Credential attacks are a type of cybersecurity threat that focuses on one thing: gaining unauthorized access to systems or networks. Attackers do this by finding weak spots in the authentication process that they can exploit, giving them a free pass through security measures. They usually target credentials like usernames and passwords that belong to legitimate users. Once these credentials are obtained, the attacker has full reign over everything – including deploying malware, stealing data, or other malicious activities.
It’s a scary thought because it’s so simple. If you can get in unnoticed, what’s going to stop you? It becomes difficult for anyone else to detect or prevent any activity once an attacker is inside the system.
Different Types of Credential Attacks
1. Password Spraying
Rather than waste time trying to guess a bunch of different passwords for one account at a time, this technique focuses on finding users who have the same password. By locating just one person with an extremely common password (like Winter2021), it’s possible to target hundreds if not thousands of accounts. The advantage here is you’re less likely to trip any alarms by triggering multiple account lockouts all at once. It’s also much faster to go through 1,000 accounts with one guess than it is making 100 guesses for each account individually using different common words in a dictionary. You may need some good luck and intelligence behind your guesses about how people think when creating passwords naturally. But at least you won’t be wasting your time attempting to solve an unsolvable puzzle.
2. Brute-Force and Dictionary Attacks
This method involves running through every combination imaginable until you find the right one that lets you in from outside the system's walls. For example, say you wanted access to Account A: You’d first try a single letter that could be the username or password required before submitting your request again with aa instead. Then ab instead of aa… And so on until you’ve exhausted every possible option in order from thereon out.. The upside is it’s really simple and guarantees eventual success as long as you don’t run out of time before then (which most likely would take quite literally forever). The downside is it’s incredibly inefficient and will almost certainly trigger an avalanche of automatic security defenses before you’re even close to being done.
A variation of this involves targeting a list of the most commonly used words for passwords and trying each one in order. You’ll get in faster, but there’s a chance your target’s password isn’t on that list at all. If you don’t have it, there’s no way to find out what it is unless you try every possible combination manually. Even if you do succeed quickly though, you’re still going to look pretty suspicious accessing thousands of accounts from one source or within minutes of each other.
3. Hash Cracking
Instead of trying their luck guessing passwords or attempting to force their way into a user's account, hackers can also focus their efforts on obtaining the hashed versions stored in databases first. In case the term “hash” is unfamiliar: it refers to an algorithm that takes input data and spits out strings of fixed lengths. So once they have this string -- which represents the original password without directly revealing what it is -- they can run through a series of techniques until they arrive back at the actual word itself. A few popular methods include brute-force attacks (same deal as above), dictionary attacks (also same deal as above), and precomputed tables like rainbow tables (which contain sufficiently long chains). The kind that will work best depends largely on the specific measures implemented by whoever thought up the hash in the first place.
Different Tools to Perform Credential Attack
1. Hydra
Hydra, often known as thc‐hydra, is a brute‐force dictionary attack tool that is designed to work against a variety of protocols and services, including SSH, http/https, SMB, and even databases. Basic Hydra usage is simple:
hydra [options] <hostname> <service> <username> <password> <additional options>
Where:
[options]
include general options like-v
for verbose mode,-f
to stop after the first login/password pair is found,-s
to specify the port if it's not the default port, and more.<hostname>
is the IP address or domain name of the target.<service>
is the protocol or service you're attempting to brute-force (e.g., ssh, ftp, http).<username>
and<password>
are placeholders for the file or specific credential you are testing.
Some common options are:
- The
-L
option is used to specify a file that contains a list of usernames. - The
-P
option is used to specify a file that contains a list of passwords. - The
-l
option is used for a single username, and-p
for a single password.
FTP Login Attempt with Username List and Password List
hydra -L username.txt -P password.txt ftp://10.10.1.11
In this example, Hydra attempts to log into an FTP server at 10.10.1.11
using a list of usernames (username.txt
) and a list of passwords (password.txt
).
SSH Brute-Force with Single Username and Password List
hydra -l admin -P password_list.txt ssh://192.168.1.2
Here, Hydra tries to brute-force an SSH login for the username admin
using a list of possible passwords (password_list.txt
) against the target 192.168.1.2
.
