Sunday, June 19, 2011

PACK - Password Analysis and Cracking Kit

I made this video while I was messing around trying to figure out how to get started with the whole making videos thing. PACK stands for Password Analysis and Cracking Kit, and it can be a handy tool to have around. It can be used to analyze your wordlists and provide you with helpful statistics which can show trends. These trends can be used to help you identify the quickest methods for yeilding the highest results. It also has the ability to provide an analysis output of the proposed masks to use or that would be needed, which can be very handy in turning around and inputting into tools in the Hashcat suite. It does not do much else, hope you enjoy none the less...

Wordlists & Password Profiling with CRUNCH, WyD, & CUPP

Today I am going to show you how to use three (3) different tools in Linux (Backtrack 5) for creating targeted wordlists to help speed up and increase the chance of success for your dictionary attacks. I will be covering the use of CRUNCH for pure wordlist generation, and then I will cover the use of WyD and CUPP which use password profiling techniques to create targeted wordlists to narrow your attacks. I will provide the written walk through here with a video at the end. Let's begin with CRUNCH...

++++++++++++++++++++++++++++CRUNCH - WORDLIST GENERATOR+++++++++++++++++++++++++++++

CRUNCH is a wordlist generator based on the user specified character set. It takes the character set designated by the user and generates all combinations and permutations possible into a nice new wordlist for you to use in your dictionary/bruteforce tools. It supports lower and upper alpha-numeric as well as special character set and also has the ability to break the output into multiple files based on the number of lines or designated file size. It also has the ability to pause and resume which is helpful when generating very large wordlists that may take some time to fully compile. You can download the latest version from the sourceforge homepage, which is located here:

You will need to download and extract using the following methods:
               COMMAND: tar -zxvf crunch-3.0.1.tgz
               COMMAND: cd crunch-3.0.1/
               COMMAND: make && make install
Crunch can be used to create great wordlists and with the proper sytnax can even be piped directly into brute-forcing tools, for example AirCrack and CowPatty can use the piped output for Wireless password cracking (I highly suggest CowPatty if you are dealing with large wordlists due to restrictions in AirCrack on the number of keys that can be processed).

Basic syntax of CRUNCH looks like this (See MAN Pages for details):
./ crunch <min-len> <max-len> [-f /path/to/charset.lst charset-name] [-o  wordlist.txt]
      [-t [FIXED]@@@@] [-s startblock] [-c number]

Breakdown of Syntax:
o   min-len = minimum length string to start at (REQUIRED)
o   max-len = maximum length string to end at.  (REQUIRED)
o   charset = defines the char set to use (If you leave it will use lower case alpha only.
§  NOTE: If you want to include the space character in your character set you must enclose your character set in quotes, like so: "abc ". If you want to use char set files you can reference the -t argument below or just paste it in (check my Hashcat tutorial for full char sets you can use, or reference the charsets.lst that install s with Crunch in default directory).
o   -b = number[type: kb/mb/gb] - which specifies the size of the output file (no space between the number and type (50kb/50mb/50gb).
§  NOTE: only works if -o START is used and the output files will be in the format of starting letter-ending letter for example: ./crunch 4 5 -b 20mib -o START will generate 4 files: aaaa-gvfed.txt, gvfee-ombqy.txt, ombqz-wcydt.txt, wcydu-zzzzz.txt
o   -c <number> = Is similar to -b above but breaks the files based on the number of lines to write to the output file. It also requires -o START to be used
§  NOTE: The output files will be in the format of starting letter-ending letter for example: ./crunch 1 1 -f /pentest/password/crunch/charset.lst mixal- pha-numeric-all-space -o START -c 60 will result in 2 files: a-7.txt and 8-\ .txt The reason for the slash in the second filename is the ending character is space and ls has to escape it to print it (so Yes you will need to put in the \ when specifying the filename because the last character is a space)
o   -f </path/to/charset.lst> <charset-name> = Allows you to specify a character set from the charset.lst
o   -i = Inverts the output so instead of aab,aac,aad you get baa,caa,daa
o   -o <wordlist.txt> = defines the file to write output to
o   -p <charset> OR -p <word1 word2...> = This tells the tool to not generate words that have repeating characters and produces a much smaller wordlist, generally only helpful if you know the password policy doesn't allow this
o   -q <filename.txt> = tells the tool to read from filename.txt and perform permutations based on what is read from file. This can not be used with the -s or -t arguments below
§  NOTE: it also ignores the min and max length arguments despite the fact that they must still be included as part of the sytax to run properly
o   -r = this tells the tool to resume where it left off, although you have to make you re=start it with the exact same command that was last used with the addition of the -r at the end (does not work with -s in original command so just remove it when resuming)
o   -s <startblock> = this defines the string to start running crunch on
o   -t <@*%^> = this is helpful for someone who may have been shoulder surfing and knows some of the characters but not all, as this argument allows you to specify a pattern and define positions to replace (and how to replace), for example:
o   -t *^ssw@rd%
§  __ssw_rd_ = the fixed letters
§  @ will insert lower aplha (a-z)
§  * will insert upper alpha (A-Z)
§  % will insert numbers (0-9)
§  ^ will insert symbols (!@#$%^&*)
·        Eventually this would work the word P@ssword1 into our final output which would help us find the password needed for this example
o   -z <gzip|bzip2|lzma> = This will tell crunch to compresses the output from the -o option using the chosen method (gzip/bzip2/lzma).

