OSCP Notes

Cracking Password

Identify hash

Use hash-identifier or hashid to determine the hash type. Both tools guess from the length and character set of the hash, so treat their output as a list of candidates rather than a definitive answer.

In Kali:

hash-identifier

hashid

Online: https://hashkiller.co.uk

Crack shadow using john

Copy the /etc/shadow entries into a text file and run john on it; if john does not crack them, run hashcat against the same file. Note that -m 500 is md5crypt ($1$ entries); most modern shadow files use sha512crypt ($6$), which is -m 1800.

john hashes.txt

hashcat -m 500 -a 0 -o output.txt --remove hashes.txt /usr/share/wordlists/rockyou.txt

Cracking the hash

Hashcat

    -m - hash mode
    -a 0 - straight (wordlist) attack
    -o found.txt - file the cracked hashes are written to
    admin.hash - the hash you want to crack
    /usr/share/wordlists/rockyou.txt - the wordlist
    -r /usr/share/hashcat/rules/rockyou-30000.rule - the rule file applied to each wordlist entry (it is not a wordlist itself)

hashcat -m 11 -a 0 -o found.txt admin.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule

John the ripper

john --wordlist=wordlist.txt dump.txt

john --rules --wordlist=wordlist.txt dump.txt

Linux shadow passwd

Combine the passwd file with the shadow file using the unshadow program, then run john on the result.

unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
john --rules --wordlist=wordlist.txt unshadowed.txt
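As an added example (not part of the original notes), the following script audits a shadow-format file and reports the crypt(3) algorithm and the matching hashcat mode for each account, so you pick the right -m up front and can spot accounts still stored with a legacy hash. It assumes the standard $id$ prefixes, a constructed sample file, and hashcat's published mode numbers; the yescrypt line is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): audit a shadow-format file
# and report which crypt(3) algorithm protects each account. Running
# hashcat -m 500 (md5crypt) against sha512crypt ($6$) entries is a common
# mistake; checking the prefix first avoids it.

# Print "<algorithm> <hashcat mode>" for one crypt(3) hash string.
shadow_hash_info() {
    case "$1" in
        ''|'!'*|'*'*) echo "locked -" ;;                 # disabled account, no usable hash
        '$1$'*)  echo "md5crypt 500" ;;
        '$5$'*)  echo "sha256crypt 7400" ;;
        '$6$'*)  echo "sha512crypt 1800" ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt 3200" ;;
        '$y$'*)  echo "yescrypt -" ;;                    # assumption: no hashcat mode, use john
        '$'*)    echo "unknown -" ;;
        *)       # no $ prefix at all: classic 13-character DES crypt
                 if [ "${#1}" -eq 13 ]; then echo "descrypt 1500"; else echo "unknown -"; fi ;;
    esac
}

# Walk a shadow-format file (user:hash:...) and print "user algorithm mode" per line.
audit_shadow_file() {
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(shadow_hash_info "$hash")"
    done < "$1"
}

# Count accounts still protected by a legacy algorithm (md5crypt or descrypt).
count_legacy_hashes() {
    audit_shadow_file "$1" | awk '$2 == "md5crypt" || $2 == "descrypt" { n++ } END { print n + 0 }'
}

# Constructed sample (not a real system's shadow file); hash bodies are dummies.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$dummyhashbody:19000:0:99999:7:::
legacy:$1$abcdefgh$dummyhashbody:19000:0:99999:7:::
oldbox:ab0123456789.:19000:0:99999:7:::
app:$2y$10$dummysaltdummyhashbodyvalue:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
EOF

audit_shadow_file "$SAMPLE_SHADOW"
echo "legacy hashes: $(count_legacy_hashes "$SAMPLE_SHADOW")"
```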

Crack using online tools

findmyhash

findmyhash LM -h 6c3d4c343f999422aad3b435b51404ee:bcd477bfdb45435a34c6a38403ca4364

Cracking

Other file formats

zip

fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip

zip2john file.zip > zip.john
john zip.john

7z

cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z

# Download and install the requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
chmod +x 7z2john.pl
./7z2john.pl file.7z > 7zhash.john

PDF

apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
# pdf2john didn't work well here; john couldn't determine the hash type

# To permanently decrypt the PDF once the password is known
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf

JWT

git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack

# Brute-force using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

# Brute-force using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john  # It does not work with Kali's john

NTLM cracking

# Format: USER:ID:LM_HASH:NT_HASH:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot

Keepass

sudo apt-get install -y kpcli  # Install KeePass tools like keepass2john
keepass2john file.kdbx > hash  # The database is protected by a password only
keepass2john -k <file-password> file.kdbx > hash  # The database also requires a key file

# A KeePass database can use a password and/or a key file as credentials; if it uses both, provide both to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hash

LUKS image

Method 1

bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/  # The mapped device mylucksopen should appear here
mount /dev/mapper/mylucksopen /mnt

Method 2

cryptsetup luksDump backup.img  # Check that the payload offset is 4096
dd if=backup.img of=luckshash bs=512 count=4097  # Payload offset + 1 sectors
hashcat -m 14600 luckshash /usr/share/wordlists/rockyou.txt
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/  # The mapped device mylucksopen should appear here
mount /dev/mapper/mylucksopen /mnt