Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Basic Cracking

We've seen in the last part of the exercise that passwords cannot be stored in plain text but rather as hashes. Here we assume a scenario in which an attacker manages to get their hands on a list of hashed passwords, e.g. through a data breach. The attacker will then want to revert hashes into the original passwords: this is called cracking the passwords.

Here we are going to see a couple of guided examples for two password cracking techniques: the dictionary and the bruteforce attacks.

Dictionary Attack

The dictionary attack consists in using a database of existing words that could be used as passwords, and hashing them all with the hope to find a hash that matches the one we try to crack.

Our goal here is going to revert the following MD5 hash into the original password:

basichash01.txt

For the dictionary attack we also need a list of words to hash. For that we can download a list of words known to have been used as passwords:

wget https://olivierpierre.github.io/comp60261/lab1/include/dictionary.txt

You can open and explore dictionary.txt: it contains the list, with one word per line. The file contains 10K passwords, we'll see that with the power of today's computers, with weak passwords/hashing techniques, it can be actually quite fast for an attacker to try every word in that list.

To perform the dictionary attack and the list of words dictionary.txt, we'll use a tool named hashcat.

If hashcat is not already installed on your machine you can do so as follows:

mkdir -p ~/Software
wget https://hashcat.net/files/hashcat-7.1.1.7z -O ~/Software/hashcat-7.1.1.7z
cd ~/Software && p7zip -d hashcat-7.1.1.7z
echo "alias hashcat=~/Software/hashcat-7.1.1/hashcat.bin" >>  ~/.bashrc
source ~/.bashrc

Adapt these steps to your environment (e.g. you may use a different shell).

To start the cracking process with hashcat, proceed as follows:

hashcat -m 0 -a 0 -o cracked.txt basichash01.txt dictionary.txt

The parameters passed are:

  • -m 0 indicates the type of hash is cracked, here we use 0 for MD5 (see the hashcat man page/wiki for the list of hashes supported and their ID)
  • -a 0 indicates the type of attack performed, here 0 refers to the dictionary attack. To see the other types check out hashcat's man page or wiki.
  • -o cracked.txt is the output file where hashcat will write the password value if found.
  • basichash01.txt contains the hash to crack.
  • dictionary.txt is our dictionary.

Here the process should be relatively quick, and after hashcat returns you should find the password in the output file.

Checking the Correctness of Cracked Passwords

To check that you have cracked the correct passwords, go to this website: https://comp60261.uom.pierreolivier.eu.

Locate the item corresponding to the hash we focused on here, basichash01, and enter the password in the text field. A green check mark ✅ will confirm you have the right password, e.g.:

If you entered the wrong password you will rather see a red cross ❌. This website can be used to download all binaries/hashes, and verify the correctness of all passwords extracted/cracked in this exercise.

Bruteforce Attack

The bruteforce attack is one of the simplest and most exhaustive methods used for password cracking. In this approach, an attacker attempts to guess the correct password by systematically trying every possible combination of characters until the correct one is found. Because the search space explodes quickly with medium to long passwords, this method is only useful for cracking weak passwords, i.e. passwords with a small number of not-so-diverse characters (e.g. only lowercase letters).

Here we will attempt to crack the following MD5 hash:

basichash02.txt

hashcat can also be used for bruteforce attack:

hashcat -m 0 -a 3 -o cracked.txt basichash02.txt "?a?a?a?a?a"

The parameter passed are:

  • -m 0: MD5 hash.
  • -a 3: bruteforce attack.
  • -o cracked.txt: output file.
  • basichash02.txt the hash to crack.
  • The last parameter "?a?a?a?a?a" defines the key space to explore. Here we use the token ?a repeated 5 times to instruct hashcat to explore words made of combinations of 5 characters.

Here again, hashcat should return quickly with the cracked password present in cracked.txt. Make sure to verify you have the right password for basichash02 here.

Lesson Learned: Strong Passwords

The ease with which we cracked these two simple passwords allows us to understand some of the modern recommendations for setting strong passwords:

  • Length: to protect against bruteforce attacks, the password should not be too short: the longer, the better. This increases the size of the key space and makes bruteforce attacks exponentially more costly in time.
  • Complexity: to protect also against bruteforce attacks, the password should contain different types of characters: uppercase and lowercase letters, numbers, as well as symbols. This also increases the size of the key space.
  • Unpredictability: don't use dictionary words, names, dates, personal information, or obvious patterns, to protect against dictionary attacks.

To confirm this, generate the MD5 hash of a strong password, verifies that it is not present in dictionary.txt (i.e. dictionary attack based on that database cannot succeed) and launch a bruteforce attack:

echo -n "Fwu23#Xwp>" | md5sum    
01e5f04a5dd8fce05c6f553af94bf746  -

echo "01e5f04a5dd8fce05c6f553af94bf746" > hash3.txt

hashcat -m 0 -a 3 -o cracked.txt hash3.txt "?a?a?a?a?a?a?a?a?a"

After hashcat starts running wait a few seconds then press Enter, and the software should report about its progress and estimated time left. It should be somewhere around 300+ years. Press q to exit the search process.

Submission

Fill in the corresponding lines in the CSV file on the submission git repository, i.e.:

basichash01,password-for-basichash01-here
basichash02,password-for-basichash02-here