EXAMPLE: ./crunch 4 4 abc123 -b 1mb -o START
               Generates all possibilities of 4 characters in length (min is set to 4 and max as well)
using the charset of abc123, with defined output file size of not to exceed 1mb
EXAMPLE: ./crunch 1 4 abc123 -b 1mb -o START
               Generates all possibilities from 1 to 4 characters in length (min is set to 1 and max
              is set to 4) using the charset of abc123, output files not to exceed 1mb

NOTE: You can use a quick "cat filename.txt" to check what words are created and inserted into the file, or "wc -l <filename.txt>" to list the word count. If you look at the above shots you can see how you can split the file output based on size, which is impacted by the length designated and char set used. You should be able to figure it out from here. 
+++++++++++++(TUT) Who's Your Daddy Password Profiler (WYD)++++++++++++++++
OK, so that covers CRUNCH and how we use it to create a raw wordlist with every possibility, but this may take a while to attack how can we increase our chances for dictionary attack? We can use the Who's Your Daddy password profiling tool, a.k.a. WyD, to aid us in creating a much narrower wordlist more targeted at the individuals or members of our target site. It and the next tool CUPP are brought to us by the great folks over at Social Engineer [dot] Org. The Who's Your Daddy Password Profiler is a great tool to have in your arsenal, as it can be used to scrape information from web content and the files found on websites to extract usable information that can be used in creating more effective wordlists for dictionary attacks. You can download it from the SE site, found here:
The supported file types that it is capable of scraping info from include: plain, html, php (partially, as html), doc, pdf, mp3, ppt, jpeg, odt/ods/odp, and anything unknown with MIME type text/plain will be processed with strings
As usual you will need download and extract the files in order to get starte, like so:
               COMMAND: tar -xvf wyd-0.2.tar.tar
               COMMAND: cd wyd-0.2/
To start WyD and see the options that we have available, simply type this:
               COMMAND: perl
You may be asking: OK but how do I actually use this thing? Don't you worry; I will show you...We will need to use a common Linux tool called WGET to retrieve our entire victim's website. This tool is typically available by default in almost all Linux distros, so you should not have any problems. You can research this on the side as it has tons of options I can't go into here. For now just follow these steps to make a new folder and then move into it so we can recursively download the web content from our target site, like this:
               COMMAND: mkdir /victim-site
               COMMAND: cd victim-site/
               COMMAND: wget -r
WGET will take a while to get everything but once it is done you can find the results in the victim-site/ folder you ran the WGET command from. Now in order to create a custom wordlist using WyD you will need to use the following command:
               EXAMPLE: perl -o /path/to/ouput/file -t -b -e file/OR/path/to/victim-site/
               COMMAND: -o victim-wordlist.txt -t -b -e /home/SkyWalker/victim-site/

Breakdown of the above, which I commonly use when running this:
o   -o /path/to/output/file = tells it to send everything to file instead of printing to the screen via STDOUT. This file will become our potential wordlist (or wordlists if the -t argument is also used).
o   -t = this will tell it to create separate files based on each file type find that the tool uses to extract data from for profiling. This can only be used with the "-o" option referenced above, and will create as many output files as types found/used. 
§  NOTE/EXAMPLE: file is 'victim.txt' and there are words found in PDF, plain-text, JPEG and HTML files, you will find the following output files if used: 'victim.txt.pdf', 'victim.txt.jpeg', 'victim.txt.plain' and 'victim.txt.html'.
§  -b = this will tell the tool to disable the removal of non-alpha characters from the start of a word, which can be helpful sometimes as the default behavior of WyD is to remove them.
o   -e = this will tell the tool to disable the removal of non-alpha characters from the end of a word, which can be helpful sometimes as the default behavior of WyD is to remove them.
o   <filename> OR /path/to/directory/ = this defines where WyD will work its magic
ERRORS: If you experience any errors due to missing perl modules:
·        Ignore them and WyD will still run, but it will run without any modules that had errors. Not the end of the world but not the best we can do either.
·        Install the missing perl modules that are referenced in the error notes. In order to do this take note of the modules (and associated websites) that are referenced in the errors.
§  If you want to search via the web here is a great place to check details on any perl packages, and links to other helpful info:

That sums up Wyd, so now I will show you how we can make use of our findings from WyD with the help of CUPP to take things a step further and increase our chances even further for our dictionary attack.
++++++++++CUPP - Common User Passwords Profiler TUTORIAL+++++++++++++++++

CUPP stands for Common User Passwords Profiler, and is a great tool to add to any security testers collection and pairs strongly with the WyD tool covered above. It is a Python tool than can be used for password profiling to strengthen your dictionary attacks by creating targeted dictionaries, or wordlists, to use in attacks.
A weak password might be very short or only use alphanumeric characters, making decryption simple as you will find it in almost any of the common wordlists you can find with a quick Google Search. Another type of weak password that can be easily cracked is one that can be easily guessed. Typical passwords that people commonly use might consist of things like pets names, family, girlfriends/boyfriends, birthdays, and other important date/events, or common things people obsess about like God, sex, love, and money. You will find a lot of these items in common passwords but building a smaller wordlist to work with can sometimes save you a lot of time. CUPP will help to generate a wordlist for you based on what Social Engineering [dot] Org calls "predicting specific target passwords by exploiting human vulnerabilities". You will need to download the file from here:
You can extract it using the usual commands:
               COMMAND: tar -xvf cupp2.tar.tar
               COMMAND: python –h
Now you will have two ways to use this tool. You can either use the interactive menu or you can parse results from WyD (which was covered above). I will start with the overview of how to use it for parsing WyD results and then I will cover interactive mode.
OK, assuming you have already used the WyD tool discussed above then you can also use CUPP to parse the results and work its magic. In order to do this you will need to use the following syntax at the console:
               COMMAND: python -w /path/to/file/<filename-from-WyD-output>

