A Real-world Password Cracking Demonstration
Using Open Source Tools for Instructional Use
Tejaswi Kakarla, Aakif Mairaj, Ahmad Y. Javaid
Electrical Engineering and Computer Science Department
University of Toledo, Toledo, OH 43606, USA
E-mail: Tejaswi.Kakarla@rockets.utoledo.edu, Aakif.Mairaj@rockets.utoledo.edu, Ahmad.Javaid@utoledo.edu
Abstract— Passwords are among the most common ways to protect and
authenticate access to a network or any other confidential information.
Password cracking is used in penetration testing to measure the strength of
a password. In this paper, we discuss different types of password cracking
tools, with an emphasis on THC Hydra, and the different types of attacks
that such tools can launch. The paper specifically demonstrates THC Hydra
attacks on an FTP server and an SSH server that can be used in the teaching
of a foundational cybersecurity course. We conclude the paper with a
discussion of several actions that can be taken for end-user protection.
Keywords— Hydra; dictionary attack; brute force attack; server; cracking
I. INTRODUCTION
The technological advances of the last decade have brought many new
concepts, such as cybersecurity, into the picture. Cybersecurity is the set
of processes designed to protect important data from attack or unauthorized
access. Frequent security breaches in the last few years have led people to
educate themselves about protecting valuable information against malicious
attacks. The year 2017 witnessed many high-profile data breaches; for
example, cryptocurrency-related malware is becoming a popular and profitable
choice for cybercriminals [1]. Computer security, therefore, depends on all
users being aware of the risks and taking responsible action to avoid them.
This paper deals with one aspect of cybersecurity: password cracking.
Password cracking is a term used to describe penetrating a network to unlock
a protected resource, with or without tools. Passwords are the most common
form of authentication during a login process. Password-based authentication
works by comparing the credentials provided by a user with stored secrets.
Password cracking ranges from decrypting a password to hacking into a
network. In this paper, we explain the different types of attacks and the
tools available to carry them out. The explosive growth of technology has
brought forward many password cracking tools that are available for free on
the web. These tools are developed by technology enthusiasts who treat
hacking as an 'art' form.
This paper discusses the different types of attacks and tools used in
password cracking and provides basic information on the general do's and
don'ts for securing valuable information against unauthorized users.
II. PASSWORD CRACKING TECHNIQUES
The main goal of a hacker is to gain access to your private information for
monetary gain, by demanding a ransom or selling it to your opponent.
Figure 1 [2] shows some scenarios and attempts at password cracking. There
are five main types of password cracking techniques: Dictionary attack,
Brute Force attack, Hybrid attack, Rainbow Tables attack and Social
Engineering attack.
A. Dictionary Attack
This type of attack tries to find the password (or decryption key) by
repeatedly trying millions of the most likely possibilities, such as all the
words in a dictionary. In a dictionary attack, a wordlist comprising the
most likely passwords is used by the hacker while attempting to gain access
to a system [3]. In addition, the wordlists that have proven most successful
are compiled from various public sources and are easily available online
[4]. Several wordlists are available; the most common is "rockyou.txt."
B. Brute Force Attack
In a Brute Force attack, the attacker tries every possible combination of
characters, hoping that at least one combination is correct. This attack is
fast when it is used to check for short passwords. The only drawback of this
method is that, if the password is a long one, it takes much longer to find
the right password and hence consumes lots of system resources [5].
Figure 1: The flow of password attacking possibilities [2]
978-1-5386-5398-2/18/$31.00 ©2018 IEEE
C. Hybrid Attack
A Hybrid Attack is a blend of the dictionary attack and the Brute Force
attack. It requires a list of possible passwords like the dictionary attack,
but it attempts all the possible combinations of the passwords present in
the list, like a Brute Force attack [4]. Its computation time is very long
compared to the other attacks, depending on the number of passwords present
in the list.
D. Rainbow Tables Attack
The Rainbow Tables attack uses a pre-existing table to reverse cryptographic
hash functions. Rainbow Tables benefit the person constructing the
precomputed tables, since he can choose the required storage by selecting
the number of links in each chain [6]. If there are more links between the
initial value and the final value, then more passwords are covered. There is
one weakness in this attack, though: the person building the chains does not
select the passwords they capture; hence Rainbow Tables cannot be optimized
for general passwords.
E. Social Engineering attack
A Social Engineering attack is an inclusive term for all the different
attacks that occur through human interaction. These attacks occur in several
steps: at first, the attacker gets to know the victim and identifies the
potential points of entry; then the attacker gains the trust of the victim,
thereby gaining knowledge of sensitive information, which in turn provides
him access to critical resources [7].
III. PASSWORD CRACKING TOOLS
In the previous section we discussed various types of attacks; this section
focuses on the different tools that are available on the web and can
implement such attacks, for example John the Ripper [8], THC Hydra [9],
Rainbow Crack [8], Cain and Abel [8] and Medusa [9].
A. John the Ripper
John the Ripper is a slow password cracker; initially, it was meant for
UNIX. However, with time it became more versatile, and now it runs on
Windows, OpenVMS and Mac OS. Its primary purpose is to detect weak Unix
passwords. This tool is available for free and supports both Brute Force and
dictionary attacks. It is a time-consuming password cracking tool.
B. THC Hydra
THC Hydra is a password cracking tool that can perform very fast dictionary
attacks against more than fifty protocols, such as HTTP, HTTPS and FTP. It
is a fast and stable network login cracking tool that uses dictionary or
brute-force attacks to try various password and login combinations against
a login service. This tool was developed by Van Hauser and is readily
available on GitHub, where its newest releases are frequently updated. It is
a fast and flexible password cracker.
C. Rainbow Crack
Rainbow Crack is a hash cracker that makes use of a large-scale time-memory
trade-off. A common Brute Force attack tries every possible plaintext one by
one, which is time-consuming for complex passwords, but this tool uses the
time-memory trade-off to do the cracking computation in advance and store
the results in "rainbow tables." Precomputing the tables takes a long time,
but once the precomputation is finished the tool is hundreds of times faster
than a Brute Force attack. The precomputation generates all possible
plaintexts and calculates the corresponding hashes; the calculated hashes
are then compared with the hash to be cracked, and when the hashes match,
the plaintext is found. It is available for Windows and Linux, runs from
both the command line and a graphical interface, and supports computation on
multicore processors.
D. Cain and Abel
Cain and Abel is a password recovery tool exclusive to Windows. It allows
easy recovery of various kinds of passwords by sniffing the network and
cracking encrypted passwords using Dictionary, Brute Force and Cryptanalysis
attacks [10]. It relies on an IP-to-MAC address resolver, ARP spoofing, and
an LSA secret dumper. It is used for WEP cracking, and it provides a
facility to record VoIP. It speeds up packet capture by wireless packet
injection.
E. Medusa
Medusa is a password cracking tool that can be used on Linux and Mac OS X.
This tool focuses on cracking passwords by Brute Force attack. It can
perform rapid attacks against a large number of protocols, for example
TELNET, HTTP, HTTPS, databases, and SMB. It uses thread-based parallel
testing, which can be applied to multiple hosts at once. This tool has
different modules, and each is available as an independent file.
IV. TECHNICAL APPROACH
In this section, we expand on the technicalities of THC Hydra, the tool
developed by Van Hauser. Hydra's general syntax, shown here for the SMTP
service, is:
hydra -S -l <victim's email> -P <path of the file in which the passwords are stored> -e ns -V -s <port number> <server> smtp
A. Hydra in FTP Server
To launch an attack on an FTP server the command used is:
hydra -L usernames.txt -P passwordlist.txt ftp://ftpserver1
The -L and -P switches are used to loop through the files named
usernames.txt and passwordlist.txt to create the various combinations of
usernames and passwords to try.
Hydra will then produce a result over a period of a few minutes and show how
many attempts were successful while trying all the different possible
combinations of usernames and passwords. The authentication log on
ftpserver1 can be viewed to double check the success of the Brute Force
attack. The attack is shown above in Figure 2 [9].
B. Hydra in SSH Server
Launching an attack on an SSH server is done in the same way as for the FTP
server; the only modification is that the service://hostname argument
changes to ssh://ftpserver1. To launch an attack on an SSH server the
command used is:
hydra -L usernames.txt -P passwordlist.txt -t 4 ssh://ftpserver1
Here the -t 4 switch limits the number of simultaneous authentication
attempts to better suit the default configuration of many SSH services.
Launching a Brute Force attack on an SSH service is slower and less reliable
than attacking an FTP service, because many SSH services are configured by
default to limit the number of failed login attempts from a particular
attacking host. An example is shown above in Figure 3. The log entry shows
that the SSH server disconnects the user Helga after many failed
authentication attempts. Each disconnect adds to the time the Brute Force
algorithm takes to complete the task. Despite adjusting the number of
parallel tasks, the Brute Force attack on an SSH server can be unsuccessful
even though the correct combination of username and password is in the
list, as shown in Figure 4.
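The disconnect behaviour described above is also what a defender watches for in the server's log. The following Python script is added here as an illustration and is not part of the original paper; it parses a few constructed sshd log lines (the host name ftpserver1 and the documentation addresses are placeholders) and flags source addresses that either reach a failure threshold or trigger sshd's "Too many authentication failures" disconnect:

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log lines for the demonstration (not taken from the paper);
# ftpserver1 and the RFC 5737 documentation addresses are placeholders.
SAMPLE_LOG = """\
Mar  1 10:01:12 ftpserver1 sshd[2201]: Failed password for helga from 192.0.2.10 port 50122 ssh2
Mar  1 10:01:13 ftpserver1 sshd[2201]: Failed password for helga from 192.0.2.10 port 50122 ssh2
Mar  1 10:01:13 ftpserver1 sshd[2201]: Failed password for helga from 192.0.2.10 port 50122 ssh2
Mar  1 10:01:14 ftpserver1 sshd[2201]: Disconnecting authenticating user helga 192.0.2.10 port 50122: Too many authentication failures [preauth]
Mar  1 10:01:15 ftpserver1 sshd[2208]: Failed password for invalid user admin from 192.0.2.10 port 50130 ssh2
Mar  1 10:01:16 ftpserver1 sshd[2208]: Failed password for invalid user admin from 192.0.2.10 port 50130 ssh2
Mar  1 10:02:40 ftpserver1 sshd[2215]: Accepted password for alice from 198.51.100.7 port 40110 ssh2
Mar  1 10:03:01 ftpserver1 sshd[2220]: Failed password for alice from 198.51.100.7 port 40112 ssh2
"""

# "invalid user" marks a login name that does not exist on the host; a wordlist
# run typically produces many of these from a single source.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
DISCONNECT_RE = re.compile(
    r"Disconnecting authenticating user (?P<user>\S+) (?P<ip>\S+) port .*Too many authentication failures")


def summarize_failures(log_text):
    """Count failed password attempts and lockout disconnects per source
    address, and record the distinct login names each source tried."""
    failures = Counter()
    users = defaultdict(set)
    disconnects = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            disconnects[m["ip"]] += 1
    return failures, users, disconnects


def suspicious_sources(log_text, threshold=5):
    """Sources that reached the failure threshold or were disconnected by
    sshd for too many failures, sorted for stable output."""
    failures, _users, disconnects = summarize_failures(log_text)
    flagged = {ip for ip, n in failures.items() if n >= threshold}
    flagged.update(disconnects)
    return sorted(flagged)


if __name__ == "__main__":
    failures, users, disconnects = summarize_failures(SAMPLE_LOG)
    for ip in suspicious_sources(SAMPLE_LOG):
        print(f"{ip}: {failures[ip]} failures, {disconnects[ip]} lockout "
              f"disconnects, users tried: {sorted(users[ip])}")
```

The single legitimate failure from 198.51.100.7 stays below the threshold, while the source that cycled through two login names and hit sshd's lockout is reported; the same counters are what a tool such as a log-based blocker keys its temporary bans on.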
Figure 2: Example of Hydra in SSH Server [9]
Figure 3: Hydra in FTP Server [9]
Figure 4: Implementation of Hydra for SMTP Server
Figure 5: Unsuccessful Brute Force [9]
C. Hydra in SMTP Server
Mail servers commonly use the SMTP authentication protocol to identify a
valid user before accepting email for delivery. There are many standards for
SMTP authentication; we use the AUTH LOGIN method.
This authentication method is supported by many common SMTP servers and is
therefore a convenient protocol to use. It is simple and sends the
credentials unencrypted. Even though this protocol is not very secure, many
mail servers support it in their default configurations. It can be
exercised with the telnet command aimed at port 25 on an available mail
server. If the supplied username and password are correct, the server
returns a 2xx status code; if they are wrong, the server returns a 5xx
response code [11]. The command prompt used to hack into a Gmail account
with THC Hydra, and the commands used with their descriptions, are shown in
Figure 5. This was accomplished from Windows 10 against the Gmail SMTP
server without disabling any of Gmail's security features. Not disabling
those security features generates a security warning that is sent to the
victim's email, as shown in Figure 6.
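To see concretely why the paper calls AUTH LOGIN unencrypted, the following Python code (added here; not part of the original paper) simulates both sides of the exchange, with a stand-in server that checks constructed credentials and answers 235 or 535, and then shows that a passive observer of the session recovers the username and password from the transcript by base64 decoding alone. That is the reason the submission session itself has to be protected with TLS rather than relying on the encoding:

```python
import base64
import hmac

# Constructed credentials the stand-in server accepts (not from the paper).
VALID_USER = "alice"
VALID_PASSWORD = "correct horse"


def b64(text):
    """AUTH LOGIN carries each prompt and answer as one base64 line."""
    return base64.b64encode(text.encode()).decode()


def unb64(text):
    return base64.b64decode(text).decode()


def server_check(username, password):
    """Stand-in for the mail server's credential check; constant-time compare
    so the reply timing does not leak how many bytes matched."""
    user_ok = hmac.compare_digest(username.encode(), VALID_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), VALID_PASSWORD.encode())
    return user_ok and pass_ok


def auth_login_exchange(username, password):
    """Both sides of an AUTH LOGIN exchange. The server prompts with
    base64('Username:') and base64('Password:'), the client answers in base64,
    and the final reply is a 2xx code on success or a 5xx code on failure, as
    the paper describes. Returns (transcript, final_reply)."""
    transcript = [
        "C: AUTH LOGIN",
        "S: 334 " + b64("Username:"),
        "C: " + b64(username),
        "S: 334 " + b64("Password:"),
        "C: " + b64(password),
    ]
    if server_check(username, password):
        reply = "235 2.7.0 Authentication successful"
    else:
        reply = "535 5.7.8 Authentication credentials invalid"
    transcript.append("S: " + reply)
    return transcript, reply


def credentials_seen_on_the_wire(transcript):
    """What anyone capturing the unencrypted session learns: base64 is an
    encoding, not encryption, so the two client answers decode straight back
    to the username and password."""
    answers = [line[3:] for line in transcript
               if line.startswith("C: ") and line != "C: AUTH LOGIN"]
    return unb64(answers[0]), unb64(answers[1])


if __name__ == "__main__":
    transcript, reply = auth_login_exchange("alice", "correct horse")
    print("\n".join(transcript))
    print("observer recovers:", credentials_seen_on_the_wire(transcript))
```

The 334 prompt strings are fixed, so they look identical in every capture; only the client's two answers vary, which is exactly the part that decodes to the secret.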
Commands:
• -l LOGIN or -L FILE: login with LOGIN name, or load several logins from FILE
• -p PASS or -P FILE: try password PASS, or load several passwords from FILE
• -C FILE: colon-separated "login:pass" format, instead of the -L/-P options
• -M FILE: list of servers to attack, one entry per line, ':' to specify port
• -t TASKS: run TASKS number of connects in parallel per target (default: 16)
• -U: service module usage details
• -h: more command line options (COMPLETE HELP)
• server: the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
• service: the service to crack (see below for supported protocols)
• OPT: some service modules support additional input (-U for module help)
The different ports and servers that can be used are:
1. Gmail: server smtp.gmail.com, port 465
2. Yahoo: server smtp.mail.yahoo.com, port 465
3. Redmail: server smtp.live.com, port 587
Steps for Execution [12]:
a) Select your target:
You have three options for specifying the target you want to attack:
1. A single target on the command line: just put the IP or DNS address in.
2. A network range on the command line: a CIDR specification like
"192.168.0.0/24".
3. A list of hosts in a text file: one line per entry.
b) Select your protocol:
Try to avoid Telnet, as it is unreliable for detecting a correct or false
login attempt. Use a port scanner to see which protocols are enabled on the
target.
c) Check whether the module has optional parameters:
hydra -U PROTOCOL, e.g. hydra -U smtp
d) Select the destination port:
This is optional: if no port is supplied, the default port for the PROTOCOL
is used. If you specify SSL (the "-S" option), the SSL default port is used
instead.
V. PROTECTION AGAINST PASSWORD CRACKING
We can always add another layer of protection to our passwords by using
methods such as strengthening the password, salting, hybridized
authentication and a few general to-dos, which are described below:
A. Strengthening your password
• Strengthen your password so that it has a minimum of 8 characters.
• Use both small and capital letters in your password.
• Use a special character in your password, such as @ or #.
• Changing your passwords monthly, or even occasionally, is a good practice.
• Use a personal algorithm to create a password.
Following these guidelines should strengthen your password and increase the
time required to crack it.
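As an added illustration (not from the original paper), the following Python code checks a password against the three measurable guidelines above and estimates the worst-case brute-force time over the character classes the password actually uses, which makes the "increase the time required to crack it" claim concrete. The guess rate is a constructed parameter, not a measurement of any particular tool or hardware:

```python
import math
import string


def failed_guidelines(password):
    """Return the guidelines from the list above that the password does not
    meet (an empty list means it satisfies all three measurable ones)."""
    failed = []
    if len(password) < 8:
        failed.append("minimum of 8 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failed.append("both small and capital letters")
    if not any(c in string.punctuation for c in password):
        failed.append("a special character")
    return failed


def alphabet_size(password):
    """Size of the character set an exhaustive search would have to cover,
    judged by the classes that actually appear in the password."""
    classes = [
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(c in string.punctuation for c in password), len(string.punctuation)),
    ]
    return sum(size for present, size in classes if present)


def keyspace_bits(password):
    """log2 of the number of candidates a brute-force search must consider."""
    return len(password) * math.log2(alphabet_size(password))


def worst_case_seconds(password, guesses_per_second):
    """Time to exhaust the keyspace at the given (constructed) guess rate."""
    return alphabet_size(password) ** len(password) / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # constructed: one billion guesses per second
    for pw in ["letmein", "Letmein1", "L3tme!n2018", "correct horse battery staple"]:
        print(f"{pw!r}: fails {failed_guidelines(pw)}, "
              f"{keyspace_bits(pw):.1f} bits, "
              f"{worst_case_seconds(pw, rate) / 86400:.3g} days at {rate:.0e}/s")
```

The keyspace figure is an upper bound that only applies to true brute force; a dictionary or hybrid attack of the kind described in Section II finds a password like "Letmein1" far sooner than the bound suggests, which is why the guideline about a personal algorithm matters as much as the character-class rules.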
Figure 6. Security Warning in Gmail
B. Salting
Salting refers to adding a few bits of information, called a salt, to a
password before it is hashed [13][15], to make it more difficult to crack.
Salts prevent the attacker from using a rainbow table to recover the
password hashes. Even though salting is simple, it must be done correctly.
For example, a different salt should be created for every password, so that
a single rainbow table cannot be built for the whole set of passwords. A
large salt value is preferred to a smaller one, and all salt values should
be randomly generated [14].
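The following Python code, added here as an example rather than taken from the paper, shows the salting procedure described above with a per-password random 16-byte salt. PBKDF2-HMAC-SHA256 is used as the slow hash (the paper does not name an algorithm; this is my choice, and the iteration count is a constructed value). It includes verification and a check that two users with the same password end up with different stored records, which is what defeats a precomputed table:

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (constructed; raise as hardware allows)
SALT_BYTES = 16       # 128-bit random salt per password


def unsalted_hash(password):
    """The weak form: the same password always gives the same digest, so one
    precomputed table serves against every user who chose it."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salt, then hash. A fresh random salt is drawn unless one is supplied.
    The salt is stored beside the digest; it is not a secret, it only makes
    precomputation useless. Format: pbkdf2_sha256$iterations$salt_hex$digest_hex"""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_two_users(password):
    """Returns (unsalted_equal, salted_equal): two users who pick the same
    password share an unsalted digest but get different salted records."""
    unsalted_equal = unsalted_hash(password) == unsalted_hash(password)
    record_a = hash_password(password)
    record_b = hash_password(password)
    return unsalted_equal, record_a == record_b


if __name__ == "__main__":
    record = hash_password("rockyou")
    print(record)
    print("verify correct:", verify_password("rockyou", record))
    print("verify wrong:  ", verify_password("Rockyou", record))
    print("unsalted equal, salted equal:", same_password_two_users("rockyou"))
```

Storing the iteration count in the record lets the work factor be raised later without invalidating existing entries: old records keep verifying with their own count, and a login can be re-hashed at the new count once the plaintext is available.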
C. Hybridized Authentication
Password-based authentication can be combined with other forms of
authentication, such as fingerprinting, face recognition, tokens and cards,
thereby making cracking tools less effective.
D. General To-Do’s
• Update your OS and other software frequently. This keeps hackers from
accessing your computer through vulnerabilities in outdated programs.
• Download up-to-date security programs, including antivirus and
anti-malware software, anti-spyware, and a firewall.
• Destroy all traces of your information on hardware you plan to sell.
• Do not use open WiFi; it makes it too easy for hackers to steal your
connection and download illegal files. Protect your WiFi with an encrypted
password, and consider refreshing your equipment every few years.
• Don't link accounts. If you want to comment on an article and are
prompted to sign in with Twitter or Facebook, do not take that route:
"Convenience always lessens your security posture."
• Use different passwords for different accounts. Even though it is easy to
use one password for all accounts, it just makes you more vulnerable.
VI. CONCLUSION
In this paper, we introduced the topic of cybersecurity, passwords and their
cracking in general. This was followed by a discussion of numerous potential
attacks and their execution. Implementation of attacks through the numerous
available tools was discussed briefly. Later sections of this paper revolve
around the application of THC Hydra as a tool for hacking a Gmail account,
underpinned with several executed examples on servers such as FTP, SSH, and
SMTP. In the end, a subsection dedicated to do's and don'ts provides useful
information on the precautionary approach to securing an email account.
REFERENCES
[1] B. Degro, "Software crackers." [Online]. Available: http://web.eng.fiu.edu/~aperezpo/DHS/Std_Research/Researchpaper.pdf [Accessed: 20 January 2018].
[2] S. Martin and M. Tokutomi, "Password Cracking." [Online]. Available: https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic7-final/report.pdf
[3] Y. S. Dandass, "Using FPGAs to parallelize dictionary attacks for password cracking," in Proceedings of the 41st Annual Hawaii International Conference on System Sciences, Hawaii, 2008, pp. 485-485.
[4] C. Yiannis, "Modern Password Cracking: A hands-on approach to creating an optimised and versatile attack," Thesis, Surrey, 2013.
[5] HackerTarget blog. [Online]. Available: https://hackertarget.com/brute-forcing-passwords-with-ncrack-hydra-and-medusa/
[6] Information Security Stack Exchange, "What are rainbow tables and how are they used?" [Online]. Available: https://security.stackexchange.com/questions/379/what-are-rainbow-tables-and-how-are-they-used [Accessed: 10 February 2018].
[7] Webroot. [Online]. Available: https://www.webroot.com/blog/2017/03/21/common-social-engineering-attacks/
[8] Fossbytes. [Online]. Available: https://fossbytes.com/best-password-cracking-tools-2016-windows-linux-download/ [Accessed: 10 February 2018].
[9] R. Svensson, From Hacking to Report Writing. [Online].
[10] A. E. Mohamed, "Password Cracking Using Cain & Abel," January 2013. [Online]. Available: http://resources.infosecinstitute.com/passwordcracking-using-cain-abel/
[11] N. Dhanjani and J. Clarke, Network Security Tools: Writing, Hacking and Modifying Security Tools.
[12] B. Groza, "Analysis of a Password Strengthening Technique and Its Practical Use," in 2009 Third International Conference on Emerging Security Information, Systems and Technologies, Athens/Glyfada, 2009, pp. 292-297.
[13] M. Abadi, T. M. A. Lomas, and R. Needham, "Strengthening passwords," Digital Systems Research Center, Palo Alto, California, Technical Note, September 1997.
[14] U. Manber, "A simple scheme to make passwords based on one-way functions much harder to crack," Computers & Security, vol. 15, no. 2, pp. 171-176, 1996.
[15] C. Camejo, "The State of Modern Password Cracking." [Online]. Available: https://www.rsaconference.com/writable/presentations/file_upload/pdac-w05_the_state_of_modern_password_cracking_final.ppt.pdf