Everyone knows that any password is a special secret word or phrase that the user uses to quickly authenticate in the services of various software components.
With its help, you can get personal access to personal information, financial information, various transactions and more. A password is a strong protection in the world of digital reality that helps prevent unauthorized access to personal information and data.
What is the password cracking process?
Password cracking is a special procedure for methodically guessing the encrypted word or phrase that an attacker is trying to retrieve from a centralized database. These actions are usually applied in 2 cases:
- When you need to recover a forgotten password;
- When you need to find out the password of another user of the system without his knowledge for illegal actions with his credentials.
As far as QA is concerned, the password cracking process is usually used to check the security of an application, finding the maximum number of existing vulnerabilities in its system.
In the current realities of the development of the IT community, many programmers set themselves the goal of creating special algorithms that could crack the set passwords in the shortest time intervals. More than half of the tools presented in this programming segment are guided by the login based on the maximum number of allowed word and letter combinations.
If the hacker has a very complex password (the structure of which consists of a special combination of numbers, letters and special characters), then breaking it can take from several hours to a couple of weeks. There are also special programs with built-in password dictionaries, but the success of using such tools is lower, since with the simultaneous selection of a combination, key queries are saved in the application, and this takes some time.
Lately, a lot of password cracking programs have been created. All of them, naturally, have their own strengths and weaknesses.
Next, let’s talk in detail about the 10 most popular web password testing tools.
It is a very popular remote tool for the password cracking process. According to its developers, Brutus can easily be considered the most high-quality and efficient tool for finding the right password.
This is a completely free product that comes exclusively for the Windows operating system. By the way, the first release of this software was carried out back in 2000.
The program supports protocols:
- HTTP (standard authentication);
- HTTP (форма HTML/CGI);
- Telnet and other types (e.g. IMAP, NNTIP).
The functionality of the product also allows the user to independently create the necessary types of authorization. Brutus performance is designed for simultaneous connection of up to 60 requests. There are parameters to pause and stop the request. In other words, it is possible to stop the attack or postpone its continuation. Although this product has not been updated for a long time, it can rightfully be considered a very effective and efficient web-based tool for testing password strength.
Another very popular tool for cracking hashes, which is based on the process of replacing temporary memory, which makes it fundamentally different from other similar tools. If we consider in more detail, the process of exchanging temporary memory is a kind of computational operation in which the required password is determined based on the selected hashing algorithm. All calculation results are stored in a special table. As soon as such a table is considered complete, you can try to crack the password. By the way, such a hacking strategy is considered to be more effective than the processes of brute-forcing text combinations.
RainbowCrack developers have taken care of their customers. Users don’t need to create tables from scratch. The product initially provides for tables in LM, NTLM, MD5 and Sha1 formats.
By the way, there are also several paid tables that can be purchased on the official developer website ( http://project-rainbowcrack.com/buy.phphttp://project-rainbowcrack.com/buy.php ). RainbowCrack operates on both Linux and Windows OS’s.
Quite a popular web product that is used for password cracking processes based on a brute-force search of possible combinations. The Wfuzz program can easily be used not only as a password cracker, but also as a means of finding hidden directories and scripts. It also includes the process of identifying a variety of injection types, from SQL to LDAP, within selected web applications.
Basic features and functionality of the product:
- The ability to create injections from several points at the same time;
- Data output in color HTML format;
- Search by headlines, mail;
- Support Multiple Proxy Support, Multi-Threading;
- Selection of combinations via POST and Get requests;
- Cracking cookies.
№4 Cain and Abel
A fairly popular tool for cracking established passwords, with which you can solve extremely complex problems. The key feature of the product is that it can only be used for the Windows operating system.
It can function as a network analyzer, crack passwords using a dictionary attack, record VoIP conversations, find password boxes, decode encrypted files, and analyze route protocols.
The tool is not designed to find bugs or vulnerabilities. Its task is solely the process of finding weaknesses in the security protocol in order to guess the encrypted password. The product is entirely aimed at professional test teams, network administrators, network security professionals and cyber forensics.
