Online Wifi Password Hacker

In an earlier tutorial, I had introduced you to two essential tools for cracking online passwords—Tamper Data and THC-Hydra.

In that guide, I promised to follow up with another tutorial on how to use THC-Hydra against web forms, so here we go.

  1. Although you can use Tamper Data for this purpose, I want to introduce you to a another tool that is built into Kali, Burp Suite.
  2. So, let's get started.
  3. Fire up Kali and open THC-Hydra from Applications -> Kali Linux -> Password Attacks -> Online Attacks -> hydra.

To be able to hack web form usernames and passwords, we need to determine the parameters of the web form login page as well as how the form responds to bad/failed logins.

  • The key parameters we must identify are the:.
  • IP Address of the website. field containing the username.

Step 5: Place the Parameters into Your THC Hydra Command

field containing the password. failure message. We can identify each of these using a proxy such as Tamper Data or Burp Suite. Although we can use any proxy to do the job, including Tamper Data, in this post we will use Burp Suite.

You can open Burp Suite by going to Applications -> Kali Linux -> Web Applications -> Web Application Proxies -> burpsuite.

  • When you do, you should see the opening screen like below.

Next, we will be attempting to crack the password on the Damn Vulnerable Web Application (DVWA).

  • You can run it from the Metasploitable operating system (available at Rapid7) and then connecting to its login page, as I have here.
  • We need to enable the Proxy and Intercept on the Burp Suite like I have below.

Make sure to click on the Proxy tab at the top and then Intercept on the second row of tabs.

Make certain that the "Intercept is on." Last, we need to configure our IceWeasel web browser to use a proxy.

We can go to Edit -> Preferences -> Advanced -> Network -> Settings to open the Connection Settings, as seen below.

There, configure IceWeasel to use 127.0.0.1 port 8080 as a proxy by typing in 127.0.0.1 in the HTTP Proxy field, 8080 in the Port field and delete any information in the No Proxy for field at the bottom.

Also, select the "Use this proxy server for all protocols" button.

Now, let's try to log in with my username OTW and password OTW.

When I do so, the BurpSuite intercepts the request and shows us the key fields we need for a THC-Hydra web form crack.

After collecting this information, I then forward the request from Burp Suite by hitting the "Forward" button to the far left . The DVWA returns a message that the "Login failed." Now, I have all the information I need to configure THC-Hydra to crack this web app!

Getting the failure message is key to getting THC-Hydra to work on web forms.

In this case, it is a text-based message, but it won't always be.

At times it may be a cookie, but the critical part is finding out how the application communicates a failed login.

In this way, we can tell THC-Hydra to keep trying different passwords; only when that message does not appear, have we succeeded.

Now, that we have the parameters, we can place them into the THC-Hydra command.

The syntax looks like this:. kali > hydra -L -p

.

So, based on the information we have gathered from Burp Suite, our command should look something like this:.

kali >hydra -L -P192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed". A few things to note.

First, you use the upper case "L" if you are using a username list and a lower case "l" if you are trying to crack one username that you supply there.

In this case, I will be using the lower case "l " as I will only be trying to crack the "admin" password.

After the address of the login form (/dvwa/login.php), the next field is the name of the field that takes the username.

In our case, it is "username," but on some forms it might be something different, such as "login."

WEP and WPA

Now, let's put together a command that will crack this web form login. Now, we need to chose a wordlist. As with any dictionary attack, the wordlist is key. You can use a custom one made with Crunch or CeWL, but Kali has numerous wordlists built right in.

To see them all, simply type:. kali > locate wordlist. In addition, there are numerous online sites with wordlists that can be up to 100 GB! Choose wisely, my hacker novitiates.

In this case, I will be using a built-in wordlist with less than 1,000 words at:. Now, let's build our command with all of these elements, as seen below. kali > hydra -l admin -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -V.

-l indicates a single username (use -L for a username list).

-P indicates use the following password list.

