During my penetration testing studies I’ve come to realize that strong passwords matter more than ever. I only recently saw for myself just how easy it is to crack a weak one.

Let me show you how easy it is to brute-force (guess) a weak password. Strictly speaking this is a dictionary attack with mangling rules rather than an exhaustive brute force, but against a weak password the result is the same:

cewl http://example.com > words.txt

hashcat --force words.txt -r /usr/share/hashcat/rules/best64.rule --stdout | sort -u > passwords.txt

hydra -l user -P passwords.txt ssh://example.com

Here’s a detailed breakdown of each command:

  1. cewl http://example.com > words.txt
    
    • cewl: cewl is a tool for generating custom wordlists by spidering a given website URL. By default it follows links two levels deep and keeps words of at least three characters; -d and -m change those limits.
    • http://example.com: The target website URL from which cewl will gather words. Imagine if I put in your blog or company website URL, what words could be gathered? Product names, place names and the year the company was founded are typical finds.
    • > words.txt: This redirects the output of the cewl command (the generated wordlist) into a file named words.txt.
  2. hashcat --force words.txt -r /usr/share/hashcat/rules/best64.rule --stdout | sort -u > passwords.txt
    
    • hashcat: hashcat is a powerful “password recovery” tool that supports numerous hashing algorithms and attack modes.
    • --force: This makes hashcat run even if it warns about the device or driver setup (for example an unsupported OpenCL runtime). I have to use this option, maybe you won’t.
    • words.txt: This is the wordlist filename generated by cewl in the previous step.
    • -r /usr/share/hashcat/rules/best64.rule: This applies a set of rules (in this case, the best64.rule file) to the wordlist to generate variations of the words (e.g., adding numbers, changing cases, etc.). It’s recipe driven, you can create your own rules or use one that is already provided by hashcat.
    • --stdout: In this mode hashcat cracks nothing. It simply prints every candidate produced by running each word through each rule, one per line, instead of testing candidates against hashes.
    • | sort -u: This sorts the candidates and removes duplicates (different word/rule pairs often produce the same string). It also means the final list is alphabetical rather than in the order hashcat generated it.
    • > passwords.txt: This redirects the final output into a file named passwords.txt. This may be a very large file, depending on the size of the wordlist and the rules applied.
  3. hydra -l user -P passwords.txt ssh://example.com
    
    • hydra: hydra is a network logon cracker that supports numerous protocols, ssh for example.
    • -l user: This specifies the single username to try. If we didn’t know the username, we could use -L users.txt to supply a list of usernames instead. Such a list might be built from the employee names found on the same company website.
    • -P passwords.txt: This specifies the password list file to be used in the attack, here the file generated in the previous step.
    • ssh://example.com: The target SSH server. Port 22 is assumed; a server listening elsewhere is written as ssh://example.com:2222, for example.

By chaining these commands together, an attacker can easily generate a list of potential passwords based on the content of a website and then use that list to attempt a brute-force attack on an SSH server. This demonstrates the importance of using strong, unique passwords to protect your accounts and data.
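To see what step 2 actually does to the words, here is an added example that is not part of the original post and is not hashcat’s own code: a small Python interpreter for a subset of hashcat’s rule functions, applied to a constructed stand-in for a cewl wordlist. The word list and the rule lines are made up for the demo; only the rule semantics (l, u, c, t, r, d, f, [, ], $X, ^X, TN, DN, sXY) follow hashcat’s documented rule language.

```python
"""Added example (not hashcat's code): a small interpreter for a subset of
hashcat's rule language, showing what `hashcat --stdout words.txt -r
best64.rule | sort -u` does to a cewl wordlist without running either tool.
The words and the rule list below are constructed for the demo."""
from __future__ import annotations
from typing import Iterable

# Argument characters each supported rule function takes.
ARGC = {":": 0, "l": 0, "u": 0, "c": 0, "t": 0, "r": 0, "d": 0, "f": 0,
        "[": 0, "]": 0, "$": 1, "^": 1, "T": 1, "D": 1, "s": 2}


def parse_rule(line: str) -> list[tuple[str, str]]:
    """Split one rule line into (function, args) pairs, e.g. 'c $1 $2' ->
    [('c', ''), ('$', '1'), ('$', '2')].  Spaces are optional separators."""
    ops, i = [], 0
    while i < len(line):
        if line[i] == " ":
            i += 1
            continue
        fn = line[i]
        if fn not in ARGC:
            raise ValueError(f"unsupported rule function {fn!r} in {line!r}")
        args = line[i + 1:i + 1 + ARGC[fn]]
        if len(args) != ARGC[fn]:
            raise ValueError(f"missing argument for {fn!r} in {line!r}")
        ops.append((fn, args))
        i += 1 + ARGC[fn]
    return ops


def apply_rule(word: str, line: str) -> str:
    """Run every function of one rule line over `word`, left to right.
    Positions (T, D) are written 0-9 then A-Z for 10-35, as in hashcat."""
    w = word
    for fn, a in parse_rule(line):
        if fn == "l":   w = w.lower()
        elif fn == "u": w = w.upper()
        elif fn == "c": w = w[:1].upper() + w[1:].lower()  # Capitalize
        elif fn == "t": w = w.swapcase()                   # toggle case
        elif fn == "r": w = w[::-1]                        # reverse
        elif fn == "d": w = w * 2                          # duplicate
        elif fn == "f": w = w + w[::-1]                    # reflect
        elif fn == "[": w = w[1:]                          # drop first char
        elif fn == "]": w = w[:-1]                         # drop last char
        elif fn == "$": w = w + a                          # append
        elif fn == "^": w = a + w                          # prepend
        elif fn == "s": w = w.replace(a[0], a[1])          # substitute X->Y
        elif fn in "TD" and int(a, 36) < len(w):           # toggle/delete @N
            p = int(a, 36)
            w = w[:p] + (w[p].swapcase() if fn == "T" else "") + w[p + 1:]
        # ":" passes the word through unchanged; out-of-range T/D do too.
    return w


def load_rules(text: str) -> list[str]:
    """Rule files hold one rule per line; '#' comments and blanks are skipped."""
    return [ln for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def expand(words: Iterable[str], rules: Iterable[str]) -> list[str]:
    """Equivalent of `hashcat --stdout words -r rules | sort -u`: every word
    through every rule, duplicates and empty strings removed, sorted."""
    rules = list(rules)
    return sorted({apply_rule(w, r) for w in words for r in rules} - {""})


# Constructed stand-in for words cewl might scrape from a small company site.
CEWL_WORDS = ["Acme", "Widgets", "Springfield", "Quality", "Since", "1987"]

# Constructed rules in the style of best64.rule (the real file is longer).
RULES = """\
# pass-through, case and reversal
:
l
u
c
r
# suffixes, leet substitutions, truncation
$1
$1 $2 $3
c $2 $0 $2 $4
sa@
c se3 $1
] ]
"""

if __name__ == "__main__":
    candidates = expand(CEWL_WORDS, load_rules(RULES))
    print(f"{len(candidates)} unique candidates, e.g.",
          ", ".join(c for c in candidates if c.startswith("Acme")))
```

Six scraped words and eleven rules already yield candidates such as Acme2024, Qu@lity and Springfi3ld1. A real best64 run over a few hundred cewl words produces tens of thousands of such variations, which is why a password built from the company name plus a year or a leet swap is not strong.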

fail2ban is a great tool to help protect against these types of brute-force password attacks. It watches the sshd log and blocks source IP addresses that rack up too many failed logins (maxretry) within a set window (findtime). It’s not a silver bullet: hydra can be throttled with the -c TIME option, which waits TIME seconds between attempts, and an attacker who stays under maxretry failures per findtime is never banned, while attempts spread across many source addresses sidestep per-IP counting entirely. The stronger fix is to stop accepting passwords on SSH at all (PasswordAuthentication no in sshd_config) and use keys, at which point the wordlist above has nothing to guess.
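As an added example (not fail2ban’s code, and not from the original post), here is the counting logic behind a fail2ban sshd jail in Python, run over constructed auth.log lines. It shows a full-speed hydra run getting banned at the fifth failure and a run throttled to one attempt every 200 seconds never reaching maxretry=5 within findtime=600. Host names, PIDs, the log year and the addresses (TEST-NET ranges) are made up.

```python
"""Added example (not fail2ban's code): the counting logic behind a
fail2ban sshd jail, run over constructed auth.log lines, and a look at
how a throttled hydra run (-c TIME) can stay under the threshold.  Host
names, PIDs and the TEST-NET IP addresses are made up for the demo."""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One sshd failure line, with or without "invalid user"; roughly what
# fail2ban's sshd filter matches for this case.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$")

LOG_YEAR = 2024            # syslog timestamps carry no year (assumed here)
START = datetime(LOG_YEAR, 6, 12, 10, 15, 0)   # first constructed event


def parse_failed(line: str) -> tuple[datetime, str, str] | None:
    """Return (timestamp, source ip, username) for a failed login, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def find_bans(lines: list[str], maxretry: int = 5,
              findtime: int = 600) -> dict[str, datetime]:
    """Sliding-window count of failures per source IP.  An IP is 'banned'
    at the first failure that brings it to `maxretry` failures within the
    last `findtime` seconds.  Same knobs as a jail.local entry:
        [sshd]
        maxretry = 5
        findtime = 600
    (bantime, i.e. what happens after the ban, is not modelled here)."""
    window = timedelta(seconds=findtime)
    recent: dict[str, deque[datetime]] = defaultdict(deque)
    banned: dict[str, datetime] = {}
    for line in lines:
        hit = parse_failed(line)
        if hit is None:
            continue
        ts, ip, _user = hit
        if ip in banned:
            continue                  # already blocked, nothing to count
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:     # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def attack_log(ip: str, attempts: int, interval: int) -> list[str]:
    """Constructed sshd lines for one attacker guessing `attempts` passwords
    `interval` seconds apart, which is the pattern hydra -c TIME produces."""
    return [
        f"{START + timedelta(seconds=i * interval):%b %d %H:%M:%S} bastion "
        f"sshd[4242]: Failed password for invalid user admin from {ip} "
        f"port {50000 + i} ssh2"
        for i in range(attempts)
    ]


# A full-speed run, a throttled run (every 200 s), one user typo, and an
# unrelated line the filter must ignore.  All constructed.
SAMPLE_LOG = (
    attack_log("203.0.113.7", attempts=20, interval=2)
    + attack_log("198.51.100.9", attempts=20, interval=200)
    + [f"{START:%b %d %H:%M:%S} bastion sshd[4300]: Failed password for alice "
       f"from 192.0.2.10 port 40122 ssh2",
       f"{START:%b %d %H:%M:%S} bastion sshd[4301]: Accepted publickey for alice "
       f"from 192.0.2.10 port 40123 ssh2: ED25519"]
)

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
    # 198.51.100.9 never appears: 200 s apart is only 4 failures per 600 s.
```

Lowering findtime or raising the attacker’s interval moves the boundary but never removes it, which is the point of the caveat above: a per-IP counter only raises the cost of guessing, and removing password authentication removes the target.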