Password Attacks

Hints:

Default Credentials
Generate a dictionary based on the website company (CEWL tool) or OSINT techniques.
Before to credentials attack either Bruteforce or Password Spraying try to get the password policy.
Re-use credentials on everywhere (Services, Platforms ,users , software , apps, etc.)
User as password (Ex: James:James)
Simple Passwords (Password1, Welcome123)
Create a dictionary with hashcat rules

GitHub - ihebski/DefaultCreds-cheat-sheet: One place for all the default credentials to assist the Blue/Red teamers identifying devices with default password 🛡️GitHub

Google Search - Default Credentials

Default Router Password to Login for all Top Routers 2026Software Testing Help - FREE IT Courses and Business Software/Service Reviews

Hashcat

Hashcat rules

Default Path: /usr/share/hashcat/rules/

How to create rules: rule_based_attack

Example Hashcat file rules provided by Hackthebox

:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@

#Brute for with rules
Intrusionz3r0X@htb[/htb]$ hashcat -m <mode> -r hashes.txt -r /usr/share/hashcat/rules/test.rule
#Generating rule-based wordlist with hashcat rules
Intrusionz3r0X@htb[/htb]$ hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list

Mask attack table

Placeholder

Meaning

Character Set

?l

Lowercase letter

abcdefghijklmnopqrstuvwxyz

?u

Uppercase letter

ABCDEFGHIJKLMNOPQRSTUVWXYZ

?d

Digit

0123456789

?s

Special character

`!"#$%&'()*+,-./:;<=>?@[]^_{

?a

All characters (lowercase + uppercase + digits + special)

?b

All printable ASCII characters (includes space)

?h

Lowercase hex character

0123456789abcdef

?H

Uppercase hex character

0123456789ABCDEF

example.hcmask

Intrusionz3r0?d
Intrusionz3r0?d?d
Intrusionz3r0?d?d?d
Intrusionz3r0?d?d?d?d

#Mask attack (Mode 3) Define the password format
Intrusionz3r0X@htb[/htb]$ hashcat -a 3 -m 100 ntlm.txt ?l?l?l?l?l?l?d?d
Intrusionz3r0X@htb[/htb]$ hashcat -a 3 -m 100 ntlm.txt example.hcmask

#Hybrid Attack (Mode 6)
Intrusionz3r0X@htb[/htb]$ hashcat -a 6 -m 1000 ntlm.txt wordlist.txt ?d?d?d?d
0528bfe7e3995e7e895275ce552fa505:Password5555

#Hybrid Attack (Mode 7) (mask first)
Intrusionz3r0X@htb[/htb]$ hashcat -a 6 -m 1000 ntlm.txt wordlist.txt ?d?d?d?d
0528bfe7e3995e7e895275ce552fa505:5555Password

Cracking using combinator attack in hashcat

Intrusionz3r0X@htb[/htb]$ cat list1.txt
purple

Intrusionz3r0X@htb[/htb]$ cat list2.txt
monkey
dishwasher

Intrusionz3r0X@htb[/htb]$ hashcat.exe -a 1 -m 1000 ntlm.txt list1.txt list2.txt -j $- -k $!
0528bfe7e3995e7e895275ce552fa505:purple-monkey!

Crafting Wordlists

Generating Wordlists Using CEWL

Intrusionz3r0X@htb[/htb]$ cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist

Generating Wordlists of Username Conventions using username-anarchy

Intrusionz3r0X@htb[/htb]$ ./username-anarchy -i /home/ltnbob/names.txt 
Intrusionz3r0@htb[/htb]$ ./username-anarchy Jane Smith > jane_smith_usernames.txt

Create a custom wordlist with a OSINT

Intrusionz3r0@htb[/htb]$ cupp -i

Generate 16,679,616 possible username combinations.

