Never Ending Security

It starts all here

Best Password Audit Tools

Best Password Audit Tools

In cryptanalysis and computer security, password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system. A common approach (brute-force attack) is to repeatedly try guesses for the password.

The purpose of password cracking might be to help a user recover a forgotten password, to gain unauthorized access to a system, or as a preventive measure by System Administrators to check for easily crackable passwords. On a file-by-file basis, password cracking is utilized to gain access to digital evidence for which a judge has allowed access but the particular file’s access is restricted.

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

The time to crack a password is related to bit strength which is a measure of the password’s information entropy. Most methods of password cracking require the computer to produce many candidate passwords, each of which is checked. One example is brute-force cracking, in which a computer tries every possible key or password until it succeeds. More common methods of password cracking, such as dictionary attacks, pattern checking, word list substitution, etc., attempt to reduce the number of trials required and will usually be attempted before brute force. Higher password bit strength increases exponentially the number of candidate passwords that must be checked, on average, to recover the password and reduces the likelihood that the password will be found in any cracking dictionary.

The ability to crack passwords using computer programs is also a function of the number of possible passwords per second which can be checked. If a hash of the target password is available to the attacker, this number can be quite large.

In this post, we are covering a few of the most popular password cracking tools.


RainbowCrack is a general propose implementation of Philippe Oechslin’s faster time-memory trade-off technique. A brute force hash cracker generate all possible plaintexts and compute the corresponding hashes on the fly, then compare the hashes with the hash to be cracked. Once a match is found, the plaintext is found. If all possible plaintexts are tested and no match is found, the plaintext is not found. With this type of hash cracking, all intermediate computation results are discarded.

A time-memory tradeoff hash cracker need a pre-computation stage, at the time all plaintext/hash pairs within the selected hash algorithm, charset, plaintext length are computed and results are stored in files called rainbow table. It is time consuming to do this kind of computation. But once the one time pre-computation is finished, hashes stored in the table can be cracked with much better performance than a brute force cracker.

Several TB of generated rainbow tables for LM, NTLM, MD5 and SHA1 hash algorithms are listed on their website too.


  • Full time-memory tradeoff tool suites, including rainbow table generation, sort, conversion and lookup
  • Support rainbow table of any hash algorithm
  • Support rainbow table of any charset
  • Support rainbow table in raw file format (.rt) and compact file format (.rtc)
  • Computation on multi-core processor support
  • GPU acceleration with NVIDIA GPUs (CUDA technology)
  • GPU acceleration with AMD GPUs (OpenCL technology)
  • GPU acceleration with multiple GPUs
  • Runs on Windows operating systems
  • Windows XP 32-bit / 64-bit
  • Windows Vista 32-bit / 64-bit
  • Windows 7 32-bit / 64-bit
  • Windows 8 32-bit / 64-bit
  • Runs on Linux operating systems (x86 and x86_64)
  • Unified rainbow table file format on all supported operating systems
  • Command line user interface
  • Graphics user interface

Source && Download at:


Wfuzz is a tool designed to brutefore web applications, It was created to facilitate the task in web applications assessments, it’s a tool by pentesters for pentesters ;) It can also be used to find hidden resources like directories, servlets and scripts.


  • Capability of injection via multiple points with multiple dictionary
  • Output in colored HTML
  • Post, headers and authentication data brute forcing
  • Proxy and SOCK Support, Multiple Proxy Support
  • Multi Threading
  • Brute force HTTP Password
  • POST and GET Brute forcing
  • Time delay between requests
  • Cookies fuzzing

Source && Download at:

Cain and Abel

Cain and Abel (often abbreviated to Cain) is a password recovery tool for Microsoft Windows. It can recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks are done via rainbow tables which can be generated with the winrtgen.exe program provided with Cain and Abel


