• They either do not work or are not reliable (false negatives several times in the past)
• They are slow (not multi-threaded or not testing multiple passwords within the same TCP connection)
• They lack very useful features that are easy to code in python (eg. interactive runtime)

Basically you should give Patator a try once you get disappointed by Medusa, Hydra or other brute-force tools and are about to code your own small script because Patator will allow you to:

• Not write the same code over and over
• Run multi-threaded
• Benefit for useful features such as the interactive runtime commands, response logging, etc.

Currently it supports the following modules:

• ftp_login : Brute-force FTP
• ssh_login : Brute-force SSH
• telnet_login : Brute-force Telnet
• smtp_login : Brute-force SMTP
• smtp_vrfy : Enumerate valid users using the SMTP VRFY command
• smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
• http_fuzz : Brute-force HTTP/HTTPS
• pop_passd : Brute-force poppassd (not POP3)
• ldap_login : Brute-force LDAP
• smb_login : Brute-force SMB
• mssql_login : Brute-force MSSQL
• oracle_login : Brute-force Oracle
• mysql_login : Brute-force MySQL
• pgsql_login : Brute-force PostgreSQL
• vnc_login : Brute-force VNC
• dns_forward : Forward lookup subdomains
• dns_reverse : Reverse lookup subnets
• snmp_login : Brute-force SNMPv1/2 and SNMPv3
• unzip_pass : Brute-force the password of encrypted ZIP files
• keystore_pass : Brute-force the password of Java keystore files

The name “Patator” comes from this tv interview clip – patator

Patator is NOT script-kiddie friendly, please read the README inside patator.py before reporting/complaining/asking me how to use this tool..

You can download Patator v0.3 here:

patator_v0.3.py

Or read more here.

Well here is a nifty web-based interface for it. Rainbow Tables are really useful when cracking password hashes, but one major disadvantage of these tables is their size which can be hundreds of gigs for complex tables. The author thought it would be extremely useful to have a personal web interface for your rainbow tables which you can access from anywhere on the web anywhere without having to carry the large tables with you everywhere you go. And well here we are, Wophcrack (Web)Ophcrack.

When cracking LM or NTLM hashes Ophcrack is a great tool as we discussed recently, it provides both a GUI and CLI options along with some free and paid tables. The author basically wrote a quick and dirty PHP based web frontend for Ophcrack.

Wophcrack was designed to work on Backtrack 4 R2, Although it can be install on any Linux distribution with some small adjustments, Wophcrack can also easily edited to support Rainbow Crack.

You can download Wophcrack here:

wophcrack.zip

Or read more here.

We mentioned it in our RainbowCrack and Rainbow Tables article, definitely one of the best free options for Rainbow Cracking.

Features

• Runs on Windows, Linux/Unix, Mac OS X
• Cracks LM and NTLM hashes.
• Free tables available for Windows XP and Vista.
• Brute-force module for simple passwords.
• Audit mode and CSV export.
• Real-time graphs to analyze the passwords.
• LiveCD available to simplify the cracking.
• Loads hashes from encrypted SAM recovered from a Windows partition, Vista included.
• Free and open source software (GPL).

You can find the various tables they offer here (mostly free with some paid):

Ophcrack Rainbow Tables

And of course our own collection of Free Rainbow Tables and other software here.

You can download Ophcrack 3.3.1 here:

Windows – ophcrack-win32-installer-3.3.1.exe
Source – ophcrack-3.3.1.tar.bz2

Or download the LiveCD here:

To crack XP hashes – ophcrack-xp-livecd-2.3.1.iso
To crack Vista hashes – ophcrack-vista-livecd-2.3.1.iso

Or read more here.

