3.3 Gaining Access: Password Attack Concepts
Key Takeaways
- Password attacks split into online (against a live service, rate-limited and noisy) and offline (against captured hashes, fast and quiet)
- Dictionary, brute force, and rule/hybrid attacks differ by candidate space; password spraying and credential stuffing target many accounts to evade lockout
- Windows stores LM (DES-based, uppercased, split into two 7-char halves, unsalted, legacy) and NT/NTLM (MD4 of the UTF-16LE password, case-sensitive, unsalted) hashes; pass-the-hash authenticates with the NTLM hash itself, no plaintext needed
- John the Ripper and Hashcat crack hashes offline (Hashcat is GPU-accelerated with mask/dictionary/hybrid modes); Hydra brute-forces live services online (SSH, RDP, HTTP, FTP)
- Defenses combine slow salted hashing, multi-factor authentication, lockout/throttling, breach-password screening, and disabling LM hash storage
Gaining Access Through Credentials
The fastest route into a system is often a valid password, so the CEH spends real time on password attack concepts. You must be able to define each attack, name the tool associated with it, and name its countermeasure — exactly how the exam asks it. This is taught defensively: understanding the attack is how you build the defense.
Online vs. Offline Attacks
This distinction is heavily tested and decides which tool an attacker reaches for:
- Online attacks submit guesses to a live authentication service (a login form, SSH, RDP, FTP). They are rate-limited, slow, and noisy — lockout policies, throttling, and alerting all fire. Hydra (and Medusa, Ncrack) is the classic online tool: it takes username and password lists and tries combinations against a target protocol.
- Offline attacks run against a stolen hash database on the attacker's own hardware. They are fast and silent because the target service is never touched. John the Ripper and Hashcat are the offline crackers CEH names, which is why protecting credential stores matters so much.
How Windows Stores Passwords: LM vs. NTLM
The CEH tests Windows hash types directly. Windows historically stored two hashes in the SAM database (and the NTDS.dit on domain controllers):
| Property | LM Hash | NT / NTLM Hash |
|---|---|---|
| Algorithm | DES: each 7-byte half is used as a key to encrypt a fixed constant | MD4 of the UTF-16LE-encoded password |
| Case | Converts password to UPPERCASE | Case-sensitive |
| Length handling | Pads (null bytes) to 14, splits into two 7-byte halves processed independently; passwords over 14 characters get no LM hash | Whole password hashed |
| Salt | None | None |
| Strength | Very weak; trivially brute-forced/rainbow-tabled | Stronger but still unsalted and fast |
The LM weakness is severe. Because the password is uppercased and split into two independent 7-character chunks, each half is attacked on its own: an 8-character password becomes one 7-character block plus a 1-character block, and the keyspace collapses to two small searches instead of one large one. A password of 7 characters or fewer leaves the second half empty, and the DES output for an empty half is a fixed, well-known value, so an attacker can read the password length straight off the dump. Rainbow tables crack LM almost instantly. The defensive takeaway: disable LM hash storage (off by default since Windows Vista/Server 2008 through the policy "Network security: Do not store LAN Manager hash value on next password change") so only the NT hash exists. As the policy name says, the setting takes effect at the next password change, so existing LM hashes persist until users rotate.
Password Attack Types (Conceptual)
- Dictionary attack — tries a curated word list of likely passwords. Fast but only finds passwords that are in the list.
- Brute-force attack — tries every possible character combination in a keyspace. It succeeds whenever the password lies inside the searched length and character set, but the cost grows exponentially with length and alphabet size, so long passphrases push it out of reach.
- Rule-based / hybrid attack — starts from dictionary words and applies mutation rules (append digits, common substitutions, capitalization). It bridges dictionary speed and brute-force coverage and is effective against predictable human patterns.
- Password spraying — tries a few very common passwords against many accounts. By keeping per-account attempts low, it slips under account-lockout thresholds.
- Credential stuffing — replays username/password pairs leaked in other breaches against a target, exploiting password reuse. The credentials are already valid somewhere, so success rates are high.
- Rainbow table attack — uses large precomputed tables that reverse unsalted hashes to plaintext via a time-memory trade-off. Per-user salting defeats rainbow tables because every account would need its own table.
Pass-the-Hash and Hash-Based Attacks
A pass-the-hash (PtH) attack is a CEH favorite: because Windows NTLM authentication can use the hash directly, an attacker who steals the NTLM hash can authenticate as that user without ever cracking the plaintext. No password recovery is needed — the hash is the credential. Related techniques include pass-the-ticket (Kerberos) and Kerberoasting (requesting service tickets to crack offline). Tools like Mimikatz extract these hashes/tickets from memory; the defense is credential isolation, restricting local-admin reuse, and protections such as Credential Guard.
Attack vs. Tool vs. Countermeasure
| Attack Type | Typical Tool | Online/Offline | Primary Countermeasure |
|---|---|---|---|
| Dictionary | John the Ripper, Hashcat | Either | Ban weak/common passwords, length policy |
| Brute force / mask | Hashcat (mask, -a 3) | Either | Long passphrases, slow hashing, lockout |
| Rule / hybrid | Hashcat rules, JtR | Either | Block predictable patterns, MFA |
| Online service guessing | Hydra, Medusa, Ncrack | Online | Lockout, rate limiting, MFA |
| Password spraying | Manual / scripted | Online | Global lockout awareness, MFA, anomaly alerts |
| Credential stuffing | Bots / replay tools | Online | MFA, breached-password screening, bot detection |
| Rainbow table | RainbowCrack | Offline | Per-user salting, slow adaptive hashing |
| Pass-the-hash | Mimikatz | n/a (replays hash) | Credential isolation, unique admin creds, Credential Guard |
The Cracking Tools CEH Names
Know what distinguishes the three tools the exam keeps returning to:
- John the Ripper (JtR) — an offline cracker famous for autodetecting hash formats and its cracking modes: single crack (uses account info as candidates), wordlist (dictionary with optional rules), and incremental (brute force). Primarily CPU-driven; great as an all-rounder.
- Hashcat — the high-speed offline cracker, GPU-accelerated and supporting 300+ hash types (MD5, SHA-family, bcrypt, NTLM, and more). Its attack modes are referenced by number: straight/dictionary (-a 0), combination (-a 1), brute-force/mask (-a 3), and hybrid wordlist + mask (-a 6) or mask + wordlist (-a 7). Mask attacks let you target a known password pattern efficiently.
- Hydra (THC-Hydra) — an online brute-forcer that attacks live network services — SSH, RDP, HTTP(S) forms, FTP, SMB, and many more — by trying username/password lists against the service. Because it touches the live service, it is slow and noisy and trips lockout and alerting.
The exam trap: do not confuse the offline crackers (John, Hashcat — operate on stolen hashes) with the online tool (Hydra — operates on a running service).
How Passwords Should Be Stored, and Layered Defenses
Good systems never store plaintext. They store a hash (one-way transform), strengthened by two ideas:
- A salt is a unique random value added to each password before hashing, so identical passwords get different stored hashes and precomputed (rainbow) attacks become impractical.
- A slow / adaptive hash (a purpose-built password hash with a tunable work factor, such as bcrypt, scrypt, Argon2, or PBKDF2) makes each guess expensive, so offline cracking crawls. Fast general-purpose hashes such as MD5, SHA-1, or the MD4 behind NTLM are poor password choices because attackers test billions of guesses per second cheaply.
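The two ideas above, salt plus work factor, in working form. This is an added example, not code from the original page; the `algorithm$iterations$salt$hash` record layout is our own assumption, and the iteration count follows OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 (600,000). PBKDF2 is chosen because it is in the Python standard library; Argon2 or bcrypt would be equally valid choices with a third-party library.

```python
import hashlib
import hmac
import secrets

ALGO = "pbkdf2_sha256"
# Work factor. OWASP (2023) recommends 600,000 iterations for PBKDF2-HMAC-SHA256;
# raise it over time as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    The salt is fresh per call, so two users with the same password get
    different records and one precomputed table cannot serve both.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record type: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(record: str, minimum: int = ITERATIONS) -> bool:
    """True when a record was stored with a lower work factor than current policy.
    Call it after a successful login and re-store the password, since the
    plaintext is only available at that moment."""
    return int(record.split("$")[1]) < minimum


if __name__ == "__main__":
    r1 = hash_password("Summer2024")
    r2 = hash_password("Summer2024")
    print("same password, different records:", r1 != r2)
    print("verify ok:", verify_password("Summer2024", r1))
    print("wrong case rejected:", verify_password("summer2024", r1))
    legacy = hash_password("Summer2024", iterations=10_000)
    print("legacy record needs rehash:", needs_rehash(legacy))
```

The record carries its own iteration count so that the work factor can be raised without invalidating existing users: old records still verify, and `needs_rehash` tells you when to upgrade them at next login.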
No single control suffices. The CEH wants a defense-in-depth answer:
- Unique per-user salts + a slow adaptive password hash neutralize precomputation and slow offline cracking.
- Multi-factor authentication (MFA) makes a stolen password insufficient by itself and is the strongest control against spraying and stuffing. It does not stop pass-the-hash: NTLM network authentication (to SMB, for example) has no second-factor step, which is why PtH needs the credential-isolation controls below.
- Account lockout, throttling, and rate limiting blunt online guessing (and Hydra).
- Breached-password and weak-password screening stop reused and trivial passwords at selection.
- Disable LM hashing and isolate credentials to blunt rainbow tables and pass-the-hash.
- Monitoring and anomaly detection catch low-and-slow spraying that evades simple lockout.
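The last bullet is where spraying is actually caught, since per-account lockout never fires. Here is an added example of that detection logic, not from the original page or any product: it runs over a constructed set of failed-logon events (the fields you would pull from Windows event 4625 or sshd "Failed password" lines) and labels each source by the shape of its failures in a sliding window. The thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed failed-logon events as (timestamp, source_ip, target_user).
    Not a real log; built to show the three shapes the detector separates."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    events = []
    # Spray: one source, 40 different accounts, one try each, spread over ~30 minutes
    for i in range(40):
        events.append((base + timedelta(seconds=45 * i), "203.0.113.7", f"user{i:02d}"))
    # Brute force: one source hammering a single account
    for i in range(25):
        events.append((base + timedelta(seconds=2 * i), "198.51.100.9", "admin"))
    # Benign: a user mistyping twice
    events.append((base + timedelta(minutes=5), "192.0.2.44", "alice"))
    events.append((base + timedelta(minutes=5, seconds=20), "192.0.2.44", "alice"))
    return events


def classify_sources(events, window=timedelta(hours=1),
                     spray_min_users=10, spray_max_per_user=2, brute_min_attempts=10):
    """Label each source IP by the pattern of its failures inside a sliding window.

    Thresholds are example assumptions; tune them to your lockout policy.
    spray_max_per_user should sit below the lockout threshold, because staying
    under it is exactly what a sprayer is doing.
    """
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        for start in range(len(evs)):
            t0 = evs[start][0]
            per_user = defaultdict(int)
            for ts, user in evs[start:]:
                if ts - t0 >= window:
                    break
                per_user[user] += 1
            busiest = max(per_user.values())
            # Many accounts, each touched only once or twice: password spraying
            if len(per_user) >= spray_min_users and busiest <= spray_max_per_user:
                findings[src] = "password-spray"
                break
            # One account hit repeatedly: classic online brute force (what lockout catches)
            if busiest >= brute_min_attempts:
                findings[src] = "brute-force"
                break
    return findings


if __name__ == "__main__":
    for src, label in classify_sources(build_sample_events()).items():
        print(f"{src}: {label}")
```

The window length is the important knob: with a 2-minute window the same spray source never shows more than three distinct accounts at once and goes unflagged, while the brute-force source is still obvious. Low-and-slow spraying is defeated by looking across a long window (or across many sources at once), not by counting faster.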
Practice Questions
An attacker tries the three most common passwords against thousands of corporate accounts, deliberately keeping attempts per account very low. Which attack is this, and what is its purpose?
Which characteristic makes the legacy Windows LM hash dramatically weaker than the NT (NTLM) hash?
Which tool is designed to brute-force live network services such as SSH, RDP, and HTTP login forms, rather than crack stolen password hashes offline?
In a pass-the-hash attack against Windows NTLM authentication, what does the attacker actually need to authenticate as the victim?