Password cracking notes

1. Default password resources

2. Weak and leaked password wordlists

3. Bash tricks

cat file1.txt file2.txt > combined.txt      # Combine password files
sort -u combined.txt > cleaned.txt          # Remove duplicates (NOT `uniq -u`: that keeps only lines that occur once, so every word shared by two lists is dropped)
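Added example (my own helper, not part of the original notes): a POSIX shell function pair that merges wordlists and enforces a length policy, plus a constructed two-list demo that shows why `uniq -u` is the wrong tool for deduplication. The 8..64 policy and the file names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original notes: merge several wordlists into one
# deduplicated list and keep only candidates that fit a known password policy.
# Pitfall shown below: `uniq -u` keeps only lines that occur ONCE, so a password
# present in two leaked lists (the most valuable kind) is thrown away.
# `sort -u` keeps exactly one copy of every line, which is what we want.

# merge_wordlists OUTPUT FILE... : sorted, deduplicated union of the inputs
merge_wordlists() {
  out="$1"
  shift
  cat "$@" | sort -u > "$out"
}

# filter_policy MIN MAX FILE : keep candidates whose length fits the target's
# password policy (assumed here: 8 to 64 characters). Cutting early saves
# cracking time on candidates the policy could never have accepted.
filter_policy() {
  awk -v min="$1" -v max="$2" 'length($0) >= min && length($0) <= max' "$3"
}

# --- constructed demo data (not real leaks): the lists share two entries ---
make_demo_lists() {
  dir=$(mktemp -d)
  printf 'password\n123456\nletmein\nqwerty\n' > "$dir/list1.txt"
  printf 'letmein\npassword\nSummer2023!\nadmin\n' > "$dir/list2.txt"
  echo "$dir"
}

# Distinct candidates after a correct merge (expected: 6).
demo_merge_count() {
  dir=$(make_demo_lists)
  merge_wordlists "$dir/combined.txt" "$dir/list1.txt" "$dir/list2.txt"
  wc -l < "$dir/combined.txt" | tr -d ' '
}

# Same data through the buggy `uniq -u`: the two shared passwords vanish (expected: 4).
demo_uniq_u_count() {
  dir=$(make_demo_lists)
  cat "$dir/list1.txt" "$dir/list2.txt" | sort | uniq -u | wc -l | tr -d ' '
}

# Candidates left after applying an 8..64 length policy (expected: 2).
demo_policy_count() {
  dir=$(make_demo_lists)
  merge_wordlists "$dir/combined.txt" "$dir/list1.txt" "$dir/list2.txt"
  filter_policy 8 64 "$dir/combined.txt" | wc -l | tr -d ' '
}

# Stand-alone usage:
#   merge_wordlists combined.txt file1.txt file2.txt
#   filter_policy 8 64 combined.txt > cleaned.txt
```

The length filter is worth running before a long hashcat job: the two shared words that `uniq -u` silently discards are exactly the ones most likely to crack something.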

4. Hash extraction

Hashes can be extracted not only from system credential stores but from any encrypted file whose format embeds a password-derived check: password manager databases (e.g. KeePass .kdbx), passphrase-protected SSH private keys, encrypted archives and PDFs. The John the Ripper (jumbo) package ships *2john helper scripts that convert such files into a hash line. John consumes that line as-is; Hashcat usually wants only the hash itself, so strip the leading name field (everything up to and including the first colon) before feeding it in.

# Examples:
keepass2john $kdbx > hash
ssh2john $id_rsa > hash
7z2john $7z > hash
zip2john $zip > hash
pdf2john $pdf > hash

5. Passwords list generators

5.1. Cewl

Cewl crawls a website and generates a wordlist specific to the target. The output typically contains employee names, locations, product and brand names, which make good base words for rule-based mutation (appending years, symbols, etc.).

cewl
    -w <file>       # Output file
    -m <num>        # Minimum word length (e.g. -m 5 keeps words of 5+ characters)
    -d <num>        # Crawl depth
    <url>           # URL to crawl

5.2. Crunch

Crunch generates a list of strings from a length range and a character set, or from a pattern (-t <pattern>). In a pattern, literal characters are kept and these placeholders are expanded:

  • @ - lower case alpha char
  • , - upper case alpha char
  • % - numeric char
  • ^ - special char (spaces included)

crunch <min-chars> <max-chars> [<allowed-chars>] -o <output-file>

# Examples
crunch 2 4 abcd12345 -o out.txt       # All 2..4-char strings over the set abcd12345
crunch 6 6 -t pass%% -o out.txt       # pass00 .. pass99; with -t, min and max must equal the pattern length

6. Offline hash cracking

NOTE: To determine the hash format, run hashid -m <hash|file>; the -m flag also prints the corresponding Hashcat mode number. Many formats share one shape (a 32-character hex string can be MD5, NTLM or MD4), so treat the output as a list of candidates and pick the mode that matches where the hash came from.
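Added example (not from the original notes, and not a replacement for hashid): a shell triage function that maps a hash to the hashcat mode numbers its shape is consistent with, following hashcat's documented example-hash formats. The regexes are deliberately loose shape checks, an assumption of this example; the sample hashes are constructed (the MD5 is the well-known hash of the string "password").

```sh
#!/bin/sh
# Added example, not from the original notes: first-pass triage of a hash by
# its shape, printing the hashcat -m mode(s) it is consistent with.
# The lesson: several formats share one shape. A bare 32-hex string may be
# MD5, NTLM or MD4, and cracking with the wrong mode fails silently (no hits).
# Treat the output as candidates and confirm with `hashid -m` or with what
# you know about where the hash came from.

# shape ERE STRING : succeed if the whole STRING matches the extended regex
shape() {
  printf '%s\n' "$2" | grep -Eq "^($1)\$"
}

# guess_mode HASH : print "<mode> <name>" candidates for one hash
guess_mode() {
  h="$1"
  if   shape '[0-9a-fA-F]{32}' "$h";                        then echo "0 MD5 | 1000 NTLM | 900 MD4 (ambiguous)"
  elif shape '[0-9a-fA-F]{40}' "$h";                        then echo "100 SHA1"
  elif shape '\*[0-9a-fA-F]{40}' "$h";                      then echo "300 MySQL4.1+"
  elif shape '[0-9a-fA-F]{64}' "$h";                        then echo "1400 SHA2-256"
  elif shape '[0-9a-fA-F]{128}' "$h";                       then echo "1700 SHA2-512"
  elif shape '\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}' "$h";       then echo "500 md5crypt"
  elif shape '\$5\$.+' "$h";                                then echo "7400 sha256crypt"   # loose: rounds= and salt vary
  elif shape '\$6\$.+' "$h";                                then echo "1800 sha512crypt"   # loose: rounds= and salt vary
  elif shape '\$2[abxy]\$[0-9]{2}\$[./0-9A-Za-z]{53}' "$h"; then echo "3200 bcrypt"
  elif shape '\$keepass\$\*.*' "$h";                        then echo "13400 KeePass"
  elif shape '\$7z\$.*' "$h";                               then echo "11600 7-Zip"
  elif shape '[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+' "$h"; then echo "5600 NetNTLMv2"
  else echo "unknown shape: run hashid -m"
  fi
}

# triage_file FILE : one hash per line -> "<hash><TAB><guess>"; blank lines skipped
triage_file() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    printf '%s\t%s\n' "$line" "$(guess_mode "$line")"
  done < "$1"
}

# Stand-alone usage:
#   guess_mode '5f4dcc3b5aa765d61d8327deb882cf99'
#   triage_file dumped_hashes.txt
```

When the first line of output lists several modes, the source decides: a hash pulled from a Windows SAM or a secretsdump run is NTLM (1000), one from a web application's users table is far more likely MD5 (0). Running the wrong mode produces no error, only an empty result.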

6.1. Dictionary attack

hashcat -a 0 -m $mode $hash $wordlist 

Rule-based attack: Hashcat can mutate every dictionary word according to a set of rule functions (capitalize, append digits or symbols, leetspeak substitutions, ...). Built-in rule files live under /usr/share/hashcat/rules/. It is always more efficient to first learn the target's actual password policy, or the default policy of the target software, and choose or write rules that match it rather than mutating blindly. See the Hashcat documentation on rule-based attacks for the full list of rule functions.

Most common rule file:

  • /usr/share/hashcat/rules/best64.rule

# Hashcat with a rule file
hashcat -a 0 -m $mode $hash $wordlist -r $rule_file

# Common usage (MD5 hash cracking)
hashcat -a 0 -m 0 md5.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# --force only suppresses hashcat's warnings (e.g. about a missing or unsupported OpenCL runtime);
# it does not speed anything up and can yield wrong results. Fix the warning instead of forcing past it.
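Added example (my own code, not hashcat's): a minimal interpreter for a subset of hashcat's rule functions, written in awk so that a rule file can be previewed against a wordlist on any box before a GPU run. The rule file and word list in the demo are constructed. Functions outside the listed subset are reported on stderr and that rule is skipped; position-based and multi-operand rules are not handled.

```sh
#!/bin/sh
# Added example, not from the original notes: a tiny interpreter for a subset
# of hashcat rule functions, used to PREVIEW what a rule file will do to a
# wordlist. Supported (same syntax as hashcat):
#   :  noop        l  lowercase    u  uppercase   c  Capitalize   C  invert capitalize
#   t  toggle case r  reverse      d  duplicate   [  delete first ]  delete last
#   $X append X    ^X prepend X    sXY replace every X with Y
# Functions are read positionally, so "$ " (append a space) works as in hashcat.

# preview_rules RULEFILE WORDLIST : print every candidate the rules produce
preview_rules() {
  awk '
    function reverse(s,   r, i) { r = ""; for (i = length(s); i >= 1; i--) r = r substr(s, i, 1); return r }
    function toggle(s,   r, i, c) {
      r = ""
      for (i = 1; i <= length(s); i++) { c = substr(s, i, 1); r = r (c == tolower(c) ? toupper(c) : tolower(c)) }
      return r
    }
    function replace_all(s, a, b,   r, i, c) {
      r = ""
      for (i = 1; i <= length(s); i++) { c = substr(s, i, 1); r = r (c == a ? b : c) }
      return r
    }
    # apply one rule line to one word; sets bad=1 on an unsupported function
    function apply(word, rule,   out, i, n, ch) {
      out = word; i = 1; n = length(rule)
      while (i <= n) {
        ch = substr(rule, i, 1); i++
        if (ch == " " || ch == ":") continue
        if (ch == "l") { out = tolower(out); continue }
        if (ch == "u") { out = toupper(out); continue }
        if (ch == "c") { out = toupper(substr(out, 1, 1)) tolower(substr(out, 2)); continue }
        if (ch == "C") { out = tolower(substr(out, 1, 1)) toupper(substr(out, 2)); continue }
        if (ch == "t") { out = toggle(out); continue }
        if (ch == "r") { out = reverse(out); continue }
        if (ch == "d") { out = out out; continue }
        if (ch == "[") { out = substr(out, 2); continue }
        if (ch == "]") { out = substr(out, 1, length(out) - 1); continue }
        if (ch == "$") { out = out substr(rule, i, 1); i++; continue }
        if (ch == "^") { out = substr(rule, i, 1) out; i++; continue }
        if (ch == "s") { out = replace_all(out, substr(rule, i, 1), substr(rule, i + 1, 1)); i += 2; continue }
        bad = 1
        print "unsupported function [" ch "] in rule: " rule > "/dev/stderr"
        return ""
      }
      return out
    }
    # first file: rules (blank lines and # comments skipped); second file: words
    NR == FNR { if ($0 ~ /^[ \t]*#/ || $0 ~ /^[ \t]*$/) next; rules[++nr] = $0; next }
    { for (i = 1; i <= nr; i++) { bad = 0; c = apply($0, rules[i]); if (!bad) print c } }
  ' "$1" "$2"
}

# --- constructed demo: a 7-rule file and a 2-word list (not real data) ---
demo_preview() {
  dir=$(mktemp -d)
  printf '# constructed rule file, one rule per line\n:\nc\nu\n$1 $2 $3\nc $2 $0 $2 $4 $!\nsa@ $!\nr\n' > "$dir/demo.rule"
  printf 'summer\nAdmin\n' > "$dir/words.txt"
  preview_rules "$dir/demo.rule" "$dir/words.txt"
}

# Stand-alone usage:
#   preview_rules /usr/share/hashcat/rules/best64.rule words.txt | sort -u | head
```

With hashcat installed, `hashcat --stdout -r $rule_file $wordlist` does the same with the full function set; the awk version exists to make the rule syntax concrete and to sanity-check a custom rule file against the known policy (e.g. a rule that appends a year and a symbol to a cewl word) before committing GPU time to it.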

6.2. John The Ripper vs HashCat

John the Ripper is primarily a CPU-based cracker that also supports GPUs, while Hashcat is primarily a GPU-based cracker that also supports CPUs. JtR runs out of the box on CPUs with no extra drivers; Hashcat needs an OpenCL or CUDA runtime for GPU cracking. For most algorithms a GPU is far faster, since it has thousands of cores that each take a share of the work. Deliberately slow, memory-hungry algorithms such as bcrypt gain much less from a GPU and can be competitive on CPUs.

# Benchmark CPU (John)
john --test

# Benchmark GPU (Hashcat); add -m <mode> to benchmark a single algorithm
hashcat -b

7. Online password attacks

Hydra is a versatile online password attack tool: it brute-forces logins against many network services (ftp, smtp, ssh, http, ...) with a username list and a password list.

# Brute-force a service (options go before the target)
hydra -l $username -P $pass_list -s $port -t $tasks_number -V $service://$ip
  -l $username || -L $user_list   # Username or username list
  -p $password || -P $pass_list   # Password or password list
  -s $port                        # Non-default port
  -t $tasks_number                # Concurrent tasks per target (keep low to avoid lockouts and noisy detection)
  -f                              # Stop after the first valid login is found
  -V                              # Show every attempt

# Brute-force an HTTP POST login form
# Form body with placeholders: usr=^USER^&pwd=^PASS^
# Third field of the module argument: a string that appears in a FAILED response
# (use S=<string> instead for a string that appears only on success)
hydra -l $user -P $pass_list $ip http-post-form "$path:$body:$failed_login_string"

Trying millions of passwords online is slow, noisy, and usually impossible: most services lock the account after a handful of failures. Use short, high-yield lists and spread attempts across many users rather than hammering one account:

  • /usr/share/seclists/Passwords/darkweb2017-top10.txt
  • /usr/share/seclists/Passwords/darkweb2017-top100.txt