Hack RAR Password - Crunch - Hashcat - John The Ripper (Windows)

How a password creates more security problem than it solves?

An authentication mechanism (or method) is a way for you to prove that you’re allowed to access something. Passwords have been the default method of authentication for as long as most of us have needed to prove to a computer that we’re allowed to access it. However, passwords are not the only authentication mechanism. In the early days of computers and mainframes, passwords were stored in a database as plain text. When you wanted to sign-in, a gatekeeper application would ask you for your password. It would take whatever you typed in and check if it was equal to whatever it had stored in the database and if true, you were granted access. As the Internet evolved and grew, malicious hackers started gaining unauthorized access to systems. Once they were in, they would immediately download the plain-text password database and have instant access to all users passwords. Developers and systems administrators needed to come up with a solution to this problem and the solution they came up with was ‘password hashing’.

Talking about password security is a guaranteed crowd-snoozer, a surefire way to make people shut down and tune out, but the reality is that passwords are still important. Email or social media, online banking or gaming, educational applications or online services—anything that keeps some kind of user data still depends on passwords to keep miscreants out. Attackers will continue merrily looting bank accounts and taking over online services if users don’t step up and use better passwords.

Think of a hashing algorithm as a machine. In one end you input any text or binary data. Out the other end, you get a number that is a certain length – let's say 32 digits long in our example. The data you feed-in can be any size, from a few bytes to many terabytes or larger. No matter what data you feed in, you get a 32 digit number (in this example) that uniquely represents the data. What is amazing about a hashing algorithm machine is that if you feed something identical in you get the same 32 digit number. If you feed in War and Peace, you get a number. If you copy the book verbatim and feed in exactly the same text, you get the same number. If you change a single character in the novel, you will get a completely different number.

Hashing algorithms differ in the way they work and the most notable difference is the length of the number each one spits out. MD5 which is extremely popular spits out 128 binary digits. SHA2 spits out 256 bits (or binary digits). When system administrators and developers first encountered the security problems with password databases that stored as plain text, they turned to hash algorithms for help. What they came up with is, instead of storing your password in a database, they would just store a hash of your password. That is, the number that a hashing algorithm generates when it operates on your password.

When a user changes their password, or when a user account is created, the new password is typed in for the first time, the computer security application takes that password and runs it through a hashing algorithm and stores the resulting number in a database. The next time you try to sign-in and enter your password, the security system runs the password you entered through the same hashing algorithm and checks if the resulting hash matches the hash in the database (a hash is a number that a hashing algorithm spits out). If they match, then you’re allowed in. No longer are passwords stored in clear text in a database. If a hacker steals the user accounts database, they don’t automatically have all passwords, all they have is a list of hashes.

Storing hashes of passwords instead of passwords themselves was a major breakthrough in information security. The story, unfortunately, does not end there. Now that hashes are commonly used to authenticate users instead of plain-text passwords, a hacker does not immediately have a list of all passwords when they steal the user accounts database. However, there is a way for a hacker to steal hashes and turn them back into passwords.

The method is relatively simple. When a hacker steals a database of hashed passwords, to reverse engineer the hashes (convert them back to passwords) the hacker generates hashes from a dictionary of words he thinks might be the passwords that were used. If any of those hashes match what he has in the database, he has managed to reverse engineer a hash and now knows what the original password is.

When you create a new password, instead of just running the password on its own through a hashing algorithm, you do the following: Generate a random little piece of text. Put that text at the beginning of the password. Then run the combination of the little piece of text and the password through a hashing algorithm. Then you store the little piece of text (as plain text) and the resulting hash. That little piece of text is called a “Salt”. When someone wants to sign in, they type their password. The security application takes the stored piece of text or Salt, puts it at the front of the password that was entered and runs it through the same hashing algorithm to get a hash. It compares the resulting hash with the hash stored in the database and if they match you are granted access.

Rainbow Table: Rainbow tables are a method commonly used by hackers to crack password databases that use ordinary hashing without any additional security. Rainbow table attacks on hashed password databases are very effective because they are fast. To help protect against these kinds of attacks, developers and system administrators came up with a technique called ‘Salting’ Passwords.

Here’s an example of a password being created for someone called “John”:

The system administrator creates a new account on the system for a user called John with password ‘main'. The system automatically generates a short piece of text “abcTs”. The system takes the short text and combines it with ‘main’ to create the text “abcTsmain”. It then runs “abcTsmain” through a hashing algorithm and ends up with a 128-bit number. The system stores that number as the hashed password for John's account. Here’s how “John” signs in:

‘John’ arrives at work and tries to sign-in. He types in ‘main’ as his password. The system retrieves the record for the ‘John’ account. That record is a hash and the text “abcTs” which is a salt. The system combines the word “main” that John just typed in with the salt to make the text “abcTsmain” and runs a hashing algorithm on that. The system checks to see if the hash it retrieved matches the hash it just generated, it does match and it allows ‘John’ to access the system.

