Online Password Cracking is a bit of an odd science.
In Spring of 2019, I was traveling during the National Cyber League (NCL) Individual Games, and I didn’t have easy access to my normal computer or a place to sit myself down, so I had a brilliant idea…I’ll do this entire game from my iPad. Looking at each of the categories from a high level, there was a way to complete at least half of the challenges using an online tool, or in some rare cases, by hand, so I decided to rise to the challenge. The main category that I had concerns about was, of course, password cracking.
I had never used an online tool for password cracking before. I knew they were out there, but there are literally hundreds of billions of passwords with their associated hashes, and no database can store them all. This seemed to be an impossible task, but I set out to find some resources to be able to work through the category.
Crackstation has been my favorite online tool since I discovered it in 2018. It contains numerous wordlists, including the most common rockyou, and 219 additional gigabytes of passwords. The dictionary is enormous! Crackstation is usually where I begin, as it will tell you the wordlist it pulled from, and that allows me to work further down that same list using another tool or website.
Md5decrypt is a website that is great for various password hashes as well as various encryption types. I have used this website for MD5, NTLM (lovely old Windows passwords), and a few of their encryption tools for both the NCL games and a few other CTFs. While they do not provide the name of the wordlist, I normally use that as a starting point to begin to research where that password is found.
onlinehashcrack.com was a bit of an unexpected gem. I have found many paid password tools, which I usually immediately write off and continue down the list, but I noticed they had a free option where, if the password was already in the database (which meant it was found in a more common wordlist), it was free! I immediately tried a few well-known password hashes, such as d41d8cd98f00b204e9800998ecf8427e, which should always return for any tool, as that is the MD5 hash of a null string. Onlinehashcrack contains many additional tools as well, including some for basic zip file and encrypted Word document cracking. This website does contain paid options as well, and they are fairly pricey, so I normally use this as a last resort.
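How a lookup-style service answers a query, shown as an added example that is not code from this post or from any of the sites mentioned: every wordlist entry is hashed ahead of time, so a submitted hash is only "found" if its plaintext was already in a list. The wordlist names and contents, and the function names, are constructed for illustration; the empty-string MD5 is the value quoted above.

```python
import hashlib

# Constructed sample wordlists (assumption: names and contents are made up
# for this example; real services index far larger lists).
WORDLISTS = {
    "tiny-common.txt": ["", "password", "letmein", "dragon"],
    "tiny-seasonal.txt": ["Spring2019", "Summer2019"],
}
ALGORITHMS = ("md5", "sha1", "sha256")
HEX_LENGTHS = (32, 40, 64)  # hex digest lengths of the algorithms above


def build_index(wordlists, algorithms=ALGORITHMS):
    """Precompute digest -> (algorithm, plaintext, wordlist) for every entry."""
    index = {}
    for name, words in wordlists.items():
        for word in words:
            for algo in algorithms:
                digest = hashlib.new(algo, word.encode("utf-8")).hexdigest()
                # The first wordlist that contains a word keeps the credit.
                index.setdefault(digest, (algo, word, name))
    return index


def lookup(index, hash_hex):
    """Return (algorithm, plaintext, wordlist), or None if never precomputed."""
    key = hash_hex.strip().lower()
    if len(key) not in HEX_LENGTHS or any(c not in "0123456789abcdef" for c in key):
        raise ValueError("not a hex MD5/SHA-1/SHA-256 digest")
    return index.get(key)


INDEX = build_index(WORDLISTS)
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # value quoted in the post

if __name__ == "__main__":
    # Known-answer check: the empty string must always resolve.
    print(lookup(INDEX, EMPTY_MD5))
    # A word that is in a list resolves and reports its source wordlist.
    print(lookup(INDEX, hashlib.md5(b"Spring2019").hexdigest()))
    # A password in no list returns None: a lookup cannot invert the hash.
    print(lookup(INDEX, hashlib.md5(b"x9!Qv#2Lr0pz").hexdigest()))
```

The last case is the one that matters when choosing passwords: a value that appears in no wordlist is simply a miss for this kind of tool.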
I continue to grow this list each season because, like many tools and websites, this is trial and error and it isn’t perfect! But these are a great starting point for someone just starting out who is still learning the command line or is mobile during the games!
XoXo, Gossip Girl (Just kidding, Still MistressVenom)
Note: For additional online password cracking tools and tips, see Taisa’s post on Low-Tech Tooling: Competing From a Device You Can’t Install Tools On.