Articles in this section

See more

What Password Recovery Attacks can I use?

Avatar
Yana Gourenko
  • Updated
Follow

Passware Kit offers various types of password recovery settings to configure password candidates:

Six basic password recovery attacks

Default set of attacks.

 Dictionary
Xieve
Brute-force
Mask
Known Passwords/Part
Previous Passwords

Four advanced password recovery attacks

These attacks are applicable to a limited set of file types, such as WinZip archives or MS Office files.		 Encryption Keys Extraction
SureZip Attack
Zip Plaintext Attack
Rainbow Tables Attack

Grouping attacks

The section includes methods of grouping attacks together to form complex passwords.		 Join Attacks
Append Attacks

Modifiers

  Each password recovery attack can be customized by adding a modifier to match common password patterns and to narrow the search.		 Change case
Change chars order
Substitution

 

Customize.jpg

 

BASIC PASSWORD RECOVERY ATTACKS

Basic.jpg

  1. Dictionary
  2. Xieve
  3. Brute-force
  4. Mask
  5. Known Passwords/Part
  6. Previous Passwords

Dictionary Attack

A dictionary attack tries thousands of words and frequently used combinations from dictionary files as possible passwords.

Sample passwords: “administrator”, “specialization”, “missionimpossible”, “demo12345”, “passwor<”.

A dictionary attack allows users to customize the following settings:

SETTINGS

  • Length

The program searches for a password of the specific length.

  • Dictionary file

Passware Kit offers 22 built-in dictionaries: Arabic, Bulgarian, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Icelandic, Irish, Italian, Polish, Portuguese, Romanian, Russian, Slovenian, Spanish, Swedish, Turkish and Vietnamese.

To upload and compile custom dictionary files, use the built-in Dictionary Manager tool. The tool also allows users to sort, export, and import existing dictionaries, as well as to edit, merge, and delete unnecessary ones.DictionaryManager.jpg

  • Pattern

Defines the known part of the password.

If any part of the password is known, enter it in the “Pattern” field. Use the following symbols to specify unknown part(s):

?

Will be replaced by exactly one letter

*

Will be replaced by zero or more characters

\

Use to insert * and ? symbols

Examples:

The pattern “new?????” will match “newcomer” and will not match “newton”, “newbold”.

The pattern “mo*” will match “mod”, “moat”, “moanful”, etc.

The pattern “*ple\*” will match “apple*”, “couple*”.

 

MODIFIERS

To change case type, character order, or substitute characters, add the appropriate Modifier.

Sample passwords

Click Sample passwords link to see passwords that are generated by the attack.

Dictionary.jpg

 

Xieve™

A Xieve attack checks only those combinations of characters that are common in the selected language. It uses a large built-in table of frequencies of different combinations of letters.

Sample passwords: “mycomp” and “sweetemily”.

Xieve_level.jpg

A Xieve attack allows you to customize the following settings:

SETTINGS

  • Length

The program searches for a password of the specific length.

  • Language

Passware Kit offers 22 built-in dictionaries: Arabic, Bulgarian, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Icelandic, Irish, Italian, Polish, Portuguese, Romanian, Russian, Slovenian, Spanish, Swedish, Turkish and Vietnamese.

  • Symbol Set

The symbol set can include uppercase letters, lowercase letters, and custom characters.

ADVANCED SETTINGS

  • Custom Characters

To add special characters to the symbol set, use the “Custom characters” field.

  • Pattern

Defines the part of the password.

If any part of the password is known, enter it in the “Pattern” field. Use the following symbols to specify unknown part(s):

?

Will be replaced by exactly one letter

*

Will be replaced by zero or more characters

\

Use to insert * and ? symbols

Examples:

The pattern “????the?” will match “vlmethey” and “ctesthes”.

The pattern “*to” will match “abato”, “domicato”, etc.

The pattern “?????come??\*” will match “abouncomend*”.

  • Xieve level

Select the Xieve level: low, medium, or high. With the high level settings, Passware Kit checks the most common combinations of letters only, skipping all the combinations that are not typical for the language selected.

MODIFIERS

To change case type, character order, or substitute characters, add the appropriate Modifier.

Sample passwords

Click the Sample passwords link to see the passwords that are generated by the attack.

