Password Attacks
Guides and Resources
Operator Handbook: Password Cracking Methodology - pg. 243
Penetration Testing: Password Attacks - pg.197
SecLists - Daniel Miessler's gold standard of wordlists
WeakPass - Open source project containing collected wordlists from across the web
Jhaddix's wordlist - Bug bounty veteran Jason Haddix's master wordlist, built from the output of every DNS enumeration tool... ever. Please excuse the lewd entries =/
https://github.com/kaonashi-passwords/Kaonashi - Wordlist, rules and masks from Kaonashi project (RootedCON 2019)
CeWL - CeWL is a Ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used as input for password crackers such as John the Ripper.
Crunch - Crunch is a wordlist generator that takes either a standard character set or one you specify. Crunch can generate all possible combinations and permutations of that set.
BruteScrape - A web scraper for generating password files based on plain text found
Mentalist - Mentalist is a graphical tool for custom wordlist generation. It utilizes common human paradigms for constructing passwords and can output the full wordlist as well as rules compatible with Hashcat and John the Ripper.
Wordlist Rules
Tools
Password Spraying
SprayingToolkit - Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient
Trident - automated password spraying tool
CredKing - Spray with AWS Lambda
Fireprox - Spray with AWS proxies
SharpHose - C# spray utility for Cobalt Strike
Patator - flexible brute/spray tool
DomainPasswordSpray - PS spray tool
Spray - A Password Spraying tool for Active Directory Credentials
Ruler - Remote exchange server spray and utility
kerbrute - A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication
brutespray - This Python script takes nmap GNMAP/XML output and automatically brute-forces services with default credentials using Medusa.
o365spray - o365spray is a username enumeration and password spraying tool aimed at Microsoft Office 365 (O365).
ShadowSpray - A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.
Reference
Password Guessing Tools
Password Cracking
HateCrack - A tool for automating cracking methodologies through Hashcat from the TrustedSec team.
Password Analysis and Cracking Kit - Collection of utilities for analyzing passwords for cracking and guessing
MDXFind - the CPU-based hash-cracking tool
Operator Handbook: MDXFind - pg. 195
Ciphey - Fully automated decryption/decoding/cracking tool using natural language processing & artificial intelligence, along with some common sense.
cmospwd - A cross-platform tool to decrypt the password stored in CMOS that protects a computer's BIOS setup.
crack - Crack is a program designed to quickly locate vulnerabilities in Unix (or other) password files by scanning the contents of a password file, looking for users who have misguidedly chosen a weak login password.
rainbowcrack - RainbowCrack is a general purpose implementation of Philippe Oechslin's faster time-memory trade-off technique. It cracks hashes with rainbow tables.
hashview - A web front-end for password cracking and analytics
Hashcat - World's fastest and most advanced password recovery utility
HashCat Wiki - https://hashcat.net/wiki/
HAT - Hashcat Automation Tool - An automated Hashcat tool for common wordlists and rules to speed up the process of cracking hashes during engagements.
crackerjack - Web GUI for HashCat
hcxtools - Portable solution for capturing wlan traffic and conversion to hashcat formats (recommended by hashcat) and to John the Ripper formats.
Operator Handbook: Hashcat - pg. 90
GPU cracking (-m 500 is md5crypt, -a 0 is straight wordlist mode, --remove drops hashes from the input file as they are cracked):
$ hashcat -m 500 -a 0 -o output.txt --remove hashes.txt /usr/share/wordlists/rockyou.txt
JohnTheRipper
John The Ripper - The John The Ripper module is used to identify weak passwords that have been acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal of this module is to find trivial passwords in a short amount of time. To crack complex passwords or use large wordlists, John the Ripper should be used outside of Metasploit.
Jumbo John - John the Ripper distro with added features
Operator Handbook: John the Ripper - pg. 104
Usage
Basic usage with auto detection of hash type
# john --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt
Identify hash type
# wget https://gitlab.com/kalilinux/packages/hash-identifier/-/raw/kali/master/hash-id.py
# python3 hash-id.py
Specific format hash crack
# john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt
Crack NTLM hashes
# john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt
Cracking /etc/shadow hashes
The unshadow tool merges a copy of /etc/passwd with a copy of /etc/shadow into a single file in the format John expects; John then cracks the combined file.
# unshadow local_passwd local_shadow > unshadowed.txt
# john --format=sha512crypt unshadowed.txt
Single Crack Mode
Applies word-mangling rules to the username (and other login information) to derive candidate passwords, so it needs no wordlist.
# john --single --format=raw-sha256 hashes.txt
Cracking a Zip File
Use the zip2john tool to convert the zip file into a hash format that John can use.
# zip2john [opt] [zip file] > [out file]
# john --wordlist=/word/list.txt out_file.txt
Cracking a RAR archive
rar2john will convert the rar file into a hash that John can crack; once the password is recovered, pass it to unrar (no space between -p and the password) to extract the original archive.
# rar2john [rarfile] > [out file]
# john --wordlist=/word/list.txt out_file.txt
# unrar x -p[password] [rarfile]
Password Brute Forcing
Cerbrutus-BruteForcer - A fast brute-forcing and spraying tool. Currently supports SSH and FTP, with other protocols in development.
Hydra - Super powerful, multi-protocol password brute-forcing tool
Medusa - Medusa is a speedy, parallel, and modular login brute-forcer. The goal is to support as many services which allow remote authentication as possible.
Crowbar - Crowbar (formerly known as Levye) is a brute-forcing tool that can be used during penetration tests. It was developed to brute-force some protocols in a different manner from other popular brute-forcing tools.
WBruter - wbruter is the first open-source tool that claims it can guarantee 100% that your PIN code will be cracked, as long as USB debugging has been enabled. wbruter also includes other brute-force methods, such as dictionary attacks against Gmail, FTP, RAR, ZIP and some other file formats.
RSA Tools
RSACTFTool - RSA multi-attack tool: decrypts data encrypted with a weak public key and tries to recover the private key, automatically selecting the best attack for the given public key.
RSATool - rsatool calculates RSA (p, q, n, d, e) and RSA-CRT (dP, dQ, qInv) parameters given either two primes (p, q) or modulus and private exponent (n, d). Resulting parameters are displayed and can optionally be written as an OpenSSL compatible DER or PEM encoded RSA private key.
Rainbow Table Attacks
Rainbow Crack - RainbowCrack is a general purpose implementation of Philippe Oechslin's faster time-memory trade-off technique. It cracks hashes with rainbow tables.
dcipher - Decipher hashes using online rainbow & lookup table attack services.