Clone of . For those who would prefer to not be tracked by MS.
# Password Bruting and Hashcracking
----------------------------------------------------
## Table of Contents
- [General](#general)
- [BruteForce](#brute)
- [CAPTCHA](#captcha)
- [Password Auditing](#audit)
- [Default Credentials](#default)
- [Password Statistics](#stats)
- [Password Spraying](#spray)
- [Wordlist Generation](#wordlistgen)
- [Wordlists](#wordlists)
- [Cracking Passwords/Hashes](#crack)
- [John-the-Ripper](#jtr)
- [Hashcat](#hashcat)
- [Automating Hashcat](#hauto)
- [Hashcat Attacks](#hattack)
- [Hashcat Rules](#hrules)
- [Hashcat Tools](#htools)
- [App Specific Tools (as in single application focus)](#appt)
- [KeePass](#keepass)
- [MS Office](#msoffice)
- [PDFs](#pdf)
- [Zip Files](#zip)
- [General Cracking Tools](#generalt)
- [Papers](#papers)
----------------------------------------------------
* **To-Do**
    * Crackmeifyoucan contests
    * Other contests
    * Other stuff
---------------------------
### <a name="general"></a> General
* **101**
* **Account Validation**
    * [Six Methods to Determine Valid User Accounts in Web Applications - Dave](
* **Articles/Papers/Talks/Writeups**
    * [RockYou Wordlist Origin](
    * [How I became a password cracker](
    * [Th3 L@s7 0f u$: Analysis of Survival Password Genetics - @netmux](
    * [A cr4cking g00d time - 12 challenges. 1 cryptocurrency prize! - @stealthsploit](
    * [A cr4cking g00d time - walkthrough](
    * [Authentication Research Paper Index -](
        * This project is an ongoing effort to compile and share a comprehensive, but curated, index of password and authentication related research produced by academic, industry, and government experts. We share the details of useful research, provide links to free copies of the papers (when possible), and encourage collaboration between authors and other security professionals.
* **Building a Hash Cracking Rig**
    * [Why Most Passwords Suck - Brett Dewall(2019)](
    * [How To Build A Password Cracking Rig](
* **BruteForce**<a name="brute"></a>
    * **Tools**
        * [Crowbar](
            * Crowbar is a brute forcing tool that can be used during penetration tests. It is developed to support protocols that are not currently supported by thc-hydra and other popular brute forcing tools.
* **CAPTCHA**<a name="captcha"></a>
* **Default Credentials**<a name="default"></a>
    * [Web Application Defaults DB(2012)](
        * A DB of known Web Application Admin URLs, Username/Password Combos and Exploits
    * [Web Application Defaults DB(2013)](
    * [Default Oracle Creds](
* **Password Analysis/Auditing**<a name="audit"></a>
    * **101**
        * [Validating the user password selection in Azure AD B2C by invoking Troy Hunt's 'Pwned Passwords' API - Rory Braybrook](
    * **Articles/Papers/Talks/Writeups**
        * [Analyzing large password dumps with Elastic Stack and Python - Victor Pasknel(2018)](
    * **Tools**
        * **Active Directory**
            * [Domain Password Audit Tool (DPAT)](
                * This is a Python script that will generate password use statistics from password hashes dumped from a domain controller and a password crack file such as the hashcat.potfile generated by Hashcat during password cracking. The report is an HTML report with clickable links.
            * [Match-ADHashes](
                * Builds a hashmap of AD NTLM hashes/usernames and iterates through a second list of hashes, checking for the existence of each entry in the AD NTLM hashmap.
        * **General**
            * [Cryptbreaker](
                * Upload files and use AWS Spot Instances to crack passwords. Using cloud capabilities you can even prevent plaintext credentials from leaving the isolated cracking box, ensuring that you get usable statistics on passwords while minimizing plaintext credential exposure.
* **Password Generation**
    * **Tools**
        * [DPG](
            * DPG is a deterministic password generator that does not store data or keep state. Its output is based purely on user input.
        * [Password Guessing Framework](
            * The Password Guessing Framework is an open source tool to provide an automated and reliable way to compare password guessers. It can help to identify individual strengths and weaknesses of a guesser, its modes of operation or even the underlying guessing strategies. Therefore, it gathers information about how many passwords from an input file (password leak) have been cracked in relation to the number of generated guesses. Subsequent to the guessing process, an analysis of the cracked passwords is performed.
