Fcrackzip – BruteForce ZIP protected files

fcrackzip is a third-party tool for cracking zip files passwords. It tries to brute force using a list of passwords.

Installation

  • sudo apt install fcrackzip

Before using fcrackzip we need a password protected zip file.

  • zip --password <password><filename.zip> <data>
  • zip --password vk9security new_file.zip data.txt

How to use

1. Show help

  • fcrackzip -h

  • -b: for using brute force algorithms.
  • -D: for using a dictionary.
  • -B: execute a small benchmark.
  • -c: use characters from charset.
  • -h: show the help message.
  • --version: show the version of this program.
  • -V: validate or check the algorithm.
  • -v: for verbose mode.
  • -p: for using a string as a password.
  • -l: for providing a specific length to password.
  • -u: for weed out wrong passwords.
  • -m: to specify the method number.

2. Define charsets to brute force

  • fcrackzip -b -c ‘Aa1’ new_file.zip
  • fcrackzip -b -c ‘Aa1’ -u new_file.zip

3. Using numeric password, verbose, and length -l <min><max>

  • fcrackzip -b -c ‘1’ -v-l 1-9 new_file.zip

4. Providing an initial password

  • fcrackzip -b -v -c 'a' -p vk9security new_file.zip

5. always use -u to point out the match

  • fcrackzip -b -v -c 'a' -p vk9security -u new_file.zip

6. Using a dictionary list file

  • fcrackzip -D -p ./pass.txt -u new_file.zip

Ssh2john how to

Ssh2john is part of John The Reaper suite. This is a script that basically transforms [RSA/DSA/EC/OPENSSH (SSH private keys) ] private key to john format for later cracking using JtR

How to

1. Having an RSA private key already

  • cat id_rsa

2. locate the ssh2john script using find

  • find / -iname *ssh2john* > /dev/null
  • locate *ssh2john*

3. Run the script against the RSA private key ‘id_rsa’, and create a new file with the content of the output

  • /usr/share/john/ssh2john.py
  • /usr/share/john/ssh2john.py id_rsa > id_rsa.john
  • cat id_rsa.john

4. Now that we created the new file named id_rsa.john, we need to run john against it. We will use rockyou.txt as the wordlist. The result is secretz101 as the password.

  • john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.john

5. Knowing already the username of the owner of this private key. We can try to SSH to our target machine. We will use an uncommon port (4655)

  • ssh -i id_rsa stefano@192.168.0.7 -p 4655
  • Password: secretz101

 

How to use WPScan

WPScan is an open source WordPress security scanner. You can use it to scan your WordPress website for known vulnerabilities within the WordPress core, as well as popular WordPress plugins and themes.

This tool is available at: https://github.com/wpscanteam/wpscan, this comes installed in most security distributions.

How to use

1. Display help

  • wpscan --help
  • wpscan -h

2. Show tool version

  • wpscan --version

3. Don’t display banner

  • wpscan --nobanner --version

4. Update the database

  • wpscan --update

Scanning

1. Basic scan, you need to set the site that runs WordPress, it will run vulnerability scan

  • wpscan --url http://pinkydb

2. You can also run a more stealthy scan

  • wpscan --url http://pinkydb --stealthy

3. Scan for vulnerable plugins using --enumerate

  • wpscan --url http://pinkydb --enumerate vp

4. Check for vulnerable theme

  • wpscan --url http://pinkydb --enumerate vt

5. Enumerate users

  • wpscan --url http://pinkydb --enumerate u
  • wpscan --url http://pinkydb--enumerate u1-1000

6. Use a custom user agent

  • wpscan --url http://pinkydb --user-agent ‘Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15’

7. Use a random user agent

  • wpscan --url http://pinkydb --random-user-agent

8. Set the threats to run the scan faster default 5

  • wpscan --url http://pinkydb -t 10

9. Send through a proxy, in BurpSuite we can also confirm our spoofed user agent.

  • wpscan --url http://pinkydb --user-agent ‘Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15’ --proxy http://127.0.0.1:8080