#!/bin/bash

for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}
    do echo $x;
done

Crafting wordlist using kwprocessor

Advanced keyboard-walk generator with configureable basechars, keymap and routes

GitHub - hashcat/kwprocessor: Advanced keyboard-walk generator with configureable basechars, keymap and routesGitHub

Examples:

John the Ripper

Locate john converter scripts

Intrusionz3r0X@htb[/htb]$ locate *2john*

Something to John

#SSH to John
Intrusionz3r0X@htb[/htb]$ ssh2john.py SSH.private > ssh.hash
#docx to John
Intrusionz3r0X@htb[/htb]$ office2john.py Protected.docx > protected-docx.hash
#PDF to John
Intrusionz3r0X@htb[/htb]$ pdf2john.py PDF.pdf > pdf.hash
#ZIP to John
Intrusionz3r0X@htb[/htb]$ zip2john ZIP.zip > zip.hash
#GPG
Intrusionz3r0X@htb[/htb]$ gpg2john gpg.private > hash

Keepass to John

Intrusionz3r0@kali~$ keepass-dump-extractor KeePassDumpFull.dmp -f all > wordlist.txt
Intrusionz3r0@kali~$ keepass2john passcodes.kdbx > hash
Intrusionz3r0@kali~$ hashcat -a 0 -m 13400 hash wordlist.txt --username
Intrusionz3r0@kali~$ kpcli -kdb=passcodes.kdbx

If you get the next error: File version '40000' is currently not supported! then use Keepass4Brute.sh or findkeepassword

Cracking examples

Putty ppk to SSH

Intrusionz3r0@kali~$ sudo apt install putty-tools  
Intrusionz3r0@kali~$ puttygen id_rsa.ppk -O private-openssh -o id_rsa
Intrusionz3r0@kali~$ chmod 600 id_rsa
Intrusionz3r0@kali~$ ssh -i id_rsa root@10.10.11.227

Cracking BitLocker Encrypted Drives

Intrusionz3r0X@htb[/htb]$ bitlocker2john -i Backup.vhd > backup.hashes
Intrusionz3r0X@htb[/htb]$ grep "bitlocker\\$0" backup.hashes > backup.hash
Intrusionz3r0X@htb[/htb]$ cat backup.hash
Intrusionz3r0X@htb[/htb]$ hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked

Cracking OpenSSL Encrypted Archives

Intrusionz3r0X@htb[/htb]$ file GZIP.gzip 
#-----GZIP.gzip: openssl enc'd data with salted password
Intrusionz3r0X@htb[/htb]$ for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null| tar xz;done

Hashes known

#MD5
Intrusionz3r0X@htb[/htb]$ hashcat -m 500 -a 0 md5-hashes.list rockyou.txt

#NTLM
Intrusionz3r0X@htb[/htb]$ sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

#NTLMv2
Intrusionz3r0X@htb[/htb]$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

#SHA-512 (passwd/shadow/)
Intrusionz3r0X@htb[/htb]$ unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
Intrusionz3r0X@htb[/htb]$ hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

#Bitlocker Password
Intrusionz3r0X@htb[/htb]$ hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked

#Kerberosting attack (TGS-REP)
Intrusionz3r0X@htb[/htb]$ hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt 

#ASREPRoasting (AS_REP)
Intrusionz3r0X@htb[/htb]$ john --wordlist=passwords_kerb.txt hashes.asreproast
Intrusionz3r0X@htb[/htb]$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt

# Keccak-384 (Multimaste Machine)
hashcat -m 17900 unknown.hashes /usr/share/wordlists/rockyou.txt --show

#jbcrypt - Found on Jenkins
hashcat -m 3200 '$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a' /usr/share/wordlists/rockyou.txt

Hash identifier tools

hashid 'hash'
hash-identifier

Password Spraying Office 365 (Microsoft Exchange environment)

PreviousFile Transfer Techniques NextEnumeration

Last updated 9 months ago

hashtagGoogle Search - Default Credentials

hashtagDefault Router Login Password For Top Router Models (2024 List)

hashtagHashcat

hashtagHashcat rules

hashtagMask attack table

hashtagCracking using combinator attack in hashcat

hashtagCrafting Wordlists

hashtagGenerating Wordlists Using CEWL

hashtagGenerating Wordlists of Username Conventions using username-anarchy

hashtagCreate a custom wordlist with a OSINT

hashtagGenerate 16,679,616 possible username combinations.

hashtagCrafting wordlist using kwprocessor

hashtagExamples:

hashtagJohn the Ripper

hashtagLocate john converter scripts

hashtagSomething to John

hashtagKeepass to John

hashtagCracking examples

hashtagPutty ppk to SSH

hashtagCracking BitLocker Encrypted Drives

hashtagCracking OpenSSL Encrypted Archives

hashtagHashes known

hashtagHash identifier tools

hashtagPassword Spraying Office 365 (Microsoft Exchange environment)