Security
  • IT Security Knowledge Base
  • Blue team
    • Linux System Hardening
    • Phishing Analysis
    • Snort
    • Yara
  • Capture the Flag
    • OverTheWire
      • Bandit
        • Bandit Level 0
        • Bandit Level 0 → Level 1
        • Bandit Level 1 → Level 2
        • Bandit Level 2 → Level 3
        • Bandit Level 3 → Level 4
        • Bandit Level 4 → Level 5
        • Bandit Level 5 → Level 6
        • Bandit Level 6 → Level 7
        • Bandit Level 7 → Level 8
        • Bandit Level 8 → Level 9
        • Bandit Level 9 → Level 10
        • Bandit Level 10 → Level 11
        • Bandit Level 11 → Level 12
        • Bandit Level 12 → Level 13
        • Bandit Level 13 → Level 14
        • Bandit Level 14 → Level 15
        • Bandit Level 15 → Level 16
        • Bandit Level 16 → Level 17
        • Bandit Level 17 → Level 18
        • Bandit Level 18 → Level 19
        • Bandit Level 19 → Level 20
        • Bandit Level 20→ Level 21
        • Bandit Level 21→ Level 22
        • Bandit Level 22 → Level 23
        • Bandit Level 23 → Level 24
        • Bandit Level 24 → Level 25
        • Bandit Level 25 → Level 26
        • Bandit Level 26 → Level 27
        • Bandit Level 27 → Level 28
        • Bandit Level 28 → Level 29
        • Bandit Level 29 → Level 30
        • Bandit Level 30 → Level 31
        • Bandit Level 31 → Level 32
        • Bandit Level 32 → Level 33
    • OWASP Juice Shop
      • Installation
      • Level 1 - Challenges
      • Level 2 - Challenges
    • TryHackMe Rooms
      • Anthem
      • Capture!
      • Corridor
      • Gotta Catch'em All!
      • Mustacchio
      • Neighbour
      • Opacity
      • Source
    • CEH v12 practical resources
  • Cryptology
    • CryptoHack
      • Course: Introduction to CryptoHack
        • Introduction - Challenges
        • General - Encoding
        • General - XOR
      • Course: Modular Arithmetic
        • General - Mathematics
        • Mathematics - Modular Math
        • Mathematics - Brainteasers Part 1
      • Course: Symmetric Cryptography
        • How AES Works
        • Symmetric Starter
        • Block Ciphers
        • Stream Ciphers
  • Red Team
    • Reconnaissance
      • Foot-printing
      • Scanning (Nmap)
      • Enumeration
    • Vulnerability Analysis
    • Initial Access
      • Obtaining credentials
      • Vulnerability Exploitation
        • Buffer Overflow
        • Metasploit and Armitage
        • Ninja Jonin
    • Active Directory
      • Connect to AD
      • AD Explore
      • CMD and PowerShell enumeration
      • Certificates in AD
      • LDAP Pass-back Attacks
      • Cracking NetNTLM Challenge with Responder
      • Exploring Configuration Files for AD Credentials
      • Pass the hash with evil WinRM
      • Understanding Runas
    • Malware
    • Sniffing
      • Intercept HTTP traffic - Hetty
      • Intercept HTTP traffic - Bettercap
      • Wireshark
    • Social Engineering
    • Denial of Service
    • Web Hacking
      • Burp Suite
      • OWASP ZAP
      • Web servers
      • Web Server Footprinting
      • Directory Enumeration
      • Session Hijacking
      • Web Shells
      • Web vulnerability scanners
      • SQL Injection
    • Cloud
    • Wireless Networks
      • Attacking WEP
      • Attacking WPA/WPA2
    • Mobile Devices
    • Network Security Evasion
    • Privileges Escalation
    • Maintain Access and Hide Malicious Activity
      • Backdooring
    • Cover your Tracks
  • Internet of Things
    • IoT in general
    • Common IoT Protocols
      • CoAP
      • MQTT
      • ZIGBEE
      • Bluetooth
    • Scapy
      • Sniffing and spoofing
      • ARP cache Poisoning
  • Projects
    • Cybersecurity Roadshow
Powered by GitBook
On this page
  • Password Attacks
  • Non-Electronic attacks
  • Active Online Attacks - Directly Communicating with the target.
  • Passive Online Attacks
  • Offline attacks
  • Look up breached passwords
  • Hashes
  • Location of password hashes
  • Windows
  • Linux
  • Salting
  • Hash types
  • Tools
  • LLMNR and NBT-NS poisoning
  • Tools to extract password hashes
  • Tools for password cracking
  1. Red Team
  2. Initial Access

Obtaining credentials

Gaining access to a system through credential acquisition involves obtaining valid usernames and passwords or other authentication tokens.

Password Attacks

Non-Electronic attacks

Non-electronic attacks are methods of compromising passwords or security measures without the use of digital technology.

  • Shoulder Surfing - Watch over the shoulder of a user to observe them entering their password or personal identification number (PIN)

  • Social Engineering - Convince people to reveal their credentials.

  • Dumpster Diving - Searching through discarded materials, such as paper documents, to find information that may include passwords or other confidential data.

Active Online Attacks - Directly Communicating with the target.

Active online attacks involve direct interaction with the target system or user to compromise passwords.

