Password recovery can be used:
To identify the type of password encryption algorithm a system uses and judge whether its security is sufficient,
To determine whether users are choosing weak passwords, or
To identify the plaintext password during a penetration test.
The most popular password recovery techniques are brute-force and dictionary attacks against a password hash.
A decent IT system will not store passwords in plaintext; instead it runs each password through a one-way hash function and stores the resulting hash. The security of such a system depends on the hashing algorithm used (stronger is better) and on the complexity of the password (longer and more complex is better).
Better IT systems will add a salt variable to the encryption of the password when generating the hash value. The salt variable makes it harder to perform dictionary or brute-force attacks, especially if the IT admin or pentester does not know the salt value.
Figure: Secure password hashing with salt
The general process of password recovery includes these 4 steps:
Retrieve stored hash value (and possible salt variable)
Identify the type of hash (and therefore the type of encryption used)
Use a password recovery/cracking tool (an online service, JtR, or hashcat) to attempt recovery. The options you choose determine the outcome: the hash type, the wordlist, the rule set, and the hardware available.
Test the recovered password to confirm it works.
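The four-step process above, and the salt caveat from the earlier paragraph, as an added example that is not part of the original notes: a small hash-type guesser in the spirit of hash-identifier, a Crackstation-style precomputed lookup table that recovers an unsalted SHA-256 of a weak password, and the same table failing on the salted hash. The wordlist and the salt value are constructed for the demo.

```python
import hashlib
import re

# Constructed four-entry candidate list standing in for a real wordlist.
WORDLIST = ["password", "letmein", "Summer2023", "correct horse"]


def identify_hash(h: str) -> str:
    """Guess the hash type from its format, as hash-identifier does.
    Bare hex digests are ambiguous: 32 hex chars may be MD5 or NTLM."""
    if h[:4] in ("$2a$", "$2b$", "$2y$"):
        return "bcrypt"
    crypt_prefixes = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}
    if h[:3] in crypt_prefixes:
        return crypt_prefixes[h[:3]]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        by_length = {32: "MD5 or NTLM", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}
        return by_length.get(len(h), "unknown hex digest")
    return "unknown"


def build_lookup_table(algo: str) -> dict:
    """Precomputed table hash -> plaintext (how Crackstation answers instantly)."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in WORDLIST}


def lookup(table: dict, h: str):
    """Step 3 against an unsalted hash: a single dictionary lookup."""
    return table.get(h)


def salted_sha256(salt: str, password: str) -> str:
    """Salted hash as the better systems in the notes produce it (salt || password)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def dictionary_attack(salt: str, target: str):
    """With the salt known, each candidate must be rehashed; the precomputed
    table is useless, which is why an unknown salt raises the cost sharply."""
    for candidate in WORDLIST:
        if salted_sha256(salt, candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    table = build_lookup_table("sha256")
    unsalted = hashlib.sha256(b"letmein").hexdigest()
    salted = salted_sha256("x7Qp", "letmein")  # "x7Qp" is a constructed salt
    print(identify_hash(unsalted), lookup(table, unsalted), lookup(table, salted))
    print(dictionary_attack("x7Qp", salted))
```

Step 4 (testing the recovered password against the real system) is deliberately left out; only the hash comparison is shown.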
Use the following site to generate hashes: https://www.browserling.com/tools/all-hashes
The following tools can be used to identify the password hash type or perform password recovery:
Crackstation (https://crackstation.net/): an online utility that uses pre-computed lookup tables to crack and identify password hashes.
Hashes.com (https://hashes.com/en/tools/hash_identifier): an online utility that can identify hashes.
Hash-Identifier (https://www.kali.org/tools/hash-identifier/): CLI tool that identifies different types of hashes. Use the command hash-identifier to launch the utility and then input the hash.
Hash-id (https://snapcraft.io/hash-id): CLI tool for identifying hash types. Use the command hash-id -h <hash_string> or hash-id -f <file_with_hash_string.txt> to identify the hash type.