How to Crack Passwords in Linux

How to Crack Passwords in Linux

What Do I Need?

  • Any Dedicated or Virtual Server
  • Kali Linux

What is Password Cracking?

It’s massively important that passwords are difficult to remember or guess. Why? To stop people or bad actors from gaining access to your top secret stuff, whatever it may be.

Passwords that are difficult to remember can also reduce the security of a system transversely as most users might need to write down or electronically store the password using an insecure method. Or, more commonly, some users are more likely to reuse the same password for everything.

Password cracking is the process of recovering passwords from data that’s been stored or transmitted electronically by a computer system in a scrambled form. A common approach is to repeatedly guess the password and check them against an available cryptographic hash of the password – otherwise known as ‘brute-force attack’. Password cracking can not only take quite some time, it’s also computationally expensive to accomplish at scale. The time to crack a password is directly related to its Bit strength. Bit strength is the measure of a password’s entropy as well as the details of how the password is actually stored. Most methods for password cracking require a powerful computer to produce many candidate passwords, or rainbow tables, against which each password is checked.

  1. Hydra
    1. Hydra is an application for cracking ‘login’ and supports many protocols, or vectors, to attack. For example, cisco auth, cisco enable, cvs, ftp, http and https-form get, http and https-form post, proxy, imap and irc, etc, etc.
    2. To open go go to ‘Applications’ > ‘Password Attacks’ > ‘Online Attacks’ > ‘hydra’.
      How to Crack Passwords in Linux
    1. The ‘hydra’ terminal window will open:
      How to Crack Passwords in Linux
    1. For this example, we’ll brute force attack the FTP service of a virtualized machine that’s been made exploitable using ‘Metasploit’, which has the ip address ‘192.168.1.101’:
      How to Crack Passwords in Linux
    1. Kali Linux being the awesome operating system that it is includes a number of useful things to experiment with. It has a word list with the extension ‘list’ in the path:
      usr/share/wordlist/metasploit

      How to Crack Passwords in Linux

    1. Use the following command with the ‘-V’ switch to find username and password:
      hydra -l /usr/share/wordlists/metasploit/user -P 
      /usr/share/wordlists/metasploit/ passwords 
      ftp://192.168.1.101 -V

      How to Crack Passwords in Linux

    1. The username and password are found out to be ‘msfadmin:msfadmin’.
      How to Crack Passwords in Linux
  1. Johnny
    1. Johnny is a graphical user interface for one of the most popular password cracking tools, ‘John the Ripper’. It’s generally used for cracking weak or weaker passwords.
    2. To open go to ‘Applications’ > ‘Password Attacks’ > ‘johnny’.
      How to Crack Passwords in Linux
    1. For this example, we’re going to extract and unscramble the password of the local virtual machine with the following command. This will create a crackable file on the operating system’s desktop:
      cat /etc/passwd > Desktop/crack && cat /etc/shadow >> Desktop/crack

      How to Crack Passwords in Linux

    1. Click ‘Open Passwd File’ from the ‘Johnny’ GUI.
    2. Click ‘OK’ and all of the files available files and users to be cracked will be shown.
      How to Crack Passwords in Linux
    1. Click ‘Start Attack’.
      How to Crack Passwords in Linux
    1. Again, wait a moment as this bit can take some time depending on the speed of your machine.
    2. After the attack is complete, click the button on the left panel that’s marked ‘Passwords’, and all cracked passwords will be unshaded in the main dialog.
      How to Crack Passwords in Linux

Conclusion

These are only a couple of the amazing tools available to Linux users for password cracking and wordlist exploration. For example, if you’re someone more into command line interfaces (CLI) you could use ‘John’, which is the command line version of ‘Johnny GUI’. You could also explore an amazing piece of software called ‘Rainbowcrack’ that focuses on the use of large dictionary files as a vector for large-scale, high-impact brute force attacks of the targeted passwords.

How To Set up a VSFTPD Server on a CentOS 7 VPS or Dedicated Server

Brief Description FTP is usually insecure exposing clear-text passwords, userna
2 min read
Avi Ilinsky
Avi Ilinsky
Hosting Expert

How To Set up a VSFTPD Server on an Ubuntu 16.04 VPS or Dedicated Server

Brief Description FTP data is usually insecure since information (usernames, pa
2 min read
Eliran Ouzan
Eliran Ouzan
Web Designer & Hosting Expert

How to use phpMyAdmin to develop a website (without MySQL experience)

Brief description A web developer who is not well versed into coding websites f
2 min read
Idan Cohen
Idan Cohen
Marketing Expert

How to Install MySQL on a Windows Web Server Running Apache

This tutorial will show you how to install the MySQL database on a Windows serve
3 min read
Michael Levanduski
Michael Levanduski
Expert Hosting Writer & Tester
HostAdvice.com provides professional web hosting reviews fully independent of any other entity. Our reviews are unbiased, honest, and apply the same evaluation standards to all those reviewed. While monetary compensation is received from a few of the companies listed on this site, compensation of services and products have no influence on the direction or conclusions of our reviews. Nor does the compensation influence our rankings for certain host companies. This compensation covers account purchasing costs, testing costs and royalties paid to reviewers.
Click to go to the top of the page
Go To Top