  • Dictionary, Brute Force and Rule-based attacks - Try different combinations of words, phrases, or characters to guess a password. "Dictionary" attacks use common words or phrases, "brute force" attacks try all possible combinations, and "rule-based" attacks apply patterns or rules to password guessing.

  • Trojan, Spyware, Keylogger - Malware that can be deployed to capture passwords and other sensitive information. Trojans, spyware, and keyloggers discreetly monitor and record user activities, including keystrokes and login credentials.

  • Password spraying - Target multiple users simultaneously with a small set of common password. This helps avoid account lock outs.

  • Pash-the-Hash - Instead of attempting to crack a user's password, use stolen password hashes to gain access.

  • Kerberoasting / AS_REP Roasting - Request a TGS (Ticket Granting Service) for SPN (Service Principal Name) of the target service account or a TGT (Ticket Granting Ticket) form the KDC (Key Distribution Center) and crack the ticket to obtain user's password.

Passive Online Attacks

Passive online attacks involve monitoring or eavesdropping on network traffic without actively interacting with the target.

  • Sniffing - Intercept and capture network traffic to obtain sensitive data, such as passwords, as it traverses the network. Think unencrypted protocols like HTTP, FTP, Telnet or rlogin.

  • Man-in-the-Middle - Intercept communication between two parties and may capture passwords or sensitive information exchanged between them.

  • Replay Attack - Capture and reusing previously intercepted data, such as authentication credentials, only work if no challenge response is in place.

Offline attacks

Offline attacks involve attempting to crack passwords without direct access to the target system or network. Attackers work on stolen password databases or hashed files. Usually preferable!

  • Dictionary, Brute Force and Rule-based attacks - Try different combinations of words, phrases, or characters to guess a password. "Dictionary" attacks use common words or phrases, "brute force" attacks try all possible combinations, and "rule-based" attacks apply patterns or rules to password guessing.

  • Rainbow Table Attack - Offline attack in which precomputed tables are used to quickly crack hashed passwords by matching them to their plaintext equivalents.

  • Distributed Attack - Involves multiple attackers or systems working together to launch coordinated password attacks.

Look up breached passwords

Hashes

When successfully breached a system an important objective is to obtain the password hashes of user accounts. Password hashes are cryptographic one-way representations of passwords. A hash function that takes an input (or "message") and returns a fixed-size string of characters, the hash of said message.

Location of password hashes

Windows

In Windows systems, the password hashes are typically stored in the Security Account Manager (SAM) database. The SAM database is a part of the Windows operating system that stores user account information, including username and password hash.

Linux

In Linux systems, the password hashes are usually stored in the /etc/shadow file. The /etc/shadow file is a configuration file that holds user account information, including password hashes, in a more secure manner compared to the older /etc/passwd file.

Salting

Salts are random data values that are combined with a user's password before it is hashed. When a password is hashed with a salt, it creates a unique and unpredictable output. This added complexity makes it significantly more challenging for attackers to use precomputed tables and techniques like rainbow table attacks to crack password hashes.

Hash types

hashID is a tool written in Python 3 which supports the identification of over 220 unique hash types using regular expressions.

Tools

LLMNR and NBT-NS poisoning

LLMNR (Link Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are integral components of Windows operating systems responsible for resolving host names within the same network segment. These services are typically enabled by default in Windows operating systems and, if exploited, can potentially lead to the extraction of user password hashes.

Given the limited awareness of this attack, there is a significant potential for obtaining user credentials during internal network penetration tests.

  1. Clone repository

  2. sudo ./responder.py -I <interface>

Responder starts capturing the access logs.

By default, Responder stores the logs in Home/Responder/logs

Tools to extract password hashes

    • Impacket-secretsdump is used for extracting and dumping credential information from Windows systems, specifically from the Security Account Manager (SAM) database and the Active Directory (AD) NTDS.dit database. Default in Kali.

Tools for password cracking

  • John the Ripper is a widely used open-source password cracking tool designed for offline password attacks.

  • Hashcat is a powerful, open-source password cracking tool that is optimized for offline attacks. It excels at accelerating the cracking of hashed passwords through the use of GPUs and CPUs.

  • THC-Hydra is a versatile online password-cracking tool that is used to perform attacks on network services.

All are default in Kali

PreviousInitial AccessNextVulnerability Exploitation

Last updated 1 year ago

As a first step try look up breached password at - combine this with lookup tool or brute force.

Hashcat maintains a nice list of example hashes which can be used to manually identify the type of a hash.

is a tool designed to exploit LLMNR, NBT-NS, and MDNS (Multicast DNS) protocols. It responds to specific NBT-NS queries based on their name suffix, but it typically responds primarily to File Server Service requests, often associated with the SMB (Server Message Block) protocol.

is a powerful and well-known post-exploitation tool used to extract sensitive information from Windows systems. It specializes in retrieving credentials, including plaintext passwords, password hashes, and Kerberos tickets.

is a password hashing extraction tool that extracts password hashes from Windows systems from the SAM database.

DSInternals is a collection of PowerShell modules designed for Active Directory (AD) administration, auditing, and penetration testing. Can also be used as a password hashing extraction tool. Since PowerShell 5, you can install the DSInternals module directly from the official by running the following command: Install-Module DSInternals -Force

BreachDirectory
hash
Link
Responder
Mimikatz
Pwdump7
PowerShell Gallery