Password Cracking
MITRE ATT&CK, Credential Access, Sub-technique T1110.002
Common Cracking Modes
1000
- Crack NTLM hash.1100
- Crack DCC hash.5500
- Crack Net-NTLMv15600
- Crack Net-NTLMv213100
- Crack Kerberoast(ed) hash.27100
- Crack Net-NTLMv2 to an NTLM hash.
Create a Custom Wordlist for Cracking
1. Create a simple wordlist or use cewl
to generate one:
Acme (Domain)
Autumn
Winter
Spring
Summer
Welcome
2. Utilize hashcat to run rules on the previous wordlist:
hashcat $wordlist -r /usr/share/hashcat/rules/best64.rule --stdout > newwordlist
Masks
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff
Password Length Increment
A Mask attack is always specific to a password length. For example, if we use the mask “?l?l?l?l?l?l?l?l” we can only crack a password of the length 8. But if the password we try to crack has the length 7 we will not find it. Thats why we have to repeat the attack several times, each time with one placeholder added to the mask. This is transparently automated by using the “--increment” flag (Attention: the mask length itself is the limiting factor for hashcat. That implies that if i.e. the mask is only of length 4 --increment won't increment the length of the password candidates above 4. A mask of length, therefore, won't increase at all even if --increment was specified).
?l
?l?l
?l?l?l
?l?l?l?l
?l?l?l?l?l
?l?l?l?l?l?l
?l?l?l?l?l?l?l
?l?l?l?l?l?l?l?l
Password Cracking Tips
Loopback will take all of the discovered passwords from cracking and apply the rules specified when beginning the attack against them. Simply append
--loopback
to your Hashcat command.If you are experiencing the error
CL_OUT_OF_RESOURCES
on Windows 10 when running Hashcat, then you can add the following to the registry to remove it:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers
then add "TdrLevel" as a DWORD with value 0.A longer password list != better.
Wordlists
Hashcat Rulesets
Last updated