# Introduction

## Password Attacks

### Introduction

Passwords are the primary target in most authentication bypasses. This module covers attacking and cracking passwords across operating systems, applications, and encryption methods.

***

### Core Concepts

#### CIA Triad

Most breaches trace back to a breakdown in one of three principles:

| Principle           | Description                                 |
| ------------------- | ------------------------------------------- |
| **Confidentiality** | Only authorized users access data           |
| **Integrity**       | Data is accurate and unmodified             |
| **Availability**    | Systems and data are accessible when needed |

#### Authentication vs Authorization

* **Authentication** — proving who you are
* **Authorization** — what you're allowed to do after proving identity

> Auth comes first. Bypassing authentication bypasses authorization entirely — the attacker walks in as a valid user.

#### 4 Authentication Factors

| Factor             | Examples                             |
| ------------------ | ------------------------------------ |
| Something you know | Password, PIN, passphrase            |
| Something you have | Smart card, CAC, authenticator app   |
| Something you are  | Fingerprint, face, iris (biometrics) |
| Somewhere you are  | Geolocation, IP address              |

***

### Password Statistics (2019–2025)

| Stat                                  | Value                                |
| ------------------------------------- | ------------------------------------ |
| Reuse passwords across multiple sites | **66%**                              |
| Won't change password after breach    | **55%**                              |
| Use a password manager                | **36%** (up from 15% in 2019)        |
| Most common password                  | **123456** (4.5M breach appearances) |

> **Pentest relevance:** A 66% reuse rate means a cracked credential has a ~2-in-3 chance of working on other platforms. This is the basis of credential stuffing attacks.

***

### How Passwords Are Stored

Passwords are hashed before storage to limit damage from a breach. Hashing is a **one-way** mathematical function — you can't reverse a hash to recover the original password.

#### Generating hashes

```bash
# MD5 (the password is quoted so an interactive shell does not treat "!" as history expansion)
echo -n 'Soccer06!' | md5sum
# 40291c1d19ee11a7df8495c4cccefdfa

# SHA-256
echo -n 'Soccer06!' | sha256sum
# a025dc6fabb09c2b8bfe23b5944635f9b68433ebd9a1a09453dd4fee00766d93
```

***

### Password Cracking Techniques

#### 1. Rainbow Tables

Pre-compiled maps of `plaintext → hash` for a given algorithm. Fast lookup if the target hash has already been mapped.

**Defeated by salting** (see below).

#### 2. Dictionary Attack ✅ Primary method

Uses a wordlist of statistically likely passwords instead of every possible combination. Most efficient technique under time pressure.

```bash
# Preview rockyou.txt
head --lines=20 /usr/share/wordlists/rockyou.txt
```

Key wordlists:

* `rockyou.txt` — 14M real passwords leaked in the 2009 RockYou breach (the site stored them in plaintext)
* `SecLists` — curated lists for various attack scenarios

#### 3. Brute-Force Attack

Tries every possible character combination. **100% guaranteed** to crack any password given enough time, but impractical for strong/long passwords. Viable for passwords under 9 characters on consumer hardware.

> In practice, replaced by **mask attacks** — a smarter version of brute-force that uses known password patterns.

***

### Salting

A **salt** is a random byte sequence added to a password before hashing.

```bash
# Same password, salted (salt prepended) — completely different hash
echo -n 'Th1sIsTh3S@lt_Soccer06!' | md5sum
# 90a10ba83c04e7996bc53373170b5474
```

#### Why salting works against rainbow tables

| Scenario             | Rainbow table entries needed   |
| -------------------- | ------------------------------ |
| No salt              | ~15 billion                    |
| 1-byte salt          | ~3.84 trillion (256× increase) |
| Unique per-user salt | Practically infeasible         |

**Key properties of a good salt:**

* Unique per user — never reused across the whole DB
* Stored alongside the hash (not secret)
* Should contain non-printable characters for maximum effect
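The rainbow-table and salting points above, as an added example that is not part of the original page: a constructed five-entry lookup table recovers an unsalted MD5 instantly, but the same table finds nothing once each record carries a random 16-byte salt (MD5 is kept only to match the page's commands; a real store would use bcrypt/argon2).

```python
# Added example (not from the original page): why a precomputed lookup table
# works against unsalted MD5 but fails once each user gets a random salt.
import hashlib
import hmac
import os

# Constructed mini "rainbow table": MD5 hex -> plaintext, built from a tiny
# wordlist that stands in for rockyou.txt.
WORDLIST = ["123456", "password", "Soccer06!", "letmein", "qwerty"]
RAINBOW_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in WORDLIST}


def unsalted_hash(password: str) -> str:
    """Legacy storage: bare MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salt is prepended to the password before hashing, exactly like the
    page's Th1sIsTh3S@lt_Soccer06! example."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def make_record(password: str) -> dict:
    """What a salted credential store keeps per user: a fresh random salt
    (stored in the clear, not secret) next to the salted hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": salted_hash(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    expected = salted_hash(candidate, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(expected, record["hash"])


def table_lookup(stored_hash: str):
    """Rainbow-table style lookup: plaintext if precomputed, else None."""
    return RAINBOW_TABLE.get(stored_hash)


if __name__ == "__main__":
    pw = "Soccer06!"
    print("unsalted lookup ->", table_lookup(unsalted_hash(pw)))  # Soccer06!
    rec1, rec2 = make_record(pw), make_record(pw)
    print("same password, different hashes:", rec1["hash"] != rec2["hash"])
    print("salted lookup   ->", table_lookup(rec1["hash"]))       # None
    print("verify          ->", verify(rec1, pw), verify(rec1, "wrong"))
```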

***

### Hash Speed Comparison

Speed matters — fast hashes are easy targets, while slow hashes make brute force impractical.

| Algorithm       | Approx. speed (CPU) | Salted | Use for passwords?              |
| --------------- | ------------------- | ------ | ------------------------------- |
| MD5             | ~5M/sec+            | No     | No — legacy, avoid              |
| SHA-256         | Fast                | No     | No — not designed for passwords |
| DCC2            | ~10K/sec            | Yes    | Windows domain credentials      |
| bcrypt / argon2 | Very slow by design | Yes    | Yes — correct choice            |

> **Pentest rule:** MD5/SHA hash = mask + dictionary attacks viable. DCC2/bcrypt = dictionary only, pick wordlists carefully.
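The speed argument above and the "under 9 characters" brute-force limit, as an added example that is not from the original page: it measures single-core guesses per second for MD5 against a deliberately slow hash and converts the rate into worst-case time to exhaust a keyspace. Assumptions: PBKDF2-HMAC-SHA256 from `hashlib` stands in for bcrypt/argon2 so the block needs only the standard library, and the round count is a constructed work factor.

```python
# Added example (not from the original page): fast vs slow hash throughput,
# and what that throughput means for exhaustive search of a keyspace.
import hashlib
import time

PBKDF2_ROUNDS = 100_000  # assumption: a constructed, bcrypt-like work factor


def md5_hash(candidate: bytes) -> bytes:
    """Fast, unsalted legacy hash (the page's MD5 row)."""
    return hashlib.md5(candidate).digest()


def slow_hash(candidate: bytes) -> bytes:
    """Deliberately slow KDF standing in for bcrypt/argon2. A fixed salt is
    used only so the timing loop stays simple; real stores use a random
    per-user salt as described in the Salting section."""
    return hashlib.pbkdf2_hmac("sha256", candidate, b"fixed-salt", PBKDF2_ROUNDS)


def guesses_per_second(hash_fn, budget_s: float = 0.25) -> float:
    """Hash distinct candidates for roughly budget_s seconds and return the
    observed single-core throughput (guesses/sec)."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget_s:
        hash_fn(b"guess%d" % count)
        count += 1
    return count / (time.perf_counter() - start)


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates for a fixed-length password over a charset."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time for a full brute force at the given guesses/sec."""
    return keyspace(charset_size, length) / rate


if __name__ == "__main__":
    fast = guesses_per_second(md5_hash)
    slow = guesses_per_second(slow_hash)
    print(f"MD5:    {fast:,.0f} guesses/sec")
    print(f"PBKDF2: {slow:,.0f} guesses/sec  (slowdown x{fast / slow:,.0f})")
    for charset, length in ((26, 8), (95, 8)):  # lowercase-only vs printable ASCII
        days_fast = seconds_to_exhaust(charset, length, fast) / 86400
        days_slow = seconds_to_exhaust(charset, length, slow) / 86400
        print(f"{length} chars over {charset}: MD5 {days_fast:,.1f} days, PBKDF2 {days_slow:,.1f} days")
```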

* Identifying hash types (hashcat `--identify` or `hash-identifier`)
* Cracking with `hashcat` and `john`
* Dictionary attacks with `rockyou.txt`
* Mask attacks (smarter brute-force)
* Understanding salt handling in hashcat formats

> Next sections cover **hashcat syntax, mask attacks, and rule-based attacks** — the core hands-on content for this module.
