6 Tools to Perform Credential Attack [100% Working]


CompTIA PenTest PT0-002

Credential attacks are a type of cybersecurity threat that focuses on one thing: gaining unauthorized access to systems or networks. Attackers do this by finding weak spots in the authentication process that they can exploit, giving them a free pass through security measures. They usually target credentials like usernames and passwords that belong to legitimate users. Once these credentials are obtained, the attacker has full reign over everything – including deploying malware, stealing data, or other malicious activities.
It’s a scary thought because it’s so simple. If you can get in unnoticed, what’s going to stop you? It becomes difficult for anyone else to detect or prevent any activity once an attacker is inside the system.

DISCLAIMER:
This article is intended for educational purposes only. The tools and techniques discussed herein should be used in a legal, ethical manner, exclusively for security research or within authorized penetration testing activities. Unauthorized use of these tools against networks, systems, or applications without explicit permission can lead to legal consequences and ethical violations.

 

Different Types of Credential Attacks

1. Password Spraying

Rather than waste time trying to guess a bunch of different passwords for one account at a time, this technique focuses on finding users who have the same password. By locating just one person with an extremely common password (like Winter2021), it’s possible to target hundreds if not thousands of accounts. The advantage here is you’re less likely to trip any alarms by triggering multiple account lockouts all at once. It’s also much faster to go through 1,000 accounts with one guess than it is making 100 guesses for each account individually using different common words in a dictionary. You may need some good luck and intelligence behind your guesses about how people think when creating passwords naturally. But at least you won’t be wasting your time attempting to solve an unsolvable puzzle.

 

2. Brute-Force and Dictionary Attacks

This method involves running through every combination imaginable until you find the right one that lets you in from outside the system's walls. For example, say you wanted access to Account A: You’d first try a single letter that could be the username or password required before submitting your request again with aa instead. Then ab instead of aa… And so on until you’ve exhausted every possible option in order from thereon out.. The upside is it’s really simple and guarantees eventual success as long as you don’t run out of time before then (which most likely would take quite literally forever). The downside is it’s incredibly inefficient and will almost certainly trigger an avalanche of automatic security defenses before you’re even close to being done.

A variation of this involves targeting a list of the most commonly used words for passwords and trying each one in order. You’ll get in faster, but there’s a chance your target’s password isn’t on that list at all. If you don’t have it, there’s no way to find out what it is unless you try every possible combination manually. Even if you do succeed quickly though, you’re still going to look pretty suspicious accessing thousands of accounts from one source or within minutes of each other.

 

3. Hash Cracking

Instead of trying their luck guessing passwords or attempting to force their way into a user's account, hackers can also focus their efforts on obtaining the hashed versions stored in databases first. In case the term “hash” is unfamiliar: it refers to an algorithm that takes input data and spits out strings of fixed lengths. So once they have this string -- which represents the original password without directly revealing what it is -- they can run through a series of techniques until they arrive back at the actual word itself. A few popular methods include brute-force attacks (same deal as above), dictionary attacks (also same deal as above), and precomputed tables like rainbow tables (which contain sufficiently long chains). The kind that will work best depends largely on the specific measures implemented by whoever thought up the hash in the first place.

NOTE:
You may need username and password database which you will use to perform credential attack on target host. I have prepared a list of bad username from flurdy/bad_usernames and password from danielmiessler/SecLists and stored them as part of username.txt and password.txt respectively. I will be using this list to demonstrate the usage of different credential attack tools in this tutorial.

 

Different Tools to Perform Credential Attack

1. Hydra

Hydra, often known as thc‐hydra, is a brute‐force dictionary attack tool that is designed to work against a variety of protocols and services, including SSH, http/https, SMB, and even databases. Basic Hydra usage is simple:

hydra [options] <hostname> <service> <username> <password> <additional options>

Where:

  • [options] include general options like -v for verbose mode, -f to stop after the first login/password pair is found, -s to specify the port if it's not the default port, and more.
  • <hostname> is the IP address or domain name of the target.
  • <service> is the protocol or service you're attempting to brute-force (e.g., ssh, ftp, http).
  • <username> and <password> are placeholders for the file or specific credential you are testing.

Some common options are:

  • The -L option is used to specify a file that contains a list of usernames.
  • The -P option is used to specify a file that contains a list of passwords.
  • The -l option is used for a single username, and -p for a single password.

FTP Login Attempt with Username List and Password List

hydra -L username.txt -P password.txt ftp://10.10.1.11

In this example, Hydra attempts to log into an FTP server at 10.10.1.11 using a list of usernames (username.txt) and a list of passwords (password.txt).