To check how many words were created:
               COMMAND: wc -l output-wordlist.txt

In order to bring up interactive mode you will simply start the CUPP tool and use the "-i" argument to prompt for interactive mode ("python -i"). The tool will ask you a series of questions about your victim, and then use that information to help create a targeted wordlist you can use. When it is done asking you the basic questions you will also have a chance to choose any "extras", like having it also add special characters to the end of the words it creates. It can also add numbers to the end as well as performing an l337 permutation. Once it is done it will create a text file in the CUPP folder labeled by your answer to the first interactive question.
This wraps up my tutorial/overview of few helpful password profiling tools which will certainly aid in creating custom wordlists to facilitate faster dictionary attacks and with higher success rates. I have also included a video of everything below for those of you who enjoy visual learning. I hope you have enjoyed things this week and please stay tuned for more to come in the future, and remember to ensure you have a strong password for all your safe keepings. If you have any questions or suggestions on anything covered today please leave a comment and let me know or shoot me an email or PM. Until next time...


PS – I originally did the write up for installing and running things on Cygwin, but then I shot the video using it on Linux. It works either way, although there are less problems and full functionality of all tools in Linux. Here is the VIDEO for those that are interested:

How to Install CONKY on Backtrack 5

Today's I will show you how to install Conky on Backtrack 5 (with my first video release) and will share my configuration file so you can get started easily. This is a very cool tool that allows you to hook into Linux API and create your own custom system monitor - that looks super cool too! I will start from the beginning and walk you through basic steps and will use my preconfigured conf file to show what the final product can look like. I will leave it to you to investigate further and tweak it to fit your needs, it is fully customizable so you will have fun. If it gets to messy just remove the configuration file and start over.

Here is the video:

Steps to follow at home:
     apt-get install conky

NOTE: You may need "sudo" in front if you are not on Backtrack

Now you will need to go into "/etc/conky/conky.conf" to make the necessary edits to define what we want to monitor and how we want it all to look. Here are the steps:
     cd /etc/conky
     gedit conky.conf

Customize as you would like, but here is what mine looks like after lots of time on Google and reading through the conky docs. You should be fine with this setup and if you are at all familiar with linux you should be able to edit the conky.conf details (default or below) to your liking by simply changing interface names or colors, etc...Hope you have enjoyed, and stay tuned for more video series to come in the near future.

Laters, H.R

PS - Here is what the content of my conky.conf file looks like (just copy and paste the below over existing content and save):
# Conky, a system monitor, based on torsmo
# Any original torsmo code is licensed under the BSD license
# All code written since the fork of torsmo is licensed under the GPL
# Please see COPYING for details
# Copyright (c) 2004, Hannu Saransaari and Lauri Hakkarainen
# Copyright (c) 2005-2010 Brenden Matthews, Philip Kovacs, et. al. (see AUTHORS)
# All rights reserved.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <>.
alignment bottom_left
background no
border_width 1
cpu_avg_samples 2
default_color red
default_outline_color red
default_shade_color red
draw_borders no
draw_graph_borders yes
draw_outline no
draw_shades no
use_xft yes
xftfont DejaVu Sans Mono:size=12
gap_x 5
gap_y 60
minimum_size 5 5
net_avg_samples 2
no_buffers yes
out_to_console no
out_to_stderr no
extra_newline no
own_window yes
own_window_class Conky
own_window_type desktop
stippled_borders 0
update_interval 1.0
uppercase no
use_spacer none
show_graph_scale no
show_graph_range no
wireless_essid wlan0
wireless_mode wlan0
wireless_bitrate wlan0
wireless_ap wlan0
wireless_link_qual wlan0
wireless_link_qual_max wlan0
wireless_link_qual_perc wlan0
wireless_essid mon0
wireless_mode mon0
wireless_bitrate mon0
wireless_ap mon0
wireless_link_qual mon0
wireless_link_qual_max mon0
wireless_link_qual_perc mon0
${scroll 16 $nodename - $sysname $kernel on $machine | }
${color grey}Uptime:$color $uptime
${color grey}Frequency (in MHz):$color $freq
${color grey}Frequency (in GHz):$color $freq_g
${color grey}RAM Usage:$color $mem/$memmax - $memperc% ${membar 4}
${color grey}Swap Usage:$color $swap/$swapmax - $swapperc% ${swapbar 4}
${color grey}CPU Usage:$color $cpu% ${cpubar 4}
${color grey}Processes:$color $processes  ${color grey}Running:$color $running_processes
${color grey}File systems:
 / $color${fs_used /}/${fs_size /} ${fs_bar 6 /}
${color grey}Networking:
Up:$color ${upspeed eth0} ${color grey} - Down:$color ${downspeed eth0}
${color grey}Name              PID   CPU%   MEM%
${color lightgrey} ${top name 1} ${top pid 1} ${top cpu 1} ${top mem 1}
${color lightgrey} ${top name 2} ${top pid 2} ${top cpu 2} ${top mem 2}
${color lightgrey} ${top name 3} ${top pid 3} ${top cpu 3} ${top mem 3}
${color lightgrey} ${top name 4} ${top pid 4} ${top cpu 4} ${top mem 4}
${color grey}$hr
SYSTEM ${hr 2}
${color grey}Nodename:$color $nodename
${color grey}Current Time:$color $time
${color grey}Uptime:$color: $uptime_short
${color grey}Kernal Version:$color $kernel
${color grey}$hr
CPU ${hr 2}
${color grey}CPU:$color $freq_g Ghz
${color grey}CPU temp:$color $acpitemp C
${color grey}CPU use:$color $cpu % $alignc${cpubar 8}
${color grey}Processes:$color $running_processes/$processes
${color grey}$hr
MEMORY ${hr 2}
${color grey}Memorey usage: $mem/$memmax
$color $memperc % $alignc${membar 8}
${color grey}$hr
WIRELESS ${hr 2}
${color grey}IP:$color ${addr wlan0}
${color grey}Signal:$color ${wireless_link_qual_perc wlan0}
${color grey}Down:$color ${downspeed wlan0} Kb/s ${alignr}Up: ${upspeed wlan0} Kb/s
${downspeedgraph wlan0 15,50 ffffff ffffff} ${alignr}${upspeedgraph wlan0 15,50 ffffff ffffff}$color
Total: ${totaldown wlan0} ${alignr}Total: ${totalup wlan0}
${color grey}$hr
MON0 ${hr 2}
${color grey}IP:$color ${addr mon0}
${color grey}Signal:$color ${wireless_link_qual_perc mon0}
${color grey}Down:$color ${downspeed mon0} Kb/s ${alignr}Up: ${upspeed mon0} Kb/s
${downspeedgraph mon0 15,50 ffffff ffffff} ${alignr}${upspeedgraph mon0 15,50 ffffff ffffff}$color
Total: ${totaldown mon0} ${alignr}Total: ${totalup mon0}

