4. PASSWORD CRACKING TOOLS
• John the Ripper
• Aircrack-ng
• RainbowCrack
• Cain and Abel
• THC Hydra
• HashCat
• Crowbar
• OphCrack
• Etc.
5. JOHN THE RIPPER
OVERVIEW
• First stable release in May 2013, Version 1.8
• Initially developed for the Unix operating
system, it now runs on fifteen different
platforms.
• It uses Brute force & Dictionary attack
• It has 3 modes. Single, Incremental & Wordlist
6. TYPES
• 1. John the Ripper Pro -Linux and Mac OSX
• 2. John the Ripper Official –All Platforms
• 3. John the Ripper Community Enhanced –All
Platforms
13. HYDRA
OVERVIEW
Developed by Van Hauser from The Hacker’s Choice and David Maciejak
• Uses a dictionary attack or brute force methods to test for weak or "simple“
passwords.
• Platforms : Linux, Mac OS, Windows/Cygwin etc.
• Its more famous because it can support around 30 protocols like ftp, http, https
etc.
• Other tools like Medusa and Ncrack provide similar speed.
• It is available as a GUI also (even though a little difficult to get in windows).
14. INSTALLING HYDRA
• Linux based
Many have them pre-installed, else $ apt-get install hydra e $ apt-get install hydra $
apt-get install hydra-gtk
• Windows
Download hydra zip file
Install Cygwin
Compile hydra using cygwin
19. HYDRA COMMAND SYNTAX
• Syntax: hydra fir-I LOGIN -L FILE] [p PASSI-P FILE]] I [C FILE]] [e nsr] [0 FILE] [t TASKS] [M
FILE [T TASKS]] 1w TIME] [W TIME] 14] [5 PORT] [x MIN:MAX:CHARSET] [SuvV46]
[service://servertPORTNOPT]] [v/ -V]
• Simplified basic syntax: hydra —1/-L <user> -p/-P <passwords> <IP address> <protocoI><form
parameters> <failed login message>
• -I/-L LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
• -p /-P PASS or -P FILE try password PASS, or load several passwords from FILE
• <IP address> is the host address.
• <protocol> is the protocol used in that page.
• <form parameters> is the parameters when brute forcing web forms
• <failed login message> is the message you get, when you enter invalid usernames and passwords.
20. CONCLUSION
• Password Cracking Depends on
• Attacker’s strengths
• Attacker’s computing resources
• Attacker’s knowledge
• Attacker’s mode of access [ physical or online]
• Strength of the passwords How often you change your passwords?
• How close are the old and new passwords?
• How long is your password?
• Have you used every possible combination alphabets, numbers and special characters?
• How common are your letters, words, numbers or combination?•
• Have you used strings followed by numbers or vice versa, instead of mixing them
randomly?