6 Tools to Perform Credential Attack [100% Working]

SSH Brute-Force with Single Username and Password List

hydra -l admin -P password_list.txt ssh://192.168.1.2

Here, Hydra tries to brute-force an SSH login for the username admin using a list of possible passwords (password_list.txt) against the target 192.168.1.2.

HTTPS POST Form Brute-Force

hydra -l user -P pass.txt 192.168.1.4 https-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V

This attempts to brute-force a login form over HTTPS where the login path is /login, with username and password as form parameters, and an incorrect login attempt includes the word "incorrect". It uses a single username (user) and a list of passwords (pass.txt), with verbose output enabled (-V).

 

2. Network Mapper (Nmap)

Nmap, or the Network Mapper, is a tool that serves as a discovery, scanning, and auditing network system. Nmap’s core function doesn’t include brute-force attacks. However, it has a scripting engine (NSE) that lets users write scripts for multiple tasks which includes among many others vulnerability detection and network discovery. Brute-forcing passwords is also included.

In order to use Nmap for brute-force attacks you need to append --script to the option followed by the specific script you want to use. Some of them are SSH, FTP, HTTP and more.

nmap -p <port> --script <script-name> --script-args userdb=<user-list>,passdb=<pass-list> <target>
  • -p <port> specifies the port number(s) on which the target service is running.
  • --script <script-name> indicates the NSE script to use for the brute-force attack. For example ssh-brute for SSH services.
  • --script-args lets you pass arguments to the NSE script (userdb for list of usernames / passdb for list of passwords)
  • <target> is the IP address or hostname of your target system

SSH Brute-Force Attack

nmap -p 22 --script ssh-brute --script-args userdb=users.txt,passdb=passwords.txt 192.168.1.1

This command attempts to brute-force SSH logins on port 22 of the target 192.168.1.1, using users.txt as a list of usernames and passwords.txt as a list of passwords. If you don't pass --script-args for user and password database then nmap will use default sets of usernames and passwords. These defaults are built into the script itself or rely on Nmap's built-in lists for common usernames and passwords.

6 Tools to Perform Credential Attack [100% Working]

FTP Brute-Force Attack

nmap -p 21 --script ftp-brute --script-args userdb=users.txt,passdb=passwords.txt 192.168.1.2

Similar to the SSH brute-force example, this command targets FTP services on port 21, attempting to log in with combinations from users.txt and passwords.txt.

6 Tools to Perform Credential Attack [100% Working]

HTTP Form Brute-Force Attack

nmap -p 80 --script http-form-brute --script-args "form-path=/login.html, userdb=users.txt, passdb=passwords.txt, form-submit='Log+In', user-field=uname, pass-field=passw" 192.168.1.3

This example demonstrates how to brute-force a login form on a web application. It specifies the path to the login form, the file with usernames, the file with passwords, the names of the form fields for the username and password, and the form submission button's label.

 

3. Medusa

Medusa is a super-fast, massively parallel, modular login brute-forcer. It supports many protocols including SSH, SMB, POP3, SMTP, FTP, and HTTP(S). The aim is to support as many services which allow remote authentication as possible.

Basic Syntax:

medusa -h <target host> -u <username> -p <password> -M <module>
  • -h <target host> : Specifies target host's IP address or hostname
  • -u <username> : Single username for login attempt
  • -U <user list> : File containing usernames to use for login attempts.
  • -p <password> : Single password for login attempt
  • -P <password list> : File containing passwords to use for login attempts.
  • -M <module> : Type of service to attack (e.g., ssh, ftp)

For example, to perform a brute-force attack on an FTP service with a list of usernames and passwords, the command would be:

medusa -h 10.10.1.11 -U username.txt -P password.txt -M ftp
6 Tools to Perform Credential Attack [100% Working]

 

4. Patator

Patator is another tool that can be used for brute-force attacks on enumerations of SNMPv3 usernames, VPN passwords, and other types of credential attacks. You can download Patator from https://github.com/lanjelot/patator. It's written in Python and is designed to be a versatile tool for a wide range of brute force attacks or testing scenarios. Unlike single-purpose brute-force tools, Patator is modular, making it capable of adapting to different network services and testing needs.

Patator is invoked by calling its main script followed by the module you want to use, like ftp_login for FTP servers or http_fuzz for HTTP services. Each module then takes its own set of arguments and options.

patator <module_name> host=<IP> user=<USER> password=<PASSWORD_LIST> 0=<USER_LIST> 1=<PASSWORD_LIST> -x ignore:code=401
  • <module_name>: The name of the module you're using (e.g., ftp_login, ssh_login).
  • host=<IP>: The target's IP address or hostname.
  • user=<USER> and password=<PASSWORD_LIST>: Credentials to attempt. Lists are specified for brute-force attempts.
  • 0=<USER_LIST> and 1=<PASSWORD_LIST>: Specifies the paths to the user and password lists for brute-force attacks.
  • -x ignore:code=401: An example of how to ignore certain responses (in this case, HTTP 401 Unauthorized responses).

