Password cracking
Passwords can be brute-forced (e.g. just iterating through different letter/number combinations) but it is probably more efficient to use a dictionary. In Kali, wordlists can be found in /usr/share/wordlists. Both fasttrack and rockyou are good for testing weak passwords. Many applications and services are installed with default passwords, so always check for those before attempting to crack them.
Identifying hashes
Passwords will often be hashed in databases, sometimes with a salt. If the database/application includes a salt with the password, you'll need to do some research to figure out how it is used in the hashed password. For example, it might be concatenated with the password (salt + password, password + salt) before hashing, or it may be hashed multiple times.
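As an added illustration of the salt layouts described above (example code written for these notes, not taken from any tool or from the original page), the Python below computes one password and salt under three hypothetical layout names, shows that a stored digest only verifies once the layout is known, and contrasts that with a slow salted KDF, which is what an application should be storing in the first place. The password, salt and layout names are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values for this walkthrough (not taken from any real database).
SAMPLE_PASSWORD = "correct horse"
SAMPLE_SALT = "a1b2c3"

# Hypothetical layout names used only in this example; a real application
# documents (or hides) its own scheme, which is what the "research" above is for.
LAYOUTS = ("salt+password", "password+salt", "iterated")


def salted_hash(password: str, salt: str, layout: str, rounds: int = 1) -> str:
    """Hex SHA-256 of the password combined with the salt according to `layout`.

    salt+password : sha256(salt || password)
    password+salt : sha256(password || salt)
    iterated      : sha256 applied `rounds` times to (salt || password),
                    feeding the raw digest back in each round
    """
    if layout == "salt+password":
        return hashlib.sha256((salt + password).encode()).hexdigest()
    if layout == "password+salt":
        return hashlib.sha256((password + salt).encode()).hexdigest()
    if layout == "iterated":
        data = (salt + password).encode()
        for _ in range(rounds):
            data = hashlib.sha256(data).digest()
        return data.hex()
    raise ValueError(f"unknown layout {layout!r}")


def verify(password: str, salt: str, stored_hex: str, layout: str, rounds: int = 1) -> bool:
    """Compare a candidate against a stored digest in constant time."""
    return hmac.compare_digest(salted_hash(password, salt, layout, rounds), stored_hex)


def guess_layout(password: str, salt: str, stored_hex: str, rounds: int = 1) -> Optional[str]:
    """Given a known (password, salt, digest) triple, e.g. from a test account you
    created in the application, report which layout reproduces the stored digest."""
    for layout in LAYOUTS:
        if verify(password, salt, stored_hex, layout, rounds):
            return layout
    return None


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """What a defender should store instead of a single fast hash: PBKDF2-HMAC-SHA256.
    Every iteration multiplies the work per dictionary guess, so a wordlist run that
    is instant against plain SHA-256 becomes expensive here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


if __name__ == "__main__":
    for layout in LAYOUTS:
        print(f"{layout:14s} {salted_hash(SAMPLE_PASSWORD, SAMPLE_SALT, layout, rounds=1000)}")
    stored = salted_hash(SAMPLE_PASSWORD, SAMPLE_SALT, "password+salt")
    print("layout recovered:", guess_layout(SAMPLE_PASSWORD, SAMPLE_SALT, stored))
    print("pbkdf2:", pbkdf2_hash(SAMPLE_PASSWORD, SAMPLE_SALT.encode(), 10_000))
```

Note that "iterated" with one round is identical to "salt+password", so guess_layout reports the simpler name in that case; with more rounds the three digests differ, which is exactly why the layout has to be pinned down before a hash can be checked at all.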
Identifying hashes using hash-identifier:
John the Ripper
John is useful for offline password cracking, with a hash stored in a text file.
Usage:
The --format option is not always necessary as john does a decent job of guessing. Here's a list of supported formats.
Hydra
Hydra is a command-line tool for online password attacks, such as website login pages and ssh. The options can be tricky, so you can use Burp Intruder as an alternative for websites. However, it seems to have trouble loading large wordlists such as rockyou.
Websites
Hydra is useful for brute-forcing website login pages, but you'll need to pass it the HTTP request string (captured with Burp's proxy) and a parameter that tells it what a successful or failed response looks like.
General format for website attacks:
Attack DVWA login page:
Attack WordPress login page with a known username, using the success parameter S= instead of the failure parameter, with verbose output:
JSON and APIs
It's a pain in the ass, but you can submit API requests and read the responses with Hydra. You just have to escape every " and : in the JSON messages:
Because of issues like throttling and API lockouts, you may want to use Burp Intruder instead, because it lets you read different server responses.
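The throttling and lockouts mentioned above are the defender's side of the online attacks in this section. As an added example (written for these notes, not part of the original page or of Hydra), the Python below runs the detection logic over constructed log lines: it counts failed password attempts per source in an sshd log and POSTs to a login page per source in a web access log, and flags any source that reaches a threshold inside a sliding time window. The log lines, the login path /login.php, the thresholds and the IP addresses are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sshd log lines (not captured from a real host).
SSHD_LOG = """\
Mar 10 12:00:01 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 50100 ssh2
Mar 10 12:00:02 host sshd[2212]: Failed password for root from 203.0.113.5 port 50101 ssh2
Mar 10 12:00:02 host sshd[2213]: Failed password for root from 203.0.113.5 port 50102 ssh2
Mar 10 12:00:03 host sshd[2214]: Failed password for alice from 203.0.113.5 port 50103 ssh2
Mar 10 12:00:04 host sshd[2215]: Failed password for alice from 203.0.113.5 port 50104 ssh2
Mar 10 12:00:05 host sshd[2216]: Failed password for alice from 203.0.113.5 port 50105 ssh2
Mar 10 12:00:09 host sshd[2217]: Accepted publickey for bob from 198.51.100.7 port 40000 ssh2
Mar 10 12:01:30 host sshd[2218]: Failed password for bob from 198.51.100.7 port 40001 ssh2
"""

# Constructed web server access log lines (combined log format) for a login page.
WEB_LOG = """\
203.0.113.9 - - [10/Mar/2024:12:00:00 +0000] "GET /login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:12:00:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:12:00:01 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:12:00:01 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:12:00:02 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:12:00:02 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.4 - - [10/Mar/2024:12:00:40 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.4 - - [10/Mar/2024:12:00:41 +0000] "POST /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

SSHD_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
WEB_POST = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST (?P<path>\S+) ')

LOGIN_PATH = "/login.php"  # constructed for this example

Event = Tuple[str, datetime]


def ssh_failures(log: str) -> List[Event]:
    """(source ip, timestamp) for every failed password attempt in an sshd log."""
    out = []
    for line in log.splitlines():
        m = SSHD_FAIL.match(line)
        if m:
            out.append((m.group("ip"), datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")))
    return out


def web_login_posts(log: str, login_path: str = LOGIN_PATH) -> List[Event]:
    """(source ip, timestamp) for every POST to the login page. The status code is
    ignored on purpose: many login pages (DVWA included) redirect on both success
    and failure, so the rate of attempts is the usable signal."""
    out = []
    for line in log.splitlines():
        m = WEB_POST.match(line)
        if m and m.group("path") == login_path:
            out.append((m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")))
    return out


def flag_sources(events: Iterable[Event], threshold: int = 5,
                 window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Map source ip -> peak number of events inside any `window`, for sources that
    reach `threshold`. Uses a sliding window over each source's sorted timestamps."""
    by_ip = defaultdict(list)
    for ip, ts in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print("ssh  :", flag_sources(ssh_failures(SSHD_LOG)))
    print("web  :", flag_sources(web_login_posts(WEB_LOG)))
```

The same flag_sources routine serves both log formats because the parsers reduce each line to a (source, timestamp) pair; a real deployment would feed it from the log pipeline and turn a flagged source into a temporary block or lockout, which is the behaviour that makes Hydra runs noisy.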
SSH
General usage:
SSH with a non-standard port (22022):
SSH with a username wordlist, non-standard port, limited threads and verbose output:
Hashcat
Hashcat is a very fast password-cracking tool, with many supported formats.
General usage:
-m is the hash format (e.g. -m 13100 is Kerberos 5)
-a 0 is a dictionary attack
-o cracked.txt is the output file for the cracked password
target_hashes.txt is the hash to be cracked
/usr/share/wordlists/rockyou.txt is the absolute path to the wordlist
--force is something I always have to add (think it's GPU-related)
Ncrack
Ncrack can be used to crack RDP passwords:
GPP-decrypt
Group Policy Preferences (GPP) has been used in the past to allow Windows administrators to create domain policies with embedded credentials. These policies allowed administrators to set local accounts, embed credentials for the purposes of mapping drives, or perform other tasks that may otherwise require an embedded password in a script.
Unfortunately, the password that is stored in the policy is encrypted with a known key, meaning anyone who can access the GPP can obtain the plain text password. Since GPPs are stored on the domain controller in the SYSVOL share, this means that at a minimum all domain users can access the encrypted credentials.
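From the defensive side, the useful exercise is finding out whether such credentials are still sitting in SYSVOL at all (Microsoft stopped new passwords being saved this way with MS14-025, but existing cpassword entries stay until someone removes them). The Python below is an added audit example, not code from the original notes or from gpp-decrypt: it parses preference XML in the shape of Groups.xml, reports each element that carries a cpassword attribute together with the account it belongs to, and can walk a SYSVOL copy. It deliberately never returns or decrypts the value. The sample XML, its clsid and cpassword placeholders and the account names are constructed.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# Constructed sample in the shape of a Groups.xml preference file. The clsid and
# cpassword values are placeholders, not real GUIDs or ciphertext.
SAMPLE_GROUPS_XML = """\
<Groups clsid="{PLACEHOLDER-CLSID}">
  <User clsid="{PLACEHOLDER-CLSID}" name="LocalAdmin" changed="2015-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER_CPASSWORD_VALUE"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
  <User clsid="{PLACEHOLDER-CLSID}" name="Helpdesk" changed="2015-01-01 00:00:00">
    <Properties action="U" userName="Helpdesk"/>
  </User>
</Groups>
"""

# Preference file names that can carry a cpassword attribute.
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml")


def find_cpasswords(xml_text: str, source: str = "<string>") -> List[Dict[str, str]]:
    """Report every element carrying a cpassword attribute. The attribute's value is
    deliberately not included: an audit needs to know that an embedded credential
    exists and which account it belongs to, not the secret itself."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if "cpassword" not in elem.attrib:
            continue
        parent = parent_of.get(elem)
        account = elem.attrib.get("userName") or (
            parent.attrib.get("name", "") if parent is not None else "") or "?"
        findings.append({
            "source": source,
            "element": elem.tag,
            "account": account,
            "changed": parent.attrib.get("changed", "") if parent is not None else "",
            # An empty cpassword means the entry was blanked; a non-empty one is live.
            "empty": "yes" if elem.attrib["cpassword"] == "" else "no",
        })
    return findings


def scan_sysvol(sysvol: Path) -> List[Dict[str, str]]:
    """Walk a SYSVOL copy (or the share mounted locally) and audit every preference
    XML file in GPP_FILES. Files are read with utf-8-sig so a BOM does not break parsing."""
    results = []
    for path in sysvol.rglob("*.xml"):
        if path.name not in GPP_FILES:
            continue
        try:
            results.extend(find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path)))
        except ET.ParseError as exc:
            print(f"warning: could not parse {path}: {exc}", file=sys.stderr)
    return results


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    found = scan_sysvol(target) if target else find_cpasswords(SAMPLE_GROUPS_XML, "sample")
    for f in found:
        print(f"{f['source']}: <{f['element']}> account={f['account']} "
              f"changed={f['changed'] or '?'} empty={f['empty']}")
```

Run without arguments it audits the embedded sample; run with a path to a SYSVOL copy it reports every live cpassword entry, which is the list of policies to clean up and of local accounts whose passwords should be rotated.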
Once you find and download the groups.xml file, extract the contents of cpassword and use gpp-decrypt:
MySQL brute force
With Metasploit:
Apache Tomcat brute force
With Metasploit:
By default, Metasploit will use its list of default Tomcat usernames and passwords, but you could set a single username with set username or run a custom list with set user_file. You can also run a longer password list with set pass_file. Depending on how fast the server responds, you could use a big wordlist but otherwise stick to fasttrack.txt.
Custom wordlists
Custom wordlists are useful when targeting a specific organization or individual, to generate more relevant password lists.
Crunch
Crunch generates custom password lists that can be used to guess passwords. These include:
All combinations for a number of letters.
All combinations for a range of characters followed by static text.
Password lists based on default password ranges (default router passwords for example).
General usage:
Generates a password list with all possible combinations of 4 capital letters:
Generate a list with all combinations for 5 digits:
Generate a wordlist that contains all possible combinations with four letters followed by 1980:
Use the -p option to define the charset, which eliminates repeating characters or words. This creates a wordlist using different combinations of specific words.
Generate all combinations of the words ‘Dog Cat Mouse’:
Cewl
Cewl scrapes websites for text to generate a custom password list.
Options:
-m is the minimum word length for words to save to the wordlist.
-d is the maximum depth the spider is allowed to scrape.
-o is offsite, used to allow the spider to leave the current website for another website.
-w is write to output file; specify the output file here.
Example: use Cewl on the Kali Linux website to find words with 8 letters or greater and go 1 level deep: