How to Guess a Password: Your 2024 Guide

[Man]

Before we can begin to guess a password, we need to establish a few parameters.

The first step in the process is identifying the target. If we are working on a pentest for a company, we need to know the login syntax. Is it Cameron.Smith or C.Smith or maybe CSmith?

We may know this beforehand or need to find out by doing some investigation online using OSINT.

Once we have the correct syntax for users, the next step is to figure out information on the service we are attacking, specifically the login information.

Does the login offer hints if the user forgets their login, such as username reminder, custom password hints, or security questions? And what is the password policy of the service? This will give you much more information you can use to formulate a plan of attack.

Let’s take a look at the website signup at the picture.

Looking at the form, we know the password must be at least eight characters, and no other requirements must be met.

Now we could use this information to create a list of passwords.

In 2011, Aaron Barr, the CEO of the cyber security consulting firm HBGary Federal, was hacked by Anonymous after they discovered he used the same password for his business email, Twitter, Facebook, Yahoo, and World of Warcraft accounts.

When trying to guess a password, you will often need to perform some sort of OSINT, which can be incredibly helpful in finding out more about the individual. You can locate the individual on social media and find hints like hobbies, significant dates, pet names, or work details that could be part of their password.

If you are working for a client, find a list of employees and their emails on LinkedIn or via other open-source means. This will give you a list you can manipulate. This list might reveal common themes or patterns, such as the company's username syntax or other potentially useful information.

Many individuals or employees follow similar patterns when generating passwords, often linking them to the specific service used. It is common for employees to include their company's name in their workplace passwords.

Moreover, people's personal interests and preferences, such as their pets' names, friends' or spouse/partner names, activities, preferred sports, and numerous other aspects of their lives, frequently influence their password selection.

You can use online OSINT sites such as Have I Been Pwned or Dehashed to see if the company has been involved in any breaches (and may still have employees using compromised passwords); you can also search specific individuals and discover if they have been involved in any breaches, where you may find passwords you can reuse.

Another way you can find potential passwords is by using a tool such as CeWL, a Ruby application designed to create custom word lists for password-cracking tools. It spiders a website, collecting words for a password list.

You can also use social engineering techniques to create fake login portals or even watering hole websites, these tactics can be effective in obtaining user credentials by duping the users into thinking they're logging into a legitimate service. Tools such as BeEF, Social Engineer Toolkit, or ChatGPT can help.

Rules

When creating a wordlist, we can also use rules to help take a password and modify it. We may want to append a password, such as adding numbers or symbols to the end of them (Password123@) or we may want to substitute characters (such as P@$$W0RD), or we could even reverse the password (like "drowssaP"). In addition, we could incorporate leet speak substitutions, such as replacing 'i' with '1', 'e' with '3', 'a' with '4', etc.

Here are some tools that can help you manipulate passwords in the ways we described above.

John The Ripper

John the Ripper's rule syntax is extensive, but we’ll provide a simple example. Rules in John are specified in the configuration file or on the command line using the -rules: option.

Here's an example of a rule that appends the numbers 0-9 to each word in the wordlist:

[List.Rules:MyRule]
$[0-9]

If you saved this in your john.conf file under [List.Rules:MyRule], you could then use this rule with:

john --wordlist=wordlist.txt --rules:MyRule hashes.txt

Hashcat

Hashcat, like John, can also manipulate a password list by using what’s known as a “rule-based attack.” You can specify a file containing rules to modify the words in the wordlist. This allows Hashcat to attempt variations on the words in the list, such as lowercase all letters or appending the character X to the end.

Here's an example of a command you might run with the best64 rule The "best64" rule is a collection of commonly used rules:

hashcat -m 1400 -a 0 -r rules/best64.rule hash.txt wordlist.txt

RSMangler

RSMangler is a wordlist manipulation tool. It takes an input file, such as a wordlist, and applies various transformations to the words in the list to generate a larger set of possible passwords. It performs a variety of transformations, including adding years to the end of the word, or adding the following words to the start and end: admin, sys, pw, pwd, numbers 01 - 09, etc.

Here is a sample command that will mangle the given wordlist.

rsmangler -m 6 -x 8 --file password.txt > mangled.txt

It reads password.txt as an input file, applies a variety of transformations to each word, and saves the results in mangled.txt. -m 6 specifies a minimum word length of 6 characters, while -x 8 specifies a maximum of 8. Any words generated outside of the specified range will be discarded. This is helpful if you know the length of the password.

