Passwords are our first line of defense in protecting our accounts from cybercriminals. However, a password is useless if it lacks certain characteristics, because it can then be easily cracked. In this sense, it’s not enough for it to be long; its strength also depends a lot on the types of characters we use. One of the threats we face is that passwords can be cracked with specialized software. In this tutorial, we will look at the best password crackers and at how to protect against them with a strong password.
The first thing we’re going to do is explain why these types of tools are used. We will also briefly explain how to create a strong password and give some related tips to increase security. Then we’ll continue with the most popular password crackers.
Why are password crackers being used?
As for the reasons why password crackers are used, there are generally three:
- Conducting penetration tests.
- Cybercriminals carrying out attacks.
- Students and people interested in computer security issues.
When it comes to penetration tests, these tools play a positive role and help to improve the security of the company. A penetration test or pentest can be defined as an attack on a computer system with the intention of finding its security weaknesses and seeing what data can be accessed. The security weaknesses found during the test are then reported to the system owner. In that sense, it is positive, as it allows you to assess the potential impact on your business and suggest measures to reduce that risk.
On the other hand, the downside is that the same password cracking tools are used by cybercriminals. A good way to protect yourself is to use a strong password that meets the following requirements:
- Uppercase letters.
- Lowercase letters.
- The minimum recommended length is 12 characters.
In addition, other good practices that can improve security include periodically renewing passwords, not reusing them on other sites, and turning on multi-factor authentication.
The best password cracking tools
An important point is that these tools should only be used on our own infrastructure or where we have the administrator’s permission. Otherwise, their use would be illegal.
One of the oldest and still supported password crackers is Brutus. It is free, its first version dates from 1998, and it is available for computers running the Windows operating system.
The current version of Brutus includes the following authentication types: HTTP, HTTPS, POP3, FTP, SMB and Telnet; IMAP, NNTP and NetBus can be added.
Among its features are a multi-stage authentication engine and support for 60 simultaneous target connections. It also has a password list mode and configurable brute force modes, and allows you to pause attacks and resume them at the point where we interrupted them.
Cain and Abel
Cain and Abel was developed by Massimiliano Montoro. It is a proprietary program that was distributed for free. It should be noted that its latest version is from 2014 and that it will not receive any more updates, although it may still be interesting for some tasks.
Cain and Abel is a password recovery tool for Microsoft operating systems. With it, we can recover various types of passwords by sniffing the network and by cracking encrypted passwords through dictionary attacks, brute force attacks and cryptanalysis. In addition, we can record VoIP calls, decode scrambled passwords, recover wireless network keys, reveal password boxes, uncover cached passwords and analyze routing protocols. This program does not exploit any security vulnerability, but rather tries to obtain passwords using conventional techniques.
Another password cracking tool is RainbowCrack, which uses precomputed tables, called rainbow tables, that significantly reduce the time it takes to crack the keys. This program is up-to-date and can be used on both Windows 7/10 and Linux with Ubuntu. It offers rainbow tables for LM, NTLM, MD5, SHA1 and SHA256, as well as configurable hashing algorithms.
It should also be noted that generating these tables takes a lot of time and effort, both human and CPU. For this reason, both free and paid ready-made tables are available. Thanks to them, you can avoid the need to generate the tables yourself, so RainbowCrack is ready for use from the very beginning.
John the Ripper
John the Ripper can be defined as an open source password audit and recovery tool. Note that it is available for various operating systems such as Windows and macOS. This software supports hundreds of encryption and hashing types, including user passwords on Unix, macOS, and Windows versions. It is also current and supported software. In addition, we can say that it is reliable because its source code is open and available to everyone.
Wfuzz is another password cracker that we can use. This software is designed to carry out brute force attacks on web applications. It can be used to search for hidden resources on servers, as well as to brute force login forms and carry out various injection attacks (SQL, XSS, LDAP etc.) to gain access to the server.
Another positive thing is that it is up-to-date software. In addition, Wfuzz is more than a web content scanner and can be used to:
- Protect our web applications by finding and exploiting vulnerabilities in those web applications.
- It offers a completely modular structure that makes it easy for even the newest Python developers to contribute.
With Aircrack-NG, we get a complete set of tools for assessing the security of Wi-Fi networks. This software is famous for being one of the most effective when it comes to cracking and obtaining Wi-Fi network passwords. It is able to crack WEP and WPA PSK keys (WPA 1 and 2).
It works by intercepting enough packets and analyzing them, and then recovering the wireless network password. This program is up-to-date and mainly works on Linux, although it can also be used on Windows, macOS, FreeBSD, and more.
Hashcat is one of the best password hash crackers. It is designed to reverse a password hash to get the hidden key. It is also compatible with over 200 different protocols, so it is able to obtain, using all kinds of techniques, any type of password that we want to guess.
Hashcat is commonly used as a complement to other similar password recovery programs.
Medusa is another password cracker that we can use. It is a fast, modular, parallel brute force tool. Note that it supports HTTP, FTP, CVS, AFP, IMAP, MS SQL, MYSQL, NCP, NNTP, POP3, PostgreSQL, pcAnywhere, rlogin, SMB, rsh, SMTP, SNMP, SSH, SVN, VNC, VmAuthd, and Telnet.
An important note is that Medusa is a command line utility. This means that in order to use it we have to learn its commands, so using the software is not easy. On the other hand, its performance depends on network connectivity. On a local network, it is able to test 2000 passwords per minute.
Ophcrack is a free Windows password cracker based on rainbow tables. Thanks to the use of this type of table, the tool is very efficient.
In addition, it has a graphical interface and is cross-platform: it can be used on Windows, Linux, Unix and Mac operating systems. It is compatible with both free and paid rainbow tables, and is capable of cracking the keys of any modern Windows system, starting with XP. It also has a brute force module for simple passwords.
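How the precomputed tables used by RainbowCrack and Ophcrack trade storage for cracking time, shown as an added example that is not from the original article or from either tool. It builds a toy table over 4-digit PINs hashed with unsalted MD5; the keyspace, chain length and all function names are assumptions made for illustration.

```python
import hashlib

# Toy parameters, constructed for this demo: 4-digit PINs, unsalted MD5.
PW_LEN, CHAIN_LEN, N_CHAINS = 4, 50, 400
KEYSPACE = 10 ** PW_LEN

def h(pw):
    return hashlib.md5(pw.encode()).digest()

def reduce_(digest, step):
    """Map a digest back to a candidate PIN; varying it per step makes the table 'rainbow'."""
    return f"{(int.from_bytes(digest[:8], 'big') + step) % KEYSPACE:0{PW_LEN}d}"

def chain(start, upto=CHAIN_LEN):
    """Yield the passwords at positions 0..upto of the chain beginning at `start`."""
    pw = start
    yield pw
    for step in range(upto):
        pw = reduce_(h(pw), step)
        yield pw

def build_table():
    """Precompute once: store only endpoint -> start(s), not the passwords in between."""
    table, covered = {}, set()
    for i in range(N_CHAINS):
        start = f"{i * 25:0{PW_LEN}d}"
        *body, end = chain(start)
        covered.update(body)
        table.setdefault(end, []).append(start)
    return table, covered

def lookup(table, target):
    """Return the password behind `target`, or None if it lies outside the table."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target, pos)              # guess: target sits at position `pos`
        for step in range(pos + 1, CHAIN_LEN):
            pw = reduce_(h(pw), step)          # walk forward to the chain endpoint
        for start in table.get(pw, []):
            *_, cand = chain(start, pos)       # replay the stored chain up to `pos`
            if h(cand) == target:              # rejects false alarms from merged chains
                return cand
    return None

if __name__ == "__main__":
    table, covered = build_table()
    print(f"{N_CHAINS} stored chains cover {len(covered)} of {KEYSPACE} PINs")
    print("short PIN hash     ->", lookup(table, h(sorted(covered)[-1])))
    print("16-character hash  ->", lookup(table, h("Correct-Horse-42")))
```

The long password is not recovered because a table only covers the keyspace it was generated for, which is why length and character variety matter. Tables of this kind also only apply to unsalted hashes, since a per-user salt would require a separate table for every salt value.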
With the password cracking tools we saw in this tutorial, we are able to run penetration tests.