Cracking is optimized with integrated performance tuning and temperature monitoring.
Download Hashcat here.
- John the Ripper
John the Ripper is a well-known free open-source password cracking tool for Linux, Unix and Mac OS X. There is also a version for Windows.
John the Ripper offers password cracking for a variety of different password types. It goes beyond OS passwords to include common web applications (like WordPress), compressed archives, document files (Microsoft Office files, PDFs, etc.) and more.
There is also a pro version of the tool that offers better features and native packages for target operating systems. You can also download Openwall GNU/*/Linux, which comes with John the Ripper.
Download John the Ripper here.
Brutus is one of the most popular remote online password cracking tools. It claims to be the fastest and most flexible password cracking tool. This tool is free and only available for Windows systems. It was released in October 2000.
Brutus supports a number of different types of authentication, including:
- HTTP (Basic Authentication)
- HTTP (HTML/CGI form)
- Custom protocols
It is also capable of supporting multi-step authentication protocols and can attack up to sixty different targets in parallel. It also offers the ability to pause, resume and import an attack.
Brutus has not been updated for several years. However, its support for a wide variety of authentication protocols and the ability to add custom modules make it a popular tool for online password cracking attacks.
Get Brutus online password finder here.
Wfuzz is a web application password cracker like Brutus that tries to crack passwords using a brute force attack. It can also be used to find hidden resources such as directories, servlets, and scripts. Wfuzz can also identify in-application injection vulnerabilities such as SQL injection, XSS injection, and LDAP injection.
Key features of Wfuzz Password Cracker include:
- Injection at multiple locations in multiple directories
- Output in colorful HTML
- Brute forcing of posts, headers and authentication data
- Proxy and SOCKS support, including multiple proxies
- HTTP brute-force password via GET or POST requests
- Time delay between requests
- Cookie fuzzing
- THC Hydra
THC Hydra is an online password cracking tool that attempts to determine a user’s credentials using a brute force attack. It is available for Windows, Linux, FreeBSD, Solaris and OS X.
THC Hydra is expandable with the possibility of easy installation of new modules. It also supports a number of network protocols, including Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
Download THC Hydra here.
If you are a developer, you can also contribute to the development of the tool.
Medusa is an online password cracking tool similar to THC Hydra. It claims to be a fast, parallel, modular login brute force tool. It supports HTTP, FTP, CVS, AFP, IMAP, MS SQL, MYSQL, NCP, NNTP, POP3, PostgreSQL, pcAnywhere, rlogin, SMB, rsh, SMTP, SNMP, SSH, SVN, VNC, VmAuthd and Telnet.
Medusa is a command-line tool, so a certain level of command-line knowledge is required to use it. The speed of password cracking depends on the network connection. It can test 2000 passwords per minute on a local system.
Medusa also supports parallel attacks. In addition to a list of passwords to try, it is also possible to define a list of usernames or email addresses to test during an attack.
Read more about it here.
Download Medusa here.
All password cracking is subject to a trade-off between time and memory. If the attacker has precomputed a table of password/hash pairs and stored them as a “rainbow table”, then the process of cracking passwords is simplified to a table lookup. This threat is why passwords are now salted: adding a unique, random value to each password before hashing means that the number of rainbow tables required is much larger.
RainbowCrack is a password cracking tool designed to work with rainbow tables. It is possible to generate your own rainbow tables or use already existing tables downloaded from the Internet. RainbowCrack offers free downloads of rainbow tables for LANMAN, NTLM, MD5 and SHA1 password systems.
Download the rainbow tables here.
There are also several paid rainbow tables that you can purchase here.
This tool is available for both Windows and Linux.
Download RainbowCrack here.
OphCrack is a free rainbow table based password cracking tool for Windows. It is the most popular tool for cracking Windows passwords, but it can also be used on Linux and Mac systems. It cracks LM and NTLM hashes. There are also free rainbow tables available for cracking Windows XP, Vista and Windows 7.
OphCrack live CD is also available to make cracking easier. Live CD OphCrack can be used to crack Windows passwords. This tool is available for free.
Download OphCrack here.
Download free and premium rainbow tables for OphCrack here.
L0phtCrack is an alternative to OphCrack. It attempts to crack Windows passwords from hashes. It uses Windows workstations, network servers, PDCs, and Active Directory to crack passwords. It also uses dictionary and brute force attacks to generate and guess passwords. It was acquired by Symantec and discontinued in 2006. It was later reacquired by the L0pht developers, who launched L0phtCrack in 2009.
L0phtCrack also comes with the ability to run routine password security scans on a schedule. Daily, weekly or monthly audits can be set and the scan will start at the scheduled time.
More about L0phtCrack here.
Aircrack-ng is a Wi-Fi password cracking tool that can crack WEP or WPA/WPA2 PSK passwords. It analyzes wireless encrypted packets and then tries to crack passwords using dictionary attacks and PTW, FMS and other cracking algorithms. It is available for Linux and Windows. Aircrack live CD is also available.
Aircrack-ng tutorials are available here.
Download Aircrack-ng here.
How to create a password that is hard to crack
In this post, we have listed 10 password cracking tools. These tools try to crack passwords using different password cracking algorithms. Most password cracking tools are available for free. So you should always try to have a strong password that is difficult to crack. These are some tips you can try when creating your password.
- The longer the password, the harder it is to crack: Password length is the most important factor. The complexity of a brute-force password guessing attack grows exponentially with the length of the password. A random seven-character password can be cracked in minutes, while a ten-character password takes hundreds of years.
- Always use a combination of letters, numbers and special characters: Using a variety of characters also makes it harder to brute force a password, as it means that crackers have to try a wider range of possibilities for each character in the password. Include numbers and special characters and not just at the end of the password or as a replacement for letters (like @ for a).
- Password diversity: Credential stuffing attacks use bots to test whether passwords stolen from one online account are also used for other accounts. A data breach at a small company could compromise a bank account if the same credentials are used. Use a long, random and unique password for all online accounts.
What to avoid when choosing a password
Cybercriminals and password cracking developers know all the “clever” tricks people use to create their passwords. A few common password mistakes to avoid include:
- Using a dictionary word: Dictionary attacks are designed to test every word in a dictionary (and common permutations) in seconds.
- Use of personal information: Pet’s name, relative’s name, place of birth, favorite sport and so on are dictionary words. Even if they weren’t, there are tools to extract this information from social media and use it to create a list of words to attack.
- Using Patterns: Passwords like 1111111, 12345678, qwerty and asdfgh are some of the most commonly used passwords. They are also part of the word list of every password cracker.
- Using character substitutions: Character substitutions such as 4 for A and $ for S are well known. Dictionary attacks test these substitutions automatically.
- Using numbers and special characters only at the end: Most people put the required numbers and special characters at the end of their password. These patterns are built into password crackers.
- Using Common Passwords: Every year, companies like Splashdata publish lists of the most used passwords. They create these lists by cracking passwords leaked in breaches, just like an attacker would. Never use passwords from these lists or anything similar.
- Using anything but a random password: Passwords should be long, random, and unique. Use a password manager to securely generate and store passwords for online accounts.
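The mistakes listed above can be checked mechanically when a password is set or during a password audit. The checker below is an added example, not part of the original article; the tiny word list, the substitution map, the 12-character minimum and all function names are assumptions made for illustration.

```python
import math
import re
import string

# Constructed sample list; a real audit would load a full breached-password list.
COMMON = {"password", "qwerty", "asdfgh", "12345678", "1111111", "dragon", "monkey"}
# Well-known substitutions (such as 4 for A and $ for S) mapped back to letters.
LEET = str.maketrans({"4": "a", "@": "a", "$": "s", "0": "o", "1": "l", "3": "e"})
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl")
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def keyspace_bits(password: str) -> float:
    """Upper bound on brute-force work: length * log2(size of character pool)."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def audit_password(password: str, min_length: int = 12) -> list:
    """Return the findings for one password; an empty list means no check fired."""
    findings = []
    lowered = password.lower()
    # Strip a trailing run of digits/symbols, then undo substitutions.
    core = re.sub(r"[\d\W_]+$", "", lowered)
    base = core.translate(LEET)
    if len(password) < min_length:
        findings.append("too_short")
    if lowered in COMMON or base in COMMON:
        findings.append("dictionary_or_common")
    if base != core and base.isalpha():
        findings.append("character_substitution")
    if core and core != lowered and base.isalpha():
        findings.append("suffix_only_digits_or_symbols")
    if len(set(lowered)) == 1 or any(lowered in seq for seq in SEQUENCES):
        findings.append("pattern")
    return findings


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("P@$$w0rd1!", "Summer2024", "12345678", "vT9#kLq2!xZr7&Hm"):
        print(pw, round(keyspace_bits(pw), 1), audit_password(pw))
```

The keyspace figure is only an upper bound: "P@$$w0rd1!" scores well on it and still fails three checks, which is why the pattern checks matter more than character variety alone.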
Password cracking tools are designed to take password hashes leaked during a data breach or stolen through an attack and extract the original passwords from them. They achieve this by exploiting the use of weak passwords or by trying every potential password of a given length.
Password crackers can be used for many different purposes, not all of them bad. While commonly used by cybercriminals, security teams can also use them to audit the strength of their users’ passwords and assess the risk of weak passwords to the organization.