
Introduction :

Kali Linux provides some of the most essential password attack tools for every security
expert. I have listed the best tools that Kali Linux 2020.1 provides for
password attacks. All of these tools are open source and available by default in the full
Kali installation, for example:

1-CeWL tool.
2-Crunch tool.
3-Hashcat tool.
4-John the ripper toolkit.
5-Medusa tool.
6-Ncrack tool.
7-Ophcrack tool.
8-Wordlists utility.
9-Hydra tool.
10-Mimikatz tool.
11-Chntpw.
12-THC-pptp-bruter tool.
13-Rsmangler tool.

Hydra is a pre-installed Kali Linux tool used to brute-force usernames and passwords
for various services such as FTP, SSH, Telnet, MS-SQL, etc. Brute-forcing is a
technique that tests different usernames and passwords against a target to identify the
correct credentials. Below is the list of all hydra-supported protocols.

Password attack :

The password is usually the key to any system or network. Since the advent of
computers, passwords have been used to lock down system data.
Cracking passwords is therefore a much-needed skill in the hacker industry. Get the
correct password, or crack it, and you have the keys to the kingdom: you can get in anytime
and anywhere. As we work, we'll also discuss more information on creating strong
passwords. If you're a sys admin reading this book, you are the one we're talking about.
The attacker is looking for your password. Of course, it's annoying to enter a 12- or 14-
character password every time you log in, but how important is your network?

Password attacks are a mechanism used in most hacking activities. Exploitation
software exploits an application by attacking the administrator's password or other
accounts, and when social media accounts or other accounts belonging to a
C.E.O. have to be obtained, the information gathering program uses an exploit program. The
same goes for cracking the hash from a captured Wi-Fi password hash file, or for Wi-Fi
hacking against the employees of other target organizations.

To be a good ethical attacker, one must be familiar with password hacking techniques.
Although cracking a password with guessing methods alone is simple, it is time
consuming and ineffective. So, to automate the task, we have several tools. In terms of
tools, Kali Linux is the number one operating system, so here we have included a list of
Kali Linux tools that can be used to crack passwords.

Password attacks can be divided into online, offline, and hybrid attacks.

Online password attacks:

For this type we will use the THC-Hydra (Hydra) password cracking program. Sometimes
we have the chance to attack Windows PCs and get the SAM directly. However, sometimes we
cannot do that, and that is where Internet password attacks are very useful.
Hydra supports many protocols, including (but not limited to) FTP, HTTP, HTTPS,
MySQL, MSSQL, Oracle, Cisco, IMAP, VNC, etc. Please note that this type of attack
can be a bit loud, which increases your chances of being detected.

Online attacks on passwords are limited in two key ways. First, the speed of the network
is limited. Each username/password combination must be sent to the authentication server
over the network, and the server responds accordingly.
The time for this back-and-forth transmission depends heavily on the speed of the
application server and the speed of the network, but a typical password attack can only
make about 3 – 5 login attempts per second.

How To Protect Yourself?


Being aware of common threats and having robust cyber security measures will help you
escape common password attacks. Here are some simple steps you need to take to stay
safe:

Requiring strong passwords - have users use a password generation tool like
LastPass to create long and complex passwords. Periodic login updates should also
be applied.

Login delays - after failed attempts, you can lock out user accounts for a particular
period of time. The delay is made longer by each attempt.
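
One way to implement the growing login delay described above, as an added example that is not part of the original document. The class name LoginThrottle, the three free attempts, the 30-second first lockout and the one-hour cap are assumptions chosen for illustration; the simulation uses the 5 attempts per second quoted earlier for online attacks.

```python
import time


class LoginThrottle:
    """Per-account lockout whose length doubles with every extra failed login."""

    def __init__(self, free_attempts=3, base_delay=30, max_delay=3600,
                 clock=time.monotonic):
        self.free_attempts = free_attempts  # failures tolerated before any lockout
        self.base_delay = base_delay        # seconds of the first lockout
        self.max_delay = max_delay          # cap, so an account is never locked forever
        self.clock = clock                  # injectable time source (seconds)
        self._state = {}                    # user -> (failure count, locked-until time)

    def seconds_locked(self, user):
        """Remaining lockout in seconds; 0 means a login may be attempted."""
        _, until = self._state.get(user, (0, 0.0))
        return max(0.0, until - self.clock())

    def record_failure(self, user):
        """Count one failed login and return the lockout (seconds) it triggers."""
        failures = self._state.get(user, (0, 0.0))[0] + 1
        over = failures - self.free_attempts
        delay = 0 if over <= 0 else min(self.max_delay, self.base_delay * 2 ** (over - 1))
        self._state[user] = (failures, self.clock() + delay)
        return delay

    def record_success(self, user):
        """A correct login clears the failure history."""
        self._state.pop(user, None)


def guesses_allowed(window_seconds, attempts_per_second=5, **policy):
    """Simulate a client retrying at a fixed rate against one account and count
    how many guesses actually reach the password check within the window."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0], **policy)
    step, tried = 1.0 / attempts_per_second, 0
    while now[0] < window_seconds:
        if throttle.seconds_locked("alice") == 0:
            throttle.record_failure("alice")
            tried += 1
        now[0] += step
    return tried


if __name__ == "__main__":
    print("guesses reaching the check in one hour:", guesses_allowed(3600))
```

Keying the delay on the account alone lets anyone lock a user out by failing on purpose, so deployments usually key it on the account together with the source address.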

Crunch:

In order to crack a password, we have to try several passwords to find the correct
one. When an attacker uses thousands of words or character combinations to
crack a password, there is no guarantee that any of these millions of combinations will
work. This collection of words built from different character sets is called a word list.
In order to crack a password or its hash, we need a good list of candidate passwords. For
this, we have a tool called crunch in Kali Linux.

crunch is a pre-installed word list builder for Kali Linux. It is used to create custom
word lists. It creates them through permutations and combinations. We can use
some specific patterns and symbols to create word lists.

Creating Wordlists with Crunch on Kali Linux

Wordlists are a main component of brute force password attacks. For readers who are
not familiar, a brute force password attack is one in which an attacker uses a
script to repeatedly attempt to log into an account until they get a positive
result. Brute force attacks are fairly overt and can cause an attacker or their IP to be
locked out by a properly configured server.

That is the point of checking the security of login systems this way. Your server
should ban attackers attempting these attacks, and the increased traffic should be
logged. Passwords should be made safer at the user's end. To build and implement a
good password policy, it's important to understand how the attack is carried out.
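
A sketch of how the increased traffic can be spotted in the server's own logs, as an added example that is not part of the original document. The log lines are constructed samples in OpenSSH's syslog format, and the function name find_bruteforce, the threshold of 5 failures in 60 seconds and the assumed year are illustrative choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in OpenSSH's syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Dec 29 10:15:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Dec 29 10:15:01 web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 40114 ssh2
Dec 29 10:15:02 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 40116 ssh2
Dec 29 10:15:02 web1 sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 40118 ssh2
Dec 29 10:15:03 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 40120 ssh2
Dec 29 10:15:03 web1 sshd[2106]: Failed password for invalid user oracle from 203.0.113.5 port 40122 ssh2
Dec 29 10:16:40 web1 sshd[2110]: Failed password for alice from 198.51.100.7 port 51810 ssh2
Dec 29 10:16:52 web1 sshd[2110]: Failed password for alice from 198.51.100.7 port 51810 ssh2
Dec 29 10:17:05 web1 sshd[2110]: Accepted password for alice from 198.51.100.7 port 51810 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def find_bruteforce(log_text, threshold=5, window_seconds=60, year=2020):
    """Return {source_ip: {"failures": n, "users": set}} for every address that
    produced at least `threshold` failed logins inside a sliding time window."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) of failures still in window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successes and unrelated lines are ignored
        # syslog lines carry no year, so one is assumed to make the date parseable
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        user, ip = m.group(2), m.group(3)
        window = recent[ip]
        window.append((ts, user))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()      # drop failures older than the window
        if len(window) >= threshold:
            hit = flagged.setdefault(ip, {"failures": 0, "users": set()})
            hit["failures"] = max(hit["failures"], len(window))
            hit["users"].update(u for _, u in window)
    return flagged
```

On the sample, only 203.0.113.5 is flagged; the user who mistyped a password twice and then logged in stays below the threshold.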

Generating a List

Open up a terminal to get started. Crunch is already installed on Kali and ready to go, so
you can run it right now. Start out with something tiny for the first list, like the one
below.

# crunch 1 3 0123456789

The line above will build a list of all possible numerical combinations of zero
through nine that are one, two, and three characters long. To break it down, the first
number is the shortest combination length. It's a single character in this case. This is
a little impractical, as no one should have a single-character password, and no website
should allow one.

The second number is the longest combination length. It's 3 this time. Therefore,
Crunch will create every possible combination of up to three of the characters supplied.

The last section is the list of all the characters that will be used by Crunch to create the
combinations. This list is relatively short, so feel free to run it, but the total size of the
list will explode as soon as you start adding more characters or increasing the
maximum combination size.

The above scenario isn't all that realistic, although it might apply to something like the
PIN combination used to unlock a phone. The following Linux command may be used
to create a more practical list.

# crunch 3 5 0123456789abcdefghijklmnopqrstuvwxyz

This command produces all possible three-, four-, and five-character combinations of
the numbers zero through nine and the lowercase alphabet. Although the
created passwords will be short, the list will be absolutely huge.

If you had the hardware and resources to really try to test password protection, you
might run something like the below command.

# crunch 3 10 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ

Don't attempt to run it. On regular hardware it will create a file that easily fills your
entire hard drive and is practically unusable. However, if anyone were able to
use it, it would test every combination of three to ten characters drawn from all
digits and both the lower and upper case alphabets.
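
To put numbers on how quickly these lists grow, the following added example (not part of the original document) computes the line count and file size of the three crunch commands shown above, and how long submitting each list would take at the 5 online attempts per second quoted earlier. It assumes one word per line, one byte per character and a newline after each word; the function names are illustrative.

```python
DIGITS = "0123456789"
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()


def crunch_size(min_len, max_len, charset):
    """Return (lines, bytes) that `crunch min_len max_len charset` would write.

    Assumes every character is one byte and every word ends with a newline.
    """
    if not 1 <= min_len <= max_len:
        raise ValueError("need 1 <= min_len <= max_len")
    n = len(charset)
    lines = size = 0
    for length in range(min_len, max_len + 1):
        words = n ** length             # every string of this length
        lines += words
        size += words * (length + 1)    # +1 for the newline
    return lines, size


def human(num_bytes):
    """Format a byte count with binary units."""
    value = float(num_bytes)
    for unit in ("B", "KiB", "MiB", "GiB", "TiB", "PiB"):
        if value < 1024:
            return f"{value:.1f} {unit}"
        value /= 1024
    return f"{value:.1f} EiB"


def online_days(lines, attempts_per_second=5):
    """Days needed to submit every word at the online rate quoted on this page."""
    return lines / attempts_per_second / 86400


if __name__ == "__main__":
    for lo, hi, cs in [(1, 3, DIGITS), (3, 5, DIGITS + LOWER),
                       (3, 10, DIGITS + LOWER + UPPER)]:
        lines, size = crunch_size(lo, hi, cs)
        print(f"crunch {lo} {hi} ({len(cs)} chars): {lines:,} lines, {human(size)}, "
              f"{online_days(lines):,.1f} days online at 5 attempts/s")
```

The same arithmetic is the defender's argument for length: each extra character multiplies the search space by the size of the character set.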

Capturing the Output

What you have seen so far just prints the list to the screen. Obviously, that
isn't really useful. You are supposed to be creating a text file for another program to
use, after all. Crunch has a built-in flag for writing its output to a text file.

# crunch 3 5 0123456789abcdefghijklmnopqrstuvwxyz -o Documents/pass.txt

You can build your wordlist as a properly formatted text file just by
adding the -o flag and specifying a destination.

However, there is another way to do this. Say that you already have a good word list
of common bad passwords. In fact, by default, there is one installed on Kali at
/usr/share/wordlists named rockyou.txt. You just need to decompress it. What if you
wanted to add your generated wordlist to rockyou.txt, to test additional possibilities
in one shot? You can. Just redirect Crunch's output to the file.

# crunch 3 5 0123456789abcdefghijklmnopqrstuvwxyz >> /usr/share/wordlists/rockyou.txt

The file is going to be very big, so make sure you have room and want to test the
many possibilities.

Closing Thoughts

There is not much else to say. Crunch is an excellent wordlist construction tool. It
should be used intelligently and with discretion, like any security tool. Crunch will
easily create a short list for other programs like Hydra to use when testing for very poor
passwords. Future guides will explore the other methods that can use Crunch's wordlists
to search for insecure passwords.

Hydra-gtk :

Hydra is a fast and scalable network logon cracker created by The Hacker's Choice (THC),
a non-profit organization of international security researchers and hackers. Hydra is a
parallelized logon cracker that primarily employs a brute-force dictionary attack. It
supports a broad variety of network protocols, including, but not limited to: TELNET,
FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT,
MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5,
VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP2, LDAP3, and different
protocols for databases. Hydra was developed by THC to be extensible, so it is
relatively easy to add new modules.

Two interfaces are provided by Hydra: a Command Line Interface (CLI) and a Graphical
User Interface (GUI) named Hydra GTK (Graphic Tool Kit). Hydra GTK is a capable
interface that reduces the learning curve of this efficient cracker. Hydra is strongly
recommended for both cyber security newcomers and trained ethical hackers.

Hydra-GTK

Hydra GTK is a front-end GUI for Hydra; because it is only a GUI, you need to already have
THC-Hydra installed. If you are running Kali Linux it will be pre-installed; anyone
else can type the following to install or update it.

sudo apt-get install hydra-gtk

GTK+ based GUI cracker - really fast network logon cracker


Hydra is a parallelized login cracker that supports countless attack protocols. It's very
fast and versatile, and new modules are simple to add.