Summary
This module introduces the fundamentals of password cracking, with a focus on using Hashcat effectively. During security assessments, we often need to perform offline password cracking for everything from the password hash of a password-protected document, to password hashes in a database dump retrieved from a SQL injection attack, to a variety of different hash types retrieved during a penetration test of an Active Directory environment. Cracking a password hash may be necessary for furthering access during an assessment, or for demonstrating to a client that their password policy needs to be enhanced by cracking password hashes and reporting on metrics such as password complexity and password re-use. In this module, we will cover:
- An intro to password cracking
- An overview of Hashcat
- Hashcat attack types
- Cracking common hashes
- Creating custom wordlists
- Using Hashcat rule sets
- Using Hashcat masks
CREST CPSA/CRT-related Sections:
- All sections
CREST CCT APP-related Sections:
- All sections
CREST CCT INF-related Sections:
- All sections
This module is broken down into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to further reinforce the concepts introduced in each section. You can do this in the Pwnbox provided in the interactive sections or in your own virtual machine.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
The module is classified as "Medium" but assumes a working knowledge of the Linux command line and an understanding of information security fundamentals.
A firm grasp of the following modules can be considered prerequisites for successful completion of this module:
- Introduction to Networking
- Linux Fundamentals
Introduction
Password Cracking Overview
Password cracking, or offline brute force attacks, is an effective way of gaining access to unauthorized resources. Various applications and systems make use of cryptographic algorithms to hash or encrypt data. Doing so prevents the storage of plaintext information in data at rest and disclosure of transmitted data in man-in-the-middle (MITM) attack scenarios. Password cracking attacks attempt to recover the original data by performing brute force attacks against various algorithms and divulge the cleartext password.
Weak and reused passwords are two major factors that can determine the success of this attack. Additionally, attackers can create fine-tuned wordlists and use rules to mutate the passwords based on the target application or environment. A variety of open-source tools exist to facilitate password cracking. This module will focus on the popular tool Hashcat, a potent and useful tool for performing password cracking attacks against a wide variety of algorithms.
Password cracking is an extremely beneficial skill for a penetration tester, red teamer, or even those on the defensive side of information security. During an assessment, we will often retrieve a password hash that we must attempt to crack offline to proceed further towards our goal. A mastery of password cracking techniques, coupled with the Hashcat tool, will arm us with a skill set that applies to many information security areas.