Building word lists
Use content from web pages to build a dictionary. This can include company pages, Facebook, Twitter, and any other resource gathered while doing OSINT on the target. To grab all words from a page, use CeWL.
cewl:
cewl https://example.com
Brute forcing tools
- Burpsuite (intruder): https://portswigger.net/burp
- Hydra: https://github.com/vanhauser-thc/thc-hydra
Hydra (a single login is given with -l; -u means "loop around users" and is not the username flag):
hydra -l <username> -P <LIST> <ip> <protocol>
When brute forcing SSH, you need to cap the number of parallel tasks with -t, or the server will start dropping connections:
hydra -l <username> -P <LIST> <ip> ssh -t4
Protocols to target
Protocols: telnet, smtp, http, https, smb, rpc, rdp, pop, sql (hydra's own module names differ for some of these, e.g. pop3, mysql, mssql, postgres; check `hydra -h` for the list your build supports).
Easy ports to hit: 20-23, 25, 80, 443, 135, 139.
General advice
- Specify speed when brute forcing SSH or you will hit a wall quickly. Using hydra, this is done with the `-t4` parameter.
- Stop after gaining access to one account. Try its creds on everything, and use them for further enumeration. Never forget to try `sudo -i` for easy escalation.
- Always take a look around the host machine's file system when possible; it is potential low-hanging fruit for enumeration. Example: the local user list at `/etc/passwd`.
- Never crack hashes on the target machine. Speed and stealth will be abysmal.
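What the hydra section and the advice above look like from the other side of the wire: a burst of `-t4` parallel attempts shows up in `auth.log` as several "Failed password" lines per second from one source, and "stop after gaining access" means the signal worth paging on is an "Accepted password" from a source that was just failing. The detector below is an added example, not part of the original notes and not hydra's code. It parses OpenSSH auth lines, flags a source address once it crosses a failure threshold inside a sliding time window, and raises a second, more serious alert when a login from a flagged address succeeds. The log lines are constructed sample data (RFC 5737 documentation addresses); the year is assumed because syslog timestamps omit it.

```python
"""Detect SSH password brute forcing in auth logs, and a success after a burst.

Added example (not from the original notes, not hydra's code). SAMPLE_LOG
is constructed data in OpenSSH's default syslog format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar 14 10:15:01 bastion sshd[4021]: Accepted password for bob from 192.0.2.10 port 51022 ssh2
Mar 14 10:15:05 bastion sshd[4025]: Connection closed by 198.51.100.7 port 50000 [preauth]
Mar 14 10:15:07 bastion sshd[4030]: Failed password for invalid user admin from 203.0.113.45 port 40110 ssh2
Mar 14 10:15:07 bastion sshd[4031]: Failed password for invalid user test from 203.0.113.45 port 40111 ssh2
Mar 14 10:15:07 bastion sshd[4032]: Failed password for root from 203.0.113.45 port 40112 ssh2
Mar 14 10:15:07 bastion sshd[4033]: Failed password for alice from 203.0.113.45 port 40113 ssh2
Mar 14 10:15:09 bastion sshd[4040]: Failed password for alice from 203.0.113.45 port 40114 ssh2
Mar 14 10:15:09 bastion sshd[4041]: Failed password for alice from 203.0.113.45 port 40115 ssh2
Mar 14 10:15:09 bastion sshd[4042]: Failed password for alice from 203.0.113.45 port 40116 ssh2
Mar 14 10:15:09 bastion sshd[4043]: Failed password for alice from 203.0.113.45 port 40117 ssh2
Mar 14 10:15:30 bastion sshd[4050]: Failed password for carol from 198.51.100.7 port 50001 ssh2
Mar 14 10:15:41 bastion sshd[4051]: Failed password for carol from 198.51.100.7 port 50002 ssh2
Mar 14 10:16:12 bastion sshd[4060]: Accepted password for alice from 203.0.113.45 port 40118 ssh2
"""

# Matches the "Failed password" / "Accepted password" lines sshd writes,
# including the "invalid user" variant for unknown account names.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip) or None for lines we ignore.

    Syslog timestamps carry no year, so one is assumed (constructed data).
    """
    m = LINE_RE.match(line.rstrip())
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=6, window_seconds=60):
    """Return alerts as dicts with keys ip, kind, time, user.

    kind is "bruteforce" when an address reaches `threshold` failures inside
    `window_seconds`, and "success-after-bruteforce" when an address that
    was already flagged then logs in successfully.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps inside the window
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            q = recent_failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"ip": ip, "kind": "bruteforce", "time": ts, "user": user})
        elif result == "Accepted" and ip in flagged:
            alerts.append({"ip": ip, "kind": "success-after-bruteforce", "time": ts, "user": user})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{alert['time']:%H:%M:%S} {alert['kind']:<26} {alert['ip']} (user {alert['user']})")
```

Two failed logins from 198.51.100.7 stay below the threshold and never alert, while 203.0.113.45 trips the burst rule on its sixth failure and then produces the high-severity alert when `alice` finally authenticates from it; that second alert is the one that should trigger lockout and a credential reset rather than just a block on the source address.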