* **Password Strength/Usage Statistics**<a name="stats"></a>
    * [Password Statistics - ldapwiki(2018)](
    * [Authentication Statistic Index -](
        * This page offers a categorized index of useful and commonly requested authentication statistics. Want to see how your organization's password practices compare to others? Interested in targeting a topic for user awareness training? Find the statistics that interest you and click on the title to read the details.
    * [A Study of Chinese Passwords - Sunnia Ye(2018)](
    * [Analysing over 1M leaked passwords from the UK's biggest companies - passlo](
    * [Uncovering Password Habits: Are Users' Password Security Habits Improving? (Infographic) - Nate Lord(2018)](
    * [44 million Microsoft users reused passwords in the first three months of 2019 - Catalin Cimpanu(2019)](
    * [Most hacked passwords revealed as UK cyber survey exposes gaps in online security](
        * The NCSC's first 'UK cyber survey' published alongside global password risk list
    * [Ranked: The World's Top 100 Worst Passwords - Davey Winder(2019)](
* **Password Spraying**<a name="spray"></a>
    * **General**
        * **Articles/Papers/Talks/Writeups**
            * [Exploiting Password Reuse on Personal Accounts: How to Gain Access to Domain Credentials Without Being on a Target's Network: Part 1 - Beau Bullock](
            * [Brute Forcing with Burp - Pentesters Tips & Tricks Week 1 -](
        * **Tools**
            * [brut3k1t](
                * brute is a Python-based library framework and engine that enables security professionals to rapidly construct bruteforce / credential stuffing attacks. It features both a multi-purpose command-line application (brute) and a software library that can be used in tandem to quickly generate standalone module scripts for attacks.
    * **Linux**
        * [Raining shells on Linux environments with Hwacha](
        * [Hwacha](
            * Hwacha is a tool to quickly execute payloads on `*`Nix based systems. Easily collect artifacts or execute shellcode on an entire subnet of systems for which credentials have been obtained.
    * **MS Outlook/Office365**
        * **Articles/Papers/Talks/Writeups**
            * [Password Spraying Outlook Web Access - How to Gain Access to Domain Credentials Without Being on a Target's Network: Part 2 - Beau Bullock](
        * **Tools**
            * [MSOLSpray](
                * A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.
            * [SprayingToolkit](
                * Scripts to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient.
    * **Windows**
        * [Use PowerShell to Get Account Lockout and Password Policy](
        * [DomainPasswordSpray](
            * DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain.
        * [NTLM - Open-source script from root9B for manipulating NTLM authentication](
            * This script tests a single hash or file of hashes against an NTLMv2 challenge/response, e.g. from auxiliary/server/capture/smb. The idea is that you can identify re-used passwords between accounts that you do have the hash for and accounts that you do not have the hash for, offline and without cracking the password hashes. This saves you from trying your hashes against other accounts live, which triggers lockouts and alerts.
        * [CredNinja](
            * A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at scale via SMB, plus now with a user hunter.
        * [SprayingToolkit](
            * A set of Python scripts/utilities that tries to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient.
        * [RDPassSpray](
            * Python3 tool to perform password spraying using RDP
* **Wordlist Generation**<a name="wordlistgen"></a>
    * **Articles/Writeups**
        * [Generating Wordlists](
        * [Weak in, Weak out: Keeping Password Lists Current - @NYXGEEK](
        * [Efficient Wordlists - Why you don't need 25GB To Be a Pro - Dimitri Fousekis(2015)](
        * [Generating Custom Wordlists For Targeted Attacks - securethelogs(2019)](
    * **Source: From Nothing**
        * [Creating Wordlists with Crunch](
        * [weakpass_generator](
            * Generates weak passwords based on the current date.
    * **Source: Keyboard Walks**
        * [Generating Keyboard Walks -](
        * [Methods to Generate Keyboard Walks for Password Cracking - Rich Kelley](
    * **Source: Permutations Based on User Input**
        * [Creating Wordlists with Crunch](
        * [OMEN: Ordered Markov ENumerator](
            * OMEN is a Markov model-based password guesser written in C. It generates password candidates according to their occurrence probabilities, i.e., it outputs the most likely passwords first. OMEN significantly improves guessing speed over existing proposals. If you are interested in the details on how OMEN improves on existing Markov model-based password guessing approaches, please refer to OMEN: Faster Password Guessing Using an Ordered Markov Enumerator.
