Cracking passwords involves special techniques to recover passwords and is rarely a five-minute-job involving a few keystrokes. This is a process that can take days or weeks or more if the password you are trying to recover is a proper password.

You can break these techniques into five categories...

Dictionary Attacks
This kind of an attack takes the form of a password-cracking application or script that has a dictionary file or a word list loaded into it. The dictionary file is a text file that contains a list of known words and might be the entire dictionary. The application or script uses this list to test different words as the password in an attempt to recover the password. Systems that use passphrases typically are not vulnerable to this type of attack.

Brute-force Attack
In this type of attack, every possible combination of characters is attempted until the correct one is uncovered. This kind of password attack is also called an exhaustive attack.

Hybrid Attack
This form of attack builds on the dictionary attack, but with additional steps as part of the process. In most cases, this means passwords that are tried during a dictionary attack are modified. The full brute-force keyspace is either appended or prepended to each of the words from the dictionary. The dictionary word "Password" might be tried with numbers appended: Password0001, Password0002, Password0003...Password9999.

Syllabe Attack
This type of attack is a combination of brute-force and a dictionary attack. The attacker takes syllables from dictionary words and combines them in every possible way to try to crack the password.

Rule-based Attack
This should be considered an advanced attack. The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. It is possible to program the rules to fit almost any need. For instance a candidate password could be reversed: [email protected] becomes [email protected], a letter could be capitalized from [email protected] to [email protected], characters and numbers can be appended to [email protected] to become [email protected] etc.

In addition to these techniques, there are four types of attack. Each offer a different, effective way of obtaining a password from a target.

Passive Online Attacks
Attacks of this type are carried out simply by sniffing traffic with a tool such as Wireshark, via a Man In The Middle Attack (MITM) or using Replay Attacks.

Active Online Attacks
This kind of attack is more aggressive in nature that passive online attacks because the process require deeper engagement with the target. In cases of weak or poor passwords, active attacks are very effective. Forms of this attack include password guessing, Trojans/spyware/Key loggers, hash injection, and phishing.

Offline Attacks
This type of attack is designed to prey on the weaknesses nor of passwords, but of he way they are stored. Because passwords must be stored in some format, an attacker seeks to obtain them where they are stored by exploiting poor security or weaknesses inherent in a system. The attacker will attempt to steal password files with encrypted username and password combinations, and try to recover the passwords offline. This will prevent accidentally locking user accounts that have a limit to the amount of incorrect login attempts. Many locked accounts is a sure tell tale sign of an attack in progress. If credentials happen to be stored in a plain text or unencrypted format, the attacker will go after this file and gain the credentials. Forms of this attack include precomputed hashes, distributed network attacks (DNA) and rainbow attacks.

Nontechnical Attacks
This type of attack is also called a non-electronic attack. A characteristic of this attack is that it does not require any technical knowledge and instead relies on theft, deception and other means. This type of attack include shoulder surfing, social engineering, and dumpster diving.

An addition to the five categories already mentioned I will mention some other options not part of the CEH Certification. These are added for completeness of this post. I am aware that more types of password attacks exists but I find these to be the most useful ones.

Mask Attack
This type of attack is a brute-force attack used when the attacker knows part of the password, the length of the password or how the user usually builds a password. The attack will try all combinations in the keyspace except for those characters or patterns already known to the attacker. A common password structure of a poor or weak password could contain a persons name with the first letter capitalized, then followed by numbers. Say that the password is John1234, you could then build password combinations to always have the first letter capitalized, skipping all lower letters, numbers and special characters. The last four characters in the password would only be numbers, hence skipping all letters and special characters. The middle part of the password consists of lower letters only. This will save a huge amount of time. If some part of the password is known, this could also be used in a mask attack by only brute-forcing the part of the password that is unknown to the attacker.

Combinator Attack
This type of attack is a dictionary attack where each word in the dictionary is appended to each word in the dictionary. If the words white and horse are present in a wordlist they would be combined as whitewhite, whitehorse, horsehorse, horsewhite.

Permutation Attack
This type of attack is a kind of dictionary attack in which each word in a dictionary generates all permutations of itself. If a dictionary was to contain ABC that word would be combined into the following: ABC, ACB, BAC, BCA, CAB, CBA.

Table-Lookup Attack
This type of attack is a dictionary attack but require building a table of replacement characters for each character. Each word in the dictionary is split up into its individual characters and each of these are looked up in a table and if there is a match, the character will be replaced. If a dictionary file would contain the word "password" a table could be build like the following:
p=p
p=P
a=a
[email protected]
o=o
o=0
s=s
s=5
This will result in the letter "p" in the dictionary word "password" would be a candidate password with both "p" and "P", also when ever the letter "a" is present, it would be a candidate to try "@" as a substitution for "a". The same goes for the letter "o" in that "0" (zero) would also be a candidate. The letter "s" would also be substituted with the number "5". Using these tables will help in keeping cracking time to a minimum.

Toggle-Case Attack
In this type of dictionary attack each word in a dictionary, all possible combinations of upper- and lower-case variants are generated.

In general it is also possible to skip letters in a brute-force attack that is not common in names in the local area of the target person. Every letter that can be removed from a brute-force attack is going to speed up the attack significantly. One single letter makes a huge difference.