How to crack a password: Demo and video walkthrough
Want to see how easy it is for your weak passwords to get cracked? In this episode of Cyber Work Applied, Infosec Skills author Mike Meyers shows just how easy it is to use a brute-force attack or a password dictionary attack to crack a password.
What is password cracking?
Learn how to use Cain and Abel to conduct password attacks in this episode of Cyber Work Applied.
Using password cracking tools: How to crack a password | Free Cyber Work Applied series
Cyber Work listeners get free cybersecurity training resources. Click below to get your free courses and other materials.
Password cracking walkthrough and demo
Below is the edited transcript of Mike’s password-cracking walkthrough.
Where are passwords stored?
(0:10- 0:59) When we talk about cryptographic attacks, the easier way to interpret this is cracking passwords. Now, don’t get too excited. First of all, let’s ensure we understand what we’re talking about when we talk about password cracking.
When you have some kind of server — a web server, an FTP server, an SSH server, a game server, an operating system that’s sharing folders, it doesn’t matter what it is — you are going to have to have a list of usernames and passwords stored somewhere on that server system. Now, if you’re going to store them, which you have to do, then when someone logs in, they’re going to type in a username and password and then come to that server.
What is password hashing?
(1:00- 2:07) You have to store the password. So how do you store it? Well, you could just store it in clear text. You could literally have a list somewhere on your hard drive that says, Mike and then whatever his password is, and Bob and whatever his password is, and Janet and whatever her password is.” We could do that.
But the downside is that if a bad guy gets to that server, he could get easy access to our passwords. So traditionally, what we do with a password is that when we create a new user and have them type in a password, the password is never stored on the hard drive; we just hash it. We make a hash of the password.
Now, if we’ve got a hash of the password sitting on the server and somebody who’s a client wants to log in, the server is going to say, please type in your username and password.
So they type in a username and password on their side, and then that is hashed. So the hash comes over the internet and then gets to the server. Then the server compares to the hashes, and that’s how it logs in. We would really never use clear text except in the most primitive of situations.
Hacking passwords means hacking hashes
(2:08- 3:05) The important thing to understand here is that if you want to get into cryptographic attacks, if you want to hack passwords, what you’re really doing is hacking hashes.
There are a couple of things that come into play here. Number one, you have to be able to get to that list of hashes. One of the hardest jobs of cryptographic attacks is how you get to that server and how you grab those usernames and password lists. You don’t know what the passwords are, but how do you at least get the list? That varies for every single thing that’s out there.
If you want to get your Windows system, it has its own set of passwords and hashes. If you want to get to an FTP server, it depends on the brand. They have their own usernames and passwords. The biggest part of cryptographic attacks really isn’t hacking the hashes, the biggest part is getting to them. And I’m not covering that in this section because there are huge groups of people who spend all kinds of time with all kinds of different stuff to figure out how to get to these different things.
You can’t reverse a hash
(3:06- 3:49) The second thing we need to talk about is that if the password is stored in a hash, there is no way for you to reverse that hash to figure out what the password is. It’s just not going to happen.
What we’re going to do instead is we’re going to generate hashes until we get the hash that we have a copy of, and now that we have the copy, we know what this hash is because we generated it ourselves and then we know what the password is.
So when we’re talking about cryptographic attacks and in particular — we’re going to talk about brute-force attacks, dictionary attacks, rainbow tables and all that kind of stuff — keep in mind what we’re doing more than anything else is generating hashes and making a comparison. When we compare the right ones, we can finally say that we have the password.
Finding list of hashes in FreeSSH
(3:50- 5:36) I want to go through this process a little bit, and the best way to do this is to pick an arbitrary server to attack. In this case, I’m going to use a program called Free SSH, and I’ve got it right here. So this is Free SSH. Free SSH is a wonderful little SSH and Telnet server. I’ve been using this thing for years and years; nothing special about it, but one of the things that’s kind of fun is that it’s got these user accounts.
So I’m going to add a user, and I’m going to add a user called Timmy, and there are all these different ways I can store stuff. I could use NT, which is the Windows operating system that’s on. In this case, I’m going to use a password stored as a SHA1 hash. I’m going to give it a dangerously simple password, and I’m going to call it m-i-k-e, all lowercase. Do not try such a small password at home. Then what do I want this guy to be able to do with this particular SSH tool.
