Hashes
Online Databases
LM, NTLM, md2, md4, md5, md5(md5_hex), md5-half, sha1, sha224, sha256, sha384, sha512, ripeMD160, whirlpool, MySQL 4.1+ (sha1(sha1_bin)), QubesV3.1BackupDefaults
NT Hash (SAM)
Unix password
/etc/shadow
Username | Encrypted password | Last PW change | Min. PW age | Max. PW age | Warning period | Inactivity period | Expiration date | Unused |
$<type>$<salt>$<hashed>
ID | Cryptographic Hash Algorithm |
| |
| |
| Eksblowfish |
| |
| |
| |
| |
| |
| |
| Argon2 |
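The nine-field layout and the `$<type>$<salt>$<hashed>` password field described above, as an added example (not from the original page): a parser that audits shadow entries and flags legacy schemes and empty passwords. The id map uses the standard crypt(3) identifiers; which schemes get flagged, the function names and all sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Well-known crypt(3) ids -> (name, legacy?). Which ids count as legacy is this example's policy.
SCHEMES = {"1": ("MD5-crypt", True), "5": ("SHA-256-crypt", False),
           "6": ("SHA-512-crypt", False), "2a": ("bcrypt (Eksblowfish)", False),
           "2b": ("bcrypt (Eksblowfish)", False), "2y": ("bcrypt (Eksblowfish)", False),
           "y": ("yescrypt", False), "argon2id": ("Argon2id", False)}

@dataclass
class ShadowEntry:
    user: str
    state: str   # "hashed", "locked", "no-login" or "empty"
    scheme: str
    salt: str
    weak: bool   # True = flag for review

def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    user, pw = fields[0], fields[1]
    if pw == "":                       # empty field: account has no password
        return ShadowEntry(user, "empty", "", "", True)
    body = pw.lstrip("!")              # leading "!" marks a locked password
    if body == "" or body.startswith("*"):
        return ShadowEntry(user, "no-login", "", "", False)
    state = "locked" if pw.startswith("!") else "hashed"
    if not body.startswith("$"):       # no $<type>$ prefix: traditional DES crypt
        return ShadowEntry(user, state, "DES-crypt", body[:2], True)
    parts = body.split("$")            # ['', type, ..., hashed]
    name, weak = SCHEMES.get(parts[1], ("unknown", True))  # unknown ids are flagged
    if parts[1].startswith("2"):       # bcrypt: $2b$<cost>$<22-char salt><hash>
        salt = parts[-1][:22]
    else:                              # skip parameters such as rounds=5000
        salt = next((p for p in parts[2:-1] if "=" not in p), "")
    return ShadowEntry(user, state, name, salt, weak)

def audit(lines):
    entries = [parse_shadow_line(l) for l in lines if l.strip()]
    return [(e.user, e.scheme or e.state) for e in entries if e.weak]

# Constructed sample entries; salts and hashes are placeholders, not real digests.
SAMPLE = [
    "root:$6$rounds=5000$SaltSaltSalt$PLACEHOLDERHASH:19000:0:99999:7:::",
    "alice:$1$OldSalt1$PLACEHOLDERHASH:18000:0:99999:7:::",
    "bob:abCONSTRUCTED:17000:0:99999:7:::",
    "svc:!$6$SvcSalt$PLACEHOLDERHASH:19000:0:99999:7:::",
    "guest::18000:0:99999:7:::",
]
```

Calling `audit(SAMPLE)` returns the accounts to review: the MD5-crypt and DES-crypt entries and the account with an empty password field.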
Crack /etc/shadow hashes
Hash Identifier
Online:
See Privilege escalation - Linux
/etc/passwd
Cracking Linux Credentials
Unshadow
Create custom password list
Username lists
Password lists
Hashcat generating rule-based Wordlist
Hashcat Existing Rules
Try best64.rule first
OneRuleToRuleThemAll
Crunch
Password lists
Cupp
Password lists
CeWL
Improve the custom wordlist
As we all know, few passwords are just simple words. Many use numbers and special characters. To improve our password list we can use John the Ripper. We can supply our own rules, or we can just use the standard John the Ripper rules.
John The Ripper
John will output the cracked passwords to the console and to the file "john.pot" (~/.john/john.pot) in the current user's home directory.
Hash Format | Example Command | Description |
afs | | AFS (Andrew File System) password hashes |
bfegg | | bfegg hashes used in Eggdrop IRC bots |
bf | | Blowfish-based crypt(3) hashes |
bsdi | | BSDi crypt(3) hashes |
crypt(3) | | Traditional Unix crypt(3) hashes |
des | | Traditional DES-based crypt(3) hashes |
dmd5 | | DMD5 (Dragonfly BSD MD5) password hashes |
dominosec | | IBM Lotus Domino 6/7 password hashes |
EPiServer SID hashes | | EPiServer SID (Security Identifier) password hashes |
hdaa | | hdaa password hashes used in Openwall GNU/Linux |
hmac-md5 | | hmac-md5 password hashes |
hmailserver | | hmailserver password hashes |
ipb2 | | Invision Power Board 2 password hashes |
krb4 | | Kerberos 4 password hashes |
krb5 | | Kerberos 5 password hashes |
LM | | LM (Lan Manager) password hashes |
lotus5 | | Lotus Notes/Domino 5 password hashes |
mscash | | MS Cache password hashes |
mscash2 | | MS Cache v2 password hashes |
mschapv2 | | MS CHAP v2 password hashes |
mskrb5 | | MS Kerberos 5 password hashes |
mssql05 | | MS SQL 2005 password hashes |
mssql | | MS SQL password hashes |
mysql-fast | | MySQL fast password hashes |
mysql | | MySQL password hashes |
mysql-sha1 | | MySQL SHA1 password hashes |
NETLM | | NETLM (NT LAN Manager) password hashes |
NETLMv2 | | NETLMv2 (NT LAN Manager version 2) password hashes |
NETNTLM | | NETNTLM (NT LAN Manager) password hashes |
NETNTLMv2 | | NETNTLMv2 (NT LAN Manager version 2) password hashes |
NEThalfLM | | NEThalfLM (NT LAN Manager) password hashes |
md5ns | | md5ns (MD5 namespace) password hashes |
nsldap | | nsldap (OpenLDAP SHA) password hashes |
ssha | | ssha (Salted SHA) password hashes |
NT | | NT (Windows NT) password hashes |
openssha | | OPENSSH private key password hashes |
| PDF (Portable Document Format) password hashes | |
phpass-md5 | | PHPass-MD5 (Portable PHP password hashing framework) password hashes |
phps | | PHPS password hashes |
pix-md5 | | Cisco PIX MD5 password hashes |
po | | Po (Sybase SQL Anywhere) password hashes |
rar | | RAR (WinRAR) password hashes |
raw-md4 | | Raw MD4 password hashes |
raw-md5 | | Raw MD5 password hashes |
raw-md5-unicode | | Raw MD5 Unicode password hashes |
raw-sha1 | | Raw SHA1 password hashes |
raw-sha224 | | Raw SHA224 password hashes |
raw-sha256 | | Raw SHA256 password hashes |
raw-sha384 | | Raw SHA384 password hashes |
raw-sha512 | | Raw SHA512 password hashes |
salted-sha | | Salted SHA password hashes |
sapb | | SAP CODVN B (BCODE) password hashes |
sapg | | SAP CODVN G (PASSCODE) password hashes |
sha1-gen | | Generic SHA1 password hashes |
skey | | S/Key (One-time password) hashes |
ssh | | SSH (Secure Shell) password hashes |
sybasease | | Sybase ASE password hashes |
xsha | | xsha (Extended SHA) password hashes |
zip | | ZIP (WinZip) password hashes |
John - SHA-256
Hashcat
Hashcat - Generic hash types
Crunch Wordlist Generator - Create Single Characters
With bash:
SHA1
IPMI
IPMI (623 UDP)
General
Tool
HP iLO
Exegol:
SAM - NT hash
Online
MD5
Mysql bcrypt Blowfish (Unix) $2*$
MySQL (3306)
$2*$
NTLMv2 - Responder
LLMNR NBT-NS Poisoning
Kerberoast - SPN
Kerberoast
$krb5tgs$23$*: RC4 (type 23) encrypted ticket
$krb5tgs$18$*: AES-256 (type 18)
While it is possible to crack AES-128 (type 17) and AES-256 (type 18) TGS tickets using Hashcat, it will typically be significantly more time-consuming than cracking an RC4 (type 23) encrypted ticket.
$krb5tgs$23$
If extracted with Mimikatz - Also see Internal Pentest - Kerberoast
This will create a file called crack_file.
$krb5tgs$18$
ASREPRoast
Misconfiguration