Password Attacks
Connecting to Target

| Command | Description |
| --- | --- |
| | CLI-based tool used to connect to a Windows target using the Remote Desktop Protocol. |
| | Uses Evil-WinRM to establish a PowerShell session with a target. |
| | Uses SSH to connect to a target using a specified user. |
| | Uses smbclient to connect to an SMB share using a specified user. |
| | Uses smbserver.py to create a share on a Linux-based attack host. Useful when files need to be transferred from a target to an attack host. |
Password Mutations

| Command | Description |
| --- | --- |
| | Uses cewl to generate a wordlist based on keywords present on a website. |
| | Uses Hashcat to generate a rule-based wordlist. |
| | Uses the username-anarchy tool in conjunction with a pre-made list of first and last names to generate a list of potential usernames. |
| | Uses the Linux-based commands curl, awk, grep and tee to download a list of file extensions to be used when searching for files that could contain passwords. |
Remote Password Attacks

| Command | Description |
| --- | --- |
| | Uses CrackMapExec over WinRM to attempt to brute-force the specified usernames and passwords against a target. |
| | Uses CrackMapExec to enumerate SMB shares on a target using a specified set of credentials. |
| | Uses Hydra in conjunction with a user list and a password list to attempt to crack a password over the specified service. |
| | Uses Hydra in conjunction with a username and a password list to attempt to crack a password over the specified service. |
| | Uses Hydra in conjunction with a user list and a password to attempt to crack a password over the specified service. |
| | Uses Hydra in conjunction with a list of credentials to attempt to log in to a target over the specified service. This can be used to attempt a credential stuffing attack. |
| | Uses CrackMapExec in conjunction with admin credentials to dump password hashes stored in the SAM over the network. |
| | Uses CrackMapExec in conjunction with admin credentials to dump LSA secrets over the network. It is possible to obtain clear-text credentials this way. |
| | Uses CrackMapExec in conjunction with admin credentials to dump hashes from the NTDS file over the network. |
| | Uses Evil-WinRM to establish a PowerShell session with a Windows target using a user and password hash. This is one type of |
Windows Local Password Attacks

| Command | Description |
| --- | --- |
| | A command-line utility in Windows used to list running processes. |
| | Uses the Windows command-line utility findstr to search for the string "password" in many different file types. |
| | A PowerShell cmdlet used to display process information. Using this with the LSASS process can be helpful when attempting to dump LSASS process memory from the command line. |
| | Uses rundll32 in Windows to create an LSASS memory dump file. This file can then be transferred to an attack box to extract credentials. |
| | Uses Pypykatz to parse and attempt to extract credentials and password hashes from an LSASS process memory dump file. |
| | Uses reg.exe in Windows to save a copy of a registry hive at a specified location on the file system. It can be used to make copies of any registry hive (e.g., hklm\sam, hklm\security, hklm\system). |
| | Uses move in Windows to transfer a file to a specified file share over the network. |
| | Uses Secretsdump.py to dump password hashes from the SAM database. |
| | Uses the Windows command-line tool vssadmin to create a volume shadow copy for |
| | Uses the Windows command-line tool copy to create a copy of NTDS.dit for a volume shadow copy of |
Linux Local Password Attacks

| Command | Description |
| --- | --- |
| | Script that can be used to find .conf, .config and .cnf files on a Linux system. |
| | Script that can be used to find credentials in specified file types. |
| | Script that can be used to find common database files. |
| | Uses the Linux-based find command to search for text files. |
| | Script that can be used to search for common file types used with scripts. |
| | Script used to look for common types of documents. |
| | Uses the Linux-based cat command to view the contents of the crontab in search of credentials. |
| | Uses the Linux-based ls -la command to list all files that start with |
| | Uses the Linux-based grep command to search the file system for key terms |
| | Uses the Linux-based grep command to search for the keywords |
| | Uses the Linux-based grep command to search for keywords |
| | Uses the Linux-based tail command to search through bash history files and output the last 5 lines. |
| | Runs Mimipenguin.py using python3. |
| | Runs Mimipenguin.sh using bash. |
| | Runs Lazagne.py with all modules using python2.7. |
| | Uses a Linux-based command to search for credentials stored by Firefox, then searches for the keyword |
| | Uses the Linux-based command cat to search for credentials stored by Firefox in JSON. |
| | Runs Firefox_decrypt.py to decrypt any encrypted credentials stored by Firefox. The program runs using python3.9. |
| | Runs the Lazagne.py browsers module using Python 3. |
Cracking Passwords

| Command | Description |
| --- | --- |
| | Uses Hashcat to crack NTLM hashes using a specified wordlist. |
| | Uses Hashcat to attempt to crack a single NTLM hash and display the results in the terminal output. |
| | Uses unshadow to combine data from passwd.bak and shadow.bk into a single file to prepare for cracking. |
| | Uses Hashcat in conjunction with a wordlist to crack the unshadowed hashes and outputs the cracked hashes to a file called unshadowed.cracked. |
| | Uses Hashcat in conjunction with a wordlist to crack the MD5 hashes in the md5-hashes.list file. |
| | Uses Hashcat to crack the extracted BitLocker hashes using a wordlist and outputs the cracked hashes to a file called backup.cracked. |
| | Runs the Ssh2john.pl script to generate hashes for the SSH keys in the SSH.private file, then redirects the hashes to a file called ssh.hash. |
| | Uses John to attempt to crack the hashes in the ssh.hash file, then outputs the results in the terminal. |
| | Runs Office2john.py against a protected .docx file and converts it to a hash stored in a file called protected-docx.hash. |
| | Uses John in conjunction with the wordlist rockyou.txt to crack the hash in protected-docx.hash. |
| | Runs the Pdf2john.pl script to convert a PDF file to a PDF hash to be cracked. |
| | Runs John in conjunction with a wordlist to crack a PDF hash. |
| | Runs Zip2john against a zip file to generate a hash, then adds that hash to a file called zip.hash. |
| | Uses John in conjunction with a wordlist to crack the hashes contained in zip.hash. |
| | Uses the Bitlocker2john script to extract hashes from a VHD file and directs the output to a file called backup.hashes. |
| | Uses the Linux-based file tool to gather file format information. |
| | Script that runs a for loop to extract files from an archive. |