Password Attacks

Hints:

• Default Credentials

• Generate a dictionary based on the website company (CEWL tool) or OSINT techniques.

• Before to credentials attack either Bruteforce or Password Spraying try to get the password policy.

• Re-use credentials on everywhere (Services, Platforms ,users , software , apps, etc.)

• User as password (Ex: James:James)

• Simple Passwords (Password1, Welcome123)

• Create a dictionary with hashcat rules

GitHub - ihebski/DefaultCreds-cheat-sheet: One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️GitHub

Google Search - Default Credentials

Default Router Login Password For Top Router Models (2024 List)

Default Router Login Password For Top Router Models (2023 List)Software Testing Help

Hashcat Rules

The best custome rule files for hashcat

hashcat/rules/d3ad0ne.rule at master · hashcat/hashcatGitHub

#Brute for with rules
hashcat -m <mode> -r hashes.txt -r /usr/share/hashcat/rules/test.rule

Simple Custom Rule file provided by hackthebox

:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@

Generating rule-based wordlist with hashcat rules

Intrusionz3r0X@htb[/htb]$ hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list

Generating Wordlists Using CEWL

Intrusionz3r0X@htb[/htb]$ cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist 

Generating Wordlists of Username Conventions using username-anarchy

Intrusionz3r0X@htb[/htb]$ ./username-anarchy -i /home/ltnbob/names.txt 
Intrusionz3r0@htb[/htb]$ ./username-anarchy Jane Smith > jane_smith_usernames.txt

Create a custom wordlist with a OSINT

Intrusionz3r0@htb[/htb]$ cupp -i

Linkedln user enumeration

• LinkedInt
• linkedin2username

John Hashing Scripts

Intrusionz3r0X@htb[/htb]$ locate *2john*

Something to John

#SSH to John
Intrusionz3r0X@htb[/htb]$ ssh2john.py SSH.private > ssh.hash
#docx to John
Intrusionz3r0X@htb[/htb]$ office2john.py Protected.docx > protected-docx.hash
#PDF to John
Intrusionz3r0X@htb[/htb]$ pdf2john.py PDF.pdf > pdf.hash
#ZIP to John
Intrusionz3r0X@htb[/htb]$ zip2john ZIP.zip > zip.hash
#GPG
Intrusionz3r0X@htb[/htb]$ gpg2john gpg.private > hash

Keepass to John

Intrusionz3r0@kali~$ keepass-dump-extractor KeePassDumpFull.dmp -f all > wordlist.txt
Intrusionz3r0@kali~$ keepass2john passcodes.kdbx > hash
Intrusionz3r0@kali~$ hashcat -a 0 -m 13400 hash wordlist.txt --username
Intrusionz3r0@kali~$ kpcli -kdb=passcodes.kdbx

If you get the next error: File version '40000' is currently not supported! then use Keepass4Brute.sh or findkeepassword

Putty ppk to SSH

Intrusionz3r0@kali~$ sudo apt install putty-tools  
Intrusionz3r0@kali~$ puttygen id_rsa.ppk -O private-openssh -o id_rsa
Intrusionz3r0@kali~$ chmod 600 id_rsa
Intrusionz3r0@kali~$ ssh -i id_rsa root@10.10.11.227

Cracking BitLocker Encrypted Drives

Intrusionz3r0X@htb[/htb]$ bitlocker2john -i Backup.vhd > backup.hashes
Intrusionz3r0X@htb[/htb]$ grep "bitlocker\\$0" backup.hashes > backup.hash
Intrusionz3r0X@htb[/htb]$ cat backup.hash
Intrusionz3r0X@htb[/htb]$ hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked

Cracking OpenSSL Encrypted Archives

Intrusionz3r0X@htb[/htb]$ file GZIP.gzip 
#-----GZIP.gzip: openssl enc'd data with salted password
Intrusionz3r0X@htb[/htb]$ for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null| tar xz;done

Filter to specific password policy

• Minimum Length: 6 characters

• Must Include:

  • At least one uppercase letter

  • At least one lowercase letter

  • At least one number

  • At least two special characters (from the set !@#$%^&*)

Intrusionz3r0@htb[/htb]$ grep -E '^.{6,}$' jane.txt | grep -E '[A-Z]' | grep -E '[a-z]' | grep -E '[0-9]' | grep -E '([!@#$%^&*].*){2,}' > jane-filtered.txt

Hashes known

#MD5
Intrusionz3r0X@htb[/htb]$ hashcat -m 500 -a 0 md5-hashes.list rockyou.txt

#NTLM
Intrusionz3r0X@htb[/htb]$ sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

#NTLMv2
Intrusionz3r0X@htb[/htb]$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

#SHA-512 (passwd/shadow/)
Intrusionz3r0X@htb[/htb]$ unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
Intrusionz3r0X@htb[/htb]$ hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

#Bitlocker Password
Intrusionz3r0X@htb[/htb]$ hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked

#Kerberosting attack (TGS-REP)
Intrusionz3r0X@htb[/htb]$ hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt 

#ASREPRoasting (AS_REP)
Intrusionz3r0X@htb[/htb]$ john --wordlist=passwords_kerb.txt hashes.asreproast
Intrusionz3r0X@htb[/htb]$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt

# Keccak-384 (Multimaste Machine)
hashcat -m 17900 unknown.hashes /usr/share/wordlists/rockyou.txt --show

#jbcrypt - Found on Jenkins
hashcat -m 3200 '$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a' /usr/share/wordlists/rockyou.txt 

Identify Hash tools

#How linux encrypt the hashes
man 5 crypt

#Tools
hashid 'hash'
hash-identifier 

Generate 16,679,616 possible username combinations.

#!/bin/bash

for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}
    do echo $x;
done

Password Spraying tools for Office 365 (Microsoft Exchange environment)

• MailSniper
• SprayingToolkit

Useful tools and resources

https://github.com/initstring/linkedin2username

https://github.com/insidetrust/statistically-likely-usernames

https://github.com/dafthack/DomainPasswordSpray

Creating a good password

Password Strength Meter

A Secure, Strong Password Generator | 1Password

Online password Managers

1. 1Password
2. Bitwarden
3. Dashlane
4. Keeper
5. Lastpass
6. NordPass
7. RoboForm

Local Password Managers

1. KeePass
2. KWalletManager
3. Pleasant Password Server
4. Password Safe

Alternatives

1. Multi-factor Authentication.
2. FIDO2 open authentication standard, which enables users to leverage common devices like Yubikey, to authenticate easily. For a more extended device list, you can see Microsoft FIDO2 security key providers.
3. One-Time Password (OTP).
4. Time-based one-time password (TOTP).
5. IP restriction.
6. Device Compliance. Examples: Endpoint Manager or Workspace ONE

Passwordless

1. Microsoft Passwordless
2. Auth0 Passwordless
3. Okta Passwordless
4. PingIdentity