What is the password cracking process?
Password cracking is a special procedure for methodically guessing an encrypted word or phrase that an attacker is trying to obtain from a centralized database. These actions are usually used in 2 cases:
- When you need to recover a forgotten password;
- When you need to find out the password of another system user without his knowledge for illegal actions with his credentials.
In the QA realm, the password cracking process is typically used to test the security of an application by finding as many existing vulnerabilities in its system as possible.
In today's realities of development of the IT community, many programmers have set themselves the goal of creating special algorithms that could crack established passwords in minimal time intervals. More than half of the tools presented in this segment of programming focus on logging into the system based on the maximum number of valid word and letter combinations.
If a hacker has a very complex password (the structure of which consists of a special combination of numbers, letters and special characters), then cracking it can take from several hours to a couple of weeks. There are also special programs with built-in password dictionaries, but the success rate of using such tools is lower, since while simultaneously selecting a combination, key queries are stored in the application, and this takes some time.
Recently, a lot of programs have been created to crack passwords. All of them, naturally, have their strengths and weaknesses.
Next, we’ll talk in detail about the 10 most popular web tools for testing passwords that are relevant in 2019.
What is password hacking?
In the field of cybersecurity and cryptography, password cracking plays a very important role. It is the process of password recovery to compromise or restore the security of a computer or system. So, why do you need to learn password cracking programs? For peaceful purposes, you can use password hacking to recover forgotten passwords from online accounts, and this is also used by system administrators for prevention on a regular basis.
In most cases, brute force is used to crack passwords. The software generates various password options and reports if the correct one was found. In some cases, a personal computer can produce millions of options per second. The program for cracking a password on a PC checks all options and finds the real password.
The time required to crack a password is proportional to the length and complexity of that password. Therefore, it is recommended to use complex passwords that are difficult to guess or guess. Also, the brute force speed depends on the cryptographic function that is used to generate password hashes. Therefore, it is better to use Bcrypt for password encryption rather than MD5 or SHA.
Here are the main password guessing methods used by attackers:
- Dictionary attack - the attack uses a file that contains a list of words. The program checks each of the words to find the result;
- Bruteforce attack - instead of using a dictionary, you can try all combinations of given characters;
- Rainbow Table Attack - The attack uses pre-computed hashes and is therefore faster.
There are other methods of cracking passwords based on social engineering, but today we will focus only on attacks without user interaction. To protect against such attacks, you need to use only complex passwords. Now let’s look at the best password cracking tools of 2020. This list is published for informational purposes only and we in no way encourage you to hack other people’s personal data.
Can any password be hacked?
Password is this set of characters. Any combination can be selected, the only difference is how much time it will take. But, of course, this is a very significant difference. How to crack a password that contains 10 characters? From 10 characters you can create so many combinations that even a super-powerful computer, which you, of course, don’t have, can’t sort through in a day. What a day it is. Sometimes you can’t go through combinations even in weeks or months.
What to do? Obviously, there is no need to solve the problem head-on if your password does not consist of one digital character. We will have to look for workarounds, and these paths will be different for each specific case. Let's start with the theory.
RainbowCrack
Website: project-rainbowcrack.com Platform: Unix, Windows
Typically, the hashed version of the password is stored in the public domain and it is known what algorithm this hash was obtained from (for example, MD5), but the reverse conversion is considered too complex an operation, generally requiring searching through all possible combinations - this is the basis for the security of many modern systems. If we have sorted tables of hashes and passwords corresponding to them, we get a system that, using a fast binary search in the table, can obtain the reverse hash-to-password conversion for any existing hashing algorithm.
The main problem: tables of all possible passwords take up too much disk space. Therefore, an original table format is used: hashes are collected into chains of several thousand combinations - each subsequent combination is obtained from the previous one by the next application of the same hashing function. Only the beginning and end of each such chain are recorded in the tables. In order to find a password using such a table, you need to apply the hashing function in exactly the same way to a given hash several thousand times (depending on the length of the chains used) and at the next iteration we obtain a hash that is the end of one of the chains in our tables. Then we run this chain again from the initial hash to the one we need and find the combination preceding our hash - this is the required password.
RainbowCrack allows you to use this approach. The point is that compiling tables takes a lot of time, but password cracking is hundreds of times faster than brute force. RainbowCrack will help you both create tables and use them to crack a hash. By the way, it is not necessary to spend a lot of time compiling tables - you can buy them and partially download them from torrents.