To be continued.

 

[Man]

Once you're ready to try the passwords or hashes, let's discuss some tools you can use.

- Attacking Login Portals

Hydra

Hydra is a popular login brute force tool that performs dictionary attacks against many services such as SSH, FTP, or web servers. It attempts to log in to the service using the username provided and all the passwords in your list.

BurpSuite

BurpSuite is a collection of testing tools for web applications designed for penetration testing. It has a feature called “Intruder” that allows you to replace the username and password fields with values from a wordlist.

- Cracking Password Hashes

Hashcat

Hashcat is a powerful password-cracking tool that uses the power of your GPU(Graphics Processing Unit) to crack various hashes with different types of attack modes, including brute force, dictionary, combination, and rule-based attacks.

John The Ripper

John is another great password-cracking tool that employs various methods to attempt to crack a password. The most common technique is a dictionary attack, which attempts a list of possible passwords. It is also capable of brute-force attacks, attempting every possible combination of characters. In addition, it is capable of rule-based attacks, in which it modifies the words in a wordlist based on predefined or custom rules.

- Create Custom Password Lists

CUPP

CUPP, which stands for Common User Passwords Profiler, is a tool used to generate targeted wordlists based on personal information. It uses details about a target, such as their name, pet's name, birthday, etc., to create a custom wordlist that can be used in a dictionary attack.

To be continued.

 

[Man]

What to Watch Out For

You will undoubtedly encounter some of the following when attempting to log in using brute force or password-spraying methods.

Account Lockout Policies

Before spraying passwords, try to understand the account lockout policy of the targeted service. Let’s take Active Directory as an example. In Active Directory, most often, the lockout policy will be in place with, let’s say, ten invalid login attempts. If users enter an incorrect password ten times consecutively, their account will be locked. The lockout duration is set to 30 minutes by default, which means the user will be unable to log in for that time period.

Your best bet in situations like this is to try to spread out your attempts by trying a single password across multiple different account names. Try to use some of the most common passwords used with Active Directory, such as:

P@ssw0rd01, Password123, Password1, Hello123, Welcome1/Welcome01
$Companyname1
Winter2023*, Spring2023!, Summer2023?, Summer2023, July2023! (Depending on the time of year your testing is taking place)

Multi-Factor Authentication

You may also run into a situation where you successfully log in to a service, but then you realize the user has set up MFA (Multi-Factor Authentication). Where do you go from here? There are a few ways you can accomplish this.

Social Engineering: A well-crafted phishing attack could trick users into providing their MFA token. This method, however, requires timing and precision because MFA tokens usually expire quickly.

Man-in-the-Middle (MitM) Attacks: In this method, you place yourself between the user's communication and the service. When the user enters their MFA token, you intercept and use it to authenticate their session. Evilginx2 and CredSniper are a couple of tools that can help with this.

CSRF Tokens

In certain situations, you may be up against anti-CSRF tokens when attempting a brute-force attack. A new CSRF token must be fetched from the server for every login attempt, as each token is typically unique per session or request. This effectively means that for each login attempt, we would need to fetch a new login page, parse it to extract the CSRF token, and then use it in the login request.

To overcome this, you could use advanced tools like Burp Suite to update CSRF tokens while using Intruder automatically or automate the process by writing scripts in Python.

IP Blacklists

While attempting brute force attacks, you may also be subject to IP blacklisting. IP blacklisting is a security measure that blocks traffic originating from particular IP addresses. Systems may implement this to prevent repeated failed login attempts, indicating a brute force attack.

There are a few ways we can circumvent this. To bypass the blacklist, you can use a proxy server or VPN to change your IP address, utilize cloud-based services, or use virtual machines to test from different IP addresses.

Or use a script like TREVORspray from GitHub.

TREVORspray is a password sprayer that can take advantage of SSH proxying. It logs in to multiple different systems (such as AWS virtual machines, each with a different IP address) and takes turns attacking a password portal from each to avoid blacklisting the IPs because of too many failed attempts in a short period from a single IP.

It supports attacking various services like Office 365, Active Directory Federated Services, Outlook Web App, Okta SSO, and Cisco VPN. It also supports Office 365 MFA bypass.

Conclusion

You should now better understand how to guess a password.

We’ve walked you through common weak passwords, what parameters must be established before beginning, how to use OSINT to find passwords, different tools used while cracking or brute forcing, and what you need to watch out for when performing attacks.