    * **Source: User Profiling**
        * [Mentalist](
            * Mentalist is a graphical tool for custom wordlist generation. It utilizes common human paradigms for constructing passwords and can output the full wordlist as well as rules compatible with Hashcat and John the Ripper.
            * [Wiki](
        * [ - Common User Passwords Profiler](
            * The most common form of authentication is the combination of a username and a password or passphrase. If both match values stored within a locally stored table, the user is authenticated for a connection. Password strength is a measure of the difficulty involved in guessing or breaking the password through cryptographic techniques or library-based automated testing of alternate values. A weak password might be very short or only use alphanumeric characters, making decryption simple. A weak password can also be one that is easily guessed by someone profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money or password. That is why CUPP was born, and it can be used in situations like legal penetration tests or forensic crime investigations.
    * **Source: Designated website/resource**
        * [GitDigger](
            * gitDigger: Creating real-world wordlists from GitHub-hosted data.
        * [Wikigen](
            * A script to generate wordlists out of Wikipedia pages. Should support most of the subdomains. Some ugly code may occur.
        * [CeWL](
            * CeWL is a Ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.
            * [Comprehensive Guide on Cewl Tool - Raj Chandel](
        * [rhodiola](
            * The Rhodiola tool is developed to narrow the brute force combination pool by creating a personalized wordlist for target people. It finds the interest areas of a given user by analyzing his/her tweets, and builds a personalized wordlist.
            * [Generating Personalized Wordlists by Analyzing Targets' Tweets - Utku Sen(DEFCON27 ReconVillage)](
    * **BigData**
        * [Commonspeak2](
            * Commonspeak2 leverages publicly available datasets from Google BigQuery to generate content discovery and subdomain wordlists. As these datasets are updated on a regular basis, the wordlists generated via Commonspeak2 reflect the current technologies used on the web. By using the Golang client for BigQuery, we can stream the data and process it very quickly. The future of this project will revolve around improving the quality of wordlists generated by creating automated filters and substitution functions. Let's turn creating wordlists from a manual task into a reproducible and reliable science with BigQuery.
    * **Modifying Wordlists**
        * [HVAZARD Dictionary Modifier](
            * Remove short passwords & duplicates, change lowercase to uppercase & reverse, combine wordlists!
        * [duprule](
            * Detect & filter duplicate hashcat rules
        * [rurasort](
            * This utility is used to help you streamline your wordlists by performing tasks on them. Note that output is written to STDOUT and you have to pipe the data to where you want it to go, usually to a file with `> myfile.txt`.
        * [cauldera](
            * Distillations, expansions and riffs on Rocktastic. Why cauldera? As potent as I've found Rocktastic to be, and as wickedly effective as using PACK has been, I picture the gargantuan results of their combination to be a massive, simmering pool of doom. Like Yellowstone.
        * [cudaMergeSort](
            * cudaMergeSort is a highly parallel hybrid mergesort for sorting large files of arbitrary ASCII text (such as password cracking wordlists). It is intended to be a fast replacement for sort(1) for large files. A parallel radix sort is performed on each chunk of the input file on the GPU (compliments of Thrust), while each chunk is merged in parallel on the host CPU. Only unique lines are merged, and cudaMergeSort is therefore directly analogous to performing `sort -u` on an ASCII text file.
* **Lists of Wordlists**<a name="wordlists"></a>
    * [Probable-Wordlists](
        * Wordlists sorted by probability, originally created for password generation and testing
    * [statistically-likely-usernames](
        * This resource contains wordlists for creating statistically likely usernames for use in username enumeration, simulated password attacks and other security testing tasks.
    * [SecLists](
    * [Crackstation's Password Cracking Dictionary 1.5b words](
        * HIGHLY recommended
    * [WPA/WPA2 Dictionaries](
    * [SkullSecurity Password lists](
    * [Crack Me if You Can - Defcon 2010](
    * [BEWGor](
        * Bull's Eye Wordlist Generator
    * [Oracle Default Password List](
    * [Passhunt](
        * Passhunt is a simple tool for searching for default credentials for network devices, web applications and more. Search through 523 vendors and their 2084 default passwords.