Here's a simple example of using Patator to brute-force an SSH login:

patator ssh_login host=10.10.1.11 user=FILE0 0=msuser.txt password=FILE1 1=mspassword.txt -x ignore:mesg='Authentication failed.' 
  • This command attempts to log into an SSH server at 10.10.1.11 using usernames from msuser.txt and passwords from mspassword.txt.
  • The -x ignore:mesg='Authentication failed.' part tells Patator to ignore output containing 'Authentication failed.' as it's a normal part of brute-forcing.
6 Tools to Perform Credential Attack [100% Working]

To brute-force a login form on a website:

patator http_fuzz url=http://192.168.1.100/login method=POST body='username=FILE0&password=FILE1' 0=usernames.txt 1=passwords.txt -x ignore:fgrep='Login failed'
  • This attempts to POST to a login form at http://192.168.1.100/login with usernames and passwords from the respective files.
  • The -x ignore:fgrep='Login failed' option tells Patator to ignore responses containing 'Login failed'.

 

5. Hashcat (Hash Cracking)

Unlike hashing, encryption is reversible. By using a key, encryption allows plaintext data to be encrypted into ciphertext and decrypted back to plaintext.

  • Symmetric key encryption relies on the same cryptographic key to both encrypt and decrypt the data.
  • Asymmetric key encryption uses two different keys for both encryption and decryption. The secret key is only known by the author, and the public key is shared to anyone wishing to decrypt the messages. This is mostly found in client-server models for authenticating access using digital certificates (X.509) or a public key infrastructure (PKI).

Common Hashing and Encryption Algorithms are explained in below table:

Algorithm Type Name Output Size Characteristics Common Uses
Hashing MD5 128 bits Fast, but considered cryptographically broken and unsuitable for further use. Legacy applications, checksums (with caution).
  SHA-1 160 bits Faster than SHA-2, but vulnerabilities (e.g., collision attacks) render it unsuitable for security-sensitive applications. Legacy applications, checksums (with caution).
  SHA-256 256 bits Part of the SHA-2 family, it's secure and widely used. Cryptocurrency (Bitcoin), SSL certificates, security applications.
  SHA-3 Variable The latest member of the Secure Hash Algorithm family, offering enhanced security features. General security applications, digital signatures.
Encryption AES 128, 192, or 256 bits Symmetric key encryption that is fast and secure. The standard for encryption. Secure file storage, SSL/TLS, disk encryption.
  DES 56 bits Now considered insecure due to its short key length. Legacy systems (replaced by AES).
  3DES 168 bits An improvement over DES, but slower than AES and less secure than AES-256. Legacy systems, transitioning to AES.
  RSA Variable Asymmetric key encryption, secure but computationally intensive. Digital signatures, SSL/TLS certificates, secure email.

Passwords may be sent over the wire or stored in hashed format. You may intercept one or more of these hashes while pursuing other network attacks, for example, with Responder. Unlike password spraying, you do not risk account lockouts or alert triggers by cracking a hash offline. 

Hashcat is a password recovery tool that’s become very popular in the cybersecurity world for its ability to crack hashed passwords and comes with Kali Linux and other penetration testing Linux distributions. You can also download it from https://hashcat.net/hashcat. It supports all sorts of algorithms such as MD5, SHA-1, and SHA-256. Hashcat has both CPU and GPU hardware support which allows it to process large quantities of hash values very quickly.

When you use Hashcat, it’ll take the hash value of a password from a database (this generally comes from obtaining an audit) and then compare it with other hash values generated by potential passwords taken from wordlists or brute-force lists. Once there’s a match, we know we’ve found the original password. The different modes Hashcat offers are:

  • Straight: Basic dictionary attack.
  • Combination: Two dictionaries are combined.
  • Brute-force: We try everything at once.
  • Hybrid: Dictionary and brute force attacks combined together.
  • Rule-based: Mutation rules applied to dictionaries.

The basic command structure for Hashcat looks like this:

hashcat [options] <hashfile> <wordlist>
  • [options] holds plenty of flags and settings such as what mode to attack with or what type of hash we’re working with.
  • <hashfile> is the file containing the target hash or hashes
  • <wordlist> is just the file holding some potential passwords.