Thursday, June 9, 2011

How to Setup WORKING THCHydra and Cygwin Environment on Windows 7

UPDATED: Now includes video for getting XHYDRA working on Backtrack 5 at the bottom!

Today I will show you how to setup the parallel threaded multi-protocol cracker known as THCHydra to work under a Windows 7 environment. In order to pull this off properly we will need to setup a Cygwin environment on our Windows machine, as there is NO supported .EXE file for Windows to make this magically work (probably a virus if you find one or it is very outdated). Cygwin is like a Linux emulator for Windows, in that it creates a Linux API environment within your windows environment to provide a lot of Linux API functionality (not 100% but close). This is done through the cywin1.dll which allows you to run many programs not originally designed for Windows (i.e. Linux programs like THChydra). The catch is that you can't just run any Linux program you want; you have to build or compile everything you will want to use from source to get it to work in Cygwin environment properly (and even then it is not guaranteed it will work if it was never designed for Windows/Cygwin). OK with that out of the way, we can begin...
What you need:
·        Latest version of Cygwin, available here:
·        Latest source for THCHydra (currently v6.3), available here:
o   NOTE: If you are using Linux or already have Cygwin installed and just want intro to THCHydra and how to compile properly just skip the Cygwin steps and move straight to the bottom where we focus on THChydra.

|       Steps to Install Cygwin and create environment:      |
You need to start by downloading the Setup.EXE file from the main site listed above. Just double click on this when you are ready to get started. This will open the initial setup for Cygwin environment, which by default only includes the basic items needed. You can search through them and choose the ones you want/need or choose simply to include everything if you have the space and want to avoid having to troubleshoot missing items later. For example, if for example you wanted to also compile C++ programs you would need to make sure you included the  gcc-g++ package and some kind of text editor like Vi or Nano. When running setup.exe, clicking on categories and packages in the package installation screen will provide you with the ability to control what is installed or updated. Another option is to install everything by clicking on the Default field next to the All category. If you have low bandwidth this could take some time as it downloads most of the packages from Internet (like SVN), so go have lunch and a beer, smoke or whatever your fancy and come back in a bit. This is what the process should look like for you upon opening the first time through completion with Desktop shortcut created:

**NOTE**: You can choose to only install the basics and add what you want in later, but to keep things easy and avoid having to trouble shoot to many issues I suggest just pick "ALL". Today's HDDs are getting larger and cheaper so I doubt many will have any issues due to space if you select ALL (mine was 8.29Gb total disk space once completely installed with all packages). If you want to go more advanced and select only what you need feel free, be aware that to use the GUI for THChydra, known as XHYDRA, you will need to ensure you also chose to install the proper Cygwin/X requirements as well as the basics since it relies on x-Server and Cygwin/X consists of X server, X libraries, and nearly all of the standard X clients.
When you are done Setup.EXE saves everything and creates a shortcut on your desktop as well as in the start menu. You can then use the Setup.EXE file any time you want to update or install a new Cygwin package, as once you have gone through the initial install choices it will remember your final configuration options so anytime you run it again it will open and allow you to choose to update your system by selecting additional packages.

Installed and working console should look like this; just double click your shortcut on desktop:
Now you can test it out by issuing a few commands that you wouldn’t normally have use to in Windows that are common Linux commands. Here is a quick view of: "pwd", "cd /", "ls", "ps":
**NOTE: If you are trying to find your main Windows OS drive you need to navigate to it through the "cygwindrive" located in the root folder of Cygwin environment. Here is a quick example:
               EXAMPLE: cd /cygdrive/<drive letter>/Users/<username>/path/location

For me I use the following to get to my main OS desktop area:
COMMAND: cd /cygdrive/c/Users/SkyWalker/Desktop

Now to copy the downloaded hydra tar file from our main OS desktop to our Cygwin desktop use this:
               Example: cp hydra-6.3-src.tar.gz /home/<cygwin-username>
               Mine: cp hydra-6.3-src.tar.gz /home/SkyWalker
                              Then: cd /home/SkyWalker
                              Then: ls (to confirm it was copied to where we wanted it)

This ends our brief overview and review for installing Cygwin, please spend time on the homesite and reading the user guide to figure out all the ins and outs of it. If for some reason you decide you want to remove one of the installed Cygwin packages you will simply need to re-run the Setup.EXE file. Once it is open you simply navigate the list of packages that are already installed, and choose the category you want to edit (or click on the View button). Click on the options until it changes to Uninstall and then choose next to finalize the removal of the desired package (just click till you get there, it goes: Default>Install>ReInstall>UnInstall).