10. You can also set a cookie, if the page requires any

  • wpscan --url http://pinkydb --cookie-string <cookie>

11. Scan API

  • api-token <token>

12. If WordPress doesn’t locate the page automatically you can set the location, also, plugins have a similar option

  • wpscan --url http://pinkydb --wp-content-dir <DIR>
  • wpscan --url http://pinkydb --wp-plugin-dir <DIR>

13. Run a more aggressive scan (mixed, passive, aggressive)

  • wpscan --url http://pinkydb --detection-mode aggressive

14. Run a more aggressive plugin detection mode (mixed, passive, aggressive)

  • wpscan --url http://pinkydb --plugins-detection aggressive
  • wpscan --url http://pinkydb --plugins-version-detection aggressive

15. Define a URI if the WordPress login page is different than /wp-login.php

  • wpscan --url http://pinkydb --login-uri /wordpress/login.php

16. Supply usernames for enumeration

  • wpscan --url http://pinkydb -U user_list.txt --enumerate u

 

Cracking Password John The Ripper

John the Ripper is a fast password cracker, currently available for many flavors of Unix, macOS, Windows, DOS, BeOS, and OpenVMS (the latter requires a contributed patch). Its primary purpose is to detect weak passwords.

It is one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, auto-detects password hash types, and includes a customizable cracker

It comes preinstalled in most security distributions. you just need to supply it a password file and the desired options. If no mode is specified, john will try "single" first, then "wordlist" and finally "incremental". (see later)

Getting started

1. Run john to see some options

  • john --help

2. Listing help

  • john --list=help

3. Check the supported formats

  • john –list=formats

4. List the supported subformats

  • john –list=subformats

5. List rules

  • john --list=rules

6. It is good practice to test hardware and resources before using john

  • john --test

Modes

John the Ripper works in 3 distinct modes to crack the passwords, if none is specified it will go through each one of them

  • Single Crack Mode
  • Wordlist Crack Mode
  • Incremental Mode

Single Crack Mode (GECOS)

When running in "single crack" mode, JtR itself takes the login name, the home directory name, extracts "words" from the GECOS field, and it uses all of these as input to "single crack" mode rules. Since the information is only used against passwords for the accounts it was taken from (and against password hashes which happened to be assigned the same salt), "single crack" mode is much faster than wordlist mode.

This permits for the use of a much larger set of word mangling rules with "single crack", and their use is always enabled with this mode. Successfully guessed passwords are also tried against all loaded password hashes just in case more users have the same password.

GECOS

  • username:password:userid:groupid:gecos:home-dir:shell
  • :FullName,RoomAddress,WorkPhone,HomePhone,Others:

Rules information syntax

https://www.openwall.com/john/doc/RULES.shtml

Rules config

Rule syntax explained

l convert to lowercase
u convert to uppercase
c capitalize
C lowercase the first character, and uppercase the rest
l r lowercase the word and reverse it
r reverse: "Fred" -> "derF"
l Az"2015" lowercase the word and append at end of the word (Az) the number 2015
d duplicate: "Fred" -> "FredFred"
l A0"2015" lowercase the word and prepend at beggining of the word (A0) the number 2015
A0"#"Az"#" Add # to the beginning and end of the word
t toggle case of all characters in the word
TN toggle case of the character in position N
f reflect: "Fred" -> "FredderF"
{ rotate the word left: "jsmith"-> "smithj"
} rotate the word right: "smithj" -> "jsmith
$X append character X to the word
^X prefix the word with character X
[ Remove the first char from the word
] Remove the last char from the word
DN delete the character in position N
xNM extract substring from position N for up to M characters
iNX insert character X in position N and shift the rest right
oNX overstrike character in position N with character X
s shift case: "Crack96" -> "cRACK(^"
V lowercase vowels, uppercase consonants: "Crack96" -> "CRaCK96"
R shift each character right, by keyboard: "Crack96" -> "Vtsvl07"
L shift each character left, by keyboard: "Crack96" -> "Xeaxj85"
<N reject the word unless it is less than N characters long
>N reject the word unless it is greater than N characters long
'N truncate the word at length N

Types for formats

Example Single crack

secret:dd02c7c2232759874e1c205587017bed

The hashed password is also “secret”, in case that the word is case sensitive you need to adjust the rules to fit your needs.

