Cracking Password Hashes

Passwords are used daily by most people. They protect our valuable information from unauthorized access. Passwords are used on client computing devices, online services, Wi-Fi, and much more. The purpose of this blog post is to demonstrate how weak password hashes can be cracked using various methods and to raise awareness of the risks of using weak passwords.

Plaintext passwords are converted into hashes for storage. For example, Windows stores NTLM hashes, while WPA2 Wi-Fi derives its key with PBKDF2. Password hashes can be obtained in multiple ways. For example, to obtain a Windows password hash, the user needs access to either Active Directory or the Windows SAM database. To see how I obtained a password hash from a WPA2 connection, please see my previous blog post.

The most common tools for cracking password hashes are John the Ripper and Aircrack-ng. With these tools, we can perform multiple password hash attacks. Additional tools used in this post are crunch and cewl. We will focus on a dictionary attack against a previously captured WPA2 hash.

Dictionary Attacks 

A dictionary attack is an attempt to find a password by trying each entry in a list of likely candidates. One of the most famous password dictionary files is rockyou.txt. We can use rockyou.txt to crack password hashes. Additionally, we can create our own password file using a Linux tool known as Crunch. Crunch is a wordlist generator with many options for customizing password files. We will go through a few Crunch examples before moving forward.

Breaking WPA2 using a custom wordlist with Crunch

To generate a useful password list, we need some prior information about the password complexity that was used. The following commands use Crunch to generate different kinds of dictionaries according to the assumed complexity.

If you believe that the password you are trying to crack is a numeric PIN, the following command can be used.

crunch 4 4 123456789

This command tells Crunch to create a wordlist of 4-digit values drawn from the character set 123456789, starting at 1111 and ending at 9999. Note that 0 is not in this character set, so a PIN containing a 0 would not be generated. We can write the results to a text file with the -o option.

To create a wordlist of 8-character lowercase strings, we use the following command:

crunch 8 8 -f /usr/share/rainbowcrack/charset.txt loweralpha

The -f option selects a named character set from a charset file, so instead of typing a through z we can pick the loweralpha set from the rainbowcrack charset file. Be aware that 26^8 is roughly 209 billion entries, so the resulting file would be very large.

To see the true power of crunch, we need to do more than create wordlists that can already be found online. For example, if after some reconnaissance we find that the target's name is John and he has a pet called Frankie, we can make a custom wordlist that starts with Frankie followed by digits. To do this, we use the following command.

crunch 11 11 -t Frankie@@@@ -f /usr/share/rainbowcrack/charset.txt numeric

The above command creates a wordlist in which every entry starts with “Frankie” and ends with a different 4-digit number (the @ placeholders are filled from the numeric character set chosen with -f). If the victim’s password was “Frankie2018”, we will find it.
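To make the size of these wordlists concrete, here is an added Python example (not code from the post or from crunch itself) that expands a crunch-style -t pattern and computes how many candidates the commands above produce. It uses % as the digit placeholder, which crunch supports directly without -f; the placeholder classes follow crunch's documented -t syntax, the symbol set is a constructed approximation, and the guessing rate at the end is an assumed figure used only to show how quickly the numbers get out of hand.

```python
import itertools
import string

# Placeholder classes as documented for crunch's -t option:
# @ = lowercase, , = uppercase, % = digits, ^ = symbols.
# The symbol set below is a constructed approximation, not crunch's exact list.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=",
}


def expand_pattern(pattern, charsets=PLACEHOLDERS):
    """Yield every word matching a crunch-style -t pattern such as 'Frankie%%%%'.

    Literal characters are kept in place; each placeholder is replaced by every
    character of its class in turn, rightmost position varying fastest (the
    same order crunch produces).
    """
    slots = [charsets.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def pattern_size(pattern, charsets=PLACEHOLDERS):
    """Number of words the pattern expands to, without generating them."""
    size = 1
    for ch in pattern:
        size *= len(charsets.get(ch, ch))
    return size


def fixed_charset_size(min_len, max_len, charset):
    """Wordlist size for 'crunch <min> <max> <charset>' (every length in range)."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at a given guessing rate."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    # crunch 4 4 123456789  (note: the charset has no 0)
    print("4-digit PINs from 1-9:", fixed_charset_size(4, 4, "123456789"))
    # crunch 8 8 -f charset.txt loweralpha
    print("8 lowercase letters:", fixed_charset_size(8, 8, string.ascii_lowercase))
    # crunch 11 11 -t Frankie%%%%  (same result as the -f numeric variant)
    print("Frankie + 4 digits:", pattern_size("Frankie%%%%"))
    print("Frankie2018 in list:", "Frankie2018" in expand_pattern("Frankie%%%%"))
    # Assumed rate of 100,000 WPA2 PBKDF2 guesses per second (constructed figure)
    lowercase8 = fixed_charset_size(8, 8, string.ascii_lowercase)
    print("Hours to exhaust 8 lowercase at 1e5/s:",
          seconds_to_exhaust(lowercase8, 1e5) / 3600)
```

The contrast is the point: the 10,000-entry "Frankie" list is exhausted in a fraction of a second, while the full 8-character lowercase space takes weeks at the same rate, which is why reconnaissance-driven wordlists are so much more dangerous than generic ones.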

Crawling sites for potential passwords with Cewl

In addition to creating a custom wordlist, we can crawl a site looking for keywords to add to a dictionary file. A Linux utility that enables us to do this is called Cewl.

cewl --help shows the different options available with this utility:

cewl --help

A simple command to create a password file from a website would be:

cewl -w cybercesar.txt -d 7 -m 5 https://cybercesar.com

The following output is given:

cat cybercesar.txt

As you can see, Cewl went through my site and identified keywords that can be used to build a dictionary file.

Cewl demonstrates how important it is for users not to share or post keywords on their sites that might be related to their passwords. These keywords may be used in conjunction with Crunch to build dictionaries that might find the password.

Thankfully, most modern websites should have a firewall that blocks any type of crawler that sends many requests in a short time. My website’s firewall automatically blocked my attempt once I exceeded its limit on requests per minute, as shown below:

Firewall on cybercesar.com

Website administrators should have a firewall rule that automatically blocks crawlers that open many connections per minute, in order to prevent this kind of keyword harvesting.
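For administrators without a managed firewall, the same rule can be checked offline against the web server's access log. The following Python example is added here and is not part of the original post or of any firewall product: it parses combined-format log lines, finds each client's busiest 60-second window, and reports clients over a threshold. The log lines and IP addresses are constructed for the demo (documentation ranges, not real traffic) and the limit of 20 requests per minute is an assumed value to tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" log format; only the fields we need are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, request) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("request")


def flag_crawlers(log_text, max_per_minute=20, window=timedelta(seconds=60)):
    """Return {ip: peak requests in any 60 s window} for clients over the limit.

    A sliding window over each client's sorted timestamps finds the busiest
    minute, so a short burst is caught even if the hourly average looks fine.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            per_ip[parsed[0]].append(parsed[1])

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = peak = 0
        for end in range(len(times)):
            while times[end] - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_minute:
            flagged[ip] = peak
    return flagged


def constructed_log():
    """Build a constructed sample log: one client (198.51.100.7) fetching 30
    pages in 30 s, as a depth-7 word-harvesting crawl would, plus a normal
    visitor (203.0.113.5) and one unparseable line."""
    lines = []
    base = datetime(2023, 10, 10, 13, 55, 0)
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(f'198.51.100.7 - - [{ts}] "GET /page{i} HTTP/1.1" 200 4096 "-" "Mozilla/5.0"')
    for minute in (50, 53, 57):
        ts = base.replace(minute=minute).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(f'203.0.113.5 - - [{ts}] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    lines.append("this line is garbage and is skipped by the parser")
    return "\n".join(lines)


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for ip, peak in flag_crawlers(SAMPLE_LOG).items():
        print(f"block {ip}: {peak} requests within one minute")
```

Rate alone is a coarse signal (a busy office NAT can look like a crawler), so in practice pair it with the request pattern: a client walking every internal link in order, as cewl does, looks quite different from a person reading a few pages.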

Breaking WPA2 with rockyou.txt tutorial

We will dive into the different methods of cracking a password hash obtained from a two-way handshake on a WPA2 network. Please see my previous blog post for details on how to Obtain a Two-Way Handshake from WPA2 Networks.

For the purpose of this demonstration, I have already added my personal WPA2 password to my copy of the rockyou.txt file. A secure password should not be in rockyou.txt by default; if it is, the password can be cracked easily, as we will demonstrate.

There is one simple command to start running the attack using aircrack-ng: 
aircrack-ng -w rockyou.txt -b <bssid> handshake.cap 

After the command is entered, the following screen will appear:

aircrack-ng -w rockyou.txt -b <bssid> handshake.cap 

If aircrack-ng finds the password in rockyou.txt, the following window appears:

KEY FOUND!

As you can see, the password is shown in the “KEY FOUND!” field.

Performing a dictionary attack is one reasonable way to crack passwords. Another is to use rainbow tables.

Rainbow Tables

Rainbow tables are precomputed tables of hashes whose plaintext passwords are already known. Instead of hashing each candidate password and comparing the result, the captured hash is simply looked up against the hashes in the table. Salting each password with a unique value (see Password Management below) makes such precomputed tables useless, because the same password no longer produces the same hash.
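The two ideas above, the WPA2 dictionary run and the precomputed table, come together in the key derivation WPA2-PSK actually uses. The following Python example is added for illustration and is not code from the post or from aircrack-ng: it derives the pairwise master key exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), checks a small constructed wordlist against a known PMK, and shows why a precomputed table is tied to one SSID. The SSID, wordlist and "captured" PMK are constructed; a real cracker such as aircrack-ng validates each candidate against the handshake MIC rather than against a PMK, and that step is omitted here.

```python
import hashlib
import hmac


def derive_pmk(ssid, passphrase):
    """WPA2-PSK pairwise master key (IEEE 802.11i): PBKDF2-HMAC-SHA1 over the
    passphrase with the SSID as salt, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def find_passphrase(ssid, target_pmk, wordlist):
    """Dictionary check: derive the PMK for each candidate and compare it with
    the known PMK in constant time. Returns the matching passphrase or None."""
    for candidate in wordlist:
        if hmac.compare_digest(derive_pmk(ssid, candidate), target_pmk):
            return candidate
    return None


def precompute_table(ssid, wordlist):
    """Rainbow-table style precomputation: PMK -> passphrase, valid for one SSID only."""
    return {derive_pmk(ssid, word): word for word in wordlist}


# Constructed wordlist and network details; nothing here comes from a real capture.
WORDLIST = ["password", "letmein", "Frankie2018", "correct horse battery staple"]
SSID = "HomeNet-constructed"
# Stands in for the handshake-based check a real tool performs.
TARGET_PMK = derive_pmk(SSID, "Frankie2018")

if __name__ == "__main__":
    print("found:", find_passphrase(SSID, TARGET_PMK, WORDLIST))
    table = precompute_table(SSID, WORDLIST)
    print("table hit, same SSID:", table.get(TARGET_PMK))
    # The SSID is the salt: a table built for another network name is useless here.
    other = precompute_table("OtherNet-constructed", WORDLIST)
    print("table hit, other SSID:", other.get(TARGET_PMK))
```

Two defensive lessons fall out of the code: the 4096 iterations are what keep a dictionary run to thousands rather than millions of guesses per second, and because the salt is the network name, an unusual SSID defeats tables precomputed for common defaults, while a strong passphrase defeats the dictionary run itself.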

Protecting your company

Password Management

Store passwords using a per-user salt and a strong password hashing algorithm. Passwords should not be stored in plain text in a document. A password manager can help store strong passwords while keeping them easy to use.

Password Complexity Requirements

Passwords should be at least fourteen characters long and include lowercase letters, uppercase letters, symbols, and numbers. A password that meets these requirements is much harder to brute force, because the number of attempts required grows exponentially with length.

Password Tests

System administrators can periodically test Active Directory for weak passwords. This lets them determine whether a user’s password appears in a public wordlist such as rockyou.txt.
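The Password Management and Password Tests recommendations above can be shown in one small program. This Python example is added here and is not from the post or from any directory product: it stores passwords with a random per-user salt and PBKDF2-HMAC-SHA256, verifies them with a constant-time compare, and audits a store against a wordlist the way a periodic weak-password test would. The accounts, passwords and wordlist are constructed, the store is a plain dictionary standing in for a real directory (Active Directory's NTLM hashes are unsalted and would be checked differently), and the iteration count is kept low for speed.

```python
import hashlib
import hmac
import secrets

# Demo iteration count (assumption for speed); production should use the
# current OWASP-recommended value, which is considerably higher.
ITERATIONS = 50_000


def hash_password(password, iterations=ITERATIONS):
    """Return a storable record: random 16-byte salt plus PBKDF2-HMAC-SHA256 digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"], 32
    )
    return hmac.compare_digest(digest, record["hash"])


def audit_against_wordlist(store, wordlist):
    """Return {username: matching word} for accounts whose password is in the list.

    Every user has a different salt, so the wordlist must be hashed once per
    user: no shared precomputed table can shortcut the audit, which is exactly
    the property salting is meant to give an attacker no way around either.
    """
    weak = {}
    for user, record in store.items():
        for word in wordlist:
            if verify_password(record, word):
                weak[user] = word
                break
    return weak


def build_sample_store():
    """Constructed accounts: two weak passwords (one shared) and one strong one."""
    return {
        "alice": hash_password("Frankie2018"),
        "bob": hash_password("correct horse battery staple 42"),
        "carol": hash_password("Frankie2018"),
    }


# Constructed stand-in for a public wordlist such as rockyou.txt
WORDLIST = ["123456", "password", "Frankie2018", "letmein", "qwerty"]
STORE = build_sample_store()

if __name__ == "__main__":
    print("same password, different hashes:", STORE["alice"]["hash"] != STORE["carol"]["hash"])
    print("weak accounts:", audit_against_wordlist(STORE, WORDLIST))
```

Note that alice and carol share a password but have different stored hashes; that is the salt at work, and it is why the audit has to be run per user rather than by looking hashes up in a table.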

Two Factor Authentication (2FA)

Two-factor authentication adds another layer of defense to user accounts. With 2FA, users enter a temporary token generated by a TOTP application. For the strongest security, avoid text messages for 2FA, since an attacker can set up a rogue cell tower and have the traffic redirected through it.

Biometrics

Biometrics authenticate a user based on who they are. If biometrics are an option, they should be used. The latest computing devices such as iPhones and MacBooks have a built-in fingerprint sensor or face scanner. Additionally, fingerprint sensors are sold separately and can be added to any Windows system.
