Chapter 14: Further Reading — Password Attacks and Authentication Bypass
Essential Books
Hash Crack: Password Cracking Manual by Joshua Picolet (Independently Published, 3rd Edition, 2019) The most comprehensive reference for password cracking techniques. Covers Hashcat, John the Ripper, rainbow tables, and every hash format you are likely to encounter. Includes cheat sheets, command references, and methodology guides. An indispensable desk reference for any penetration tester conducting password audits.
The Art of Intrusion by Kevin Mitnick and William L. Simon (Wiley, 2005) Mitnick's collection of real-world intrusion stories includes several cases in which a password attack was the decisive step. The firsthand accounts of social engineering and credential theft explain why passwords remain the weakest link in most environments.
Hacking Exposed 7: Network Security Secrets and Solutions by Stuart McClure, Joel Scambray, and George Kurtz (McGraw-Hill, 7th Edition, 2012) The password cracking chapters in this long-running series provide a solid introduction to attack methodology, tool usage, and defensive countermeasures. The 7th edition is the latest; tool names and versions are dated, but the methodology still holds.
Practical Social Engineering by Joe Gray (No Starch Press, 2022) While not exclusively about password attacks, Gray's book covers the social engineering techniques that often accompany password attacks: phishing for credentials, pretexting for password resets, and MFA bypass through social manipulation. Essential reading for understanding the human element of authentication attacks.
Tribe of Hackers: Red Team edited by Marcus J. Carey and Jennifer Jin (Wiley, 2019) A collection of interviews with professional red teamers, many of whom discuss their approaches to password attacks, credential harvesting, and authentication bypass. Provides diverse perspectives on real-world engagement methodology.
Online Resources
Hashcat Wiki and Documentation https://hashcat.net/wiki/ The official Hashcat documentation, including all supported hash modes, attack modes, rule syntax, and configuration options. The "Example Hashes" page is invaluable for identifying unknown hash types. The FAQ addresses common issues and optimization techniques.
HaveIBeenPwned https://haveibeenpwned.com/ Troy Hunt's breach notification service. Check email addresses against known breaches, and use the Pwned Passwords API to test whether a specific password appears in breach corpora. The API uses a k-anonymity range query: the client sends only the first five hex characters of the password's SHA-1 hash, the server returns every suffix in that range with its breach count, and the match is made locally, so neither the password nor its full hash leaves the client. Useful for personal hygiene and for the breach screening that an organizational password policy should perform.
NIST SP 800-63B: Digital Identity Guidelines https://pages.nist.gov/800-63-3/sp800-63b.html The authoritative U.S. government guideline for authentication and memorized-secret management. Its recommendations (no mandatory periodic rotation, no composition rules, a minimum length of 8 with support for at least 64 characters, and screening against lists of compromised, dictionary, repetitive, and context-specific values) represent a paradigm shift in password policy. Required reading for anyone involved in setting authentication policies.
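The two entries above describe a verifier policy and a lookup protocol, so here is a worked example that implements both together. It is an added example, not code from NIST or from Have I Been Pwned: the SAMPLE_RANGES response body is constructed (only the second suffix is real, the SHA-1 suffix of "password"; the other suffixes and every count are made up), and the helper names are mine. The live_fetch function issues the real range query and is not called by default.

```python
"""Memorized-secret verifier in the style of NIST SP 800-63B, backed by the
Pwned Passwords k-anonymity range query.  Added example; the sample range
response below is constructed, not a real API response."""
import hashlib
import urllib.request

# Constructed stand-in for what https://api.pwnedpasswords.com/range/5BAA6
# returns: "SUFFIX:COUNT" lines, one per hash sharing that prefix.  Real
# responses hold several hundred lines.  Only the second suffix is real
# (SHA-1 of "password"); the other suffixes and all counts are made up.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "2F2DA4053E34E76F6576ED1DA63134B5E2A:0",   # padding entry
    ]),
}


def split_sha1(password):
    """k-anonymity split: the 5-hex-char prefix goes to the server,
    the 35-char suffix never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse a range response into {suffix: count}.  Count-0 padding
    entries are kept; a hit on one still reads as 'not breached'."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix):
    """Fetcher used here so the example runs without network access."""
    return SAMPLE_RANGES.get(prefix, "")


def live_fetch(prefix):
    """Real query.  Add-Padding asks the service to pad every response with
    count-0 entries so response length does not reveal the range size."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "sp800-63b-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=offline_fetch):
    prefix, suffix = split_sha1(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def evaluate(password, username="", fetch=offline_fetch, min_len=8):
    """Return (accepted, reasons).  Implements three of the four 800-63B
    blocklist categories (compromised values, repetitive/sequential strings,
    context-specific words; dictionary-word screening is omitted) plus the
    minimum length.  Deliberately absent: composition rules and expiry,
    which the guideline says verifiers SHOULD NOT impose."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    low = password.lower()
    if len(set(password)) == 1 or low in "0123456789" \
            or low in "abcdefghijklmnopqrstuvwxyz":
        reasons.append("repetitive or sequential")
    if username and username.lower() in low:
        reasons.append("contains the username")
    count = breach_count(password, fetch)
    if count > 0:
        reasons.append(f"appears in {count} known breaches")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(pw, evaluate(pw))
```

Note that "Tr0ub4dor&3" passes and "password" fails: the verifier judges a secret by length and by whether it is known to attackers, not by which character classes it mixes. Swap in live_fetch for fetch to run the real check; only the five-character prefix is transmitted.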
Impacket GitHub Repository and Documentation https://github.com/fortra/impacket Impacket's tools (secretsdump.py, GetUserSPNs.py, ntlmrelayx.py, psexec.py) are essential for Active Directory password attacks. The source code is well-documented and serves as a learning resource for understanding NTLM, Kerberos, and SMB authentication protocols.
adsecurity.org — Active Directory Security Blog https://adsecurity.org/ Sean Metcalf's comprehensive resource on Active Directory security. Covers Kerberoasting, AS-REP roasting, Golden and Silver Tickets, credential theft, and defensive techniques in extraordinary detail. The "Attack and Defend" series is particularly relevant to this chapter.
The Hacker Recipes https://www.thehacker.recipes/ A community-maintained knowledge base covering Active Directory attacks, including detailed guides for Kerberoasting, pass-the-hash, NTLM relay, and credential harvesting. Step-by-step instructions with tool commands make this an excellent practical reference.
Practice Environments
Vulnerable Active Directory Labs Multiple community projects provide deliberately vulnerable Active Directory environments for practicing Kerberoasting, password spraying, pass-the-hash, and other credential attacks; Vulnerable-AD and GOAD (Game of Active Directory) are two widely used ones. Search for "Vulnerable AD Lab" or "DVAD" for setup guides. Build these on an isolated network segment: they are intentionally weak and must never be joined to, or reachable from, a production domain.
Hack The Box — Active Directory Labs https://www.hackthebox.com/ The HTB Pro Labs (RastaLabs, Offshore, APTLabs) provide realistic Active Directory environments where password attacks are frequently the critical path. Many individual machines also require password cracking skills.
CrackStation https://crackstation.net/ A free online hash lookup service backed by large pre-computed tables of common hash types (MD5, SHA-1, NTLM and others). Useful for quickly resolving common hashes in CTF competitions. The site also provides educational material on hash types and cracking techniques. Never submit hashes from a client engagement or a production system to a third-party site: the hash and any recovered plaintext become that site's data. For engagement material, crack locally with Hashcat or John.
TryHackMe — Password Attacks Module https://tryhackme.com/ Guided rooms covering Hydra, Hashcat, John the Ripper, and Active Directory credential attacks. The "Brute It," "Crack the Hash," and "Attacktive Directory" rooms are directly relevant.
Research Papers and Technical Resources
"Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks" by Melicher et al. (USENIX Security, 2016) Research on using neural networks to model password guessability, providing insights into how well different password policies resist cracking. The findings inform modern password policy design.
"Password Cracking Using Probabilistic Context-Free Grammars" by Matt Weir et al. (IEEE S&P, 2009) The foundational paper on grammar-based password cracking, which models how humans construct passwords and uses this model to generate highly effective password guesses. This approach is implemented in the PCFG Cracker tool.
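The Weir et al. entry describes the idea in one sentence; the following added example shows the mechanics on a toy scale. It is my illustration, not code from the paper or from the PCFG Cracker tool, and the TRAINING list is constructed. The grammar learns base structures (runs of letters L, digits D and symbols S with their lengths) and terminal probabilities from the training set, then expands every structure into guesses ordered by probability; the interesting part is that it produces candidates such as "iloveyou123" and "summer123" that never appeared in training.

```python
"""Toy probabilistic context-free grammar for password guessing, in the
spirit of Weir et al. (2009).  Added example, not code from the paper or
from PCFG Cracker.  The training passwords are constructed."""
import re
from collections import Counter, defaultdict
from itertools import product

# Constructed training set (not from any real breach).
TRAINING = [
    "password123", "letmein123", "welcome123", "summer2019",
    "password1", "hello123", "iloveyou!", "monkey123",
]

# Split a password into maximal runs of letters, digits and symbols.
TOKEN_RE = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")


def segment(password):
    return TOKEN_RE.findall(password)


def classify(token):
    if token.isalpha():
        return "L"
    if token.isdigit():
        return "D"
    return "S"


def train(passwords):
    """Learn base-structure counts, digit/symbol terminal counts, and the
    alpha strings that serve as a per-length dictionary."""
    structures = Counter()              # (("L", 8), ("D", 3)) -> count
    terminals = defaultdict(Counter)    # ("D", 3) -> Counter({"123": 5})
    words = defaultdict(set)            # 8 -> {"password", "iloveyou"}
    for pw in passwords:
        tokens = segment(pw)
        structure = tuple((classify(t), len(t)) for t in tokens)
        structures[structure] += 1
        for tok, (cls, n) in zip(tokens, structure):
            if cls == "L":
                words[n].add(tok)
            else:
                terminals[(cls, n)][tok] += 1
    return structures, terminals, words


def generate_guesses(structures, terminals, words):
    """Expand every structure into concrete guesses and return
    [(guess, probability)] in descending probability order.  Alpha words are
    uniform within their length class, as in the original paper."""
    total = sum(structures.values())
    guesses = {}
    for structure, count in structures.items():
        choices = []
        for cls, n in structure:
            if cls == "L":
                ws = sorted(words[n])
                choices.append([(w, 1.0 / len(ws)) for w in ws])
            else:
                term = terminals[(cls, n)]
                norm = sum(term.values())
                choices.append([(s, k / norm) for s, k in term.items()])
        for combo in product(*choices):
            prob = count / total
            text = ""
            for piece, p in combo:
                text += piece
                prob *= p
            guesses[text] = prob
    return sorted(guesses.items(), key=lambda kv: (-kv[1], kv[0]))


def guess_rank(guesses, target):
    """1-based position of target in the guess order, or None if never generated."""
    for i, (g, _) in enumerate(guesses, 1):
        if g == target:
            return i
    return None


if __name__ == "__main__":
    model = train(TRAINING)
    for g, p in generate_guesses(*model):
        print(f"{p:.4f}  {g}")
```

The real tool differs in two ways worth knowing: it generates guesses lazily in probability order with a priority queue instead of expanding everything up front, and it handles capitalisation and keyboard patterns as separate productions. The ordering logic above is the core idea.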
"Attacking Kerberos: Kicking the Guard Dog of Hades" by Tim Medin (DerbyCon, 2014) The presentation that introduced Kerberoasting to the security community. Medin explains the attack clearly and demonstrates its effectiveness against Active Directory service accounts: any domain user can request a service ticket for an account with an SPN, and the ticket is encrypted with that account's password hash and can be cracked offline.
"Secrets of the PlugX RAT and Pass-the-Hash Attack" by Dell SecureWorks (2012) One of the first detailed public analyses of pass-the-hash attacks used by APT groups. Provides context for understanding how nation-state actors use credential theft techniques.
"An Empirical Study of Wireless Carrier Authentication for SIM Swaps" by Lee et al. (SOUPS, 2020) Research demonstrating the ease of SIM swapping attacks, with direct implications for SMS-based multi-factor authentication. The study found that all five U.S. prepaid carriers tested used authentication challenges that an attacker could subvert through social engineering.
Certifications and Training
Offensive Security Certified Professional (OSCP) Password attacks, both online and offline, are a core skill tested in the OSCP exam. The PWK course (PEN-200) covers Hashcat, John the Ripper, password spraying, and pass-the-hash in practical lab environments.
GIAC Penetration Tester (GPEN) The SANS SEC560 course covers password attacks extensively, including credential harvesting from memory, Kerberoasting, and password policy assessment. The certification validates these skills.
Certified Red Team Professional (CRTP) Altered Security's CRTP (originally offered by Pentester Academy) focuses on Active Directory attacks, with extensive coverage of Kerberoasting, AS-REP roasting, delegation abuse, domain persistence, and cross-trust attacks. Highly recommended for anyone working in Windows enterprise environments.
HackTheBox Certified Penetration Testing Specialist (HTB CPTS) HTB's practical certification includes password attack scenarios in realistic environments. The training path covers modern credential attack techniques against Active Directory.
Tools Reference
| Tool | Purpose | Key Usage |
|---|---|---|
| Hashcat | GPU-accelerated hash cracking (`-m 1000` is NTLM, `-a 0` is straight wordlist mode) | `hashcat -m 1000 -a 0 hashes.txt wordlist.txt` |
| John the Ripper | Versatile hash cracking | `john --format=NT --wordlist=rockyou.txt hashes.txt` |
| Hydra | Online brute force | `hydra -l user -P passwords.txt ssh://target` |
| CrackMapExec / NetExec | AD password spraying and lateral movement (CrackMapExec is no longer maintained; NetExec, `nxc`, is the maintained fork with the same syntax) | `crackmapexec smb target -u users.txt -p pass --continue-on-success` |
| Responder | LLMNR/NBT-NS poisoning and NetNTLM hash capture | `responder -I eth0 -wrf` |
| Impacket | Python AD attack toolkit | `secretsdump.py domain/user:pass@dc` |
| Mimikatz | Windows credential extraction | `sekurlsa::logonpasswords` |
| Rubeus | Kerberos attack toolkit | `Rubeus.exe kerberoast` |
| CeWL | Custom wordlist generator | `cewl https://target.com -d 3 -m 6 -w words.txt` |
| Evil-WinRM | WinRM shell with pass-the-hash | `evil-winrm -i target -u user -H hash` |
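Before trusting a cracking rig on engagement data, it is worth feeding it hashes whose plaintext you already know. The added example below (mine, not code from Hashcat or John) shows what the `-m 1000` / `--format=NT` entries in the table operate on: NTLM is MD4 over the UTF-16LE encoding of the password. It carries a pure-Python MD4 (RFC 1320) so it runs without OpenSSL's legacy provider, builds a known-answer hashes.txt for a constructed set of users, and runs the same hash-and-compare loop that a wordlist attack performs.

```python
"""NTLM = MD4(UTF-16LE(password)).  Added example with a pure-Python MD4
(RFC 1320); the USERS table is constructed.  Not code from hashcat or John."""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# (round function, additive constant, per-step shifts, message word order)
_ROUNDS = (
    (_f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
    (_g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
    (_h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)


def md4(message: bytes) -> bytes:
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Pad: 0x80, zeros to 56 mod 64, then the bit length as 64-bit little-endian.
    padded = message + b"\x80" + b"\x00" * ((55 - len(message)) % 64)
    padded += struct.pack("<Q", len(message) * 8)
    for off in range(0, len(padded), 64):
        X = struct.unpack("<16I", padded[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in _ROUNDS:
            for i, idx in enumerate(order):
                # Update one register, then rotate so the next step hits the next one.
                aa = _rotl((aa + fn(bb, cc, dd) + X[idx] + k) & MASK, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def ntlm(password: str) -> str:
    """NT hash as lowercase hex, the form hashcat -m 1000 and john --format=NT expect."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed users with known plaintexts; never real credentials.
USERS = {
    "alice": "password",
    "bob": "Summer2024!",
    "carol": "correct horse battery staple",
}


def known_answer_file(users):
    """Lines in user:hash form.  hashcat reads these with --username; John
    accepts the same layout directly."""
    return "\n".join(f"{u}:{ntlm(p)}" for u, p in users.items()) + "\n"


def wordlist_attack(target_hashes, wordlist):
    """What -a 0 does: hash each candidate once and look it up against every
    target.  Returns {hash: plaintext} for the hashes that were recovered."""
    targets = {h.lower() for h in target_hashes}
    found = {}
    for candidate in wordlist:
        h = ntlm(candidate)
        if h in targets and h not in found:
            found[h] = candidate
            if len(found) == len(targets):
                break
    return found


if __name__ == "__main__":
    print(known_answer_file(USERS), end="")
    hits = wordlist_attack([ntlm(p) for p in USERS.values()],
                           ["123456", "password", "Summer2024!", "letmein"])
    print(hits)
```

Write the output of known_answer_file to hashes.txt, run the table's Hashcat command with `--username` added (or the John command as is) against a wordlist that contains "password" and "Summer2024!", and confirm both are recovered and the passphrase is not; a rig that cannot recover the known answers is misconfigured, not facing strong passwords.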