  • john --single --format=raw-md5 hash.txt

Wordlist Crack Mode (Dictionary)

This is the simplest cracking mode supported by John. All you need to do is specify a wordlist (a text file containing one word per line) and some password files.

You can enable word mangling rules (which are used to modify or "mangle" words producing other likely passwords). If enabled, all of the rules will be applied to every line in the wordlist file producing multiple candidate passwords from each source word.

Consider the following

  • The wordlist should not contain duplicate lines
  • John does not sort entries in the wordlist since that would consume a lot of resources and would prevent you from making John try the candidate passwords in the order that you define
  • John runs a bit faster if each candidate password it tries only differs from the previous one by a few characters
  • if your wordlist is sorted alphabetically, you do not need to bother about some wordlist entries being longer than the maximum supported password length for the hash type you're cracking
  • If no wordlist is set, john will use its default

In this mode John the ripper uses a wordlist that can also be called a Dictionary and it compares the hashes of the words present in the Dictionary with the password hash.

Example

In this case we have a custom wordlist, and a hash that we need to compare

vk9security:a4d80eac9ab26a4a2da04125bc2c096a

  • cat wordlist.txt
  • cat hash.txt
  • john --wordlist=wordlist.txt --format=raw-md5 hash.txt

Incremental mode (Bruteforce)

This is the most powerful cracking mode, it can try all possible character combinations as passwords. However, it is assumed that cracking with this mode will never terminate because of the number of combinations being too large

  • it will terminate if you set a low password length limit or make it use a small charset
  • To use the mode you need a specific definition for the mode's parameters, including password length limits and the charset to use

Type of incremental modes

  • cat /etc/john/john.conf | grep -i incremental

  • --incremental:Lower (26 char)
  • --incremental:Alpha(52 char)
  • --incremental:Digits(10 char)
  • --incremental:Alnum(62 char)

Cracking Digits only (Default numeric range is from 0 to  99999999999999999999)

Hash value is 123

  • john --incremental=Digits --format=raw-sha1 hash.txt

Cracking ASCII values

Has value is 123abc

  • john --incremental=ASCII --format=raw-sha1 has h.txt

Cracking different services example

Cracking Unix/Linux password

1. Create the file containing GECOS data

Unshadow = combines passwd and shadow files

  • sudo unshadow /etc/passwd /etc/shadow > hash.txt
  • cat hash.txt

2. run John against that, it goes through the list trying to crack each, this time it cracked 2 users

  • john hash.txt

Check results

3. To see the results you can point at the hash file as the name

  • john --show hash.txt

Cracking SSH Password Hash

1. Create a private key

  • ssh-keygen
  • <select the location of the new file>
  • <enter the password>
  • <confirm the password>

Id_rsa (private-key) & id_rsa.pub (public-key) have been created.

  • ls -l

2. I copied the key to /tmp and try to use it wth a different user other than the owner, only being able to read, we are asked for the id_rsa key

  • whoami
  • ls -l id_rsa
  • ssh -i id_rsa vry4n@localhost

3. Now, convert this encrypted file to john format using ssh2john

View before

  • cat id_rsa


Converting to john format

  • /usr/share/john/ssh2john.py id_rsa > new_key
  • cat new_key

View after

Wait until john finishes cracking

  • john new_key

As well as for SSH we have scripts to convert hashes from different tools (keepass2john, pdf2john, pcap2john) to john readable. All of those are located in John binary directory /usr/share/john/

  • ls /usr/share/john/

Examples of HASH formats

Here is the list of encryption technologies found in JtR:

