Password Attacks

Hints:

  • Default credentials

  • Generate a dictionary from the target company's website (CeWL) or from OSINT.

  • Before any credential attack (brute force or password spraying), try to obtain the password policy: it tells you the minimum length and complexity to build candidates for, and the lockout threshold you must stay under when spraying.

  • Re-use every credential you find everywhere (services, platforms, users, software, apps, etc.).

  • Username as password (e.g. James:James)

  • Simple passwords (Password1, Welcome123)

  • Create a dictionary with hashcat rules

Google Search - Default Credentials

Default Router Login Password For Top Router Models (2024 List)

Hashcat

Hashcat rules

Default Path: /usr/share/hashcat/rules/

How to create rules: rule_based_attack

Example hashcat rule file (from Hack The Box); each line is one rule, functions on a line are applied left to right:

:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@
#Wordlist attack with rules (-a 0): every rule is applied to every word of the list
Intrusionz3r0X@htb[/htb]$ hashcat -a 0 -m <mode> hashes.txt password.list -r /usr/share/hashcat/rules/test.rule
#Generating a rule-based wordlist (no hashes needed: --stdout prints the candidates instead of cracking)
Intrusionz3r0X@htb[/htb]$ hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
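To see what a rule file does to a word before spending GPU time on it, here is a small interpreter for the subset of hashcat's rule language used above (`:`, `c`, `sXY`, `$X`) plus a few more common functions. This is an added example, not hashcat's own code; `PAGE_RULES` is the rule file quoted above and the words fed to it are made up.

```python
"""Minimal interpreter for a subset of hashcat's rule language (added example,
not hashcat's code). For the supported functions it yields the same candidates
as `hashcat --stdout wordlist -r rules`."""

# The rule file quoted above, one rule per line, functions separated by spaces.
PAGE_RULES = """
:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@
""".strip().splitlines()

# Number of argument characters each supported function consumes.
_ARGC = {":": 0, "l": 0, "u": 0, "c": 0, "C": 0, "t": 0, "r": 0, "d": 0,
         "[": 0, "]": 0, "$": 1, "^": 1, "T": 1, "s": 2}


def parse_rule(rule):
    """Split 'c sa@ so0' into [('c', ''), ('s', 'a@'), ('s', 'o0')]."""
    funcs, i = [], 0
    while i < len(rule):
        ch = rule[i]
        if ch.isspace():
            i += 1
            continue
        if ch not in _ARGC:
            raise ValueError(f"unsupported rule function {ch!r} in {rule!r}")
        n = _ARGC[ch]
        args = rule[i + 1:i + 1 + n]
        if len(args) != n:
            raise ValueError(f"missing argument for {ch!r} in {rule!r}")
        funcs.append((ch, args))
        i += 1 + n
    return funcs


def apply_rule(word, rule):
    """Apply every function of one rule line to `word`, left to right."""
    w = word
    for fn, a in parse_rule(rule):
        if fn == "l":
            w = w.lower()
        elif fn == "u":
            w = w.upper()
        elif fn == "c":            # capitalize first char, lowercase the rest
            w = w[:1].upper() + w[1:].lower()
        elif fn == "C":            # lowercase first char, uppercase the rest
            w = w[:1].lower() + w[1:].upper()
        elif fn == "t":            # toggle case of every char
            w = w.swapcase()
        elif fn == "r":            # reverse
            w = w[::-1]
        elif fn == "d":            # duplicate
            w = w + w
        elif fn == "[":            # delete first char
            w = w[1:]
        elif fn == "]":            # delete last char
            w = w[:-1]
        elif fn == "$":            # append X
            w = w + a
        elif fn == "^":            # prepend X
            w = a + w
        elif fn == "T":            # toggle case at position N (0-9, A-Z = 10-35)
            p = int(a, 36)
            if p < len(w):
                w = w[:p] + w[p].swapcase() + w[p + 1:]
        elif fn == "s":            # replace every X with Y
            w = w.replace(a[0], a[1])
        # ":" is a no-op that passes the word through unchanged
    return w


def mutate(words, rules):
    """Expand a wordlist with a rule set, dropping duplicates but keeping order."""
    seen, out = set(), []
    for word in words:
        for rule in rules:
            cand = apply_rule(word, rule)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


if __name__ == "__main__":
    for cand in mutate(["password", "welcome"], PAGE_RULES):
        print(cand)
```

Note that order inside a rule matters: `$! c` capitalizes after appending, which is harmless here, but `c` followed by `so0` gives a different word than `so0` followed by `c` only when the replaced character is the first one. Duplicates collapse quickly for words the rule does not touch (`sa@` on a word without an `a` is the same as `:`), which is why `sort -u` belongs after `--stdout`.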

Mask attack table

Placeholder   Meaning                                    Character set
?l            Lowercase letter                           abcdefghijklmnopqrstuvwxyz
?u            Uppercase letter                           ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d            Digit                                      0123456789
?s            Special character (space included)         (space)!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a            ?l + ?u + ?d + ?s                          the 95 printable ASCII characters
?b            Any byte                                   0x00 - 0xff
?h            Lowercase hex character                    0123456789abcdef
?H            Uppercase hex character                    0123456789ABCDEF

example.hcmask

Intrusionz3r0?d
Intrusionz3r0?d?d
Intrusionz3r0?d?d?d
Intrusionz3r0?d?d?d?d
#Mask attack (-a 3): define the password format (-m 1000 = NTLM)
Intrusionz3r0X@htb[/htb]$ hashcat -a 3 -m 1000 ntlm.txt ?l?l?l?l?l?l?d?d
#A .hcmask file runs one mask per line, one after another
Intrusionz3r0X@htb[/htb]$ hashcat -a 3 -m 1000 ntlm.txt example.hcmask

#Hybrid attack (-a 6): wordlist + mask (mask appended to each word)
Intrusionz3r0X@htb[/htb]$ hashcat -a 6 -m 1000 ntlm.txt wordlist.txt ?d?d?d?d
0528bfe7e3995e7e895275ce552fa505:Password5555

#Hybrid attack (-a 7): mask + wordlist (mask first); note the argument order is reversed
Intrusionz3r0X@htb[/htb]$ hashcat -a 7 -m 1000 ntlm.txt ?d?d?d?d wordlist.txt
<hash>:5555Password

Cracking using combinator attack in hashcat

Intrusionz3r0X@htb[/htb]$ cat list1.txt
purple

Intrusionz3r0X@htb[/htb]$ cat list2.txt
monkey
dishwasher

#-j applies a rule to the left word, -k to the right one; quote them, otherwise the shell expands $- and $!
Intrusionz3r0X@htb[/htb]$ hashcat.exe -a 1 -m 1000 ntlm.txt list1.txt list2.txt -j '$-' -k '$!'
0528bfe7e3995e7e895275ce552fa505:purple-monkey!
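The mask, hybrid and combinator modes above all boil down to expanding a mask (or two lists) into a candidate set, and the first thing to check is how big that set is. The following added Python example (not hashcat's code) expands hashcat masks with the built-in charsets from the table, computes the keyspace of a single mask or a whole .hcmask file, and generates the candidates of modes 3, 6, 7 and 1; the example.hcmask masks and the purple/monkey lists are the ones from this page, everything else is made up.

```python
"""Mask expansion for hashcat attack modes 3 (mask), 6/7 (hybrid) and 1
(combinator). Added example, not hashcat's code: it reproduces the candidate
set of each mode and lets you size the keyspace before committing GPU time."""
from itertools import product
import string

# hashcat's built-in charsets. ?s is the space plus the 32 ASCII punctuation
# characters; ?a is ?l?u?d?s (95 printable ASCII); ?b is every byte 0x00-0xff.
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "b": "".join(chr(i) for i in range(256)),
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def parse_mask(mask):
    """'Intrusionz3r0?d?d' -> one charset string per position. '??' is a literal '?'."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError(f"dangling '?' at end of mask {mask!r}")
        key = mask[i + 1]
        if key == "?":
            positions.append("?")
        elif key in CHARSETS:
            positions.append(CHARSETS[key])
        else:
            raise ValueError(f"unknown placeholder ?{key} in mask {mask!r}")
        i += 2
    return positions


def keyspace(mask):
    """Number of candidates one mask produces (product of the charset sizes)."""
    n = 1
    for cs in parse_mask(mask):
        n *= len(cs)
    return n


def total_keyspace(masks):
    """Keyspace of an .hcmask file: hashcat runs the masks one after another."""
    return sum(keyspace(m) for m in masks)


def mask_candidates(mask):
    """-a 3: every candidate of one mask (itertools.product order)."""
    for combo in product(*parse_mask(mask)):
        yield "".join(combo)


def hybrid_candidates(words, mask, mask_first=False):
    """-a 6 appends the mask to each word; -a 7 (mask_first=True) prepends it."""
    for word in words:
        for m in mask_candidates(mask):
            yield m + word if mask_first else word + m


def combinator_candidates(left, right, left_suffix="", right_suffix=""):
    """-a 1: every left word joined to every right word. The suffixes stand in
    for the -j '$-' / -k '$!' rules (append one char to the left / right word)."""
    for lw in left:
        for rw in right:
            yield lw + left_suffix + rw + right_suffix


if __name__ == "__main__":
    example_hcmask = ["Intrusionz3r0?d", "Intrusionz3r0?d?d",
                      "Intrusionz3r0?d?d?d", "Intrusionz3r0?d?d?d?d"]
    print("keyspace ?l?l?l?l?l?l?d?d :", keyspace("?l?l?l?l?l?l?d?d"))
    print("keyspace example.hcmask  :", total_keyspace(example_hcmask))
    print(list(mask_candidates("Intrusionz3r0?d"))[:3])
    print(next(hybrid_candidates(["Password"], "?d?d?d?d", mask_first=True)))
    print(list(combinator_candidates(["purple"], ["monkey", "dishwasher"], "-", "!")))
```

The keyspace numbers are the point: `?l?l?l?l?l?l?d?d` is about 3.1e10 candidates, trivial for NTLM on a GPU but hopeless against bcrypt, while the four masks of example.hcmask together are only 11,110 candidates. hashcat reports the same figure as "Guess.Queue/Keyspace" in its status output, so compare before you launch.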

Crafting Wordlists

Generating Wordlists Using CEWL

Intrusionz3r0X@htb[/htb]$ cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist 

Generating Wordlists of Username Conventions using username-anarchy

Intrusionz3r0X@htb[/htb]$ ./username-anarchy -i /home/ltnbob/names.txt 
Intrusionz3r0@htb[/htb]$ ./username-anarchy Jane Smith > jane_smith_usernames.txt

Create a custom wordlist from OSINT about the target person (cupp interactive mode asks for names, birthdays, pets, etc.)

Intrusionz3r0@htb[/htb]$ cupp -i

Generate every 4-character username over [A-Z0-9]: 36^4 = 1,679,616 combinations.

#!/bin/bash
# Bash brace expansion builds the whole list in memory; each {{A..Z},{0..9}} is one position.
for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}; do
    echo "$x"
done

Crafting wordlist using kwprocessor

Advanced keyboard-walk generator with configurable basechars, keymap and routes (patterns such as qwerty, 1qaz2wsx or zaq1 that users type by sliding over the keyboard).

Examples:
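As an added example of the idea behind kwprocessor (this is not kwprocessor's code, and it does not use its basechars, keymap or route files), the following Python generates keyboard walks from a simplified US keymap: pick a start key, then follow a route, i.e. a list of segment lengths where each segment runs in one direction and the walk turns between segments. The keymap treats the rows as aligned columns, which is an assumption; a real keyboard staggers them.

```python
"""Keyboard-walk generator in the style of kwprocessor (added example, not
kwprocessor's code or data). A route such as [3, 2] means: walk 3 keys in one
direction, turn, walk 2 keys in another direction."""
from itertools import product

# Simplified US keymap, rows as aligned columns (assumption: '1' sits over 'q',
# 'q' over 'a', 'a' over 'z'), which yields the classic 1qaz / zaq1 walks.
KEYMAP = [
    "1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]
DIRECTIONS = {"R": (0, 1), "L": (0, -1), "D": (1, 0), "U": (-1, 0)}
OPPOSITE = {"R": "L", "L": "R", "D": "U", "U": "D"}
POSITIONS = {ch: (r, c) for r, row in enumerate(KEYMAP) for c, ch in enumerate(row)}


def key_at(r, c):
    """Key at grid position (r, c), or None when the walk leaves the keyboard."""
    if 0 <= r < len(KEYMAP) and 0 <= c < len(KEYMAP[r]):
        return KEYMAP[r][c]
    return None


def walk(start, route, directions):
    """Walk `route` from `start` with one direction letter per segment.
    Returns the candidate string, or None if a step falls off the keyboard."""
    r, c = POSITIONS[start]
    out = [start]
    for length, d in zip(route, directions):
        dr, dc = DIRECTIONS[d]
        for _ in range(length):
            r, c = r + dr, c + dc
            k = key_at(r, c)
            if k is None:
                return None
            out.append(k)
    return "".join(out)


def keyboard_walks(route, basechars=None):
    """Every distinct walk for one route from every start key. Consecutive
    segments must turn: the same direction twice is just a longer segment,
    the opposite direction would retrace keys already typed."""
    basechars = basechars or "".join(KEYMAP)
    seen = set()
    for start in basechars:
        for dirs in product(DIRECTIONS, repeat=len(route)):
            if any(b == a or b == OPPOSITE[a] for a, b in zip(dirs, dirs[1:])):
                continue
            cand = walk(start, route, dirs)
            if cand is not None and cand not in seen:
                seen.add(cand)
                yield cand


def wordlist(routes, basechars=None):
    """Expand several routes (like a kwprocessor routes file) into one list."""
    out, seen = [], set()
    for route in routes:
        for cand in keyboard_walks(route, basechars):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


if __name__ == "__main__":
    # Routes: straight runs of 3 and 5 keys, and an L-shape of 3 then 2 keys.
    for cand in wordlist([[3], [5], [3, 2]], basechars="1qaz"):
        print(cand)
```

Restricting `basechars` to the keys people actually start on (the number row and the left-hand column) keeps the list small; feed the output through the rule file above (`c`, `$!`) to cover the capitalized and suffixed variants that password policies push users into.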

John the Ripper

Locate john converter scripts

Intrusionz3r0X@htb[/htb]$ locate *2john*

Something to John

#SSH to John
Intrusionz3r0X@htb[/htb]$ ssh2john.py SSH.private > ssh.hash
#docx to John
Intrusionz3r0X@htb[/htb]$ office2john.py Protected.docx > protected-docx.hash
#PDF to John
Intrusionz3r0X@htb[/htb]$ pdf2john.py PDF.pdf > pdf.hash
#ZIP to John
Intrusionz3r0X@htb[/htb]$ zip2john ZIP.zip > zip.hash
#GPG
Intrusionz3r0X@htb[/htb]$ gpg2john gpg.private > hash

Keepass to John

Intrusionz3r0@kali~$ keepass-dump-extractor KeePassDumpFull.dmp -f all > wordlist.txt
Intrusionz3r0@kali~$ keepass2john passcodes.kdbx > hash
Intrusionz3r0@kali~$ hashcat -a 0 -m 13400 hash wordlist.txt --username
Intrusionz3r0@kali~$ kpcli -kdb=passcodes.kdbx

If you get the error "File version '40000' is currently not supported!", the database is KDBX 4 and keepass2john cannot extract a hash from it; use Keepass4Brute.sh or findkeepassword instead.

Cracking examples

Putty ppk to SSH

Intrusionz3r0@kali~$ sudo apt install putty-tools  
Intrusionz3r0@kali~$ puttygen id_rsa.ppk -O private-openssh -o id_rsa
Intrusionz3r0@kali~$ chmod 600 id_rsa
Intrusionz3r0@kali~$ ssh -i id_rsa root@10.10.11.227

Cracking BitLocker Encrypted Drives

#bitlocker2john prints several hash lines; keep the $bitlocker$0$ one (user password). Single quotes stop the shell from expanding $0.
Intrusionz3r0X@htb[/htb]$ bitlocker2john -i Backup.vhd > backup.hashes
Intrusionz3r0X@htb[/htb]$ grep 'bitlocker\$0' backup.hashes > backup.hash
Intrusionz3r0X@htb[/htb]$ cat backup.hash
Intrusionz3r0X@htb[/htb]$ hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked

Cracking OpenSSL Encrypted Archives

Intrusionz3r0X@htb[/htb]$ file GZIP.gzip 
#-----GZIP.gzip: openssl enc'd data with salted password
#Try every line of the wordlist; a wrong key yields garbage that tar rejects, the right one extracts the archive and stops the loop
Intrusionz3r0X@htb[/htb]$ while read -r pw; do openssl enc -aes-256-cbc -d -in GZIP.gzip -k "$pw" 2>/dev/null | tar xz 2>/dev/null && echo "[+] password: $pw" && break; done < rockyou.txt
#If the archive was created with OpenSSL older than 1.1.0, add -md md5 (the old default key-derivation digest; newer versions use sha256)

Hashes known

#md5crypt ($1$..., mode 500); a raw 32-hex MD5 is -m 0
Intrusionz3r0X@htb[/htb]$ hashcat -m 500 -a 0 md5-hashes.list rockyou.txt

#NTLM
Intrusionz3r0X@htb[/htb]$ hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

#NetNTLMv2 (captured with Responder / ntlmrelayx)
Intrusionz3r0X@htb[/htb]$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

#sha512crypt ($6$..., /etc/passwd + /etc/shadow)
Intrusionz3r0X@htb[/htb]$ unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
Intrusionz3r0X@htb[/htb]$ hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

#BitLocker password
Intrusionz3r0X@htb[/htb]$ hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked

#Kerberoasting (TGS-REP, RC4 etype 23)
Intrusionz3r0X@htb[/htb]$ hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt 

#ASREPRoasting (AS-REP, RC4 etype 23)
Intrusionz3r0X@htb[/htb]$ john --wordlist=passwords_kerb.txt hashes.asreproast
Intrusionz3r0X@htb[/htb]$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt

# Keccak-384 (Multimaster machine). --show only prints hashes already cracked in the potfile; drop it to start cracking
hashcat -m 17900 unknown.hashes /usr/share/wordlists/rockyou.txt --show

#jbcrypt (bcrypt) - Jenkins stores it as #jbcrypt:$2a$... in users/*/config.xml; strip the prefix and single-quote the hash so the shell keeps the $
hashcat -m 3200 '$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a' /usr/share/wordlists/rockyou.txt 

Hash identifier tools

hashid 'hash'
hash-identifier 
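When hashid is not at hand, the formats from the list above can be recognised from their prefixes and lengths. The following added Python example (not the code of hashid or hash-identifier) maps a hash, or a `user:hash` line as fed to `--username`, to the candidate hashcat modes, returning every plausible mode for bare hex digests because they are ambiguous (32 hex characters is MD5, MD4 or NTLM and cracking with the wrong mode wastes the whole run). The sample hashes in the `__main__` block are constructed, except for the Jenkins bcrypt hash quoted above; `hashcat --example-hashes` shows the exact input format each mode expects.

```python
"""Map a hash (or a 'user:hash' line) to candidate hashcat modes.
Added example, not hashid/hash-identifier code."""
import re

# (regex, description, candidate hashcat modes). Prefixed formats first,
# bare hex digests last.
SIGNATURES = [
    (r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$", "md5crypt ($1$)", [500]),
    (r"^\$6\$(rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{86}$", "sha512crypt ($6$)", [1800]),
    (r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$", "bcrypt", [3200]),
    (r"^\$krb5tgs\$23\$", "Kerberos 5 TGS-REP, RC4 (Kerberoasting)", [13100]),
    (r"^\$krb5asrep\$23\$", "Kerberos 5 AS-REP, RC4 (ASREPRoasting)", [18200]),
    (r"^\$bitlocker\$[0-3]\$", "BitLocker", [22100]),
    (r"^\$keepass\$\*[12]\*", "KeePass 1.x / 2.x", [13400]),
    (r"^[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$", "NetNTLMv2", [5600]),
    (r"^[^:]+::[^:]*:[0-9a-fA-F]{48}:[0-9a-fA-F]{48}:[0-9a-fA-F]{16}$", "NetNTLMv1", [5500]),
    (r"^[0-9a-fA-F]{32}$", "32-hex digest: MD5 / MD4 / NTLM", [0, 900, 1000]),
    (r"^[0-9a-fA-F]{40}$", "40-hex digest: SHA-1 / MySQL4.1+", [100, 300]),
    (r"^[0-9a-fA-F]{64}$", "64-hex digest: SHA-256 / SHA3-256 / Keccak-256", [1400, 17400, 17800]),
    (r"^[0-9a-fA-F]{96}$", "96-hex digest: SHA-384 / SHA3-384 / Keccak-384", [10800, 17500, 17900]),
    (r"^[0-9a-fA-F]{128}$", "128-hex digest: SHA-512 / SHA3-512 / Keccak-512", [1700, 17600, 18000]),
]
_COMPILED = [(re.compile(p), d, m) for p, d, m in SIGNATURES]


def identify(token):
    """Return [(description, [modes]), ...] for one hash string (may be empty)."""
    token = token.strip()
    return [(d, m) for rx, d, m in _COMPILED if rx.search(token)]


def identify_line(line):
    """Handle 'user:hash' lines (the form hashcat reads with --username).
    NetNTLM lines contain ':' themselves, so the whole line is tried first."""
    hits = identify(line)
    if not hits and ":" in line:
        hits = identify(line.split(":", 1)[1])
    return hits


def modes(line):
    """Flat, de-duplicated list of hashcat modes to try, in signature order."""
    out = []
    for _, ms in identify_line(line):
        out.extend(m for m in ms if m not in out)
    return out


if __name__ == "__main__":
    # Constructed samples (not real credentials), apart from the Jenkins
    # bcrypt hash from above with its '#jbcrypt:' prefix removed.
    samples = [
        "0528bfe7e3995e7e895275ce552fa505",
        "$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a",
        "bob::CORP:1122334455667788:" + "a" * 32 + ":0101000000000000",
        "root:$6$rounds=5000$saltsalt$" + "a" * 86,
        "$krb5tgs$23$*sqldev$INLANEFREIGHT.LOCAL$MSSQLSvc/x*$" + "a" * 32 + "$" + "b" * 64,
    ]
    for s in samples:
        print(s[:40].ljust(40), modes(s))
```

When several modes come back, run the cheapest one first (NTLM before MD5 is irrelevant for speed, but SHA-512 at 1700 is far cheaper than sha512crypt at 1800) and let hashcat's "Token length exception" / "Separator unmatched" errors rule out formats that merely look similar.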

Password Spraying Office 365 (Microsoft Exchange environment)