passwordcracking.md

File metadata and controls

161 lines (104 loc) · 4.01 KB

# Password Cracking

This is for educational / ethical purposes only. Do not perform testing on systems you do not have permission to test.

## Wordlists

Using and generating wordlists for password cracking.

### Default Credential Vendor Lists

### Kali Wordlists

Kali Linux ships with multiple wordlists available for password cracking.

- `/usr/share/wordlists` - contains multiple lists ready to use.

### cewl

cewl is a custom word list generator: it spiders a given URL and returns a list of words found on the site, for use with password crackers.

- `cewl -w list.txt -d 5 -m 5 url` (write the list to `list.txt`, spider to depth 5, keep words of at least 5 characters)

### crunch

Generates wordlists from a character set by specifying a minimum / maximum length, character strings, and options.

See the man page for examples.

### cupp

Common User Passwords Profiler: builds a wordlist from personal details about a target, which is the reason one shouldn't post answers to online survey questions on social media.

### Username Wordlist

Names found during recon can be useful to try. A simple script can generate a targeted user list for specific people.

Example tool: https://github.com/therodri2/username_generator.git

Add first and last names to a wordlist, then generate the candidate usernames:

```
echo "Joseph Eliot" > user.lst
python3 username_generator.py -w user.lst
joseph
eliot
j.eliot
j-eliot
j_eliot
j+eliot
jeliot
josepheliot
eliotjoseph
joseph.eliot
eliot.joseph
```

## Cracking Hashes

### Password Hash Locations

#### Linux

- Usernames - `/etc/passwd`
- Password hashes - `/etc/shadow`

#### Windows

- SAM - `HKLM\SAM`
- System - `HKLM\SYSTEM`

Hashcat: use `-m 1000` for NTLM.

### Offline Cracking

Password guessing against captured hashes using wordlists / dictionaries or brute force, done offline rather than against the live system.

#### Dictionary Attack

Password guessing using well-known words, phrases, and leaked passwords supplied through wordlists.

1. Determine the type of hash.
2. Determine the wordlist or attack mode.

#### Brute Force

The attack tries every combination of characters in a given keyspace.

- Example 1: a brute-force attack on a four-digit PIN tries every value from 0000 to 9999 until the valid PIN is found.
- Example 2: a sequence can be appended to an existing word from a list, such as `password123`, `echo999`, etc.

#### Hybrid

Rule-based attacks that combine a wordlist with brute force, assuming some knowledge of the password policy (for example, appending digits to dictionary words as in Example 2).

### hashid / hash-identifier

Determine the type of hash being used on a given string.

Example hash: `f806fc5a2a0d5ba2471600758452799c`

```
hashid f806fc5a2a0d5ba2471600758452799c
hash-identifier f806fc5a2a0d5ba2471600758452799c
```

In the example above, hash-identifier guesses that the hash provided is MD5. That guess can then be passed to hashcat with the matching `-m` mode.

### Hashcat

Password recovery utility used to crack hashes.

#### Common Usage

| Flag | Long Flag | Description |
|------|-----------|-------------|
| `-a` | `--attack-mode=NUM` | Select the attack mode (e.g. 0 = straight/dictionary, 3 = brute-force/mask) |
| `-m` | `--hash-type=NUM` | Select the hash type (e.g. 0 = MD5, 100 = SHA1, 1000 = NTLM) |

Example cracking an MD5 hash with the straight attack mode and the rockyou wordlist (`--show` prints the cracked result stored in the potfile):

```
hashcat -a 0 -m 0 f806fc5a2a0d5ba2471600758452799c /usr/share/wordlists/rockyou.txt --show
```

Example for SHA1:

```
hashcat -a 0 -m 100 8d6e34f987851aa599257d3831a1af040886842f /usr/share/wordlists/rockyou.txt
```

Output (`hash:plaintext`):

```
8d6e34f987851aa599257d3831a1af040886842f:sunshine
```

#### Brute Force

`?d?d?d?d` - each `?d` tells hashcat to try one digit (0-9), so the mask covers every four-digit value.

```
hashcat -a 3 -m 0 e48e13207341b6bffb7fb1622282247b ?d?d?d?d
```

Result: `1337`

`--stdout` prints the candidates a mask or rule set would generate to the terminal instead of cracking, which is handy for checking a mask before running it.
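As an added example (not from the original notes or from hashcat), a small Python helper tying together the hashid / hash-identifier section and the mask brute-force section above: it guesses the algorithm and matching hashcat `-m` mode from a hex digest's length, counts the keyspace of a hashcat mask such as `?d?d?d?d`, and re-hashes a `hash:plaintext` result line to confirm a reported crack. The charset sizes and the SHA2-256 mode number (1400) are hashcat's documented values; `make_result_line` only constructs sample lines for the check.

```python
import hashlib
import re

# Hex-digest length -> (algorithm, hashcat -m mode) candidates for unsalted hashes.
# MD5 and NTLM are both 32 hex chars, so hash-identifier can only guess between them.
HEX_LENGTH_CANDIDATES = {
    32: [("MD5", 0), ("NTLM", 1000)],
    40: [("SHA1", 100)],
    64: [("SHA2-256", 1400)],
}
# Sizes of hashcat's built-in mask charsets: ?d digits, ?l/?u lower/upper,
# ?s specials, ?h/?H hex, ?a all printable ASCII, ?b any byte value.
MASK_CHARSET_SIZES = {"d": 10, "l": 26, "u": 26, "s": 33,
                      "h": 16, "H": 16, "a": 95, "b": 256}
HASHLIB_NAMES = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256"}


def identify_hash(digest: str) -> list:
    """Return (algorithm, mode) candidates for a hex digest, judged by length."""
    digest = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        return []
    return list(HEX_LENGTH_CANDIDATES.get(len(digest), []))


def mask_keyspace(mask: str) -> int:
    """Count the candidates a hashcat -a 3 mask such as ?d?d?d?d enumerates."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            kind = mask[i + 1] if i + 1 < len(mask) else ""
            if kind != "?":                      # '??' is a literal '?'
                if kind not in MASK_CHARSET_SIZES:
                    raise ValueError(f"unknown placeholder ?{kind} in {mask!r}")
                total *= MASK_CHARSET_SIZES[kind]
            i += 2
        else:
            i += 1                               # literal character: one option
    return total


def verify_crack_result(line: str, algorithm: str) -> bool:
    """Re-hash the plaintext of a hashcat 'hash:plaintext' line and compare."""
    digest, _, plaintext = line.partition(":")
    computed = hashlib.new(HASHLIB_NAMES[algorithm], plaintext.encode()).hexdigest()
    return computed == digest.strip().lower()


def make_result_line(plaintext: str, algorithm: str) -> str:
    """Construct a sample 'hash:plaintext' line (test data, not hashcat output)."""
    digest = hashlib.new(HASHLIB_NAMES[algorithm], plaintext.encode()).hexdigest()
    return f"{digest}:{plaintext}"
```

NTLM is left out of the verifier because it is MD4 over UTF-16LE, which hashlib does not offer on every OpenSSL build.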

### John the Ripper