Now I’ve got this Timmy in here, and I want to go ahead now, and I want to — first of all, I have to figure out where this Timmy password is. To do that, all I’ve done there is actually got Free SSH to save that particular one. I had to do a lot of research for this old program, but I finally found some documentation that says all the passwords with the SHA-1 hash are stored in this little file right here. So I could open this file up and scroll it around. Here, I can see some other user accounts. But here’s the Timmy account right here, and that is the actual hash that is storing that password of m-i-k-e.
Using Cain and Abel for a brute-force attack
(5:37- 8:13) Now that I have the hash, I need some tool that I could take this hash value and throw it in and say, keep running a bunch of hashes until you find one that matches that. And that process, which we call a brute-force attack, can be done in all kinds of different ways. Now, for this one particular example, I’m going to use an old program called Cain and Abel. Let me show you that guy.
So this is Cain and Abel. Now, I need to warn you a couple of things about Cain and Abel before we get started with this. First of all, Cain and Abel is a very, very powerful tool, but it’s very dated, so even though I’m running a modern Windows 10 system here, there are a lot of features of Windows 10 that really just don’t come into play anymore.
The other thing is that anytime we talk about cryptographic tools like this, they’re not instantly easy to use. It would be kind of like someone saying, “Hey, let’s go ahead and make an accounting spreadsheet,” and I hand you Excel. Sure, it’s a good tool, but you really have to understand what’s going on. So there are a lot of steps in here that I’m familiar with because I’m familiar with this tool, but you have to do a little experimentation on yourself.
So we take a look at this, and there is a cracker function right here. You see that, and it says, what do you want to crack? These are different kinds of hashes because that’s mainly what we’re hashing in this world. So I know this is a SHA-1 hash because that’s how the Free SSH store stuff.
Here’s my SHA-1 hash tool. What I’m going to have to do, first of all, is go over, and I’m going to grab this hash. I’m just doing a regular old copy, and I need to put it into the cracker. And what I’ve done now is I’ve inserted this SHA-1 hash into it.
So now, let’s go ahead and start cracking. So what we’re going to do first is we’re going to do brute force. We’re basically going to say, Cain and Abel, I want you to start with the letter “a,” make an SHA-1 hash, make the letter “b,” make a SHA-1 hash, go through all those, then do “aa,” then do “ab,” then do “abcd.” Get the idea that this could take a little bit of time? Well, it absolutely does. So let’s watch what happens.
So what we’re going to do is a brute-force attack. Now, you’ll notice that I’ve got a lot of options here, and all of these crackers have some tool like this, so it’s going to say, just use lowercase and numbers. Now, for the sake of brevity, what I’m going to do here is I’m going to make it even simpler than that, and I’m just going to say, just use lowercase letters.
Why long passwords are more difficult to break
(8:14- 9:14) Now, what I want you to watch right here is the keyspace. So right now, I’m in the thousands, millions, billions, trillions, gazillions — the number of permutations that would have to go through to do every possible combination just using the 26 letters of the alphabet, as you can see, is huge. But there are a few other things we know. And again, I’m cheating here folks simply because I know the password is very, very short.
I want you to watch the keyspace while I reduce the possible password length. So watch what happens to that keyspace as I keep making the number shorter and shorter.
One of the reasons why people always say to use long passwords, you just saw it right there. The longer the password, the more difficult it is for me to crack it. In a brute-force scenario, if you use complicated passwords with upper and lowercase and numbers and all that stuff, it starts going into the months, days, years, kind of a thing to crack using Cain and Abel.
Cracking the simple password “mike”
(9:15- 10:01) So what I’ve done here is I’ve got it knocked down to a maximum of eight characters, and let’s go ahead and start it and see what happens.
If you take a look right here, it was pretty much instantaneous, but you’ll see it found the password is mike. So that is one example of brute force.
Now keep in mind, one more time, what brute force is doing. It’s literally generated based on the predefined character set that I set up for it. I said, let’s start with just the letters of the alphabet and just lowercase. And then it ground through them. So you can see that it went through just about a trillion iterations in a very, very short amount of time.
