created: 2022-04-19T19:53:25 (UTC +08:00)
tags: []
source: https://pentestwiki.org/password-cracking/
author:

✅ Password cracking - pentestwiki.org

Excerpt

Learn password cracking with tools like John the Ripper, hashcat, … Also make your own dictionary lists with cewl and crunch


Create tailored wordlists

Crawl the target site with cewl and keep words of at least 6 characters:

cewl www.example.com -m 6 -w example-cewl.txt

Then add custom mangling rules to john's wordlist rules (applied later with --rules):

vim /etc/john/john.conf

[...]
# Try the second half of split passwords
-s x**
-s-c x** M l Q
# NEW RULES:
# Add two numbers at the end of each password
$[0-9]$[0-9]
# Add two numbers at the end of each password and a special character such as $!./?
$[0-9]$[0-9]$[$!./?]
$[0-9]$[$!./?]
# ADD HERE MORE RULES

[Figure 1: Password cracking]


As root, run the rules over the cewl list and save the expanded candidates:

john --wordlist=example-cewl.txt --rules --stdout > example-cewl-john.txt

Identify the type of a hash before trying to crack it:

hash-identifier

Generate every 6-character string over the hexadecimal alphabet:

crunch 6 6 0123456789ABCDEF -o crunch.txt

Use a predefined character set (here mixalpha, mixed-case letters) from crunch's charset file:

crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha

Generate 8-character strings that follow a pattern (, = upper-case letter, @ = lower-case letter, ^ = symbol, % = digit):

crunch 8 8 -t ,@@^^%%%

General syntax:

crunch <min length> <max length> <alphabet>

Cracking Windows passwords

Given a pwdump-format hash file, try john's default modes first, then a wordlist, then the wordlist with rules:

john 127.0.0.1.pwdump
john --wordlist=/usr/share/wordlists/rockyou.txt 127.0.0.1.pwdump
john --rules --wordlist=/usr/share/wordlists/rockyou.txt 127.0.0.1.pwdump

Cracking Linux passwords

/etc/shadow syntax (the $id$ prefix of the password field names the hash algorithm):

  • $1 = MD5
  • $2, $2a, $2x, $2y, $2b = Blowfish
  • $5 = SHA-256
  • $6 = SHA-512
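As an added example (not code from the page), the prefix table above can drive a quick audit of which accounts still use a weak hash. It also recognises $y$ (yescrypt), which the table does not list; the sample records are constructed.

```python
import re

# Prefixes from the /etc/shadow table above, plus "$y$" (yescrypt, the default
# on current Debian, Ubuntu and Fedora), which the page does not list.
SHADOW_ALGORITHMS = {
    "1": "MD5", "5": "SHA-256", "6": "SHA-512", "y": "yescrypt",
    "2": "Blowfish", "2a": "Blowfish", "2x": "Blowfish", "2y": "Blowfish",
    "2b": "Blowfish",
}
WEAK_ALGORITHMS = {"MD5"}  # MD5-crypt is cheap to attack with the tools above

def classify_shadow_line(line):
    """Return (user, algorithm, locked); algorithm is None if not a known crypt hash."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError(f"malformed shadow record: {line!r}")
    user, pw = fields[0], fields[1]
    # An empty field, "*" or a leading "!" means no password login is possible.
    if pw == "" or pw[0] in "!*":
        return user, None, True
    m = re.match(r"^\$([^$]+)\$", pw)
    return user, SHADOW_ALGORITHMS.get(m.group(1)) if m else None, False

def audit_shadow(text):
    """Count hash algorithms and list users whose hash is weak or unrecognised."""
    report = {"by_algorithm": {}, "weak": [], "unknown": [], "locked": []}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, algo, locked = classify_shadow_line(line)
        if locked:
            report["locked"].append(user)
            continue
        name = algo or "unknown"
        report["by_algorithm"][name] = report["by_algorithm"].get(name, 0) + 1
        if algo in WEAK_ALGORITHMS:
            report["weak"].append(user)
        elif algo is None:
            report["unknown"].append(user)
    return report

# Constructed sample records: salts and hashes are dummy strings, not real ones.
SAMPLE_SHADOW = """\
root:$6$saltsalt$dummyhashvalue:19000:0:99999:7:::
legacy:$1$abcdefgh$dummyhashvalue:19000:0:99999:7:::
svc:$2b$12$dummysaltanddummyhashvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:!$6$saltsalt$dummyhashvalue:19000:0:99999:7:::
oddity:{SSHA}dummy:19000:0:99999:7:::
"""
```

Run audit_shadow on the contents of a real shadow file to get the per-algorithm counts and the users whose hashes should be rehashed on next login.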

Using John the Ripper (as root)

Merge the passwd and shadow files into john's input format, then crack with rules and a wordlist:

unshadow passwd.txt shadow.txt > unshadowed.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

Using Hashcat (as root)

Straight (dictionary) attack for MD5 (-m 0 selects MD5, -a 0 selects straight mode):

hashcat -m 0 -a 0 /root/hashes.txt /usr/share/wordlists/rockyou.txt

Combination attack for MD5 (-a 1 selects combinator mode, which joins every word of the first list with every word of the second, so two wordlists are required):

hashcat -m 0 -a 1 /root/hashes.txt /usr/share/wordlists/rockyou.txt <second-wordlist.txt>