13. Kali Linux NetHunter

http-post-form indicates the type of form. /dvwa/login-php is the login page URL.

username is the form field where the username is entered.

^USER^ tells Hydra to use the username or list in the field.

password is the form field where the password is entered (it may be passwd, pass, etc.).

^PASS^ tells Hydra to use the password list supplied. Login indicates to Hydra the login failed message.

Login failed is the login failure message that the form returned.

-V is for verbose output showing every attempt. Now, let her fly!

Since we used the -V switch, THC-Hydra will show us every attempt. After a few minutes, Hydra returns with the password for our web application.

Although THC-Hydra is an effective and excellent tool for online password cracking, when using it in web forms, it takes a bit of practice.

The key to successfully using it in web forms is determining how the form responds differently to a failed login versus a successful login.

In the example above, we identified the failed login message, but we could have identified the successful message and used that instead.

To use the successful message, we would replace the failed login message with "S=successful message" such as this:.

kali > hydra -l admin -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&S=success message" -V.

Also, some web servers will notice many rapid failed attempts at logging in and lock you out.

In this case, you will want to use the wait function in THC-Hydra.

This will add a wait between attempts so as not to trigger the lockout.

You can use this functionality with the -w switch, so we revise our command to wait 10 seconds between attempts by writing it:.

kali > hydra -l admin -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -w 10 -V.

I recommend that you practice the use of THC-Hydra on forms where you know the username and password before using it out "in the wild."

Read this comprehensive review and comparison of the top Password Cracking Tools to select the Best Password Cracker for your requirements:.

Since ancient times, we have been using passwords.

Sentries in ancient Rome would ask ‘watchwords’ to verify the identity of users.

Today, passwords are used to secure confidential digital data. But, sometimes people forget their passwords.

Password cracking tools help restore lost passwords. Whether you have forgotten a password or your password has been hacked, a password cracking app can help you recover it.

The tools use different techniques to restore passwords.

What You Will Learn:. Password Cracker Tools Review.

List Of Popular Password Hacking Software.

In this tutorial, we have reviewed 11 password cracker tools that will allow you to recover lost passwords by using different methods.

Step 8: Let Her Fly!

Fact Check: About 21 percent of users forget passwords after two weeks. Nearly a third of online purchases are abandoned due to forgetting a password. People Affected by Password Security Breaches:. Pro Tip: You should look at the techniques used for recovering passwords.

The best password cracking tools use sophisticated techniques for recovering their passwords. If a free trial is available, you should try the software to test the features of the application. Q #1) What are Password Cracking tools? Answer: These tools use different techniques to recover forgotten passwords.

Some apps try to guess the passwords. Others recover the passwords from a file stored in a local or remote location. Additionally, password cracking tools also help in finding out vulnerabilities in web applications.

Q #2) How does Password Cracking apps work?

10. OmniPeek

Answer: These applications make use of different methods for recovering passwords.

Common techniques used include Dictionary Attack, Brute Force Attack, Rainbow Table Attack, Cryptanalysis, and simply guessing the password.

Q #3) What are the uses of a Password Cracking application? Answer: Password cracking software can be used to recover passwords that have been forgotten.

You can also use the tool for recovering social media accounts that have been stolen. The tool can also be used by security experts to detect vulnerabilities.

Web application developers can also use password cracking tools to find out about security issues.

It can help them to secure the authentication algorithm to protect the app against online attacks.

Q #4) Is it legal to use a Password Cracking tool?

Answer: You can use this tool for recovering stolen or forgotten passwords.

But it’s illegal to use a password cracking tool for hacking into another person’s account or data.

Here is the list of 11 most popular Password Cracking Tools:.

Password Cracker. Brutus Password Cracker. John The Ripper. Review of the Password Cracking tools:.

Best for password hash cracking for free online.

CrackStation is a free online service for password hash cracking. This technique is a variation of the Dictionary Attack that contains both dictionary words and passwords from public password dumps.