  • WEP cracking
  • Speeding up packet capture speed by wireless packet injection
  • Ability to record VoIP conversations
  • Decoding scrambled passwords
  • Calculating hashes
  • Traceroute
  • Revealing password boxes
  • Uncovering cached passwords
  • Dumping protected storage passwords
  • ARP spoofing
  • IP to MAC Address resolver
  • Network Password Sniffer
  • LSA secret dumper
  • Ability to crack:
  • LM & NTLM hashes
  • NTLMv2 hashes
  • Microsoft Cache hashes
  • Microsoft Windows PWL files
  • Cisco IOS – MD5 hashes
  • Cisco PIX – MD5 hashes
  • APOP – MD5 hashes
  • CRAM-MD5 MD5 hashes
  • OSPF – MD5 hashes
  • RIPv2 MD5 hashes
  • VRRP – HMAC hashes
  • Virtual Network Computing (VNC) Triple DES
  • MD2 hashes
  • MD4 hashes
  • MD5 hashes
  • SHA-1 hashes
  • SHA-2 hashes
  • RIPEMD-160 hashes
  • Kerberos 5 hashes
  • RADIUS shared key hashes
  • IKE PSK hashes
  • MSSQL hashes
  • MySQL hashes
  • Oracle and SIP hashes

Source && Download at:

John the Ripper

John the Ripper is a free password cracking software tool. Initially developed for the Unix operating system, it now runs on fifteen different platforms (eleven of which are architecture-specific versions of Unix, DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix versions (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL, and others.

Source && Download at:


Hashcat is the self-proclaimed world’s fastest CPU-based password recovery tool. It is available free of charge, although it has a proprietary codebase. Versions are available for Linux, OSX, and Windows and can come in CPU-based or GPU-based variants. Hashcat currently supports a large range of hashing algorithms, including: Microsoft LM Hashes, MD4, MD5, SHA-family, Unix Crypt formats, MySQL, Cisco PIX, and many others.

Hashcat has made its way into the news many times for the optimizations and flaws discovered by its creator, which become exploited in subsequent hashcat releases. (For example, the flaw in 1Password’s hashing scheme.)

Hashcat comes in two main variants:

  • Hashcat – A CPU-based password recovery tool
  • oclHashcat – A GPU-accelerated tool

Many of the algorithms supported by Hashcat can be cracked in a shorter time by using the well-documented GPU-acceleration leveraged in oclHashcat (such as MD5, SHA1, and others). However, not all algorithms can be accelerated by leveraging GPUs. Bcrypt is a good example of this. Due to factors such as data dependant branching, serialization, and Memory (to name just a few), oclHashcat is not a catchall replacement for Hashcat.

Attack types

Hashcat offers multiple attack modes for obtaining effective and complex coverage over a hash’s keyspace. These modes are:

  • Brute-Force attack
  • Combinator attack
  • Dictionary attack
  • Fingerprint attack
  • Hybrid attack
  • Mask attack
  • Permutation attack
  • Rule-based attack
  • Table-Lookup attack
  • Toggle-Case attack

The traditional bruteforce attack is considered outdated, and the Hashcat core team recommends the Mask-Attack as a full replacement.

Source && Download at:

THC Hydra

THC Hydra is a fast network logon password cracking tool. When it is compared with other similar tools, it shows why it is faster. New modules are easy to install in the tool. You can easily add modules and enhance the features. It is available for Windows, Linux, Free BSD, Solaris and OS X. This tool supports various network protocols. Currently it supports Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Source && Download at:


Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application:

  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

It claims to be a speedy parallel, modular and login brute forcing tool. It supports HTTP, FTP, CVS, AFP, IMAP, MS SQL, MYSQL, NCP, NNTP, POP3, PostgreSQL, pcAnywhere, rlogin, SMB, rsh, SMTP, SNMP, SSH, SVN, VNC, VmAuthd and Telnet. While cracking the password, host, username and password can be flexible input while performing the attack.

Source && Download at:


Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.


  • Runs on Windows, Linux/Unix, Mac OS X, …
  • Cracks LM and NTLM hashes.
  • Free tables available for Windows XP and Vista/7.
  • Brute-force module for simple passwords.
  • Audit mode and CSV export.
  • Real-time graphs to analyze the passwords.
  • LiveCD available to simplify the cracking.
  • Dumps and loads hashes from encrypted SAM recovered from a Windows partition.
  • Free and open source software (GPL).

Source && Download at:


L0phtCrack is a password auditing and recovery application (now called L0phtCrack 6) originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, hybrid attacks, and rainbow tables. It was one of the crackers’ tools of choice, although most use old versions because of its low price and high availability.

The application was produced by @stake after the L0pht merged with @stake in 2000. @stake was then acquired by Symantec in 2004. Symantec later stopped selling this tool to new customers, citing US Government export regulations, and discontinued support in December 2006.

