Assignment 11: Password Cracking Techniques (Educational

Purposes) & Report

Introduction

Password cracking refers to the process of recovering passwords from data that has been stored
or transmitted in a hashed or encrypted format. While malicious actors exploit this for unethical
purposes, security professionals, such as ethical hackers and penetration testers, study these
techniques to identify vulnerabilities and strengthen system security.

This report focuses on password cracking methodologies, including dictionary attacks, and
explores password hashing techniques using tools like Hashcat for educational purposes.
Additionally, it highlights the importance of implementing strong password policies to prevent
breaches.

Password Cracking Methodologies

There are several approaches to password cracking, each differing in complexity, success rate,
and computational demand. Below are the common methodologies:

1. Dictionary Attacks
A dictionary attack leverages a precompiled list of potential passwords, typically common or
leaked ones, to attempt access to a system. The attacker uses software to hash each entry
in the dictionary and compare it against the hashed password. If a match is found, the
password is cracked.

Example: A hacker might use a dictionary file containing "password123", "qwerty", and
other commonly used passwords to try and crack a weak password.

Limitations: This attack is only effective if the password exists in the dictionary, making it
futile against strong, random passwords or those using complex characters.

2. Brute Force Attacks

In a brute force attack, every possible combination of characters is tried until the correct
password is found. While this is a guaranteed method, it is extremely time-consuming,
especially as password complexity increases (longer passwords with upper/lowercase
letters, numbers, and special characters).

Limitations: The time required increases exponentially with password length and
complexity, making this approach impractical for strong passwords.

3. Rainbow Table Attacks

A rainbow table is a precomputed table of hash values for common passwords. Rather than
hashing each possible password during the attack, rainbow tables allow quick lookups of
hashed values. If the hash of a password is present in the table, it can be reversed to obtain
the plain text password.

Limitations: The use of "salt" (random data added to the password before hashing) can
mitigate the effectiveness of rainbow table attacks, as the hash values will differ for the
same password across different users.
 4. Hybrid Attacks
A hybrid attack combines dictionary and brute force attacks by using a dictionary and then
appending or prepending numbers and symbols to the words. This increases the probability
of success against users who modify simple passwords, such as adding "123" at the end.
5. Phishing and Social Engineering
These are indirect methods where the attacker tricks the user into divulging their password
through fraudulent emails, messages, or websites. While not a "cracking" technique in the
traditional sense, it is often the simplest and most effective method.

Password Hashing Techniques

When a user creates a password, systems do not store the plain text password. Instead, the
password is processed through a hashing function, resulting in a fixed-length string that represents
the password in an irreversible manner. Popular hashing algorithms include:

• MD5 (Message Digest Algorithm 5): An older hash function that produces a 128-bit hash
value. It is no longer considered secure due to vulnerabilities to collision attacks.
• SHA-1 (Secure Hash Algorithm 1): Produces a 160-bit hash value but is also deemed
insecure due to collision vulnerabilities.
• SHA-256 and SHA-512: More secure versions of the SHA family, commonly used today
due to their resistance to most cracking methods.
• bcrypt: A password hashing function designed to be slow and computationally expensive,
which helps defend against brute force attacks.
• PBKDF2 (Password-Based Key Derivation Function 2): Combines password hashing
with salting and multiple iterations to increase difficulty in cracking.
• Argon2: The winner of the Password Hashing Competition (PHC), designed to resist GPU
cracking and side-channel attacks.

Utilizing Hashcat to Understand Password Hashing

Hashcat is a powerful open-source tool used for password recovery. It supports various hash
algorithms, including MD5, SHA-1, SHA-256, bcrypt, and others. For educational purposes, we
can explore how Hashcat processes password hashes and the complexity of cracking different
types of hashes. Here’s a brief explanation of how Hashcat works in a typical setup:

1. Password Hash Input

Users provide a hash to Hashcat, which represents a password encoded with a specific
hashing algorithm (e.g., SHA-256).
2. Attack Mode Selection
Hashcat offers different attack modes:
o Straight Mode: Uses a predefined wordlist (like in a dictionary attack).
o Brute Force Mode: Tries all possible combinations.
o Combinator Mode: Combines multiple wordlists.
o Mask Mode: Uses a pattern-based approach where certain characters are
substituted systematically.
3. Cracking Process
Hashcat will compute hashes for each password attempt using the specified hashing
algorithm and compare the computed hash to the provided target hash. If a match is found,
the password is considered cracked.

Example Command (without cracking a real password):

 bash
Copy code
hashcat -m 1000 hash.txt wordlist.txt

This command tells Hashcat to use the NTLM hash type (mode 1000) and attempt to match
passwords in wordlist.txt with the hash in hash.txt.

4. Performance Consideration
The computational cost of the hashing algorithm significantly affects how quickly Hashcat
can attempt password recovery. Algorithms like bcrypt, which are deliberately slow, make
brute-force attacks less practical, whereas MD5 can be cracked much faster.

The Importance of Strong Password Policies

Strong password policies are critical in defending against password cracking attempts. A strong
password policy should:

1. Require Complex Passwords

Passwords should include a mix of uppercase, lowercase, numbers, and special characters
to increase entropy. This makes brute-force and dictionary attacks much more difficult.
2. Enforce Minimum Length
Longer passwords increase the number of possible combinations exponentially, making
brute-force attacks impractical.
3. Implement Multi-Factor Authentication (MFA)
Even if a password is cracked, multi-factor authentication adds an additional layer of
security by requiring a secondary form of verification (e.g., a code sent to the user’s mobile
phone).
4. Use Password Hashing with Salting
Storing passwords using secure hash functions like bcrypt, Argon2, or PBKDF2, combined
with a unique salt, makes rainbow table and other hash lookup attacks ineffective.
5. Password Expiration and Rotation
Regularly updating passwords can limit the window of opportunity for attackers, particularly
if they gain access to older password dumps.

References

1. Hashcat Manual: https://hashcat.net/wiki/

2. OWASP: Password Storage Cheat Sheet:
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
3. NIST Guidelines on Passwords: https://pages.nist.gov/800-63-3/sp800-63b.html

This report offers a detailed understanding of password cracking techniques for educational
purposes and emphasizes the importance of strong password policies to ensure robust security.