The service cracks password hashes by using pre-computed lookup tables consisting of over 15-billion entries that have been extracted from various online resources.

Password hash cracking. Supports LM, NTLM, md2, md4, md5, md5(md5_hex), md5-half, sha1, sha224, sha256, sha384, sha512, ripeMD160, whirlpool, MySQL 4.1+ (sha1(sha1_bin)), QubesV3.1BackupDefaults.

Uses Look-up table with +15 billion entries.

Works only for ‘nonsalted hashes’. Verdict: CrackStation is great for password hash cracking. It uses lookup tables for cracking many hashes quickly.

But the software works only for nonsalted hashes that do not have a random string attached.

Website: CrackStation. Best for recovering hidden passwords in Windows applications for free. Password Cracker is a desktop tool that will let you view hidden passwords in Windows applications.

Some applications hide passwords by asterisks for security purposes when creating an account. Using the tool, you don’t have to note down the passwords on a piece of paper.

When enabled, you only have to hover the mouse to the Test field to see the password. View hidden passwords. Supports multiple languages. Verdict: Password Cracker is a great tool for restoring lost passwords. It can help recover hidden passwords of most Windows applications.

However, the app cannot restore MS Office password-protected documents as there the password encryption is not supported. Website: Password Cracker Tool. Best for retrieving passwords and usernames from websites, applications, and operating systems.

Brutus password cracker uses the Dictionary Attack for retrieving passwords.


You can use the software for cracking simple passwords. The desktop application works only on Windows operating systems. Supports FTP, HTTP, POP3, SMB, Telnet, NetBus, IMAP, NNTP, and other platforms. Multistage authentication engine. Supports sixty simultaneous connections.

Configurable brute force modes.

Supports Socks Proxy. Verdict: Brutus password cracker can hack passwords of different desktop and online applications. But the applications cannot hack into social media and email accounts. Moreover, the application cannot hack complex passwords consisting of a combination of numbers, letters, and symbols.

Website: Brutus. Best for retrieving Wi-Fi passwords for free using FMS Attack and other techniques. AirCrack is a free desktop application used for cracking Wi-Fi passwords. The software cracks WPA and WEP passwords. It can also be used to improve Wi-Fi security through monitoring, fake access points, and testing connections. The application analyzes encrypted packets and tries to crack them using its algorithm. Works on Windows, OS X, Linux, FreeBSD, NetBSD, OpenBSD, Solaris, and eComStation2. Uses FMS Attack. Supports WEP and WPA passwords. Monitoring, analyzing, and testing a Wi-Fi connection. Verdict: AirCrack is a great tool for retrieving Wi-Fi passwords. The application can be used for monitoring network traffic as well.

Website: AirCrack.

Best for cracking password hashes using the large-scale time-memory technique for free.

RainbowCrack is a free desktop tool for cracking password hashes for free.

The software can be used for recovering passwords from online applications. It allows faster password cracking as compared to other brute force password crackers. The application uses a time-memory trade-off technique for computing passwords. The results are stored in a rainbow table that can be used to crack a password using brute force techniques. Supports Windows and Linux platforms. Optimized memory trade-off tool for table creation, conversion, and lookup.

Supports multi-core processing and GPU acceleration. High-performance hash cracking. Supports NTLM Tables, MD5 Tables, SHA2 Tables.

Verdict: RainbowCrack can be used for recovering passwords using precomputed tables. You can use the tool for reversing cryptographic hash functions that can be used for recovering lost passwords. Website: RainbowCrack. Best for testing security functionalities of applications by security consultants and researchers. THC Hydra is an open-source application that can be used by security consultants and researchers to test security functionalities.

The software supports one of the largest numbers of security protocols. The tool that uses a brute force technique is suitable for security specialists and software developers. You can also contribute to the development of the tool if you are a developer.

Supports +50 protocols, including HTTPS, Oracle, SID, Telnet, and more.

