Cracking Passwords

# Crack NTLM hashes with Hashcat
hashcat -m 1000 dumpedhashes.txt /usr/share/wordlists/rockyou.txt

# Crack a single NTLM hash, then print the cracked result from the potfile (--show does not crack by itself)
hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt
hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b --show

# Combine passwd and shadow files for cracking
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes

# Crack unshadowed hashes
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

# Extract the passphrase hash from an SSH private key, crack it, then print the result (--show only reads the pot file)
python3 ssh2john.py SSH.private > ssh.hash
john --wordlist=rockyou.txt ssh.hash
john ssh.hash --show

# Extract and crack Office file hashes
office2john.py Protected.docx > protected-docx.hash
john --wordlist=rockyou.txt protected-docx.hash

# Crack PDF and ZIP file hashes
pdf2john.pl PDF.pdf > pdf.hash
john --wordlist=rockyou.txt pdf.hash
zip2john ZIP.zip > zip.hash
john --wordlist=rockyou.txt zip.hash

# Extract BitLocker hashes from a disk image and crack them
bitlocker2john -i Backup.vhd > backup.hashes
john --wordlist=rockyou.txt backup.hashes

# Try each wordlist entry as the passphrase of an openssl enc file (legacy -k key derivation); stop at the first one that decrypts and untars
while IFS= read -r pw; do openssl enc -aes-256-cbc -d -in GZIP.gzip -k "$pw" 2>/dev/null | tar xz 2>/dev/null && { echo "passphrase: $pw"; break; }; done < rockyou.txt

Use the SecLists names list (seclists/Names/names.txt) as the wordlist for user-name enumeration.

Password spraying (one or a few passwords tried against many accounts, e.g. with crackmapexec over SMB, WinRM or RDP)
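From the defender's side, a spray is what per-account lockout thresholds miss: each account sees only one or two failures, but one source touches many accounts in a short window. The script below is an added example, not part of this cheat sheet or of any tool it lists. It assumes a constructed, simplified failed-logon line format (`<ISO timestamp> FAILED_LOGON user=<name> src=<ip> svc=<smb|winrm|rdp>`); the sample records and the thresholds (`min_users`, `max_per_user`, `min_brute`, the 10-minute window) are assumptions, not vendor defaults, and a real Windows 4625, Samba or sshd feed needs its own parser.

```python
"""Flag password-spraying (and single-account brute-force) patterns in failed-logon records.

Added example, not part of the original cheat sheet. It assumes a constructed,
simplified log format, one failed logon per line:
    <ISO-8601 timestamp> FAILED_LOGON user=<name> src=<ip> svc=<smb|winrm|rdp>
Real sources (Windows event 4625, Samba or sshd logs) need their own parser;
the detection thresholds below are assumptions, not vendor defaults.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) FAILED_LOGON user=(?P<user>\S+) src=(?P<src>\S+) svc=(?P<svc>\S+)$"
)


@dataclass
class Failure:
    ts: datetime
    user: str
    src: str
    svc: str


def parse_log(text: str) -> list:
    """Parse the constructed format; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # Normalise case so "Carol" and "carol" count as one target account.
            events.append(Failure(datetime.fromisoformat(m["ts"]),
                                  m["user"].lower(), m["src"], m["svc"]))
    return events


def detect_auth_anomalies(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2, min_brute=5) -> dict:
    """Return {source_ip: finding} for sources whose failures, within some
    sliding window, look like a spray (many accounts, few tries each) or a
    brute force (one account, many tries). Counting per source rather than
    per account is what catches a spray that stays under lockout limits."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the span covers at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            per_user = Counter(e.user for e in span)
            kind = None
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                kind = "spray"
            elif len(per_user) == 1 and len(span) >= min_brute:
                kind = "brute_force"
            if kind:
                # A later, larger qualifying window overwrites the earlier one,
                # so the finding reflects the full extent seen for this source.
                findings[src] = {
                    "kind": kind,
                    "users": sorted(per_user),
                    "services": sorted({e.svc for e in span}),
                    "attempts": len(span),
                    "first": span[0].ts,
                    "last": span[-1].ts,
                }
    return findings


# Constructed sample records (not real telemetry): one source touching six
# accounts once each across SMB/WinRM/RDP, one hammering a single account,
# one harmless single failure, and one unrelated line that the parser skips.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAILED_LOGON user=alice src=10.0.0.5 svc=smb
2024-05-01T09:00:02 FAILED_LOGON user=admin src=10.0.0.9 svc=rdp
2024-05-01T09:00:03 FAILED_LOGON user=bob src=10.0.0.5 svc=smb
2024-05-01T09:00:04 FAILED_LOGON user=Carol src=10.0.0.5 svc=winrm
2024-05-01T09:00:05 FAILED_LOGON user=admin src=10.0.0.9 svc=rdp
2024-05-01T09:00:06 FAILED_LOGON user=dave src=10.0.0.5 svc=rdp
2024-05-01T09:00:08 FAILED_LOGON user=admin src=10.0.0.9 svc=rdp
2024-05-01T09:00:09 FAILED_LOGON user=erin src=10.0.0.5 svc=smb
2024-05-01T09:00:10 FAILED_LOGON user=admin src=10.0.0.9 svc=rdp
2024-05-01T09:00:11 FAILED_LOGON user=frank src=10.0.0.5 svc=smb
2024-05-01T09:00:12 FAILED_LOGON user=admin src=10.0.0.9 svc=rdp
2024-05-01T09:00:20 FAILED_LOGON user=carol src=10.0.0.7 svc=smb
2024-05-01T09:00:21 SERVICE_RESTART name=smbd
"""

if __name__ == "__main__":
    for src, f in detect_auth_anomalies(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {f['kind']} against {len(f['users'])} account(s) over "
              f"{f['services']} ({f['attempts']} failures, "
              f"{f['first'].time()} to {f['last'].time()})")
```

Run it as a script to see one `spray` finding (10.0.0.5, six accounts, three services) and one `brute_force` finding (10.0.0.9, the `admin` account), while the lone failure from 10.0.0.7 produces nothing. The useful mitigation signal is the per-source view: a spray at one attempt per account never trips an account lockout, so alerting on distinct-user fan-out per source (and per-source rate limiting at the SMB/WinRM/RDP edge) is what closes the gap.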

Tools:

  • John
  • Hashcat