If you want to remove it entirely from your system simply stop all services from running and delete all files, folders and subdirectories as well as any Desktop shortcuts from your machine and from the Setup.EXE install folder and it will be gone.

|          Steps to Compile THCHydra, once Cygwin is operational       |
I have showed you above how you can move the THCHydra tar file from where ever you downloaded it so we can start working with it. Now navigate their using your Cygwin terminal, and we will begin by extracting the contents of the download using the following command:
               COMMAND: tar -zxvf hydra-6.3-src.tar.gz
NOTE: you can add "-C /desired/path/location" to the end of the command to extract it to another location other than where you currently are located
OK, now that it is extracted you will have a new folder called hydra-6.3-src and inside you will find the contents of what was extracted, but we still need to compile it in order to get it working (you can delete the original tar file when we are done extracting). In order to compile the program you will need to use the following commands from the terminal:
               COMMAND:  cd hydra-6.3-src/
               COMMAND:  ./configure
               COMMAND:  make
               COMMAND:  make install (THIS IS ERROR PRONE ON CYGWIN)
NOTE: The last one for make install is not required but allows it to install to the local path environment to avoid always having to navigate to the install folder to use/run. This is mainly for my Linux users as it doesn’t properly work in Cygwin environment due to the default paths being different and errors can be ignored. You can edit this if needed to try and get it working, or simply navigate to the hydra folder before running it each time. If you want to add SSH you need to setup libssh on your machine as well (available at:, and you will also need to add the "-DWITH_SSH1=On" argument to the first make command (i.e. ./configure>make -DWITH_SSH1=On>make install). The default make will also setup the necessary requirements for Xhydra if you have all of the dependencies needed, however I should mention that it is not functional in Cygwin environment due to issues with the GTK+ front end and Cygwin X Server. I previous had XHYDRA working but now seems to fail due to multiple errors but I am not a real programmer and don’t quite have the time to troubleshoot it. If you know anyone that is good with GTK programs then you might be able to fix the errors when it runs under Cygwin/X (just start X Server and then X-terminal and then run ./xhydra at command line in X-terminal to start the GUI. It will appear to be fine until you hit start to run it), until then XHYDRA only works in a 100% real Linux environment.

Now let us confirm we did not waste our time for nothing, check successful installation by issuing the following command to bring up the help menu and see all of the available options:
               COMMAND: ./hydra -h

I will not go into great detail as the user guide is chalked full of details and there are already a lot of other tutorials on the net the cover how to use it, but not a lot on how to get it working on Windows (which is why I wrote this article). In order to get you started I will show you a quick example of cracking password on a basic home router user/pass for my network with Hydra (I am using a spare Netgear home router for this test), it goes a little something like this...

COMMAND: hydra -l admin -P /path/to/wordlist/passwords.txt -e ns -t 15 -f -s -vV http-get -m /

Here is how it breaks down:
·        the "-l" defins the username to use for all attempts
·        the "-P" defines password to use or the path to use for wordlist to read passwords while attacking
·        the "-e ns" instructs Hydra to attempt check for valid NULL connection (meaning blank or no password used)
·        the "-t x" defines the thread count to be used, or how many tasks at once (where x = a number)
·        the "-f" instructs Hydra to exit upon finding the first set of valid credentials or user/pass combo
·        the "-s" instruct Hydra to use SSL for connection
·        the "-vV" simply puts Hydra into verbose mode so you see what is going on while it is running
·        "" is being used as the IP address we are targeting (simply change to fit your need)
·        the "http-get"  defines the method or protocol to use for attacking (see below for full list of protocols)
·        the "-m /" is defining where to target the attacks at, or the page to try and crack

You can see above it found the password (P@ssword1) for the username admin. You can search the user guide or Google if you need further explanations on how to use it or how to target other protocols, but that should atleast give you enough to get started. I must also note some important pieces of information that you should be aware of when cracking over the network with Hydra. First, if the password is not in your dictionary you will never find it (Period - the end!). Secondly, there are going to be some basic limitations that will impact your time, for example the maximum number of attempts possible per connection, protocol being attacked/used, bandwidth, size of word list and CPU power. These factors can all impact overall time it takes to exhasut all possibilities. The "-t" argument referenced aboved can be used to change the parallel thread count being used to help speed things up, but dont set it too high or will have the reverse affect.  Here are some common max limits for attempts per connection, from the tools creators: telnet=4, ftp=6, pop3=1, amd imap=3, and here is the list of all supported protocols (as of the writing of this tutorial) so have fun cracking as the possibilities are limited only by your imagination:
               AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, 
              SSH(v1 and v2), Subversion, Teamspeak (TS2), TELNET, VMware-Auth, VNC and XMPP.
A key tip to helping stay secure is to always use a VPN connection when testing to help hide your IP, but Proxies are also a great thing to use. If you need a list of up to date working proxies please see my page dedicated to this here: Once you have identified the proxy you will be using you can incorporate it into THCHydra when testing.
If you are using the http/www service for cracking then you need to use the following argument in your command you are using:

               COMMAND: ./hydra -m /dir/ -l dumbuser -P /path/to/your/passlist http -HYDRA_PROXY_HTTP=""
If you are using any other service for cracking then you will need to use this format instead (very similar but notice the end of the argument changes from HTTP to CONNECT):

               COMMAND: ./hydra -m LH -l dumbuseradmin -P sam.dump smbnt -HYDRA_PROXY_CONNECT=""

