When on an engagement, it is common to need a custom wordlist for either Password Spraying or Password Cracking once you have captured some hashes. This post is a quick guide to leveraging Hashcat rules to help you build effective custom wordlists.
To start, let’s begin with setting the scenario up. In our fictional scenario, we’ll be targeting an Active Directory domain named NBA.local. Let’s begin by creating a handful of words that would be likely for this domain. We’re only going to start with a few words, as our list is going to grow exponentially when we start applying rules to them. In a real engagement, you may want to gather 10-20 words to use.
Here’s the list I started with.
Now we’ll take this list, and feed it through Hashcat’s Best64 rule.
You can see from the screenshot that we turned our list that previously contained 4 words into a list that now contains 308 words! But if you look through the list, you’ll see it doesn’t contain any symbols. To fix this, we can create our own custom rule called append_exclamation.rule that contains the following:
Now we can run hashcat again, but this time we’ll specify both rules instead of just the one. Keep in mind that you may get duplicates, so you may also want to pipe the output through sort -u.
This time when we check the number of words in the list, we see exactly double what we had before! This is because the list has the same 308 words as last time, but now also has them all with an exclamation added.
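To make the growth visible without a screenshot, here is a small interpreter for a subset of Hashcat’s rule language, applied to a word list the way hashcat --stdout -r rules.rule words.txt would. This is an added example, not Hashcat’s own code; the four seed words and the dozen rules are constructed (the post’s own list is not shown). Each rule emits one candidate per word, so a list of n words fed through a file of k rules yields n × k candidates before deduplication; 4 × 77 = 308 matches the 77 rules in hashcat’s best64.rule. The example also models stacked -r options: hashcat combines every rule of the first file with every rule of the second, so a second file that contains only $! would turn every candidate into one ending in “!”; to get the original 308 plus the 308 with “!” appended (the “exactly double” result), the second file is assumed here to hold the no-op rule : as well as $!.

```python
"""Tiny interpreter for a subset of Hashcat's rule language, applied to a word
list the way `hashcat --stdout -r <rule file> words.txt` would. Added example,
not Hashcat's own code; the seed words and the rule lists are constructed."""

import itertools

SEED_WORDS = ["nba", "basketball", "lakers", "Summer"]   # constructed 4-word seed list

# A dozen hand-picked rules in Hashcat syntax; best64.rule is a longer file of the same kind.
SAMPLE_RULES = [":", "l", "u", "c", "t", "r", "d", "$1", "$2$3", "^1", "]", "["]

# Assumed content of append_exclamation.rule: emit each word unchanged AND with '!' appended.
APPEND_EXCLAMATION_RULES = [":", "$!"]

# Single-character rule functions that take no argument.
UNARY = {
    ":": lambda w: w,                                  # no-op: pass the word through
    "l": str.lower,                                    # lowercase all
    "u": str.upper,                                    # uppercase all
    "t": str.swapcase,                                 # toggle case of every character
    "c": lambda w: w[:1].upper() + w[1:].lower(),      # capitalize first, lowercase rest
    "C": lambda w: w[:1].lower() + w[1:].upper(),      # lowercase first, uppercase rest
    "r": lambda w: w[::-1],                            # reverse
    "d": lambda w: w + w,                              # duplicate
    "]": lambda w: w[:-1],                             # delete last character
    "[": lambda w: w[1:],                              # delete first character
}

def apply_rule(word, rule):
    """Apply one rule line (a sequence of functions) to a word."""
    w = word
    i = 0
    while i < len(rule):
        fn = rule[i]
        if fn == " ":                 # spaces may separate functions on a rule line
            pass
        elif fn in UNARY:
            w = UNARY[fn](w)
        elif fn == "$":               # $X: append character X
            i += 1
            w += rule[i]
        elif fn == "^":               # ^X: prepend character X
            i += 1
            w = rule[i] + w
        elif fn == "s":               # sXY: replace every X with Y
            w = w.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"unsupported rule function {fn!r} in {rule!r}")
        i += 1
    return w

def expand(words, *rule_files):
    """Mimic stacked `-r a.rule -r b.rule`: every rule of the first file is
    combined with every rule of the next, so candidate counts multiply."""
    out = []
    for word in words:
        for chain in itertools.product(*rule_files):
            w = word
            for rule in chain:
                w = apply_rule(w, rule)
            out.append(w)
    return out

def unique_sorted(candidates):
    """What piping the output through `sort -u` would leave."""
    return sorted(set(candidates))

if __name__ == "__main__":
    single = expand(SEED_WORDS, SAMPLE_RULES)
    stacked = expand(SEED_WORDS, SAMPLE_RULES, APPEND_EXCLAMATION_RULES)
    print(f"{len(SEED_WORDS)} words x {len(SAMPLE_RULES)} rules = {len(single)} candidates, "
          f"{len(unique_sorted(single))} unique")
    print(f"stacked with {APPEND_EXCLAMATION_RULES}: {len(unique_sorted(stacked))} unique")
    for candidate in unique_sorted(stacked)[:12]:
        print(candidate)
```

Because the no-op rule : is in the second file and none of the first file’s rules adds a “!”, the two halves of the stacked output never overlap, which is exactly why the unique count doubles.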
This post is a continuation of my last one, which covered cracking encrypted .zip archives. But what happens if you come across an encrypted 7-Zip archive? 7-Zip’s encryption is actually quite good and can take a lot of time to brute-force, but this guide will show how weak passwords can still break good encryption.
I’ll use LightWeight from HackTheBox as an example for this guide. Please note that this post does not intend to serve as a walkthrough for the box.
To begin, we already have the archive we wish to crack on our filesystem. Our goal is to crack the file named backup.7z.
We try to open the archive using 7z, but we’re prompted for a password that we do not know. When prompted, I entered the word password in the example below, but that did not work.
7z x backup.7z
We can start by using zip2john, but we find that the tool is unable to obtain the hash.
To proceed, we’ll need a tool called 7z2john. If you get an error when trying to run this tool, you may need to install the following package.
sudo apt install libcompress-raw-lzma-perl -y
With that package installed, let’s locate 7z2john and copy the full path.
Now let’s run this tool against backup.7z.
Nice! We’ve extracted the hash. I’ll rerun the command and redirect the output into a file named lightweight7z.hash.
Now let’s open the file in vi so we can remove the leading prefix. With the cursor at the top, I’m going to enter 10x while still in command mode so that I delete the first 10 characters. We should be left with only the hash now. To write my changes and quit, I’ll enter :wq
With the hash in hand, we’re ready to pass the hard work over to hashcat. First, we need to identify what numeric value hashcat assigns to 7-Zip archives. Let’s run hashcat --example-hashes and search the results for 7-Zip. We find that we’ll need mode 11600.
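The 10x step works because 7z2john writes john-style lines of the form archive name, colon, hash (backup.7z: is exactly 10 characters), and hashcat will not accept that prefix. Counting characters breaks as soon as the archive has a different name, so here is an added example (not 7z2john’s or hashcat’s code) that strips the prefix by locating the $7z$ signature instead, and maps the signature to the hashcat mode the post found with --example-hashes. The sample line is constructed: its hex fields are placeholders, not a real archive hash.

```python
"""Prepare 7z2john output for hashcat by finding the '$7z$' signature instead of
deleting a fixed number of characters. Added example; the sample line is
constructed with placeholder fields and is not a real hash."""

# Hash signature -> hashcat mode, for the archive formats this series has covered.
# (PKZIP has several modes in the 17200 range depending on the archive, so it is
# deliberately not guessed here; confirm with `hashcat --example-hashes`.)
MODE_BY_SIGNATURE = {
    "$7z$": 11600,    # 7-Zip
    "$zip2$": 13600,  # WinZip (AES)
}

SAMPLE_7Z2JOHN_LINE = (
    "backup.7z:"                              # john-style prefix that vi '10x' removes
    "$7z$0$19$0$$16$" + "00" * 16             # constructed placeholder fields
    + "$12345678$32$16$" + "ab" * 32          # constructed placeholder fields
)

def split_john_line(line):
    """Return (label, hash) for a '<label>:<hash>' line, splitting at the
    '$<format>$' signature so the label may be any length."""
    line = line.rstrip("\n")
    for signature in MODE_BY_SIGNATURE:
        pos = line.find(signature)
        if pos >= 0:
            label = line[:pos].rstrip(":")    # e.g. 'backup.7z'
            return label, line[pos:]
    raise ValueError(f"no known archive-hash signature in line: {line[:40]!r}")

def hashcat_mode(hash_value):
    """Pick the -m value from the hash signature."""
    for signature, mode in MODE_BY_SIGNATURE.items():
        if hash_value.startswith(signature):
            return mode
    raise ValueError("unknown hash signature")

def to_hashcat_lines(john_lines):
    """Hash-only lines, one per archive, ready for `hashcat -m <mode> hashes.txt wordlist`."""
    return [split_john_line(line)[1] for line in john_lines if line.strip()]

if __name__ == "__main__":
    label, h = split_john_line(SAMPLE_7Z2JOHN_LINE)
    print(f"archive: {label}")
    print(f"hashcat -m {hashcat_mode(h)} ...")
    print(h)
```

Writing the result of to_hashcat_lines to a file gives the same content the vi edit produced, and a line whose name is longer or shorter than backup.7z no longer needs the count adjusted.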
As long as you have a wordlist ready, let’s throw this at hashcat!
After some time, we see that our password is cracked. The credential appears to be delete.
Let’s test this by running 7z x backup.7z again, but entering delete when prompted for the credential.
Now we see the archived .php files available to us in our present working directory!
That’s it! Cracking an archive like this is super quick and easy when the password is weak. While 7-Zip’s encryption is actually quite good and can make a strong password very difficult to crack, a weak password undoes that protection.
In my first guide in this series, I showed you how to capture NTLMv2 hashes by utilizing a tool called Responder.py. You can find that here.
In this guide, I will show you how to crack those hashes using a tool called Hashcat. Hashcat works best when you run it locally on your host machine, meaning not within a Virtual Machine. For that reason, I will show you how to set things up in Windows.
Navigate to your Downloads folder and extract the contents of the file. Note: you will need 7-Zip installed.
I like to Cut and Paste this extracted folder to my C:\ drive & then Rename it to make it easier to access.
I also like to rename the hashcat64.exe file to just hashcat.exe so I don’t have to remember to specify 64, but this is totally up to you.
You’ll want to make sure you have a Wordlist available on your filesystem. You don’t have to store it within the Hashcat folder, but doing so will make your command a bit easier when we’re ready to run the tool.
I transferred rockyou.txt from my Kali box and pasted it into the c:\hashcat\ folder.
Let’s also make sure our captured hashes.txt file is in this location.
If you’ve never used Hashcat before, I’d highly recommend checking out their website or reading up on the help output.
For our use case, this is the command that we’re going to run.
hashcat.exe -a 0 -m 5600 hashes.txt rockyou.txt -o cracked.txt -O
So what does this do? Let’s break it down.
-a is for the attack type. 0 is used to specify we’re performing a dictionary attack.
-m is used to specify what type of hashes we’re looking to crack. Hashcat supports cracking dozens of different hash types, so you’ll typically want to refer to their help documentation to know exactly which number to use. In our case, NTLMv2 hashes are represented by 5600.
hashes.txt is a positional parameter. Hashcat expects you to place the name of the file containing your hashes first, which is what we’re doing here.
rockyou.txt is another positional parameter. Hashcat expects the name of the file that you wish to use for your dictionary attack.
-o is used to specify an output file. This is where we’d like the cracked passwords to be stored. Hashcat records cracked passwords in hashcat.potfile in the hashcat directory whether or not you pass -o; if you don’t specify this flag, the potfile is the only place you’ll find them.
-O enables Hashcat’s optimized kernels, which run faster on most hardware but cap the maximum password length the attack can handle. You may not need to use this.
Now that we understand the command, let’s change into our hashcat directory and see if we can crack our hashes! Open up a Command Prompt window and enter the following commands:
cd c:\hashcat
hashcat.exe -a 0 -m 5600 hashes.txt rockyou.txt -o cracked.txt -O
Depending on your system, it may take a few minutes for the wordlist to be exhausted. Eventually, you should be able to view the results and see how many (if any) hashes were “Recovered”. In my case, we were able to recover two out of the three passwords.
Let’s view the contents of our output file.
The results show us two users in the NBA domain, along with their associated credentials.
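For mode 5600 each line of cracked.txt is the original hash followed by a colon and the recovered password, and the hash itself has the shape USER::DOMAIN:SERVERCHALLENGE:NTPROOFSTR:BLOB. Pulling the user, domain and password out of that for a report is easy to get wrong when a password itself contains a colon, so here is an added example (not Hashcat’s code) that splits from the left into exactly seven fields and sanity-checks the fixed-length hex parts. The two sample lines are constructed: made-up users and passwords, with placeholder hex of the correct lengths.

```python
"""Parse hashcat's cracked output for NTLMv2 (mode 5600): '<hash>:<password>' where
<hash> is USER::DOMAIN:SERVERCHALLENGE:NTPROOFSTR:BLOB. Added example, not
Hashcat's code; the sample lines are constructed with placeholder hex."""

from collections import Counter

SAMPLE_CRACKED = [
    # constructed: 16-hex-char server challenge, 32-hex-char NTProofStr, hex blob
    "jdoe::NBA:1122334455667788:" + "ab" * 16 + ":0101000000000000" + "cd" * 16 + ":Winter2019",
    # constructed: a password containing ':' is the case a naive split gets wrong
    "asmith::NBA:8877665544332211:" + "ef" * 16 + ":0101000000000000" + "01" * 16 + ":Lakers:24",
]

def is_hex(s):
    return len(s) > 0 and all(c in "0123456789abcdefABCDEF" for c in s)

def parse_cracked_line(line):
    """Split from the left into exactly 7 fields so the password keeps any ':' it contains."""
    parts = line.rstrip("\n").split(":", 6)
    if len(parts) != 7:
        raise ValueError(f"not an NTLMv2 hash:plain line: {line!r}")
    user, lm_slot, domain, challenge, proof, blob, password = parts
    if lm_slot != "":
        raise ValueError("second field is empty for NTLMv2 (no LM response)")
    if not (is_hex(challenge) and len(challenge) == 16):
        raise ValueError("server challenge must be 8 bytes (16 hex chars)")
    if not (is_hex(proof) and len(proof) == 32):
        raise ValueError("NTProofStr must be 16 bytes (32 hex chars)")
    if not is_hex(blob):
        raise ValueError("blob must be hex")
    return {"user": user, "domain": domain, "password": password}

def is_valid_line(line):
    try:
        parse_cracked_line(line)
        return True
    except ValueError:
        return False

def summarize(lines):
    """Parsed credentials plus a per-domain count of cracked accounts for the report."""
    creds = [parse_cracked_line(line) for line in lines if line.strip()]
    return creds, Counter(c["domain"] for c in creds)

if __name__ == "__main__":
    creds, per_domain = summarize(SAMPLE_CRACKED)
    for c in creds:
        print(f"{c['domain']}\\{c['user']}: {c['password']}")
    print(dict(per_domain))
```

The same function can be pointed at hashcat.potfile, since the potfile uses the identical hash:plain layout for this mode.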
So what about that third password? Well, we could continue to try a dictionary attack with other wordlists, but if the password is short, we should be able to brute-force it fairly quickly. Let’s give this a shot by revisiting the command we used before, but making a couple of slight changes.
Did you notice what’s different? We changed -a to 3 instead of 0. This specifies that we’re looking to brute-force the password instead of performing a dictionary attack.
We also dropped the rockyou.txt wordlist since we no longer need it and replaced it with -1 ?l?d?u ?1?1?1?1?1?1?1. Why did we do this? I’d highly recommend reviewing Hashcat’s documentation on mask attacks, but let’s try to understand this by breaking it into two parts.
Explaining -1 ?l?d?u
-1 is used to define a custom character set that is referenced as ?1. Within ?1, we’re storing the following:
?l is used to specify all lowercase letters in the alphabet.
?d is used to specify all number digits.
?u is used to specify all uppercase letters in the alphabet.
Explaining ?1?1?1?1?1?1?1
Now that ?1 is defined, we specify it seven times to indicate that we’re looking to crack a seven-character password that could contain a lowercase letter, uppercase letter, or digit in any position.
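Before launching a mask attack it is worth knowing how big the keyspace is. The following added example (not Hashcat’s code) parses the -1 ?l?d?u ?1?1?1?1?1?1?1 arguments the way hashcat interprets them, using hashcat’s documented built-in charsets (?l 26, ?u 26, ?d 10, ?s 33, ?a 95, ?h/?H 16), and multiplies the per-position sizes: ?1 holds 62 characters, so seven positions give 62^7 candidates. The hash rate used for the time estimate is a round-number assumption, not a measured value.

```python
"""Parse a Hashcat mask with -1..-4 custom charsets and compute its keyspace.
Added example, not Hashcat's code; it reimplements the charset rules hashcat
documents so a brute-force job can be sized before it is launched."""

import string

# Hashcat's built-in charsets. ?s is the 33 printable ASCII specials including space.
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(string.punctuation) | {" "},
    "h": set("0123456789abcdef"),
    "H": set("0123456789ABCDEF"),
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]

def expand_charset(spec, custom):
    """Turn a charset spec such as '?l?d?u' or 'nba?d' into a set of characters.
    ?1..?4 refer to custom charsets defined earlier; '??' is a literal '?'."""
    chars = set()
    i = 0
    while i < len(spec):
        if spec[i] == "?":
            if i + 1 >= len(spec):
                raise ValueError("dangling '?' in charset")
            key = spec[i + 1]
            if key == "?":
                chars.add("?")
            elif key in custom:
                chars |= custom[key]
            elif key in BUILTIN:
                chars |= BUILTIN[key]
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            chars.add(spec[i])
            i += 1
    return chars

def parse_mask_args(args):
    """Split the tail of a `hashcat -a 3` command line, e.g.
    ['-1', '?l?d?u', '?1?1?1?1?1?1?1'], into (custom charsets, mask)."""
    custom = {}
    i = 0
    while i + 1 < len(args) and args[i] in ("-1", "-2", "-3", "-4"):
        custom[args[i][1]] = expand_charset(args[i + 1], custom)
        i += 2
    if i != len(args) - 1:
        raise ValueError("expected exactly one mask after the charset options")
    return custom, args[i]

def position_sizes(mask, custom):
    """Candidate count at each mask position; a literal character contributes 1."""
    sizes = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            sizes.append(len(expand_charset(mask[i:i + 2], custom)))
            i += 2
        else:
            sizes.append(1)
            i += 1
    return sizes

def keyspace(args):
    """Total candidates the mask attack will try."""
    custom, mask = parse_mask_args(args)
    total = 1
    for n in position_sizes(mask, custom):
        total *= n
    return total

def seconds_to_exhaust(args, hashes_per_second):
    """Worst-case run time at an assumed cracking speed."""
    return keyspace(args) / hashes_per_second

if __name__ == "__main__":
    args = ["-1", "?l?d?u", "?1?1?1?1?1?1?1"]       # the mask from this post
    print(f"keyspace: {keyspace(args):,}")          # 62^7
    # 1e9 H/s is a constructed, round-number assumption, not a benchmark.
    print(f"worst case at 1e9 H/s: {seconds_to_exhaust(args, 1e9) / 3600:.1f} hours")
```

Replacing the mask with ?a?a?a?a?a?a?a?a (eight positions, all 95 printable characters) makes the keyspace 95^8, which is why adding a length or a symbol to a password matters far more than swapping one letter for a digit.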
Okay, let’s run the command now and see what happens.
Eventually we’ll crack this password and be able to view it within our cracked.txt file as well.
Restoring a Hashcat Session
Since brute-force jobs can take a long time to process, it’s important to know about the --restore option. By default, Hashcat will store your job in a session that you can call on later. You can resume your interrupted session by running the following command:
There’s a ton more information about Hashcat checkpoints in a blog post found over at https://miloserdov.org/?p=2089, but the above command may be the most useful if you’re just looking to recover from an unexpectedly closed session.
That’s it for this one! By now, you should know how to capture and crack weak credentials by simply having access to an Active Directory environment. But what happens when we’re unable to crack these passwords? Stay tuned for Part 3 to discuss NTLMv2-Relay attacks!