Password Cracking

/etc/shadow

unshadow passwd.txt shadow.txt > passwords.txt
john --wordlist=/usr/share/wordlists/sqlmap.txt passwords.txt
#Alternatively, crack the same unshadowed file with hashcat
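From the defender's side, the same unshadow/shadow data can be audited before anyone has to crack it. The following Python is an added example, not from the original page: it parses shadow-format lines, identifies the crypt(3) scheme from the hash prefix, and flags accounts with empty passwords or fast legacy hashes (descrypt, md5crypt) that a john run like the one above would break quickly. The sample shadow lines are constructed.

```python
import re

# Constructed sample /etc/shadow lines (not from the original page).
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJ:19000:0:99999:7:::
legacy:$1$salt1234$AbCdEfGhIjKlMnOpQrStU/:17500:0:99999:7:::
olduser:AbCdEfGhIjKlM:16000:0:99999:7:::
svc:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

# crypt(3) prefix -> (scheme name, considered weak?)
SCHEMES = {
    "$1$": ("md5crypt", True),
    "$2a$": ("bcrypt", False), "$2b$": ("bcrypt", False), "$2y$": ("bcrypt", False),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$7$": ("scrypt", False),
    "$y$": ("yescrypt", False),
}


def classify(hash_field):
    """Return (scheme, finding) for the second field of one shadow line."""
    if hash_field == "":
        return ("none", "EMPTY: account can log in without a password")
    if hash_field.startswith(("!", "*")):
        return ("locked", "ok: password login disabled")
    for prefix, (name, weak) in SCHEMES.items():
        if hash_field.startswith(prefix):
            return (name, "WEAK: fast legacy hash, cracks quickly offline" if weak else "ok")
    # Traditional DES crypt: 13 chars from the crypt alphabet, no '$' prefix.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return ("descrypt", "WEAK: legacy DES, truncates passwords to 8 chars")
    return ("unknown", "REVIEW: unrecognised hash format")


def audit(shadow_text):
    """Parse shadow-format text; return [(user, scheme, finding), ...] in file order."""
    results = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme, finding = classify(fields[1])
        results.append((fields[0], scheme, finding))
    return results
```

Run audit() over a real /etc/shadow (root required) and review every line whose finding does not start with "ok".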

Brute-Force Authentication

hydra -l harvey -P bart-dic-lower.txt -t 60 monitor.bart.htb http-form-post "/index.php:csrf=36bd695fd918999000a766aa80a90a17a8b26db85908e5443f3c50740ac2c317&user_name=^USER^&user_password=^PASS^&action=login:F=incorrect:H=Cookie\: PHPSESSID=ndr7g22cjhoj6e2hk0put97j0p"

#Custom port:
hydra -L users.txt -P pass.txt "http-post-form://<IP>:Port/:<parameters>:Invalid"

John The Ripper

  • Brute-force RAR/Zip files

#Convert the archive into a John-friendly hash file
rar2john keys.rar > jail
./zip2john test.zip > zip.hashes

john jail
john --wordlist=/usr/share/wordlists/rockyou.txt hash_file
john zip.hashes

#7z file. In order to crack the password with John
#we first need to convert it to JtR format using the 7z2john script.
/usr/share/john/7z2john.pl backup.7z > backup-john.txt
john --wordlist=rockyou.txt backup-john.txt

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt data.zip

#LDAP
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

#Excel files
python2 /usr/share/john/office2john.py <file.xlsx> > hash.txt
john --rules --wordlist=yourwordlist.txt hash.txt

  • From KeePass

    • Clue: .kdbx extension

    • Represents an encrypted data store for the KeePass password manager.

    • The keepass2john utility extracts a crackable hash from this file

    • Load it into John The Ripper

keepass2john CEH.kdbx > CEHjohnable
john CEHjohnable -w:/usr/share/wordlists/rockyou.txt
./hashcat -m 13400 hash.keepass rockyou.txt

#Open with keepassx/keepass2 once the password is recovered

  • SSH-Keys

locate ssh2john.py
ssh2john.py id_rsa > id_rsa.hash
john id_rsa.hash -w=wordlist.txt

Cracking weak RSA SSH Public Key

./RsaCtfTool.py --publickey /root/Desktop/rootauthorizedsshkey.pub --private > /root/Desktop/id_rsa

OpenSSL Encoded Data with Salted Password

./openssl-brute -file filename.enc
