This is for educational / ethical purposes only. Do not perform testing on systems you do not have permission to.
Finding and generating wordlists for password cracking. Published default-credential lists are the first thing to try against unconfigured services:
- https://cirt.net/passwords
- https://default-password.info/
- https://datarecovery.com/rd/default-passwords/
Kali Linux ships several wordlists for password cracking.
- /usr/share/wordlists - contains the bundled lists (on a fresh install rockyou.txt is gzip-compressed as rockyou.txt.gz and has to be decompressed before use).
cewl is a custom wordlist generator: it spiders a given URL and returns the words found on the site, for use with password crackers (company names, product names and local terms tend to show up in staff passwords).
- cewl -w list.txt -d 5 -m 5 url (-w writes the list to list.txt, -d 5 follows links five levels deep, -m 5 keeps only words of at least five characters)
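cewl's spidering needs network access, but what it does with each fetched page is the part worth seeing. The following is an added example, not cewl's own code: it takes a constructed HTML page embedded inline, drops tags plus script/style content, keeps words of at least the -m minimum length, and orders them by frequency (most common first), which is the shape of output cewl produces.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample page standing in for the spidered site (assumed content).
SAMPLE_HTML = """<html><head><title>Acme Widgets</title>
<script>var ignored = "secretjs";</script></head>
<body><h1>Welcome to Acme Widgets</h1>
<p>Acme builds the Thunderbolt and Skyhawk widget lines in Springfield since 1987.</p>
<p>Contact: sales@acme.example</p></body></html>"""


class _TextExtractor(HTMLParser):
    """Collect visible text only; anything inside <script> or <style> is skipped."""

    def __init__(self):
        super().__init__()
        self._skip_depth = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def extract_words(html, min_len=5):
    """cewl-style word harvest: words >= min_len characters, most frequent first.

    Words must start with a letter (so years like 1987 are dropped) and case is
    kept as found, which is cewl's default behaviour without --lowercase.
    """
    parser = _TextExtractor()
    parser.feed(html)
    text = " ".join(parser.chunks)
    words = re.findall(r"[A-Za-z][A-Za-z0-9]*", text)
    counts = Counter(w for w in words if len(w) >= min_len)
    # most_common() is stable, so ties keep first-seen order like the page text.
    return [word for word, _ in counts.most_common()]


if __name__ == "__main__":
    # Equivalent of: cewl -m 5 -w list.txt url, written to stdout instead of a file.
    print("\n".join(extract_words(SAMPLE_HTML, min_len=5)))
```

The min_len filter matters in practice: dropping short words keeps the list small, and anything shorter than the target's minimum password length is wasted candidates anyway.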
Wordlists can also be generated from a character set by specifying the minimum and maximum length, the character strings to draw from, and other options; the keyspace grows exponentially with length, so check the output size before writing it to disk.
See the tool's man page for examples.
Personal details (pet names, birthdays, favourite teams, first car) feed straight into a targeted wordlist, which is the reason one shouldn't post answers to online survey questions on social media.
Names found during recon are worth turning into username candidates. A simple script can generate a targeted user list for specific people.
Example tool: https://github.com/therodri2/username_generator.git
Add first and last names to a wordlist, one "First Last" pair per line, then run the generator against it:
- echo "Joseph Eliot" > user.lst
- python3 username_generator.py -w user.lst
Output:
joseph
eliot
j.eliot
j-eliot
j_eliot
j+eliot
jeliot
josepheliot
eliotjoseph
joseph.eliot
eliot.joseph
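The same permutation logic, as an added example that is not the linked tool's code: generate_usernames produces the eleven forms printed above in the same order, and usernames_from_list reads "First Last" lines in the user.lst format (the sample list, including a blank line and a single-name line, is constructed here).

```python
import re

# Separators placed between the first initial and the surname (j.eliot, j-eliot, ...).
SEPARATORS = (".", "-", "_", "+")


def generate_usernames(first, last):
    """Lower-case username candidates for one person, deduplicated, order preserved."""
    first, last = first.lower(), last.lower()
    candidates = [first, last]
    candidates += [f"{first[0]}{sep}{last}" for sep in SEPARATORS]
    candidates += [
        first[0] + last,          # jeliot
        first + last,             # josepheliot
        last + first,             # eliotjoseph
        f"{first}.{last}",        # joseph.eliot
        f"{last}.{first}",        # eliot.joseph
    ]
    seen, out = set(), []
    for cand in candidates:
        if cand not in seen:      # e.g. first == last would otherwise duplicate entries
            seen.add(cand)
            out.append(cand)
    return out


def usernames_from_list(lines):
    """Parse 'First Last' lines; blank or single-name lines are skipped.

    With a middle name present the first and last tokens are used (assumption
    made for this example).
    """
    out = []
    for line in lines:
        parts = re.split(r"\s+", line.strip())
        if len(parts) < 2 or not parts[0]:
            continue
        for user in generate_usernames(parts[0], parts[-1]):
            if user not in out:
                out.append(user)
    return out


# Constructed input in the format of user.lst above.
USER_LIST = ["Joseph Eliot", "", "Mary Ann Smith", "Eliot"]

if __name__ == "__main__":
    print("\n".join(usernames_from_list(USER_LIST)))
```

Feed the result to whichever login-spraying or enumeration tool is in scope; keep the list short per person so one attempt per candidate stays well under lockout thresholds.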
Where credentials are stored locally:
- Usernames - /etc/passwd (Linux, world-readable)
- Password Hash - /etc/shadow (Linux, readable only by root)
- SAM - HKLM\SAM (Windows local account hashes)
- System - HKLM\SYSTEM (Windows; holds the boot key that encrypts the SAM hashes, so both hives are needed to extract them)
Hashcat: use -m 1000 for the NTLM hashes recovered from the SAM.
Offline cracking: password guessing against captured hashes using wordlists / dictionaries, masks or rules, with no further interaction with the target system, so there is no lockout or logging to worry about.
Dictionary Attack
Password guessing using well known words, phrases, and passwords taken from wordlists.
- Determine the type of hash.
- Determine the wordlist and the attack mode.
Brute Force
The attack tries every combination of characters in a given keyspace.
- Example 1: a PIN attack starts at 0000 and counts up to 9999 to guess the valid PIN.
- Example 2: a sequence can be brute-forced onto the end of an existing word in a list, such as password123 or echo999 (hashcat handles this as a hybrid attack, below).
Hybrid
Combines a wordlist with brute-forced characters (word + mask) and/or rewrite rules, assuming some knowledge about the password policy, such as a required trailing digit or leading capital letter.
Determine the type of hash being used on a given string.
Example hash:
f806fc5a2a0d5ba2471600758452799c
- hashid f806fc5a2a0d5ba2471600758452799c
- hash-identifier f806fc5a2a0d5ba2471600758452799c
In the example above, both tools report MD5 as the most likely match. Identification works from length and character set only, and a 32-character hex string could equally be MD4 or NTLM, so if cracking with the first guess fails, try the other candidates. The identified type maps to hashcat's -m value.
Hashcat is a password recovery utility used to crack hashes.
| Flag | Long Flag | Description |
|---|---|---|
| -a | --attack-mode=NUM | Attack mode: 0 = straight (dictionary), 1 = combinator, 3 = brute-force (mask), 6 = hybrid wordlist + mask, 7 = hybrid mask + wordlist |
| -m | --hash-type=NUM | Hash type: 0 = MD5, 100 = SHA1, 1000 = NTLM, 1800 = sha512crypt ($6$) |
Example cracking an MD5 hash with a straight (dictionary) attack using the rockyou wordlist:
- hashcat -a 0 -m 0 f806fc5a2a0d5ba2471600758452799c /usr/share/wordlists/rockyou.txt --show
Note that --show does no cracking: it only prints hash:plaintext pairs already recorded in hashcat's potfile. Run the command without --show first to crack the hash, then add --show to display the result.
Example for SHA1 (-m 100):
- hashcat -a 0 -m 100 8d6e34f987851aa599257d3831a1af040886842f /usr/share/wordlists/rockyou.txt
Output (hash:plaintext):
8d6e34f987851aa599257d3831a1af040886842f:sunshine
Mask (brute-force) attack: ?d?d?d?d tells hashcat to try every four-digit string (each ?d is one digit 0-9, so 10,000 candidates). Other placeholders are ?l (lowercase), ?u (uppercase), ?s (symbols) and ?a (all printable).
- hashcat -a 3 -m 0 e48e13207341b6bffb7fb1622282247b ?d?d?d?d
Output:
1337
--stdout makes hashcat print the candidates it would try (the expanded mask, or a wordlist after rules are applied) instead of cracking, which is how a mask or rule set is turned into a wordlist file.
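The attack modes described above (dictionary, brute-force mask, hybrid) and the hash-identification step, as one added example that is not hashcat's or the page's own code. Targets are built inline by hashing known plaintexts, the wordlist is a constructed stand-in for rockyou.txt, and the mode numbers follow hashcat's -m values; the mask expander also covers the charset-based wordlist generation mentioned earlier. Note what identify_hash does not do: it cannot tell MD5 from NTLM, which is why the guess has to be confirmed by cracking.

```python
import hashlib
import itertools
import string

# Constructed stand-in for /usr/share/wordlists/rockyou.txt.
WORDLIST = ["123456", "password", "sunshine", "letmein", "dragon", "qwerty"]

# hashcat -m numbers for the digests supported here (NTLM/MD4 omitted: not in hashlib everywhere).
HASH_MODES = {0: hashlib.md5, 100: hashlib.sha1, 1400: hashlib.sha256}

# hashcat's built-in mask charsets.
MASK_CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
MASK_CHARSETS["a"] = "".join(MASK_CHARSETS[k] for k in "luds")


def digest(mode, candidate):
    """Hex digest of a candidate under the given hashcat mode number."""
    return HASH_MODES[mode](candidate.encode()).hexdigest()


def identify_hash(h):
    """Guess algorithms from length and charset only; 32 hex chars is ambiguous by design."""
    h = h.strip().lower()
    if not h or any(c not in string.hexdigits for c in h):
        return []
    return {32: ["MD5", "MD4", "NTLM"], 40: ["SHA1"], 64: ["SHA256"]}.get(len(h), [])


def mask_candidates(mask):
    """Expand a hashcat-style mask (?d?l...) into every candidate; literal chars pass through."""
    sets, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            sets.append("?" if key == "?" else MASK_CHARSETS[key])  # '??' is a literal '?'
            i += 2
        else:
            sets.append(mask[i])
            i += 1
    for combo in itertools.product(*sets):
        yield "".join(combo)


# A few rewrite rules in the spirit of hashcat rule files (identity, c, u, t).
RULES = [lambda w: w, str.capitalize, str.upper, str.swapcase]


def dictionary_attack(target, mode, words, rules=(lambda w: w,)):
    """hashcat -a 0: hash each (rule-mangled) word and compare with the target."""
    target = target.lower()
    for word in words:
        for rule in rules:
            candidate = rule(word)
            if digest(mode, candidate) == target:
                return candidate
    return None


def mask_attack(target, mode, mask):
    """hashcat -a 3: walk the whole keyspace the mask describes."""
    target = target.lower()
    for candidate in mask_candidates(mask):
        if digest(mode, candidate) == target:
            return candidate
    return None


def hybrid_attack(target, mode, words, mask):
    """hashcat -a 6: every wordlist entry followed by every mask expansion."""
    target = target.lower()
    suffixes = list(mask_candidates(mask))  # fine for short masks; the list is the keyspace
    for word in words:
        for suffix in suffixes:
            candidate = word + suffix
            if digest(mode, candidate) == target:
                return candidate
    return None


if __name__ == "__main__":
    print(identify_hash(digest(0, "sunshine")))                           # ['MD5', 'MD4', 'NTLM']
    print(dictionary_attack(digest(100, "sunshine"), 100, WORDLIST))      # sunshine
    print(dictionary_attack(digest(0, "Password"), 0, WORDLIST, RULES))   # Password
    print(mask_attack(digest(0, "1337"), 0, "?d?d?d?d"))                  # 1337
    print(hybrid_attack(digest(0, "password123"), 0, WORDLIST, "?d?d?d")) # password123
```

The keyspace arithmetic is the practical lesson: ?d?d?d?d is 10^4 candidates, ?a?a?a?a?a?a?a?a is 95^8, so a mask attack is only viable when something is known about the format, and a wordlist plus a short mask or rule set usually gets further than raw brute force.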