Password attacks

Online Brute force

Hydra

Brute forcing SSH

hydra -l <username> -P <password_wordlist> -s <ssh_port> ssh://<target>

Password spraying RDP

hydra -L <username_wordlist> -p <password> rdp://<target>

Brute forcing website login form

hydra -l <username> -P <wordlist> <target> http-post-form "/<login_page_route>:<username_parameter>=^USER^&<password_parameter>=^PASS^:<failed_login_string>"

Brute forcing basic authentication

hydra -l <username> -P <wordlist> <target> http-get

Offline Brute force

John the Ripper

Perform an offline hash crack:

john --wordlist=<wordlist> <hashfile>

Hashcat

Find hash types:

Perform an offline hash crack:

Password Manager

Once a foothold is achieved and the victim uses KeePass, it is possible to crack the master password offline.

Finding the database file on the target machine:

Creating a crackable hash using keepass2john:

Cracking the hash using hashcat:

Identify the hash

Hash-Identifier

hash-identifier

Hashid

hashid

Wordlists

Modify wordlists according to the target's password policy using Hashcat and a rule file:

More rule functions:

Rule Functions
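As an added example that is not part of the original page, the following interpreter implements a small subset of the Hashcat rule-function syntax (`:`, `l`, `u`, `c`, `t`, `r`, `$X`, `^X`, `sXY`) and uses it to audit whether a given password is reachable from a dictionary word by one rule line; the dictionary and rule lines are constructed sample data, and the function names are my own.

```python
# Added example (not from the page): an interpreter for a subset of the Hashcat
# rule-function syntax, used to check whether a password is reachable from a
# dictionary word. Only the functions below are implemented, and whitespace
# between functions is skipped, so the '$ ' (append a space) form is unsupported.
NOARG = {  # functions without an argument: rule character -> word transform
    ":": lambda w: w,                                # no-op
    "l": str.lower,
    "u": str.upper,
    "c": lambda w: w[:1].upper() + w[1:].lower(),    # capitalize
    "t": str.swapcase,                               # toggle case
    "r": lambda w: w[::-1],                          # reverse
}
WITHARG = {"$": 1, "^": 1, "s": 2}  # functions that consume argument characters

def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line such as 'c $1 $2 $3' to a base word, left to right."""
    i = 0
    while i < len(rule):
        f = rule[i]
        if f.isspace():
            i += 1
        elif f in NOARG:
            word = NOARG[f](word)
            i += 1
        elif f in WITHARG:
            n = WITHARG[f]
            args = rule[i + 1:i + 1 + n]
            if len(args) < n:
                raise ValueError(f"rule {rule!r}: {f} needs {n} argument char(s)")
            if f == "$":            # $X  append X
                word += args
            elif f == "^":          # ^X  prepend X
                word = args + word
            else:                   # sXY replace every X with Y
                word = word.replace(args[0], args[1])
            i += 1 + n
        else:
            raise ValueError(f"rule {rule!r}: unsupported function {f!r}")
    return word

def audit_password(password, words, rules):
    """Return (base_word, rule) if the password is derivable, else None."""
    for rule in rules:
        for w in words:
            if apply_rule(w, rule) == password:
                return w, rule
    return None

SAMPLE_WORDS = ["password", "summer", "welcome"]  # constructed sample dictionary
SAMPLE_RULES = [":", "c", "c $1", "c $2 $0 $2 $4", "u r", "sa@ so0 c $!"]  # constructed
```

Feeding a real dictionary and one of Hashcat's rule files through audit_password shows which "policy-compliant" passwords are only one cheap rule away from a dictionary word.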

Hashcat ships with commonly used rule files in its rules directory:

Create and print the new rule-based wordlist

Hashcat

Crack using the new rule-based wordlist

John

Create a rule file, for example:

Append the rule file to /etc/john/john.conf:

Crack using the new rule-based wordlist