Sunday, 12 February 2012



 Following is list of some well known and powerful password cracking tools that usually each and every hacker has in his/her toolkit. Since they are best sooner or later we will cover all of them on this blog.
Whenever they will be covered you'll find click here link to read more about that tool. For now lets take our first time eye on those tools.

L0phtCrack


L0phtCrack was developed by L0pht Heavy Industries to reveal the security flaws in Windows authentication system. Now it lists out itself as one of the best Windows based password hacking tools. Its popularity is so high that nearly every password dumping tool dumps password in L0phtCrack compatible format or has option to dump password for L0phtCrack. It attempts to crack Windows password from hashes which can be obtained from standalone computers, networked devices or active directories. It supports various methods to attack for getting valid password including dictionary based attack, rainbow tables, hybrid attacks and even brute force. If used with proper hardware there's no way any password can withstand its might. The best part it is that it now supports cracking Linux and UNIX password too. You can download and use it for 15 days as trial.

John The Ripper

Currently known as best password cracker available. It is command line tool. Officially it supports several Operating Systems including several versions of Linux and UNIX and practically all versions of Windows. If your OS is not supported you can download source files and compile it to get a working tool. The best part of compiled source is that it is optimized to work better on your system. Its primary purpose is to detect weak UNIX, Linux and Windows based password. Both free and pro versions are available and they both are equally good. Please note that many anti-virus programs usually consider password cracking tools as virus or Trojans and John The Ripper doesn't fall in exception. I would better advice you to use this tool on a system without Anti-Virus program.

Brutus


Brutus is network brute force attacking tool. It is windows only tool but can also be used with many versions of Linux with help of Wine and Crossover. It works against network service of remote systems and tries to get password using dictionary based, hybrid and brute force attack. Officially it supports several protocols including HTTP, POP3, FTP, SMB, TELNET, IAMP, NTP and many more. Even if any protocol is not supported protocol support plug-ins are available. Its free but source code is not available.

THC Hydra


Whenever you need a brute force attacker for remote system THC Hydra is always a tool of choice. It can perform rapid dictionary attacks against more then 30 protocols, including telnet, ftp, http, https, smb, several databases, and much more. Officially Windows system is not supported but you can run it in Cygwin a UNIX emulator for windows.

Rainbow Crack


The RainbowCrack tool is a hash cracker that makes use of a large-scale time-memory trade-off. A traditional brute force cracker tries all possible plaintexts one by one, which can be time consuming for complex passwords. RainbowCrack uses a time-memory trade-off to do all the cracking-time computation in advance and store the results in so-called "rainbow tables". It does take a long time to precompute the tables but RainbowCrack can be hundreds of times faster than a brute force cracker once the precomputation is finished.

Solar Winds Engineers Toolset


Not only one of the best enumeration and networking monitoring tool Solar Winds also stands out to be tool that can be used as awesome password auditing tool. It has more than 20 system monitoring tools along with identification of weak user accounts and password. A must have tool for every Windows administrator.

Cain And Abel


We usually boast that all cool password cracking tools are available for UNIX only but this falls in exception. This Windows-only password recovery tool handles an enormous variety of tasks. It can recover passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VOIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

Limits on the number of password guesses

An alternative to limiting the rate at which an attacker can make guesses on a password is to limit the total number of guesses that can be made. The password can be disabled, requiring a reset, after a small number of consecutive bad guesses (say 5); and the user may be required to change the password after a larger cumulative number of bad guesses (say 30), to prevent an attacker from making an arbitrarily large number of bad guesses by interspersing them between good guesses made by the legitimate password owner. [7] The username associated with the password can be changed to counter a denial of service attack.

Rate at which an attacker can try guessed passwords


The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a time-out of several seconds after a small number (e.g., three) of failed password entry attempts. In the absence of other vulnerabilities, such systems can be effectively secure with relatively simple passwords, if they have been well chosen and are not easily guessed.[6]
Many systems store or transmit a cryptographic hash of the password in a manner that makes the hash value accessible to an attacker. When this is done, and it is very common, an attacker can work off-line, rapidly testing candidate passwords against the true password's hash value. Passwords that are used to generate cryptographic keys (e.g., for disk encryption or Wi-Fi security) can also be subjected to high rate guessing. Lists of common passwords are widely available and can make password attacks very efficient. (See Password cracking.) Security in such situations depends on using passwords or passphrases of adequate complexity, making such an attack computationally infeasible for the attacker. Some systems, such as PGP and Wi-Fi WPA, apply a computation-intensive hash to the password to slow such attacks.

Factors in the security of a password system


The security of a password-protected system depends on several factors. The overall system must, of course, be designed for sound security, with protection against computer viruses, man-in-the-middle attacks and the like. Physical security issues are also a concern, from deterring shoulder surfing to more sophisticated physical threats such as video cameras and keyboard sniffers. And, of course, passwords should be chosen so that they are hard for an attacker to guess and hard for an attacker to discover using any (and all) of the available automatic attack schemes. See password strength, computer security, and computer insecurity.
Nowadays it is a common practice for computer systems to hide passwords as they are typed. The purpose of this measure is to avoid bystanders reading the password. However, some argue that this practice may lead to mistakes and stress, encouraging users to choose weak passwords. As an alternative, users should have the option to show or hide passwords as they type them.[4]
Effective access control provisions may force extreme measures on criminals seeking to acquire a password or biometric token.[5] Less extreme measures include extortion, rubber hose cryptanalysis, and side channel attack.
Here are some specific password management issues that must be considered in thinking about, choosing, and handling, a password.

Memorization and guessing


The easier a password is for the owner to remember generally means it will be easier for an attacker to guess.[1] Passwords which are difficult to remember will reduce the security of a system because (a) users might need to write down or electronically store the password, (b) users will need frequent password resets and (c) users are more likely to re-use the same password. Similarly, the more stringent requirements for password strength, e.g. "have a mix of uppercase and lowercase letters and digits" or "change it monthly", the greater the degree to which users will subvert the system.[2]
In The Memorability and Security of Passwords,[3] Jeff Yan et al. examine the effect of advice given to users about a good choice of password. They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords. Combining two unrelated words is another good method. Having a personally designed "algorithm" for generating obscure passwords is another good method.
However, asking users to remember a password consisting of a “mix of uppercase and lowercase characters” is similar to asking them to remember a sequence of bits: hard to remember, and only a little bit harder to crack (e.g. only 128 times harder to crack for 7-letter passwords, less if the user simply capitalises one of the letters). Asking users to use "both letters and digits" will often lead to easy-to-guess substitutions such as 'E' --> '3' and 'I' --> '1', substitutions which are well known to attackers. Similarly typing the password one keyboard row higher is a common trick known to attackers.

Password


A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource (example: an access code is a type of password). The password should be kept secret from those not allowed access.
The use of passwords is known to be ancient. Sentries would challenge those wishing to enter an area or approaching it to supply a password or watchword. Sentries would only allow a person or group to pass if they knew the password. In modern times, user names and passwords are commonly used by people during a log in process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), etc. A typical computer user may require passwords for many purposes: logging in to computer accounts, retrieving e-mail from servers, accessing programs, databases, networks, web sites, and even reading the morning newspaper online.
Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words may be harder to guess, a desirable property. Some passwords are formed from multiple words and may more accurately be called a passphrase. The term passcode is sometimes used when the secret information is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be easily memorized and typed.
Authentication by password is less secure than authentication which uses cryptographic protocols. Passwords might be stolen, spoofed, or forgotten.