Why you should a complex passwords
(10:02- 11:14) Let’s take a look at this one more time, and imagine this time, let’s say I had a big complicated password.
So let’s change the predefined character set, so it’s going to be lowercase alphabet, uppercase alphabet and numbers. Do you see that right there? Now, watch the keyspace as I start to bring it up. You see that? I’m already up to exponential notations.
So that is a really good example of why we use complex passwords. We use complex passwords to make cryptographic attacks harder. Period.
That’s one example. In this particular example, what we did is we simply ran a brute-force attack. As you can see, when things get complicated a brute-force attack can become incredibly onerous. Now, this is just a regular, middle-of-the-road desktop system. If I wanted to, I could buy computer systems or build one myself that use graphics processors and all this extra power, and they can calculate a lot faster, but it still becomes very difficult.
Using Cain and Abel for a dictionary attack
(11:15- 14:56) So what we want to do is I want to go ahead and do an attack, but let’s make some assumptions. One of the things we know about people is that I don’t think I’ve ever met anybody who used a password that was 12XF9L&2, right?
What we do as human beings is we tend to use dictionary words — Mike47, Timmy22 and 1Johnny5 — and we turned all the Os into zeros, and you know all that stuff. Well, if we know that, we can do another kind of attack called a dictionary attack.
A dictionary attack starts by using a text file that is filled with dictionary words. It’ll take those dictionary words and then it’ll manipulate them. For example, if I put the word mike in the dictionary, I could tell the cracker to go, don’t do just mike, but do capital M-I-K-E and then make MIKE1, MIKE2, MIKE47, all that type of stuff.
So a dictionary attack will always, always start with a text file that’s full of dictionary words. So let’s try a dictionary attack. All right, so let’s go ahead and grab that hash one more time, and I’m going to go ahead and plug it in here. So here’s my hash.
Now, the whole idea behind a dictionary attack is we have to feed the attacking tool a dictionary. So I have a very simplified one. If you take a look right here, I’ve made a little file called dictionary.txt, and you could see that I have all of about what, nine words in there.
Keep in mind that you can download dictionaries from the internet that have hundreds and hundreds of thousands of different words in there, so dictionaries can be massive, massive devices. Again, I’m cheating for the sake of brevity, and so we’ve got that dictionary ready to go.
Let’s go ahead and do the dictionary attack. I’m going to go ahead and select Dictionary Attack this time, and you’ll see that I’ve already preselected that text file.
Now, this is a pretty handy tool because he always remembers where you left off, and I’ve done an attack before. He remembers I’m at the end of the file, so I got to go through this little process to tell it to go back to the beginning.
What I’m going to do is start it, and boom, you can see, almost instantly, I got the answer. Now, I made this one easy because the password is just four characters and they’re all lowercase alphas, so for brevity, it works out really well. But let’s take a look with a little bit more detail here.
You’ll notice that you tell these crackers how to deal with the particular type of words. So for example, here’s one where it says if the word is in all lowercase, then try it also as uppercase or vice versa if the word in the dictionary is all uppercase.
Here, I could say, do case permutations. Now watch if I click that. It actually turns a couple of these off because now it’s saying, change just the second letter to uppercase, change the third letter, or however that might be.
And the other one right here at the bottom might be familiar to some of you guys, which is to add two numbers to the end. So whatever the word is, if it’s mike, do mike1, mike2, mike3, mike4, all the way up to mike99.
I wonder how many of you guys out there said, “Oh yeah, the thing would probably crack my password,” based on that. So dictionary attacks are fantastic. They speed the process up simply because they take advantage of the fact that human beings tend to use words they’re familiar with as part of their password. At the top of every one of these dictionaries is password and 1, 2, 3, and 1, 2, 3, 4. So don’t even bother with those. They’ll have you hacked in milliseconds literally.
More cybersecurity training resources
Want more free resources? Check out the weekly Cyber Work Podcast for in-depth conversations with cybersecurity practitioners and industry thought leaders.
Cyber Work listeners also get free cybersecurity resources. Check out the latest free training courses and resources to keep learning!