Password cracking
Password cracking is the process of using an application program to identify an unknown or forgotten password to a computer or network resource.
Last updated
Password cracking is the process of using an application program to identify an unknown or forgotten password to a computer or network resource.
Last updated
Passwords can be brute-forced (e.g. just iterating through different letter/number combinations) but it is probably more efficient to use a dictionary. In Kali, wordlists can be found in /usr/share/wordlists. Both fasttrack and rockyou are good for testing weak passwords. Many applications and services are installed with , so always check for those before attempting to crack them.
Passwords will often be hashed in databases, sometimes with a salt. If the database/application includes a salt with the password, you'll need to some research to figure out how it is used in the hashed password. For example, it might be concatenated with the password (salt + password, password + salt) before hashing, or it may be hashed multiple times.
Identifying hashes using hash-identifer:
John is useful for offline password cracking, with a hash stored in a text file.
Usage:
The format option is not always necessary as john does a decent job of guessing. Here's a .
Hydra is a command-line tool for online password attacks, such as website login pages and ssh. The options can be tricky, so you can use as an alternative for websites. However, it seems to have trouble loading large wordlists such as rockyou.
General format for website attacks:
Attack WordPress login page with a known username, success parameter S= instead of failure parameter, verbose output:
It's a pain in the ass, but you can submit API responses and read them using Hydra. You just have to escape every " and : in the JSON messages:
Because of issues like throttling and API lockouts, you may want to use Burp Intruder instead, because it lets you read different server responses.
General usage:
SSH with a non-standard port (22022):
SSH with a username wordlist, non-standard port, limited threads and verbose output:
General usage:
m is the hash format (e.g. m 13100 is Kerberos 5)
a 0 is a dictionary attack
o cracked.txt is the output file for the cracked password
target_hashes.txt is the hash to be cracked
/usr/share/wordlists/rockyou.txt is the absolute path to the wordlist
--force is something I always have to add (think it's GPU-related)
Ncrack can be used to crack RDP passwords:
Group Policy Preferences (GPP) has been used in the past to allow Windows administrators to create domain policies with embedded credentials. These policies allowed administrators to set local accounts, embed credentials for the purposes of mapping drives, or perform other tasks that may otherwise require an embedded password in a script.
Once you find and download the groups.xml file, extract the contents of cpassword and use gpp-decrypt:
With Metasploit:
With Metasploit:
By default, Metasploit will use its list of default Tomcat usernames and passwords, but you could set a single username with set username or run a custom list with set user_file. You can also run a longer password list with set pass_file. Depending on how fast the server responds, you could use a big wordlist but otherwise stick to fasttrack.txt.
Custom wordlists are useful when targeting a specific organization or individual, to generate more relevant password lists.
Crunch generates a custom password lists that can be used to guess passwords. These include:
All combinations for a number of letters.
All combinations for a range of characters followed by static text.
Password lists based on default password ranges (default router passwords for example).
General usage:
Generates a password list with all possible combinations of 4 capital letters:
Generate a list with all combinations for 5 digits:
Generate a wordlist that contains all possible combinations with four letters followed by 1980:
Use the -p option defining the charset which eliminates repeating characters or words. This is creates a wordlist using different combinations of specific words.
Generate all combinations of the words ‘Dog Cat Mouse’:
Cewl scrapes websites for text to generate a custom password list.
Options:
-m is the minimum word length for words to save to the wordlist.
-d is the maximum depth the spider is allowed to scrape.
-o is offsite, used to allow the spider to leave the current website to another website.
-w is write to output file, specify the output file here.
Example: use Cewl on the Kali Linux website to find words with 8 letters or greater and go 1 level deep:
Hydra is useful for brute-forcing website login pages, but you'll need to and parameters for success or failure.
Attack login page:
Hashcat is a very fast password-cracking tool, with .
Unfortunately, the password that is stored in the policy is , meaning anyone who can access the GPP . Since GPPs are stored on the domain controller in the SYSVOL share, this means that at a minimum all domain users can access the encrypted credentials.