This guide will serve as a starting point for getting familiar with a general password cracking workflow. This guide assumes that you have the ability to execute applications from the command line.

For this attack plan, the password hashes are NTLM (hashcat mode 1000) targets containing plain text user passwords. NTLM is a "fast" hash, meaning that the computational burden to create NTLM hashed data is low. Fast hashes like NTLM allow us to run tests in a greater keyspace area without trading away too much of our valuable (and usually limited) time. The hashed passwords will contain plaintext values, so a wordlist/dictionary attack is a good starting point. If the hashes being evaluated contained data other than plain text, it would be prudent to start with a different approach.

[[HashCat]] is the tool of choice for the examples below, but you can use this method with any cracking software. At every step in this process you have the opportunity to consider any new data that has been revealed and tune your attack plan to be more efficient.

If you are trying to get your hands on some local Windows hashes you can use some of the methods described in the [[Windows Local Password Hashes]] section. If you are trying to extract hashes from a Windows domain, you can find multiple extraction methods in the [[Windows Domain Password Hashes]] section. If you are already in possession of NTLM hashes for cracking and you need to format them for processing, you can find some useful information [[Data Dumps|here]]. If you are here to learn and just want a good set of hashes in a complexity gradient, you can find them right [[Example NTLM Hashes|here]]. Alternatively, there are several tools available online to generate your own test hashes.

Follow this list in the order it appears as a high level strategy for cracking your data set.

## Custom Wordlist Attack
#wordlists #hashcat_attacks

Compile your known plain text passwords into a [[Wordlist Generation|custom wordlist]] file.
Pass this to your tool of choice as a straight [[HashCat#Dictionary Attacks|dictionary attack]].

```bash
hashcat -a 0 -m 1000 -w 4 hash.txt custom_list.txt
```

## Custom Wordlist Attack + Rules
#wordlists #hashcat_attacks

Run your [[Wordlist Generation|custom wordlist]] with permutation [[Rules|rules]] to crack slight variations.

```bash
hashcat -a 0 -m 1000 -w 4 hash.txt custom_list.txt -r best64.rule --loopback
```

## Wordlist Attacks
#wordlists #hashcat_attacks

Perform a broad dictionary attack, looking for common passwords and leaked passwords in well-known [[Wordlists and Dictionaries|dictionaries/wordlists]].

```bash
hashcat -a 0 -m 1000 -w 4 hash.txt dict.txt
```

## Wordlist Attacks + Rules
#wordlists #hashcat_attacks

Add [[Rules|rule]] permutations to the broad dictionary attack, looking for subtle changes to common words/phrases and leaked passwords.

```bash
hashcat -a 0 -m 1000 -w 4 hash.txt dict.txt -r best64.rule --loopback
```

## Fingerprint Custom Wordlist + Rules
#wordlists #hashcat_attacks #awk

Add any newly discovered passwords to your [[Custom Dictionary Generation|custom wordlist]] and run an attack again with permutation [[Rules|rules]], looking for any other subtle variations.

```bash
# print everything after the first colon (hash:plain) so plains that contain ':' are kept intact
awk '{print substr($0, index($0, ":") + 1)}' hashcat.potfile >> custom_list.txt
```

Then run the custom wordlist with a larger rule set:

```bash
hashcat -a 0 -m 1000 -w 4 hash.txt custom_list.txt -r dive.rule --loopback
```

## Mask Attacks
#wordlists #hashcat_attacks

Now we will use [[Mask Attacks|mask attacks]] included with Hashcat to search the keyspace for common password lengths and patterns, based on the [[Wordlists and Dictionaries#Rockyou.txt|RockYou]] dataset.

```bash
hashcat -a 3 -m 1000 -w 4 hash.txt rockyou-1-60.hcmask
```

## Hybrid Wordlist + Rules
#wordlists #hashcat_attacks

Using a dictionary of your choice, conduct [[HashCat#Hybrid Attacks|hybrid attacks]] looking for larger variations of common words or known passwords by appending/prepending masks to those candidates.
```bash
hashcat -a 6 -m 1000 -w 4 hash.txt dict.txt rockyou-1-60.hcmask
hashcat -a 7 -m 1000 -w 4 hash.txt rockyou-1-60.hcmask dict.txt
```

## Update Fingerprint Custom Wordlist + Rules
#wordlists #hashcat_attacks #awk

Add any newly discovered passwords back to your custom wordlist and run an attack again with permutation rules, looking for any other subtle variations.

```bash
awk '{print substr($0, index($0, ":") + 1)}' hashcat.potfile >> custom_list.txt
```

```bash
hashcat -a 0 -m 1000 -w 4 hash.txt custom_list.txt -r dive.rule --loopback
```

## Combinator Attacks
#wordlists #hashcat_attacks

Using a dictionary of your choice, perform a [[HashCat#Combinator Attacks|combinator attack]] by individually combining the dictionary's password candidates together to form new candidates.

```bash
hashcat -a 1 -m 1000 -w 4 hash.txt dict.txt dict.txt
```

## Update Fingerprint Custom Wordlist + Rules
#wordlists #hashcat_attacks #awk

Add any newly discovered passwords back to your custom wordlist and perform a hybrid attack against those newly acquired passwords.

```bash
awk '{print substr($0, index($0, ":") + 1)}' hashcat.potfile >> custom_list.txt
```

```bash
hashcat -a 6 -m 1000 -w 4 hash.txt custom_list.txt rockyou-1-60.hcmask
```

```bash
hashcat -a 7 -m 1000 -w 4 hash.txt rockyou-1-60.hcmask custom_list.txt
```

## Custom Mask Attacks
#wordlists #hashcat_attacks

By now the easier, weaker passwords may have fallen to cracking, but some still remain. Using [[PACK - Password Analysis and Cracking Kit|P.A.C.K.]], create custom mask attacks based on your currently cracked passwords. Be sure to sort out masks that match the previous rockyou-1-60.hcmask list, since those have already been run.

```bash
hashcat -a 3 -m 1000 -w 4 hash.txt custom_masks.hcmask
```

## Brute Force Attacks
#bruteforce #hashcat_attacks

When all else fails, begin a standard [[HashCat#Brute Force Attacks|brute force attack]], being selective as to how large a keyspace your machine can adequately brute-force.
Above 10 characters is usually pointless due to hardware limitations and password entropy/complexity.

```bash
hashcat -a 3 -m 1000 -w 4 hash.txt -i ?a?a?a?a?a?a?a?a
```

[[Home]] #methodology #reference
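The fingerprint steps above feed cracked plains from hashcat.potfile back into the custom wordlist, and the custom mask step looks at which patterns have already fallen. As an added example (not code from the original page, hashcat or P.A.C.K.), this Python audit helper parses a potfile the way those steps assume (32-hex NTLM hash, first colon, plain, with hashcat's `$HEX[...]` encoding for awkward plains), measures coverage of hash.txt, and reports length and hcmask-style pattern counts for the audit write-up; the hashes and plains are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample input standing in for hash.txt and hashcat.potfile.
# The NTLM values are zero-padded placeholders, not real hashes.
H = [f"{i:032x}" for i in range(1, 5)]
HASH_TXT = "\n".join(H) + "\n"
POTFILE = (
    f"{H[0]}:Summer2023!\n"
    f"{H[1]}:pass:word\n"           # plain containing ':' (awk '$2' would truncate it)
    f"{H[2]}:$HEX[50406c6c3a31]\n"  # hashcat hex-encodes awkward plains; decodes to P@ll:1
    f"{H[0]}:Summer2023!\n"         # duplicate entry, deduplicated below
)
POT_LINE = re.compile(r"^([0-9a-fA-F]{32}):(.*)$")  # NTLM hash, first colon, plain
HEX_PLAIN = re.compile(r"^\$HEX\[([0-9a-fA-F]*)\]$")

def parse_potfile(text):
    """Map NTLM hash -> plain. Splits on the first colon only and decodes $HEX[...]."""
    cracked = {}
    for line in text.splitlines():
        m = POT_LINE.match(line)
        if not m:
            continue  # skip blank or non-NTLM lines (other modes share the potfile)
        h, plain = m.group(1).lower(), m.group(2)
        hx = HEX_PLAIN.match(plain)
        if hx:
            plain = bytes.fromhex(hx.group(1)).decode("latin-1")
        cracked[h] = plain
    return cracked

def mask_of(plain):
    """hcmask-style pattern: ?l lower, ?u upper, ?d digit, ?s anything else (incl. non-ASCII)."""
    cls = lambda c: "?l" if "a" <= c <= "z" else "?u" if "A" <= c <= "Z" else "?d" if "0" <= c <= "9" else "?s"
    return "".join(cls(c) for c in plain)

def audit(hash_txt, potfile):
    """Coverage and pattern summary of hash.txt against the potfile."""
    targets = {l.strip().lower() for l in hash_txt.splitlines() if l.strip()}
    hits = {h: p for h, p in parse_potfile(potfile).items() if h in targets}
    masks = Counter(mask_of(p) for p in hits.values())
    lengths = Counter(len(p) for p in hits.values())
    return {
        "total": len(targets),
        "cracked": len(hits),
        "pct": round(100.0 * len(hits) / len(targets), 1) if targets else 0.0,
        "top_masks": masks.most_common(5),
        "lengths": dict(sorted(lengths.items())),
        "plains": sorted(set(hits.values())),  # deduplicated, for the feedback wordlist step
    }
```

`print(audit(HASH_TXT, POTFILE))` on the constructed data reports 3 of 4 hashes cracked; on real data, point the two inputs at the contents of hash.txt and hashcat.potfile.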