The password is our first defense barrier to protect our accounts against cybercriminals. In addition, any password is useless if it does not have certain characteristics, it could be easy to decipher. In that sense, it is not enough to have a great length, it also depends a lot on the types of characters that we use to make it more or less robust. One danger we face is that they can be cracked or decrypted using specialized software. In this tutorial, we are going to know the best tools to crack passwords and also to protect ourselves from their use by using a strong password.
The first thing we are going to do is explain the reasons why these types of tools are used. We will also briefly explain how to create our strong password and some tips related to it to increase security. And then we will continue with the most popular password cracking tools.
Why are password cracking tools used?
As for the reasons why password cracking tools are used, there are generally three:
- Conducting pentesting tests.
- Cybercriminals to carry out their attacks.
- Students and people who are curious about computer security issues.
As for the pentesting tests, we could say that they are the positive part and that they will help improve the security of a company. Thus, a penetration test or pentest could be defined as an attack on a computer system with the intention of finding its security weaknesses and checking what data can be accessed. Afterwards, security breaches found through this test are reported to the owner of the system. In this sense, it is positive because it allows evaluating the potential impacts that it could have on a company and suggesting measures to reduce these risks.
On the other hand, the downside is that these same password cracking tools are used by cybercriminals. A good way to protect ourselves would be to use a strong password that must contain:
- Capital letters.
- Lowercase.
- Numbers.
- Symbols.
- The minimum recommended length would be 12 characters.
Additionally, other good practices that can improve security include renewing passwords periodically, not reusing them for other sites, and enabling multi-factor authentication.
The best tools to cra-ck passwords
An important point is that these tools should only be used in our own infrastructures or in which we have the administrator’s permission.
Brutus
One of the oldest and still supported password cracking tools is Brutus. In addition, it is free, its first version dates from 1998 and is available for computers with Windows operating system.
The current version of Brutus includes the following types of authentication: HTTP, HTTPS, POP3, FTP, SMB, Telnet and IMAP, NNTP and NetBus could be added.
Among its functions we have a multistage authentication engine and it allows 60 simultaneous destination connections. It also has a list of passwords, configurable brute force modes and also allows you to pause and resume attacks at the same point where we left off.
Cain and Abel
The developer of Cain and Abel is Massimiliano Montoro, it is a proprietary program that was distributed for free. It should be noted that its latest version is from 2014 and that it is a product that will not have more updates, although for some tasks it may still be interesting.
Cain & Abel is a password recovery tool for Microsoft operating systems. Thanks to it, we can perform an easy recovery of various types of passwords by tracking the network, decrypting encrypted passwords through dictionary attacks, brute force and cryptanalysis. In addition, we can also record VoIP conversations, decode encrypted passwords, recover wireless network keys, reveal password boxes, discover cached passwords, and analyze protocol routing. This program does not exploit any vulnerability, but rather seeks to obtain passwords by conventional techniques.
Rainbowcrack
Another tool for cracking passwords is RainbowCrack, which uses previously processed tables, called Rainbow, which considerably reduce the time it takes to crack the keys. This program is up to date and can be used on both Windows 7/10 and Linux with Ubuntu. Thus we have Rainbow tables of LM, NTLM, MD5, SHA1, SHA256 and customizable hash algorithms.
It should also be noted that generating these tables takes a lot of time and effort, both human and processor. For this reason there are tables created both free and paid. Thanks to them, it is possible to avoid having to process them personally and thus from the beginning we would have RainbowCrack ready to work.
John the ripper
John the Ripper can be defined as an open source password security audit and recovery tool. It should be noted that it is available for various operating systems such as Windows, MacOS and Windows. This software supports hundreds of encryption and hashing types, including for Unix, macOS, and Windows version user passwords. Also comment that it is current and supported software. In addition, we can say that it is reliable since the open source is available to everyone.
Wfuzz
Wfuzz is another of the password cracking tools that we can use. In this sense, this software is designed to carry out brute force attacks against web applications. Thus, it could be used to search for hidden resources on the servers and also to use brute force against login forms and carry out various injection attacks (SQL, XSS, LDAP, etc.) in order to gain access to the server.
Another positive thing is that it is an updated software. Also Wfuzz is more than a web content scanner and could be used to:
- Protecting our web applications by finding and exploiting vulnerabilities in those web applications.
- It offers a completely modular framework and makes it easy for even the newest Python developers to contribute.
AirCrack NG
With Aircrack-NG we get a complete suite of tools to assess Wi-Fi network security. This software is famous for being one of the most effective when it comes to cracking and getting passwords for Wi-Fi networks. Thus it is capable of cracking the WEP and WPA PSK (WPA 1 and 2) ciphers.
Its way of working is by capturing enough packets and analyzing them and then decrypting the passwords for wireless networks. This program is up to date and works primarily on Linux, although it could also be used on Windows, macOS, FreeBSD, and more.
hashcat
This hashcat software is one of the best for cracking password hashes, it is aimed at reversing password hashes to obtain the key they hide. It is also compatible with more than 200 different protocols, being able to obtain, through all kinds of techniques, any type of password that we want to guess.
Hashcat is commonly used to complement other similar password retrieval programs.
jellyfish
Medusa is another one of the password cracking tools that we can use to crack passwords. It is a fast login, modular, parallel brute force tool. It should be noted that it supports HTTP, FTP, CVS, AFP, IMAP, MS SQL, MYSQL, NCP, NNTP, POP3, PostgreSQL, pcAnywhere, rlogin, SMB, rsh, SMTP, SNMP, SSH, SVN, VNC, VmAuthd and Telnet.
An important piece of information is that Medusa is a command line tool. That means that to use it we must learn its commands, so it is not easy to use software. On the other hand, its efficiency depends on the network connectivity. Thus, it is capable of testing 2000 passwords per minute on a local network.
OphCrack
OphCrack this is a freeware to crack passwords from Windows based on Rainbow tables. By using this type of tables the tool is very efficient.
In addition, it has a graphical interface and is multiplatform and can be used in Windows, Linux, Unix and Mac OS. On the other hand, it is compatible with free and paid Rainbow tables, and is capable of cracking the keys of any modern Windows, starting with XP. It also has a brute force module for simple passwords.
Thanks to the password cracking tools that we have seen throughout the tutorial, we could perform penetration tests with them.
