Scribd
Upload
82 views12 pages

Password Attacking Tools Overview

Uploaded by

samra zakir
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
82 views12 pages

Password Attacking Tools Overview

Uploaded by

samra zakir
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Information IT DEPARTMENT,

UNIVERSITY OF THE PUNJAB,

Security
JHELUM CAMPUS

REPORT
PASSWORD ATTACKING TOOLS

PRESENTED BY :
Iqra Azam BSCS-F23-M02
Khadija Azhar BSCS-F23-M16
Nayyab Raza BSCS-F23-M18
Areesha Azam BSCS-F23-M26
Batool Zakir BSCS-F23-M14
Insha Ishrat BSCS-F23-M38
Laveeza Nasir BSCS-F23-M39
Zara Zareen BSCS-F23-M41
Password Attacking Tools
1. Introduction
In the field of Information Security, protecting user accounts and passwords
is one of the most critical tasks. Passwords act as the first line of defense
against unauthorized access to systems, applications, and sensitive data.
However, weak or easily guessable passwords can be exploited by attackers
using different password-cracking techniques. Password attacking tools are
software programs designed to test the strength of passwords by
performing attacks such as dictionary attacks, brute-force attacks, and
hybrid attacks.

These tools can be used by ethical hackers and penetration testers to


evaluate system security and identify weak credentials before malicious
attackers exploit them. At the same time, they can also be misused for
illegal purposes. This makes understanding password attacking tools an
important part of cybersecurity studies.

2. Available Password Attacking Tools


There are several popular tools used for password attacks. Some of the
widely used ones include:

1. John the Ripper


- A fast and flexible password cracker.
- Supports dictionary and brute-force attacks.
- Works with various operating systems like Linux, macOS, and Windows.

2. Ophcrack
- A Windows password cracker that uses rainbow tables.
- Efficient for cracking simple and medium-strength Windows passwords.
- Has both free and professional versions.
3. Cain and Abel
- A Windows-based tool used for password recovery and sniffing.
- Supports brute force, dictionary, and cryptanalysis attacks.
- Not maintained anymore but still widely studied.

4. Medusa
- A command-line based login brute-forcing tool.
- Supports multiple protocols like HTTP, FTP, MySQL, RDP, and more.

5. Hydra (THC-Hydra)
- A very fast and flexible online password-cracking tool.
- Supports over 50 protocols including FTP, SSH, Telnet, HTTP, RDP, and
SMB.
- Runs efficiently on Linux and is often used in penetration testing.

3. Demonstration of Hydra Tool


Hydra, also known as THC-Hydra, is a powerful open-source tool used for
performing brute-force and dictionary-based password attacks. It is pre-
installed in Kali Linux but can also be installed on other Linux distributions.

Installation
Hydra is usually pre-installed in Kali Linux. If not, it can be installed with:

sudo apt-get update


sudo apt-get install hydra

Basic Usage
Hydra’s syntax is:

hydra -l <username> -P <password_list> <protocol>://<target>

Example 1: Brute Force on SSH


hydra -l admin -P /usr/share/wordlists/[Link] ssh://[Link]
- -l admin → specifies the username.
- -P [Link] → wordlist containing possible passwords.
- ssh://[Link] → target IP with SSH service.

Example 2: FTP Attack


hydra -L [Link] -P [Link] [Link]
- -L [Link] → list of usernames.
- -P [Link] → list of passwords.
- [Link] → target FTP service.

Hydra will try combinations until it finds valid credentials.

4. Working:
To better understand and operate Hydra, we can first explore its manual by
using the command man hydra. This provides a detailed guide on all
available options and syntax. If Hydra is not pre-installed, it can be added to
the system with the command sudo apt-get install hydra. In real-world
scenarios, before running Hydra, it is important to analyze the network
request tab (for example, in a browser developer tool) to identify
parameters such as username, password, and other request fields that
Hydra will target.

A practical case is Instagram’s login system, which secures passwords using


RSA encryption. When a user attempts to log in, Instagram takes the
entered password, appends extra data like version and timestamp, and
then encrypts this string using Instagram’s public RSA key. The encrypted
output is Base64 encoded and sent as the enc_password field. Since RSA
encryption uses padding, each encryption attempt looks different even for
the same password. Additionally, because Instagram frequently rotates its
public keys and keeps its private key undisclosed, it is impossible to decrypt
or directly recreate the enc_password value.

For efficiency, instead of repeatedly typing long Hydra commands, a script


or text file containing the command can be created and executed directly in
the terminal. This makes testing faster and more manageable. Since
decrypting Instagram’s encrypted passwords is not feasible, an alternative
approach is to compare them against plaintext password lists using tools
like Hydra or custom Python scripts, thereby attempting to match valid
login credentials.

5. Results:
 Command to install hydra:
 Hydra command that we will run to get the password of the
[Link] Hydra command starts with the tool name, then uses -l to
specify the username and provides the path to the password file. The
number of attempts (e.g., 64) depends on the size of the password list.
The option -s 443 sets the HTTPS port, followed by the target website
(Instagram) and the POST request method. Finally, it includes the
username and password parameters used in Instagram’s login form so
Hydra can insert the credentials correctly.:

 To identify the parameters required for Hydra, we first open


Instagram’s login page and attempt a login. Then, by inspecting the
Network tab in the browser’s developer tools, we can view the request
section. This request shows all the parameters that are sent during the
login process, including the username and password fields along with
additional values. These parameters are then used in the Hydra
command to correctly simulate the login attempt.
 In this picture, you can see that Instagram does not send plain
passwords; instead, it protects them using RSA encryption. Before
transmission, the app or browser combines the password with extra
data like version and timestamp, encrypts it with Instagram’s public RSA
key, and then converts it into Base64 text as the enc_password field.
Since RSA uses padding and Instagram frequently changes its public
keys while keeping the private key secret, each encryption looks
different and cannot be decrypted or recreated directly. This means
Hydra cannot use a simple password list and would require the same
encryption process to match passwords correctly.

 We use a wordlist file whose passwords are converted into Instagram’s


encrypted enc_password format before testing.
 Python script that we will use to convert normal password file to
encrypted file. Password encryption 1:

 Password encryption 2:
 This would be the encrypted passwords according to the Instagram’s
encryption [Link] running the script, the resulting file would be
the final file:

 After running Hydra, the results show the password in encrypted form.
Since decryption is difficult, we instead use a Python script to directly
match the encrypted passwords with our plaintext password list that
has been converted into the same encrypted format.

 This is the script to match our given encrypted password:


 Final result after matching our encrypted password:

 So finally, our password is:


6. Advantages and Disadvantages
Advantages
- Supports many protocols: Works with SSH, FTP, HTTP, RDP, SMB, and
more.
- Fast and efficient: Can test many password attempts per second.
- Widely available: Open-source and included in security distributions like
Kali Linux.
- Flexible: Supports dictionary and brute-force attacks with custom
wordlists.
- Useful for penetration testing: Helps security professionals identify weak
accounts.

Disadvantages
- Illegal misuse: Can be used by attackers for unauthorized access.
- Resource-intensive: Brute-force attacks can consume time and processing
power.
- Not effective against strong passwords: Long and complex passwords take
very long to crack.
- Detection risk: Continuous login attempts may trigger security alerts and
lockouts.
- Requires technical knowledge: Beginners may find it difficult to use
properly.

7. References
1. Kali Linux Official Documentation – [Link]
2. THC-Hydra GitHub Repository – [Link]
hydra
3. John the Ripper Official Page – [Link]
4. Ethical Hacking Tutorials – [Link]
5. Security Cheat Sheets – [Link]

You might also like