For demonstration, let's use "hello123" as our example password. We will generate sha256sum for hello123 and store it in a file:

echo -n "hello123" | sha256sum

Save the generated checsum into a file:

echo 27cc6994fc1c01ce6659c6bddca9b69c4c6a9418065e612c69d110b3f7b11f8a > sample_hash.txt

Create a text file named wordlist.txt that contains possible passwords, including "hello123". You can do this using a text editor or the command line. For example:

echo -e "password123\nhello123\n12345678" > wordlist.txt

This creates a file with three possible passwords, one of which is the correct password for the hash we generated.

Run Hashcat with the following command:

hashcat -m 1400 -a 0 -o cracked.txt sample_hash.txt wordlist.txt

Here’s what each option means:

  • -m 1400: Sets the mode to SHA-256 hash.
  • -a 0: Specifies a straight attack mode (using a wordlist).
  • -o cracked.txt: Outputs the results to a file named cracked.txt.
  • sample_hash.txt: The file containing your target hash.
  • wordlist.txt: Your wordlist file.
NOTE:
To get the list of supported algorithm and mapping modes you can use hashcat --help for more details.
6 Tools to Perform Credential Attack [100% Working]

After Hashcat completes its run, check the cracked.txt file to see if the password was cracked. Use the command:

6 Tools to Perform Credential Attack [100% Working]

If successful, you’ll see the hash followed by the cracked password, indicating Hashcat found the matching password in your wordlist.

Now one of the important factor here is identifying the hash as if you use incorrect hash mode then hashcat will fail to crack the hash. For example in the same hash file I created abaove, if I try to crack using -m 500 i.e. for MD5 then it is going to fail.

Hashfile 'sample_hash.txt' on line 1 (27cc69...4c6a9418065e612c69d110b3f7b11f8a): Separator unmatched
No hashes loaded.

To identify the hash value you can use hashid which can help you identify different encryption formats. As you can see in below screenshot, hashid has given a list of possible encryption type for the provided hash value:

6 Tools to Perform Credential Attack [100% Working]

 

6. John the Ripper (Hash Cracking)

John the Ripper or John is a powerful software designed for cracking passwords. It’s able to identify password hash types and contains a customizable cracker. It can be used against a range of encrypted password formats, most commonly those using several crypt password hash types found in Unix systems.

The tool operates in different modes, including wordlist (dictionary), brute force, and incremental mode.

  • Wordlist Mode: A file containing potential passwords is used by this mode.
  • Brute Force Mode: This mode attempts every possible combination of characters.
  • Incremental Mode: Password guesses are made in a more systematic way, based on character frequency and position.

In Kali Linux john is installed by default, you can check the version of installed tool:

└─# john --help   
John the Ripper 1.9.0-jumbo-1+bleeding-aec1328d6c 2021-11-02 10:45:52 +0100 OMP [linux-gnu 64-bit x86_64 AVX2 AC]

For demonstration purposes, we'll create a simple hash. Let's say we have a password hello123 that we want to hash using SHA-256. You can generate this hash using:

echo -n "hello123" | sha256sum

Create a file named hash.txt and paste your hash there. For John to understand it, you need to specify the hash type as it doesn't directly support raw hashes without knowing the format. For raw SHA-256, you can format it like this in the file:

hello123:$SHA256$27cc6994fc1c01ce6659c6bddca9b69c4c6a9418065e612c69d110b3f7b11f8a

However, note that for real-world scenarios, you're likely to encounter hashes in the context of their use, such as in /etc/shadow for Unix password hashes, which John can directly process.

Let's use a simple wordlist to crack this hash. Create a file named wordlist.txt and add several possible passwords, including hello123.

└─# cat wordlist.txt 
password123

12345678
123456
password
hello123
qwerty

Run John using this wordlist:

john --format=raw-sha256 --wordlist=wordlist.txt hash.txt
6 Tools to Perform Credential Attack [100% Working]

After John successfully cracks the hash, you can view the results with:

john --show hash.txt
6 Tools to Perform Credential Attack [100% Working]

This will display the cracked passwords alongside their corresponding usernames or identifiers.

To process hashes stored in the /etc/shadow file using John the Ripper, you typically need to extract the relevant hashes and possibly use unshadow, a utility that combines the /etc/passwd and /etc/shadow files to create a format that John can process more easily. The /etc/passwd file contains user account information, and /etc/shadow contains the password hashes but in a secure, privileged-access-required manner.

unshadow /etc/passwd /etc/shadow > combined.txt

With the combined.txt file ready, you can now run John the Ripper against it. If you don’t specify a wordlist with the --wordlist option, John will default to using its "incremental" mode, which attempts to brute-force the passwords. We have to specify the format using --format=crypt.

john --format=crypt combined.txt
6 Tools to Perform Credential Attack [100% Working]

 

Deepak Prasad

Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

Leave a Comment