HTTPS POST Form Brute-Force
hydra -l user -P pass.txt 192.168.1.4 https-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V
This attempts to brute-force a login form over HTTPS where the login path is /login
, with username
and password
as form parameters, and an incorrect login attempt includes the word "incorrect". It uses a single username (user
) and a list of passwords (pass.txt
), with verbose output enabled (-V
).
2. Network Mapper (Nmap)
Nmap, or the Network Mapper, is a tool that serves as a discovery, scanning, and auditing network system. Nmap’s core function doesn’t include brute-force attacks. However, it has a scripting engine (NSE) that lets users write scripts for multiple tasks which includes among many others vulnerability detection and network discovery. Brute-forcing passwords is also included.
In order to use Nmap for brute-force attacks you need to append --script
to the option followed by the specific script you want to use. Some of them are SSH, FTP, HTTP and more.
nmap -p <port> --script <script-name> --script-args userdb=<user-list>,passdb=<pass-list> <target>
-p <port>
specifies the port number(s) on which the target service is running.--script <script-name>
indicates the NSE script to use for the brute-force attack. For example ssh-brute for SSH services.--script-args
lets you pass arguments to the NSE script (userdb for list of usernames / passdb for list of passwords)<target>
is the IP address or hostname of your target system
SSH Brute-Force Attack
nmap -p 22 --script ssh-brute --script-args userdb=users.txt,passdb=passwords.txt 192.168.1.1
This command attempts to brute-force SSH logins on port 22 of the target 192.168.1.1
, using users.txt
as a list of usernames and passwords.txt
as a list of passwords. If you don't pass --script-args
for user and password database then nmap will use default sets of usernames and passwords. These defaults are built into the script itself or rely on Nmap's built-in lists for common usernames and passwords.
FTP Brute-Force Attack
nmap -p 21 --script ftp-brute --script-args userdb=users.txt,passdb=passwords.txt 192.168.1.2
Similar to the SSH brute-force example, this command targets FTP services on port 21, attempting to log in with combinations from users.txt
and passwords.txt
.
HTTP Form Brute-Force Attack
nmap -p 80 --script http-form-brute --script-args "form-path=/login.html, userdb=users.txt, passdb=passwords.txt, form-submit='Log+In', user-field=uname, pass-field=passw" 192.168.1.3
This example demonstrates how to brute-force a login form on a web application. It specifies the path to the login form, the file with usernames, the file with passwords, the names of the form fields for the username and password, and the form submission button's label.
3. Medusa
Medusa is a super-fast, massively parallel, modular login brute-forcer. It supports many protocols including SSH, SMB, POP3, SMTP, FTP, and HTTP(S). The aim is to support as many services which allow remote authentication as possible.
Basic Syntax:
medusa -h <target host> -u <username> -p <password> -M <module>
-h <target host>
: Specifies target host's IP address or hostname-u <username>
: Single username for login attempt-U <user list>
: File containing usernames to use for login attempts.-p <password>
: Single password for login attempt-P <password list>
: File containing passwords to use for login attempts.-M <module>
: Type of service to attack (e.g., ssh, ftp)
For example, to perform a brute-force attack on an FTP service with a list of usernames and passwords, the command would be:
medusa -h 10.10.1.11 -U username.txt -P password.txt -M ftp
4. Patator
Patator is another tool that can be used for brute-force attacks on enumerations of SNMPv3 usernames, VPN passwords, and other types of credential attacks. You can download Patator from https://github.com/lanjelot/patator. It's written in Python and is designed to be a versatile tool for a wide range of brute force attacks or testing scenarios. Unlike single-purpose brute-force tools, Patator is modular, making it capable of adapting to different network services and testing needs.
Patator is invoked by calling its main script followed by the module you want to use, like ftp_login
for FTP servers or http_fuzz
for HTTP services. Each module then takes its own set of arguments and options.
patator <module_name> host=<IP> user=<USER> password=<PASSWORD_LIST> 0=<USER_LIST> 1=<PASSWORD_LIST> -x ignore:code=401
<module_name>
: The name of the module you're using (e.g.,ftp_login
,ssh_login
).host=<IP>
: The target's IP address or hostname.user=<USER>
andpassword=<PASSWORD_LIST>
: Credentials to attempt. Lists are specified for brute-force attempts.0=<USER_LIST>
and1=<PASSWORD_LIST>
: Specifies the paths to the user and password lists for brute-force attacks.-x ignore:code=401
: An example of how to ignore certain responses (in this case, HTTP 401 Unauthorized responses).
