trinetra.
tutorials · lab 06 · password cracking fundamentals
Module overview

You finished Lab 06. Here's what stuck.

A short recap of the five steps — the stolen list of scrambled passwords, naming each scrambling method, cracking the quick ones, cracking the slow one, and building the flag. Keep them close; the next lab takes the same "never trust what the user's side sends you" idea and applies it to web traffic.

Module complete · password-cracking-fundamentals

You read the stolen list, worked out how each password was hashed, cracked them quickest-first, and built the flag. A pile of scrambled passwords is no longer a mystery: it's a list with a clock on it, and how long that clock runs depends on which hashing scheme the website picked and on how guessable the passwords were.

XP earned: +200 XP · Difficulty: Beginner · Time spent: ~60 min · Track: Defend
Recap · the five beats to keep close
  1. The leak: a list of scrambled passwords. A hacked site hands the attacker gibberish (password hashes), not real passwords. Supposedly un-scramblable. How strong that promise is depends on the hashing scheme the website chose and on how guessable the passwords are, and many sites choose the scheme badly.
  2. Name it before you attack. hashid hashes.txt guesses the scheme in a split second from the hash's shape: 32 hex characters is most likely MD5, 40 is most likely SHA-1, and $2a$, $2b$ or $2y$ at the start means bcrypt. Treat the answer as a shortlist, not a verdict: 32 hex characters could also be NTLM or MD4, and only a successful crack settles it. Your cracking tool needs that name to even begin.
  3. The quick wins: MD5 falls in seconds, SHA-1 in minutes. john --format=raw-md5 --wordlist=rockyou.txt hashes.txt finishes before the kettle boils (use --format=raw-sha1 for the SHA-1 list). These functions were built to checksum data quickly, and that speed, plus the absence of any salt, is exactly what makes them unfit for storing passwords.
  4. The slow one: bcrypt is built to be slow. hashcat -m 3200 user3.hash rockyou.txt with the cost factor (the "slowness dial") at 10 lets the attacker try on the order of a thousand guesses a second instead of billions. The cost is a power of two: set it low and it barely helps, but every notch up doubles the attacker's work.
  5. Put it together, and pick the fix. Three cracked passwords glued together with underscores became the flag. The fix: use Argon2id, or bcrypt with its cost factor at 12 or higher, with a unique random salt per user (both schemes generate and store the salt for you), and raise the cost again as hardware gets faster, rehashing each user's password on their next login. The hashing scheme you pick decides how long the clock runs.
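The five beats as one runnable script, added here as a worked example; it is not part of the lab's material and does not use hashid, john or hashcat. Everything is standard-library Python. Two stand-ins are assumptions, labelled in the code: identify_hash() is a tiny shape-based guesser in the spirit of hashid, and the "slow" scheme is PBKDF2-HMAC-SHA256 with 2**cost rounds, used in place of bcrypt (which is not in the standard library) because it has the same doubling-per-cost-step behaviour. The leaked list and the word list are constructed for the example; user1 and user2 are the well-known MD5("password") and SHA-1("123456") digests.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
import time

# Constructed stand-in for a slice of rockyou.txt (the real list has ~14 million lines).
WORDLIST = ["letmein", "sunshine", "password", "dragon", "123456", "iloveyou", "monkey"]


def identify_hash(h: str) -> list[str]:
    """Beat 02, hashid-style: guess the scheme from the hash's shape alone.

    Returns candidates, most likely first. Shape cannot tell MD5 from NTLM or
    MD4 (all 32 hex chars) or SHA-1 from RIPEMD-160 (40 hex chars); cracking does.
    """
    if re.fullmatch(r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}", h):
        return ["bcrypt"]
    if re.fullmatch(r"\$pbkdf2-sha256\$\d+\$[0-9a-f]+\$[0-9a-f]+", h):
        return ["pbkdf2-sha256"]  # this example's stand-in for bcrypt, see store_password()
    if re.fullmatch(r"[0-9a-fA-F]{32}", h):
        return ["MD5", "NTLM", "MD4"]
    if re.fullmatch(r"[0-9a-fA-F]{40}", h):
        return ["SHA-1", "RIPEMD-160"]
    return ["unknown"]


FAST = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def crack_fast(hex_digest: str, algo: str, wordlist) -> str | None:
    """Beat 03: dictionary attack on an unsalted fast hash, one hash call per guess."""
    target = hex_digest.lower()
    for guess in wordlist:
        if FAST[algo](guess.encode()).hexdigest() == target:
            return guess
    return None


def slow_hash(password: str, salt: bytes, cost: int) -> bytes:
    """Beat 04 stand-in (assumption): 2**cost rounds of PBKDF2-HMAC-SHA256, so cost+1
    doubles the work, the same dial behaviour as bcrypt's cost factor. Not bcrypt itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)


def store_password(password: str, cost: int = 12) -> str:
    """Beat 05, the fix: fresh random salt per user plus a tunable cost, both kept in
    the stored string (bcrypt and Argon2id do the same for you automatically)."""
    salt = os.urandom(16)
    return f"$pbkdf2-sha256${cost}${salt.hex()}${slow_hash(password, salt, cost).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; constant-time compare."""
    _, _, cost, salt_hex, digest_hex = stored.split("$")
    digest = slow_hash(password, bytes.fromhex(salt_hex), int(cost))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_slow(stored: str, wordlist) -> str | None:
    """Same attack as crack_fast, but each guess costs 2**cost rounds and the salt
    means work done on one user's hash cannot be reused against another's."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


# Constructed "leak" (beat 01): one MD5, one SHA-1, one slow hash at cost 10.
LEAK = {
    "user1": "5f4dcc3b5aa765d61d8327deb882cf99",           # MD5("password")
    "user2": "7c4a8d09ca3762af61e59520943dc26494f8941b",   # SHA-1("123456")
    "user3": store_password("monkey", cost=10),
}


def run_lab(leak: dict = LEAK, wordlist=WORDLIST) -> str:
    """Beats 02-05 end to end: name each hash, crack the cheap ones first, glue the flag."""
    cost_order = {"MD5": 0, "SHA-1": 1, "pbkdf2-sha256": 2, "bcrypt": 2}
    cracked = {}
    for user, h in sorted(leak.items(), key=lambda kv: cost_order.get(identify_hash(kv[1])[0], 3)):
        kind = identify_hash(h)[0]
        if kind in ("MD5", "SHA-1"):
            cracked[user] = crack_fast(h, kind.replace("-", "").lower(), wordlist)
        elif kind == "pbkdf2-sha256":
            cracked[user] = crack_slow(h, wordlist)
        else:
            cracked[user] = None  # real bcrypt would go to hashcat -m 3200
    return "_".join(str(cracked[u]) for u in sorted(leak))


def guesses_per_second(cost: int, seconds: float = 0.2) -> float:
    """Rough single-core attacker throughput at a given cost; hardware dependent."""
    salt, n, t0 = os.urandom(16), 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        slow_hash("guess", salt, cost)
        n += 1
    return n / (time.perf_counter() - t0)


if __name__ == "__main__":
    for user, h in LEAK.items():
        print(user, identify_hash(h))
    print("flag:", run_lab())
    for cost in (5, 6, 7):  # each step roughly halves what the attacker gets
        print(f"cost {cost}: ~{guesses_per_second(cost):,.0f} guesses/s")
```

Run it twice and note that user3's stored string differs each time while verify_password still accepts "monkey": that is the per-user salt doing its job. The cost loop at the end prints the halving from beat 04 on whatever machine you run it on; the absolute numbers are hardware dependent, the ratio is not.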
Next module

Lab 07 · Burp Suite Cookie Tampering

Switch from cracking stolen passwords to catching live web traffic. Using a tool called Burp, sit between your browser and the website, catch the little "who you are" tag it hands you, change it to say "admin," and walk in as the boss — without ever knowing a password.