If you need to enter credentials to use your proxy then you would add this to the end of either option:
               COMMAND: HYDRA_PROXY_AUTH="user:pass"
                              COMMAND: ./hydra -m LH -l dumbuseradmin -P sam.dump smbnt -HYDRA_PROXY_CONNECT="" -HYDRA_PROXY_AUTH="user:pass"

A strong word list is also very helpful when it comes to cracking, so try to keep manageable word lists or use tools to help create narrowed down word lists for better, or more targeted, results. THCHydra comes with the PW-INSPECTOR tool which can be used to trim a wordlist down based on password policy or known details. I like to use the word list tools provided by the Hashcat team as well as a tool called Shmoosh2x64.exe. The Hashcat team has a set of tools to help with expanding, sorting, and splitting wordlists and the shmoosh tool helps to combine multiple wordlists while also sorting out duplicates so you get a new wordlist that is full of unique words. I suggest playing with them all as they can all come in handy in various occasions, and all have been documented on their respective sites if you need help with the proper command syntax to use (Google is your friend). If you need to find a good wordlist just search around Google as there are many out there, and I also highly suggest tools like CeWL, CUPP (Common User Passwords Profiler), or WyD (Who's Your Daddy Password Profiler) which can be used to spider sites to help create wordlists based on unique words found on the site that you can then turn around and use to performing bruteforce attacks with (as mentioned above start focused if you can and then broaden your search/attempts to increase your effectiveness).

Hopefully this tutorial has showed you how you can get the latest version of THCHydra working under a Windows 7 environment. This should be another great tool to add to your collection and along with my previous post on the Hashcat tools you should be covered now for all of you password cracking needs, both local and remote. I may cover some word list techniques down the road to complete the series and create a triple threat. I also hope this tutorial helps to ignite some creativity in others to think outside the box for what tools are available to them and how they can be used.
Enjoy, and until next time...

UPDATE - Here is a VIDEO of showing how to get XHYDRA working under Backtrack 5:

Saturday, June 4, 2011

Cracking Password Hashes with CPU & GPU Power

UPDATE: New video at bottom...

Today I am going to tell you about a kick ass tool for cracking hashes on Windows platform that is capable of leveraging the power of your CPU or even better the power of your GPU(s)...or BOTH. I am even going to use a few pictures for a first, hope you like it. The genius developers behind Hashcat and oclHashcat just released a new version which puts everything in a nice streamlined GUI that is very simple to use and works with both NVidia (CUDA) and ATI (OpenCL) cards, or just plain old CPU power. If you're a console junkie they still have those versions available independently for download as well. You can find them all here: You can choose the one you want from the options on the left, but today I am going to be covering the wonderful new GUI that was just released (hashcat-gui_v0.4.2). I highly suggest you wonder the Hashcat site after you read through this as it is full of knowledge and well written overviews and examples. For now, I will cover some basics...

The entire suite of tools together with CPU and GPU is very powerful which helps to exponentially speed up the time to recovery and are capable of cracking the following types of hashes:
·        MD5 (and MANY variations)
·        SHA1 (and variations)
·        MySQL
·        SSHA-1
·        MD4
·        NTLM
·        Domain Cached Credentials (DCC)
·        MSSQL
·        SHA256
·        SHA-512
·        Oracle 11G
·        DES(Unix)

A few other highlights worth mentioning are that it does not require any installation (can run from USB) and it is FREE and also works on both 32 and 64 bit operating systems. The tool set is also capable of working under Linux and the console versions come pre-loaded with Backtrack 4 and 5 but I am excited and focused on the latest GUI release so I won’t be covering those as I am tired of typing out the commands (hence my excitement). The latest GUI wraps all of the previous console releases under one roof (hashcat, oclHashcat, oclHashcat-plus, and oclHashcat-lite). Now for some overview and review...

You will need to download the software from the link I gave you above and unzip the folder to wherever you would like to run it from. If you are using the GUI version then it doesn’t matter, if you are using the console version you need to navigate to that folder for it to work unless you modify your environment paths. You can just double click on the hashcat-gui64.exe or hashcat-gui32.exe, depending on your setup and it will launch the GUI. You should see this first (choose the one that fits your system);

Choose CUDA for NVidia cards and OpenCL for ATI cards or CPU if you don’t have any GPU to use. NOTE: If you select one of the GPU options it will load the CPU requirements as well so you only need to choose one option. Then it will load the GUI with all of the needed tools, and will then look like this:

Hashcat (Tab1):
Let’s begin with an overview of Hashcat first and then I will take you through the other tabs. Hashcat is the part of the tool that leverages the CPU power to crack hashes, while the rest of the tools/tabs we will cover rely on the GPU(s). You will need to place your hashes in a file so you can load it in the tool, just click on open and browse to find and load. Next you can choose to check to remove the cracked hashes or not. I like to move copies into the local Hashcat folder to work on so I have backups elsewhere and find it nice to size it down as I go through all of my variations to get an idea of what is working and what isn’t (helps if you are working on large lists). You can also change the HASH:PASS separator if you do not like the default ":", but this is not typically needed. Also I have a nice trick I will share later that works if you keep the default. Next comes the wordlists, you can add as many as you have and then arrange the order of them as well. Simply click on the "Add files" button and browse to where you keep your Dictionary files. I have used shmoosh2x64.exe to combine all of my wordlists into a single file, I suggest you find a tool that works for you to keep the number to a reasonable level or by category so you can load in the ones you want or arrange as needed after loading them all in. Next you will need to identify the mode and the hash type to use. You can change the mode to alter your word list based on the description, by bruteforce mode, or you can go a step further and use rules to alter your word lists performing a hybrid attack.