Features

• Basic Authorization & FORM support in both standard and HTTPS (SSL) mode
• HTTP/SOCKS 4 and 5 proxy support
• FORM auto-detection & Manual FORM input configuration.
• It is multi-threaded
• Wordlist shuffling via macros
• Auto-removal of dead or unreliable proxy and when site protection mechanism blocks the proxy
• Integrated proxy randomization to defeat certain protection mechanisms
• With Success and Failure Keys results are 99% accurate
• Advanced coding and timeout settings makes it outperform any other brute forcer

The full changelog including the latest version is here.

You can download NiX Brute Force here:

NIX_BruteForce.bz2

Or read more here.

We haven’t mentioned Hydra since way back in 2007 – THC-Hydra – The Fast and Flexible Network Login Hacking Tool

Currently this tool supports:

	  TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL,
          MYSQL, REXEC,RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5,
          VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP2, LDAP3,
          Postgres, Teamspeak, Cisco auth, Cisco enable, AFP, LDAP2,
          Cisco AAA (incorporated in telnet module).

Recent changes for v5.8

• Added Apple Filing Protocol (thank to “never tired” David Maciejak @ gmail dot com)
• Fixed a big bug in the SSL option (-S)

Additions prior to public release (v5.7 and before)

• Added ncp support plus minor fixes (by David Maciejak @ GMAIL dot com)
• Added an old patch to fix a memory from SSL and speed it up too from kan(at)dcit.cz
• Removed unnecessary compiler warnings
• Enhanced the SSH2 module based on an old patch from aris(at)0xbadc0de.be
• Fixed small local defined overflow in the teamspeak module. Does it still work anyway??
• Moved to GPLv3 License (lots of people wanted that)
• Upgraded ssh2 module to libssh-0.4.x (thanks to aris (at) 0xbadc0de.be for the 0.2 basis)
• Added firebird support (by David Maciejak @ GMAIL dot com)
• Added SIP MD5 auth patch (by Jean-Baptiste Aviat jba [at] hsc [dot] `french tld’)
• Removed Palm and ARM support
• Fix for cygwin which falsely detected postgres library when there was none.

You can download Hydra v5.8 here:

Or read more here.

We wrote about Bruter v1.0 ALPHA version back in 2008, recently they announced the release of v1.0 Final!

Bruter is a parallel network login brute-forcer on Win32. This tool is intended to demonstrate the importance of choosing strong passwords. The goal of Bruter is to support a variety of services that allow remote authentication.

It currently supports following services:

• FTP
• HTTP (Basic)
• HTTP (Form)
• IMAP
• MSSQL
• MySQL
• POP3
• SMB-NT
• SMTP
• SNMP
• SSH2
• Telnet
• VNC

Recent Changes

• Re-licensed to new-BSD license
• Added proxy support (CONNECT, SOCKS4, SOCKS5)
• Allowed more delimiter in combo file
• Added password length filtered in combo and dictionary mode
• Fixed miscellaneous bugs
• Updated openssl library to 0.9.8n

You can download Bruter v1.0 Final here:

Bruter_1.0.zip

Or read more here.

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients.

Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.

Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated bruteforcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s and many more.

Ncrack was started as a “Google Summer of Code” Project in 2009. While it is already useful for some purposes, it is still unfinished, alpha quality software. It is released as a standalone tool, be sure to read the Ncrack man page to fully understand Ncrack usage.

You can download Ncrack ALPHA here:

Tarball: ncrack-0.01ALPHA.tar.gz
Windows Binary: ncrack-0.01ALPHA-setup.exe

Or read more here.

After what feels like an eternity (one year to the date since Medusa version 1.5), Medusa 2.0 is now available for public download.

What is Medusa? Medusa is a speedy, massively parallel, modular, login brute-forcer for network services created by the geeks at Foofus.net.

It currently has modules for the following services: AFP, CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare), NNTP, PcAnywhere, POP3, PostgreSQL, rexec, rlogin, rsh, SMB, SMTP (AUTH/VRFY), SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC. It also includes a basic web form module and a generic wrapper module for external scripts.

