Chapter 14: Key Takeaways — Password Attacks and Authentication Bypass
Core Concepts
- Passwords are the most attacked authentication mechanism. Stolen credentials are involved in approximately half of all data breaches. Understanding password attacks is essential for both offense (penetration testing) and defense (building resilient authentication).
- Hash algorithm choice is the most important password storage decision. The difference between NTLM (160 billion hashes/second on a GPU) and bcrypt (183 thousand/second) is nearly a million-fold. Always use purpose-built KDFs: Argon2id, bcrypt, or scrypt.
- Online and offline attacks have fundamentally different characteristics. Online attacks are slow and detectable but require only network access. Offline attacks are fast and undetectable but require obtaining hashes first. Defense must address both vectors.
- Password spraying exploits statistical certainty. In any large organization, some users will have weak passwords. Spraying one common password against all accounts evades lockout while almost guaranteeing some success. Defense requires breach screening and MFA, not just lockout policies.
- Credential reuse transforms individual breaches into organizational compromises. With billions of credentials available from breach compilations, credential stuffing is the most common password attack against web applications. MFA is the primary defense.
- Pass-the-hash and Kerberoasting bypass cracking entirely. Attackers do not always need to crack passwords. NTLM hashes can be used directly for authentication, and Kerberos service tickets can be cracked offline without special privileges. Credential Guard, gMSAs, and Protected Users groups are critical defenses.
- MFA is essential but not infallible. Real-time phishing, push fatigue, and session hijacking can bypass MFA. FIDO2/WebAuthn hardware keys provide the strongest resistance to phishing-based bypass.
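The storage point above (a fast hash versus a purpose-built KDF) is easy to see in code. The following is an added example, not code from the chapter: it stores the same password two ways, as an unsalted SHA-256 digest (the anti-pattern) and as a salted scrypt digest (scrypt is used because it ships in Python's `hashlib`; bcrypt and Argon2id need third-party packages), then measures how many candidates per second a single CPU core can test against each. The wordlist and the scrypt cost parameters are constructed for the example; the absolute rates are single-core Python and nowhere near the GPU figures quoted above, but the ratio between the two formats is the point.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample wordlist standing in for a leaked-password list.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2024", "welcome1"]

# scrypt cost parameters (example values): n = CPU/memory cost, r = block size, p = parallelism.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_fast(password: str) -> str:
    """Anti-pattern: one unsalted general-purpose hash. Trivially parallel on a GPU."""
    return hashlib.sha256(password.encode()).hexdigest()


def verify_fast(password: str, stored: str) -> bool:
    return hmac.compare_digest(store_fast(password), stored)


def store_kdf(password: str, salt: Optional[bytes] = None) -> str:
    """Recommended pattern: per-user random salt plus a memory-hard KDF,
    stored with its parameters so they can be raised later without a migration flag day."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_kdf(password: str, stored: str) -> bool:
    # Parameters come from the stored record, not from code, so old records keep verifying.
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def guesses_per_second(verify, stored: str, wordlist, rounds: int = 1) -> float:
    """Time a dictionary pass against one stored record and return candidates/second."""
    candidates = wordlist * rounds
    start = time.perf_counter()
    for candidate in candidates:
        verify(candidate, stored)
    return len(candidates) / (time.perf_counter() - start)


def slowdown_factor(password: str = "Summer2024") -> float:
    """How many times slower a guess is against the KDF record than against the fast hash."""
    fast = guesses_per_second(verify_fast, store_fast(password), SAMPLE_WORDLIST, rounds=500)
    slow = guesses_per_second(verify_kdf, store_kdf(password), SAMPLE_WORDLIST)
    return fast / slow


if __name__ == "__main__":
    print(f"KDF record is about {slowdown_factor():,.0f}x slower per guess than unsalted SHA-256")
```

Two design details matter beyond the speed difference: the random salt makes two users with the same password produce different records, so one cracked record does not reveal the other, and embedding the cost parameters in the record lets you raise `n` for new logins while old records still verify.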
Practical Skills Checklist
After completing this chapter, you should be able to:
- [ ] Identify common hash types by their format (NTLM, SHA-512, bcrypt, Kerberos)
- [ ] Perform online password attacks with Hydra against SSH, HTTP, and RDP
- [ ] Conduct password spraying against Active Directory with CrackMapExec
- [ ] Extract password hashes from Windows systems using secretsdump and hashdump
- [ ] Crack hashes using Hashcat with dictionary, rule, and mask attacks
- [ ] Use John the Ripper for non-standard formats (ZIP, PDF, SSH keys, KeePass)
- [ ] Perform Kerberoasting and AS-REP roasting attacks
- [ ] Execute pass-the-hash authentication with Impacket tools
- [ ] Set up and conduct NTLM relay attacks
- [ ] Generate custom wordlists with CeWL and manual curation
- [ ] Audit password policies against NIST SP 800-63B guidelines
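The last checklist item, auditing against NIST SP 800-63B, is one of the few defensive skills in the list, and it is worth seeing what such an audit checks. The following added example (not from the chapter) implements two pieces in Python: a per-password screen applying 800-63B's memorized-secret rules (minimum 8 characters, at least 64 accepted, rejection of breached, context-specific, repeated and sequential values, and no composition rules) and a policy-level audit that flags settings the publication recommends against, such as mandatory complexity classes, periodic rotation without evidence of compromise, and blocking paste. The blocklist, organisation name and policy dictionaries are constructed for the example; a real deployment would screen against a full breach corpus.

```python
import re
from typing import Dict, List

# Constructed stand-ins: a tiny breach/common-password blocklist and a hypothetical org name.
BREACH_BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2024"}
CONTEXT_WORDS = {"acme", "acmecorp"}  # hypothetical organisation/service names
MIN_LENGTH, MAX_LENGTH = 8, 64          # 800-63B: at least 8, accept at least 64


def has_repetition(pw: str, run: int = 4) -> bool:
    """Same character repeated `run` or more times, e.g. 'aaaa'."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw: str, run: int = 4) -> bool:
    """Strictly ascending or descending run of `run` characters, e.g. '1234' or 'dcba'."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        codes = [ord(c) for c in low[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def evaluate_password(pw: str, username: str = "") -> List[str]:
    """Return the list of 800-63B reasons to reject `pw`; an empty list means accept.
    Note what is absent: no requirement for digits, symbols or mixed case."""
    reasons = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than 8 characters")
    if len(pw) > MAX_LENGTH:
        reasons.append("longer than 64 characters")
    if lowered in BREACH_BLOCKLIST:
        reasons.append("appears in breach/common-password blocklist")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    if any(word in lowered for word in CONTEXT_WORDS):
        reasons.append("contains the service name")
    if has_repetition(pw):
        reasons.append("repeated character run")
    if has_sequence(pw):
        reasons.append("sequential character run")
    return reasons


def policy_audit(policy: Dict) -> List[str]:
    """Compare a policy description (keys are constructed for this example) with 800-63B."""
    findings = []
    if policy.get("min_length", 0) < MIN_LENGTH:
        findings.append("minimum length below 8 characters")
    if policy.get("max_length", MAX_LENGTH) < MAX_LENGTH:
        findings.append("maximum length below 64 characters")
    if policy.get("composition_rules"):
        findings.append("composition rules required; 800-63B recommends against them")
    if policy.get("rotation_days"):
        findings.append("periodic rotation required without evidence of compromise")
    if not policy.get("breach_screening"):
        findings.append("no screening against breached/common passwords")
    if policy.get("allow_paste") is False:
        findings.append("paste blocked in password fields (hinders password managers)")
    return findings


if __name__ == "__main__":
    for candidate in ["Summer2024", "correct horse battery staple"]:
        print(candidate, "->", evaluate_password(candidate, username="jsmith") or "accept")
```

Running the audit on a legacy policy (8 characters, four character classes, 90-day rotation) typically produces the rotation and composition findings; those are the systemic recommendations that belong in a report, rather than a list of cracked individual passwords.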
Critical Reminders
- Handle recovered credentials as sensitive data. Encrypt them in transit and storage. Include only necessary evidence in reports. Destroy working copies after the engagement.
- Respect lockout policies. Password spraying in a healthcare environment can lock out clinical staff. Always determine lockout thresholds before testing and stay well below them.
- Report systemic issues, not just individual passwords. A password audit that cracks 40% of passwords indicates a policy failure, not 40 individual failures. Recommendations should address the systemic root cause.
- Always recommend defense in depth. No single control is sufficient. Combine strong hash algorithms, breach screening, MFA, privileged access management, and monitoring.
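The spraying concept above (one password, many accounts, each account kept below the lockout threshold) and the monitoring reminder in this list meet in detection logic: lockout counters never fire on a spray, so the signal has to be the number of distinct accounts failing from one source inside a time window. The following is an added example, not from the chapter, in Python: it parses a constructed, simplified authentication log, keeps a sliding window of failures per source address, and raises a `spray` alert when many distinct users fail from one source even though no single user exceeds the lockout count, alongside a `brute_force` alert for the classic one-account pattern. The log format, thresholds and addresses are constructed for the example; a real detector would map these onto the site's own log fields (for example Windows event 4625 or sshd failures).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed simplified log format: "<ISO timestamp> auth=fail|ok user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) auth=(?P<result>fail|ok) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line: str) -> Dict:
    match = LINE_RE.match(line.strip())
    if not match:
        raise ValueError(f"unparsed line: {line!r}")
    event = match.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect(lines: List[str], window: timedelta = timedelta(minutes=30),
           spray_users: int = 10, brute_min: int = 10) -> List[Dict]:
    """One alert per (type, source); values are the worst window seen for that source."""
    failures = defaultdict(list)
    for event in sorted((parse_line(l) for l in lines), key=lambda e: e["ts"]):
        if event["result"] == "fail":
            failures[event["src"]].append(event)

    alerts: Dict[tuple, Dict] = {}

    def record(kind: str, src: str, distinct: int, worst: int) -> None:
        best = alerts.get((kind, src))
        if best is None or distinct > best["distinct_users"] or worst > best["max_per_user"]:
            alerts[(kind, src)] = {"type": kind, "src": src,
                                   "distinct_users": distinct, "max_per_user": worst}

    for src, events in failures.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start so that events[start:end+1] all fall inside `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            counts = Counter(e["user"] for e in events[start:end + 1])
            distinct, worst = len(counts), max(counts.values())
            if distinct >= spray_users:       # many accounts, few failures each: spray
                record("spray", src, distinct, worst)
            if worst >= brute_min:            # one account hammered: brute force
                record("brute_force", src, distinct, worst)
    return list(alerts.values())


def constructed_sample_log() -> List[str]:
    """Constructed sample: a spray source, a brute-force source and one benign user."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    for i in range(12):   # spray: 12 accounts, one failure each, two minutes apart
        ts = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{ts} auth=fail user=user{i:02d} src=203.0.113.5")
    for i in range(12):   # brute force: one account, 12 failures, ten seconds apart
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} auth=fail user=admin src=198.51.100.7")
    lines.append(f"{base.isoformat()} auth=fail user=alice src=192.0.2.10")          # benign typo
    lines.append(f"{(base + timedelta(seconds=30)).isoformat()} auth=ok user=alice src=192.0.2.10")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_sample_log()):
        print(alert)
```

The spray source never accumulates more than one failure per account, so a lockout threshold of three or five would never trigger; the distinct-user count across the window is what exposes it. Tune `spray_users` and `window` to the environment, and remember that a spray spread across many source addresses will need the same count taken per password-attempt timing pattern or per target set rather than per source.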
Connection to Next Chapters
The exploitation, network attack, and password attack skills from Chapters 12-14 form the offensive foundation of network and system exploitation. In the following chapters, you will apply these skills to specific domains: web application attacks, wireless security, and advanced post-exploitation techniques that build on the access gained through the methods covered here.