Runs on Windows, macOS, and Unix Platforms. Mobile system support including iPhone, Android, and Blackberry. Verdict: THC Hydra is an online cracking tool that can be used by security experts to detect vulnerabilities in the software. The application supports different protocols and allows fast recovery of passwords.

To install the software, you have to compile it. Website: THC Hydra. Best for detecting security weakness of protocols on the Windows operating system for free. Cain and Abel is a free password cracking tool that was developed for forensics staff, security professionals, and network professionals. The application can act as a sniffer for monitoring network data. Additionally, the application can recover passwords by recording VoIP conversations, analyzing routing protocols, decoding scrambled passwords, and reveal cached passwords.

Supports the Windows platform. Work as a Sniffer for monitoring traffic. Crack encrypted passwords using Dictionary Attack, Brute Force Attacks, Cryptanalysis Attacks. Revealing password boxes. Sniffing on APR, SSH-1, and HTTPS protocols. Verdict: Cain and Abel tool is one of the most popular passwords cracking tools.

Most reviewers have praised the application for using a large number of techniques for password cracking. The only downside of the app is that it is only usable on Windows operating platform. Website: Cain and Abel. Best for password cracking using brute force parallel testing for free. Medusa is yet another great password cracking tool that is similar to THC Hydra.

The command-line tool can test up to 2000 passwords in a minute. It allows the user to carry on a thread based multiple processing to crack passwords. You can use the software to retrieve passwords of multiple accounts.

Brute-force testing using thread-based parallel processing.

Flexible user input including user/host/password. Supports multiple protocols including HTTP, MB, MS-SQL, POP3, and SSHv2. Remote password cracking. Verdict: Medusa is a fast password cracking tool that can be used to retrieve remote passwords.

The software can be used to test vulnerabilities of online applications. Website: Medusa. Best for detecting weak passwords on Unix and macOS operating systems for free. John The Ripper is a free tool that can be used for remote and local password recovery. The software can be used by security experts to find out the strength of the password.

This tool uses Brute Force attack and Dictionary Attack features to detect passwords. Password cracking using BruteForce and Dictionary Attack techniques.

Supports macOS, Linux, BeOS, OpenVMS, and Windows. Large password has files. Support MIC, AVX2, AVX-51, ASIMD, MD54, and SHA protocols.

Verdict: John the Ripper is a popular open-source free cracking tool. You can use the software for free for both commercial and non-commercial purposes. The tool has primarily been developed to detect UNIX passwords.

However, it can also be used for cracking Windows LM and other types of password hashes. Price: John the Ripper is available in two formats. The free, open-source format can be downloaded and modified for non-commercial purposes.

The commercial version of the software is also free and that is available for Linux and Mac OS X on Intel and AMD processors. The only difference is that the Pro version is in the native format that is targeted for specific operating systems.

Website: John the Ripper. Best for password cracking on the Windows platform for free. ophCrack is a Windows-based application that can crack passwords using rainbow tables on a time-memory trade-off platform.

The online app is claimed to recover about 99.99 percent of alphanumeric passwords within seconds.

This application supports a large list of features including multiple injection points, recursion, cookies fuzzing, and multi-threading support. Cracks NTLM and LM password hashes. Brute force module attacks. LiveCD simplifies cracking.

Audit mode and CSV support.

  • Encrypted SAM support. Verdict: ophCrack is a powerful password cracking tool for Windows operating system. The software is praised for its simple user interface and quick cracking algorithm.
  • Website: ophCrack. Best for discovering and locating vulnerabilities to website applications for free. WFuzz is developed for Brute Force applications to detect vulnerabilities.
  • The software can be used for located unlinked resources such as scripts, servlets, and directories. The applications support different protocols including XSS, SQL, LDAP, and more.
  • The software supports macOS, Linux, and Windows Operating systems. Secure website by identifying vulnerabilities. Modular framework.
Comments are closed.