So, how easy is it to hack into someone’s email or social media account? Surprisingly easy. According to the Identity Theft Resource Center’s 2021 Data Breach Report, there were 1,862 data breaches in 2021, surpassing 2020’s total of 1,108 and the previous record of 1,506 set in 2017. The numbers reflect a year of high-profile cyberattacks that targeted everything from oil pipelines to tech companies entrusted with the personal information of millions of consumers worldwide. This year was no different: several well-known companies, such as DoorDash, Samsung, Cisco, and Twilio, fell victim to data breaches that leaked the personal information of millions of customers on the dark web. Once the data is on the dark web, anyone can get their hands on it by paying the attackers some dogecoin (just kidding, it’s mostly bitcoin).
What’s more alarming is that such leaked information is not exclusive to the dark web, where it’s compartmentalized, and access is restricted by design; it’s also available on the public internet we use every day. Websites such as Have I Been Pwned? and Leak-Lookup allow us to check if our data has been leaked via a major data breach. Leak-Lookup goes a step further and allows users to retrieve the leaked information for as little as $0.33 per data point. However, most passwords are hashed, and much effort is required to crack the hash and retrieve the plain text password. Although it may sound complicated, searching, retrieving, and cracking a victim’s password is not complex if you have the right tools. So, let me hack myself to show you how easy it is to hack someone and how easily we can become victims ourselves.
Obtaining the Hashed Password
The first step to any cyber attack would be to gather personal information about the victim via social engineering or other means. Since I know my personal information, I’ll skip this step and search and retrieve my data from the Leak-Lookup site. You can search using email, username, first name, last name, full name, etc.
I retrieved my data by searching for records that contained my email and found my email in three data breach records. I have no memory of directly using these sites to do anything, and the major sites I use likely used them to handle authentication or purchases.
Out of the three passwords I could recover, one was an MD5 hash, while the other two were bcrypt hashes. Since MD5 hashes are easier to crack than salted bcrypt hashes, I decided to crack the MD5 hash.
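The sentence above is the whole reason the MD5 record was the one worth attacking, so here is an added example (not code from the original post) that makes the two properties concrete: an unsalted fast hash gives every user who chose the same password the same stored value, and costs nanoseconds per guess, while a salted slow hash gives each user a different value and a tunable cost per guess. bcrypt itself is not in the Python standard library, so this example stands in PBKDF2-HMAC-SHA256 (`hashlib.pbkdf2_hmac`) for the "salted, slow" role; the storage string format and the sample password are constructed for the example.

```python
"""Unsalted fast hash (MD5) versus salted, slow hash: why one is the easy target.

Added example, not the post's own code.  PBKDF2-HMAC-SHA256 stands in for
bcrypt here because it ships with the standard library; the property shown
(per-user random salt plus a work factor) is the same one that made the
post's bcrypt records the hard ones.
"""
import hashlib
import hmac
import os
import time
from typing import Optional


def md5_store(password: str) -> str:
    """Legacy storage: one unsalted MD5 per password.
    Same password -> same hash for every user, and one guess costs nanoseconds."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def kdf_store(password: str, iterations: int = 600_000,
              salt: Optional[bytes] = None) -> str:
    """Salted slow storage: 16 random salt bytes plus a tunable iteration count.
    Storage string format is constructed for this example:
    pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>"""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def kdf_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def cost_ratio(password: str, iterations: int = 600_000, trials: int = 20) -> float:
    """Wall-clock cost of one salted-KDF guess relative to one MD5 guess.
    Illustrative only: the absolute numbers depend on the machine."""
    t0 = time.perf_counter()
    for _ in range(trials):
        md5_store(password)
    md5_each = (time.perf_counter() - t0) / trials
    t0 = time.perf_counter()
    kdf_store(password, iterations)
    kdf_each = time.perf_counter() - t0
    return kdf_each / md5_each


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same weak password.
    alice_md5 = md5_store("summer2021")
    bob_md5 = md5_store("summer2021")
    print("MD5, same password, two users, same stored value:", alice_md5 == bob_md5)
    alice_kdf = kdf_store("summer2021")
    bob_kdf = kdf_store("summer2021")
    print("Salted KDF, same password, same stored value:", alice_kdf == bob_kdf)
    print("verify correct password:", kdf_verify("summer2021", alice_kdf))
    print("verify wrong password:  ", kdf_verify("Summer2021", alice_kdf))
    print(f"one salted-KDF guess costs roughly {cost_ratio('summer2021'):,.0f}x one MD5 guess")
```

With MD5, one cracked hash unlocks every account that shares that password, and a precomputed table built once serves every breach; with a per-user salt the attacker has to redo the work for each record, and the iteration count sets how expensive each of those guesses is.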
Hashcat is an advanced CPU/GPU-based password recovery utility that supports seven unique attack modes for over 100 optimized hashing algorithms. You can install Hashcat on Linux, macOS, or Windows and use CUDA-enabled GPUs to speed up computation. Before I ran the program to crack the hashed password, I benchmarked Hashcat on my computer, which has an Nvidia GeForce GTX 1060 6 GB GPU.
The Hashcat benchmark revealed that my computer could crack about 13 billion MD5 hashes per second. That’s a lot, but considering the number of possible passwords, it can take a very long time to crack the hash if we’re not smart about it. Luckily, we can use one of the seven unique attack modes and option flags Hashcat offers to speed up computation. You can take a look at the list of attack modes and option flags here.
The attack mode you use depends on a lot of factors. Most traditional forms of password cracking involve some wordlist containing a list of possible passwords the victim could have used. Wordlists are also often used in combination with rule-based attacks. However, in the worst-case situation, we have no choice but to use brute force to crack the password.
Assuming you don’t use a password manager to generate passwords for you, most passwords people use are 6-16 characters long. Most passwords fall in the lower end of that range, i.e., 6-10 characters. Most passwords consist of lowercase and uppercase letters, symbols, and numbers. Based on these two constraints, it’s fairly easy to come up with a Hashcat command that uses character length and type to crack a hash using brute force.
Since I know my own password length, I constructed a Hashcat command as follows with the help of the Hashcat man page:
Please read the Hashcat man page to understand how this command works (it’s a good learning experience 😉). I ran the Hashcat command on my computer, and the status screen mentioned it would take about 4 hours to crack the hash since the program had to check against almost 70 trillion possible passwords. This number is based on the number of standard characters (letters, numbers, symbols) and the length of the password. Since there are 95 standard characters and our password length is 7, we have $95^7 = 69,833,729,609,375$ possible passwords.
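To make the arithmetic above reusable, here is an added example (not code from the original post) that reproduces the $95^7$ figure and generalises it across password lengths and character classes, so you can see how quickly the worst-case search time grows with length. The 13 billion hashes per second rate is the post's own benchmark number; the character-class sizes are the standard printable ASCII counts, and everything else is a constructed input. Treat the output as a lower bound on real cracking time: a benchmark measures raw hash throughput, and a real mask attack usually runs below it (the post's run was estimated at 4 hours where this calculation gives about 1.5 hours at the benchmark rate).

```python
"""Keyspace and worst-case search-time calculator for a mask (brute-force) attack.

Added example, not code from the original post.  It reproduces the post's
95^7 figure and generalises it across lengths and character classes.  The
13 billion hashes/second rate is the post's benchmark number; other values
here are constructed inputs.
"""

# Printable ASCII on a US keyboard: 26 + 26 + 10 + 33 = 95, the post's "standard characters".
CHARSET_SIZES = {
    "lower": 26,    # a-z
    "upper": 26,    # A-Z
    "digit": 10,    # 0-9
    "symbol": 33,   # space plus the 32 ASCII punctuation characters
}

BENCHMARK_MD5_RATE = 13_000_000_000  # hashes/second, the post's GTX 1060 benchmark figure


def charset_size(*classes: str) -> int:
    """Size of the alphabet obtained by mixing the named character classes."""
    return sum(CHARSET_SIZES[c] for c in classes)


def keyspace(charset: int, length: int) -> int:
    """Candidates for a fixed-length password over an alphabet of `charset` symbols."""
    return charset ** length


def keyspace_up_to(charset: int, max_length: int, min_length: int = 1) -> int:
    """Candidates when the length is unknown and every length in the range is tried."""
    return sum(charset ** n for n in range(min_length, max_length + 1))


def worst_case_seconds(candidates: int, rate: float) -> float:
    """Seconds to exhaust the whole keyspace at `rate` guesses/second (expected time is about half)."""
    return candidates / rate


def human_time(seconds: float) -> str:
    """Render seconds in the largest convenient unit, to one decimal place."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_time_table(rate: float, lengths=range(6, 17),
                     classes=("lower", "upper", "digit", "symbol")):
    """One row per length: (length, keyspace, worst-case time as text)."""
    cs = charset_size(*classes)
    return [(n, keyspace(cs, n), human_time(worst_case_seconds(keyspace(cs, n), rate)))
            for n in lengths]


if __name__ == "__main__":
    # The post's case: all 95 printable characters, length known to be 7.
    ks = keyspace(95, 7)
    print(f"95^7 = {ks:,} candidates")
    print("worst case at benchmark rate:", human_time(worst_case_seconds(ks, BENCHMARK_MD5_RATE)))
    # Knowing the length is a large shortcut; compare with trying every length from 6 to 16.
    unknown = keyspace_up_to(95, 16, 6)
    print("unknown length 6..16:", human_time(worst_case_seconds(unknown, BENCHMARK_MD5_RATE)))
    print("\nlength  keyspace                      worst case")
    for n, space, t in crack_time_table(BENCHMARK_MD5_RATE):
        print(f"{n:>6}  {space:<28,}  {t}")
    # Length beats alphabet: 12 lowercase letters outlast 8 characters drawn from all 95.
    print("\n12 lowercase     :", human_time(worst_case_seconds(keyspace(26, 12), BENCHMARK_MD5_RATE)))
    print("8 from all 95    :", human_time(worst_case_seconds(keyspace(95, 8), BENCHMARK_MD5_RATE)))
```

The table is the practical takeaway: each extra character multiplies the search by the alphabet size, so a 12-character lowercase-only password already sits far beyond an 8-character password that uses every symbol on the keyboard, which is why a generated, long password is the defence the post recommends.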
Although the status screen said it would take about 4 hours to crack the hashed password, the program was able to crack it in just 20 minutes. The program revealed the cracked password alongside the hashed password; unfortunately, that was indeed the correct password.
Of course, once an attacker has the plaintext password, they can gain unauthorized access to the victim’s social media, email, or banking accounts, and we all know what happens next. The only way to defend ourselves from these attacks would be to use a password manager that generates and manages complex and unique passwords for us. I hope this blog post was an eye-opener for you, and I strongly encourage you to manage your passwords properly.
⚠️ WARNING ⚠️ This blog post is intended for educational purposes only. The author does not encourage anyone to use the techniques described in this blog post for illegal activities.