
5 best password auditing tools

January 9, 2018 by Irfan Shakeel

A single weak password exposes your entire network to external threats. Password hacking is one of the most critical and commonly exploited network security threats. In many ways, passwords should be viewed as your first line of defense in protecting your company's data. A huge number of data breaches occur because someone was careless with their password and it fell into the wrong hands.

Weak passwords are easy to break, while complex passwords are difficult to memorize. Having an elaborate security policy is a great way to ensure the security of your network. In addition, password auditing tools are used to examine the security of your network by attempting to break into it: they try common attacks on account passwords in an attempt to recover the password of a user account.


A password auditor allows you to carry out a password audit within a limited period. If a password auditor can recover a password within a reasonable time, the entire network cannot be considered secure.

Password auditors use several methods for testing and recovering passwords, including brute-force attacks, mask attacks, dictionary searches and rainbow table attacks. Many tools are available to perform password auditing.

Here is a list of some of the best password auditing tools that are used and preferred in the field.



RainbowCrack

RainbowCrack uses Philippe Oechslin's faster time-memory trade-off technique. A brute-force hash cracker, by contrast, generates all possible plaintexts and computes the corresponding hashes on the fly, then compares them with the hash to be cracked. Once a match is found, the plaintext is found. If all possible plaintexts are tested and no match is found, the plaintext is not found. With this type of hash cracking, all intermediate computation results are discarded.

RainbowCrack requires a pre-computation stage, in which all plaintext/hash pairs for the selected hash algorithm, charset and plaintext length are computed and the results are stored in files called rainbow tables. This kind of computation is time-consuming. However, once the one-time pre-computation is finished, hashes stored in the table can be cracked with much better performance than with a brute-force cracker.
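The pre-computation and lookup stages described above, as an added Python example (not RainbowCrack's code or table format). It assumes a constructed three-letter lowercase keyspace, unsalted MD5 and a simple made-up reduction function; the last line shows why a per-password salt makes the precomputed table useless.

```python
import hashlib
from itertools import product

CHARSET = "abcdefghijklmnopqrstuvwxyz"  # constructed toy keyspace: 26**3 plaintexts
LENGTH, CHAIN_LEN = 3, 100
KEYSPACE = len(CHARSET) ** LENGTH

def h(plaintext: str) -> bytes:
    """Unsalted fast hash, the case rainbow tables are built for."""
    return hashlib.md5(plaintext.encode()).digest()

def reduce_fn(digest: bytes, column: int) -> str:
    """Map a digest back to a plaintext; varies per column so chains merge less."""
    n = (int.from_bytes(digest[:8], "big") + column) % KEYSPACE
    out = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(CHARSET))
        out.append(CHARSET[r])
    return "".join(out)

def build_table(starts):
    """Pre-computation: walk every chain but store only endpoint -> start(s)."""
    table = {}
    for start in starts:
        p = start
        for col in range(CHAIN_LEN):
            p = reduce_fn(h(p), col)
        table.setdefault(p, []).append(start)
    return table

def lookup(table, target: bytes):
    """Guess the column the target sits in, finish the chain, replay on a hit."""
    for col in reversed(range(CHAIN_LEN)):
        p = reduce_fn(target, col)
        for c in range(col + 1, CHAIN_LEN):
            p = reduce_fn(h(p), c)
        for q in table.get(p, []):      # endpoint hit; may be a false alarm
            for c in range(CHAIN_LEN):
                if h(q) == target:
                    return q
                q = reduce_fn(h(q), c)
    return None

if __name__ == "__main__":
    every = ["".join(t) for t in product(CHARSET, repeat=LENGTH)]
    table = build_table(every[::44])    # 400 chains walked over the 17,576 plaintexts
    print(len(table), "endpoints stored for a keyspace of", KEYSPACE)
    print(lookup(table, h("aaa")))              # a chain start is always recovered
    print(lookup(table, h("8f3a" + "aaa")))     # constructed salt prepended: not found
```

A plaintext that no chain happens to pass through is also reported as not found, which is why real tables are sized for a target success rate rather than full coverage.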


  • Full time-memory tradeoff tool suites, including rainbow table generation, sort, conversion and lookup
  • Supports rainbow tables of any hash algorithm
  • Supports rainbow tables of any charset
  • Supports rainbow tables in raw file format (.rt) and compact file format (.rtc)
  • Computation on multi-core processors
  • GPU acceleration with NVIDIA GPUs (CUDA technology)
  • GPU acceleration with AMD GPUs (OpenCL technology)
  • GPU acceleration with multiple GPUs
  • Runs on Windows operating systems
      • Windows XP 32-bit / 64-bit
      • Windows Vista 32-bit / 64-bit
      • Windows 7 32-bit / 64-bit
      • Windows 8 32-bit / 64-bit
  • Runs on Linux operating systems (x86 and x86_64)
  • Unified rainbow table file format on all supported operating systems
  • Command line user interface
  • Graphical user interface

RainbowCrack can be downloaded from here.


Wfuzz

Wfuzz is a tool designed for brute forcing web applications. It can be used to find resources that are not linked (directories, servlets, scripts, etc.), to brute force GET and POST parameters when checking for different kinds of injection (SQL, XSS, LDAP, etc.), to brute force form parameters (user/password), for fuzzing, and so on.

It was created to facilitate the task in web application assessments. It can also be used to find hidden resources like directories, servlets, and scripts.


  • Multiple Injection points capability with multiple dictionaries
  • Recursion (When doing directory brute force)
  • Post, headers and authentication data brute forcing
  • Output to HTML
  • Colored output
  • Hide results by return code, word numbers, line numbers, regex
  • Cookies fuzzing
  • Multi-threading
  • Proxy support
  • SOCKS support
  • Time delays between requests
  • Authentication support (NTLM, Basic)
  • All parameters brute forcing (POST and GET)
  • Multiple encoders per payload
  • Payload combinations with iterators
  • Baseline request (to filter results against)
  • Brute force HTTP methods
  • Multiple proxy support (each request through a different proxy)
  • HEAD scan (faster for resource discovery)
  • Dictionaries tailored for known applications (Weblogic, iPlanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and much more).


Payloads:

  • File
  • List
  • hexrand
  • range
  • names
  • hexrange


Encodings:

  • random_uppercase
  • urlencode
  • binary_ascii
  • base64
  • double_nibble_hex
  • uri_hex
  • sha1
  • md5
  • double_urlencode
  • utf8
  • utf8_binary
  • HTML
  • HTML decimal
  • custom

Wfuzz can be downloaded from here.

Cain and Abel

Cain and Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force, and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

Cain and Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration testers and everyone else who plans to use it for ethical reasons.


  • WEP cracking
  • Speeding up packet capture by wireless packet injection
  • Ability to record VoIP conversations
  • Decoding scrambled passwords
  • Calculating hashes
  • Traceroute
  • Revealing password boxes
  • Uncovering cached passwords
  • Dumping protected storage passwords
  • ARP spoofing
  • IP to MAC Address Resolver
  • Network Password Sniffer
  • LSA secret dumper

Cain and Abel can be downloaded from here.

THC Hydra

When you need to brute force a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including Telnet, FTP, HTTP, HTTPS, SMB, several databases, and much more.

THC Hydra is a fast network logon password cracking tool. Comparisons with other similar tools show that it is faster. New modules are easy to add, which makes it simple to extend its features. It is available for Windows, Linux, FreeBSD, Solaris and OS X.

THC-Hydra can be downloaded from here.


Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. It allows for rapid, yet reliable, large-scale auditing of multiple hosts.

Ncrack's features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated brute forcing attacks, timing templates for ease of use, runtime interaction similar to Nmap's and much more. Protocols supported include RDP, SSH, HTTP(S), SMB, POP3(S), VNC, FTP, SIP, Redis, PostgreSQL, MySQL, and Telnet.

Ncrack can be downloaded from here.


The list is not limited to the tools described above; there are other password auditing tools available, and most of them are pretty good and secure. You will want to evaluate them to find the one that best suits your needs, but at the root, they all work along the same principles.

Irfan Shakeel

Irfan Shakeel is the founder & CEO of An engineer, penetration tester and a security researcher. He specializes in Network, VoIP Penetration testing and digital forensics. He is the author of the book titled “Hacking from Scratch”. He loves to provide training and consultancy services, and works as an independent security researcher.