Wednesday, October 26, 2016

password cracking post john


 post dsusers.py and john...   
 
 let's say you've cracked away and can't crack the hash.
 someone may already have for you.

 findmyhash is an automated way to search online databases:  
   
 # findmyhash TYPE -h "hash" -g (searches the Google)
   
 Do a batch job because you don't want to copy and paste
 your life away (no Google, sorry):  
   
 # findmyhash TYPE -f FILE   

...

 that's useful, but doing things with a file is the way to go.

 here's how to create a file with post-cracked john LANMAN  
 passes... the below shows what's left, does some formatting, 
 removes the first couple of fields, and dumps the type of password.  
   
 # john --show=LEFT --format=lm lmhash.out | grep -v "password hashes" | \  
 cut -d":" -f3 | sort -u > lmhash.only && sed -i 's/\$LM\$//g' lmhash.only  
   
 however, the findmyhash man pages state that for LANMAN/NT hashes  
 having both hashes is best. dsusers.py ohpc format does this for us... 
   
 ophcrack files are formatted thus:
  
 uid::lmhash:nthash:sid::  
 1  23      4      5   67  
   
 we want columns 3 and 4.  
 note: not all active directory accounts have a stored LANMAN password. crud. 
 that's why we're using sed to remove the leading : . joy.  
   
 # cat nthash.oph | cut -d":" -f3,4 | sort -u > nthash.only && sed -i 's/^://' nthash.only 
   
 now plug it in:  
   
 # findmyhash LM -f nthash.only  
 
 yay! our passwords are all over the internets. who knew?
  
 ..

 a cracking interlude...

 passwords found in LDAP databases can be challenging.  
 Type can be any number of type: MD5, CRYPT, DES, NT, LANMAN  
 gross. just gross. but... if the passwords you're accessing are 
 from an LDAP-Samba database, get at one of those passwords and 
 you're golden. figuring out the hash type can be challenging.
 
 hash-identifier may be of use.
   
 # hash-identifier  
   
 place hash on HASH: line  

 and then you can use the same format as above with findmyhash.
 only, specify MD5, CRYPT...

Post a Comment