    * [Rocktastic: a word list on steroids - nettitude](
    * [Commonspeak: Content discovery wordlists built with BigQuery - Shubham Shah](
    * [passphrase-wordlist](
        * Passphrase wordlist and hashcat rules for offline cracking of long, complex passwords
    * [Google Fuzzing dictionaries](
    * **Wordlist Tools**
        * [HVAZARD Dictionary Modifier](
            * Remove short passwords & duplicates, change lowercase to uppercase & reverse, combine wordlists!
* **Other**
    * [HashView](
        * Hashview is a tool for security professionals to help organize and automate the repetitious tasks related to password cracking. Hashview is a web application that manages hashcat commands. Hashview strives to bring consistency to your hashcat tasks while delivering analytics with pretty pictures ready for ctrl+c, ctrl+v into your reports.
    * [Password cracking, mining, and GPUs](
    * [CredKing](
        * Password spraying using AWS Lambda for IP rotation
--------------------
### Cracking Hashes
* **Cracking Passwords/Hashes**<a name="crack"></a>
    * **101**
        * [Introduction to Cracking Hashes](/)
            * Good introductory source on hash cracking.
        * [Example hashes -](
        * [A Practical Guide to Cracking Password Hashes - Matt Marx(2015)](
        * [My password cracking brings all the hashes to the yard.. - Larry Pesce(Hackfest2015)](
        * [Password Cracking 201: Beyond the Basics - Royce Williams(2017)](
            * [Slides](
        * [Password Cracking - Here's How the Pros Do It - Nick VanGilder(2018)](
        * [Let's Get Cracking: A Beginner's Guide to Password Analysis - Steve Tornio(2019)](
        * [Hashcat: How to discard words of length less than N after rules have been applied? - StackExchange(2018)](
    * **Reference**
        * [List of hash types/examples](
        * [Password Recovery Speeds](
            * Password cracking time measurements
    * **Articles & Writeups**
        * [Cracking Active Directory Passwords or "How to Cook AD Crack"](
        * [How to crack password hashes efficiently](
            * Excellent writeup/methodology explanation
        * [Building a Better GPU based hash cracking methodology]( Penr-methodology/)
            * A bit basic, but still great advice nonetheless
        * [5min Guide to setting up a GPU cracker in the cloud on AWS + a script to automate it all](
        * [GPU Password Cracking - Building a Better Methodology - Karl Fosaaen](
        * [oclHashcat, HalfLM (netlm), and Bruteforcing the Second Half -](
        * [Hashdumps and Passwords(2010-2014) - adeptus-mechanicus](
        * [Statistics Will Crack Your Password - Julian Dunning](
        * [Unmasked: What 10 million passwords reveal about the people who choose them](
        * [Password cracking and auditing - DarthSidious](
        * [Estimating Password Cracking Times - BetterBuys(2016)](
    * **Talks/Videos/Presentations**
        * [Cracking Corporate Passwords - Exploiting Password Policy Weaknesses - Rick Redman(Derbycon2013)](
            * "Cracking corporate passwords is no different than cracking public MD5 leaks off of pastebin. Except, it totally is. Corporate passwords are not in the same formats you are used to, they require capital letters, numbers and/or special characters. How can we use this knowledge to our advantage? What sort of tricks are users doing when they think no one is looking? What other types of vulnerabilities is password policy introducing? What patterns is password rotation policy creating?"
        * [PRINCE: modern password guessing algorithm - Jens Steube(2014)](
            * [Tutorial - atom(2015)](
        * [Modeling Password Creation Habits with Probabilistic Context Free Grammars - Dr Matt Weir(BSidesLV2016)](
            * [Slides](
        * [Hashcat: GPU password cracking for maximum win - `_NSAKEY`(PhreakNIC 19)](
            * After briefly touching on the general concept of password cracking, the focus of the talk will be on the effectiveness of different attack modes in hashcat, with a heavy emphasis on rule-based attacks. While the name of the talk is "hashcat," this talk will almost exclusively discuss the GPU-enabled versions (specifically cudaHashcat). The final phase of the talk will include the results of my own experiments in creating rule sets for password cracking, along with an analysis of the known plaintext passwords from the test hash list.
            * [Slides](
        * [SecTalks SYD0x37 (55th) - Password Cracking in 2020 (or) why does this still work? - Raaqim Mohammed(2020)](
            * It was the 90s, I was but a child and LM hashes ruled the day. Windows didn't salt their hashes. It is 2020, I grew up and NTLM hashes ruled the day. Windows didn't salt their hashes. This presentation will provide a guide of what to do once you get your hands on these tasty hashes and need to figure out how to 'crack' them when things aren't as easy as you expected...