I will assume you can figure out the Hash Type drop down menu but some may have trouble with the modes so here is a quick overview of the different attack modes:
·        straight - This mode will go through your dictionary from top to bottom without altering anything, if it is on your list it will find it if not it won’t...
·        combination - This mode will combine words together in the form of word1word1, word1word2 using the defined dictionary to pair the word combinations.
·        Toggle-Case - This mode will go through your defined wordlist and will alternate the Case used on each of the words, for example: word, Word, wOrd, woRd, worD, and so on...
·        Permutation - This mode will try to extend your wordlist by attempting to try all possible combinations of words that might be created from the characters used in each word. This can be accomplished through a good rule set so I won’t cover too much of it...
·        Table-Lookup - This mode allows you to compare Hashes against pre-computed hash tables. If you have these on hand or if you have created them yourself this may be helpful to you. I tend not to use rainbow tables so I will not go into this here...
·        Bruteforce - This will try to use bruteforce to find the password by simply trying every possible combination available given the charset to use and the min and max length to try, the time needed to run through all depends on the charset used and the strength of the setup you run it on.

I advise reviewing the Hashcat site for rules files as they can be used to manipulate your wordlist and make them exponentially more valuable and effective. They also can allow you to manipulate a wordlist as defined by the rule set used. You can use this to get the same affects as the Toggle-Case, Permutations, Combination, as well as custom ones like adding 2011 to the end or beginning of each word, or maybe in the middle instead. These types of things can all be defined in the rules and then loaded in to modify your wordlist on the fly. I generally run the "Straight" words attack mode and then roll through all of my rules I have setup one by one with a much higher rate of effectiveness.
Here are some possible charsets you might want to try out if you will be Bruteforcing your way to victory. Just keep in mind how they can impact time it might take to crack cycling through all possible combinations and also why it important to keep a secure password:
·        0123456789
o   3628800 Possible Combinations
·        abcdefghijklmnopqrstuvwxyz
o   403291461126605635584000000 Possible Combinations
·        !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
·        abcdefghijklmnopqrstuvwxyz0123456789
o   3.7199332678990121746799944815084e+41 Possible Combinations
·        ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
·        abcdefghijklmnopqrstuvwxyz0123456789!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
o   2.4800355424368305996009904185692e+96 Possible Combinations
·        abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
·        abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
o   1.0873661566567430802736528525679e+146 Possible Outcomes

NOTE: Possible combinations can be derived using factorial functions: x! Where x = number of characters available to use, hence:
·        0123456789 - 10! OR 10 x 9 x 8 x 7 x 6 x 5 x 4 x 3 x 2 x 1 = 362800 Possible Combinations

That is all the math I will bore you with for now, sorry but thought someone out there might find this interesting. Once you have identified the method that works best for you simply setup all the options and point everything to the correct files and if you have elected to have the cracked hashes removed then you might want to also check the Output "Write recovered hashes to file" and point it to where you want the output to go to. It will create a new file if needed, and will share nicely with the other tabs if you decide to use one file for all of your outputs, you can also play with the output formatting as well to put in form of HASH:PASS or HAHS:HEX_PASS or HAHS:PASS:HEX_PASS.

TRICK: If you have want to take the found passwords form the output file and add them to the word list you can write your own batch script or Perl script to remove the hash from prefix using the "hash list separator" as your indicator mark to stop removing items from each line. If that doesn’t work you can copy and paste the list online here: You can identify your hash list separator on the right hand side and then let it run. It will allow you to split the list into a separate hash file and a separate password file, which you can then add to your word list or manage as needed. See screenshot below:
 Everything so far relates to the main tab for Hashcat which relies on CPU power. This can be fine if you have a simple rule set or a small word list, but can take centuries if you have a rather complex rule set and a really large word list. For example, I am running this with the latest i7 core processor and can get speeds up at about 56 Million words a second which may take around 13 Hours if I let it go non-stop at an 8 character password with the "abcdefghijklmnopqrstuvwxyz0123456789" charset. If I wanted to start testing longer password possibilities or larger charsets it would start growing exponentially and would become unrealistic after a while. This is where it is handy to upgrade your motherboard with a few video cards and start putting them to use in cracking. The GPU cores can be used to help out the job and can achieve insanely high pass through rates. If we run the same bruteforce attack using my two GPU enabled cards (450GTS & 580GTX-ti) I can speed things up to about 800 Million Passwords a second to speed the attack time from ~13 hours to just under an hour. This makes a HUGE difference in completion time!!!

Let us now review the three (3) different GPU tools available and how and when to use them: oclHashcat/cudaHashcat, oclHashcat-plus/cudaHashcat-plus, and oclHashcat-lite/cudaHashcat-lite.

cudaHashcat/oclHashcat (Tab2):
There is cudaHashcat/oclHashcat which can be used for BruteForcing MD5, MD4, NTLM, DCC, SHA-1, and MySQL hashes. It is handy for bruteforcing a Large Hash list after exhausting all of your dictionaries. It also has the ability to apply rules to either side of the password combinations being tried (left vs. right side). This tool will take the default built in charsets or customer user defined charsets and will run much faster than any CPU bruteforce attempts. You can define the charset to use by using the mask feature and identifying the number of characters to use. You would need to define 4 on one side and 4 on the other to try all possibilities for 8 character hash. Here is a overview of what can be used to define how you want to perform this hybrid attack:
·        ?l = lowercase alpha (abcdefghijklmnopqrstuvwxyz)
·        ?u = uppercase alpha (ABCDEFGHIJKLMNOPQRSTUVWXYZ)
·        ?d = numerical digits (0123456789)
·        ?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
·        ?h = ISO-8859 characters from 0xc0 - 0xff
·        ?D = 8bit characters from German alphabet
·        ?F = 8bit characters from French alphabet
·        ?R = 8bit characters from Russian alphabet
·        ?1 = number one - use custom charset 1 (uses whatever you copy into the empty field)
·        ?2 = number two - use custom charset 2
·        ?3 = number three - use custom charset 3
·        ?4 = number four - use custom charset 4

?l?l?l?l ?l?l?l?l would define a password of 8 characters in length using all lowercase alphabet as charset to try all possibilities: aaaaaaaa-zzzzzzzz.