Xieve1.jpg

 

Brute-force

A brute-force attack recovers passwords by checking all possible combinations of characters from the specified symbol set. This is the slowest, but most thorough, method.

Sample passwords: “Pw5@”, “23012009”, and “qw3erty”.

BF.jpg

A brute-force attack allows users to customize the following settings:

SETTINGS

  • Length

The program searches for a password of the specific length.

  • Language

Passware Kit offers 22 built-in dictionaries: Arabic, Bulgarian, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Icelandic, Irish, Italian, Polish, Portuguese, Romanian, Russian, Slovenian, Spanish, Swedish, Turkish and Vietnamese.

  • Symbol Set

The symbol set can include uppercase letters, lowercase letters, numbers, symbols, space, and custom characters.

ADVANCED SETTINGS

  • Custom Characters

To add special characters to the symbol set, use the “custom characters” field.

  • Pattern

Defines the part of the password.

If any part of the password is known, enter it in the “Pattern” field. Use the following symbols to specify unknown part(s):

?

Will be replaced by exactly one letter

*

Will be replaced by zero or more characters

\

Use to insert * and ? symbols

Examples:

The pattern “c0ll??” will match “c0ll78” and “c0ll3D” and will not match “c0ll784

The pattern “h@m*” will match “h@m”, “h@m1987”, etc.

The pattern “pass*\?” will match “passw0rd?”.

MODIFIERS

To change case type, character order, or substitute characters, add the appropriate Modifier.

Sample passwords

Click the Sample passwords link to see the passwords that are generated by the attack.

BF_Sample.jpg

 

Mask Attack

A mask attack checks passwords that match a specific pattern. This attack allows users to skip unnecessary character combinations and reduces the time spent on brute-force password recovery. Check out the “How to use a Mask Attack” article.

 

Known Passwords/Part (improved in Passware Kit v.2022.1)

Passware Kit now allows users to leverage the Known Passwords attack by specifying multiple passwords but without creating a custom dictionary.

The Attack can support up to 99 passwords and functions as either a separate attack or as part of a Join Attack. For example, if the password is a word followed by the numbers “1980”, use Join Attacks to combine Dictionary Attack and Known Passwords/Part Attack with the value set to “1980”. Or, once 10 possible words are known along with a pattern of 5 numbers, use Join Attack with Known Passwords/Part Attack containing the 10 possible words and Brute-force Attack with 5 numbers. 

These passwords can also be modified with the regular Passware Kit modifiers, such as “Change casing”, “Change chars order” and “Substitute chars.”

 

Previous Passwords

The previously recovered passwords are added automatically to the “Previous Passwords” dictionary to be reused for other files.

Back to the top...

 

FILE-TYPE SPECIFIC PASSWORD RECOVERY ATTACKS

  1. Encryption Keys Extraction
  2. SureZip Attack
  3. Zip Plaintext Attack
  4. Rainbow Tables Attack

Encryption Keys Extraction (MS Word/Excel/PowerPoint v.2007-2019)

An encryption keys extraction attack instantly decrypts MS Office 2007-2019 files (Word, Excel, PowerPoint) using a memory image of a computer or system hibernation file (hiberfil.sys) acquired while the file was open. The attack instantly extracts the encryption keys and decrypts the file, regardless of the password length.

Extraction.jpg

SureZip™ (WinZip up to v.8.0)

A SureZip attack decrypts zip archives created with WinZip version 8.0 and earlier in less than an hour, regardless of the password used to protect it. At least 5 simultaneously encrypted files are required to process the archive. Archives created with WinZip are supported.

Zip Plaintext (WinZip)

If there is at least one file from a password-protected zip archive available unencrypted, a zip plaintext attack instantly decrypts the whole archive, regardless of the password length. Archives with WinZip standard encryption are supported.

NOTE: AES-encrypted archives are not supported by a Plaintext attack.

Plaintext.jpg

You can compress the available unencrypted file with the same version of zip and use it as a plaintext archive. The essential requirement: the plaintext file should be zipped with encryption that is byte-by-byte equal to the one that was used to encrypt the whole archive.

Rainbow Tables (Password Hashes and MS Office files)

A rainbow tables attack recovers hashed passwords from Windows, MD5, LANMAN, NTLM, and SHA1 hashes. To calculate a password, it uses a rainbow table – a precomputed table for reversing cryptographic hash functions. Rainbow tables are available as a separate Passware product – Passware Rainbow Tables for Windows or for download at third-party websites, such as FreeRainbowTables.com. The attack supports unpacked .RT and .RT2 tables.