  • UNIX crypt(3)
  • Traditional DES-based
  • “bigcrypt”
  • BSDI extended DES-based
  • FreeBSD MD5-based (linux and Cisco IOS)
  • OpenBSD Blowfish-based
  • Kerberos/AFS
  • Windows LM (DES-based)
  • DES-based tripcodes
  • SHA-crypt hashes (newer versions of Fedora and Ubuntu)
  • SHA-crypt and SUNMD5 hashes (Solaris)

afs – Kerberos AFS DES

Supported Hash Formats

$ cat hashes.txt

$K4$a8dc8aeaa2c48a97,

$ john hashes.txt

$ john --format=afs hashes.txt

$ cat hashes.txt

username:$K4$a8dc8aeaa2c48a97,

$ john hashes.txt

$ john --format=afs hashes.txt

$ cat hashes.txt

username:$K4$a8dc8aeaa2c48a97,:::::::

$ john hashes.txt

$ john --format=afs hashes.txt

bfegg – Eggdrop

Supported Hash Formats

$ cat hashes.txt

+C/.8o.Wuph9.

$ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES".

$ john --format=bfegg hashes.txt

$ cat hashes.txt

username:+C/.8o.Wuph9.

$ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES".

$ john --format=bfegg hashes.txt

$ cat hashes.txt

username:+C/.8o.Wuph9.:::::::

$ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES".

$ john --format=bfegg hashes.txt

bf – OpenBSD Blowfish

Supported Hash Formats

$ cat hashes.txt

$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy

$ john hashes.txt

$ john --format=bf hashes.txt

$ cat hashes.txt

username:$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy

$ john hashes.txt

$ john --format=bf hashes.txt

$ cat hashes.txt

username:$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy:::::::

$ john hashes.txt

$ john --format=bf hashes.txt

bsdi – BSDI DES

Supported Hash Formats

$ cat hashes.txt

_J9..SDSD5YGyRCr4W4c

$ john hashes.txt

$ john --format=bsdi hashes.txt

$ cat hashes.txt

username:_J9..SDSD5YGyRCr4W4c

$ john hashes.txt

$ john --format=bsdi hashes.txt

$ cat hashes.txt

username:_J9..SDSD5YGyRCr4W4c:::::::

$ john hashes.txt

$ john --format=bsdi hashes.txt

crypt – generic crypt(3)

Supported Hash Formats

$ cat hashes.txt

SDbsugeBiC58A

$ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES".

$ john --format=crypt hashes.txt

$ cat hashes.txt

username:SDbsugeBiC58A

$ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES".

$ john --format=crypt hashes.txt

$ cat hashes.txt

username:SDbsugeBiC58A:::::::

$ john hashes.txt # Doesn't work. JTR detects hash as "Traditional DES".

$ john --format=crypt hashes.txt

des – Traditional DES

Supported Hash Formats

$ cat hashes.txt

SDbsugeBiC58A

$ john hashes.txt

$ john --format=des hashes.txt

$ cat hashes.txt

username:SDbsugeBiC58A

$ john hashes.txt

$ john --format=des hashes.txt

$ cat hashes.txt

username:SDbsugeBiC58A:::::::

$ john hashes.txt

$ john --format=des hashes.txt

dominosec – More Secure Internet Password

Supported Hash Formats

$ cat hashes.txt

(GVMroLzc50YK/Yd+L8KH)

$ john hashes.txt

$ john --format=dominosec hashes.txt

$ cat hashes.txt

username:(GVMroLzc50YK/Yd+L8KH)

$ john hashes.txt

$ john --format=dominosec hashes.txt

$ cat hashes.txt

username:(GVMroLzc50YK/Yd+L8KH):::::::

