Password Cracking Overview

Password cracking, or offline brute forcing, is an effective way of gaining unauthorized access to resources. Various applications and systems use cryptographic algorithms to hash or encrypt data. Doing so prevents plaintext information from being stored in data at rest and protects transmitted data from disclosure in man-in-the-middle (MITM) attack scenarios. Password cracking attacks perform brute force attacks against these algorithms to recover the original data and reveal the cleartext password.

Weak and reused passwords are two major factors that can determine the success of this attack. Additionally, attackers can create fine-tuned wordlists and use rules to mutate the passwords based on the target application or environment. A variety of open-source tools exist to facilitate password cracking. This module will focus on Hashcat, a popular and potent tool for performing password cracking attacks against a wide variety of algorithms.

Password cracking is an extremely beneficial skill for a penetration tester, red teamer, or even those on the defensive side of information security. During an assessment, we will often retrieve a password hash that we must attempt to crack offline to proceed further towards our goal. A mastery of password cracking techniques, coupled with the Hashcat tool, will arm us with a skill set that applies to many information security areas.