The rainbow tables attack can also be used to decrypt Word and Excel 2003/2002/2000/97 files protected with the original 40-bit encryption instantly. To decrypt the files, the attack requires special rainbow tables that are available as a separate Passware product – Passware Rainbow Tables for Office.

Both-NEW.png

Back to the top...

 

GROUPING ATTACKS

  1. Join Attacks
  2. Append Attacks

Join Attacks

The join attacks group allows users to combine several attacks together to form complex passwords.

Example: the following join attacks group generates passwords like “apple1987”, “pie1234”, “home1876”.

Join.jpg

The join attacks group applies its settings to all parts of the password. It allows users to customize the following settings:

SETTINGS

  • Length

The program searches for a password of the total specific length.

  • Order of attacks

To change the order of attacks inside the join attacks group, use one of the options below:

  • Original

The program checks passwords from the original order of the attacks. For the previous example, sample passwords are: “apple1987”, “pie1234”, “home1876”.

  • Original and Reverse

The program checks passwords from both the original and reversed order of the attacks. For the previous example, sample passwords will also include such passwords as: “1987apple”, “1234pie”, “1876home”.

  • All possible combinations

The program checks passwords from all possible combinations of attacks. This option is recommended for join attacks groups with more than two attacks inside.

Sample passwords for the attack below are: “pie19grow”, “grow19pie”, “19growpie”,”19piegrow

Join_AllPerm.jpg

Sample passwords

Click the Sample passwords link to see the passwords that are generated by the attack.

Join_1.jpg

 

Append Attacks

The append attacks group runs attacks to check the shortest passwords first, then runs the same attacks to check increasingly longer passwords.

In the example below, the three independent attacks (dictionary, brute-force, and join attacks group) are added to the append attacks group:

Append.jpg

The program starts the search with the shortest password candidates. Sample passwords are:

  • Dictionary attack: demo
  • Brute-force attack: 1234
  • Join attacks group: pie1

Once all the passwords of length 4 are checked, the program switches to 5-character-long passwords. Sample passwords are:

  • Dictionary attack: brown
  • Brute-force attack: 12345
  • Join attacks group: home1

And so on.

When the append attacks group is not used, Passware Kit checks all the passwords of each attack before running the next one.

Back to the top...

 

MODIFIERS

Each password recovery attack can be adjusted by adding a special modifier to match a pattern and to narrow the search.

Modifiers.jpg

  1. Change case
  2. Change chars order
  3. Substitution

Change case

The modifier specifies the case of the password candidates.

There are several options to choose from. For example, for the password candidate “Catch”, the change case modifier will generate the following passwords:

  • Original: Catch
  • Normal: Catch
  • Toggle: cATCH
  • Upper: CATCH
  • Lower: catch
  • Reverse: cATCH
  • Mixed: cATcH

Change chars order

The modifier reverses the order of characters. For example, the password candidate “Password” will be modified to “drowssaP”.

Substitution

The modifier substitutes characters from the original password in accordance with the selected substitution rule:

⁃ English mistypes: checks words with a possible typo

Password -> Passeord

⁃ English upside down

password -> dɐssʍoɹp

⁃ English to Russian keyboard: English words typed using a Russian keyboard layout

Password -> Зфыыцщкв

⁃ Russian to English keyboard: Russian words typed using an English keyboard layout

Пассворд -> Gfccdjhl

⁃ English to Arabic keyboard: English words typed using an Arabic keyboard layout

mceclip0.png

⁃ Arabic to English keyboard: Arabic words typed using an English keyboard layout

mceclip1.png

⁃  Numbers to letters keyboard:

1234567890 -> qwertyuiop

⁃ Letters to numbers keyboard:

qwertyuiop -> 1234567890

⁃ Leetspeaking: replaces ‘a’ with ‘@ or ‘4’, ‘e’ with 3’, etc.

password -> “p@$$wOrd”, “p4$$wOrd”,...

⁃ Russian transliteration:

Пассворд -> Password

Back to the top...

Related articles

Comments

0 comments

Please sign in to leave a comment.