Joined Adversary Simulation Manual
  • Joined Adversary Simulation Manual
  • Reconnaissance
    • Active Scanning
    • Gather Victim Host Information
    • Gather Victim Identity Information
    • Gather Victim Network Information
    • Gather Victim Org Information
    • Phishing for Information
    • Search Closed Sources
    • Search Open Technical Databases
    • Search Open Websites/Domains
    • Search Victim-Owned Websites
  • Resource Development
    • Acquire Infrastructure
    • Compromise Accounts
    • Compromise Infrastructure
    • Develop Capabilities
    • Establish Accounts
    • Obtain Capabilities
  • Initial Access
    • Drive-by Compromise
      • WiFi Attacks
    • Exploit Public-Facing Application
    • External Remote Services
    • Hardware Additions
    • Phishing
    • Replication Through Removable Media
    • Supply Chain Compromise
    • Trusted Relationship
    • Valid Accounts
  • Execution
    • Command and Scripting Interpreter
    • Exploitation for Client Execution
    • Inter-Process Communication
    • Native API
    • Scheduled Task-Job
    • Shared Modules
    • Software Deployment Tools
    • System Services
    • User Execution
    • Windows Management Instrumentation
  • Persistence
    • Account Manipulation
    • BITS Jobs
    • Boot or Logon Autostart Execution
    • Boot or Logon Initialization Scripts
    • Browser Extensions
    • Compromise Client Software Binary
    • Create Account
    • Create or Modify System Process
    • Event Triggered Execution
    • External Remote Services
    • Hijack Execution Flow
    • Implant Container Image
    • Office Application Startup
    • Pre-OS Boot
    • Scheduled Task-Job
    • Server Software Component
    • Traffic Signaling
    • Valid Accounts
  • Privilege Escalation
    • Abuse Elevation Control Mechanism
    • Access Token Manipulation
    • Boot or Logon Autostart Execution
    • Boot or Logon Initialization Scripts
    • Create or Modify System Process
    • Event Triggered Execution
    • Exploitation for Privilege Escalation
    • Group Policy Modification
    • Hijack Execution Flow
    • Scheduled Task-Job
    • Process Injection
    • Valid Accounts
  • Defense Evasion
    • Abuse Elevation Control Mechanism
    • Access Token Manipulation
    • BITS Jobs
    • Deobfuscate-Decode Files or Information
    • Direct Volume Access
    • Execution Guardrails
    • Exploitation for Defense Evasion
    • File and Directory Permissions Modification
    • Group Policy Modification
    • Hide Artifacts
    • Hijack Execution Flow
    • Impair Defenses
    • Indicator Removal on Host
    • Indirect Command Execution
    • Masquerading
    • Modify Authentication Process
    • Modify Cloud Compute Infrastructure
    • Modify Registry
    • Modify System Image
    • Network Boundary Bridging
    • Obfuscated Files or Information
    • Pre-OS Boot
    • Process Injection
    • Rogue Domain Controller
    • Rootkit
    • Signed Binary Proxy Execution
    • Signed Script Proxy Execution
    • Subvert Trust Controls
    • Template Injection
    • Traffic Signaling
    • Trusted Developer Utilities Proxy Execution
    • Unused-Unsupported Cloud Regions
    • Use Alternate Authentication Material
    • Valid Accounts
    • Virtualization-Sandbox Evasion
    • Weaken Encryption
    • XSL Script Processing
  • Credential Access
    • Brute Force
    • Credentials from Password Stores
    • Exploitation for Credential Access
    • Forced Authentication
    • Input Capture
    • Man-in-the-Middle
    • Modify Authentication Process
    • Network Sniffing
    • OS Credential Dumping
    • Steal Application Access Token
    • Steal or Forge Kerberos Tickets
    • Steal Web Session Cookie
    • Two-Factor Authentication Interception
    • Unsecured Credentials
  • Discovery
    • Account Discovery
    • Application Window Discovery
    • Browser Bookmark Discovery
    • Cloud Infrastructure Discovery
    • Cloud Service Dashboard
    • Cloud Service Discovery
    • Cloud Trust Discovery
    • Domain Trust Discovery
    • File and Directory Discovery
    • Network Service Scanning
    • Network Share Discovery
    • Network Sniffing
    • Password Policy Discovery
    • Peripheral Device Discovery
    • Permission Groups Discovery
    • Process Discovery
    • Query Registry
    • Remote System Discovery
    • Software Discovery
    • System Information Discovery
    • System Network Configuration Discovery
    • System Network Connections Discovery
    • System Owner-User Discovery
    • System Service Discovery
    • System Time Discovery
    • Virtualization-Sandbox Evasion
  • Lateral Movement
    • Exploitation of Remote Services
    • Internal Spearphishing
    • Lateral Tool Transfer
    • Remote Service Session Hijacking
    • Remote Services
    • Replication Through Removable Media
    • Software Deployment Tools
    • Taint Shared Content
    • Use Alternate Authentication Material
  • Collection
    • Archive Collected Data
    • Audio Capture
    • Automated Collection
    • Clipboard Data
    • Data from Cloud Storage Object
    • Data from Configuration Repository
    • Data from Information Repositories
    • Data from Local System
    • Data from Network Shared Drive
    • Data from Removable Media
    • Data Staged
    • Email Collection
    • Input Capture
    • Man in the Browser
    • Man-in-the-Middle
    • Screen Capture
    • Video Capture
  • Command and Control
    • Application Layer Protocol
    • Communication Through Removable Media
    • Data Encoding
    • Data Obfuscation
    • Dynamic Resolution
    • Encrypted Channel
    • Fallback Channels
    • Ingress Tool Transfer
    • Multi-Stage Channels
    • Non-Application Layer Protocol
    • Non-Standard Port
    • Protocol Tunneling
    • Proxy
    • Remote Access Software
    • Traffic Signaling
    • Web Service
  • Exfiltration
    • Automated Exfiltration
    • Data Transfer Size Limits
    • Exfiltration Over Web Service
    • Exfiltration Over Alternative Protocol
    • Exfiltration Over C2 Channel
    • Exfiltration Over Other Network Medium
    • Exfiltration Over Physical Medium
    • Exfiltration Over Web Service
    • Scheduled Transfer
    • Transfer Data to Cloud Account
  • Impact
    • Account Access Removal
    • Data Destruction
    • Data Encrypted for Impact
    • Data Manipulation
    • Defacement
    • Disk Wipe
    • Endpoint Denial of Service
    • Firmware Corruption
    • Inhibit System Recovery
    • Network Denial of Service
    • Resource Hijacking
    • Service Stop
    • System Shutdown-Reboot
  • General Pentesting
    • Services
    • SSL related Commands
    • Web useful commands
    • Reverse Shells
    • DB related Commands
    • VLAN Attacks
    • AD Bruteforcing
    • JWT Attacks
  • Tricks
  • Tools
    • AD Tools
    • Mobile Tools
    • Tools
    • WiFi Tools
    • LAN Tools
    • LAN Tools
  • Contributors
  • Kudos, References and Further Reading
Powered by GitBook
On this page
  • Credential Stuffing
  • Password Cracking
  • Hashes Examples
  • LM
  • NTLM
  • NTLMv1 (A.K.A. Net-NTLMv1)
  • NetNTLMv2 (A.K.A. Net-NTLMv2)
  • DCC2
  • Kerberos
  • ZIP
  • Unshadow
  • RSA Keys
  • Wordlists
  • Password Guessing
  • Password Spraying