    * **Password Rulesets**
        * [Statistics Will Crack Your Password - Julian Dunning(2015)](
        * [Hob0Rules Released: Statistics Based Password Cracking Rules - Julian Dunning(2016)](
        * [One Rule to Rule Them All - notsosecure(2017)](
        * [rulesfinder](
            * This tool finds efficient password mangling rules (for John the Ripper or Hashcat) for a given dictionary and a list of passwords.
    * **Tools**
        * [Hashtag](
            * Password hash identification tool written in Python
        * [hcxtools](
            * Small set of tools to capture and convert packets from WLAN devices (h = hash, c = capture, convert and calculate candidates, x = different hash types) for use with the latest hashcat or John the Ripper. The tools are 100% compatible with hashcat and John the Ripper and recommended by hashcat. This branch is pretty closely synced to the hashcat git branch (that means: latest hcxtools matching the latest hashcat beta) and the John the Ripper git branch ("bleeding-jumbo").
        * [PACK (Password Analysis and Cracking Toolkit)](
            * PACK (Password Analysis and Cracking Toolkit) is a collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics. The toolkit generates valid input files for the Hashcat family of password crackers.
        * [BarsWF](
            * MD5 Cracker
        * [Cryptbreaker](
            * Upload files and use AWS Spot Instances to crack passwords. Using cloud capabilities you can even prevent plaintext credentials from leaving the isolated cracking box, ensuring that you get usable statistics on passwords while minimizing plaintext credential exposure.
        * [princeprocessor](
            * Standalone password candidate generator using the PRINCE algorithm
    * **Miscellaneous**
        * **Cisco**
            * [Cisco Password Cracking and Decrypting Guide -](
                * In this guide we will go through Cisco password types that can be found in Cisco IOS-based network devices. We will cover all common Cisco password types (0, 4, 5, 7, 8 and 9) and provide instructions on how to decrypt them or crack them using popular open-source password crackers such as John the Ripper or Hashcat.
        * **Windows**
            * **Articles/Papers/Talks/Writeups**
                * [Cracking NTLMv1 w/ ESS/SSP -](
                * [LM, NTLM, Net-NTLMv2, oh my! A Pentester's Guide to Windows Hashes - Peter Gombos](
            * **Talks/Presentations/Videos**
            * **Tools**
                * [Rainbow Crackalack v1.2](
                    * This project produces open-source code to generate rainbow tables as well as use them to look up password hashes. While the current release only supports NTLM, future releases may support MD5, SHA-1, SHA-256, and possibly more. Both Linux and Windows are supported!
                    * [Homepage](
                * [ntlmv1-multi](
                    * This tool modifies NTLMv1/NTLMv1-ESS/MSCHAPv2 hashes so they can be cracked with DES mode 14000 in hashcat
* **CAPTCHA**
    * **Talks & Presentations**
        * [Releasing the CAPTCHA Cracken - Sean Brodie, Tinus Green](
    * **Tools**
        * [CAPTCHA22](
            * CAPTCHA22 is a toolset for building and training CAPTCHA cracking models using neural networks. These models can then be used to crack CAPTCHAs with a high degree of accuracy. When used in conjunction with other scripts, CAPTCHA22 gives rise to attack automation, subverting the very control that aims to stop it.
  286. * **Cracking Specific Application Passwords/Hashes**<a name="appt"></a>
  287. * **KeePass**<a name="keepass"></a>
  288. * [mod0keecrack](
  289. * mod0keecrack is a simple tool to crack/bruteforce passwords of KeePass 2 databases. It implements a KeePass 2 Database file parser for .kdbx files, as well as decryption routines to verify if a supplied password is correct. mod0keecrack only handles the encrypted file format and is not able to parse the resulting plaintext database. The only purpose of mod0keecrack is the brute-forcing of a KeePass 2 database password.
  290. * **MS Office**<a name="msoffice"></a>
  291. * [crackxls2003 0.4](
  292. * This program may be used to break the encryption on Microsoft Excel and Microsoft Word file which have been encrypted using the RC4 method, which uses a 40-bit-long key. This was the default encryption method in Word and Excel 97/2000/2002/2003. This program will not work on files encrypted using Word or Excel 2007 or later, or for versions 95 or earlier. It will not work if a file was encrypted with a non-default method. Additionally, documents created with the Windows system locale set to France may use a different encryption method.
  293. * **NTLM**
  294. * [LM, NTLM, Net-NTLMv2, oh my! - P�ter Gombos](
  295. * [A 9-step recipe to crack a NTLMv2 Hash from a freshly acquired .pcap - kimvb3r](
  296. * [How to Dump NTLM Hashes & Crack Windows Passwords - Tokyoneon](
  297. * [The NTLM Authentication Protocol and Security Support Provider - davenport.sourceforge](
  298. * [Live off the Land and Crack the NTLMSSP Protocol](
  299. * Last month Bleeping Computer published an article about PKTMON.EXE, a little known utility in Windows 10 that provides the ability to sniff and monitor network traffic. I quickly wondered if it would be feasible to use this utility, and other native tools within Windows, to capture NTLMv2 network authentication handshakes. TL;DR: Yes it is possible and I wrote a Python3 script called NTLMRawUnHide that can extract NTLMv2 password hashes from packet dumps of many formats!
  300. * [](
  301. * is a Python3 script designed to parse network packet capture files and extract NTLMv2 hashes in a crackable format. The tool was developed to extract NTLMv2 hashes from files generated by native Windows binaries like NETSH.EXE and PKTMON.EXE without conversion.
  302. * **PDF**<a name="pdf"></a>
  303. * [PDFCrack](
  304. * PDFCrack is a GNU/Linux (other POSIX-compatible systems should work too) tool for recovering passwords and content from PDF-files. It is small, command line driven without external dependencies. The application is Open Source (GPL).
  305. * **SAP**
  306. * [SAP password hacking Part I: SAP BCODE hash hacking -](
  307. * This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.
  308. * [SAP password hash hacking Part II: SAP PASSCODE hash hacking](
  309. * [SAP password hash hacking Part III: SAP PWDSALTEDHASH hash hacking](
  310. * [SAP password hash hacking Part IV: rule based attack](
  311. * **Wordpress**
  312. * [Cracking WordPress Passwords with Hashcat - Jonas Lejon(2019)](
  313. * **WPA2**
  314. * [WPA2 Cracking Using HashCat - rootsh3ll](
  315. * **ZIP Archives**<a name="zip"></a>
  316. * [Cracking ZIP files with fcrackzip - Allan Feid(2009)](
  317. * [fcrackzip](
  318. * A braindead program for cracking encrypted ZIP archives. Forked from
  319. * **John the Ripper**<a name="jtr"></a>
  320. * **101**
  321. * [John the Ripper benchmarks - openwall](
  322. * [John The Ripper Hash Formats - pentestmonkey](
  323. * [JTR Docs](
  324. * **Rules**
  325. * [KoreLogic Custom Rules(2010)](
  326. * "KoreLogic used a variety of custom rules to generate the passwords. These _same_ rules can be used to crack passwords in corporate environments. These rules were originally created because the default ruleset for John the Ripper fails to crack passwords with more complex patterns used in corporate environments."
  327. * **OCL/Hashcat** <a name="hashcat"></a>
  328. * **101**
  329. * [OCL hashcat](
  330. * It�s OCL hashcat
  331. * [OCL hashcat wiki](
  332. * Its the Wiki
  333. * [Hashcat FAQ](
  334. * **Articles/Blogposts/Writeups**
  335. * [Password Analysis To Hashcat (PATH) script](
  336. * [Advanced Password Guessing: Hashcat techniques for the last 20%](
  337. * **Automating Hashcat**<a name="hauto"></a>
  338. * [Hate_Crack](
  339. * A tool for automating cracking methodologies through Hashcat from the TrustedSec team.
  340. * [HAT - Hashcat Automation Tool](
  341. * An automated Hashcat tool for common wordlists and rules to speed up the process of cracking hashes during engagements. HAT is simply a wrapper for Hashcat (with a few extra features) -, however I take no credit for that superb tool.
  342. * **Hashcat Attacks**<a name="hattack"></a>
  343. * **Types of**
  344. * [Mask atttack](
  345. * Try all combinations from a given keyspace just like in Brute-Force attack, but more specific.
  346. * [Combinator attack](
  347. * Each word of a dictionary is appended to each word in a dictionary.
  348. * [Dictionary attack](
  349. * The dictionary attack is a very simple attack mode. It is also known as a �Wordlist attack�.