Here's a simple example of using Patator to brute-force an SSH login:
patator ssh_login host=10.10.1.11 user=FILE0 0=msuser.txt password=FILE1 1=mspassword.txt -x ignore:mesg='Authentication failed.'
- This command attempts to log into an SSH server at
10.10.1.11
using usernames frommsuser.txt
and passwords frommspassword.txt
. - The
-x ignore:mesg='Authentication failed.'
part tells Patator to ignore output containing 'Authentication failed.' as it's a normal part of brute-forcing.
To brute-force a login form on a website:
patator http_fuzz url=http://192.168.1.100/login method=POST body='username=FILE0&password=FILE1' 0=usernames.txt 1=passwords.txt -x ignore:fgrep='Login failed'
- This attempts to POST to a login form at
http://192.168.1.100/login
with usernames and passwords from the respective files. - The
-x ignore:fgrep='Login failed'
option tells Patator to ignore responses containing 'Login failed'.
5. Hashcat (Hash Cracking)
Unlike hashing, encryption is reversible. By using a key, encryption allows plaintext data to be encrypted into ciphertext and decrypted back to plaintext.
- Symmetric key encryption relies on the same cryptographic key to both encrypt and decrypt the data.
- Asymmetric key encryption uses two different keys for both encryption and decryption. The secret key is only known by the author, and the public key is shared to anyone wishing to decrypt the messages. This is mostly found in client-server models for authenticating access using digital certificates (X.509) or a public key infrastructure (PKI).
Common Hashing and Encryption Algorithms are explained in below table:
Algorithm Type | Name | Output Size | Characteristics | Common Uses |
---|---|---|---|---|
Hashing | MD5 | 128 bits | Fast, but considered cryptographically broken and unsuitable for further use. | Legacy applications, checksums (with caution). |
SHA-1 | 160 bits | Faster than SHA-2, but vulnerabilities (e.g., collision attacks) render it unsuitable for security-sensitive applications. | Legacy applications, checksums (with caution). | |
SHA-256 | 256 bits | Part of the SHA-2 family, it's secure and widely used. | Cryptocurrency (Bitcoin), SSL certificates, security applications. | |
SHA-3 | Variable | The latest member of the Secure Hash Algorithm family, offering enhanced security features. | General security applications, digital signatures. | |
Encryption | AES | 128, 192, or 256 bits | Symmetric key encryption that is fast and secure. The standard for encryption. | Secure file storage, SSL/TLS, disk encryption. |
DES | 56 bits | Now considered insecure due to its short key length. | Legacy systems (replaced by AES). | |
3DES | 168 bits | An improvement over DES, but slower than AES and less secure than AES-256. | Legacy systems, transitioning to AES. | |
RSA | Variable | Asymmetric key encryption, secure but computationally intensive. | Digital signatures, SSL/TLS certificates, secure email. |
Passwords may be sent over the wire or stored in hashed format. You may intercept one or more of these hashes while pursuing other network attacks, for example, with Responder. Unlike password spraying, you do not risk account lockouts or alert triggers by cracking a hash offline.
Hashcat is a password recovery tool that’s become very popular in the cybersecurity world for its ability to crack hashed passwords and comes with Kali Linux and other penetration testing Linux distributions. You can also download it from https://hashcat.net/hashcat. It supports all sorts of algorithms such as MD5, SHA-1, and SHA-256. Hashcat has both CPU and GPU hardware support which allows it to process large quantities of hash values very quickly.
When you use Hashcat, it’ll take the hash value of a password from a database (this generally comes from obtaining an audit) and then compare it with other hash values generated by potential passwords taken from wordlists or brute-force lists. Once there’s a match, we know we’ve found the original password. The different modes Hashcat offers are:
- Straight: Basic dictionary attack.
- Combination: Two dictionaries are combined.
- Brute-force: We try everything at once.
- Hybrid: Dictionary and brute force attacks combined together.
- Rule-based: Mutation rules applied to dictionaries.
The basic command structure for Hashcat looks like this:
hashcat [options] <hashfile> <wordlist>
[options]
holds plenty of flags and settings such as what mode to attack with or what type of hash we’re working with.<hashfile>
is the file containing the target hash or hashes<wordlist>
is just the file holding some potential passwords.
