Password Cracking


Offline hash cracking. Online brute force is in 02 Service Enum under each service.

WL=/usr/share/wordlists/rockyou.txt
RULES=/usr/share/hashcat/rules/best64.rule

i. Identify the hash first

hashid 'hash-here'
hash-identifier
nth hash-here                              ## name-that-hash, most accurate

Common modes you will hit on every box:

Hash                         hashcat -m   Notes
MD5                          0            almost never alone, often wrapped
SHA1                         100          same
NTLM                         1000         local Windows accounts, from SAM
NetNTLMv2                    5600         from responder / smb relay
Kerberos TGS (kerberoast)    13100        $krb5tgs$23$*
Kerberos AS-REP              18200        $krb5asrep$23$
MD5crypt                     500          $1$ Linux shadow
sha256crypt                  7400         $5$
sha512crypt                  1800         $6$ Linux shadow, SLOW
bcrypt                       3200         $2a$, $2b$, SLOW
MSSQL 2012+                  1731         0x0200...
WPA-PBKDF2                   22000        new format, replaces 2500
LUKS                         14600        also 29541 for LUKS2
7-Zip                        11600        $7z$
KeePass                      13400        use keepass2john first

ii. Hashcat basics

Dictionary attack:

hashcat -m 1000 hash.txt "$WL"

Dictionary + rules, the workhorse:

hashcat -m 1000 hash.txt "$WL" -r "$RULES"
hashcat -m 1000 hash.txt "$WL" -r /usr/share/hashcat/rules/OneRuleToRuleThemAll.rule   ## OneRule is a separate download, not shipped with hashcat

Mask attack, you know the structure:

## 8 chars, 1 upper + 6 lower + 1 digit
hashcat -m 1000 hash.txt -a 3 '?u?l?l?l?l?l?l?d'
## Custom charset, ?1 = digits + special
hashcat -m 1000 hash.txt -a 3 -1 '?d!@#$' 'Pass?1?1?1?1'

Combinator, two dicts joined:

hashcat -m 1000 hash.txt -a 1 names.txt years.txt

Hybrid, dict + mask:

hashcat -m 1000 hash.txt -a 6 "$WL" '?d?d?d?d'    ## word + 4 digits
hashcat -m 1000 hash.txt -a 7 '?d?d?d?d' "$WL"    ## 4 digits + word
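
Before launching a mask, combinator or hybrid run it is worth knowing how many candidates it produces and how long that takes at your benchmarked rate. The following is an added example, not code from the page or from hashcat: it reimplements the mask syntax hashcat documents (?l ?u ?d ?s ?a ?b ?h ?H, custom ?1-?4, ?? for a literal '?') and sizes the attacks shown above. The rockyou line count and the 250 GH/s NTLM rate in the demo are assumptions.

```python
# Added example (not from the original page or hashcat): sizes a mask,
# combinator or hybrid attack before you launch it, using the mask syntax
# hashcat documents (?l ?u ?d ?s ?a ?b ?h ?H, ?1-?4, ?? for a literal '?').
import math

# Built-in charsets as hashcat defines them.
BUILTIN = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]
BUILTIN["b"] = "".join(chr(i) for i in range(256))   # every byte value


def _elements(spec, custom):
    """Walk a mask or charset string; each element is a charset reference
    (?x, resolved to its characters) or a single literal character."""
    out, i = [], 0
    while i < len(spec):
        ch = spec[i]
        if ch == "?":
            if i + 1 >= len(spec):
                raise ValueError("dangling '?' in %r" % spec)
            key = spec[i + 1]
            if key == "?":
                out.append("?")
            elif key in custom:
                out.append(custom[key])
            elif key in BUILTIN:
                out.append(BUILTIN[key])
            else:
                raise ValueError("unknown charset ?%s" % key)
            i += 2
        else:
            out.append(ch)
            i += 1
    return out


def charset(spec, custom=None):
    """Expand a -1/-2/-3/-4 argument such as '?d!@#$' into its characters.
    Duplicates are dropped, as hashcat does."""
    return "".join(dict.fromkeys("".join(_elements(spec, custom or {}))))


def custom_charsets(specs):
    """specs like {'1': '?d!@#$', '2': '?1?u'}; later sets may use earlier ones."""
    custom = {}
    for key in sorted(specs):
        custom[key] = charset(specs[key], custom)
    return custom


def mask_keyspace(mask, custom=None):
    """Candidates a -a 3 mask generates: product of per-position sizes,
    a literal character contributing exactly one."""
    return math.prod(len(e) for e in _elements(mask, custom or {}))


def hybrid_keyspace(wordlist_lines, mask, custom=None):
    """-a 6 / -a 7: every word is paired with every mask candidate."""
    return wordlist_lines * mask_keyspace(mask, custom)


def combinator_keyspace(left_lines, right_lines):
    """-a 1: every left word is joined with every right word."""
    return left_lines * right_lines


def eta_seconds(keyspace, hashes_per_second):
    """Worst-case time to exhaust the keyspace at the benchmarked rate."""
    return keyspace / hashes_per_second


def fmt_duration(seconds):
    for unit, size in (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("m", 60)):
        if seconds >= size:
            return "%.1f%s" % (seconds / size, unit)
    return "%.1fs" % seconds


if __name__ == "__main__":
    ROCKYOU = 14_344_391   # assumed line count of rockyou.txt
    NTLM_RATE = 250e9      # assumed ~250 GH/s NTLM on one 4090 (check hashcat -b)
    cs = custom_charsets({"1": "?d!@#$"})
    for label, ks in [
        ("?u?l?l?l?l?l?l?d", mask_keyspace("?u?l?l?l?l?l?l?d")),
        ("Pass?1?1?1?1  (-1 '?d!@#$')", mask_keyspace("Pass?1?1?1?1", cs)),
        ("rockyou + ?d?d?d?d  (-a 6)", hybrid_keyspace(ROCKYOU, "?d?d?d?d")),
        ("?a x 8  (-a 3)", mask_keyspace("?a" * 8)),
    ]:
        print("%-32s %22d  ~%s" % (label, ks, fmt_duration(eta_seconds(ks, NTLM_RATE))))
```

Note that hashcat's own --keyspace prints the base-loop count it uses for -s/-l distribution, not this full product, so do not compare the two directly; the numbers above are what you need for an ETA.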

Show cracked:

hashcat -m 1000 hash.txt --show

Useful flags:

-w 3                                ## workload high
-O                                  ## optimized kernel; caps password length (usually 27-31, hashcat prints the limit)
--username                          ## file is user:hash format
--status --status-timer 10          ## live progress
-d 1,2                              ## use specific GPU devices
--session=name --restore            ## resumable sessions

iii. John when hashcat won’t load

Fast for small/quick stuff or when GPU is unavailable. Auto-detects format:

john --wordlist="$WL" hash.txt
john --wordlist="$WL" --rules=Jumbo hash.txt
john --format=NT --wordlist="$WL" hash.txt
john --show hash.txt

John helpers convert weird formats to crackable hash strings:

zip2john file.zip > z.hash
ssh2john id_rsa > k.hash
keepass2john db.kdbx > kp.hash
office2john.py file.docx > o.hash
pdf2john.pl file.pdf > p.hash

iv. Wordlists

Defaults worth knowing:

  • /usr/share/wordlists/rockyou.txt - start here
  • /usr/share/wordlists/seclists/Passwords/ - categorized lists
  • /usr/share/wordlists/seclists/Usernames/ - for spraying

Better ones to download:

Build a custom list from the target:

cewl -d 3 -m 6 -w cewl.txt https://target.htb
## Then permute with hashcat rules:
hashcat --stdout cewl.txt -r "$RULES" | sort -u > custom.txt
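
To see what the rule pass actually does to each cewl word, here is an added example that is not hashcat's code: a small interpreter for the hashcat rule language covering the functions that make up most of best64.rule (append/prepend, case, reverse, duplicate, rotate, truncate, substitute, insert, extract, and the !X / /X rejects). The cewl words and the rule list in the demo are constructed.

```python
# Added example, not hashcat's code: a small interpreter for the hashcat rule
# language covering the functions that make up most of best64.rule, so you can
# see exactly what 'hashcat --stdout cewl.txt -r best64.rule' emits per word.

# Function name -> number of argument characters it consumes.
ARITY = {
    ":": 0, "l": 0, "u": 0, "c": 0, "C": 0, "t": 0, "r": 0, "d": 0, "f": 0,
    "{": 0, "}": 0, "[": 0, "]": 0, "k": 0, "K": 0,
    "$": 1, "^": 1, "T": 1, "D": 1, "'": 1, "p": 1, "@": 1, "z": 1, "Z": 1,
    "!": 1, "/": 1,
    "s": 2, "i": 2, "o": 2, "x": 2,
}


def _pos(ch):
    """Position/count argument: 0-9, then A-Z for 10-35."""
    return int(ch, 36)


def parse_rule(line):
    """Split one rule line into (function, args) pairs. Spaces between
    functions are optional in hashcat, so parsing is positional."""
    ops, i = [], 0
    while i < len(line):
        ch = line[i]
        if ch.isspace():
            i += 1
            continue
        n = ARITY.get(ch)
        if n is None:
            raise ValueError("unsupported rule function %r in %r" % (ch, line))
        args = line[i + 1:i + 1 + n]
        if len(args) < n:
            raise ValueError("truncated arguments for %r in %r" % (ch, line))
        ops.append((ch, args))
        i += 1 + n
    return ops


def mangle(word, ops):
    """Apply parsed ops to one word. Returns None when a reject function
    (!X or /X) drops the candidate. Out-of-range positions leave the word
    unchanged, which is what hashcat's kernels do."""
    w = word
    for fn, a in ops:
        if fn == ":": pass
        elif fn == "l": w = w.lower()
        elif fn == "u": w = w.upper()
        elif fn == "c": w = w[:1].upper() + w[1:].lower()
        elif fn == "C": w = w[:1].lower() + w[1:].upper()
        elif fn == "t": w = w.swapcase()
        elif fn == "r": w = w[::-1]
        elif fn == "d": w = w + w
        elif fn == "f": w = w + w[::-1]
        elif fn == "{": w = w[1:] + w[:1]
        elif fn == "}": w = w[-1:] + w[:-1]
        elif fn == "[": w = w[1:]
        elif fn == "]": w = w[:-1]
        elif fn == "k" and len(w) > 1: w = w[1] + w[0] + w[2:]
        elif fn == "K" and len(w) > 1: w = w[:-2] + w[-1] + w[-2]
        elif fn == "$": w = w + a
        elif fn == "^": w = a + w
        elif fn == "T":
            n = _pos(a)
            if n < len(w): w = w[:n] + w[n].swapcase() + w[n + 1:]
        elif fn == "D":
            n = _pos(a)
            w = w[:n] + w[n + 1:]
        elif fn == "'": w = w[:_pos(a)]
        elif fn == "p": w = w * (_pos(a) + 1)
        elif fn == "@": w = w.replace(a, "")
        elif fn == "z": w = w[:1] * _pos(a) + w
        elif fn == "Z": w = w + w[-1:] * _pos(a)
        elif fn == "s": w = w.replace(a[0], a[1])
        elif fn == "i":
            n = _pos(a[0])
            if n <= len(w): w = w[:n] + a[1] + w[n:]
        elif fn == "o":
            n = _pos(a[0])
            if n < len(w): w = w[:n] + a[1] + w[n + 1:]
        elif fn == "x":
            n, m = _pos(a[0]), _pos(a[1])
            if n + m <= len(w): w = w[n:n + m]
        elif fn == "!" and a in w: return None
        elif fn == "/" and a not in w: return None
    return w


def run_rules(words, rule_lines, dedupe=False):
    """Equivalent of 'hashcat --stdout words -r rules': every rule applied to
    every word, in order. hashcat does not dedupe here (hence the sort -u on
    the page); pass dedupe=True to collapse repeats in-process."""
    ops = [parse_rule(l) for l in rule_lines if l.strip() and not l.lstrip().startswith("#")]
    out, seen = [], set()
    for word in words:
        for op in ops:
            cand = mangle(word, op)
            if not cand:
                continue
            if dedupe:
                if cand in seen:
                    continue
                seen.add(cand)
            out.append(cand)
    return out


if __name__ == "__main__":
    # Constructed stand-in for cewl output and a handful of best64-style rules.
    cewl_words = ["Acme", "Widgets", "Welcome"]
    rules = [":", "l", "u", "c", "r", "d", "$1", "$1 $2 $3", "$! $1", "c $2 $0 $2 $4",
             "sa@ so0 se3", "T0 ]", "i4!", "/e $e"]
    for cand in run_rules(cewl_words, rules, dedupe=True):
        print(cand)
```

Unsupported functions raise rather than silently pass, so feed it a real rule file only after checking the error; the point is to read what a rule line does, not to replace hashcat's rule engine.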

v. Kerberos hash cracking

Kerberoasting output from GetUserSPNs.py or nxc:

hashcat -m 13100 spn.hash "$WL" -r "$RULES"

AS-REP roasting output:

hashcat -m 18200 asrep.hash "$WL" -r "$RULES"

sha512crypt ($6$) and bcrypt are slow

sha512crypt and bcrypt cost millions of cycles per attempt, so even a 4090 lands orders of magnitude below NTLM speed: a few hundred kH/s for sha512crypt at its default 5000 rounds, and only a few kH/s for bcrypt at cost 10 and up. Check the cost in the hash before committing ($6$rounds=N$..., $2b$12$...), use targeted wordlists, masks, and -O, and save the exhaustive runs for rented GPUs (see below).

vi. Cracking SSH known_hosts

Reveals internal IPs the user has connected to:

curl -SsfL https://github.com/chris408/known_hosts-hashcat/raw/refs/heads/master/kh-converter.py -O
curl -SsfL https://github.com/chris408/known_hosts-hashcat/raw/refs/heads/master/ipv4_hcmask.txt -O
python3 kh-converter.py ~/.ssh/known_hosts > kh.hash
hashcat -m 160 --hex-salt kh.hash -a 3 ipv4_hcmask.txt
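
What kh-converter.py and mode 160 are doing, as an added example that is not from the page or from the converter: OpenSSH with HashKnownHosts stores each host as |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host)), and hashcat -m 160 --hex-salt takes '<hmac hex>:<salt hex>' and re-derives the HMAC per candidate. The known_hosts lines below are constructed; the /24 generator stands in for the full IPv4 mask.

```python
# Added example, not from the page or the kh-converter tool: reproduces the
# OpenSSH HashKnownHosts scheme and the hash:salt line hashcat -m 160 consumes.
import base64
import hashlib
import hmac
import os


def hash_host(host, salt=None):
    """Build the hashed host field OpenSSH writes when HashKnownHosts is yes."""
    salt = salt if salt is not None else os.urandom(20)   # OpenSSH uses a 20-byte salt
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def parse_hashed(field):
    """Return (salt, mac) bytes from a '|1|salt|mac' field, or None if the
    host is stored in clear."""
    if not field.startswith("|1|"):
        return None
    _, _, salt_b64, mac_b64 = field.split("|", 3)
    return base64.b64decode(salt_b64), base64.b64decode(mac_b64)


def hashed_fields(known_hosts_text):
    """Host fields of every hashed line in a known_hosts file (first column;
    key type and key follow it). Comments and cleartext hosts are skipped."""
    fields = []
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("|1|"):
            fields.append(parts[0])
    return fields


def to_hashcat(field):
    """hashcat mode 160 is HMAC-SHA1 with the salt as key; with --hex-salt the
    line is '<mac hex>:<salt hex>'."""
    salt, mac = parse_hashed(field)
    return "%s:%s" % (mac.hex(), salt.hex())


def ipv4_candidates(first_three_octets):
    """One /24 of dotted-quad candidates, the shape ipv4_hcmask.txt
    enumerates for the whole address space."""
    return ["%s.%d" % (first_three_octets, i) for i in range(256)]


def recover(field, candidates):
    """What hashcat does per candidate: re-derive the HMAC with the stored
    salt and compare. Returns the matching host or None."""
    salt, mac = parse_hashed(field)
    for cand in candidates:
        if hmac.compare_digest(hmac.new(salt, cand.encode(), hashlib.sha1).digest(), mac):
            return cand
    return None


if __name__ == "__main__":
    # Constructed known_hosts: one hashed IP, one hashed hostname, one cleartext host.
    sample = "\n".join([
        hash_host("10.10.10.5") + " ssh-ed25519 AAAA...constructed...",
        hash_host("jump.corp.local") + " ssh-ed25519 AAAA...constructed...",
        "github.com ssh-ed25519 AAAA...constructed...",
    ])
    for f in hashed_fields(sample):
        hit = recover(f, ipv4_candidates("10.10.10"))
        print(to_hashcat(f), "->", hit or "no IP in 10.10.10.0/24, try a hostname wordlist")
```

The IPv4 mask only recovers entries that were recorded as addresses; hostnames and [host]:port entries are hashed the same way but need a wordlist (cewl output, internal DNS names) in place of the mask.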

vii. Cloud cracking when local GPU is weak

  • vast.ai - rent RTX 4090s by the hour
  • runpod.io - same idea, hashcat docker image
  • Use dizcza/docker-hashcat:cuda to skip setup

viii. Online lookup before brute force

Always try these first, they are free:

ix. Generate strong test hashes (for box-making)

## NTLM (MD4 over UTF-16LE; on OpenSSL 3 hashlib needs the legacy provider for md4)
python3 -c 'import hashlib; print(hashlib.new("md4","Passw0rd!".encode("utf-16le")).hexdigest())'
## sha512crypt
mkpasswd -m sha-512 Passw0rd!
## bcrypt
htpasswd -bnBC 10 "" Passw0rd! | tr -d ':\n'