Extremely fast password recovery using a hash using Rainbow tables.
How to crack a password on a windows computer
Losing your account password at first glance looks like a disaster.
There is no access anywhere - neither to the Internet, nor to system folders. Blue screen with usernames and absolute hopelessness. But it's not all that scary. Hacking a Windows password is actually one of the simplest. All you need is to log into the system in safe mode. You will immediately have access to the Administrator account. This is the most important account from which you can do anything. Change or remove the password in particular.
Reboot the computer, press the key depending on your system. Most often it is F8, sometimes F12. Next, go to the Admin user, to the control panel, depending on the version of your system - go to the password setting menu, find your account, perform the usual steps to change the password, as if you were changing the password yourself and oh-oh - access to your account is in your hands.
Just try not to forget the new password while you reboot the system!
Bypassing the password
In any Windows system, there are several accounts, including Administrator, with which we will conduct our experiment. The only caveat is that the Administrator account is visible only in safe mode. You can, of course, enter it in normal mode, but this will require additional settings and manipulations, which we will not consider in this article.
When you enter Safe Mode, you will be asked to select an account to log in with. You need to select an Administrator. This user may appear differently on computers, such as Admin, Administrator, or Administrator.
In most cases, about 90% no one suspects about it and therefore does not set a password for it. Its possibilities are almost limitless. So, it is with the help of it that we will conduct our experiment on hacking the password of other users of your computer.
So, let's begin.
Hacking a password in Windows XP
We turn on our computer and go into safe mode; in order to enter it you need to use the useful F8.
A window appears asking you to select a user, select “Administrator” and log in to the system. If you are asked for a password, then this method will not work and you will need to use special programs such as ERD Commander. If everything went well, we move on.
Go to the “Start >>> Control Panel” menu.
Find “User Accounts”.
We go to the desired account in which you need to hack or change the password.
Among the five options offered, we choose the one that is in the middle, that is, “Remove password”.
You will be asked: “Are you sure you want to remove your password...?” Click on the “Remove password” button.
We close all open windows and restart our computer. After the reboot, it should start in normal mode and there should be no password - if you deleted it, if you changed it, then you will need to enter a new password.
I can imagine your delight when everything works))).
How to hack a password on a phone
Mobile devices are also competing for the top spot in the ranking of the most frequently forgotten passwords. The amount of private information in such a personal item requires that you treat it with care. Passwords are made more and more complex, and one day the password defeats the owner. You won’t find any safe modes here anymore; your phone or tablet will indifferently display a screen for you to enter your password and it seems like there is no way out. But of course this is not true. In order to determine the hacking method, first determine your system. The most common ones are Android and iOS. We will consider them.
Hack password on android
The first method is simpler. If you have a Google account (and remember its password), then unlocking your phone will be a breeze. First, enter the pattern combinations, you can do it at random, you can try to remember yours (you might guess right). If you don’t guess correctly, the screen will lock and the message “Try a little later” will appear. And below is another one - “Forgot your pattern key?” Here we click on this inscription. You will be redirected to log in to your Google account, and after entering your name and password, you will be given the opportunity to install a new pattern.
Important! This method only works when your account is linked to a device.
The second method is more complicated. Log into Google Play via your computer (using your username and password from your device). Install the Screen Lock Bypass application via the web interface. Then install another application, absolutely any one. The installation will trigger Screen Lock Bypass automatically and the lock screen will be reset. Don't forget to change your password before the next blocking!
The third method is simple, but not desirable. You can reset your device to factory default. Each device has its own reset mechanism (read the instructions), but usually you need to turn off the phone, then simultaneously hold down the volume key and the home key (and sometimes the 3rd key). After which a system menu will appear on the screen in which you need to select the item - Wipe data / factory reset, and then agree with the risks. Next, all data will be deleted from the phone (return to factory settings). Then, after the reset is complete, select Reboot System (reboot the device). Remember that after resetting, all personal data and installed applications will be deleted. The phone or tablet will be the same as you brought it from the store.
Hack password on ios (iphone)
To reset the lock screen in Apple, you will need to connect your device to your computer and enter Recovery Mode. Launch iTunes, and select “restore”, and then set it up as new. Here you will be asked to set a new password or leave the device without a password. You decide.
How to crack a password on a laptop
The process of recovering a password on a laptop is no different from the process of recovering a password on a personal computer. Therefore, feel free to go back two steps and carefully read the instructions for recovering your password in wndows.
