Pentest
  • Homepage
  • Pentest Links
  • 01 Prep
    • Target Inventory
    • OSINT and Dorks
    • Recon-ng dns zone snoop
    • ❤️Gitbook
  • 02 Scan
    • *Favorites
    • Burp
    • Dirb nikto wpscan etc
    • Enum Finger and Brute SSH
    • Fuzzing
    • Nmap
    • Open Port Checks OneLiner
    • Port Knocking
    • SSL Issues
    • Tcpdump
  • 03 Getting In
    • Char Evasion Tricks
    • Email SMTP
    • Eternal Blue
    • FTP
    • heartbleed
    • Metasploit
    • MySql
    • NFS
    • Oracle
    • Postgres
    • PowerShell Empire
    • Shells
    • rpc
    • SMB Samba
    • SSH Tips
    • SQLite3
    • Veil
  • 04 WebApps
    • Apache
    • Blogs
    • Coldfusion
    • Content Management (CMS)
    • Drupal
    • Elastix FreePBX
    • HttpFileServer (HFS)
    • IIS
    • IIS6 WebDav
    • Local File Inclusion (LFI)
    • Magento
    • Nagios
    • PFSense
    • php
    • php type juggling
    • phpLite
    • Web Injections
    • Javascript
    • Shellshock
    • SQL Injections (sqli)
    • SQLMap
    • WAF
    • Webmin
    • Web Scrape
    • Wordpress
  • 05 Passwords & Ciphers
    • Cipher Decrypt
    • Cipher RSA Wiener P-Q-E
    • Cracking
    • Dict Guess List Mangle
    • Get Hashes
    • Hydra Brutes
    • Images Exif Steg
    • Malware Analysis
    • Pull Hashes PCredz
    • SSH PrivKey Passphrase
    • Unzip Crack
    • Windows PW
  • 06 Linux PrivEsc
    • 1 Look Around
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • binaries
    • Buffer Overflow
    • bash prison
    • Monitor Files
    • mongodb node
    • Pivots
    • Remote Execute
    • Shell TTY Fix
    • TAR backups
    • Transfer Files
    • vnc
  • 07 Windows PrivEsc
    • 1 Windows cmd kungfu
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • Bloodhound
    • DLL Hijack MSF
    • Kerberos
    • Memory Analysis
    • NTDS
    • Powershell
    • Responder
    • Saved Creds runas
Powered by GitBook
On this page
  • Wordlists
  • Cewl
  • Lockout
  • Invalid Username - Hint
  • Guessing
  • Crackingstation
  • Trimming
  • Cleanup
  • pw-inspector (hydra)
  • Hashcat Mangling

Was this helpful?

  1. 05 Passwords & Ciphers

Dict Guess List Mangle

PreviousCrackingNextGet Hashes

Last updated 2 years ago

Was this helpful?

Wordlists

  • Ron Bowes:

  • wordlists

  • crackstation.net

  • Rockyou

Cewl

  • Crawl a website to create your own dictionary: Cewl.rb

Lockout

  • Check your lockout settings before you start making password guesses!

> net accounts /domain

Invalid Username - Hint

  • Try to login

  • Notice if Username gives different error "Invalid Username"

  • We can brute-force this based on error.

  • Go directly to

Guessing

Servername
Summer20
Autumn20
Orgname1-99
Welcome1-99
Password1-99
Pass11
P@$$w0rd
Company Name
Football local teams
Keyboard walks
Add number increments

Crackingstation

  • Crackingstation

  • Cloud: Cpu intense EC2 offer 1 compute unit .10/hr linux

  • GPU w/33 compute units = 2 nvidia gpu 2.00/hr

Trimming

wc -l dict
sort dict | uniq | wc -l
cat dict | sort -u | uniq > wordlist2.txt

grep -i nibble /opt/.../rockyou.txt > mydict.txt

grep -i 'user\|pass\|host\|name' mess.txt
grep -i -E 'user|pass|host|name' mess.txt

Cleanup

Feed Line-Returns instead of #
#hello#thisisbad#hardtoread

tr '#' '\n' < input.txt > output.txt

pw-inspector (hydra)

pw-inspector  ..help

-m 6   ..Min 6 digits
-M 12  ..Max 12 digits
-n     ..numbers
-u     ..upper
-l     ..lower
-p     ..non-alphnum
-c 2   ..Combination of 2

cat dict | pw-inspector -n
cat dict | pw-inspector -n > /tmp/newdict
cat dict | pw-inspector -m 6 -M 12 -n -u -l -c 2

Hashcat Mangling

hashcat -a 6 -m 0 example0.hash example.dict ?a?a?a
hashcat -a 6 -m 0 example0.hash ?a?a?a example.dict 

6: hybrid/brute
0: method
hash file
dictionary + 3 chars at the end/beginning

npk -

https://wiki.skullsecurity.org/Passwords
Hydra
https://github.com/Coalfire-Research/npk