To download the product, just use the link – http://www.oxid.it/ca_um/
№5 John the Ripper
Quite a popular free tool, with the help of its functionality, you can crack passwords in web products running Linux, Windows and Mac OS X operating systems. It quickly finds weak passwords and decrypts them.
There is a separate licensed build for professional test teams and network administrators. You can also customize the target functionality for a specific operating system. You can use the following link to download the product – http://www.openwall.com/john/
№6 THC Hydra
Very high quality software for instant password cracking when entering a secure network. In comparison with similar tools, the product demonstrates simply phenomenal performance indicators. If desired, the functionality of the product can be supplemented with new modules with a subsequent increase in productivity.
The program is available on Windows, Linux, Free BSD, Solaris and Mac OS X operating systems.
Interacts with such protocols:
- Asterisk, AFP, Cisco AAAA, Cisco auth, Cisco enable,
- CVS, Firebird, FTP, HTTP, HTTP-FORM-GET, HTTP-FORM-POST,
- HTTP-GET, HTTP-HEAD, HTTP-PROXY,
- HTTPS-FORM-GET, HTTPS-FORM-POST, HOST, HTTPS-GET,
- IMTPS-POST, IC, MS-SQL, MYSQL, NCP, NNTP,
- Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP,
- Rexec, Rlogin, Rsh, SAP/R3, SIP, SMTP, SMTP, SMTP Enum, SNMP,
- SOCKS5, SSH (v1 и v2), VOCMP, Telecum (VMS, XSMP, V2, SSH.
The tool can be downloaded from the link – https://www.thc.org/thc-hydra/
What is noteworthy is that all developers can independently participate in improving this software by providing their personal best practices and technical solutions through the support service.
This program is as similar as possible to the above-described web product. According to its creators, Medusa is a multifunctional and fast tool for “brute” force logging into a secure system.
Supports the following protocols:
- HTTP, FTP, CVS, AFP,
- IMAP, MS SQL, MYSQL,
- NCP, NNTP, POP3, PostgreSQL, pcAnywhere, rlogin,
- SMB, rsh, SMTP, SNMP, SSH, SVN,
- VNC, VmAuthd и Telnet.
This is a command line tool, which means that before using it directly, it is advisable to study the most popular commands and operations. The potential effectiveness of the software depends entirely on the ability to connect to the network. In a local network, up to 2000 passwords can be simultaneously checked in one second.
The software functionality also allows parallel attack. Let’s say you need to hack multiple email accounts in parallel. With Medusa, all you need to do is provide a list of potential names and submit a task with potential passwords.
For a more detailed acquaintance with the capabilities of the product, follow the link – http://foofus.net/goons/jmk/medusa/medusa.html
You can download this tool at – http://www.foofus.net/jmk/tools/medusa-2.1.1.tar.gz
Completely free rainbow table password cracker for Windows. This software is very popular in this operating system, but it can also be used with Linux and Mac OS.
You can download the product by following the link – http://ophcrack.sourceforge.net/
You can download tables here – http://ophcrack.sourceforge.net/tables.php
In fact, this is a common alternative to the above software. The basis of operation is the process of cracking passwords in the Windows operating system based on hashes. It uses network servers, Windows workstations, primary domain controllers, and Active Directory.
The product has 2 release versions – 2006 and 2009. There are parameters for setting audit passwords for temporary requests. You can also configure decryption by day, month or year.
You can download this tool at the link – http://www.l0phtcrack.com/
A specialized generator for cracking passwords for Wi-Fi networks. Its capabilities include the process of analyzing encrypted wireless packets with subsequent cracking based on a specific algorithm.
Supplied for Linux and Windows operating systems.
Detailed instructions for working with the program – http://www.aircrack-ng.org/doku.php?id=getting_started
To download the product use the link – http://www.aircrack-ng.org/
A password is what any web product and component should make as secure as possible from unauthorized access. All of the above tools that any professional QA team providing security testing services should have are eloquent proof that there are no passwords that cannot be cracked.
But at the same time, given the capabilities of these products, in practice it is possible to build very good protection that could incorporate the most advanced security techniques.
Knowledge and repeated use of these tools will help to conduct a high-quality security audit of the software and check how and by what means you can achieve maximum security in the modern realities of the development of the IT world.