As everyone knows, a password is a secret word or phrase used for authentication in various software components.
People use it to get access to personal and financial information, different procedures and so on. In IT, a password is a reliable protection that helps prevent unauthorized access to personal data.
What Is Password Cracking?
Password cracking is the process of guessing an encrypted word or phrase that a hacker tries to obtain from a central database. It is used in two cases:
- When there’s a need to recover a forgotten password;
- To learn another user’s password without his/her consent for illegal actions with his/her account data.
In the QA sphere, password cracking is often used to check the security of an application and find as many system vulnerabilities as possible.
Today, with the rapid development of IT, many programmers are trying to create algorithms that can crack any password in less time. Most tools in this area focus on logging in with as many word and letter combinations as possible.
If the hacker faces a complex password (a combination of numbers, letters, and special characters), cracking it can take hours or weeks. There are also programs with built-in password dictionaries, but they are less successful, because the program saves key requests into the app while guessing a combination, and this takes some time.
In recent years, specialists have created a lot of password cracking programs. Of course, each of them has its own advantages and disadvantages.
Below, we’ll talk about the 10 most popular tools for password testing that are relevant in 2019.
#1 Brutus
It is one of the most popular remote password cracking tools. According to its developers, Brutus is the highest-quality and most effective tool for guessing a correct password.
This product is completely free and is only available for Windows OS. As an aside, the first release of this product was in 2000.
The program supports:
- HTTP (basic authentication);
- HTTP (HTML form/CGI);
- Telnet and other types (for example, IMAP, NNTP).
The product also lets a user create the necessary authentication types. It is designed to handle 60 simultaneous requests.
Brutus has resume and load options. In other words, you can stop the attack or postpone it. Although this product hasn’t been updated for a long time, it is still considered an effective and useful tool for password strength testing.
#2 RainbowCrack
It’s another popular hash cracking tool. It is based on the time-memory tradeoff, which makes it different from similar tools.
In more detail, the time-memory tradeoff is a computation done in advance: hashes of candidate passwords are calculated with a selected hash algorithm and stored in a table, so that the necessary password can later be identified by lookup.
Once the table is filled in, you can start cracking the password. As an aside, such a cracking strategy is considered more effective than a simple text combination attack.
The developers of RainbowCrack have taken care of their users, who don’t need to create tables from scratch. The product comes with tables in LM, NTLM, MD5 and SHA1 formats.
Moreover, some tables are sold on the official developers’ site (http://project-rainbowcrack.com/buy.php). RainbowCrack is available for Linux and Windows operating systems.
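The time-memory tradeoff described above, as an added example (not RainbowCrack's code and not from the original article): a toy rainbow table over a constructed keyspace of 4-digit PINs, which stores only chain endpoints and finds nothing once the same PIN is hashed with a salt. The function names, chain length, start points and salt value are assumptions made for illustration.

```python
import hashlib

KEYSPACE = 10_000   # constructed toy keyspace: all 4-digit PINs
CHAIN_LEN = 50      # longer chains: smaller table, slower lookup

def h(plain: str, salt: bytes = b"") -> bytes:
    """MD5 (one of the table formats named above); unsalted by default."""
    return hashlib.md5(salt + plain.encode()).digest()

def reduce(digest: bytes, col: int) -> str:
    """Map a digest back into the keyspace, differently in each column."""
    return f"{(int.from_bytes(digest[:8], 'big') + col) % KEYSPACE:04d}"

def build_table(starts):
    """Fill the table: walk every chain, keep only endpoint -> start(s)."""
    table = {}
    for start in starts:
        plain = start
        for col in range(CHAIN_LEN):
            plain = reduce(h(plain), col)
        table.setdefault(plain, []).append(start)
    return table

def lookup(table, target: bytes):
    """Return the plaintext whose unsalted hash is target, else None."""
    for pos in range(CHAIN_LEN - 1, -1, -1):      # column target may sit in
        plain = reduce(target, pos)
        for col in range(pos + 1, CHAIN_LEN):     # finish the chain from there
            plain = reduce(h(plain), col)
        for start in table.get(plain, []):        # endpoint hit: replay chain
            cand = start
            for col in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce(h(cand), col)
    return None

STARTS = [f"{n:04d}" for n in range(0, KEYSPACE, 25)]   # 400 chain starts
TABLE = build_table(STARTS)

if __name__ == "__main__":
    print("stored chains:", sum(len(v) for v in TABLE.values()))
    print("unsalted hash of 0025 ->", lookup(TABLE, h("0025")))
    # Same PIN hashed with a (constructed) per-user salt: the table is useless.
    print("salted hash of 0025   ->", lookup(TABLE, h("0025", b"constructed-salt")))
```

For an audit, the practical reading is that unsalted LM, NTLM, MD5 or SHA1 password hashes should be reported as recoverable from precomputed tables, while per-user salts force the work to be redone for every account.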
#3 Wfuzz
This is one more well-known web tool for password cracking, based on a brute-force attack over possible combinations. Wfuzz can easily be used both as a password cracker and as a tool to find hidden directories and scripts.
This program can also identify different kinds of injections, such as SQL and LDAP, inside the selected web applications.
Main features and functionality of this product:
- Capability to create injections simultaneously from several points;
- Data output in colored HTML;
- Search by headers and post;
- Multi-Threading and Multiple Proxy Support;
- Combination attack through POST and GET requests;
- Cookies cracking.
#4 Cain and Abel
It is another popular password cracking tool that helps to solve quite difficult tasks. The product’s key feature is that the program is only available for Windows OS.
It can also act as a network analyzer, crack passwords with a dictionary attack, record VoIP conversations, find password boxes, decode encrypted files, and analyze routing protocols.
This tool wasn’t developed to find errors or vulnerabilities. Its main task is to find weaknesses in security protocols in order to guess the encrypted password. It was made for professional testing teams, network administrators, network security professionals, and forensic cyber specialists.
You may download this product here: http://www.oxid.it/ca_um/
#5 John the Ripper
This is a well-known free tool that helps to crack passwords in web products on such operating systems as Linux, Windows, and Mac OS X. It may quickly find weak passwords and decipher them.
There’s a licensed version for professional testing teams and network administrators. Also, you can set an objective function for a certain operating system.
Use the following link to download this tool: http://www.openwall.com/john/
#6 THC Hydra
It is high-quality software for fast password cracking of logins on a secure network. It performs well compared with similar tools. You can easily add new modules to extend its functionality and improve performance.
The program is available for the following operating systems: Windows, Linux, FreeBSD, Solaris, and Mac OS X.
It supports the following protocols:
- Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable,
- CVS, Firebird, FTP, HTTP, HTTP-FORM-GET, HTTP-FORM-POST,
- HTTP-GET, HTTP-HEAD, HTTP-PROXY,
- HTTPS-FORM-GET, HTTPS-FORM-POST, HOST, HTTPS-GET,
- IMTPS-POST, IC, MS-SQL, MYSQL, NCP, NNTP,
- Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP,
- Rexec, Rlogin, Rsh, SAP/R3, SIP, SMTP, SMTP, SMTP Enum, SNMP,
- SOCKS5, SSH (v1 and v2), VOCMP, Telecum (VMS, XSMP, V2, SSH.
In order to download this tool follow the link: https://www.thc.org/thc-hydra/.
What’s remarkable is that all developers can participate in the improvement of this software by contributing their own technical solutions via support.
#7 Medusa
This program is very similar to the previous one. According to its developers, Medusa is a multifunctional and fast tool for brute-force attacks on protected systems. It supports the following protocols:
- HTTP, FTP, CVS, AFP,
- IMAP, MS SQL, MYSQL,
- NCP, NNTP, POP3, PostgreSQL, pcAnywhere, rlogin,
- SMB, rsh, SMTP, SNMP, SSH, SVN,
- VNC, VmAuthd, and Telnet.
It’s a command-line tool, so you must learn the most important commands and actions before using the program. Its effectiveness depends entirely on the ability to connect to the network. On a local area network, it can test up to 2000 passwords per second.
The software also allows performing a parallel attack. Let’s imagine that you need to crack several email accounts simultaneously. You just have to specify a list of potential names and give Medusa the task together with the potential passwords.
Read more about the product’s functionality here: http://foofus.net/goons/jmk/medusa/medusa.html
You can download this tool here: http://www.foofus.net/jmk/tools/medusa-2.1.1.tar.gz
#8 Ophcrack
It is a completely free, rainbow-table-based password cracking tool for Windows. It is very popular on this operating system, but it can also be used on Linux and Mac OS.
In order to download the product, follow the link: http://ophcrack.sourceforge.net/
And download tables here: http://ophcrack.sourceforge.net/tables.php
#9 L0phtCrack
In fact, this is a simple alternative to the previous software. Its functionality is based on cracking Windows passwords from hashes. For this purpose, specialists use network servers, active Windows workstations, primary domain controllers and Active Directory.
The product was released in 2006 and 2009. There’s an option to run the password audit on a time-based schedule. Also, you can set a breakdown by day, month or year.
You can download this tool here: http://www.l0phtcrack.com/
#10 Aircrack-ng
It is a program for cracking Wi-Fi passwords. It can analyze encrypted wireless packets and then crack the password on the basis of an algorithm.
It is available for Linux and Windows OS.
Read more about this program here: http://www.aircrack-ng.org/doku.php?id=getting_started
Download the product here: http://www.aircrack-ng.org/
A password is what is supposed to protect any web product and component from unauthorized access. Any professional QA team that provides security testing services must have all these tools. Such programs prove that there are no passwords that can’t be cracked.
But at the same time, these products’ capabilities make it possible to build really good protection, which could include the most advanced security methodologies.
If you know and regularly use these tools, you can perform a security audit of your software and work out how to achieve complete security in the modern world of IT.