Jump to content
Sign in to follow this  

10 best password cracking tools

Recommended Posts

PS: This article is presented for informational purposes only and does not constitute a call to action. All information is aimed at protecting readers from illegal actions.

Passwords are the most commonly used method for authenticating users. Passwords are so popular because the logic behind them is understandable to humans and relatively easy for developers to implement.

However, passwords can also create security vulnerabilities. Password Crackers are designed to retrieve credentials that have been stolen from data breaches or other hacks and extract passwords from them.

What is password cracking?

A well-designed password-based authentication system does not store the user's actual password. This would make it much easier for a hacker or attacker to access all user accounts on the system.

Instead, authentication systems store a hash of the password, which is the result of sending the password - and a random value called a salt - through a hash function. Hash functions are designed to be one-way, which means that it is very difficult to determine the input that gives a given output. Since the hash functions are also deterministic (meaning the same input produces the same output), comparing two password hashes (a stored one and a user-supplied password hash) is almost as good as comparing real passwords.

Password cracking refers to the process of extracting passwords from an associated password hash. This can be achieved in several ways:


  • Dictionary Attack : Most people use weak and generic passwords. Taking a list of words and adding a few permutations - like replacing $ with s - allows a password cracker to learn many passwords very quickly.
  • Brute-force attack : There are a limited number of potential passwords of a given length. Despite the slow speed, a brute-force attack (brute force attack) ensures that an attacker ultimately breaks the password.
  • Hybrid attack : A hybrid attack mixes the two. It first checks to see if the password can be cracked using a dictionary attack, and then moves on to a brute-force attack if it fails.

Most password cracking or password retrieval tools allow a hacker to perform any of these types of attacks. This post describes some of the most commonly used password cracking tools.

1. Hashcat

Hashcat is one of the most popular and widely used password crackers. It is available on all operating systems and supports over 300 different types of hashes.

Hashcat provides highly parallel password cracking with the ability to crack multiple different passwords on multiple different devices at the same time and the ability to support a distributed hash cracking system using overlays. Cracking is optimized through integrated performance tuning and temperature monitoring.

Download Hashcat here .


2. John the Ripper

John the Ripper is a well known free open source password cracking tool for Linux, Unix and Mac OS X. A Windows version is also available.

John the Ripper offers to crack passwords for many different types of passwords. This goes beyond OS passwords and includes regular web apps (like WordPress), compressed archives, document files (Microsoft Office files, PDFs, etc.), and more.

A professional version of the tool is also available, which offers the best features and native packages for the target operating systems. You can also download Openwall GNU / * / Linux which comes with John the Ripper.

Download John the Ripper here .


3. Brutus

Brutus is one of the most popular remote online password cracking tools. It claims to be the fastest and most flexible password cracking tool. This tool is free and only available for Windows systems. It was released back in October 2000.

Brutus supports several different types of authentication, including:


  • HTTP (basic authentication)
  • HTTP (HTML Form/CGI)
  • POP3
  • FTP
  • SMB
  • Telnet
  • IMAP
  • NNTP
  • NetBus
  • Custom protocols

It also supports multi-step authentication protocols and can attack up to sixty different targets at the same time. It also offers the ability to pause, resume, and import the attack.

Brutus has not been updated for several years. However, its support for a wide range of authentication protocols and the ability to add custom modules make it a popular tool for password cracking attacks on the Internet.

Get Brutus online password finder here .


4. Wfuzz

Wfuzz is a web application password cracking tool similar to Brutus that tries to crack passwords using a brute force attack. It can also be used to find hidden resources such as directories, servlets, and scripts. Wfuzz can also identify application injection vulnerabilities such as SQL injection, XSS injection, and LDAP injection.

Key features of Wfuzz password cracking tool:


  • Deployment at multiple locations across multiple directories
  • Colored HTML output
  • Publishing, headers and brute-force authentication data
  • Proxy and SOCK support, multiple proxy support
  • Multithreading
  • Hacking an HTTP password using GET or POST requests
  • Time delay between requests
  • Fuzzing cookies

5. THC Hydra

THC Hydra is an online password cracking tool that attempts to determine a user's credentials through a brute-force attack. It is available for Windows, Linux, Free BSD, Solaris, and OS X.

THC Hydra is expandable with the ability to easily install new modules. It also supports a number of networking protocols including Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP. -PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID , Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP / R3, SIP, SMB, SMTP, SMTP enumeration, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2 ), Telnet, VMware-Auth, VNC and XMPP.

Download THC Hydra here .

If you are a developer, you can also contribute to the development of the tool.


6. Medusa

Medusa is an online password cracking tool similar to THC Hydra. It claims to be a fast parallel, modular login guessing tool. It supports HTTP, FTP, CVS, AFP, IMAP, MS SQL, MYSQL, NCP, NNTP, POP3, PostgreSQL, pcAnywhere, rlogin, SMB, rsh, SMTP, SNMP, SSH, SVN, VNC, VmAuthd, and Telnet.

Medusa is a command line tool, so a certain level of command line knowledge is required to use it. How fast you can crack passwords depends on your network connection. On the local system, it can check 2000 passwords per minute.

