Brute Force

Credential Stuffing

Password Cracking

Hashes Examples

Mode	Name	Example
900	MD4	afe04867ec7a3845145579a95f72eca7
0	MD5	8743b52063cd84097a65d1633f5c74f5
100	SHA1	b89eaac7e61417341b710b727768294d0e6a277b
1400	SHA256	127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935
1700	SHA512	82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f
5000	SHA-3(Keccak)	203f88777f18bb4ee1226627b547808f38d90d3e106262b5de9ca943b57137b6
6000	RipeMD160	012cb9b334ec1aeb71a9c8ce85586082467f7eb6
6100	Whirlpool	7ca8eaaaa15eaa4c038b4c47b9313e92da827c06940e69947f85bc0fbef3eb8fd254da220ad9e208b6b28f6bb9be31dd760f1fdb26112d83f87d96b416a4d258
3000	LM	299bd128c1101fd6
1000	NTLM	b4b9b02e6f09a9bd760f388b67351e2b
5600	NetNTLMv2	admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
5500	NetNTLMv1	u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c
2100	DCC2	$DCC2$10240#testuser#042641eb192965b665a9e720869c1dbc
2500	WPA/WPA2	[http://hashcat.net/misc/example_hashes/hashcat.hccap](http://hashcat.net/misc/example_hashes/hashcat.hccap\

LM

hashcat -m 3000 -a 3 hash.txt

john --format=lm hash.txt

NTLM

john --format=nt hash.txt

hashcat -m 1000 -a 3 hash.txt

NTLMv1 (A.K.A. Net-NTLMv1)

john --format=netntlm hash.txt

hashcat -m 5500 -a 3 hash.txt

NetNTLMv2 (A.K.A. Net-NTLMv2)

john --format=netntlmv2 hash.txt

hashcat -m 5600 -a 3 hash.txt

DCC2

hashcat64.exe -a 0 -m 2100 --status -r .\OneRuleToRuleThemAll.rule -o found.txt hashes.txt rockyou.txt

Kerberos

hashcat64.exe -m 13100 hash passwords.txt --rules .\OneRuleToRuleThemAll.rule -O -w 3

ZIP

Zip password cracker, similar to fzc, zipcrack

fcrackzip -D -v -u -p /word/list/ fileZip

Unshadow

unshadow passwd shadow > result

john --wordlist=/....../rockyou.txt result

RSA Keys

RSA Keys' passphrases can be brute-forced using JTR by converting the key to the appropriate input format john can work with:

ssh2john id_rsa > id_rsa.john; john –wordlist=/usr/share/wordlists/rockyou.txt id_rsa.john

Wordlists

• https://github.com/danielmiessler/SecLists/tree/master/Passwords

• https://weakpass.com/wordlist

• https://downloads.pwnedpasswords.com/passwords/pwned-passwords-ntlm-ordered-by-count.7z

Password Guessing

Password Spraying