# Password Attacks

Hints:

* Try default credentials first.
* Generate a dictionary based on the target company's website (CeWL) or on OSINT.
* Before any credential attack, whether brute force or password spraying, try to obtain the password policy first.
* Reuse every credential you find everywhere (services, platforms, users, software, apps, etc.).
* Username as password (e.g. James:James).
* Simple passwords (Password1, Welcome123).
* Expand a base dictionary with hashcat rules.

{% embed url="https://github.com/ihebski/DefaultCreds-cheat-sheet" %}

## **Google Search - Default Credentials**

<figure><img src="/files/Tvi4TefpzwpKZC9QUWN3" alt=""><figcaption></figcaption></figure>

## **Default Router Login Password For Top Router Models (2024 List)**

{% embed url="https://www.softwaretestinghelp.com/default-router-username-and-password-list/" %}

## Hashcat

### Hashcat rules

Default Path: `/usr/share/hashcat/rules/`

**How to create rules:** [**rule\_based\_attack**](https://hashcat.net/wiki/doku.php?id=rule_based_attack)

**Example hashcat rule file, as provided by Hack The Box**

```sh
:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@
```

```sh
# Dictionary attack with rules (every rule line is applied to every word of the wordlist)
Intrusionz3r0X@htb[/htb]$ hashcat -m <mode> hashes.txt wordlist.txt -r /usr/share/hashcat/rules/test.rule
# Generate a rule-mutated wordlist without cracking anything (--stdout)
Intrusionz3r0X@htb[/htb]$ hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
```
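The rule file above is easier to reason about once you see what each function does to a word. The following is an added example, not code from the original page or from hashcat: a minimal interpreter for the rule functions that appear in that file (`:`, `c`, `sXY`, `$X`) plus a few common ones, with the page's rule file and a small constructed wordlist embedded so it runs offline. It is written from the defender's side: `find_rule_mutation` is the check a password-policy filter would run to reject a candidate such as `P@ssw0rd!` that is only a rule mutation of a dictionary word. Rule functions whose argument is a space, and every function not listed, are not supported (the interpreter raises).

```python
"""Minimal interpreter for the hashcat rule subset used in the rule file above.

Added example, not part of the original page or of hashcat. Supports ':', 'l',
'u', 'c', 't', 'r', 'd', '$X', '^X' and 'sXY'; anything else raises ValueError.
"""
from typing import Iterable, List, Optional, Tuple

# The rule file from the page, embedded so the example runs offline.
HTB_RULES = """\
:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@
"""

# Constructed base wordlist (stands in for password.list / rockyou.txt).
WORDS = ["password", "summer"]


def apply_function(word: str, fn: str) -> str:
    """Apply one hashcat rule function (e.g. 'c', 'so0', '$!') to a word."""
    op = fn[0]
    if op == ":":          # no-op: keep the word as-is
        return word
    if op == "l":          # lowercase all
        return word.lower()
    if op == "u":          # uppercase all
        return word.upper()
    if op == "c":          # capitalise the first letter, lowercase the rest
        return word[:1].upper() + word[1:].lower()
    if op == "t":          # toggle the case of every letter
        return word.swapcase()
    if op == "r":          # reverse
        return word[::-1]
    if op == "d":          # duplicate
        return word * 2
    if op == "$":          # append character X   ($X)
        return word + fn[1]
    if op == "^":          # prepend character X  (^X)
        return fn[1] + word
    if op == "s":          # replace every X with Y (sXY)
        return word.replace(fn[1], fn[2])
    raise ValueError(f"unsupported rule function: {fn!r}")


def apply_rule(word: str, rule: str) -> str:
    """A rule line is a whitespace-separated chain of functions, applied left to right."""
    for fn in rule.split():
        word = apply_function(word, fn)
    return word


def parse_rules(text: str) -> List[str]:
    """Load rule lines, skipping blank lines and '#' comments as hashcat does."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def mutate_wordlist(words: Iterable[str], rules: Iterable[str]) -> List[str]:
    """Equivalent of `hashcat --stdout -r rules wordlist | sort -u`."""
    return sorted({apply_rule(w, r) for w in words for r in rules})


def find_rule_mutation(candidate: str, words: Iterable[str],
                       rules: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Defender-side check: (base word, rule) if `candidate` is a rule mutation
    of a dictionary word, otherwise None."""
    for w in words:
        for r in rules:
            if apply_rule(w, r) == candidate:
                return (w, r)
    return None


if __name__ == "__main__":
    rules = parse_rules(HTB_RULES)
    for m in mutate_wordlist(WORDS, rules):
        print(m)
    print(find_rule_mutation("P@ssw0rd!", WORDS, rules))
```

With the page's 15 rules, `password` yields 15 distinct candidates while `summer` yields only 4, because `so0` and `sa@` do nothing to a word that contains no `o` or `a`; that is why `sort -u` after `--stdout` matters.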

### Mask attack table

| Placeholder | Meaning                                                   | Character Set                          |
| ----------- | --------------------------------------------------------- | -------------------------------------- |
| `?l`        | Lowercase letter                                          | `abcdefghijklmnopqrstuvwxyz`           |
| `?u`        | Uppercase letter                                          | `ABCDEFGHIJKLMNOPQRSTUVWXYZ`           |
| `?d`        | Digit                                                     | `0123456789`                           |
| `?s`        | Special character (space plus all ASCII punctuation)      | ``!"#$%&'()*+,-./:;<=>?@[\]^_`{\|}~`` |
| `?a`        | All characters (lowercase + uppercase + digits + special) | `?l?u?d?s`                             |
| `?b`        | All *printable* ASCII characters (includes space)         |                                        |
| `?h`        | Lowercase hex character                                   | `0123456789abcdef`                     |
| `?H`        | Uppercase hex character                                   | `0123456789ABCDEF`                     |

**example.hcmask**

```
Intrusionz3r0?d
Intrusionz3r0?d?d
Intrusionz3r0?d?d?d
Intrusionz3r0?d?d?d?d
```

```sh
# Mask attack (-a 3): the mask defines the password format (NTLM hashes, so -m 1000)
Intrusionz3r0X@htb[/htb]$ hashcat -a 3 -m 1000 ntlm.txt ?l?l?l?l?l?l?d?d
Intrusionz3r0X@htb[/htb]$ hashcat -a 3 -m 1000 ntlm.txt example.hcmask

# Hybrid attack (-a 6): wordlist followed by mask
Intrusionz3r0X@htb[/htb]$ hashcat -a 6 -m 1000 ntlm.txt wordlist.txt ?d?d?d?d
0528bfe7e3995e7e895275ce552fa505:Password5555

# Hybrid attack (-a 7): mask followed by wordlist (mask first)
Intrusionz3r0X@htb[/htb]$ hashcat -a 7 -m 1000 ntlm.txt ?d?d?d?d wordlist.txt
0528bfe7e3995e7e895275ce552fa505:5555Password
```

#### Cracking using combinator attack in hashcat

```sh
Intrusionz3r0X@htb[/htb]$ cat list1.txt
purple

Intrusionz3r0X@htb[/htb]$ cat list2.txt
monkey
dishwasher

# Combinator attack (-a 1): -j applies a rule to the left word, -k to the right word.
# Quote the rules, otherwise the shell expands $! and $- before hashcat sees them.
Intrusionz3r0X@htb[/htb]$ hashcat -a 1 -m 1000 ntlm.txt list1.txt list2.txt -j '$-' -k '$!'
0528bfe7e3995e7e895275ce552fa505:purple-monkey!
```
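The mask, hybrid and combinator modes above all have a keyspace you can compute before running anything, which is the number a defender wants when judging whether a password policy holds up. The following is an added example, not code from the original page or from hashcat: it parses masks (`??` is a literal `?`, other characters are literals, `?l`-style placeholders use hashcat's charset sizes), `.hcmask` files in the `charset1,charset2,...,mask` form, and the hybrid and combinator cases. The `EXAMPLE_HCMASK` text is constructed for the example: the four masks from `example.hcmask` on the page plus one line with a custom charset; `?b` is deliberately left out.

```python
"""Keyspace calculator for hashcat masks, .hcmask files, hybrid and combinator attacks.

Added example, not part of the original page or of hashcat. Charset sizes
follow hashcat's built-ins: ?s is space plus 32 ASCII punctuation marks (33),
?a is ?l?u?d?s (95). ?b is omitted.
"""
from typing import Dict, List, Optional

BUILTIN_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "h": 16, "H": 16}

# Constructed sample: the page's example.hcmask plus one line that defines a
# custom charset (?1 = ?l?d) using the "charset1,...,mask" .hcmask syntax.
EXAMPLE_HCMASK = """\
# masks for one target (constructed)
Intrusionz3r0?d
Intrusionz3r0?d?d
Intrusionz3r0?d?d?d
Intrusionz3r0?d?d?d?d
?l?d,company?1?1?1
"""


def _tokens(mask: str) -> List[str]:
    """Split a mask into '?x' placeholders and single literal characters."""
    out, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            out.append(mask[i:i + 2])      # '?l', '?1', or '??' (a literal '?')
            i += 2
        else:
            out.append(mask[i])            # literal character
            i += 1
    return out


def _size(token: str, custom: Dict[str, int]) -> int:
    """Number of values one mask position can take."""
    if token == "??" or not token.startswith("?"):
        return 1                           # a literal has exactly one value
    key = token[1]
    return custom[key] if key in custom else BUILTIN_SIZES[key]


def charset_size(spec: str, custom: Optional[Dict[str, int]] = None) -> int:
    """Characters covered by a charset spec such as '?l?d' or 'abc?d' (duplicates not removed)."""
    return sum(_size(t, custom or {}) for t in _tokens(spec))


def mask_keyspace(mask: str, custom: Optional[Dict[str, int]] = None) -> int:
    """Candidates generated by one mask: product of the per-position sizes."""
    space = 1
    for t in _tokens(mask):
        space *= _size(t, custom or {})
    return space


def hcmask_keyspace(text: str) -> int:
    """Total candidates for a .hcmask file; '#' lines and blanks are skipped and
    leading comma-separated fields define custom charsets ?1..?4 in order."""
    total = 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        *customs, mask = line.split(",")
        custom: Dict[str, int] = {}
        for i, spec in enumerate(customs):
            custom[str(i + 1)] = charset_size(spec, custom)   # may reference earlier ones
        total += mask_keyspace(mask, custom)
    return total


def hybrid_keyspace(wordlist_size: int, mask: str) -> int:
    """-a 6 and -a 7: every word combined with every mask candidate."""
    return wordlist_size * mask_keyspace(mask)


def combinator_keyspace(left_size: int, right_size: int) -> int:
    """-a 1: every left word joined with every right word."""
    return left_size * right_size


def seconds_at(keyspace: int, hashes_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace at a given cracking rate."""
    return keyspace / hashes_per_second


if __name__ == "__main__":
    ks = mask_keyspace("?l?l?l?l?l?l?d?d")
    print(ks, "candidates,", seconds_at(ks, 1e9), "s at 1 GH/s")
    print("example.hcmask:", hcmask_keyspace(EXAMPLE_HCMASK))
```

The rate passed to `seconds_at` is an assumption the caller supplies (the block uses 1 GH/s only as a placeholder); the point of the calculation is that a six-letter-plus-two-digit pattern is about 3.1e10 candidates, which is small against fast hashes such as NTLM regardless of the exact rate.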

## Crafting Wordlists

### Generating Wordlists Using CEWL

```sh
Intrusionz3r0X@htb[/htb]$ cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist 
```

### Generating wordlists of username conventions using username-anarchy

```sh
Intrusionz3r0X@htb[/htb]$ ./username-anarchy -i /home/ltnbob/names.txt 
Intrusionz3r0@htb[/htb]$ ./username-anarchy Jane Smith > jane_smith_usernames.txt
```

### Create a custom wordlist with OSINT (cupp)

```sh
Intrusionz3r0@htb[/htb]$ cupp -i
```

### Generate 16,679,616 possible username combinations.

```bash
#!/bin/bash
# Every 4-character string over A-Z and 0-9; bash brace expansion does the work
for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}; do
    echo "$x"
done
```

#### Crafting wordlist using kwprocessor

Advanced keyboard-walk generator with configurable base characters, keymap and routes.

{% embed url="https://github.com/hashcat/kwprocessor" %}

#### Examples:

<figure><img src="/files/1ZZUGDlCAL7yI37LVnR0" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/3cND3WizrYTbhKTkqmWa" alt=""><figcaption></figcaption></figure>

## John the Ripper

#### Locate the john converter scripts

```sh
# Quote the pattern so the shell does not expand the glob before locate runs
Intrusionz3r0X@htb[/htb]$ locate '*2john*'
```

#### Something to John

```sh
# SSH private key
Intrusionz3r0X@htb[/htb]$ ssh2john.py SSH.private > ssh.hash
# Office document (docx/xlsx/pptx)
Intrusionz3r0X@htb[/htb]$ office2john.py Protected.docx > protected-docx.hash
# PDF
Intrusionz3r0X@htb[/htb]$ pdf2john.py PDF.pdf > pdf.hash
# ZIP archive
Intrusionz3r0X@htb[/htb]$ zip2john ZIP.zip > zip.hash
# GPG private key
Intrusionz3r0X@htb[/htb]$ gpg2john gpg.private > hash
```

#### Keepass to John

```sh
Intrusionz3r0@kali~$ keepass-dump-extractor KeePassDumpFull.dmp -f all > wordlist.txt
Intrusionz3r0@kali~$ keepass2john passcodes.kdbx > hash
Intrusionz3r0@kali~$ hashcat -a 0 -m 13400 hash wordlist.txt --username
Intrusionz3r0@kali~$ kpcli -kdb=passcodes.kdbx
```

{% hint style="info" %}
If you get the following error: `File version '40000' is currently not supported!`, use [Keepass4Brute.sh](https://raw.githubusercontent.com/r3nt0n/keepass4brute/refs/heads/master/keepass4brute.sh) or [findkeepassword](https://github.com/evenfurther/findkeepassword) instead.
{% endhint %}

## Cracking examples

### Putty ppk to SSH

```sh
Intrusionz3r0@kali~$ sudo apt install putty-tools  
Intrusionz3r0@kali~$ puttygen id_rsa.ppk -O private-openssh -o id_rsa
Intrusionz3r0@kali~$ chmod 600 id_rsa
Intrusionz3r0@kali~$ ssh -i id_rsa root@10.10.11.227
```

### Cracking BitLocker Encrypted Drives

```sh
Intrusionz3r0X@htb[/htb]$ bitlocker2john -i Backup.vhd > backup.hashes
# Keep only the user-password hash ($bitlocker$0$); \$ keeps the dollar sign literal for grep
Intrusionz3r0X@htb[/htb]$ grep "bitlocker\$0" backup.hashes > backup.hash
Intrusionz3r0X@htb[/htb]$ cat backup.hash
Intrusionz3r0X@htb[/htb]$ hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked
```

### Cracking OpenSSL Encrypted Archives

```sh
Intrusionz3r0X@htb[/htb]$ file GZIP.gzip
GZIP.gzip: openssl enc'd data with salted password
# Try each candidate; stop at the first one that decrypts to a valid tar stream.
# Reading line by line (instead of $(cat ...)) keeps passwords that contain spaces intact.
Intrusionz3r0X@htb[/htb]$ while read -r i; do openssl enc -aes-256-cbc -d -in GZIP.gzip -k "$i" 2>/dev/null | tar xz 2>/dev/null && echo "password: $i" && break; done < rockyou.txt
```

### Hashes known

```sh
#md5crypt ($1$; mode 500. Raw MD5 is mode 0)
Intrusionz3r0X@htb[/htb]$ hashcat -m 500 -a 0 md5-hashes.list rockyou.txt

#NTLM
Intrusionz3r0X@htb[/htb]$ sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

#NetNTLMv2
Intrusionz3r0X@htb[/htb]$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

#sha512crypt ($6$, /etc/passwd + /etc/shadow)
Intrusionz3r0X@htb[/htb]$ unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
Intrusionz3r0X@htb[/htb]$ hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

#BitLocker password
Intrusionz3r0X@htb[/htb]$ hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked

#Kerberoasting (TGS-REP, etype 23)
Intrusionz3r0X@htb[/htb]$ hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt

#AS-REP roasting (AS-REP, etype 23)
Intrusionz3r0X@htb[/htb]$ john --wordlist=passwords_kerb.txt hashes.asreproast
Intrusionz3r0X@htb[/htb]$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt

#Keccak-384 (Multimaster machine); --show only prints results already in the potfile
Intrusionz3r0X@htb[/htb]$ hashcat -m 17900 unknown.hashes /usr/share/wordlists/rockyou.txt --show

#bcrypt (jBCrypt, found in Jenkins)
Intrusionz3r0X@htb[/htb]$ hashcat -m 3200 '$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a' /usr/share/wordlists/rockyou.txt
```

### Hash identifier tools

```sh
hashid 'hash'
hash-identifier 
```
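Tools like `hashid` work by matching the textual format of a hash, and knowing the formats is what lets you pick the right `-m` mode from the list above or recognise a hash type when it shows up in a log or a leaked file. The following is an added example, not code from the original page, from hashid or from hash-identifier: a format-based identifier covering exactly the hash types and hashcat modes listed on this page (plus raw MD5, mode 0, because 32 hex digits are ambiguous between MD5 and NTLM). Ambiguous inputs return several candidates, and `user:hash` lines (the `--username` layout used above) fall back to the part after the first colon. The NTLM and bcrypt samples are taken from the page; every other sample value is constructed to have the right shape and is not a real hash.

```python
"""Format-based identifier for the hash types on this page.

Added example, not part of the original page, hashid or hash-identifier.
Returns candidate (name, hashcat mode) pairs; the caller still confirms with
context, since a format match is not proof of the algorithm.
"""
import re
from typing import Dict, List, Tuple

HEX = "[0-9a-fA-F]"
B64 = "[./A-Za-z0-9]"

# (name, hashcat mode, regex over the whole hash string)
SIGNATURES: List[Tuple[str, int, str]] = [
    ("NTLM", 1000, rf"^{HEX}{{32}}$"),
    ("MD5", 0, rf"^{HEX}{{32}}$"),
    ("Keccak-384", 17900, rf"^{HEX}{{96}}$"),
    ("md5crypt", 500, rf"^\$1\$[^$]{{1,8}}\${B64}{{22}}$"),
    ("sha512crypt", 1800, rf"^\$6\$(rounds=\d+\$)?[^$]{{1,16}}\${B64}{{86}}$"),
    ("bcrypt", 3200, rf"^\$2[abxy]\$\d{{2}}\${B64}{{53}}$"),
    ("NetNTLMv2", 5600, rf"^[^:]+::[^:]*:{HEX}{{16}}:{HEX}{{32}}:{HEX}+$"),
    ("Kerberos 5 TGS-REP etype 23", 13100, r"^\$krb5tgs\$23\$"),
    ("Kerberos 5 AS-REP etype 23", 18200, r"^\$krb5asrep\$23\$"),
    ("BitLocker", 22100, r"^\$bitlocker\$0\$"),
    ("KeePass", 13400, r"^\$keepass\$\*"),
]
COMPILED = [(name, mode, re.compile(rx)) for name, mode, rx in SIGNATURES]

# Sample inputs. NTLM and bcrypt values are from the page; the rest are
# constructed to have the right shape only (they are not real hashes).
SAMPLES: Dict[str, str] = {
    "ntlm": "0528bfe7e3995e7e895275ce552fa505",
    "bcrypt": "$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a",
    "netntlmv2": "alice::CORP:1122334455667788:" + "a" * 32 + ":0101000000000000",
    "sha512crypt": "$6$saltsalt$" + "A" * 86,
    "md5crypt": "$1$abcdefgh$" + "B" * 22,
    "tgs": "$krb5tgs$23$*sqldev$CORP.LOCAL$MSSQLSvc/db*$" + "b" * 32 + "$" + "c" * 64,
    "asrep": "$krb5asrep$23$bob@CORP.LOCAL:" + "d" * 32 + "$" + "e" * 64,
    "bitlocker": "$bitlocker$0$16$" + "f" * 32 + "$1048576$12$" + "0" * 24 + "$60$" + "a" * 120,
    "keepass": "$keepass$*2*60000*0*" + "*".join(["a" * 64, "b" * 64, "c" * 32, "d" * 64, "e" * 64]),
}


def identify(h: str) -> List[Tuple[str, int]]:
    """All (name, mode) pairs whose format matches the hash; [] if none."""
    h = h.strip()
    hits = [(name, mode) for name, mode, rx in COMPILED if rx.search(h)]
    if not hits and ":" in h:
        # 'user:hash' layout (hashcat --username): retry on the part after the first colon
        hits = [(name, mode) for name, mode, rx in COMPILED
                if rx.search(h.split(":", 1)[1])]
    return hits


def identify_file(text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Map each non-empty, non-comment line of a hash file to its candidates."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            result[line] = identify(line)
    return result


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:12s} -> {identify(value)}")
```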

## Password Spraying Office 365 (Microsoft Exchange environment)

* [MailSniper](https://github.com/dafthack/MailSniper)
* [SprayingToolkit](https://github.com/byt3bl33d3r/SprayingToolkit)

