1. THC Hydra
THC Hydra is one of the powerful tools used by hackers for cracking passwords. It is available for macOS, Windows and Linux. The tool works online and uses both brute-force and dictionary attacks against login pages. THC Hydra is also known for its fast network login cracking. Its brute-force technique can raise the alarm of a security breach if security measures are in place on the targeted login page (WondorHow, 2020). For instance, a login page may enforce a maximum number of attempts beyond which the account is disabled or locked. Brute-forcing works by repeatedly guessing passwords at the login page, so it is likely to produce an excessive number of login attempts.
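The attempt limit described above can be sketched as a sliding-window counter per account. This is an added example, not code from the original page or from any tool it describes; the thresholds, the LoginGuard class and the sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed policy: failed attempts allowed per window
WINDOW_SECONDS = 300   # assumed policy: sliding-window length
LOCK_SECONDS = 900     # assumed policy: how long the account stays locked


class LoginGuard:
    """Per-account failure counter with a temporary lockout and an alert list."""

    def __init__(self):
        self.failures = defaultdict(deque)  # account -> failure timestamps
        self.locked_until = {}              # account -> time the lock expires
        self.alerts = []                    # (time, account, source_ip)

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def attempt(self, account, source_ip, password_ok, now):
        """Return 'locked', 'ok' or 'denied' for one login attempt."""
        if self.is_locked(account, now):
            return "locked"                 # even a correct guess is refused
        if password_ok:
            self.failures[account].clear()
            return "ok"
        window = self.failures[account]
        window.append(now)
        while now - window[0] > WINDOW_SECONDS:
            window.popleft()                # forget failures outside the window
        if len(window) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCK_SECONDS
            self.alerts.append((now, account, source_ip))
            window.clear()
        return "denied"


def replay(events):
    """Run (time, account, source_ip, password_ok) tuples through a new guard."""
    guard = LoginGuard()
    return [guard.attempt(acct, ip, ok, t) for t, acct, ip, ok in events], guard


# Constructed events: ten guesses against "admin" from one source (guess 8 is
# the right password), then a real user who mistypes twice before succeeding.
SAMPLE = [(t, "admin", "203.0.113.7", t == 8) for t in range(1, 11)]
SAMPLE += [(t, "alice", "198.51.100.4", t == 30) for t in (20, 25, 30)]

if __name__ == "__main__":
    outcomes, guard = replay(SAMPLE)
    print(outcomes, guard.alerts)
```

The fifth failure locks the account and records the source address, so the correct guess that arrives afterwards is refused, while the user with two typos is never locked.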
THC Hydra is built into Kali Linux, so anyone using that operating system does not need to install it. However, the tool does not work alone; it works together with other tools such as “Tamper Data,” which is one of the plugins for Mozilla Firefox. The plugin produces essential information used by Hydra, such as the HTTP and HTTPS POST and GET information. Tamper Data is simply a web proxy, similar to Burp Suite.
Once Tamper Data is installed in the web browser and activated, we can navigate to the website of interest. The example below shows navigation to the website of the Bank of America.
After we try to log in to the site using “hacker” as the user name, Tamper Data returns all the critical information on the form. This information is useful because Hydra uses it when trying to crack the passwords. Below is a screenshot of the information returned by Tamper Data.
Description of the Results Obtained
After obtaining the essential information from Tamper Data, we now go to Hydra to crack an online password. To open Hydra in Kali Linux, we go to Kali Linux, then to password, then to Hydra, and then to online attacks, as displayed on the screenshot below.
The window below opens after clicking on online attacks, ready to execute an attack on the online platform.
Kali Linux has several built-in password wordlists that can be used to crack passwords. However, any password text file can be used, including a downloaded one. Change to the wordlist directory by typing the command “kali > cd /usr/share/wordlists”. Then list the contents of the directory by entering the command “kali > ls”. Below is the screenshot of the results displayed after typing the commands.
In the next step, we use the tool to crack passwords. The screenshot below shows the values entered in the tool’s terminal. We are using the tool to crack the admin password, with IP address 192.168.89.190 on port 80 as the target, using “rockyou.txt”.
Below is a screenshot of the results displayed.
2. John the Ripper
Just like the Hydra password cracking tool, John the Ripper is also used for cracking passwords. However, unlike THC Hydra, which is used to crack online passwords only, the tool is used to crack both online and offline passwords. John the Ripper is an old software tool, first released in 1996 and originally meant for Unix-based systems (Blackmoreops, 2020). The tool was designed for establishing the strength of passwords and for cracking passwords via a dictionary attack. John the Ripper is one of the simplest and most essential tools for penetration testing, often used by hackers and information security personnel. The tool comes in both a free and a proprietary version, with the proprietary version having some advanced features such as performance optimization, multilingual wordlists and support for 64-bit architecture. It was designed specifically for professional penetration testers.
Furthermore, John the Ripper supports several encryption technologies, such as those of Windows-based systems and UNIX. The software autodetects the encryption used on the hashed data, then checks it against large plain-text files containing popular passwords. Once it finds a matching password, it stops. In addition, the software contains a wordlist of commonly used passwords for more than twenty languages, and it can generate thousands of possible passwords from this list. When using Kali Linux, you don’t need to install John the Ripper, since it is included among the penetration testing tools for Kali Linux. The tool handles encryption technologies including UNIX crypt, Kerberos, FreeBSD MD5-based, traditional DES-based and Windows LM, among others.
Information security personnel can make it hard for hackers to penetrate systems using this tool in several ways. For example, information security personnel and system administrators must ensure that system accounts use strong passwords. John the Ripper works to exploit weak passwords before an attack is carried out. Information security specialists should also advise system developers to consider double authentication on their login interfaces. After the user enters the password, the system sends a one-time password to the user’s phone, which must be supplied before access to the system resources is allowed.
Description of the Results Obtained
After opening the John the Ripper tool and getting the hashes, we can process an existing file using the awk command. The screenshot below shows the commands entered and the results displayed.
Using the incremental mode to search for password cracks, the following result is obtained.
The above screenshot shows the number of passwords that have been found and cracked online.
3. RainbowCrack
One cannot think about password cracking tools without considering RainbowCrack. RainbowCrack is among the best and most efficient password cracking tools used by information system security specialists for penetration testing. Hackers are not left behind either; they also use the tool to crack passwords in order to perform an attack. RainbowCrack uses the brute-force technique to carry out its operation. In addition, the tool uses rainbow tables, which make it very fast and efficient in cracking passwords. Furthermore, RainbowCrack is efficient because it does not use traditional brute-force but uses plain texts to compute the hashes.
System security experts and administrators need to understand some of the ways they can protect the information system from this kind of attack. Firstly, to prevent password hacking, password policies must be strictly implemented, and weak passwords must not be allowed. System users must be advised to use strong passwords that would be hard for hackers to crack. Strong passwords are composed of a combination of characters such as numerical, alphanumerical, and upper and lower case letters. In addition to requiring strong passwords, system developers should ensure two-level authentication by using a password and a code sent to the email address or telephone number of the system user.
Description of the Results Obtained
Below is a screenshot which shows RainbowCrack in use, trying to crack passwords.
4. OphCrack
This tool is specifically used to crack Windows login passwords using rainbow tables. The inventors of the method used rainbow tables to make the tool more efficient in cracking Windows passwords. The tool runs on multiple platforms and comes with a graphical user interface. The rainbow tables used by the tool contain LM hashes that are used for cracking Windows passwords (Tornio, 2020). Furthermore, one does not need to buy the software, since it is free and open-source. The tool also allows users to download additional rainbow tables and add them to the software’s own.
The tool finds it hard to crack passwords that contain more than fourteen characters and combine numerical and alphanumerical values. Therefore, to protect a Windows system from this kind of attack, system administrators need to use passwords that cannot easily be cracked by a hacker.
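The password advice in the RainbowCrack and OphCrack sections (more than fourteen characters, mixed character types, nothing a wordlist would contain) can be checked at password-change time. The following is an added example, not part of the original article; the audit and dictionary_hits functions, the tiny wordlist, the substitution table and the candidate passwords are all constructed assumptions, and the un-swapping step goes slightly beyond the text to show why a long password built on a dictionary word still fails.

```python
import re

MIN_LENGTH = 15  # "more than fourteen characters", as stated in the text
# Constructed stand-in for a cracking wordlist such as rockyou.txt.
WORDLIST = {"password", "letmein", "dragon", "qwerty", "administrator"}
# Assumed substitution table: undo common character swaps before the lookup.
LEET = str.maketrans("0134578@$!", "oieastbasi")


def dictionary_hits(password, wordlist=WORDLIST):
    """Wordlist entries still visible after lower-casing and un-swapping."""
    plain = password.lower().translate(LEET)
    return sorted(word for word in wordlist if word in plain)


def audit(password, wordlist=WORDLIST):
    """Return a list of findings; an empty list means the password passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter than 15 characters")
    for label, pattern in (("lower-case letter", r"[a-z]"),
                           ("upper-case letter", r"[A-Z]"),
                           ("digit", r"[0-9]")):
        if not re.search(pattern, password):
            findings.append("no " + label)
    for word in dictionary_hits(password, wordlist):
        findings.append("built on wordlist entry: " + word)
    return findings


# Constructed candidate passwords, not taken from the page.
CANDIDATES = ["P@ssw0rd123", "Adm1n1strat0r2020",
              "correcthorsebatterystaple", "tuesday-Harbor-92-kettle"]

if __name__ == "__main__":
    for candidate in CANDIDATES:
        print(candidate, audit(candidate) or "accepted")
```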
Description of the Results Obtained
The screenshot below shows the cracking process using the OphCrack tool. Before launching a successful Windows password crack, several procedures and steps need to be observed. When the software is run, for example, the number of threads should correspond to the number of logical cores of the computer. Then the hashes are loaded using the load button; they can also be entered manually. Lastly, user accounts that are not required are deleted, and the yellow and green buttons are enabled. When the crack button is clicked, the process of cracking the Windows password begins. The image below shows a screenshot of a complete cracking process.
Recommendations for the Best Password Cracking Tool
According to the analysis from the research done on the four password cracking tools, each of them is important, depending on the user’s intentions. For example, if you wish to crack the password for a Windows login, the OphCrack tool is the best to use. On the other hand, if you want to hack online accounts, you can use either Hydra or John the Ripper. However, in this case, John the Ripper is better than THC Hydra, because THC Hydra works only online, whereas John the Ripper can be used both online and offline to crack passwords. In addition, John the Ripper is available for both professionals and novices.
WondorHow. (2020). Hack Like a Pro: How to Crack Online Passwords with Tamper Data & THC Hydra. WonderHowTo. Retrieved 28 August 2020, from https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-online-passwords-with-tamper-data-thc-hydra-0155374/.
Blackmoreops. (2020). Cracking password in Kali Linux using John the Ripper. blackMORE Ops. Retrieved 28 August 2020, from https://www.blackmoreops.com/2015/11/10/cracking-password-in-kali-linux-using-john-the-ripper/.
Tornio, S. (2020). Let’s Get Cracking: A Beginner’s Guide to Password Analysis. Blog.focal-point.com. Retrieved 28 August 2020, from https://blog.focal-point.com/lets-get-cracking-a-beginners-guide-to-password-analysis.