Password Attacks

Hints:

Default Credentials
Generate a dictionary based on the website company (CEWL tool) or OSINT techniques.
Before to credentials attack either Bruteforce or Password Spraying try to get the password policy.
Re-use credentials on everywhere (Services, Platforms ,users , software , apps, etc.)
User as password (Ex: James:James)
Simple Passwords (Password1, Welcome123)
Create a dictionary with hashcat rules

GitHub - ihebski/DefaultCreds-cheat-sheet: One place for all the default credentials to assist the Blue/Red teamers identifying devices with default password 🛡️GitHub

Google Search - Default Credentials

Default Router Login Password For Top Router Models (2026 List)Software Testing Help - FREE IT Courses and Business Software/Service Reviews

Hashcat

Hashcat rules

Default Path: /usr/share/hashcat/rules/

How to create rules: rule_based_attack

Example Hashcat file rules provided by Hackthebox

:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@

#Brute for with rules
Intrusionz3r0X@htb[/htb]$ hashcat -m <mode> -r hashes.txt -r /usr/share/hashcat/rules/test.rule
#Generating rule-based wordlist with hashcat rules
Intrusionz3r0X@htb[/htb]$ hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list

Mask attack table

Placeholder

Meaning

Character Set

?l

Lowercase letter

abcdefghijklmnopqrstuvwxyz

?u

Uppercase letter

ABCDEFGHIJKLMNOPQRSTUVWXYZ

?d

Digit

0123456789

?s

Special character

`!"#$%&'()*+,-./:;<=>?@[]^_{

?a

All characters (lowercase + uppercase + digits + special)

?b

All printable ASCII characters (includes space)

?h

Lowercase hex character

0123456789abcdef

?H

Uppercase hex character

0123456789ABCDEF

example.hcmask

Intrusionz3r0?d
Intrusionz3r0?d?d
Intrusionz3r0?d?d?d
Intrusionz3r0?d?d?d?d

#Mask attack (Mode 3) Define the password format
Intrusionz3r0X@htb[/htb]$ hashcat -a 3 -m 100 ntlm.txt ?l?l?l?l?l?l?d?d
Intrusionz3r0X@htb[/htb]$ hashcat -a 3 -m 100 ntlm.txt example.hcmask

#Hybrid Attack (Mode 6)
Intrusionz3r0X@htb[/htb]$ hashcat -a 6 -m 1000 ntlm.txt wordlist.txt ?d?d?d?d
0528bfe7e3995e7e895275ce552fa505:Password5555

#Hybrid Attack (Mode 7) (mask first)
Intrusionz3r0X@htb[/htb]$ hashcat -a 6 -m 1000 ntlm.txt wordlist.txt ?d?d?d?d
0528bfe7e3995e7e895275ce552fa505:5555Password

Cracking using combinator attack in hashcat

Intrusionz3r0X@htb[/htb]$ cat list1.txt
purple

Intrusionz3r0X@htb[/htb]$ cat list2.txt
monkey
dishwasher

Intrusionz3r0X@htb[/htb]$ hashcat.exe -a 1 -m 1000 ntlm.txt list1.txt list2.txt -j $- -k $!
0528bfe7e3995e7e895275ce552fa505:purple-monkey!

Crafting Wordlists

Generating Wordlists Using CEWL

Intrusionz3r0X@htb[/htb]$ cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist

Generating Wordlists of Username Conventions using username-anarchy

Intrusionz3r0X@htb[/htb]$ ./username-anarchy -i /home/ltnbob/names.txt 
Intrusionz3r0@htb[/htb]$ ./username-anarchy Jane Smith > jane_smith_usernames.txt

Create a custom wordlist with a OSINT

Intrusionz3r0@htb[/htb]$ cupp -i

Generate 16,679,616 possible username combinations.

#!/bin/bash

for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}
    do echo $x;
done

Crafting wordlist using kwprocessor

Advanced keyboard-walk generator with configureable basechars, keymap and routes

GitHub - hashcat/kwprocessor: Advanced keyboard-walk generator with configureable basechars, keymap and routesGitHub

Examples:

John the Ripper

Locate john converter scripts

Intrusionz3r0X@htb[/htb]$ locate *2john*

Something to John

#SSH to John
Intrusionz3r0X@htb[/htb]$ ssh2john.py SSH.private > ssh.hash
#docx to John
Intrusionz3r0X@htb[/htb]$ office2john.py Protected.docx > protected-docx.hash
#PDF to John
Intrusionz3r0X@htb[/htb]$ pdf2john.py PDF.pdf > pdf.hash
#ZIP to John
Intrusionz3r0X@htb[/htb]$ zip2john ZIP.zip > zip.hash
#GPG
Intrusionz3r0X@htb[/htb]$ gpg2john gpg.private > hash

Keepass to John

Intrusionz3r0@kali~$ keepass-dump-extractor KeePassDumpFull.dmp -f all > wordlist.txt
Intrusionz3r0@kali~$ keepass2john passcodes.kdbx > hash
Intrusionz3r0@kali~$ hashcat -a 0 -m 13400 hash wordlist.txt --username
Intrusionz3r0@kali~$ kpcli -kdb=passcodes.kdbx

If you get the next error: File version '40000' is currently not supported! then use Keepass4Brute.sh or findkeepassword

Cracking examples

Putty ppk to SSH

Intrusionz3r0@kali~$ sudo apt install putty-tools  
Intrusionz3r0@kali~$ puttygen id_rsa.ppk -O private-openssh -o id_rsa
Intrusionz3r0@kali~$ chmod 600 id_rsa
Intrusionz3r0@kali~$ ssh -i id_rsa root@10.10.11.227

Cracking BitLocker Encrypted Drives

Intrusionz3r0X@htb[/htb]$ bitlocker2john -i Backup.vhd > backup.hashes
Intrusionz3r0X@htb[/htb]$ grep "bitlocker\\$0" backup.hashes > backup.hash
Intrusionz3r0X@htb[/htb]$ cat backup.hash
Intrusionz3r0X@htb[/htb]$ hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked

Cracking OpenSSL Encrypted Archives

Intrusionz3r0X@htb[/htb]$ file GZIP.gzip 
#-----GZIP.gzip: openssl enc'd data with salted password
Intrusionz3r0X@htb[/htb]$ for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null| tar xz;done

Hashes known

#MD5
Intrusionz3r0X@htb[/htb]$ hashcat -m 500 -a 0 md5-hashes.list rockyou.txt

#NTLM
Intrusionz3r0X@htb[/htb]$ sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

#NTLMv2
Intrusionz3r0X@htb[/htb]$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

#SHA-512 (passwd/shadow/)
Intrusionz3r0X@htb[/htb]$ unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
Intrusionz3r0X@htb[/htb]$ hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

#Bitlocker Password
Intrusionz3r0X@htb[/htb]$ hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked

#Kerberosting attack (TGS-REP)
Intrusionz3r0X@htb[/htb]$ hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt 

#ASREPRoasting (AS_REP)
Intrusionz3r0X@htb[/htb]$ john --wordlist=passwords_kerb.txt hashes.asreproast
Intrusionz3r0X@htb[/htb]$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt

# Keccak-384 (Multimaste Machine)
hashcat -m 17900 unknown.hashes /usr/share/wordlists/rockyou.txt --show

#jbcrypt - Found on Jenkins
hashcat -m 3200 '$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a' /usr/share/wordlists/rockyou.txt

Hash identifier tools

hashid 'hash'
hash-identifier

Password Spraying Office 365 (Microsoft Exchange environment)

PreviousFile Transfer Techniques NextEnumeration

Last updated 7 months ago