In this series
on password cracking, I have been attempting to develop your skills
in the age-old art of password cracking. Although it might seem like a simple
and straightforward exercise, those of you who have attempted password cracking
know that there are many subtleties to this art.
In many
of our password cracking disciplines, we often need to use a wordlist that will
essentially attempt thousands of potential passwords per second. This is often
referred to as a dictionary attack, even though we need not rely solely on
dictionary words. These wordlists may have any combination of characters and
words in an attempt to crack a complex password offline.
Sometimes we may have indications of the target's choice of password or password
components, which may come from our knowledge of the target, e.g. girlfriend,
neighbor, friend, etc. It could be their name, children's names, a pet's name,
birthday, or job. We may also know the organization's password policy (e.g.
minimum 8 characters, uppercase and lowercase, etc.).
In these
cases, we may be able to generate a custom wordlist that reflects our knowledge
of the target or the organization's password policy.
Kali Linux has built into it a tool called "crunch" that enables us to create a
custom password-cracking wordlist that we can use with tools such as Hashcat,
Cain and Abel, John the Ripper, Aircrack-ng, and others. This custom wordlist
might be able to save us hours or days in password cracking if we can craft it
properly.
Let's
get started with crunch and generate some custom wordlists to crack passwords
in our favorite password cracking tool.
Step 1: Fire Up Kali & Open Crunch
Let's
start by firing up Kali and opening crunch by going to Applications -> Kali
Linux -> Password Attacks -> Offline Attacks -> crunch.
This
will open the crunch screen like that below.
Unlike
many other hacking applications, crunch doesn't provide us with much info in
its opening screen. I believe that's because crunch, although relatively simple
to work with initially, has so many sophisticated options that the developer
has put much of the information in man pages.
Step 2: The Crunch Syntax
The
basic syntax for crunch looks like this:
kali > crunch <min> <max> <characterset> -t <pattern> -o <output filename>
Now,
let's go over what's included in the syntax above.
· min = The minimum password length.
· max = The maximum password length.
· characterset = The character set to be used in generating the passwords.
· -t <pattern> = The specified pattern of the generated passwords. For instance,
  if you knew that the target's birthday was 0728 (July 28th) and you suspected
  they used their birthday in their password (people often do), you could
  generate a password list that ended with 0728 by giving crunch the pattern
  @@@@@@@0728. This would generate passwords up to 11 characters (7 variable and
  4 fixed) long that all end with 0728.
· -o <outputfile> = This is the file you want your wordlist written to.
Step 3: The Crunch Manual
Let's go
to the man pages for crunch by typing:
kali > man crunch
This should open the manual pages for crunch
like that below. The developers of crunch have packed these pages with a lot of
info on how to get the most out of crunch.
If we
page down a bit in these man pages, we will come to this page (notice at the
bottom, it says we are at line 70).
At the
top we see the -f switch. This switch allows us to choose the character set we
want to use to generate our wordlist. The syntax is:
-f /path/to/charset.lst <charactersetname>
Here we
tell crunch where the charset.lst is with the full path and then select a
particular character set from that list. In Kali, the charset.lst is at:
/usr/share/rainbowcrack/charset.lst
Step 4: Create Some Simple Wordlists
Let's
start by generating some simple wordlists for password cracking. Let's assume
that we know the company has passwords between 4 and 8 characters. We can
generate all the possibilities in crunch by typing:
kali > crunch 4 8
Where
the first number (4) is the shortest word length and the second (8) is the
longest word length.
When we
execute this statement, crunch estimates how large the file will be (1812 GB)
and then begins to generate the list.
What if we knew that the target always used numeric passwords between 6 and 8
characters? We could generate a complete list of password possibilities meeting
these criteria and send them to a file in the root user's directory called
numericwordlist.lst by typing:
kali > crunch 6 8 1234567890 -o /root/numericwordlist.lst
What if we knew that the target's birthday was July 28 and they likely used that
date (people often use their birthdates in their passwords to make them easier
to remember) at the end of a ten-character password? We could generate all the
possibilities of ten-character passwords that end with 0728 and send the output
to a file in the root user's directory named birthdaywordlist.lst, by typing:
kali > crunch 10 10 -t @@@@@@0728 -o /root/birthdaywordlist.lst
The @ sign is used to represent a wildcard of all possibilities, while the
literals "0728" represent the fixed values.
Step 5: Complex Wordlists with Crunch
One of
the beauties of crunch is the ability to select a specific character set or
create your own character set for generating your password list. If we know the
likely character set the target is using for their password, we can select the
character set to generate our password list. We can find the choice of
character sets at:
/usr/share/rainbowcrack/charset.txt
Now, if we know that our target is using an eight-character password with only
alphabetic characters, we can generate a list of all the possibilities in
crunch with the command:
kali > crunch 8 8 -f /usr/share/rainbowcrack/charset.txt mixalpha -o /root/alphawordlist.lst
This will generate all the 8-character passwords using only the alphabetic
characters (no numbers or special characters) and store them in a file called
alphawordlist.lst in the root user's directory.
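As an added example (not part of the original tutorial and not crunch's own code), this script reproduces the size arithmetic behind crunch's estimate for the commands in Steps 4 and 5, showing how length and character set drive the search space before anything is written to disk. It assumes crunch's default 26-letter lowercase set, 52 characters for mixalpha, @ and , drawing 26 letters and % drawing 10 digits in a -t pattern, and one newline byte per word; the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example: size arithmetic behind crunch's estimate (hypothetical helpers).
# Each word in the output file costs its length plus one newline byte.

# ipow BASE EXP -> BASE^EXP (64-bit shell arithmetic)
ipow() (
    result=1; exp=$2
    while [ "$exp" -gt 0 ]; do
        result=$(( result * $1 )); exp=$(( exp - 1 ))
    done
    echo "$result"
)

# wordlist_lines MIN MAX CHARSET_SIZE -> number of words generated
wordlist_lines() (
    len=$1; total=0
    while [ "$len" -le "$2" ]; do
        total=$(( total + $(ipow "$3" "$len") )); len=$(( len + 1 ))
    done
    echo "$total"
)

# wordlist_bytes MIN MAX CHARSET_SIZE -> size of the output file in bytes
wordlist_bytes() (
    len=$1; total=0
    while [ "$len" -le "$2" ]; do
        total=$(( total + $(ipow "$3" "$len") * (len + 1) )); len=$(( len + 1 ))
    done
    echo "$total"
)

# pattern_lines PATTERN -> words produced by a -t pattern.
# Assumed defaults: @ and , = 26 letters, % = 10 digits, anything else is a
# literal. The ^ (symbols) placeholder is not handled here.
pattern_lines() (
    rest=$1; total=1
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}; rest=${rest#?}
        case $ch in
            @|,) total=$(( total * 26 )) ;;
            %)   total=$(( total * 10 )) ;;
        esac
    done
    echo "$total"
)

gib=1073741824
echo "crunch 4 8 (lowercase): $(( $(wordlist_bytes 4 8 26) / gib )) GiB"
echo "crunch 6 8 1234567890 : $(( $(wordlist_bytes 6 8 10) / 1048576 )) MiB"
echo "crunch 8 8 mixalpha   : $(( $(wordlist_bytes 8 8 52) / gib / 1024 )) TiB"
echo "-t @@@@@@0728         : $(pattern_lines '@@@@@@0728') words"
```

The first line matches the 1812 GB estimate from Step 4, while the mixalpha list comes to hundreds of TiB, which is why a pattern or a narrower character set matters.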
When cracking passwords, there are multiple methods of cracking unknown
passwords. These include dictionary, rainbow table, brute force and others. If
we know the parameters of the password or know something about the target and
their possible passwords (birthday, pet names, spouse, etc.), crunch can be a
very useful tool for generating specific wordlists to be used in a
dictionary-like attack.
You can get more detail about Crunch at:
http://adaywithtape.blogspot.in/2011/05/creating-wordlists-with-crunch-v30.html