Medusa also supports parallel attacks. In addition to a list of passwords to try, you can also define a list of usernames or email addresses to check during an attack.

Read more about this here .

Download Medusa here .


7. RainbowCrack

Any password cracking requires a compromise between time and memory. If the attacker pre-computed a table of password / hash pairs and stored them as a rainbow table, then the password cracking process is simplified to a lookup in the table. This threat is the reason why passwords are now salted: adding a unique random value to each password before hashing means that the number of rainbow tables required is much larger.

RainbowCrack is a password cracking tool designed to work with rainbow tables. You can create your own rainbow tables or use existing ones downloaded from the Internet. RainbowCrack offers a free download of rainbow tables for LANMAN, NTLM, MD5 and SHA1 password systems.

Download rainbow tables here .

There are also several paid rainbow tables available which you can buy from us here .

This tool is available for both Windows and Linux systems.

Download RainbowCrack here .


8. OphCrack

OphCrack is a free rainbow table password cracking tool for Windows. It is the most popular Windows password cracking tool, but it can also be used on Linux and Mac systems. It cracks LM and NTLM hashes. Free rainbow tables are also available for jailbreaking Windows XP, Vista and Windows 7.

A live CD OphCrack is also available for easy cracking. You can use the Live CD OphCrack to crack Windows-based passwords. This tool is available for free.

Download OphCrack here .

Download free and premium rainbow tables for OphCrack here .


9. L0phtCrack

L0phtCrack is an alternative to OphCrack. It tries to crack Windows passwords from hashes. It uses Windows workstations, network servers, primary domain controllers and Active Directory to crack passwords. It also uses dictionary and brute force attacks to generate and guess passwords. It was acquired by Symantec and discontinued in 2006. L0pht developers later acquired it again and launched L0phtCrack in 2009.

L0phtCrack also comes with the ability to scan common password security checks. You can set daily, weekly or monthly audits and it will start scanning at the scheduled time.

Find out more about L0phtCrack here .


10. Aircrack-ng

Aircrack-ng is a Wi-Fi password cracking tool that can crack WEP or WPA / WPA2 PSK passwords. It analyzes wireless encrypted packets and then tries to crack passwords using dictionary attacks and PTW, FMS and other cracking algorithms. It is available for Linux and Windows systems. You can also listen to a live CD of Aircrack.

Aircrack-ng tutorials are available here .

You download Aircrack-ng can here .


How to create a password that's hard to crack

In this post, we have listed 10 password cracking tools. These tools try to crack passwords using various password cracking algorithms. Most password cracking tools are available for free. Thus, you should always try to have a strong password that is difficult to crack. Here are some tips to try when creating your password.

  • The longer the password, the harder it is to crack: the length of the password is the most important factor. The complexity of a brute-force password guessing attack grows exponentially with the length of the password. A random seven-digit password can be cracked in a matter of minutes, and a ten-character password in hundreds of years.
  • Always use a combination of characters, numbers, and special characters: Using different characters also makes it difficult to guess the password with brute force, as it means that crackers have to try a wider range of variations for each character in the password. Include numbers and special characters, not just at the end of a password or as a substitute for letters (for example, @ for a).
  • Variety of passwords: Credential suppression attacks use bots to check if passwords stolen from one online account are used for other accounts as well. A data breach in a tiny company can jeopardize a bank account if the same credentials are used. Use a long, random and unique password for all your online accounts.

What to avoid when choosing a password

Cybercriminals and password cracker developers know all the clever tricks that people use to create their passwords. Some common password mistakes to avoid include:

  1. Dictionary Word Usage: Dictionary attacks are designed to check every word in the dictionary (and common permutations) in a matter of seconds.
  2. The use of personal information: pet's name, relative's name, place of birth, favorite sport, and so on are all vocabulary words. Even if that were not the case, there are tools to grab this information from social networks and build a word list from it to attack.
  3. Using Patterns: Passwords such as 1111111, 12345678, qwerty and asdfgh are some of the most commonly used currently. They are also included in the wordlist of every password cracker.
  4. Using character substitutions: Character substitutions such as 4 for A and $ for S are well known. Dictionary attacks check these replacements automatically.
  5. Use numbers and special characters at the end only: Most people put their required numbers and special characters at the end of a password. These patterns are built into password crackers.
  6. Use of shared passwords: Every year, companies like Splashdata publish lists of the most commonly used passwords. They create these lists by cracking cracked passwords, just like an attacker would. Never use passwords in these lists or anything similar.
  7. Using anything other than a random password: Passwords must be long, random, and unique. Use a password manager to securely create and store passwords for network accounts.


Password cracking tools are designed to retrieve hashes of passwords leaked during a data breach or stolen through an attack and extract the original passwords from them. They do this by taking advantage of weak passwords or by trying every potential password of a given length.

Password finders can be used for a wide variety of purposes, and not all of them are bad. While they are commonly used by cybercriminals, security services can also use them to validate the strength of their users' passwords and assess the risk of weak passwords to the organization.

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Create New...