Passwords remain one of the most common means of authentication despite the rise of multi-factor authentication and biometrics. Unfortunately, weak passwords continue to be a major vulnerability for organizations.
Dozens of high-profile password breaches over the years have put billions of real-world passwords into hackers' hands. This availability of massive password lists combined with the power of modern password cracking tools makes brute forcing seem like a viable strategy. But for online services that limit failed login attempts, password spraying and targeted wordlist attacks are much more efficient.
This lab will provide practical skills in password guessing and cracking techniques using tools like Hydra, Hashcat, and custom scripts. You will learn how to:
The insight gained from the attacker perspective will help identify tangible weaknesses in password security configurations and policies. Hands-on experience cracking passwords will motivate using passphrases, enabling multi-factor authentication, and improving defensive practices against the same attacks learned offensively.
Let's get started with compromising some default credentials!
It's alarming how often default passwords remain unchanged in production environments. Vendor hardware often ships with default passwords that are easily discoverable online. Router manufacturers like Cisco and Juniper are notorious for this. Attackers can take advantage of this negligence by simply trying known default passwords across many services and devices.
Common defaults to check include:
Leaving defaults in place is just asking for trouble. This lazy practice grants attackers easy initial access.
In this exercise, we'll check for default SSH credentials using a provided list of common defaults and blank passwords. It only takes one overlooked default to get in!
It seems the company administrator had Cheeto dust on their fingers when they should have changed a default password, and totally forgot to do it. They had their reasons.
Type xhydra on the command line to open the xHydra GUI and then use it to make a command with the following parameters:
Now open the Passwords Tab. We will configure Hydra to try account names as passwords, try an empty password. This type of attack will run very fast, which makes it efficient to run first.
Note: No need to change the Password or Username fields.
Now go to the Start tab and click the Start button to launch the attack.
Notice that the full Hydra command is displayed at the bottom of the xHydra window, although it can't be copied. When the Debug checkbox is active, the full command will be displayed in the Output window and can be copied to the clipboard for easy access. Debug mode clutters up the output significantly, so toggle it off once the command is copied by deleting the -d parameter.
Optional Step: Copy the command from the Output window, then open a new terminal window and paste it there. Do not copy anything before the word hydra, and with -d removed the command ends up looking like this:
hydra -s 22 -L /home/phv/password_lab_wtw/1_default_accounts.txt -e ns -t 16 192.168.1.3 ssh
The parameters in this command are all sourced from the configurations you made in xHydra except for -t (number of threads) which is 16 by default. You can see a complete list of parameters using: hydra -h
Each parameter sourced from the xHydra GUI are explained below:
-s the port to attack
-L specifies which userlist to use
-e ns will make Hydra try a blank (or null) password (n) and also try the username as a password (s)
For upcoming exercises you may use xHydra to construct the commands or use the command line directly.
Now that we've compromised some accounts using default credentials, let's move on to guessing weak passwords. Even strong password policies can't prevent users from making poor choices. It is always a good step to start with the most common weak passwords, as discovered in real world password breaches.
Organizations often follow a common naming convention for user accounts which can be used to deduce user account names, when given certain information.
Take a look at Honeypot Corp's main website and see if you can figure out all six usernames we will use for this exercise. Notice how any email addresses are formatted to determine how to construct the username. You are making a list of Unix account names, so there will be no @ in the username. https://phvwtw.com/password-lab/honeypot
Put the usernames in a file and save it to: /home/phv/password_lab_wtw/users.txt. with the following command:
gedit /home/phv/password_lab_wtw/users.txt
Pres CTRL + S to save the file (Or click save in the top right)
Take a few moments to further peruse the corporate website and see if you can find any information about their password complexity rules.
Knowing the complexity rules allows guesses to be more specific which can make our attacks run faster.