$ john hashes.txt

$ john --format=dominosec hashes.txt

EPiServer SID Hashes

Supported Hash Formats

$ cat hashes.txt

0x5F1D84A6DE97E2BEFB637A3CB5318AFEF0750B856CF1836BD1D4470175BE 0x4D5EFDFA143EDF74193076F174AC47CEBF2F417F

$ john hashes.txt

$ # NB: There is no --format option for this hash type

$ cat hashes.txt

username:0x5F1D84A6DE97E2BEFB637A3CB5318AFEF0750B856CF1836BD1D4470175BE 0x4D5EFDFA143EDF74193076F174AC47CEBF2F417F

$ john hashes.txt

$ # NB: There is no --format option for this hash type

$ cat hashes.txt

username:0x5F1D84A6DE97E2BEFB637A3CB5318AFEF0750B856CF1836BD1D4470175BE 0x4D5EFDFA143EDF74193076F174AC47CEBF2F417F:::::::

$ john hashes.txt

$ # NB: There is no --format option for this hash type

hdaa – HTTP Digest access authentication

Supported Hash Formats

$ cat hashes.txt

$response$679066476e67b5c7c4e88f04be567f8b$user$myrealm$GET$/$8c12bd8f728afe56d45a0ce846b70e5a$00000001$4b61913cec32e2c9$auth

$ john hashes.txt

$ john --format=hdaa hashes.txt

$ cat hashes.txt

username:$response$679066476e67b5c7c4e88f04be567f8b$user$myrealm$GET$/$8c12bd8f728afe56d45a0ce846b70e5a$00000001$4b61913cec32e2c9$auth

$ john hashes.txt

$ john --format=hdaa hashes.txt

$ cat hashes.txt

username:$response$679066476e67b5c7c4e88f04be567f8b$user$myrealm$GET$/$8c12bd8f728afe56d45a0ce846b70e5a$00000001$4b61913cec32e2c9$auth:::::::

$ john hashes.txt

$ john --format=hdaa hashes.txt

hmac-md5 – HMAC MD5

Supported Hash Formats

$ cat hashes.txt

what do ya want for nothing?#750c783e6ab0b503eaa86e310a5db738

$ john hashes.txt

$ john --format=hmac-md5 hashes.txt

$ cat hashes.txt

username:what do ya want for nothing?#750c783e6ab0b503eaa86e310a5db738

$ john hashes.txt

$ john --format=hmac-md5 hashes.txt

$ cat hashes.txt

username:what do ya want for nothing?#750c783e6ab0b503eaa86e310a5db738:::::::

$ john hashes.txt

$ john --format=hmac-md5 hashes.txt

hmailserver – hmailserver

Supported Hash Formats

$ cat hashes.txt

cc06fa688a64cdeea43d3c0fb761fede7e3ccf00a9daea9c79f7d458e06f88327f16dd

$ john hashes.txt

$ john --format=hmailserver hashes.txt

$ cat hashes.txt

username:cc06fa688a64cdeea43d3c0fb761fede7e3ccf00a9daea9c79f7d458e06f88327f16dd

$ john hashes.txt

$ john --format=hmailserver hashes.txt

$ cat hashes.txt

username:cc06fa688a64cdeea43d3c0fb761fede7e3ccf00a9daea9c79f7d458e06f88327f16dd:::::::

$ john hashes.txt

$ john --format=hmailserver hashes.txt

ipb2 – IPB2 MD5

Supported Hash Formats

$ cat hashes.txt

$IPB2$2e75504633$d891f03a7327639bc632d62a7f302604

$ john hashes.txt

$ john --format=ipb2 hashes.txt

$ cat hashes.txt

username:$IPB2$2e75504633$d891f03a7327639bc632d62a7f302604

$ john hashes.txt

$ john --format=ipb2 hashes.txt

$ cat hashes.txt

username:$IPB2$2e75504633$d891f03a7327639bc632d62a7f302604:::::::

$ john hashes.txt

$ john --format=ipb2 hashes.txt

krb4 – Kerberos v4 TGT

Supported Hash Formats

$ cat hashes.txt

$af$ENGIN.UMICH.EDU$44feffd06e68e30bc8890e253760858d

$ john hashes.txt

$ john --format=krb4 hashes.txt

$ cat hashes.txt

username:$af$ENGIN.UMICH.EDU$44feffd06e68e30bc8890e253760858d

$ john hashes.txt

$ john --format=krb4 hashes.txt

$ cat hashes.txt

username:$af$ENGIN.UMICH.EDU$44feffd06e68e30bc8890e253760858d:::::::