In January 2009, L0phtCrack was acquired by the original authors Zatko, Wysopal, and Rioux from Symantec. L0phtCrack 6 was announced on 11 March 2009 at the SOURCE Boston Conference. L0phtCrack 6 contains support for 64-bit Windows platforms as well as upgraded rainbow tables support.

Source && Download at:


Cryptohaze is the home of high performance, open source, network-enabled, US-based cross-platform GPU and OpenCL accelerated password auditing tools for security professionals. Currently, many security professionals are at a serious disadvantage in auditing as they cannot submit hashes to online hash databases due to the terms of their auditing agreement. Cryptohaze tools are aimed at providing high quality tools that run on any platform – Windows, Linux, or OS X. The tools run on all platforms that support CUDA or OpenCL (currently Windows, Linux, OS X). If you don’t have a GPU – the OpenCL code will run just fine on your host CPU!

Tools Overview:

Cryptohaze Multiforcer

The Cryptohaze Multiforcer is a high performance CUDA password cracker that is designed to target large lists of hashes. Performance holds very solid with large lists, such that on a suitable server, cracking a list of 1 000 000 passwords is not significantly slower than cracking a list of 10. For anyone who deals with large lists of passwords, this is a very useful tool! Algorithm support includes MD5, NTLM, LM, SHA1, and many others.

Multiforcer New (MFN)

The Multiforcer New is a total ground up rewrite of the Cryptohaze Multiforcer with CUDA, OpenCL, and CPU (SSE/AVX/etc) support. It remains focused on brute forcing large hash lists, and scales very well. It also is designed for network clustering of machines – no longer are you limited to running your hashes with a single machine! Other tools have varying levels of network support, but Cryptohaze is the only open source tool with easy to use built in networking.

Cryptohaze GPU Rainbow Tables

There has been very little development in the promising Rainbow Table technology over the past several years. Cryptohaze GPU Rainbow table are a totally fresh implementation of rainbow tables, leveraging the strengths of the nVidia GPUs and OpenCL devices to allow for much larger table spaces and coverage. While the stock RainbowCrack tables use chain lengths of 10 000, the Cryptohaze tables use a chain length of 200 000. This allows much larger attack spaces – NTLM tables for full US charset (95 characters) length 8 are available, and other tables will become available as they are created. While doing this, cracking times on a high performance server remain very reasonable – in some cases, under 2 minutes per password!

Source && Download at:


Large scale brute force cryptanalysis needs a tremendous amount of computational power that government agencies like the NSA and companies like Google® have.

An average security researcher might want to have such capabilities as well but they do not have the tools or the computational resources. Moreover, they might not be skilled in writing software that takes advantage of the computational resources provided by commercial-off-the-shelf systems with CUDA and OpenCL capable GPUs and computational clusters provided by Amazon EC2® and Microsoft Azure®.

With Wisecracker™ we bridge this gap by providing an open source framework for security researchers to write their own cryptanalysis tools that can distribute brute force cryptanalysis work across multiple systems with multiple multi-core processors and GPUs. Security researchers can also use the sample tools provided as part of Wisecracker™ out-of-the-box.The differentiating aspect of Wisecracker™ is that it uses OpenCL and MPI together to distribute the work across multiple systems each having multiple CPUs and/or GPUs. We support the OpenCL libraries provided by Intel®, AMD® and NVIDIA®, and support multiple operating systems such as Linux®, Microsoft Windows® and Apple’s Mac OSX®.

Source && Download at:


Moscrack facilitates the use of a WPA cracker on a cluster. Currently it works with Mosix (clustering software), SSH, RSH and Pyrit. It works by reading a word list from STDIN or a file, breaking it into chunks and passing those chunks off to seperate processes that run in parallel. The parallel processes can then execute on different nodes in your cluster. All results are checked and recorded on your master node. Logging, error handling, etc… are all handled for you. Moscrack capable of running for long periods of time (days/weeks/months/etc…) reliably and without risk of losing data or having to restart.