The custom charset can be used as needed, but I find them helpful to add specific combinations to the end or beginning of the passwords being used in the word list, for example you could define custom1 as 1, custom2 as 2, custom3 as 3, and custom4 as 4 and to define the last 4 characters as 1234, which depending on your placement can create a whole new dictionary. I have found ending with 123 has very high success rates on real life samples.

               ?l?l?l?l ?1?2?3?4 would define a password of 8 characters and would fix 1234 as the last four characters of each password attempted, from aaaa1234-zzzz1234. Hopefully you can see how this can be helpful when all dictionary attempts have been exhausted and/or you have some helpful information to help you narrow down the possibilities to be used - since you can define the placement and characters to be used in the attempts.

If you decide to use a dictionary instead of masks you can also combine rules to them as well on a left and right side basis, same as masks and custom charsets above, just fill out the details for the mandatory fields. I tend to reserve my dictionaries for the next tab though, so I will not cover that part here. The last thing to complete before running the GPUs at things is the Resources section. You will need to define the GPU(s) to be used. If they are all the same type then do nothing and it will use them all together, however if you have a mix match of cards like I do (due to budget reasons) then you can simpy define them using comma separated values. I use two different cards and it will only use one by default so I change the GPU devices to state "1,2" to instruct it to use both GPU #1 and GPU #2. You will find better results if you run the same type of cards, but this is a perfectly acceptable and working alternative for those that grow on a budget or over time. If you do a little research or are more familiar with your GPU then you can tweak your heart out with the workload tuning and GPU loops but the defaults will be fine for the average users. Finally choose to write your output file to where you want in the desired format and you can start the GPU attacks on your hash list. You will notice the command used is also displayed next to the start button if you want to learn the commands to do things from the console. This is also very helpful if you pause an attack and need to pick things up later, as the commands can be rather long and you can simply copy and paste it to where you need it. Once you hit start the command prompt should open and show the running status, you can the "S" button to show the status at any given time.

oclHashcat-plus/cudaHashcat-plus (tab3):
This was also formerly known as oclHashcat+/cudaHashcat+ and has recently been changed to the new name. This GPU tool is used to replace the outdated CPU cracker that we originally all came to love and known as Hashcat, and is very good for single or large lists of MD5, MD4, NTLM, DCC, and DES hashes. This takes your Dictionary and Password files and runs the same attacks on them that Hashcat would, but instead of using the CPU it uses the GPU power, which results in exponentially faster results.
Like on tab1 for Hashcat we will need to point it to our Hash list file, choose to remove cracked hashes or not, point it to your dictionary or password files (as many as you have or need - haven't hit the limit yet), identify hash type. Now you can’t choose attack modes here but you can point it at your rules files which will do way more than the default attack modes will ever do, so not much loss here. If you want to let the tool auto-generate rules based on the developer’s statistical analysis you can do that as well and define how many rules to generate. As done on the oclHashcat/cudaHashcat you will need to define your GPU cards to use in the attack if they are not of the same kind and adjust any of the other parameters if you are advanced enough to know what you are doing. Choose to write the output and format type if desired and that is it. As before it will open the command prompt for you and start running the dictionary attacks off the GPU devices identified.
Once it is running it will look similar to before, and you can use the "S" for up to date status check, "h" for help dialogue, or "q" to quit:
oclHashcat-lite/cudaHashcat-lite (tab4):
This GPU tool is a bit more precise and can only be used on a single hash at a time, but is capable of cracking MD5, SHA-1,MySQL > 4, NTLM< and Domain Cached Credentials (DCC) hashes at extremely fast rates.
This can be very handy when you have a high priority hash and want to focus everything you have on it to Bruteforce it. You will also need to define the mask to use if desired or you can simple provide the charset to use and the min and max parameters for password length. You can also instruct the tool to take charset in hex form by checking the available box.
As done for the previous tabs you will need to identify your GPU devices and tweak any advanced parameters you want. Lastly identify if you want to write the output to file and where and you are ready to fire away.
This completes the overview and review of the latest release from the Hashcat team for Hashcat-GUI-v0.4.2. I hope you have enjoyed this review and I hope you find this tool very useful in your hash cracking adventures. If you want to speed things up you can also run one attack from the GPU tools while simultaneously running an attack from the CPU powered Hashcat tab. I use this method regularly to allow the CPU to handle the small rule sets I have and let the more complex rules run through the GPU to save time. You can also let Bruteforcing of smaller length attempts run on CPU while running anything over 7 characters long on the GPUs to save yourself some time. Enjoy and follow up with the makers of the tool as it is being updated all the time and they never seem to stop amazing me. If you have a small problem or need some help please feel free to comment or drop me a line and I will do what I can to help out with GUI or console problems. This was not meant to be an end all be all of tutorials or overview, but I do think it is very helpful and quite amazing tool and wanted to share it with the world. Have fun cracking...

UPDATE - Here is the video I made to accompany the article above: