Ethical Hacking: Password Attacks and Credential Exploitation

Passwords are the most common authentication mechanism in use today — and the most frequently compromised. Gaining control of a valid credential is often faster and stealthier than exploiting a software vulnerability. An ethical hacker who can demonstrate how quickly passwords can be cracked or stolen gives an organization powerful evidence to push for stronger authentication policies.

How Passwords Are Stored

Modern systems do not store your password as plain text. Storing "mypassword123" directly in a database would mean anyone who accessed that database could read every user's password instantly. Instead, systems store a hash.

What Is a Hash?

A hash function takes any input (your password) and converts it to a fixed-length string of characters. The conversion is one-way: you can hash a password easily, but you cannot mathematically reverse a hash back to the original password. The same input always produces the same output. For example:

  • MD5 hash of "password": 5f4dcc3b5aa765d61d8327deb882cf99
  • MD5 hash of "password1": 7c6a180b36896a0a8c02787eeafb0e4c

Changing one character completely changes the output. When you log in, the system hashes your entered password and compares it to the stored hash. It never sees your actual password again after the initial setup.

Common Hashing Algorithms

Algorithm | Hash Length            | Status               | Used In
----------|------------------------|----------------------|------------------------------------
MD5       | 128-bit (32 hex chars) | Broken — insecure    | Legacy systems, file checksums
SHA-1     | 160-bit (40 hex chars) | Broken — insecure    | Older SSL certificates, Git commits
SHA-256   | 256-bit (64 hex chars) | Secure               | Modern applications, blockchain
bcrypt    | Variable               | Secure               | Web application password storage
NTLM      | 128-bit                | Weak without salting | Windows authentication

Obtaining Password Hashes

Before cracking passwords, an ethical hacker needs to obtain the hashes. Different operating systems store credentials differently.

Windows: SAM Database and NTLM Hashes

Windows stores local user passwords as NTLM hashes in the SAM (Security Account Manager) database at C:\Windows\System32\config\SAM. This file is locked while Windows runs. On a domain, credentials are stored in the Active Directory database (NTDS.dit) on the domain controller.

With administrative access via Meterpreter, an ethical hacker dumps Windows hashes using:

hashdump

This returns output like:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

The third field is the LM hash (often empty in modern Windows) and the fourth field is the NTLM hash — the one worth cracking or using directly.
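What a reviewer does with that output, as an added example (not from the page and not part of Metasploit): it parses lines in the hashdump format over a constructed sample and flags empty passwords, leftover LM hashes, and accounts that share one NT hash. It relies on two known values: aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NTLM hash of an empty password; every other hash in the sample is a placeholder.

```python
# Hashes of the empty password, exactly as they appear in the hashdump line above.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in hashdump format (the non-empty hash values are
# placeholders, not real digests).
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
jsmith:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1003:0011223344556677889900aabbccddee:fedcba9876543210fedcba9876543210:::
"""

def parse_hashdump_line(line):
    """user:RID:LM hash:NT hash::: -> dict (hashes lower-cased for comparison)."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"not a hashdump line: {line!r}")
    user, rid, lm, nt = fields[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}

def audit_hashdump(lines):
    """Return (user, finding) pairs that a defender should act on."""
    findings = []
    seen_nt = {}                      # NT hash -> first user seen with it
    for line in lines:
        if not line.strip():
            continue
        rec = parse_hashdump_line(line)
        if rec["lm"] != EMPTY_LM:
            # LM hashes crack trivially; a non-empty one means LM storage is still enabled.
            findings.append((rec["user"], "LM hash present"))
        if rec["nt"] == EMPTY_NT:
            findings.append((rec["user"], "empty password"))
        elif rec["nt"] in seen_nt:
            # NTLM is unsalted: identical hashes mean identical passwords.
            findings.append((rec["user"], f"same password as {seen_nt[rec['nt']]}"))
        else:
            seen_nt[rec["nt"]] = rec["user"]
    return findings

if __name__ == "__main__":
    for user, finding in audit_hashdump(SAMPLE_HASHDUMP.splitlines()):
        print(f"{user}: {finding}")
```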

Linux: /etc/shadow

Linux systems store password hashes in /etc/shadow. Only root can read this file. Each line contains the username, a password field made up of the hashing algorithm identifier, an optional parameter such as the round count, the salt, and the hash, followed by password-aging fields. A typical entry looks like:

alice:$6$rounds=5000$somesalt$hashedvalue:18000:0:99999:7:::

The $6$ indicates SHA-512 (sha512crypt). Here rounds=5000 is an optional parameter field, somesalt is the salt, and hashedvalue is the hash; when no rounds= field is present, the salt directly follows the algorithm identifier.
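An added example (not from the page) that parses shadow entries, including the optional rounds= field in the entry above, and flags accounts with no password or a weak hash algorithm; the sample lines, salts and hashes are constructed placeholders.

```python
# Constructed /etc/shadow sample: alice is the page's own entry; the other
# salts and hashes are placeholders, not real digests.
SAMPLE_SHADOW = """\
alice:$6$rounds=5000$somesalt$hashedvalue:18000:0:99999:7:::
bob:$1$abcdefgh$placeholderhash:18000:0:99999:7:::
carol:$y$j9T$somesalt$placeholderhash:18000:0:99999:7:::
svc:*:18000:0:99999:7:::
backup::18000:0:99999:7:::
"""

# crypt(3) identifiers as used by glibc/libxcrypt (bcrypt omitted: its salt
# and hash share one field and need separate handling).
ALGORITHMS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"md5crypt", "DES-crypt"}

def parse_shadow_line(line):
    name, pw, *aging = line.rstrip("\n").split(":")
    entry = {"user": name, "status": "hashed", "algorithm": None,
             "rounds": None, "salt": None, "hash": None, "aging": aging}
    if pw == "":
        entry["status"] = "empty"            # no password at all
    elif pw[0] in "!*":
        entry["status"] = "locked"           # locked or no-login account
    elif pw.startswith("$"):
        ident, *rest = pw.split("$")[1:]
        entry["algorithm"] = ALGORITHMS.get(ident, f"unknown(${ident}$)")
        # Optional parameter fields (rounds=5000, yescrypt's j9T) come first,
        # then the salt, then the hash: the salt is not always the second field.
        *params, entry["salt"], entry["hash"] = rest
        for p in params:
            if p.startswith("rounds="):
                entry["rounds"] = int(p[len("rounds="):])
    else:
        entry["algorithm"] = "DES-crypt"      # traditional 13-char crypt, no '$' prefix
    return entry

def audit_shadow(text):
    """Return (user, finding) pairs worth acting on."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        if e["status"] == "empty":
            findings.append((e["user"], "no password set"))
        elif e["status"] == "hashed" and e["algorithm"] in WEAK:
            findings.append((e["user"], f"weak hash algorithm {e['algorithm']}"))
    return findings
```

Running audit_shadow(SAMPLE_SHADOW) reports backup (no password) and bob (md5crypt); alice, carol and the locked svc account pass.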

Salting: The Defense Against Rainbow Tables

A salt is a random value added to the password before hashing. The same password hashed with a different salt produces a completely different hash. "password" + "abcd1234" produces a different hash than "password" + "xyz9876." Salting defeats rainbow table attacks because an attacker cannot precompute a table that accounts for every possible salt.
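An added example (not from the page) that reproduces the two MD5 values given earlier and contrasts them with a salted, deliberately slow hash using the page's two example salts. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, an assumption made so it runs without extra packages.

```python
import hashlib
import hmac
import os

# Unsalted fast hash: every user who chooses the same password gets the same
# stored value, so one precomputed (rainbow) table breaks all of them at once.
def md5_hex(password):
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Salted, deliberately slow hash. PBKDF2-HMAC-SHA256 from the standard library
# stands in for bcrypt here (assumption: no third-party packages available).
ITERATIONS = 100_000

def hash_password(password, salt=None):
    if salt is None:
        salt = os.urandom(16)          # fresh random salt each time a password is set
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Store everything needed to verify later: algorithm, iterations, salt, digest.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not reveal how much of the hash matched.
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    print(md5_hex("password"))    # 5f4dcc3b5aa765d61d8327deb882cf99
    print(md5_hex("password1"))   # 7c6a180b36896a0a8c02787eeafb0e4c
    # Same password, the page's two example salts: two unrelated stored values.
    print(hash_password("password", b"abcd1234"))
    print(hash_password("password", b"xyz9876"))
    stored = hash_password("password")
    print(verify_password("password", stored), verify_password("password1", stored))  # True False
```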

Cracking Techniques

Brute Force Attack

Brute force tries every possible combination of characters. A GPU can test billions of MD5 hashes per second. Despite this speed:

  • A 6-character lowercase password (26^6 = 308 million combinations) falls in under a second.
  • An 8-character mixed-case + numbers password (62^8 = 218 trillion combinations) takes minutes with modern hardware.
  • A 12-character truly random password (94^12 = 475 quadrillion combinations) takes years even with dedicated cracking hardware.

Password length matters far more than complexity. "correct-horse-battery-staple" is far harder to brute-force than "P@ssw0rd!" despite looking simpler.

Dictionary Attack

A dictionary attack tests a precompiled list of words, common passwords, and known leaked passwords against a hash. Tools like John the Ripper and Hashcat ship with built-in wordlists. The most commonly used wordlist in ethical hacking is rockyou.txt — a list of 14 million real passwords leaked from the RockYou social gaming site breach in 2009. Many of these passwords remain in active use today because people repeat them across platforms.

Rule-Based Attack

Real users modify common words in predictable ways to meet password complexity requirements: adding a number to the end, capitalizing the first letter, replacing letters with look-alike numbers or symbols (a→4, e→3, o→0). Rule-based attacks apply transformations to a dictionary to generate these variants automatically. "password" becomes "Password1", "P@ssword1", "p455w0rd", and dozens of other variants — all tested automatically.
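The defender's side of the same rules, as an added example (not from the page, and not a cracking tool): it undoes the common manglings to recover the base word and rejects passwords built that way, so a policy check catches "P@ssw0rd!" while accepting a long passphrase. The dictionary is a constructed handful of words standing in for rockyou.txt.

```python
import re

# Constructed mini-dictionary; a real check would load a leaked-password list
# such as rockyou.txt instead.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "monkey"}

# Reverse the usual leet substitutions (a->4/@, e->3, o->0, i->1/!, s->$/5, t->7).
UNLEET = str.maketrans({"4": "a", "@": "a", "3": "e", "0": "o", "1": "i",
                        "!": "i", "$": "s", "5": "s", "7": "t"})
TRAILING = re.compile(r"[0-9!@#$%^&*.?]+$")   # appended digits/symbols: "1", "123", "2024!"
LEADING = re.compile(r"^[0-9!@#$%^&*.?]+")    # prepended digits/symbols

def base_word(candidate):
    """Strip appended/prepended digits and symbols, undo leet, lowercase."""
    core = LEADING.sub("", TRAILING.sub("", candidate))
    return core.translate(UNLEET).lower()

def weaknesses(candidate, min_length=12):
    """Reasons a password would fall quickly to a rule-based attack (empty list = none found)."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    word = base_word(candidate)
    if word in DICTIONARY:
        reasons.append(f"dictionary word '{word}' with predictable mangling")
    return reasons

if __name__ == "__main__":
    for pw in ["Password1", "P@ssword1", "p455w0rd", "P@ssw0rd!", "Summer2024!",
               "correct-horse-battery-staple"]:
        print(f"{pw:30} {weaknesses(pw) or ['ok']}")
```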

Rainbow Table Attack

A rainbow table is a precomputed lookup table that maps common passwords to their hashes. Instead of computing each hash during the attack, the attacker simply looks up the hash in the table and retrieves the password directly. Rainbow tables are only effective against unsalted hashes. Any properly salted hash is immune to precomputed tables.

Hashcat: Modern Password Cracking

Hashcat is the world's fastest password recovery tool. It uses the GPU (graphics card) rather than the CPU for hash computation, achieving speeds orders of magnitude faster than CPU-based tools. A mid-range gaming GPU can test over 10 billion MD5 hashes per second.

To crack NTLM hashes from a Windows hashdump using a dictionary attack:

hashcat -m 1000 -a 0 hashes.txt rockyou.txt

  • -m 1000 — NTLM hash type
  • -a 0 — dictionary attack mode
  • hashes.txt — file containing extracted hashes
  • rockyou.txt — the wordlist

John the Ripper

John the Ripper (commonly called "John") is a versatile password cracker that automatically detects hash types and supports multiple attack modes. It is particularly well-suited for Linux shadow file cracking and offline hash cracking in lab environments.

john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

Pass-the-Hash: No Cracking Required

On Windows networks, many authentication protocols accept the password hash directly — they never require the actual plaintext password. Pass-the-Hash (PtH) is the technique of using a captured NTLM hash to authenticate to another system without ever cracking it.

Imagine stealing a hotel key card without knowing what room number it unlocks. You swipe it at every door until one opens. PtH works similarly: take the hash, use it to authenticate to other machines on the network, and see where it provides access.

Metasploit's psexec module and the tool Impacket both support pass-the-hash attacks. This technique is why stolen NTLM hashes are so dangerous even when the underlying password is long and complex.

Online Password Attacks: Attacking Login Forms

Offline attacks crack hashes without interacting with a live service. Online attacks attempt credentials directly against a login form, SSH server, RDP portal, or other live authentication point.

Hydra

Hydra is a fast network login cracker that supports dozens of protocols: HTTP, SSH, FTP, SMB, RDP, MySQL, and more. It automates submitting username/password combinations from a wordlist and reports any successful logins.

hydra -l admin -P rockyou.txt ssh://192.168.1.10

This attempts to log in as user "admin" via SSH, trying every password in rockyou.txt.

Account lockout policies — locking an account after a number of failed attempts — defend against online brute force. Ethical hackers test whether lockout policies are in place and configured correctly.

Credential Stuffing in Practice

Credential stuffing uses lists of breached username:password pairs from one site against other services. The attack works because many people reuse the same password across multiple accounts. Automated tools test millions of credential pairs per hour against login portals. Have I Been Pwned (haveibeenpwned.com) allows anyone to check whether their email appears in known data breaches.

Key Points

  • Passwords are stored as hashes — one-way mathematical conversions that prevent direct reading of plaintext credentials.
  • Salting adds a random value before hashing and defeats precomputed rainbow table attacks.
  • Brute force, dictionary, rule-based, and rainbow table attacks are the four primary cracking techniques.
  • Hashcat uses GPU acceleration to test billions of hashes per second; John the Ripper is versatile for lab cracking tasks.
  • Pass-the-Hash attacks authenticate using a captured hash without cracking the underlying password.
  • Hydra automates online brute-force attacks against live login services; account lockout policies defend against it.
