Tools

1. Identify Hash type

hashid {hash}

hash-identifier {hash}

Hash identification website: TunnelsUp (tunnelsup.com/hash-analyzer)

2. Online Decryption

https://hashes.com/en/decrypt/hash

https://hashkiller.io/

https://www.cmd5.org/

https://www.onlinehashcrack.com/

https://gpuhash.me/

https://crackstation.net/

https://passwordrecovery.io/

https://md5decrypt.net/en/

http://cracker.offensive-security.com/

https://osint.sh/md5/

https://www.md5online.org/md5-decrypt.html

https://md5decrypt.net/en/Sha1/

https://www.dcode.fr/sha1-hash

https://md5hashing.net/hash/sha1

Search That Hash (github.com/HashPals/)

Execute the following to search a hash within multiple online converters.

sth --text "5f4dcc365aa765d61d8327deb882cf99"

3. Hashcat

Linux password

hashcat -m 1800 -a 0 hash.txt rockyou.txt

hashcat -m 1800 -a 0 hash.txt rockyou.txt -r OneRuleToRuleThemAll.rule

Windows password

hashcat -m 1000 -a 0 hash.txt rockyou.txt

hashcat -m 1000 -a 0 hash.txt rockyou.txt -r OneRuleToRuleThemAll.rule

hashcat -m 13100 --force hash.txt rockyou.txt

hashcat -m 13100 hash.txt complete_wordlist.txt -r custom_rule.txt

Others

hashcat --example-hashes | grep -i '<BEGINNING_OF_HASH>'

Rules

https://github.com/NotSoSecure/password_cracking_rules

Masks:

hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d

Where:

-a 3 specifies the mask attack.

?u?l?l?l?l?l?l?l?d is the mask.

hashcat.exe -a 3 -m 1000 ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1

Where:

-1 ?d?s defines a custom charset (digits and specials).

?u?l?l?l?l?l?l?l?1 is the mask, where ?1 is the custom charset.

Example of a mask file (.hcmask) covering passwords of different lengths (static strings can also be included):

?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1

Combinators:

To combine the entries of two dictionaries into single-word candidates (a rule can also be applied to each left- or right-hand word with the options -j and -k respectively):

hashcat.exe -a 1 -m 1000 ntlm.txt list1.txt list2.txt -j $- -k $!

Hybrid:

Hashcat modes 6 and 7 are hybrids based on wordlists, masks and the combinator. You specify both a wordlist and a mask on the command line, and the mask is appended (-a 6) or prepended (-a 7) to each word in the list. For example, if your dictionary contains the word Password, then -a 6 [...] list.txt ?d?d?d?d will produce Password0000 to Password9999.
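Added example (not part of the original page, and not hashcat's own code): a keyspace calculator for the mask, custom-charset, .hcmask and hybrid forms shown above, so the number of candidates a job will try (and therefore how much a length or complexity policy actually buys) can be estimated before anything is run. The built-in charset sizes are hashcat's documented ones (?s has 33 characters, space included); the helper names are my own.

```python
import string
from functools import reduce

# hashcat's built-in charsets, reconstructed from its documented definitions:
# ?l/?u/?d are the obvious sets, ?s the 33 printable ASCII specials (space included),
# ?a all 95 printable ASCII characters, ?h/?H hex digits.
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(string.punctuation + " "),
    "h": set("0123456789abcdef"),
    "H": set("0123456789ABCDEF"),
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]


def positions(spec, custom):
    """Yield the set of characters allowed at each position of a mask or charset spec.
    '?x' expands a built-in charset, '?1'..'?4' a custom one (-1 .. -4), '??' is a
    literal '?', and any other character is a static, single-choice position."""
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            yield {"?"} if key == "?" else custom[key] if key in "1234" else BUILTIN[key]
            i += 2
        else:
            yield {spec[i]}
            i += 1


def charset(spec, custom=None):
    """Characters covered by a -1/-2/-3/-4 definition such as '?d?s' (duplicates collapse)."""
    return set().union(*positions(spec, custom or {}))


def mask_keyspace(mask, custom=None):
    """Candidates a mask generates: the product of the charset size at each position."""
    return reduce(lambda n, cs: n * len(cs), positions(mask, custom or {}), 1)


def hcmask_keyspace(line):
    """Keyspace of one .hcmask line 'cs1,cs2,...,mask': custom charsets come before the mask."""
    *defs, mask = line.strip().split(",")
    custom = {}
    for n, spec in enumerate(defs, start=1):
        custom[str(n)] = charset(spec, custom)   # later charsets may reference earlier ones
    return mask_keyspace(mask, custom)


def hybrid_keyspace(wordlist_size, mask, custom=None):
    """Mode 6/7 keyspace: every word in the list is paired with every mask candidate."""
    return wordlist_size * mask_keyspace(mask, custom)
```

For the page's mask ?u?l?l?l?l?l?l?l?d this gives 26^8 * 10 candidates, and replacing the trailing ?d with the custom charset ?d?s (43 characters) raises that to 26^8 * 43.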

3.1 NTLM Hash Cracking

NTLMv1 and NTLMv2 can be relayed to connect to another machine.

Hash                 Hashcat mode   Attack method

LM                   3000           crack / pass the hash

NTLM/NTHash          1000           crack / pass the hash

NTLMv1/Net-NTLMv1    5500           crack / relay attack

NTLMv2/Net-NTLMv2    5600           crack / relay attack

To crack the hash with hashcat:

hashcat -m 5600 -a 0 hash.txt crackstation.txt

3.2 Kerberoasting Ticket Cracking

Hashcat mode 13100 expects the $krb5tgs$23$ prefix (etype 23). Remember to include the $23 part.

Mode    Description

13100   Kerberos 5 TGS-REP etype 23 (RC4)

19600   Kerberos 5 TGS-REP etype 17 (AES128-CTS-HMAC-SHA1-96)

19700   Kerberos 5 TGS-REP etype 18 (AES256-CTS-HMAC-SHA1-96)

Example:

hashcat -m 13100 -a 0 kerberos_hashes.txt crackstation.txt

For KRB_AS_REP Roasting tickets:

hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt

3.3 Domain Cached Credentials (lsadump::cache)

$DCC2$10240#username#hash

echo ; cat hashes.txt ; echo ; cut -d ":" -f 2 hashes.txt

hashcat -m2100 '$DCC2$10240#spot#3407de6ff2f044ab21711a394d85f3b8' /usr/share/wordlists/rockyou.txt --force --potfile-disable

4. John

john --wordlist=<PASSWORDS_LIST> hash.txt

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

john -w:$(locate rockyou.txt) hash.txt

To crack kerberos tickets:

john --format=krb5tgs --wordlist=rockyou.txt hash.txt

john --wordlist=/opt/wordlists/rockyou.txt --fork=4 --format=krb5tgs ~/kerberos_hashes.txt

john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproast

5. SSH key cracking

python /usr/share/john/ssh2john.py svuser.key > svuser.hash

sudo john --wordlist=/usr/share/wordlists/rockyou.txt ./svuser.hash

6. gpp-decrypt

In AD we can decrypt GPP (Group Policy Preferences) cpassword values:

gpp-decrypt '<cpassword>'

7. .zip password cracking

fcrackzip

zip2john, then john

8. .pfx password cracking

pfx2john, then john

Then we can extract the private key and the certificate from the .pfx file as PEM:

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out key.pem -nodes

openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out cert.pem

9. Tools to exploit weak and default passwords

medusa -h {IP} -M {protocol} -U {usr_list} -P {pwd_list}

medusa -h {IP} -M {protocol} -u {usrname} -P {pwd_list}

medusa -h 192.168.102.149 -M telnet -U username.lst -P password.lst

ncrack <service_name>://target:<port_number>

  • Services for ncrack:

    • FTP

    • SSH

    • Telnet

    • HTTP(S)

    • POP3(S)

    • SMB

    • RDP

    • VNC

Examples:

ncrack telnet://10.10.10.130:25

ncrack ssh://10.10.10.130:120

ncrack ssh://10.10.10.130 telnet://10.10.10.60:218

EyeWitness https://github.com/FortyNorthSecurity/EyeWitness

Getting up and running with EyeWitness is straightforward. Once we have downloaded the tool from the GitHub repository, we can run the setup.sh script from within the setup directory. This installs everything needed to run the tool:

root@tester:~/tools/EyeWitness/setup# ./setup.sh

Once installed, a typical command line we can use to kick-off a scan is like so, where urls.txt is a file containing a list of URLs or IP addresses:

python EyeWitness.py --headless --prepend-https -f urls.txt

It will then generate an HTML report.

Important: EyeWitness also contains an --active-scan option which will actively attempt to log into any and all devices found using known default credentials.

Keep in mind, however, that using this option can result in account lockouts and will likely generate IDS or HIDS alerts. Use the --active-scan option with caution.