  • Basic API allows remote monitoring
  • Automatic and dynamic configuration of nodes
  • Live CD/USB enables boot and forget dynamic node configuration
  • Can be extended by use of plugins
  • Uses aircrack-ng by default
  • CUDA/OpenCL support via Pyrit plugin
  • CUDA support via aircrack-ng-cuda (untested)
  • Does not require an agent/daemon on nodes
  • Can crack/compare SHA256/512, DES, MD5 and blowfish hashes via Dehasher plugin
  • Checkpoint and resume
  • Easily supports a large number of nodes
  • Desgined to run for long periods of time
  • Doesn’t exit on errors/failures when possible
  • Supports mixed OS/protocol configurations
  • Supports SSH, RSH, Mosix for node connectivity
  • Effectively handles mixed fast and slow nodes or links
  • Architecture independent
  • Supports Mosix clustering software
  • Supports all popular operating systems as processing nodes
  • Node prioritization based on speed
  • Nodes can be added/removed/modified while Moscrack is running
  • Failed/bad node throttling
  • Hung node detection
  • Reprocessing of data on error
  • Automatic performance analysis and tuning
  • Intercepts INT and TERM signals for clean handling
  • Very verbose, doesn’t hide anything, logs agressively
  • Includes a “top” like status viewer
  • Includes CGI web status viewer
  • Includes an optional basic X11 GUI

Source && Download at:

Reaver: WPS Nightmare

Reaver-wps takes advantage of a vulnerability in something called Wi-Fi Protected Setup, or WPS. It’s a feature that exists on many routers, intended to provide an easy setup process, and it’s tied to a PIN that’s hard-coded into the device. Reaver exploits a flaw in these PINs; the result is that, with enough time, it can reveal your WPA or WPA2 password. The

People assume that because their wireless encryption key is WPA2 standard, they are safe from cyber attack. They are wrong. This is a program that allows an attacker to easily compromise your routers password by attacking the PIN authorization process between your router and other devices. See, with your router’s PIN, a password is not needed. In fact, because Reaver doesn’t use a dictionary file to brute-force your password, it doesn’t matter how strong or long it is.  Reaver WILL eventually crack the PIN!

Source && Download at:


Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic. The program runs under Linux and Windows; the Linux version is packaged for OpenWrt and has also been ported to the Zaurus and Maemo platforms; and a proof of concept port has been made to the iPhone.

In April 2007 a team at the Darmstadt University of Technology in Germany developed a new attack method based on a paper released on the RC4 cipher by Adi Shamir. This new attack, named ‘PTW’, decreases the number of initialization vectors or IVs needed to decrypt a WEP key and has been included in the aircrack-ng suite since the 0.9 release.

Aircrack-ng is a fork of the original Aircrack project.

Source && Download at:

What can you do ?

Using strong passwords lowers overall risk of a security breach, but strong passwords do not replace the need for other effective security controls. The effectiveness of a password of a given strength is strongly determined by the design and implementation of the authentication system software, particularly how frequently password guesses can be tested by an attacker and how securely information on user passwords is stored and transmitted. Risks are also posed by several means of breaching computer security which are unrelated to password strength. Such means include wiretapping, phishing, keystroke logging, social engineering, dumpster diving, shoulder surfing, side-channel attacks, and software vulnerabilities.

Always use longer password: Password length is a very important factor in auditing process. If you use short password, password auditing tools can easily go through all possible combinations and crack your password rather quick. A long password drastically increase time and resource requirements needed to crack the password. Rule of thumb ? No less than 8 characters long.

Always use a combination of characters, numbers and special characters: Password cracking tools try all combinations, one by one. Have a combination of small characters, capital letters, numbers and special characters drastically increases the time which would take to go through all of those cases.

Variety in passwords: Never use same password everywhere. Cyber criminals often steal passwords from one website and then try it on other websites.

Never use a dictionary word – Rainbow crackers usually have all of those words pre-hashed. Also avoid using your pet’s name, parent name, your phone number, driver’s license number or anything else that can be easy to guess. Avoid using passwords with sequence or repeated characters: For Ex: 1111111, 12345678 or qwerty, asdfgh.

Presenting SplashData’s “Worst Passwords of 2013″:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. abc123
  6. 123456789
  7. 111111
  8. 1234567
  9. iloveyou
  10. adobe123
  11. 123123
  12. admin
  13. 1234567890
  14. letmein
  15. photoshop
  16. 1234
  17. monkey
  18. shadow
  19. sunshine
  20. 12345
  21. password1
  22. princess
  23. azerty
  24. trustno1
  25. 000000

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s