Features

• Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
• Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
• Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

This release contains the most significant changes to the core of Medusa since its original release in 2005. We’ve moved to a “real” thread pool and modified how credential sets are selected. For a more detailed list of changes check the ChangeLog here.

While Medusa was designed to serve the same purpose as THC-Hydra, there are several significant differences. For a brief comparison see Medusa Compare.

You can download Medusa 2.0 here:

medusa-2.0.tar.gz

Or read more here.

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weakness present in protocol’s standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some “non standard” utilities for Microsoft Windows users.

Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration tester and everyone else that plans to use it for ethical reasons. The author will not help or support any illegal activity done with this program. Be warned that there is the possibility that you will cause damages and/or loss of data using this software and that in no events shall the author be liable for such damages or loss of data. Please carefully read the License Agreement included in the program before using it.

The latest version is faster and contains a lot of new features like APR (Arp Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms. The new version also ships routing protocols authentication monitors and routes extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders and some not so common utilities related to network and system security.

Most recently added is the support for Windows 2008 Terminal Server in APR-RDP sniffer filter.

You can download Cain & Abel v4.9.35 here:

ca_setup.exe

Or read more here, the online user manual is here.

crack.pl is a tool for cracking SHA1 & MD5 hashes, including a new BETA tool which can crack MD5 that have been salted. You can use a dictionary file or bruteforce and it can be used to generate tables itself.

NOTE – Salt function is currently only available for md5, you need to append ‘\’ infront of every $ while lookingup or cracking salted hash

General Usage and examples :
./crack.pl [sha1|md5|lookup|salt] [salt]
./crack.pl \$1\$killme\$TVUPnlxfX62j2D/fUVRqp1 bruteforce
./crack.pl 15191b869d2918ebeb0409dbee90f201 /pentest/wireless/cowpatty/dict
./crack.pl 15191b869d2918ebeb0409dbee90f201 bruteforce
./crack.pl 087e086132b9fb3b9c938ab646a4891b365c2f08 /pentest/wireless/cowpatty/dict
./carck.pl 087e086132b9fb3b9c938ab646a4891b365c2f08 bruteforce
./crack.pl table /pentest/wireless/cowpatty/dict md5 > table.md5
./crack.pl table /pentest/wireless/cowpatty/dict sha1 > table.sha1
./crack.pl table bruteforce md5 > bigtable.md5
./crack.pl table bruteforce sha1 > bigtable.sha1
./crack.pl table bruteforce md5 mysalt > table.mysalt

After generating a table you will need to remove any duplicates(if any). But there will be very little or none so this step is unnecessary and this step wll take a long time to run. Running the following will do that

sort -u <table name> -o <sorted table>

If you don’t mind some few errors in trade for space, open the source file and change $savespace=0 to $savespace=1. This will cause only the first 5 bytes of the hash to be stored and as such some two or more passwords may have the same beginning. To look up a hash,use the lookup feature.

./crack.pl <hash><table> lookup

This will find all possible passwords and compute the correct one, please note that fat32 system will store up to 4GB only. While generating a table the software will start from ‘aaaaaa’ onwards (six letters and up).
Less than six letter password is cracked within minutes (four minutes on mine;) ).

crack_salted.pl

This will crack md5 hashes of salted hash. The results are displayed within ‘singe ticks’.

TIP : most applications set the salt as the username :)
: I made a program to generate random strings (genrandom.pl) the list there should definitely pass through sorting and there is absolutly no guarantee that the salt/pass will be included

./crack_salted.pl <hash> <salt|-f salt_file> <method>

This is still in development

Installing Crypt::PasswdMD5

(a windows copy of make may be downloaded from http://gnuwin32.sourceforge.net/packages/make.htm)
$ cd Crypt-PasswdMD5
$ perl Makefile.PL
$ make
$ make test

You can download crack BETA 6 here:

crack.zip

Or preferably use the SVN.