mirror of
https://github.com/mubix/kaliwiki.git
synced 2025-10-29 16:59:26 +00:00
Merge pull request #98 from pwnwiki/Menu-Password-Attacks
Menu password attacks
commit
44c0e88bbb
@ -16,9 +16,9 @@ Offline Attacks
|
||||
* [dictstat](../tools/dictstat.md)
|
||||
* [fcrackzip](../tools/fcrackzip.md)
|
||||
* [hashcat](../tools/hashcat.md)
|
||||
* [hash-identifier](../tools/_template.md)
|
||||
* [hash-identifier](../tools/hash-identifier.md)
|
||||
* [john](../tools/john.md)
|
||||
* [lsadump](../tools/_template.md)
|
||||
* [lsadump](../tools/lsadump.md)
|
||||
* [maskgen](../tools/_template.md)
|
||||
* [oclhashcat](../tools/oclhashcat.md)
|
||||
* [ophcrack](../tools/_template.md)
|
||||
|
||||
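Review bot: the maskgen and ophcrack entries in this Offline Attacks list still link to ../tools/_template.md, so the menu keeps two placeholder links after hash-identifier and lsadump are pointed at their own pages. Either add pages for those two tools in this change or leave the entries unlinked until the pages exist, so readers do not land on the template.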
100
tools/hash-identifier.md
Normal file
@ -0,0 +1,100 @@
|
||||
# hash-identifier
|
||||
|
||||
Notes
|
||||
-------
|
||||
Software to identify the different types of hashes used to encrypt data and especially passwords.
|
||||
|
||||
Encryption formats supported:
|
||||
|
||||
* ADLER-32
|
||||
* CRC-32
|
||||
* CRC-32B
|
||||
* CRC-16
|
||||
* CRC-16-CCITT
|
||||
* DES(Unix)
|
||||
* FCS-16
|
||||
* GHash-32-3
|
||||
* GHash-32-5
|
||||
* GOST R 34.11-94
|
||||
* Haval-160
|
||||
* Haval-192 110080 ,Haval-224 114080 ,Haval-256
|
||||
* Lineage II C4
|
||||
* Domain Cached Credentials
|
||||
* XOR-32
|
||||
* MD5(Half)
|
||||
* MD5(Middle)
|
||||
* MySQL
|
||||
* MD5(phpBB3)
|
||||
* MD5(Unix)
|
||||
* MD5(Wordpress)
|
||||
* MD5(APR)
|
||||
* Haval-128
|
||||
* MD2
|
||||
* MD4
|
||||
* MD5
|
||||
* MD5(HMAC(Wordpress))
|
||||
* NTLM
|
||||
* RAdmin v2.x
|
||||
* RipeMD-128
|
||||
* SNEFRU-128
|
||||
* Tiger-128
|
||||
* MySQL5 - SHA-1(SHA-1($pass))
|
||||
* MySQL 160bit - SHA-1(SHA-1($pass))
|
||||
* RipeMD-160
|
||||
* SHA-1
|
||||
* SHA-1(MaNGOS)
|
||||
* Tiger-160
|
||||
* Tiger-192
|
||||
* md5($pass.$salt) - Joomla
|
||||
* SHA-1(Django)
|
||||
* SHA-224
|
||||
* RipeMD-256
|
||||
* SNEFRU-256
|
||||
* md5($pass.$salt) - Joomla
|
||||
* SAM - (LM_hash:NT_hash)
|
||||
* SHA-256(Django)
|
||||
* RipeMD-320
|
||||
* SHA-384
|
||||
* SHA-256
|
||||
* SHA-384(Django)
|
||||
* SHA-512
|
||||
* Whirlpool
|
||||
* And more…
|
||||
|
||||
Help Text
|
||||
-------
|
||||
```
|
||||
no help text
|
||||
```
|
||||
|
||||
Example Usage
|
||||
-------
|
||||
Example using "password" run through sha-1
|
||||
|
||||
```
|
||||
root@kali:~# hash-identifier
|
||||
#########################################################################
|
||||
# __ __ __ ______ _____ #
|
||||
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
|
||||
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
|
||||
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
|
||||
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
|
||||
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
|
||||
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.1 #
|
||||
# By Zion3R #
|
||||
# www.Blackploit.com #
|
||||
# Root@Blackploit.com #
|
||||
#########################################################################
|
||||
|
||||
-------------------------------------------------------------------------
|
||||
HASH: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
|
||||
|
||||
Possible Hashs:
|
||||
[+] SHA-1
|
||||
[+] MySQL5 - SHA-1(SHA-1($pass))
|
||||
```
|
||||
|
||||
Links
|
||||
-------
|
||||
[Google Code](https://code.google.com/p/hash-identifier/)
|
||||
[Youtube Video](https://www.youtube.com/watch?v=EaoiZ2CnOLo)
|
||||
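Review bot: in the Notes section of tools/hash-identifier.md, the list under "Encryption formats supported:" has one garbled entry, "Haval-192 110080 ,Haval-224 114080 ,Haval-256", which should be three separate bullets without the stray numbers, and "md5($pass.$salt) - Joomla" appears twice. Hashing is not encryption, so "used to encrypt data" and the "Encryption formats supported" label would read more accurately as hash formats recognised. The example output lists both SHA-1 and MySQL5 for the same input, so Example Usage should say that the tool returns candidate types rather than a definitive answer.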
30
tools/lsadump.md
Normal file
@ -0,0 +1,30 @@
|
||||
# lsadump
|
||||
|
||||
Notes
|
||||
-------
|
||||
This is an application to dump the contents of the LSA secrets on a machine, provided you are an Administrator. It uses the same technique as pwdump2 to bypass restrictions that Microsoft added to LsaRetrievePrivateData(), which cause the original lsadump to fail.
|
||||
|
||||
|
||||
Help Text
|
||||
-------
|
||||
```
|
||||
usage: /usr/bin/lsadump <system hive> <security hive>
|
||||
```
|
||||
|
||||
Example Usage
|
||||
-------
|
||||
Post-Exploitation in Windows: From Local Admin To Domain Admin (efficiently)
|
||||
|
||||
Quick: Dump LSA Secrets (lsadump)
|
||||
If any Windows services are running under a domain account, then the passwords for those accounts must be stored locally in a reversible format. LSAdump2, LSASecretsDump, pwdumpx, gsecdump or Cain & Abel can recover these.
|
||||
You might have to stare at the output of lsadump and the list of services in
|
||||
After you’ve correlated plain text passwords from the “_SC_<service name>” sections of LSAdump with the domain usernames from services.msc using the short “service name”, you should a list of domain accounts and cleartext passwords.
|
||||
Investigate your new found accounts and see if you’re domain admin yet.
|
||||
(stolen from pentest monkey)
|
||||
|
||||
|
||||
Links
|
||||
-------
|
||||
[Volatility](https://code.google.com/p/volatility/source/browse/branches/Volatility-2.0.1/volatility/plugins/registry/lsadump.py)
|
||||
[Pentest Monkey](http://pentestmonkey.net/uncategorized/from-local-admin-to-domain-admin)
|
||||
[Video](https://www.youtube.com/watch?v=7qQwVrCFE60) showing use with volatility
|
||||
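Review bot: the Notes paragraph in tools/lsadump.md describes a live-system dump that needs Administrator rights and the pwdump2 technique, but the Help Text usage line takes a system hive and a security hive as arguments, which reads as offline parsing of registry hive files; the Notes should describe the tool that the usage line belongs to. In Example Usage the sentence "You might have to stare at the output of lsadump and the list of services in" is cut off, and "you should a list of domain accounts" is missing a verb. The section also contains no actual command invocation, and "(stolen from pentest monkey)" would be clearer as an explicit quotation pointing at the Pentest Monkey link already listed under Links.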