Password cracking
Identify hash
Cracking
Hash (with rainbow tables)
https://crackstation.net : CrackStation uses massive pre-computed lookup tables to crack password hashes. It only works for unsalted hashes (MD5, SHA-1, NTLM, ...); salted formats such as sha512crypt or bcrypt are not in any table and have to be cracked offline with the tools below.
Shadow file
# unshadow merges passwd and shadow into john's input format; it keeps the GECOS field
# (the user's full name / description from passwd) so john can try those words as candidates.
unshadow passwd.txt shadow.txt > unshadowed.txt
# sha512crypt [$6$] - With wordlist
hashcat -a 0 -m 1800 hash.txt wordlist.txt
# sha512crypt [$6$] - With wordlist and rules
hashcat -a 0 -m 1800 hash.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule
NTLM hash
hashcat -a 0 -m 1000 hash.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule
Services
hydra -L user.txt -P pass.txt <ip> <protocol>   # protocol = hydra module name, e.g. ssh, ftp, smb, rdp
Basic Authentication
hydra -L users.txt -P password.txt -vV example.com http-get /basic   # Basic Authentication
Note: /basic and /basic/ are different paths to hydra, so use exactly the path the server protects (confirm it with curl first).
HTTP login
hydra -L <users_file> -P <password_file> <host> http[s]-[post|get]-form "/index.php:param1=value1&param2=value2&user=^USER^&pwd=^PASS^&paramn=valn:F=<string shown on failed login>"
# Form spec = "<path>:<request body, ^USER^ and ^PASS^ are substituted>:<condition>". F=<string> marks a string that only appears on a failed login (most reliable); S=<string> marks one that only appears on success. Capture a real failed login (browser dev tools or curl) to pick the parameter names and the string.
KeePass
- Use the keepass2john script to turn the database file into a crackable hash:
keepass2john Database.kdbx > keepass.hash
cat keepass.hash
Database:$keepass$*2*60*0*d74e29a727e9338717d27a7d457ba[...]
- The script prepends the filename as a "username" field. KeePass has only a master password and no username, so for hashcat either delete the "Database:" prefix (a text editor is enough) or run hashcat with --username so it ignores that field. John accepts the line as-is.
cat keepass.hash
$keepass$*2*60*0*d74e29a727e9338717d27a7d457ba[...]
- Crack the hash (mode 13400 covers KeePass 1 and KeePass 2 databases):
hashcat -m 13400 keepass.hash wordlist.txt
SSH key passphrase
- Use the ssh2john script to turn the passphrase-protected private key into a crackable hash:
ssh2john id_rsa > ssh.hash
cat ssh.hash
id_rsa:$sshng$6$16$7059e78a8d3764ea[...]
- As with keepass2john, the filename is prepended as a "username" field. John reads it as the login name and cracks the line as-is; remove the prefix (a text editor is enough) only if a tool other than john needs the bare hash.
- Crack the hash:
john --wordlist=wordlist.txt ssh.hash
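The "Identify hash" step above has no commands, and both the KeePass and SSH sections stop at "remove the filename with a text editor". The following is an added shell example (not from the page) that does both jobs on the command line: it maps a hash line to the hashcat mode used elsewhere on this page by its prefix, and strips the "filename:" field that keepass2john / ssh2john prepend. The sample lines are constructed and truncated, not real hashes; the mode table covers only the formats this page discusses plus the common crypt(3) prefixes.

```shell
# Added example, not from the page: identify a hash by its prefix and prepare
# *2john output for hashcat. Sample lines below are constructed (truncated,
# not real hashes).

# Print the hashcat mode for a hash line, "john" where this page's workflow
# uses john instead, or "unknown".
hashcat_mode_for() {
    case $1 in
        '$1$'*)                  echo 500   ;;   # md5crypt
        '$5$'*)                  echo 7400  ;;   # sha256crypt
        '$6$'*)                  echo 1800  ;;   # sha512crypt (the page's shadow example)
        '$2a$'*|'$2b$'*|'$2y$'*) echo 3200  ;;   # bcrypt
        '$y$'*)                  echo john  ;;   # yescrypt: no hashcat kernel, john handles it
        '$keepass$'*)            echo 13400 ;;   # KeePass 1/2 (keepass2john output)
        '$sshng$'*)              echo john  ;;   # ssh2john output: the page cracks these with john
        *)
            # A bare 32-hex string is NTLM (-m 1000) or raw MD5 (-m 0); nothing in
            # the string itself tells them apart, so report both and let context decide.
            if printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'; then
                echo 1000/0
            else
                echo unknown
            fi ;;
    esac
}

# Remove the "filename:" field that keepass2john / ssh2john prepend.
# The regex anchors on the hash tag ($keepass$, $sshng$, $6$, ...) rather than on
# the first ':' so a filename that itself contains ':' is still stripped correctly.
# Lines without a prefix pass through unchanged.
strip_2john_username() {
    sed -E 's/^.*:(\$[a-z0-9]+\$)/\1/'
}

# Demo on constructed input: strip the prefix, then label each line with its mode.
samples='Database:$keepass$*2*60*0*d74e29a727e9338717d27a7d457ba
id_rsa:$sshng$6$16$7059e78a8d3764ea
$6$saltsalt$notarealhashjustashape
aad3b435b51404eeaad3b435b51404ee'
printf '%s\n' "$samples" | strip_2john_username | while IFS= read -r h; do
    printf '%-7s %s\n' "$(hashcat_mode_for "$h")" "$h"
done
```

Pipe a whole file through strip_2john_username before handing it to hashcat; for john the prefix can stay. The 32-hex case is deliberately reported as ambiguous: NTLM from a SAM dump and an MD5 from a web database look identical, and picking the wrong mode just burns GPU time on a keyspace that can never match.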
Rules (password bruteforce)
- FIRST CHOICE: best64 (shipped as best66 in newer hashcat releases). Small and fast, and it catches most of the easy wins.
- SECOND/THIRD CHOICE: InsidePro-PasswordsPro.rule (~3000 rules), then InsidePro-HashManager.rule (~7000 rules).
- You can also combine rule files: each extra -r is stacked, so hashcat applies every rule of the first file followed by every rule of the second, and the candidate count multiplies accordingly.
- FOURTH CHOICE: OneRuleToRuleThemAll (~50k rules). The most thorough, and the slowest, since runtime scales with rule count; run it last.
Generate wordlist based on rules
- Online tool: https://weakpass.com/generate
- Hashcat (prints the mutated candidates instead of cracking, so you can inspect or save them):
hashcat -r best66.rule --stdout file.txt
More info about rules:
- https://notsosecure.com/one-rule-to-rule-them-all
- https://trustedsec.com/blog/better-hacking-through-cracking-know-your-rules
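Picking a rule file is easier once you can see what a rule actually does to a word. The block below is an added example (not from the page and not hashcat's engine): a small POSIX-sh re-implementation of a handful of hashcat rule functions, with a constructed rule file and wordlist, so you can preview candidates offline the way "hashcat -r rules.rule --stdout wordlist.txt" does with a real rule file. The function names and rule file are mine; the rule syntax follows hashcat's.

```shell
# Added example, not from the page: preview what hashcat rule functions do.
# Supported functions: ':' (no-op), l (lowercase), u (uppercase), c (capitalize),
# t (toggle case), r (reverse), d (duplicate), $X (append X), ^X (prepend X).
# Spaces between functions are separators, as in hashcat rule files, but the
# character right after $ or ^ is taken literally, so "$ " appends a space.
# Anything else is rejected so a typo in a rule does not silently pass through.

# Apply one rule line to one word and print the result.
apply_rule() {
    _r=$1
    _w=$2
    while [ -n "$_r" ]; do
        _fn=${_r%"${_r#?}"}      # first character of the remaining rule
        _r=${_r#?}
        case $_fn in
            ' '|:) ;;                                                   # separator / no-op
            l) _w=$(printf '%s' "$_w" | tr 'A-Z' 'a-z') ;;
            u) _w=$(printf '%s' "$_w" | tr 'a-z' 'A-Z') ;;
            t) _w=$(printf '%s' "$_w" | tr 'a-zA-Z' 'A-Za-z') ;;
            c) _w=$(printf '%s' "$_w" | cut -c1 | tr 'a-z' 'A-Z')$(printf '%s' "$_w" | cut -c2- | tr 'A-Z' 'a-z') ;;
            r) _w=$(printf '%s' "$_w" | awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }') ;;
            d) _w=$_w$_w ;;
            '$') _c=${_r%"${_r#?}"}; _r=${_r#?}; _w=$_w$_c ;;           # append next char
            '^') _c=${_r%"${_r#?}"}; _r=${_r#?}; _w=$_c$_w ;;           # prepend next char
            *) printf 'unsupported rule function: %s\n' "$_fn" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$_w"
}

# Apply every rule in a rule file ($1) to every word on stdin, like --stdout.
# Blank lines and lines starting with '#' are skipped, as hashcat does.
apply_rules() {
    while IFS= read -r word || [ -n "$word" ]; do
        while IFS= read -r rule <&3 || [ -n "$rule" ]; do
            case $rule in ''|'#'*) continue ;; esac
            apply_rule "$rule" "$word"
        done 3<"$1"
    done
}

# Demo with a constructed rule file and wordlist (hypothetical, not best64).
rules=$(mktemp)
cat >"$rules" <<'EOF'
# a few best64-style rules
:
l
u
c
r
d
$1 $2 $3
c $2 $0 $2 $4
^! d
EOF
printf '%s\n' password Summer | apply_rules "$rules"
rm -f "$rules"
```

Run a candidate rule file through this on a few of the target's known passwords before committing GPU time to it: if none of the rules turns the plaintexts you already have into each other (Summer -> Summer2024, password -> Password123), a larger rule set is unlikely to help either, and a smaller wordlist with better rules usually beats the reverse.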
Generate wordlist
# Generate words of length 4 with only characters a, b, and c
crunch 4 4 abc -o wordlist.txt
# Generate words of length 6 to 8 with only characters a, b, c, 1, 2, 3
crunch 6 8 abc123 -o wordlist.txt
# Pattern (-t): min and max must both equal the pattern length; any other character is a literal
# @ = Lowercase letters (a-z)
# , = Uppercase letters (A-Z)
# % = Numbers (0-9)
# ^ = Symbols
crunch 6 6 -t a@^^%% -o mix.txt   # literal "a", then 1 lowercase, 2 symbols, 2 digits
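The -t pattern above expands to a file of a few million lines, which is easy to underestimate. Here is an added example (not from the page, and not crunch itself): a pure sh/awk generator for crunch-style -t patterns plus a keyspace calculator to run before writing anything to disk. The character classes follow crunch; the symbol set is my assumption, chosen to approximate crunch's default, so adjust it to the password policy you are targeting.

```shell
# Added example, not from the page: expand crunch-style -t patterns and size them.
# Classes follow crunch: @ lower, , upper, % digit, ^ symbol; anything else is literal.
# SYMBOLS is an assumed set approximating crunch's default; edit to match the target.
LOWER=abcdefghijklmnopqrstuvwxyz
UPPER=ABCDEFGHIJKLMNOPQRSTUVWXYZ
DIGITS=0123456789
SYMBOLS='!@#$%^&*()-_+=~`[]{}|\:;"<>,.?/'

# Print every word matching the pattern, one per line. Depth-first recursion
# keeps crunch's ordering: the last class rotates fastest. Values are passed
# through the environment so awk does not interpret backslashes in the symbol set.
gen_pattern() {
    PAT=$1 LOWER=$LOWER UPPER=$UPPER DIGITS=$DIGITS SYMBOLS=$SYMBOLS awk '
    function expand(i, prefix,    tok, set, j) {
        if (i > length(pat)) { print prefix; return }
        tok = substr(pat, i, 1)
        if      (tok == "@") set = ENVIRON["LOWER"]
        else if (tok == ",") set = ENVIRON["UPPER"]
        else if (tok == "%") set = ENVIRON["DIGITS"]
        else if (tok == "^") set = ENVIRON["SYMBOLS"]
        else { expand(i + 1, prefix tok); return }          # literal character
        for (j = 1; j <= length(set); j++)
            expand(i + 1, prefix substr(set, j, 1))
    }
    BEGIN { pat = ENVIRON["PAT"]; expand(1, "") }'
}

# Number of candidates the pattern expands to: the product of the class sizes.
# Check this before -o; a pattern with several ^ positions grows quickly.
pattern_keyspace() {
    PAT=$1 LOWER=$LOWER UPPER=$UPPER DIGITS=$DIGITS SYMBOLS=$SYMBOLS awk '
    BEGIN {
        pat = ENVIRON["PAT"]; n = 1
        for (i = 1; i <= length(pat); i++) {
            tok = substr(pat, i, 1)
            if      (tok == "@") n *= length(ENVIRON["LOWER"])
            else if (tok == ",") n *= length(ENVIRON["UPPER"])
            else if (tok == "%") n *= length(ENVIRON["DIGITS"])
            else if (tok == "^") n *= length(ENVIRON["SYMBOLS"])
        }
        printf "%.0f\n", n
    }'
}

# Demo: size the page's pattern, then preview a smaller one instead of writing 2M+ lines.
printf '%s expands to %s candidates\n' 'a@^^%%' "$(pattern_keyspace 'a@^^%%')"
gen_pattern 'a@%' | head -n 3
```

Feed gen_pattern straight into hashcat or john on stdin for a one-off mask, or into a file for reuse; for anything above a few million candidates, hashcat's own mask attack (-a 3) generates the same keyspace on the GPU without touching disk.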