Cracking

Don't go home with closed door.

Hash Reference

Shadow Hash

sample: root:$6$....:<some_number>:0:<some_number>::::

john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt root.hash

PGP / GPG

If you discover any file with this extension, file:

.keys

.asc

creds file:

.pgp

Follow the steps below,

  1. Convert to john

gpg2john hack.asc > crackthis.txt

  1. Crack with John

gpg --import hack.asc
<input password>

  1. Open gpg file

gpg --decrypt creds.gpg

Wordpress Database Hash

The database maybe like this:

john crack --wordlist=/usr/share/wordlists/rockyou.txt

PFX (SSL Private and Public Key)

Simple way:

# https://github.com/crackpkcs12/crackpkcs12

./crackpkcs12 -d /usr/share/wordlist/rockyou.txt <file.pfx>

Backup plan:

pfx2john.py <file.pfx> > hashpfx.out
john -format=pfx hashpfx.out -w=/usr/share/wordlist/rockyou.txt

NTLM2 Hash

Sometimes you got it from responder or rubeus.exe

john user_ntlmv2.hash --wordlist=/usr/share/wordlists/rockyou.txt
john user_ntlmv2.hash --show

NTLM Hash

hashcat -m 1000 --f user_ntlm.hash /usr/share/wordlists/rockyou.txt

SSH Key

Sometimes you got it from /.ssh/id_rsa

ssh2john id_rsa > crackme
john --wordlists=/usr/share/wordlists/rockyou.txt crackme

Don't forget to change permission id_rsa to 600if you wanna use it for login.

chmod 600 id_rsa

JWT Signature

  1. save jwt to a file called "jwt"

  2. run john

john jwt

GPO Passwd

source file: \hostname.domain\Policies{00000000–0000-0000–0000-00000000000}\MACHINE\Preferences\Groups\Groups.xml

gpp-decrypt <hash>

Kerberost Hash

If you get from GetUserSPNs

john --format:krb5asrep /tmp/Kerberos --wordlist=/usr/share/wordlists/rockyou.txt
PreviousFile UploadNextShell & Stabilization

Last updated