Use content from web pages to build a dictionary. This can include company pages, Facebook, Twitter, and any other resource gathered while doing OSINT on the target. To grab all words from a page, use CeWL.
Building Wordlists:
# Grab words from a site
cewl https://example.com -v --with-numbers -w words.txt
Password Manglers:
# Password mangling. High storage cost for longer lists.
python pydictor.py -extend words.txt --leet 0 1 2 11 21 --level 1 --len 4 16 --occur "<=10" ">0" "<=2" -o /possible/wordlist.lst
# This will create a multi-GB file. You don't have the storage.
# rsmangler reads the input list via --file (or from stdin)
./rsmangler.rb --file words.txt -yieulcp
John custom word lists:
# Edit john.conf to add a new rule
vim /opt/john/john.conf
# Appends a year from 1900 to 2099 followed by a special char to each word
[List.Rules:YearSpecialChar]
Az"19[0-9][0-9]"$[!@#$%^&*]
Az"20[0-9][0-9]"$[!@#$%^&*]
# Build the list
john --wordlist=words.lst --rules=YearSpecialChar --stdout > withYearAndChar.txt
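The YearSpecialChar rule above describes a very predictable password shape: a word someone could find on your public pages, a four-digit year, and one symbol. The following Python script is an added example (not part of these notes or of John) that turns that same pattern around for the defender: it screens candidate passwords at change time and rejects anything that is a harvested word extended the way the rule would extend it. The word set and candidate passwords are constructed for the demo; the year-only check is an assumed extension beyond the page's rule, since bare "word + year" is just as guessable.

```python
import re

# Constructed sample of words that OSINT on a fictional target might yield; not a real list.
HARVESTED_WORDS = {"acme", "rocket", "welcome", "summer"}

# Mirrors the YearSpecialChar rule: <word> + 19xx/20xx + one char from [!@#$%^&*].
YEAR_SPECIAL_RE = re.compile(
    r"^(?P<base>.+?)(?P<year>(?:19|20)[0-9]{2})(?P<special>[!@#$%^&*])$"
)
# Assumed extension (not on the page): the same word plus a year with no trailing symbol.
YEAR_ONLY_RE = re.compile(r"^(?P<base>.+?)(?P<year>(?:19|20)[0-9]{2})$")


def mangling_pattern(password, wordlist=HARVESTED_WORDS):
    """Return 'year+special', 'year', or None depending on whether `password`
    is a wordlist entry extended by the YearSpecialChar rule (or by a bare year).
    The base word is compared case-insensitively so 'Acme2019!' still matches."""
    for label, pattern in (("year+special", YEAR_SPECIAL_RE), ("year", YEAR_ONLY_RE)):
        m = pattern.match(password)
        if m and m.group("base").lower() in wordlist:
            return label
    return None


def audit(passwords, wordlist=HARVESTED_WORDS):
    """Map each rejected candidate to the pattern it matched; accepted ones are omitted."""
    rejected = {}
    for pw in passwords:
        label = mangling_pattern(pw, wordlist)
        if label:
            rejected[pw] = label
    return rejected


if __name__ == "__main__":
    # Constructed candidates a password-change form might receive.
    sample = ["Acme2019!", "rocket1987", "welcome", "Tr0ub4dor&3", "acme3019!"]
    for pw, why in audit(sample).items():
        print(f"reject {pw!r}: harvested word + {why}")
```

In practice the word set would be fed from the same CeWL-style crawl of your own public pages, which is the point: whatever an attacker can harvest about you, your password policy should already treat as a dictionary.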
Brute forcing tools:
Hydra:
hydra -l <username> -P <LIST> <ip> <Protocol>
When brute-forcing SSH, you need to limit the speed with the -t option:
hydra -l <username> -P <LIST> <ip> ssh -t 4
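Throttling to -t 4 keeps hydra from tripping the server, but a burst of failed SSH logins from one source is still the signal a defender looks for. The Python script below is an added example (not part of these notes or of hydra) of that detection run over constructed sshd lines in traditional syslog format: it parses each "Failed/Accepted password ... from <ip>" line, flags any source that reaches a threshold of failures inside a sliding window, and notes whether a successful login followed the burst, which is the case worth paging on. The threshold, window, and the year injected into the timestamps (syslog omits it) are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in traditional syslog format (no year, as sshd writes them).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:02 host sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar  3 10:00:02 host sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Mar  3 10:00:03 host sshd[2004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar  3 10:00:04 host sshd[2005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar  3 10:00:05 host sshd[2006]: Accepted password for root from 203.0.113.5 port 40006 ssh2
Mar  3 10:05:00 host sshd[2010]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Mar  3 10:05:30 host sshd[2011]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse(line, year=2024):
    """Return (timestamp, result, user, ip) for an sshd auth line, or None if it
    is not a login result line. `year` is assumed because syslog omits it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: {'failures': n, 'success_after_burst': bool}} for every source
    that produced `threshold` failed logins within any `window_seconds` span."""
    events = [e for e in (parse(line) for line in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for ts, result, _user, ip in events:
        by_ip[ip].append((ts, result))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [ts for ts, r in evs if r == "Failed"]
        burst_end = None
        # Sliding window: the i-th and (i+threshold-1)-th failures must be close enough.
        for i in range(len(failures)):
            j = i + threshold - 1
            if j < len(failures) and (failures[j] - failures[i]).total_seconds() <= window_seconds:
                burst_end = failures[j]
                break
        if burst_end is None:
            continue
        # A successful login from the same source at or after the burst is the critical case.
        success_after = any(r == "Accepted" and ts >= burst_end for ts, r in evs)
        alerts[ip] = {"failures": len(failures), "success_after_burst": success_after}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        severity = "CRITICAL" if info["success_after_burst"] else "warning"
        print(f"{severity}: {ip} had {info['failures']} failed logins in a burst")
```

Note that the single failure from 198.51.100.7 followed by a public-key login never trips the rule; a threshold is what separates a mistyped password from a wordlist being replayed.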
John to crack a Windows hashdump:
john --format=NT <hashes.txt> --wordlist=<wordlist.txt>
john --show --format=LM <hashfile.txt>
John to crack /etc/shadow:
# Create a txt file for /etc/passwd and shadow
cp /etc/passwd passwd.txt
cp /etc/shadow shadow.txt
# Unshadow
unshadow passwd.txt shadow.txt > unshadowed.txt
# Crack with john
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
Specify the speed when brute-forcing SSH or you will hit a wall quickly. With hydra this is done using the -t 4 parameter.
Stop after gaining access to one account. Try its creds on everything, and use them for further enumeration. Never forget to try sudo -i for easy escalation.
Always take a look around the host machine's file system when possible; there is potential low-hanging fruit for enumeration. Example: the local user list at /etc/passwd.
Never crack hashes on the target machine. Speed and stealth will be abysmal.