Was this helpful?

  1. Credential Access

Brute Force

Credential Stuffing

Password Cracking

Hashes Examples

Mode

Name

Example

900

MD4

afe04867ec7a3845145579a95f72eca7

0

MD5

8743b52063cd84097a65d1633f5c74f5

100

SHA1

b89eaac7e61417341b710b727768294d0e6a277b

1400

SHA256

127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935

1700

SHA512

82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f

5000

SHA-3(Keccak)

203f88777f18bb4ee1226627b547808f38d90d3e106262b5de9ca943b57137b6

6000

RipeMD160

012cb9b334ec1aeb71a9c8ce85586082467f7eb6

6100

Whirlpool

7ca8eaaaa15eaa4c038b4c47b9313e92da827c06940e69947f85bc0fbef3eb8fd254da220ad9e208b6b28f6bb9be31dd760f1fdb26112d83f87d96b416a4d258

3000

LM

299bd128c1101fd6

1000

NTLM

b4b9b02e6f09a9bd760f388b67351e2b

5600

NetNTLMv2

admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030

5500

NetNTLMv1

u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c

2100

DCC2

$DCC2$10240#testuser#042641eb192965b665a9e720869c1dbc

2500

WPA/WPA2

LM

hashcat -m 3000 -a 3 hash.txt
john --format=lm hash.txt

NTLM

john --format=nt hash.txt
hashcat -m 1000 -a 3 hash.txt

NTLMv1 (A.K.A. Net-NTLMv1)

john --format=netntlm hash.txt
hashcat -m 5500 -a 3 hash.txt

NetNTLMv2 (A.K.A. Net-NTLMv2)

john --format=netntlmv2 hash.txt
hashcat -m 5600 -a 3 hash.txt

DCC2

hashcat64.exe -a 0 -m 2100 --status -r .\OneRuleToRuleThemAll.rule -o found.txt hashes.txt rockyou.txt

Kerberos

hashcat64.exe -m 13100 hash passwords.txt --rules .\OneRuleToRuleThemAll.rule -O -w 3

ZIP

Zip password cracker, similar to fzc, zipcrack

fcrackzip -D -v -u -p /word/list/ fileZip

Unshadow

unshadow passwd shadow > result
john --wordlist=/....../rockyou.txt result

RSA Keys

RSA Keys' passphrases can be brute-forced using JTR by converting the key to the appropriate input format john can work with:

ssh2john id_rsa > id_rsa.john; john –wordlist=/usr/share/wordlists/rockyou.txt id_rsa.john

Wordlists

  • https://github.com/danielmiessler/SecLists/tree/master/Passwords

  • https://weakpass.com/wordlist

  • https://downloads.pwnedpasswords.com/passwords/pwned-passwords-ntlm-ordered-by-count.7z

Password Guessing

Password Spraying

PreviousCredential AccessNextCredentials from Password Stores

Last updated 4 years ago

Was this helpful?

[

http://hashcat.net/misc/example_hashes/hashcat.hccap](http://hashcat.net/misc/example_hashes/hashcat.hccap\