[Wolves] Crack your own password

Adam Sweet adamsweet at gmail.com
Fri Mar 13 12:32:04 UTC 2020


For a bit of fun, have a go at cracking your own password:

https://samsclass.info/123/proj10/p12-hashcat.htm

If you're running something based on Ubuntu 18.04 or newer and running
on bare metal rather than a VM you can just install hashcat from the
Ubuntu repos:

sudo apt install hashcat

I believe newer versions of hashcat don't work inside VMs.

Then follow the rest of the tutorial by picking your password hash (or
that of a test user you added) out of /etc/shadow:

sudo grep yourusername /etc/shadow

In the example, the guy gets you to download a file containing 500 of
the most common passwords. There are all sorts of 'most common
passwords' or 'worst passwords' lists out there that can be used as a
dictionary file, e.g.:

https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials

If you try with a password list and hashcat finds your password,
probably stop using that password for anything.

You can also try to brute force a password rather than providing a
password dictionary file but it will take far longer, in the region of
hours and days rather than minutes depending on your hardware and
password complexity. Of course: electricity bill.

If you have a recent Nvidia or AMD graphics card you could try running
it on the GPU, but after faffing around with packages and libraries for
ages I could only get that to work on Windows.

I'm currently trying to brute force my own password on my GPU, just for
the technical exercise, to see how easily somebody else could do it and
it's not expected to complete today, let's put it that way.

There are frequent fairly high profile website breaches that expose user
password databases (e.g. Experian, LinkedIn, Last.fm, Epic Games,
MySpace, Ashley Madison, Snapchat, Sony, Tesco etc etc). If you're
worried about whether your account details have been exposed, take a
look at:

https://haveibeenpwned.com/

This is a website which collects publicly exposed user account databases
which were circulating and allows you to check whether your email
addresses were in any of the website breaches and tells you what other
details associated with that address were exposed (e.g. passwords,
addresses, card details). You can also subscribe if you want to be
notified if your email address pops up in a newly circulating website
data breach.

Ad
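
An added example, not part of the original message: a small parser for the password field of an /etc/shadow line like the one the grep above returns, reporting which hashing scheme and how many rounds protect it, since that sets how expensive each guess is. The sample lines are constructed and the hash bodies are filler; the function and dictionary names are this example's own.

```python
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
WEAK = {"descrypt", "md5crypt", "empty"}  # fast or absent: cheap to guess against

def parse_shadow_line(line):
    """Describe the password field of one /etc/shadow line (see shadow(5))."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields")
    pw = fields[1]
    info = {"user": fields[0], "locked": pw.startswith("!"),
            "scheme": None, "salt": None, "rounds": None}
    pw = pw.lstrip("!")                      # '!' prefix marks a locked password
    if pw == "*" or (info["locked"] and pw == ""):
        info["scheme"] = "no-login"          # no hash stored at all
    elif pw == "":
        info["scheme"] = "empty"             # account has no password
    elif not pw.startswith("$"):
        info["scheme"], info["salt"] = "descrypt", pw[:2]
    else:
        parts = pw.split("$")                # ['', id, ...]
        info["scheme"] = SCHEMES.get(parts[1], "unknown")
        if info["scheme"] in ("sha256crypt", "sha512crypt"):
            if parts[2].startswith("rounds="):
                info["rounds"], info["salt"] = int(parts[2][7:]), parts[3]
            else:
                info["rounds"], info["salt"] = 5000, parts[2]  # sha-crypt default
        elif info["scheme"] == "bcrypt":
            # cost is a log2 work factor; the salt is the first 22 characters
            info["rounds"], info["salt"] = 2 ** int(parts[2]), parts[3][:22]
        elif info["scheme"] == "md5crypt":
            info["rounds"], info["salt"] = 1000, parts[2]      # fixed iterations
    info["weak"] = info["scheme"] in WEAK
    return info

# Constructed sample lines; the hash bodies are filler, not real hashes.
SAMPLE = [
    "alice:$6$rounds=100000$ExampleSalt$" + "A" * 86 + ":18334:0:99999:7:::",
    "bob:$6$ExampleSalt$" + "B" * 86 + ":18334:0:99999:7:::",
    "carol:$1$ExmplSlt$" + "C" * 22 + ":18334:0:99999:7:::",
    "dave:!$6$ExampleSalt$" + "D" * 86 + ":18334:0:99999:7:::",
    "daemon:*:18334:0:99999:7:::",
]

def audit(lines):
    return [parse_shadow_line(l) for l in lines]

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(r)
```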


