Offline Attack

Extracting Password Hashes from Windows

fgdump

Run fgdump as a local administrator to dump the local SAM hashes. The output is in pwdump format (user:RID:LM hash:NT hash:::), which both John and hashcat understand:

fgdump.exe

Meterpreter's hashdump

Needs SYSTEM privileges on the target (run getsystem first if the session is not already SYSTEM). It prints one pwdump-format line per local account:

meterpreter > hashdump

Volume Shadow Copy Services to copy ntds.dit

On a domain controller the Active Directory database (ntds.dit) is locked while the directory service runs, so it cannot be copied directly. Create a shadow copy of the system volume (vssadmin or ntdsutil), copy ntds.dit and the SYSTEM registry hive out of the snapshot, and extract the hashes offline (for example with Impacket's secretsdump.py in LOCAL mode). The SYSTEM hive is required because it holds the boot key that encrypts the password hashes inside ntds.dit.

Hash identification

Generally speaking, three pieces of data help identify a hash:

  • The length of the hash (e.g. 32 hex characters for MD5, NTLM and LM; 40 for SHA-1; 128 for SHA-512)
  • The character set (hexadecimal, base64, or a mix)
  • Any special characters, in particular a modular-crypt prefix such as $1$, $6$ or $2y$ that names the algorithm outright

Because different algorithms produce identically shaped output (an MD5 digest and an NTLM hash are both 32 hex characters), identification gives a list of candidates rather than a certainty; confirm it from the source application or by cracking a known password. hash-identifier (or hashid) automates the guess:

hash-identifier
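The three criteria above, applied in code: an added example (not hash-identifier's own logic) that classifies a hash by prefix, character set and length and returns every candidate together with the hashcat -m number and John --format name to try. The table is deliberately limited to algorithms whose identifiers I am sure of; extend it as needed.

```python
import re

# Candidates by hex length. Several algorithms share a length, so the result is
# a short list, not a verdict. Tuples are (name, hashcat mode, John format).
HEX_LENGTHS = {
    32:  [("MD5", 0, "raw-md5"), ("NTLM", 1000, "nt"), ("LM", 3000, "lm")],
    40:  [("SHA-1", 100, "raw-sha1")],
    64:  [("SHA-256", 1400, "raw-sha256")],
    128: [("SHA-512", 1700, "raw-sha512")],
}

# Modular-crypt prefixes name the algorithm explicitly (the "special characters" criterion).
PREFIXES = [
    ("$1$",    "md5crypt",            500, "md5crypt"),
    ("$apr1$", "Apache APR1 md5",    1600, "md5crypt"),
    ("$5$",    "sha256crypt",        7400, "sha256crypt"),
    ("$6$",    "sha512crypt",        1800, "sha512crypt"),
    ("$2a$",   "bcrypt",             3200, "bcrypt"),
    ("$2b$",   "bcrypt",             3200, "bcrypt"),
    ("$2y$",   "bcrypt",             3200, "bcrypt"),
]

# user:RID:LM:NT::: as produced by fgdump / hashdump
PWDUMP = re.compile(r"^[^:]+:\d+:[0-9a-fA-F]{32}:[0-9a-fA-F]{32}:::$")
HEX = re.compile(r"^[0-9a-fA-F]+$")


def identify(h: str):
    """Return [(name, hashcat_mode, john_format), ...] for a single hash string."""
    h = h.strip()
    if PWDUMP.match(h):
        # John reads pwdump lines directly with --format=nt; for hashcat cut out the 4th field.
        return [("pwdump line (LM:NT)", 1000, "nt")]
    for prefix, name, mode, jfmt in PREFIXES:
        if h.startswith(prefix):
            return [(name, mode, jfmt)]
    if HEX.match(h):                       # character set: pure hex
        return list(HEX_LENGTHS.get(len(h), []))   # then length
    return []


def names(h: str):
    return [name for name, _, _ in identify(h)]


if __name__ == "__main__":
    # MD5("password"); note the NTLM candidate cannot be excluded by shape alone
    print(identify("5f4dcc3b5aa765d61d8327deb882cf99"))
    print(identify("$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789"))
```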

Cracking the Password

Hashcat

Put the hash file (test.hash, one hash per line) and the wordlist (rockyou.txt) in the working directory and run:

hashcat -m 100 test.hash rockyou.txt

-m selects the hash mode, i.e. the algorithm; -m 100 is SHA-1. Other common modes are 0 (MD5), 1000 (NTLM), 1800 (sha512crypt) and 3200 (bcrypt); hashcat --help prints the full list. Cracked hashes are appended to hashcat.potfile, and adding --show to the same command prints the hash:plaintext pairs recovered so far.
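What the command above does, reduced to its essentials: an added example (not hashcat's code) that loads a hash file, walks a wordlist and reports matches in hashcat's potfile form. It handles two things that trip people up with rockyou.txt: the file is not valid UTF-8 throughout, so candidates are kept as raw bytes, and non-printable plaintexts are recorded as $HEX[...] the way hashcat does. The hash file and wordlist contents are constructed for the example.

```python
import hashlib

# hashcat -m numbers for the unsalted digests hashlib can compute directly
MODES = {0: "md5", 100: "sha1", 1400: "sha256", 1700: "sha512"}


def load_hashes(text: str):
    """One hash per line, as hashcat expects; blank lines dropped, hex lower-cased."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def crack(hashes, wordlist: bytes, mode: int):
    """Dictionary attack: hash every candidate with the algorithm of `mode`
    and match it against the remaining targets. Returns {hash: plaintext bytes}."""
    algo = MODES[mode]
    targets = set(hashes)
    found = {}
    # Split on newline only; do not decode, rockyou.txt contains latin-1 bytes.
    for word in wordlist.split(b"\n"):
        word = word.rstrip(b"\r")
        digest = hashlib.new(algo, word).hexdigest()
        if digest in targets:
            found[digest] = word
            targets.discard(digest)
            if not targets:          # nothing left to crack, stop early
                break
    return found


def potfile_lines(found):
    """hash:plain, with non-UTF-8 plaintexts written as $HEX[...] like hashcat.potfile."""
    out = []
    for digest, word in found.items():
        try:
            plain = word.decode("utf-8")
        except UnicodeDecodeError:
            plain = "$HEX[%s]" % word.hex()
        out.append("%s:%s" % (digest, plain))
    return out


# Constructed stand-ins for test.hash and rockyou.txt
TEST_HASH = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\n" + "0" * 40 + "\n"   # SHA-1("password") + an uncrackable dummy
ROCKYOU = b"123456\npassword\nletmein\ncaf\xe9\ncorrect horse\n"          # note the invalid-UTF-8 line

if __name__ == "__main__":
    found = crack(load_hashes(TEST_HASH), ROCKYOU, 100)
    print("\n".join(potfile_lines(found)))
```

The set-based lookup is also why unsalted hashes are cheap to attack at scale: each candidate is hashed once regardless of how many target hashes are loaded, which is exactly the property salting removes.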

John the Ripper

Use the unshadow program included with John the Ripper to combine the obtained /etc/passwd and /etc/shadow files into a single file John can read (crackme.txt below). Both files must come from the same system, since the join is by user name:

unshadow /etc/passwd /etc/shadow > crackme.txt

Crack the file generated by unshadow (crackme.txt) with a dictionary (wordlist) attack using rockyou.txt:

john crackme.txt --wordlist=rockyou.txt
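The merge unshadow performs is simple enough to show in full. This added example (not John's unshadow source) replaces the x placeholder in the second field of each passwd entry with the matching shadow hash and then filters out entries with nothing to crack. The passwd and shadow contents are constructed; the hashes in them are placeholders, not real digests.

```python
def unshadow(passwd_text: str, shadow_text: str):
    """Merge passwd and shadow by user name, as John's unshadow does:
    passwd's 'x' field is replaced by the hash from shadow."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, hash_, *_ = line.split(":")
            shadow[name] = hash_
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:                 # malformed entry
            continue
        fields[1] = shadow.get(fields[0], fields[1])   # keep 'x' if no shadow entry
        merged.append(":".join(fields))
    return merged


def crackable(merged_line: str) -> bool:
    """True when the hash field holds a modular-crypt hash ($id$...).
    '*', '!', '!!' and empty mean no password or a locked account; a hash
    prefixed with '!' (passwd -l) is locked but the hash after it is still real."""
    h = merged_line.split(":")[1]
    return h.startswith("$")


# Constructed input; hash values are placeholders
PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    "bob:x:1001:1001:Bob:/home/bob:/bin/bash",
])
SHADOW = "\n".join([
    "root:$6$saltsalt$placeholderhashroot:19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
    "alice:$y$j9T$saltsalt$placeholderhashalice:19000:0:99999:7:::",
    "bob:!$6$saltsalt$placeholderhashbob:19000:0:99999:7:::",
])

if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(("crack   " if crackable(line) else "skip    ") + line)
```

Two practical notes: the alice entry uses yescrypt ($y$), the default on current Debian, Ubuntu and Fedora releases, which hashcat does not support but John can crack through the system crypt(3) with --format=crypt (slowly); and bob's hash is locked with a leading "!", which you can strip by hand if recovering that password is in scope.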

Convert a passphrase-protected SSH private key into a format John can read:

ssh2john encrypted-key > crackme-ssh

Crack the file generated by ssh2john (crackme-ssh) with a dictionary (wordlist) attack using rockyou.txt; the recovered plaintext is the key's passphrase:

john crackme-ssh --wordlist=rockyou.txt

Crack MD5 hashes stored in a file called hashes with a dictionary (wordlist) attack. Note that John's md5 format is md5crypt ($1$ salted hashes); for bare 32-character hex MD5 digests use --format=raw-md5 instead:

john --format=md5 hashes --wordlist=rockyou.txt

John configuration file

  • Linux

    john.conf

  • Windows

    john.ini

john.pot is the file where cracking results (hash:plaintext) are stored. To print the passwords already cracked for a given hash file:

john --show [password_file]

john.rec is the session recovery file John writes while running. After a crash or interruption, resume the cracking session with:

john --restore