For demonstration, let's use "hello123" as our example password. We will generate sha256sum for hello123 and store it in a file:
echo -n "hello123" | sha256sum
Save the generated checsum into a file:
echo 27cc6994fc1c01ce6659c6bddca9b69c4c6a9418065e612c69d110b3f7b11f8a > sample_hash.txt
Create a text file named wordlist.txt
that contains possible passwords, including "hello123". You can do this using a text editor or the command line. For example:
echo -e "password123\nhello123\n12345678" > wordlist.txt
This creates a file with three possible passwords, one of which is the correct password for the hash we generated.
Run Hashcat with the following command:
hashcat -m 1400 -a 0 -o cracked.txt sample_hash.txt wordlist.txt
Here’s what each option means:
-m 1400
: Sets the mode to SHA-256 hash.-a 0
: Specifies a straight attack mode (using a wordlist).-o cracked.txt
: Outputs the results to a file namedcracked.txt
.sample_hash.txt
: The file containing your target hash.wordlist.txt
: Your wordlist file.
hashcat --help
for more details.After Hashcat completes its run, check the cracked.txt
file to see if the password was cracked. Use the command:
If successful, you’ll see the hash followed by the cracked password, indicating Hashcat found the matching password in your wordlist.
Now one of the important factor here is identifying the hash as if you use incorrect hash mode then hashcat will fail to crack the hash. For example in the same hash file I created abaove, if I try to crack using -m 500
i.e. for MD5 then it is going to fail.
Hashfile 'sample_hash.txt' on line 1 (27cc69...4c6a9418065e612c69d110b3f7b11f8a): Separator unmatched No hashes loaded.
To identify the hash value you can use hashid which can help you identify different encryption formats. As you can see in below screenshot, hashid has given a list of possible encryption type for the provided hash value:
6. John the Ripper (Hash Cracking)
John the Ripper or John is a powerful software designed for cracking passwords. It’s able to identify password hash types and contains a customizable cracker. It can be used against a range of encrypted password formats, most commonly those using several crypt password hash types found in Unix systems.
The tool operates in different modes, including wordlist (dictionary), brute force, and incremental mode.
- Wordlist Mode: A file containing potential passwords is used by this mode.
- Brute Force Mode: This mode attempts every possible combination of characters.
- Incremental Mode: Password guesses are made in a more systematic way, based on character frequency and position.
In Kali Linux john
is installed by default, you can check the version of installed tool:
└─# john --help John the Ripper 1.9.0-jumbo-1+bleeding-aec1328d6c 2021-11-02 10:45:52 +0100 OMP [linux-gnu 64-bit x86_64 AVX2 AC]
For demonstration purposes, we'll create a simple hash. Let's say we have a password hello123
that we want to hash using SHA-256. You can generate this hash using:
echo -n "hello123" | sha256sum
Create a file named hash.txt
and paste your hash there. For John to understand it, you need to specify the hash type as it doesn't directly support raw hashes without knowing the format. For raw SHA-256, you can format it like this in the file:
hello123:$SHA256$27cc6994fc1c01ce6659c6bddca9b69c4c6a9418065e612c69d110b3f7b11f8a
However, note that for real-world scenarios, you're likely to encounter hashes in the context of their use, such as in /etc/shadow
for Unix password hashes, which John can directly process.
Let's use a simple wordlist to crack this hash. Create a file named wordlist.txt
and add several possible passwords, including hello123
.
└─# cat wordlist.txt password123 12345678 123456 password hello123 qwerty
Run John using this wordlist:
john --format=raw-sha256 --wordlist=wordlist.txt hash.txt
After John successfully cracks the hash, you can view the results with:
john --show hash.txt
This will display the cracked passwords alongside their corresponding usernames or identifiers.
To process hashes stored in the /etc/shadow
file using John the Ripper, you typically need to extract the relevant hashes and possibly use unshadow
, a utility that combines the /etc/passwd
and /etc/shadow
files to create a format that John can process more easily. The /etc/passwd
file contains user account information, and /etc/shadow
contains the password hashes but in a secure, privileged-access-required manner.
unshadow /etc/passwd /etc/shadow > combined.txt
With the combined.txt
file ready, you can now run John the Ripper against it. If you don’t specify a wordlist with the --wordlist
option, John will default to using its "incremental" mode, which attempts to brute-force the passwords. We have to specify the format using --format=crypt
.
john --format=crypt combined.txt