There is a plethora of password cracking tools out on the Internet. New ones come… and old ones become obsolete and fade away!
The theory goes it is computationally infeasible to discover the input (password) of an MD5 hash (or any strong hash) from the hash itself. So what password crackers do is hash a bunch of words (millions) various different ways (like substituting the number 4 for an upper case A or the @ for a lower case a) until they come up with a hash that matches what they are looking for. To make this process faster lookup tables are put together in such a fashion that hashes are matched to passwords. All the computer needs to then do is compare the input hash with the hash in the lookup table. This is much faster than having the computer compute the hash and then compare it.

One technique that produces stronger hashes is the use of salt. MD5 hashes will always produce the same hash if nothing else acts on the generation of the hash. (How’s that for a tongue twister?) SO for example, given the password of ‘ussfreedom0305’, the MD5 hash will yield ‘a8ff0961f5d6cee3da0c06db83a9eec5’. It doesn’t matter which Generator you use, the results will be the same. However, if one were to introduce random bits of data (salt) into the generation of the hash it will always result in a unique hash. This now makes it computationally infeasible to grab a password from a salted hash! Two users will have two different salts and thus given the same string of characters (password) they will both be different. No in order for a password cracker to work… They’d need to compute the salt in addition to the password string.

John the Ripper

Is a true password-cracking tool! The nice thing about this tool is that it can crack MD5 passwords. In addition to MD5, John the Ripper will work with on DES based crypt password, Blowfish based passwords, NTLM hashes and SHA-1 hashes! John the Ripper is a dictionary-based cracker. One can use many different dictionaries including pre-cracker wordlists to expedite the crack! Those not looking to spend the extra money for larger dictionaries, a large multilingual wordlist optimized specifically for use with John the Ripper (4,106,923 entries, 43 MB uncompressed) is included in the package (openwall.com, 2009).

John the Ripper can be found at http://www.openwall.com/john/

Cain and Abel

Insecure.org maintains a list of the top 10 password crackers. The list is old but some of the tools are really good. Top on their list is Cain and Abel… and boy do I wish they had this program for the Mac. It’s not only a password cracker it’s an all purpose ‘pen-testing’ application.  Some of Cain and Abel’s functionality includes a network sniffer, a password cracker (both for passwords captured out on the network and from a file), and a WEP key cracker. It can perform ARP cache poisoning. It has a RSA SecurID Token Calculator. It goes way beyond mere password cracking!

Cain and Abel can be found at http://www.oxid.it/cain.html.

THC-Hydra

THC-Hydra is a brute-force network login password cracker. In other words, it tries many different passwords until it comes across one that works. Brute-force attacks can be performed offline or online. Offline attacks can occur when the attacker has obtained a known good hash. This is in many ways similar to a dictionary attack. The only difference is that it’s not using dictionary words but rather mathematical combinations to get the password. Online attacks of which, THC-Hydra, is an excellent tool for, the attacker tries to authenticate against the host itself.
Currently, THC-Hydra supports that brute forcing of the following protocols:

TELNET, FTP, HTTP-GET, HTTP-HEAD, HTTPS-GET, HTTP-HEAD, HTTP-PROXY, LDAP2, LADP3, SMB, SMBNT, MS-SQL, MYSQL, POSTGRES, REXEC, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable, SMTP-AUTH, SSH2, SNMP, CVS, Cisco AAA (darknet.org.uk, 2007)

There are many more risks/problems associated with this type attack. First failed attempts are logged (very often with the IP address from which the attack was performed from). Next, and good password policy would expire an account after a certain number of failed attempts. Lastly, if strong password policies are not in effect, hopefully the server will increase the amount a time before another attempt is made at logging in.

THC-Hydra can be found at http://freeworld.thc.org/thc-hydra/

Wrap Up

The thing that needs to be understood about all these tools is that they are branded as security testing tools (to test how security a system may be) or a demonstration tools (to show how easy weak passwords are cracked). Either way, they can be turned from there good intentioned tools to devices of the malcontent. If you are going to use them in your environment make sure that you get written documentation from your superiors before working with them.

Resources:

Unknown, (2009), John the Ripper Pro password cracker for Mac OS X, Retrieved on March 6, 2009 from http://www.openwall.com/john/pro/macosx/

Darknet, (2007, February 14), THC-Hydra – The Fast and Flexible Network Login Hacking Tool, Retrieved on March 6, 2009 from http://www.darknet.org.uk/2007/02/thc-hydra-the-fast-and-flexible-network-login-hacking-tool/