
Cracking

Hashcat

To find the hash mode (-m value) for a given hash format, look it up on the example hashes page:
https://hashcat.net/wiki/doku.php?id=example_hashes

find mode (powershell) - search the built-in example list for a hash name and print the surrounding lines (the mode number is printed a few lines above the example hash)

.\hashcat.exe --example-hashes | Select-String -Pattern "krb5asrep" -Context 11,2

find mode (linux) - same idea with grep; the -B/-A context is needed because the mode line and the example hash line are separate

hashcat --example-hashes | grep -B12 -A2 "\$xmpp-scram"

drupal 7 - crack

Cracking a Drupal 7 password hash (hashes start with $S$)
mode -m 7900

.\hashcat.exe --user -a 0 -m 7900 password_hash.txt ..\SecLists\rockyou.txt

--user - keep the user name alongside the hash in the hash file (user:hash format, as in password_hash.txt below); without it hashcat would try to parse the user name as part of the hash
-a 0 - straight (dictionary) attack: each word in the wordlist is tried as-is; this is not a brute-force mask attack (that is -a 3)
-m <mode> - specify the hash type

file format of password_hash.txt is user:hash

administrator:$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE

shadow file - crack

hashcat command to crack an unshadow file; the $5$ prefix below is sha256crypt
mode -m 7400 (use 1800 for $6$ sha512crypt and 500 for $1$ md5crypt)

hashcat.exe --user -a 0 -m 7400 ..\htb\sunday\unshadow_hash.txt ..\SecLists\rockyou.txt

unshadow (ships with john) merges /etc/passwd and /etc/shadow into the user:hash lines hashcat --user expects; copy both files off the target first

unshadow passwd shadow > unshadow_hash.txt

unshadow file format

sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB
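The join that unshadow performs, written out in POSIX sh as an added example (this is not code from the original notes, and the passwd/shadow contents are constructed sample data). It goes one step further than unshadow: locked or disabled accounts (hash field of ! or *) are dropped, because unshadow copies every line and those entries only waste cracking time. Function names and the temporary files are this example's own choices.

```shell
#!/bin/sh
# Added example: produce a user:hash file for hashcat --user from a
# passwd and a shadow file, keeping only accounts that carry a real
# crypt(3)-style hash ($id$salt$hash). Not part of the original notes.

# crackable_hashes PASSWD SHADOW
# Prints user:hash for every shadow entry whose user exists in passwd
# and whose password field starts with a $id$ prefix. Entries such as
# "!" (locked) or "*" (no password) are skipped.
crackable_hashes() {
    awk -F: '
        NR == FNR { present[$1] = 1; next }                       # first file: passwd users
        ($1 in present) && $2 ~ /^\$[0-9a-zA-Z]+\$/ { print $1 ":" $2 }
    ' "$1" "$2"
}

# hash_mode HASH
# The hashcat -m value for the crypt prefixes these notes deal with
# (assumption: the standard hashcat mode numbers for these three).
hash_mode() {
    case "$1" in
        '$1$'*) echo 500  ;;   # md5crypt
        '$5$'*) echo 7400 ;;   # sha256crypt
        '$6$'*) echo 1800 ;;   # sha512crypt
        *)      echo unknown ;;
    esac
}

# make_samples DIR
# Writes constructed passwd and shadow files into DIR. The sammy line
# reuses the sha256crypt hash shown in the notes; the backup line is a
# placeholder, not a real sha512crypt hash.
make_samples() {
    dir=$1
    printf 'root:x:0:0:root:/root:/bin/bash\nsammy:x:1000:1000::/home/sammy:/bin/bash\nsync:x:4:65534:sync:/bin:/bin/sync\nbackup:x:34:34::/var/backups:/usr/sbin/nologin\n' > "$dir/passwd"
    printf 'root:!:18000:0:99999:7:::\nsammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:18000:0:99999:7:::\nsync:*:18000:0:99999:7:::\nbackup:$6$abc$placeholder:18000:0:99999:7:::\n' > "$dir/shadow"
}

# Demo run: prints the two crackable entries (sammy and backup); root
# and sync are dropped because their password field is ! and *.
tmp=$(mktemp -d)
make_samples "$tmp"
crackable_hashes "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

When the output mixes prefixes, split it per prefix (one file per -m value) before running hashcat, since a single run can only use one mode.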

keepass hash - crack

Generate the hash of the KeePass database with keepass2john; its output is of the form name:$keepass$*..., hence --user below. Mode 13400 covers both KeePass 1 and KeePass 2 databases.

keepass2john CEH.kdbx > ceh_kdbx_hash.txt
.\hashcat.exe --user -m 13400 -a 0 ..\htb\jeeves\ceh_kdbx_hash.txt ..\SecLists\rockyou.txt

--show only prints entries already cracked in the potfile; run the command without --show first, then append --show to display the user:hash:password result
.\hashcat.exe --user -m 13400 -a 0 ..\htb\jeeves\ceh_kdbx_hash.txt ..\SecLists\rockyou.txt --show

kerberos hash - crack

This is an AS-REP hash (from AS-REP roasting an account that has Kerberos pre-authentication disabled, e.g. with GetNPUsers.py), not a TGT. It is assumed to be saved in the $krb5asrep$23$user@domain:... form below, which hashcat mode 18200 expects; the user name is part of the hash itself, so --user is not needed.

$krb5asrep$23$support@blackfield@BLACKFIELD:89a878dcaa7d489e318462ebce6cd917$898e0380895c9a3dfe6d91ab24d28f6e1424b577739897fc757008af3c6f42a2ea5fcddd359e64d52d81722efc3fde59661cf70124de392708ecb3cd8406952e2dec9bb9e6ff592f1c59ded5262ad8a186ab3534443e6dacf83d12b936aa08fcaa0f24b87ccb2aa82b697c0491819d870b312ce375bf0e78c3ddb86a62b86c6bf4df99414c52cf111a34f2a8d0adf5f838a7d8f2e855dd6ff75d759503ad8fb4e9cf52e906ef00d7b62b25c7f4ab34240639af81a1af3adafe5e942c66b3635905baca04c31f4f85073a4e27939850f6f82be69dffd02196fc08f8e5d1be9b83f169a331ed9888064c0e0b1a42da

command:

.\hashcat.exe -m 18200 ..\htb\blackfield\kerberos-hash ..\SecLists\rockyou.txt

zip - crack

zip crack with john: zip2john turns the archive into a john-compatible hash line, then john cracks it with its default wordlist/rules (add --wordlist=... to use rockyou)

zip2john bank-account.zip > hash.txt
john hash.txt

wordpress hash - crack -- todo

detecting the hash: WordPress (phpass) hashes start with $P$; grep the example list for that prefix

hashcat --example-hashes | grep -B12 -A2 '\$P\$'

mode: 400 (phpass)

command:

Create Custom wordlist

Custom wordlist with cewl

cewl www.yahoo.com -m 6 -w yahoo-cewl.txt

-m 6 : only keep words that are at least 6 characters long (minimum length, not exact length)
-w : write the wordlist to a file

Mutate with john

john's mangling rules live in john.conf (for example /etc/john/john.conf on Debian/Kali, /usr/share/john/john.conf or the john run directory elsewhere); --rules applies the [List.Rules:Wordlist] section and --stdout prints the mangled candidates instead of cracking anything

john --wordlist=yahoo-cewl.txt --rules --stdout > mutated-list.txt

Custom wordlist with bash

custom wordlist

pwlist.txt
January
February
March
April
May
June
July
August
September
October
November
Password
P@ssw0rd
Forest
htb
Secret

Add a year (2019, 2020) and a trailing ! to each word in the list, producing six candidates per word, e.g. for January:

January
January!
January2019
January2019!
January2020
January2020!
for i in $(cat pwlist.txt);do echo $i; echo $i\!; echo ${i}2019; echo ${i}2019\!;echo ${i}2020; echo ${i}2020\!; done > temp_list.txt
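The same mutation generalised to an arbitrary year range, as an added example (this is not the page's one-liner; the function names and the sample words are this example's own). It reads the base words from stdin so it can be chained after cewl, uses a while-read loop instead of for $(cat ...) so words are never word-split or glob-expanded, and emits, per base word, the same word / word! / wordYYYY / wordYYYY! pattern as above.

```shell
#!/bin/sh
# Added example: year-and-bang mutations for a base wordlist.
# Not part of the original notes.

# mutate_words FIRST_YEAR LAST_YEAR < base_words
# For each non-empty input line w, print:
#   w, w!, then wYYYY and wYYYY! for every YYYY in FIRST_YEAR..LAST_YEAR
mutate_words() {
    first=$1
    last=$2
    # "|| [ -n "$w" ]" also handles a last line without a trailing newline
    while IFS= read -r w || [ -n "$w" ]; do
        [ -z "$w" ] && continue              # skip blank lines
        printf '%s\n%s!\n' "$w" "$w"
        y=$first
        while [ "$y" -le "$last" ]; do
            printf '%s%s\n%s%s!\n' "$w" "$y" "$w" "$y"
            y=$((y + 1))
        done
    done
}

# count_mutations FIRST_YEAR LAST_YEAR < base_words
# Number of candidates produced: words * (2 + 2 * years)
count_mutations() {
    mutate_words "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample input mirroring a few entries of pwlist.txt above.
sample_words() {
    printf 'January\nPassword\nP@ssw0rd\n'
}

# Demo with the same years as the one-liner above (2019 and 2020):
# 3 words * (2 + 2 * 2) = 18 candidates.
sample_words | mutate_words 2019 2020
```

To reproduce temp_list.txt from the page: mutate_words 2019 2020 < pwlist.txt > temp_list.txt. Widening the range (e.g. 2015 2024) grows the list linearly, so keep an eye on the count before feeding it through rules.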

todo - keep only candidates of 7 to 9 word characters followed by at least one special character ($ & * @ #), i.e. words that already satisfy a typical complexity rule

grep -oP '\w{7,9}[$&*@#][\w$&*@#]+' final_list.txt > withchars.txt

custom wordlist with hashcat

Apply the hashcat rules best64 and toggles1 to temp_list.txt, de-duplicate, and keep only words longer than 7 and shorter than 9 characters (so exactly 8 characters long, e.g. to match a known 8-character password policy)

hashcat --force --stdout temp_list.txt -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/toggles1.rule | sort -u | awk 'length($0) > 7' | awk 'length($0) < 9' > final_list.txt

note

temp_list.txt contains the list of base words.
best64.rule and toggles1.rule are applied to the list; --stdout prints the generated candidates instead of cracking, and --force suppresses the warning hashcat emits when running on a CPU-only or unsupported device.