de Deutsch en English
binsec GmbH

Offline password attacks

Unlike online password attacks, the hashes of the user passwords are available for offline password attacks. A cryptographic hash function represents a one-way function, where data of any size is mapped to data with a fixed size. So reconstructing a password based on a hash means finding a password that was mapped to the same hash by the hash function.

The success of such an attack thus depends on three factors. On the attacker’s side, the more processing power he or she has, the more hashes of possible passwords can be generated in a fixed amount of time. This is of course relevant to the password strength and the hash function used. Normally, cryptographically secure hash functions are used for authentication, as with these it is practically impossible to find a collision, among other things. A collision in this context means the mapping of two strings to the same hash value.

Hashes can be cracked with the hashcat tool, for example. hashcat supports several hash functions such as MD5, SHA1 and SHA2 (→man hashcat).

Kimberley Hudson is a software developer at Dubius Payment Ltd. and responsible for managing the company’s blog. She needs administrative rights to do so, which is why her access data is of interest to us as attackers. Using the following /etc/shadow entry, we can guess how she handles passwords: 


khudson:$6$41zPfrpb$ipcj7mB9nPLllAWz/Lrr97cIfPUocPUl4fACWWww0qp7puEhPfpG.3QPh6WBwIlIhtWZN4rrit4qbZpkk28pn1:17476:0:99999:7:::

Sub Articles

Pentest Training

Take a look at the pentest training chapters and learn penetration testing:

  1. Preface
  2. Introduction
  3. Legal Framework
  4. Hacking vs. Penetration Testing
  5. Classification
  6. Meaningfulness of Penetration Tests
  7. Penetration Testing Standards
  8. The Hacking Guide
  9. Demonstration of a Penetration Test
  10. Risk Assessment of Identified Vulnerabilities
  11. Structure of Documentation and Reporting
  12. Insider stories: Tales from Dubius Payment Ltd.

Penetation Testing Course

About Pentest Training

Discover the world of penetration testing. Learn how to infiltrate networks and successfully penetrate systems and applications. Acquire the necessary hacking skills and use them when conducting professional penetration tests. Become a real penetration tester. Here you will find the free documents for the Pentest Training of binsec academy GmbH. The binsec academy GmbH offers the corresponding security training lab environments and certifications. However, the knowledge and wiki articles on hacking and penetration testing is universal.

About binsec academy GmbH

binsec academy GmbH is the European provider of online security training with virtual laboratory environments. The core component of all security training is the focus on practice, practice and more practice. In the wiki here you will find the public and freely available course materials. You can put the theory into practice at binsec-academy.com.

Keywords