We will be using a prebuilt wordlist of weak passwords included in Kali located at: /usr/share/wordlists/metasploit/adobe_top100_pass.txt
Although this list only contains 100 entries, we will filter out all the passwords that we know won't work (due to the complexity requirements) with this command:
grep -E ".*[a-z]+.*" /usr/share/wordlists/metasploit/adobe_top100_pass.txt | grep -E ".*[0-9]+.*" | grep -v -E ".*[A-Z]+.*" > /home/phv/password_lab_wtw/adobe_top100_pass_filtered.txt
Each part of the command is explained below:
grep -E ".*[a-z]+*" /usr/share/wordlists/metasploit/adobe_top100_pass.txt
Searches for lines containing at least one lowercase letter
| grep -E ".*[0-9]+*"
Pipes the output to search for lines with at least one number
| grep -v -E ".*[A-Z]+*"
Pipes again to exclude lines with uppercase letters using -v
> /home/phv/password_lab_wtw/adobe_top100_pass_filtered.txt
Saves the filtered results to a new file
By chaining together grep searches with regex, we quickly filter the wordlist to only include passwords that match the discovered complexity policy. This makes guessing significantly more efficient! We will use this technique of filtering a password list later on in the lab.
Run the following command in a terminal window:
hydra -s 22 -L /home/phv/password_lab_wtw/users.txt -P /home/phv/password_lab_wtw/adobe_top100_pass_filtered.txt -t 16 192.168.1.3 ssh
Remove user accounts from the user list file as you identify their passwords. This will reduce the time subsequent attacks take to run. Run the following command to edit users.txt:
gedit /home/phv/password_lab_wtw/users.txt
Now that we've seen how weak, easy-to-guess passwords can be exploited, let's look at cracking passwords that are more complex. Stronger passwords present more of a challenge, but are not impossible to compromise with the right techniques.
In this exercise, we'll take what we know about how users create memorable passwords and use that to make intelligent guesses. Personal details like pets or hobbies often find their way into passwords. Even without specific personal knowledge, passwords based on the company name or location are very common.
Powerful tools like Hashcat allow automating the creation of mutated wordlists tailored to the target. Its rules engine can quickly generate password variations based on the types of passwords users are likely to choose. This expands our guessing capability exponentially compared to manual attempts. By chaining multiple rules together, we can create comprehensive yet focused wordlists to throw against even strong passwords. Let's put this into action starting with making some initial guesses.
Users tend to make passwords that are easy for them to remember, such as passwords involving their spouse's name, kids, or hobbies. Unfortunately, these passwords are also easy to guess if you know information about the user.
If you don't know personal details about the users, you might try their company name or location (hint hint), which is also easy for users to remember. Using a company name for a password is clearly a bad idea, but users might try to make it more "secure" by replacing letters with numbers. Not secure enough though, and we can use this to our advantage!
With these hints in mind, consider the content on the corporate website, including the password complexity rules you discovered, and how that could be helpful in constructing this guess.
Now think of up to three gueses. Keep it to lowercase characters only. No numbers or symbols are necessary. Got it? Great!
Add one line per guess a new file named 3_guess.txt with the following command:
gedit /home/phv/password_lab_wtw/3_guess.txt
Hashcat has an entire mask language to generate derivatives of any given input. Execute the following command to create "leet speak" derivatives of your guess using a Hashcat rule.
hashcat --force /home/phv/password_lab_wtw/3_guess.txt -r /usr/share/hashcat/rules/unix-ninja-leetspeak.rule --stdout | sort -u > /home/phv/password_lab_wtw/3_1337words.txt
This command takes your small input wordlist of guesses, mutates each guess into their leetspeak derivatives, de-dupes the result (sort -u), and saves the final mutated list to a new file. Take a look at the generated wordlist file to get an understanding of what this hashcat rule did to your guesses:
gedit /home/phv/password_lab_wtw/3_1337words.txt
Now let's run our attack using our newly created wordlist. Mwah-hah-hah!!! If you identify at least one account, you can move on to the next step. If you're up for a challenge you can try to identify all three that are possible.
hydra -s 22 -L /home/phv/password_lab_wtw/users.txt -P /home/phv/password_lab_wtw/3_1337words.txt -t 16 192.168.1.3 ssh
After the attack finishes, remember to remove any user accounts identified from the user file:
gedit password_lab_wtw/users.txt
The glorious thing is that any number of hashcat rulesets can be daisy chained together and the result can be very powerful. To get a handle on what is possible, let's combine the 1337words.txt file with another Hashcat rule called best64, which will chop up each input string in various ways following patterns that real world users follow. Let's execute the command below:
hashcat --force /home/phv/password_lab_wtw/3_1337words.txt -r /usr/share/hashcat/rules/best64.rule --stdout | sort -u > /home/phv/password_lab_wtw/3_1337_b64_words.txt
This command takes the leet mutated wordlist, applies more mutation rules (best64.rule), de-dupes the result (sort -u), and saves the final list to a new file. Now, take a look at the output and consider if maybe some of your passwords have followed any of the patterns displayed here:
gedit /home/phv/password_lab_wtw/3_1337_b64_words.txt
Now let's examine tactics for cracking very long passwords. Length is one of the most important factors in password strength, so accounts protected by long passwords are a greater challenge to compromise. Each additional character exponentially increases the possible combinations that must be guessed.
