RTO
  • Getting Started
    • What is Red Teaming?
    • What is OPSEC?
    • Primum non nocere?
    • Attack Lifecycle
    • Engagement Planning
    • Post-Engagement & Reporting
  • Command & Control
    • Red Team Ops Lab
    • Cobalt Strike
    • Starting the Team Server
    • Listener Management
    • Generating Payloads
    • Interacting with Beacon
    • Pivot Listeners
    • Running as a Service
  • External Reconnaissance
    • External Reconnaissance
    • DNS Records
    • Google Dorks
    • Social Media
  • Initial Compromise
    • Initial Compromise
    • Password Spraying
    • Internal Phishing
    • Initial Access Payloads
    • Visual Basic for Applications (VBA) Macros
    • Remote Template Injection
    • HTML Smuggling
  • Host Reconnaissance
    • Host Reconnaissance
    • Processes
    • Seatbelt
    • Screenshots
    • Keylogger
    • Clipboard
    • User Sessions
  • Host Persistence
    • Host Persistence
    • Task Scheduler
    • Startup Folder
    • Registry AutoRun
    • Hunting for COM Hijacks
    • Headless Cobalt Strike
  • Host Privilege Escalation
    • Host Privilege Escalation
    • Windows Services
    • Unquoted Service Paths
    • Weak Service Permissions
    • Weak Service Binary Permissions
    • UAC Bypasses
  • Elevated Host Persistence
    • Elevated Host Persistence
    • Windows Services
    • WMI Event Subscriptions
  • Credential Theft
    • Obtaining Credential Material
    • Beacon + Mimikatz
    • NTLM Hashes
    • Kerberos Encryption Keys
    • Security Account Manager
    • Domain Cached Credentials
    • Extracting Kerberos Tickets
    • DCSync
  • Password Cracking Tips & Tricks
    • Password Cracking Tips & Tricks
    • Wordlists
    • Wordlist + Rules
    • Masks
    • Mask Length & Mask Files
    • Combinator
    • Hybrid
    • kwprocessor
  • Domain Reconnaissance
    • Domain Recon
    • PowerView
    • SharpView
    • ADSearch
  • User Impersonation
    • User Impersonation
    • Pass the Hash
    • Pass the Ticket
    • Overpass the Hash
    • Token Impersonation
    • Make Token
    • Process Injection
  • Lateral Movement
    • Lateral Movement
    • Windows Remote Management
    • PsExec
    • Windows Management Instrumentation (WMI)
    • The Curious Case of CoInitializeSecurity
    • DCOM
  • Session Passing
    • Session Passing
    • Beacon Passing
    • Foreign Listener
    • Spawn & Inject
  • Pivoting
    • SOCKS Proxies
    • Linux Tools
    • Windows Tools
    • Browsers
    • Reverse Port Forwards
    • NTLM Relaying
  • Data Protection API
    • Data Protection API
    • Credential Manager
    • Scheduled Task Credentials
  • Kerberos
    • Kerberos
    • Kerberoasting
    • ASREP Roasting
    • Unconstrained Delegation
    • Constrained Delegation
    • Alternate Service Name
    • S4U2Self Abuse
    • Resource-Based Constrained Delegation
    • Shadow Credentials
  • Active Directory Certificate Services
    • Active Directory Certificate Services
    • Finding Certificate Authorities
    • Misconfigured Certificate Templates
    • NTLM Relaying to ADCS HTTP Endpoints
    • User & Computer Persistence
  • Group Policy
    • Abusing Group Policy
    • Modify Existing GPO
    • Create & Link a GPO
  • MS SQL Servers
    • MS SQL Servers
    • MS SQL Impersonation
    • MS SQL Command Execution
    • MS SQL Lateral Movement
    • MS SQL Privilege Escalation
  • Domain Dominance
    • Domain Dominance
    • Silver Tickets
    • Golden Tickets
    • Diamond Tickets
    • Forged Certificates
  • Forest & Domain Trusts
    • Forest & Domain Trusts
    • Parent/Child
    • One-Way Inbound
    • One-Way Outbound
  • Local Administrator Password Solution
    • Local Administrator Password Solution
    • Reading ms-Mcs-AdmPwd
    • Password Expiration Protection
    • LAPS Backdoors
  • Microsoft Defender Antivirus
    • Microsoft Defender Antivirus
    • On-Disk Detections
    • Artifact Kit
    • In-Memory Detections
    • Resource Kit
    • AMSI vs Post-Exploitation
    • Behavioural Detections
  • Application Whitelisting
    • AppLocker
    • Policy Enumeration
    • Writeable Paths
    • Living Off The Land Binaries, Scripts and Libraries
    • PowerShell CLM
    • Beacon DLL
  • Data Hunting & Exfiltration
    • Data Hunting & Exfiltration
    • File Shares
    • Databases
  • Extending Cobalt Strike
    • Extending Cobalt Strike
    • Mimikatz Kit
    • Jump & Remote-Exec
    • Beacon Object Files
    • Malleable Command & Control
Powered by GitBook
On this page
  1. Password Cracking Tips & Tricks

Wordlists

A "wordlist" or "dictionary" attack is the easiest mode of password cracking, in which we simply read in a list of password candidates and try each one line-by-line. There are many popular lists out there, including the venerable rockyou list. The SecLists repo also have an expansive collection for different applications.

hashcat.exe -a 0 -m 1000 ntlm.txt rockyou.txt

58a478135a93ac3bf058a5ea0e8fdb71:Password123

Where:

  • -a 0 specifies the wordlist attack mode.

  • -m 1000 specifies that the hash is NTLM.

  • ntlm.txt is a text file containing the NTLM hash to crack.

  • rockyou.txt is the wordlist.

Use hashcat.exe --help to get a complete list of attack mode and hash types.

This cracks practically instantly because 'Password123' is present in the wordlist:

PS C:\> Select-String -Pattern "^Password123$" -Path rockyou.txt -CaseSensitive

rockyou.txt:33523:Password123

\

Although fast it's not very flexible, since if the password is not in the list, we won't crack it.

PreviousPassword Cracking Tips & TricksNextWordlist + Rules

Last updated 1 year ago