  350. * [Fingerprint Attack](
  351. * The Fingerprint attack is a combination of the results of the expander with a combination engine. It is an automatically generated attack on pattern that works fine on GPGPU.
  352. * [Hybrid attack](
  353. * Basically, the hybrid attack is just a Combinator attack. One side is simply a dictionary, the other is the result of a Brute-Force attack. In other words, the full Brute-Force keyspace is either appended or prepended to each of the words from the dictionary. That's why it's called �hybrid�.
  354. * [Mask attack](
  355. * Try all combinations from a given keyspace just like in Brute-Force attack, but more specific.
  356. * [Permutation attack[(
  357. * Each word in a dictionary generates all permutations of itself.
  358. * [Rule Based attack](
  359. * The rule-based attack is one of the most complicated of all the attack modes. The reason for this is very simple. The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.
  360. * [Table Lookup attack](
  361. * With each word in our dictionary, it automatically generates masks as in a batch of Mask attack.
  362. * [Toggle-Case attack](
  363. * For each word in a dictionary, all possible combinations of upper- and lower-case variants are generated.
  364. * [Purple Rain Attack: Password Cracking With Random Generation - netmux](
  365. * [OCLHashcat Hash Examples + hash code](
* **Performing**
  * [How To Perform a Combinator Attack Using Hashcat - William Hurer-Mackay(2016)](
  * [How to Perform a Mask Attack Using hashcat - William Hurer-Mackay(2016)](
  * [Hashcat Mask Attack - Sevenlayers](
  * [How To Perform A Rule-Based Attack Using Hashcat - William Hurer-Mackay(2016)](
  * [Performing Rule Based Attack Using Hashcat - Shubhankar Singh](
  * [Run All Rules for Hashcat - mubix(2020)](
    * "This is just a quick script to demonstrate using PowerShell to run all the rules against a specific hash (or hash file), starting from the smallest file (usually the simplest rules)"
  * [Automated Password Cracking: Use oclHashcat To Launch A Fingerprint Attack](
* **Hashcat Masks**
  * [Corporate_Masks](
    * 8-14 character Hashcat masks based on analysis of 1.5 million NTLM hashes cracked while pentesting
* **Hashcat Rules**<a name="hrules"></a>
  * **101**
    * [Rule Based Attack - Hashcat Wiki](
    * [Hashcat Tutorial - Rule Writing - LaconicWolf](
  * **Articles/Blogposts/Writeups**
    * [How To Perform A Rule-Based Attack Using Hashcat - William Hurer-Mackay(2016)](
    * [An Explanation of Hashcat Rules - Kaotic Creations(2011)](
    * [RevsUp Lab: Hashcat 06](
  * **Rulesets**
    * [nsa-rules](
      * Password cracking rules and masks for hashcat that I generated from cracked passwords.
    * [Hob0Rules](
      * Password cracking rules for Hashcat based on statistics and industry patterns.
    * [password_cracking_rule - notsosecure](
    * [One Rule to Rule Them All - ](
* **Hashcat-related Tools**<a name="htools"></a>
  * [CrackerJack](
    * Web Interface for Hashcat by Context Information Security
* **Tools** <a name="generalt"></a>
  * **General**
    * **Distributed Hash-Cracking**
      * [Hashtopolis](
        * Hashtopolis is a multi-platform client-server tool for distributing hashcat tasks to multiple computers. The main goals for Hashtopolis's development are portability, robustness, multi-user support, and multiple groups management.
        * [Automating Hashtopolis - EvilMog(NolaCon2019)](
      * [Cracklord](
        * CrackLord is a system designed to provide a scalable, pluggable, and distributed system for both password cracking as well as any other jobs needing lots of computing resources. Better said, CrackLord is a way to load balance the resources, such as CPU, GPU, Network, etc. from multiple hardware systems into a single queueing service across two primary services: the Resource and Queue. It won't make these tasks faster, but it will make it easier to manage them.
      * [NPK](
        * NPK is a distributed hash-cracking platform built entirely of serverless components in AWS including Cognito, DynamoDB, and S3. It was designed for easy deployment and the intuitive UI brings high-power hash-cracking to everyone.