Passwords can exceed the minimum requirements. The accounts with stronger passwords usually have more privileges which make them more useful once compromised, which is why we will now specifically target privileged users with strong passwords.
Some of you may have noticed one password from exercise 2 is composed of characters that are all adjacent on a keyboard (1qaz2wsx). Passwords like this can be very resistant to traditional guessing/cracking methods, but this pattern can be leveraged to dramatically limit the key space of all possible characters.
These types of passwords have many benefits:
Administrators who may be required to change passwords often and/or have more strict complexity requirements are prone to use passwords like this. There are just a lot of perks if you're an admin.
We have prepared a script called Keyboard.groovy which we will use to filter keyboard pattern passwords from other password lists.
Open a terminal and issue the following command:
groovy /home/phv/password_lab_wtw/Keyboard.groovy /usr/share/wordlists/rockyou.txt 15 /home/phv/password_lab_wtw/patternPasswords.txt
Rockyou.txt is included in Kali and is full of real-world passwords from an old breach. The command will find every password in rockyou.txt with a minimum length of 15 that follows adjacent keys on a keyboard, resulting in 98 lines.
Let's filter that down to 20 lines with some Regex:
grep -E ".*[a-z]+.*" /home/phv/password_lab_wtw/patternPasswords.txt | grep -E ".*[0-9]+.*" | grep -v -E ".*[A-Z]+.*" > /home/phv/password_lab_wtw/patternPasswords_filtered.txt
Now let's get those admin accounts!! Issue the following command and watch magic happen:
hydra -s 22 -L /home/phv/password_lab_wtw/users.txt -P /home/phv/password_lab_wtw/patternPasswords_filtered.txt -t 16 192.168.1.3 ssh
Congrats! You hacked all the things :-)
You may also pass Keyboard.groovy a directory full of lists and combine all the patterns found into one file. For example, this command will take all the included metasploit lists in Kali and make one file containing all pattern passwords 8 characters or longer.
groovy /home/phv/password_lab_wtw/Keyboard.groovy /usr/share/wordlists/metasploit/ 8 /home/phv/password_lab_wtw/metasploitPatternPasswords.txt Take a look at the output file and notice how these compare to the pattern passwords from rockyou.txt.
gedit /home/phv/password_lab_wtw/metasploitPatternPasswords.txt
If you happen to have gigabytes worth of password lists and would like to find all the Keyboard patterns found in them, feel free to make your own wordlists using this method!
This code is up on github and can be cloned with the following command: git clone https://github.com/AreYouKraken/Keyboard.git
Included in that github repo is a keyboard pattern list generated from over 50GB of real world passwords called passwordPatternArchive.txt.
Through learning common password attack techniques, we can apply these lessons to improve our password hygiene and security:
Following these best practices will dramatically reduce your susceptibility to real-world password attacks. No security is perfect, but making yourself a more difficult target than other users greatly improves your odds.
With frequent large-scale data breaches, there is a good chance some of your passwords have been compromised without your knowledge. To take proactive steps before your accounts are hijacked, you can check if your passwords have been exposed in known breaches.
Many password manager tools and technology providers offer this type of breach monitoring within their platforms:
Although the techniques taught in this lab are useful for compromising credentials, the knowledge gained can significantly improve password security and defense against these same attacks when applied appropriately.
Performing password guessing and cracking first-hand provides valuable insights into common password patterns and weaknesses. This enables stronger password policies through:
Overall, the attacker perspective learned in this lab is immensely helpful for defending against password attacks. Hands-on experience cracking passwords leads to creating stronger ones. Just as these tools and techniques can compromise credentials in minutes, applying the same knowledge defensively can prevent you or your company from being the next victim.