Tools

1. Identify Hash type

hashid {hash}

hash-identifier {hash}

Hash identification website: TunnelsUp (tunnelsup.com/hash-analyzer)

2. Online Decryption

https://hashes.com/en/decrypt/hash

https://hashkiller.io/

https://www.cmd5.org/

https://www.onlinehashcrack.com/

https://gpuhash.me/

https://crackstation.net/

https://passwordrecovery.io/

https://md5decrypt.net/en/

http://cracker.offensive-security.com/

https://osint.sh/md5/ https://www.md5online.org/md5-decrypt.html https://md5decrypt.net/en/ https://md5decrypt.net/en/Sha1/ https://www.dcode.fr/shal-hash https://md5hashing.net/hash/sha1

Search That Hash (github.com/HashPals/)

Execute the following to search a hash within multiple online converters.

sth --text "5f4dcc365aa765d61d8327deb882cf99"

3. Hashcat

Linux password

hashcat -m 1800 -a 0 hash.txt rockyou.txt hashcat -m 1800 -a 0 hash.txt rockyou.txt -r OneRuleToRuleThemAll.rule

Windows password

hashcat -m 1000 -a 0 hash.txt rockyou.txt hashcat -m 1000 -a 0 hash.txt rockyou.txt -r OneRuleToRuleThemAll.rule

hashcat -m 13100 --force hash.txt rockyou.txt

hashcat -m 13100 hash.txt complete_wordlist.txt -r custom_rule.txt

Others

hashcat --example-hashes | grep -i '<BEGINNING_OF_HASH>'

Rules

https://github.com/NotSoSecure/password_cracking_rules

Masks:

hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d

Where:

-a 3 specifies the mask attack.

?u?l?l?l?l?l?l?l?d is the mask.

hashcat.exe -a 3 -m 1000 ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1

Where:

-1 ?d?s defines a custom charset (digits and specials).

?u?l?l?l?l?l?l?l?1 is the mask, where ?1 is the custom charset.

Example of a mask file to crack passwords of different lengths (We can also include static strings)

?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1

Combinators:

If we want to combine the entries from two dictionaries into single-word candidates, for example (applying also a rule to each word on the left- or right-hand side using the options -j and -k):

hashcat.exe -a 1 -m 1000 ntlm.txt list1.txt list2.txt -j $- -k $!

Hybrid:

Hashcat modes 6 and 7 are hybrid's based on wordlists, masks and the combinator. You specify both a wordlist and mask on the command line, and the mask is appended or prepended to the words within the list. For example, your dictionary contains the word Password, then -a 6 [...] list.txt ?d?d?d?d will produce Password0000 to Password9999.

3. 1 NTLM Hash Cracking

NTLMv1 and NTLMv2 can be relayed to connect to another machine.

To crack the hash with hashcat:

hashcat -m 5600 -a 0 hash.txt crackstation.txt

3. 2 Kerberoasting Ticket Cracking

Hashcat mode ($krb5tgs$23= etype 23) ! Remember adding $23

Example:

hashcat -m 13100 -a 0 kerberos_hashes.txt crackstation.txt

For KRB_AS_REP Roasting tickets:

hashcat -m 18200 --force -a 3 hashes.asreproast passwords_kerb.txt

3. 3 Domain Cached Credentials (lsadump::cache)

$DCC2$10240#username#hash

echo ; cat hashes.txt ; echo ; cut -d ":" -f 2 hashes.txt

hashcat -m2100 '$DCC2$10240#spot#3407de6ff2f044ab21711a394d85f3b8' /usr/share/wordlists/rockyou.txt --force --potfile-disable

4. John

john --wordlist=<PASSWORDS_LIST> hash.txt

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

john -w:$(locate rockyou.txt) hash.txt

To crack kerberos tickets:

john --format=krb5tgs --wordlist=rockyou.txt hash.txt

john --wordlist=/opt/wordlists/rockyou.txt --fork=4 --format=krb5tgs ~/kerberos_hashes.txt

john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproast

5. ssh key cracking

python /usr/share/john/ssh2john.py svuser.key > svuser.hash

sudo john --wordlist=/usr/share/wordlists/rockyou.txt ./svuser.hash

6. gpp-decrypt

In AD we can crack some gpp passwords:

gpp-decrypt 'hash'

7. .zip password cracking

fcrackzip

zip2john, then john

8. .pfx password cracking

pfx2john, then john

Then we can convert that .pfx file into a pem key

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out key.pem -nodes

openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out cert.pem

9. Tools to exploit weak and default passwords

medusa -h {IP} -M {protocol} -U {usr_list} -P {pwd_list}

medusa -h {IP} -M {protocol} -u {usrname} -P {pwd_list}

medusa -h 192.168.102.149 -M telnet -U username.lst -P password.lst

ncrack <service_name>://target:<port_number>

  • Services for ncrack:

    • FTP

    • SSH

    • Telnet

    • HTTP(S)

    • POP3(S)

    • SMB

    • RDP

    • VNC

Examples:

ncrack telnet:/10.10.10.130:25

ncrack ssh://10.10.10.130:120

ncrack ssh://10.10.10.130 telnet://10.10.10.60:218

EyeWitness https://github.com/FortyNorthSecurity/EyeWitness

Getting up and running with EyeWitness is straightforward. Once we have downloaded the tool from the github repository, we can run setup.sh script from within the setup directory. This will install everything needed to run the tool. root@tester:~/tools/EyeWitness/setup# ./setup.sh

Once installed, a typical command line we can use to kick-off a scan is like so, where urls.txt is a file containing a list of URLs or IP addresses:

python EyeWitness.py --headless --prepend-https -f urls.txt

It then will generate an HTML report (see image).

Important: EyeWitness also contains an --active-scan option which will actively attempt to log into any and all devices found using known default credentials.

Keep in mind that using this option however, can results in account lockouts and will likely generate IDS or HDS alerts. Use --active-scan option with caution.

PreviousWordlist BuildingNextPayloads - File Transfer - Coding - MalDev - ExploitDev

Last updated