        * [High-Power Hash Cracking with NPK - Brad Woodward(2019)](
    * [Firefox password cracker](
    * [Dagon](
      * Named after the prince of Hell, Dagon (day-gone) is an advanced hash cracking and manipulation system, capable of bruteforcing multiple hash types, creating bruteforce dictionaries, automatic hashing algorithm verification, random salt generation from Unicode to ASCII, and much more.
    * [Gladius](
      * Automated Responder/ cracking. Gladius provides an automated method for cracking credentials from various sources during an engagement. We currently crack hashes from Responder,, and smart_hashdump.
* **Papers** <a name="papers"></a>
  * [Optimizing computation of Hash Algorithms as an attacker](
  * [Attacking NTLM with Precomputed Hashtables](
    * Breaking encrypted passwords has been of interest to hackers for a long time, and protecting them has always been one of the biggest security problems operating systems have faced, with Microsoft's Windows being no exception. Due to errors in the design of the password encryption scheme, especially in the LanMan (LM) scheme, Windows has a bad track record in this field of information security. Especially in the last couple of years, the outdated DES encryption algorithm that LanMan is based on has faced more and more processing power in the average household, which, combined with ever increasing hard disk sizes, has made it crystal clear that LanMan nowadays is not just outdated, but antiquated.
  * [Website Dedicated to Password Research](
    * A core objective of the Password Research Institute is to improve the industry awareness of existing authentication research. Many valuable solutions for the problems associated with authentication have gone unnoticed by the people interested in, or responsible for, authentication security. This project will compile and share a comprehensive, but moderated, index of password and authentication related research papers. We aim to share the details of useful papers, provide access to the papers, and encourage collaboration between authors and other security professionals.
  * [When Privacy meets Security: Leveraging personal information for password cracking - M. Dürmuth, A. Chaabane, D. Perito, C. Castelluccia](
    * Passwords are widely used for user authentication and, despite their weaknesses, will likely remain in use in the foreseeable future. Human-generated passwords typically have a rich structure, which makes them susceptible to guessing attacks. In this paper, we study the effectiveness of guessing attacks based on Markov models. Our contributions are two-fold. First, we propose a novel password cracker based on Markov models, which builds upon and extends ideas used by Narayanan and Shmatikov (CCS 2005). In extensive experiments we show that it can crack up to 69% of passwords at 10 billion guesses, more than all probabilistic password crackers we compared against. Second, we systematically analyze the idea that additional personal information about a user helps in speeding up password guessing. We find that, on average and by carefully choosing parameters, we can guess up to 5% more passwords, especially when the number of attempts is low. Furthermore, we show that the gain can go up to 30% for passwords that are actually based on personal attributes. These passwords are clearly weaker and should be avoided. Our cracker could be used by an organization to detect and reject them. To the best of our knowledge, we are the first to systematically study the relationship between chosen passwords and users' personal information. We test and validate our results over a wide collection of leaked password databases.
  * [PassGAN](
    * This repository contains code for the [PassGAN: A Deep Learning Approach for Password Guessing paper]( The model from PassGAN is taken from [Improved Training of Wasserstein GANs]( and it is assumed that the authors of PassGAN used the [improved_wgan_training tensorflow]( implementation in their work. For this reason, I have modified that reference implementation in this repository to make it easy to train ( and sample ( from.
  * [Mnemonic Password Formulas](
    * The current information technology landscape is cluttered with a large number of information systems that each have their own individual authentication schemes. Even with single sign-on and multi-system authentication methods, systems within disparate management domains are likely to be utilized by users of various levels of involvement within the landscape as a whole. Due to this complexity and the abundance of authentication requirements, many users are required to manage numerous credentials across various systems. This has given rise to many different insecurities relating to the selection and management of passwords. This paper details a subset of issues facing users and managers of authentication systems involving passwords, discusses current approaches to mitigating those issues, and finally introduces a new method for password management and recall termed Mnemonic Password Formulas.
  423. * The current information technology landscape is cluttered with a large number of information systems that each have their own individual authentication schemes. Even with single sign-on and multi-system authentication methods, systems within disparate management domains are likely to be utilized by users of various levels of involvement within the landscape as a whole. Due to this complexity and the abundance of authentication requirements, many users are required to manage numerous credentials across various systems. This has given rise to many different insecurities relating to the selection and management of passwords. This paper details a subset of issues facing users and managers of authentication systems involving passwords, discusses current approaches to mitigating those issues, and finally introduces a new method for password management and recalls termed Mnemonic Password Formulas.