Types of password breaking

University of Cyprus – Department of Computer Science
(Winter Semester 2014)
ΕΠΛ 475: Computer Network & Information Security
Laboratory 8
IST Research Labs
Cyber Security Lab
Password Crackers: Types, Process and Tools
Password cracking is a term used to describe the penetration of a network, system, or resource, with or
without the use of tools, to unlock a resource that has been secured with a password.
Password cracking tools may seem like powerful decryptors. In reality, however, they are little more
than fast, sophisticated guessing machines. When a password is entered and saved on a computer it is
typically run through a one-way hash function (often loosely called encryption); the result is a string of
characters called a "hash", which is saved to a password file. Such hashed passwords cannot be turned
back into plaintext. Cracking programs instead compute the same hash algorithm over a given input (a
wordlist, called a dictionary, or randomly generated strings of characters) and compare the results with
a user's hashed password. If the hashes match, the password has been guessed or "cracked". This
process is usually performed offline against a captured password file, so being locked out of the
account is not an issue and guessing can go on continuously. Such bulk hashing is quite processor
intensive, but some weaknesses inherent in the hashing algorithms, which are left as they are for the
purpose of backward compatibility, can make the process less time consuming. Thus, revealing the
passwords is simply a matter of CPU time and dictionary size.
Types of password breaking
Finding out someone’s password does not always involve using a cracking program; it can often be as
easy as finding where the user may have their password written down, or through social engineering.
Here are some of the more technical techniques used in password cracking:

Dictionary attack
A simple dictionary attack is usually the fastest way to break into a machine. A dictionary file (a
text file full of dictionary words) is loaded into a cracking application, which is run against the user
accounts located by the application. Each word in the dictionary is tried as a password: it is hashed
and the resulting hash is compared to the hashes in the password file being cracked. Because the
majority of passwords are simple words chosen by the user, running a dictionary attack is often
sufficient to do the job. Dictionaries often include the most common names for people and pets and
can typically riffle through birth dates for the last 70 years.

Brute force attack
A brute force attack is the most comprehensive form of attack, though it may take a long time to
work depending on the complexity of the password. The program tries every combination of
numbers and letters and runs each one against the hashed passwords. Some brute force attacks can
take a week, depending on the complexity of the password. Passwords composed of random letters,
numbers and symbols are the ones most exposed to this type of attack, since no dictionary contains
them.

Hybrid attack
Another well-known form of attack is the hybrid attack. A hybrid attack adds numbers or symbols
to the search words in order to crack a password. Many people change their passwords by simply
adding a number to the end of their current password. The pattern usually takes this form: the first
month's password is "cat"; the second month's password is "cat1"; the third month's password is
"cat2"; and so on.
Cracking Process
Conceptually the easiest way to crack passwords is to generate character sequences working through
all possible 1 character passwords, then two character, then three character, etc. This is the brute force
attack previously mentioned. It could start at any specific length password. Theoretically any possible
password can be found this way but generally there is not sufficient computing power and time
available to accomplish this. Password cracking lends itself well to parallel processing on multiple
machines with major gains as more machines are applied to the problem. Someone with access to
many machines during off-hours at a company or educational institution may be able to apply lots of
computing power.
Probably the most important factor in brute force cracking of passwords is how many passwords need
to be examined to cover all possible passwords. Two factors determine this. They are the length of the
password and the number of characters in the character set from which the passwords are formed. The
number of possible passwords is the number of characters in the character set raised to the power
represented by the password length. For example, the number of possible three character passwords
formed from 26 letters is 26 cubed. For a word of any meaningful length, say more than 5 characters,
the word and its variants are an extremely small subset of all the possible combinations of the same
number of characters. In other words, the longer the passwords to be cracked, the larger the
advantage of a dictionary based attack will be compared to a brute force attack.
Since brute force is not likely to identify any but the weakest passwords, the intruder's best chance is to
identify techniques that are computationally efficient compared to brute force techniques and have a
reasonable chance of cracking some of the passwords in the collection of accounts and password
hashes in their possession. By applying what is known about how users select passwords, an intruder
can tremendously increase the odds in their favor of finding passwords. With the right techniques,
some poor passwords can be cracked in under a second.
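The keyspace argument above, carried through with numbers, as an added example that is not part of the handout: the character-set sizes, the dictionary size, the rule count and the guess rate are assumed values for illustration.

```python
"""Keyspace arithmetic behind the brute-force versus dictionary comparison.

Added illustration, not code from the lab handout. The constants below are
assumed, typical values, not measurements of any cracking tool.
"""

LOWERCASE = 26          # a-z
ALNUM = 26 + 26 + 10    # a-z, A-Z, 0-9
PRINTABLE = 95          # printable ASCII


def keyspace(charset_size: int, length: int) -> int:
    """Passwords of exactly `length` characters: charset size ** length."""
    return charset_size ** length


def total_up_to(charset_size: int, max_length: int) -> int:
    """Candidates a brute-force run covers when it walks lengths 1..max_length,
    as the handout describes (all 1-character passwords, then 2, then 3...)."""
    return sum(keyspace(charset_size, n) for n in range(1, max_length + 1))


def seconds_to_exhaust(candidates: int, guesses_per_second: int) -> float:
    """Worst-case wall time at an assumed guess rate."""
    return candidates / guesses_per_second


def dictionary_fraction(words: int, rules_per_word: int,
                        charset_size: int, length: int) -> float:
    """Share of the full keyspace that a rule-expanded dictionary of
    `length`-character words actually tests; this is the 'extremely small
    subset' the handout refers to."""
    return (words * rules_per_word) / keyspace(charset_size, length)


if __name__ == "__main__":
    print("three lowercase letters:", keyspace(LOWERCASE, 3))        # 17576
    print("lengths 1..3, lowercase:", total_up_to(LOWERCASE, 3))    # 18278
    rate = 10 ** 9  # assumed guesses per second
    days = seconds_to_exhaust(total_up_to(PRINTABLE, 8), rate) / 86400
    print(f"8 printable chars at {rate:,}/s: {days:,.0f} days")
    # assumed 100k-word dictionary with 50 rules each, against 7-letter words
    print("dictionary share of 7-letter keyspace:",
          dictionary_fraction(100_000, 50, LOWERCASE, 7))
```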
As mentioned earlier, encrypted passwords cannot be reverse-decoded, but passwords encrypted by
standard methods (like DES) can still be revealed through a comparative process. The process works
as follows:
1. You obtain a dictionary file, which is really no more than a flat file (plain text) list of words
(commonly referred to as wordlists).
2. These words are fed through any number of programs that encrypt each word. Such encryption
conforms to the DES standard.
3. Each resulting encrypted word is compared with the target password. If a match occurs, there is
better than a 90 percent chance that the password was cracked.
The real power of dictionary attacks comes from understanding the ways in which most people vary
names and dictionary words when attempting to create a password. By applying all the common
transformations to every word in the electronic list and encrypting each result, the number of tested
passwords multiplies rapidly. Every "clever" way of manipulating words to hide their origin is known
to the cracking tools. For example, such cracking programs often subject each word to a list of rules.
A rule can be anything, any manner in which a word might appear. Typical rules might include:
- Alternate upper- and lowercase lettering.
- Spell the word forward and then backward, and then fuse the two results (for example:
cannac).
- Add the number 1 to the beginning and/or end of each word.
Naturally, the more rules one applies to the words, the longer the cracking process takes. However,
more rules also raise the likelihood of success.
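The comparative process (steps 1 to 3 above), the rules just listed and the hybrid "cat, cat1, cat2" pattern, put together as an added audit example that is not code from the handout or from any cracking tool: the toy wordlist, the target hashes and the use of unsalted SHA-256 as the hash are constructed assumptions (real password files use other, usually salted, formats).

```python
"""Rule-based wordlist expansion plus offline hash comparison, written as a
password-policy audit: does a stored hash fall to the handout's rules?

Added example. Wordlist, targets and SHA-256 are constructed assumptions.
"""
import hashlib
from typing import List, Optional


def alternate_case(word: str) -> str:
    """Alternate upper- and lowercase lettering (can -> cAn)."""
    return "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(word))


def forward_backward(word: str) -> str:
    """Spell the word forward, then backward, and fuse them (can -> cannac)."""
    return word + word[::-1]


def expand(word: str, max_suffix: int = 9) -> List[str]:
    """Apply the handout's rules plus the hybrid 'append a digit' pattern;
    returns distinct candidates in a stable order."""
    candidates = [
        word,
        word.capitalize(),
        alternate_case(word),
        forward_backward(word),
        "1" + word,            # number 1 at the beginning
        word + "1",            # number 1 at the end
        "1" + word + "1",      # both
    ]
    candidates += [f"{word}{n}" for n in range(max_suffix + 1)]  # cat0 .. cat9
    return list(dict.fromkeys(candidates))  # drop duplicates such as cat1


def sha256_hex(text: str) -> str:
    """Stand-in for the password file's hash function (assumption)."""
    return hashlib.sha256(text.encode()).hexdigest()


def audit_hash(target_hex: str, wordlist: List[str]) -> Optional[str]:
    """Step 2 and 3 of the process: hash every candidate and compare with the
    target. Returns the matching candidate, or None if the hash survives."""
    for word in wordlist:
        for candidate in expand(word):
            if sha256_hex(candidate) == target_hex:
                return candidate
    return None


WORDLIST = ["cat", "can", "password"]  # constructed toy dictionary (step 1)

if __name__ == "__main__":
    print(audit_hash(sha256_hex("cat2"), WORDLIST))         # cat2 (hybrid)
    print(audit_hash(sha256_hex("cannac"), WORDLIST))       # cannac (rule)
    print(audit_hash(sha256_hex("x7!Qp0#zLm"), WORDLIST))   # None
```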
Tools of the trade
One of the most popular tools is L0phtCrack (current version L0phtCrack 6). L0phtCrack is a tool
that allows an attacker to take encrypted Windows passwords and convert them to plaintext. Windows
passwords are stored as cryptographic hashes and cannot be read without a tool like L0phtCrack.
L0phtCrack 6 is packed with powerful features such as scheduling, hash extraction from 64 bit
Windows versions, multiprocessor algorithms, and network monitoring and decoding. Yet it is still
the easiest to use password auditing and recovery software available. It works by attempting every
alphanumeric combination possible to try to crack passwords. L0phtCrack can also append a user
specified number of characters to the end of the dictionary words. It works through the entire
character set and appends every combination to each dictionary word; this includes all the letter
sequences as well as digits and symbols. Another similar cracking program is John the Ripper.
Figure 1: L0phtCrack 6 GUI.
Another commonly-used tool is a protocol analyzer (better known as a network sniffer, such as
Wireshark), which is capable of capturing every piece of data on the network segment to which it is
attached. When such a tool is running in promiscuous mode, it can "sniff" everything going around on
that segment such as logins and data transfers. This can seriously damage network security allowing
attackers to capture passwords and sensitive data, especially if they are sent in clear text.
Figure 2: Captured POP3 traffic with Wireshark protocol analyzer
Goals of the Cracker
The goal of the cracker is to obtain the root account password on UNIX systems and administrator
accounts on Windows-based systems. Since the cracker presumably already has some degree of access
to the target machine (cracking can only be performed when the attacker already possesses the
password hashes), it is not likely that unprivileged accounts will be of much value to the intruder, but
the techniques for obtaining passwords are the same regardless of the target account.
Example: Web site home page defacing
A fairly common and simple example of external password cracking is defacing a Web site's home
page. It takes little effort and is usually accomplished by simply exploiting an Internet Information
Server (IIS) that has its permissions set incorrectly. The attacker simply goes to a workstation and
tries to attack the IIS server with an HTML editing tool. When connecting to the site over the Internet,
the attacker uses a password generator tool, such as L0phtCrack, which launches a brute force attack
against the server.
Resources
- Hacking Exposed: Network Security Secrets & Solutions, Osborne publishing
- http://docs.rinet.ru/LomamVse/ch10/ch10.htm
- http://www.atstake.com/products/lc
- http://neworder.box.sk/
- http://www-106.ibm.com/developerworks/security/library/s-crack/
- http://www.securityfocus.com/
- http://www.password-crackers.com/
- http://www.insecure.org/
- http://www.hideaway.net/home/public_html/index.php
Appendix
List of Password Crackers available for download:
http://neworder.box.sk/codebox.links.php?&key=pwdcrax
Programs: Underground password crackers
(Unix)
Crack by Alec Muffett
CrackerJack by Jackal
John the Ripper by Solar Designer
Pcrack (PerlCrack; Current Version Is 0.3) by Offspring and Naïve
Star Cracker by the Sorcerer
Killer Cracker by Doctor Dissector
Hellfire Cracker by the Racketeer and the Presence
PC UNIX Password Cracker by Doctor Dissector
Merlin by Computer Incident Advisory Capability (CIAC) DOE
(Other types)
ZipCrack by Michael A. Quinlan
Decrypt by Gabriel Fineman
NetCrack by James O'Kane
PGPCrack by Mark Miller
Password NT by Midwestern Commerce, Inc.