What can you do to prevent your password from being hacked?
As you can see, hacking a password is not difficult only if it is on your device and you have access to other accounts. A stranger cannot log into iTunes or Google Play, so all you need is to set a simple password that can be easily guessed by brute force. Do not write down or leave your password in a visible place, and change your passwords monthly.
How to crack the administrator password
First method: In order to hack the administrator password, log into the command line from a different account. Type the command “control userpasswords2” and press enter. A window with account users will open - select the one you need and uncheck the “require password entry” checkbox. That's it - the administrator account is now passwordless.
Second method: Restart the computer in safe mode (you need to press F8 or F12 while the PC is booting and select the menu item - boot with command line support. As soon as the command line appears, write: “CD WINDOWS” and press “Enter”. Then type: “rename *.pwl *.abc” and press “Enter” or “rename *.pwd *.abc” and press “Enter" depending on your version of windows. After restarting the computer, the administrator password will be reset.
Third method: Reboot the computer in safe mode (you need to press F8 or F12 while the PC is booting and select the menu item - boot in safe mode with command line support. Next, select any administrator account that is not protected by passwords (or the password for which you need known).After loading the command line, enter: “net user username password” and press “Enter”. That’s it, the job is done, restart the computer and enjoy it to your health.
PS: “username” is replaced with the real username on this computer, “password” is replaced with the real password.
L0phtCrack
Website: www.l0phtcrack.com Platform: Windows
And this program is already purposefully designed for auditing passwords in Windows. L0phtCrack recovers Windows passwords using their hashes obtained from a local machine, a server on the network, a domain controller or Active Directory. The program has a built-in sniffer that can intercept encrypted hashes locally. However, in addition to Windows hashes, the program can also handle Unix Shadow hashes perfectly.
To recover a password, various attacks are used: dictionary, brute force, hybrid method. In the latter case, you can set the settings for password mutation: for example, dana to Dana99. The developers were not too lazy to simplify the procedure for selecting a password: now, right at the start of the program, a special wizard appears, which consistently finds out what exactly you want to do.
Interesting fact. After being acquired by Symantec in 2006, support and development of the program died out, however, the development guys bought their development back in May of this year and released LC6. The latest version works perfectly under 64-bit systems, taking advantage of multiprocessor and multi-core systems. Unfortunately, the developers ask almost three hundred bucks for using L0phtCrack , although they provide a trial period without restrictions. But the tool has free analogues, for example, the console Pwdump (www.foofus.net/fizzgig/pwdump/), as well as ophcrack (ophcrack.sourceforge.net), which is used to crack Rainbow tables.
Windows and Unix password recovery using its hash.
Online password recovery services
Instant decryption
www.tmto.org www.xmd5.org/index_en.htm md5.benramsey.com www.md5decrypter.com www.cmd5.com www.md5encryption.com www.thepanicroom.org/index.php?view=cracker www.panpan .org/2006/md5asp/HOME.ASP www.bisix.tk md5pass.info hash.insidepro.com/index.php?lang=rus The last one is the site of the PasswordsPro password brute force program, a fairly large database, easy to use.
NOT instant decryption
rainbowtables.net - you need to contact the administration by e-mail milw0rm.com/cracker/insert.php www.hashchecker.com/?_sls=add_hash - quota 3 hashes per day
Paid services
passcracking.com Very good service, large databases, after registration the search is carried out in all available ones. There is also a paid search service, payment via SMS. hashcracking.info In my personal opinion, this is the best and deserves special attention. In addition to the fact that it searches the database for passwords (instant decryption), it adds those not found to a special password queue. The brutter installed on the server moves along that queue from top to bottom. (12 tables in total. CharSet=az,0-9 password lengths: 1-8 characters. Hit probability: 97.80%. Maximum password search time for one hash: 12 minutes) If you want the password to be searched as quickly as possible, you can specify the price for it. The queue is sorted by price. The balance can be replenished by writing to the administration and transferring money, for example via WebMoney. But there is one interesting feature. In addition to the main brutter, all users of the service can participate in the search; for this, there is a special page where all hashes are displayed, sorted by price. If the brute force was unable to guess the password, but one of the users succeeded, then the amount for the found password goes to that user. Supports MD5, MySQL, MySQL5, SHA-1 PS As it is written on all services: “Cracking other people’s passwords is bad”
