We covered the basics of password attacks, including how to create wordlists using several tools such as CUPP, Crunch, CeWL, etc. We also covered and explained password attacks including dictionary attacks, brute-force attacks and rule-based attacks. This was part of the TryHackMe Red Team Track.


Password cracking is a technique used for discovering passwords from encrypted or hashed data to plaintext data. Attackers may obtain the encrypted or hashed passwords from a compromised computer or capture them from transmitting data over the network. Once passwords are obtained, the attacker can utilize password attacking techniques to crack these hashed passwords using various tools.

Password cracking is considered one of the traditional techniques in pen-testing. The primary goal is to let the attacker escalate to higher privileges and gain access to a computer system or network. Password guessing and password cracking are both commonly used by information security professionals, but they have different meanings and implications. Password guessing is a method of guessing passwords for online protocols and services based on dictionaries, whereas password cracking works offline on hashes that have already been obtained.
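The offline side of this distinction, as an added example that is not part of the original post: identify the likely hash algorithm from its hex length, run a dictionary attack against a SHA-1 hash, and run a masked brute-force (four digits, the crunch-style `[0-9][0-9][0-9][0-9]` mask) against an MD5 hash. The hashes and wordlist here are constructed inside the script from made-up passwords; they are not the room's hashes, and the length table is only a hint (MD5 and NTLM, for instance, are both 32 hex characters).

```python
import hashlib
import itertools
import string
from typing import Iterable, Optional

# Constructed sample inputs for this example: both digests are computed here
# from made-up passwords, not taken from the room or from any real dump.
SAMPLE_WORDLIST = ["password", "letmein", "clinic2021", "Sunshine!", "tomcat"]
SAMPLE_SHA1 = hashlib.sha1(b"clinic2021").hexdigest()
SAMPLE_MD5_PIN = hashlib.md5(b"4821").hexdigest()

# Hex digest length -> most common unsalted algorithm of that length.
# This is a heuristic only; it cannot distinguish algorithms of equal length.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def identify_hash(digest: str) -> Optional[str]:
    """Guess the algorithm from the digest length; None if not a plain hex digest."""
    digest = digest.strip().lower()
    if not digest or any(c not in string.hexdigits for c in digest):
        return None
    return HASH_LENGTHS.get(len(digest))


def _matches(algo: str, candidate: str, target: str) -> bool:
    return hashlib.new(algo, candidate.encode()).hexdigest() == target


def dictionary_attack(digest: str, wordlist: Iterable[str],
                      algo: Optional[str] = None) -> Optional[str]:
    """Try each word in the list as-is; return the first one whose hash matches."""
    algo = algo or identify_hash(digest)
    if algo is None:
        raise ValueError("cannot determine hash algorithm for %r" % digest)
    target = digest.strip().lower()
    for word in wordlist:
        if _matches(algo, word, target):
            return word
    return None


def brute_force(digest: str, charset: str = string.digits, length: int = 4,
                algo: Optional[str] = None) -> Optional[str]:
    """Exhaust every string of `length` characters drawn from `charset`
    (equivalent to crunch with a fixed length and a restricted charset)."""
    algo = algo or identify_hash(digest)
    if algo is None:
        raise ValueError("cannot determine hash algorithm for %r" % digest)
    target = digest.strip().lower()
    for combo in itertools.product(charset, repeat=length):
        candidate = "".join(combo)
        if _matches(algo, candidate, target):
            return candidate
    return None


if __name__ == "__main__":
    print(identify_hash(SAMPLE_SHA1), dictionary_attack(SAMPLE_SHA1, SAMPLE_WORDLIST))
    print(identify_hash(SAMPLE_MD5_PIN), brute_force(SAMPLE_MD5_PIN))
```

The search space for the brute-force call is 10^4 candidates, which is why a numeric-only mask is trivial to exhaust; the same function with `string.ascii_letters + string.digits` and `length=8` would need roughly 2.2 x 10^14 hashes, which is the point of a dictionary or rule-based approach.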

Default Passwords

Before performing password attacks, it is worth trying a couple of default passwords against the targeted service. Manufacturers ship products and equipment such as switches, firewalls and routers with default passwords. There are scenarios where customers don’t change the default password, which leaves the system vulnerable. Thus, it is good practice to try out admin:admin, admin:123456, etc. If we know the target device, we can look up its default passwords and try them out. For example, suppose the target server is Tomcat, a lightweight, open-source Java application server. In that case, there are a couple of possible default passwords we can try: admin:admin or tomcat:admin.

Here are some website lists that provide default passwords for various products.

Weak Passwords

Professionals collect and generate weak password lists over time and often combine them into one large wordlist. Lists are generated based on their experience and what they see in pentesting engagements. These lists may also contain leaked passwords that have been published publicly. Here are some of the common weak password lists:

Leaked Passwords

Sensitive data such as passwords or hashes may be publicly disclosed or sold as a result of a breach. These public or privately available leaks are often referred to as ‘dumps’. Depending on the contents of the dump, an attacker may need to extract the passwords out of the data. In some cases, the dump may only contain hashes of the passwords and require cracking in order to gain the plain-text passwords. The following are some of the common password lists that have weak and leaked passwords, including the webhost, elitehacker, hak5, Hotmail and PhpBB companies’ leaks:

Customized Wordlists

Customizing password lists is one of the best ways to increase the chances of finding valid credentials. We can create custom password lists from the target website. Often, a company’s website contains valuable information about the company and its employees, including emails and employee names. In addition, the website may contain keywords specific to what the company offers, including product and service names, which may be used in an employee’s password!
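A small illustration of the customization step, as an added example that is not part of the original post and not CeWL's or john's own code: pull candidate keywords out of a page of company text (the way CeWL spiders a site) and then expand each one with the `[symbol][word][0-9][0-9]` rule used later in the room, plus a capitalized variant. The page text is constructed for this example; the symbol set and minimum word length are assumptions you would tune per engagement.

```python
import re
from typing import Iterable, List

# Constructed sample page text standing in for a target company's website.
# It is made up for this example and is not content from the room's machine.
SAMPLE_PAGE = """
Welcome to Clinic Health. Our pharmacy and dental teams serve patients
since 1998. Contact dr.pittman@clinic.thmredteam.com for appointments.
"""


def extract_keywords(text: str, min_len: int = 5) -> List[str]:
    """CeWL-style keyword harvest: distinct alphabetic words of at least
    min_len characters, lower-cased, in first-seen order."""
    seen: List[str] = []
    for word in re.findall(r"[A-Za-z]+", text):
        word = word.lower()
        if len(word) >= min_len and word not in seen:
            seen.append(word)
    return seen


def apply_rules(words: Iterable[str], symbols: str = "!@",
                digits: Iterable[int] = range(100)) -> List[str]:
    """Expand base words with the [symbol][word][0-9][0-9] pattern.
    Each word is used as-is and Capitalized (the 'c' rule in john/hashcat)."""
    digits = list(digits)
    out: List[str] = []
    for word in words:
        for base in (word, word.capitalize()):
            for sym in symbols:
                for n in digits:
                    out.append(f"{sym}{base}{n:02d}")
    return out


def build_wordlist(text: str, symbols: str = "!@", min_len: int = 5) -> List[str]:
    """Harvest keywords from page text and expand them into candidates."""
    return apply_rules(extract_keywords(text, min_len), symbols)


if __name__ == "__main__":
    candidates = build_wordlist(SAMPLE_PAGE)
    print(len(extract_keywords(SAMPLE_PAGE)), "keywords ->", len(candidates), "candidates")
    print(candidates[:3], "...", candidates[-3:])
```

Each keyword expands to 2 x 2 x 100 = 400 candidates, so the list size grows linearly with the number of harvested words; keeping the rule tight (two symbols, two digits) is what keeps a targeted list small enough to use against an online service.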

Online Password Attacks

Online password attacks involve guessing passwords for networked services that use a username and password authentication scheme, including services such as HTTP, SSH, VNC, FTP, SNMP, POP3, etc. This section showcases using hydra which is a common tool used in attacking logins for various network services.
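The defensive counterpart to the online attacks described above, as an added example that is not part of the original post: parse sshd `auth.log` lines, group failed logins by source address, and flag any source that produces a burst of failures within a short window, noting how many distinct usernames it tried (a wide spread suggests password spraying) and whether a successful login followed the burst. The log excerpt is constructed for this example, the threshold and window are assumptions, and the year is fixed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample auth.log excerpt: a guessing burst from one address that
# ends in a successful login, and a single benign typo from another address.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51021 ssh2
Mar  3 10:00:02 web1 sshd[2203]: Failed password for invalid user tomcat from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:03 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:00:04 web1 sshd[2207]: Failed password for phillips from 203.0.113.7 port 51024 ssh2
Mar  3 10:00:05 web1 sshd[2209]: Failed password for burgess from 203.0.113.7 port 51025 ssh2
Mar  3 10:00:06 web1 sshd[2211]: Accepted password for burgess from 203.0.113.7 port 51026 ssh2
Mar  3 10:09:30 web1 sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar  3 10:09:45 web1 sshd[2302]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, result, user, ip)
ASSUMED_YEAR = 2024  # syslog lines carry no year; assumption for this example


def parse(log: str) -> List[Event]:
    """Turn matching sshd lines into (timestamp, result, user, ip) tuples."""
    events: List[Event] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the day padding ("Mar  3")
        ts = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect(log: str, threshold: int = 4,
           window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Flag source IPs with at least `threshold` failures inside `window`.
    Reports the distinct users tried and whether a success followed the burst."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in parse(log):
        by_ip[ev[3]].append(ev)

    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f[0] - first[0] <= window]
            if len(burst) >= threshold:
                last_fail = burst[-1][0]
                alerts[ip] = {
                    "failures": len(burst),
                    "users": sorted({f[2] for f in burst}),
                    "success_after": any(e[1] == "Accepted" and e[0] >= last_fail
                                         for e in evs),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG).items():
        print(ip, info)
```

A burst followed by `success_after: True` is the case to escalate first: the guessing worked, so the account (here `burgess`) needs a password reset and a session review, not just a firewall block on the source address.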

Room Answers

Which type of password attack is performed locally?
What are the default login credentials (in the format of username:password) for a Juniper Networks ISG 2000 device?
Run the following crunch command: crunch 2 2 01234abcd -o crunch.txt. How many words did crunch generate?

What is the crunch command to generate a list containing THM@% and output to a file named tryhackme.txt?

Considering the following hash: 8d6e34f987851aa599257d3831a1af040886842f. What is the hash type?

Perform a dictionary attack against the following hash: 8d6e34f987851aa599257d3831a1af040886842f. What is the cracked value? Use rockyou.txt wordlist.

Perform a brute-force attack against the following MD5 hash: e48e13207341b6bffb7fb1622282247b. What is the cracked value? Note the password is a 4 digit number: [0-9][0-9][0-9][0-9]

What syntax would you use to create a rule to produce the following: “S[Word]NN”, where N is a number and S is a symbol of !@?

Can you guess the FTP credentials without brute-forcing? What is the flag?

In this question, you need to generate a rule-based dictionary from the wordlist clinic.lst in the previous task. email: pittman@clinic.thmredteam.com against MACHINE_IP:465 (SMTPS).

What is the password? Note that the password format is as follows: [symbol][dictionary word][0-9][0-9].

Perform a brute-forcing attack against the phillips account for the login page at http://MACHINE_IP/login-get using hydra. What is the flag?

Perform a rule-based password attack to gain access to the burgess account. Find the flag at the following website: http://MACHINE_IP/login-post/. What is the flag?

Note: use the clinic.lst dictionary in generating and expanding the wordlist!

Perform a password spraying attack to get access to the SSH://MACHINE_IP server to read /etc/flag. What is the flag?

Video Walkthrough

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.
