How Hackers Take Your Encrypted Passwords & Crack Them



You may have asked yourself, "How do hackers take my password, if the website owner can't?" The answer is simple. When a website stores your login password for the site, it is run through a cryptographic hash function before it enters the database.

So how are hackers getting these passwords?

When a website is breached and has their database stolen, the password hashes will be in there. A hacker will analyze the hashes, and see which hash type they are, and then bruteforce them. Bruteforcing is when you systematically cycle through each letter in a letterset until it matches a password. A letter set can be all lower-case, symbols, or anything the hacker wants. So the hacker bruteforces until they find a hash that matches yours, resulting in "guessing" your password.

I'm going to show you how to do this on both Windows and Linux.

Step 1: Cracking MD5 on Windows

On Windows, we're going to need to download and install Cain & Abel. Cain is part of the software suite, and is a AIO (All-In-One) Windows hacking tool. We will be using its bruteforce function to crack MD5 hashes.

Hash a Word

Let's hash the word "cowsay" using Miracle Salad's MD5 hash generator.
We get the following as a result:
0f606505ce5a8e34d306f707067786ef

Bruteforce with Cain

I'm going to show you in a Tutorial how to crack the hash of the word "cowsay". Follow closely!

 



See how quick and easy that was? Load the hash, click dictionary attack, and wait. This was on a single core processor in a Virtual Machine, so imagine what it would be like on a powerful computer with GPU's.

Step 2: Cracking MD5 on Linux

On Linux, cracking hashes is a bit different. We will be using JTR (John the Ripper). Linux is a bit faster at cracking hashes, as you will see in the video a bit later.

Installation
  1. First, download JTR from here.
  2. Extract with tar zxvf john-1.7.8.tar.gz
  3. Navigate to the john directory
  4. Install with ./configure && make && sudo make install
Bruteforce with John

I'm going to crack the hash of the word "cowsay" again, but this time with JTR.
Commands will be listed below, if you miss any.

 



Commands:
  • nano hash (inject hash into file and save)
  • john --format=raw-md5 hash
  • john --format=raw-md5 --show hash

Step 3: Protect Yourself from Password Cracking

Check out my previous guide on keeping passwords strong and safe. The same rules apply here. Keep your passwords longer than 12 characters, and use symbols. It greatly increases the time it takes to crack.



Do you have questions, comments, or suggestions? Feel free to post a comment! 




Subscribe to Saint Andrew's Paradise
Liked this post?

Subscribe to "Saint Andrew's Paradise" and get all new tricks, tools and regular updates to your inbox!

    




Share your views...

0 Respones to "How Hackers Take Your Encrypted Passwords & Crack Them"

Post a Comment

Subscribe to: Post Comments (Atom)
 

About Me

Saint Andrew is a computer science student. Saint Andrew is a founder of the blog Saint Andrew's Hacking Paradise.

His mission and the aim of this blog is to make the reader aware of the existing threats and describe them in comprehensible way.

"Saint Andrew's Hacking Paradise" is a place to Learn, Understand and Explore the facts of computer technology.

You are always welcome to contact us to suggest ideas, tips, or to ask questions.

© 2011 Saint Andrew's Hacking Paradise

This blog run on iThesis Theme & hosted by Blogger