Here are the steps a hacker takes to crack Mr John’s salted password:

A hacker arrives and manages to hack into the system and he steals the database of password hashes and salts. The hacker tries to use pre-computed hashes of words in his English dictionary. One of the hashes are of the word ‘main’ but that doesn’t work because the hacker needs to combine the salt, which is ‘abcTs’ with the word 'main' before he hashes it. The hacker realizes his pre-computed rainbow table is useless. He needs to combine the salt for John’s password with every word in his dictionary and then see which hash matches. That means he needs to recalculate hashes for his entire dictionary which is going to take significantly longer. As you can see from the above example it is possible to crack passwords that use salts. It just takes much longer and requires more processing time.

For example, let us say you have stolen a password database and you have the hash of the password that ‘Joker’ uses. You want to know the actual password for Joker's account, so you take the word “oscar” and run it through the same hashing algorithm that the password database uses. You end up with a number and if the number matches the hash in the password database for user ‘Joker’, you now know his password. If it doesn’t match then try ‘2019’ and ‘oscar’ and ‘oscarwinner2019’ and progressively more words and more complex word combinations.

So to crack a password you need to take a very large dictionary of passwords and hash each of them, then compare those hashes to what is in the password database you stole and when you get a match you know the original password.

The problem is that generating hashes of words takes time. Each word might take a few milliseconds to hash. So you need a very fast computer to do this. Alternatively, you can take a very large dictionary of well-known passwords, generate hashes from all the words and store the words and their hashes. Then every time you steal a password database you can just reuse that list of words and their hashes. You don’t need to recreate the hashes every time. All you need to do is match your list of hashes with hashes in the password database and where you get a match you’ve cracked the password.

If your password is 9 characters of lowercase numbers and letters, that gives you 101,559,956,668,416 possible passwords. (36 to the power of 9). Now you begin to understand why longer passwords are better. You also begin to see why you should not just use letters and numbers, but special characters too. Any password that uses just letters and numbers is weak. Here’s why:

If you have a password made of just 1’s and 0’s and it’s 4 digits long, you will have:

2 to the power of 4 possible passwords or 16 possible passwords. If you have a password made of the digits 0 to 9 (that is 10 possible characters) and it is 4 digits long you have:

10 to the power of 4, which is 10,000 possible combinations. Now if you instead build your password out of all lower-case letters, upper-case letters, numbers and a set of 10 symbols, you have 26 + 26 + 10 + 10 = 72 possible characters. So if you have a password that is just 4 characters long you now have:

72 to the power of 4 possible passwords, which is 26,873,856 possible passwords.

As you can see, every time you increase the number of characters your password is made up of, you get a huge increase in the number of possible passwords, even though you keep the length
at just 4 characters in our example.

You get 26 million possible passwords from just 4 characters if you use a wider range of characters in your password. That really illustrates how important it is to use upper-case, lower-case, numbers and symbols in your password.

If you now expand the length of your password to 12 characters, you have 72 to the power of 12 or 19,408,409,961,765,342,806,016. Even with 8 GPU cluster, it would take 2495937 days or 6838 years to guess your password if we try every possible combination.

Why 12 is better and 16 better still
As we’ve seen, eight-character passwords give you over 221 trillion combinations, which can be reasonably brute-force guessed offline in hours.

Twelve characters gives you over three sextillion (3,279,156,381,453,603,096,810). The offline brute-force guessing time, in this case, would be measured in centuries. Sixteen takes the calculation off the chart. That’s why 16 is better than 12, and both are better than eight.

What about special characters?
I did leave out special characters, it’s true.

Let’s say that the system you’re using allows you to use any of 10 different “special characters” in addition to A-Z, a-z, and 0-9. Now, instead of 62 characters, we have 72 possibilities per position.
That takes us to 700 trillion possibilities.

Compare that to sticking with the original 62 letters and numbers, but adding only a single character to make it a nine-character password. That takes us to over 13 quadrillion possibilities.

Yes, adding and using special characters makes your password better, but significantly better yet is to simply add one more character

Download Links

Crunch - https://www.4shared.com/rar/bAJtj8M7ea/crunch_win.html
Hashcat - https://hashcat.net/hashcat/.
John - https://www.openwall.com/john/

Facebook - Syarz Asterisk
Twitter - Syarz Asterisk

Instagram - Syarz Asterisk