$ john hashes.txt

$ john --format=krb4 hashes.txt

krb5 – Kerberos v5 TGT

Supported Hash Formats

$ cat hashes.txt

$krb5$oskov$ACM.UIUC.EDU$4730d7249765615d6f3652321c4fb76d09fb9cd06faeb0c31b8737f9fdfcde4bd4259c31cb1dff25df39173b09abdff08373302d99ac09802a290915243d9f0ea0313fdedc7f8d1fae0d9df8f0ee6233818d317f03a72c2e77b480b2bc50d1ca14fba85133ea00e472c50dbc825291e2853bd60a969ddb69dae35b604b34ea2c2265a4ffc72e9fb811da17c7f2887ccb17e2f87cd1f6c28a9afc0c083a9356a9ee2a28d2e4a01fc7ea90cc8836b8e25650c3a1409b811d0bad42a59aa418143291d42d7b1e6cb5b1876a4cc758d721323a762e943f774630385c9faa68df6f3a94422f97

$ john hashes.txt

$ john --format=krb5 hashes.txt

$ cat hashes.txt

username:$krb5$oskov$ACM.UIUC.EDU$4730d7249765615d6f3652321c4fb76d09fb9cd06faeb0c31b8737f9fdfcde4bd4259c31cb1dff25df39173b09abdff08373302d99ac09802a290915243d9f0ea0313fdedc7f8d1fae0d9df8f0ee6233818d317f03a72c2e77b480b2bc50d1ca14fba85133ea00e472c50dbc825291e2853bd60a969ddb69dae35b604b34ea2c2265a4ffc72e9fb811da17c7f2887ccb17e2f87cd1f6c28a9afc0c083a9356a9ee2a28d2e4a01fc7ea90cc8836b8e25650c3a1409b811d0bad42a59aa418143291d42d7b1e6cb5b1876a4cc758d721323a762e943f774630385c9faa68df6f3a94422f97

$ john hashes.txt

$ john --format=krb5 hashes.txt

$ cat hashes.txt

username:$krb5$oskov$ACM.UIUC.EDU$4730d7249765615d6f3652321c4fb76d09fb9cd06faeb0c31b8737f9fdfcde4bd4259c31cb1dff25df39173b09abdff08373302d99ac09802a290915243d9f0ea0313fdedc7f8d1fae0d9df8f0ee6233818d317f03a72c2e77b480b2bc50d1ca14fba85133ea00e472c50dbc825291e2853bd60a969ddb69dae35b604b34ea2c2265a4ffc72e9fb811da17c7f2887ccb17e2f87cd1f6c28a9afc0c083a9356a9ee2a28d2e4a01fc7ea90cc8836b8e25650c3a1409b811d0bad42a59aa418143291d42d7b1e6cb5b1876a4cc758d721323a762e943f774630385c9faa68df6f3a94422f97:::::::

$ john hashes.txt

$ john --format=krb5 hashes.txt

lm – LM DES

Supported Hash Formats

$ cat hashes.txt

$LM$a9c604d244c4e99d

$ john hashes.txt

$ john --format=lm hashes.txt

$ cat hashes.txt

username:$LM$a9c604d244c4e99d

$ john hashes.txt

$ john --format=lm hashes.txt

$ cat hashes.txt

username:$LM$a9c604d244c4e99d:::::::

$ john hashes.txt

$ john --format=lm hashes.txt

lotus5 – Lotus5

Supported Hash Formats

$ cat hashes.txt

355E98E7C7B59BD810ED845AD0FD2FC4

$ john hashes.txt # Doesn't work. JTR detects hash as "LM DES".

$ john --format=lotus5 hashes.txt

$ cat hashes.txt

username:355E98E7C7B59BD810ED845AD0FD2FC4

$ john hashes.txt # Doesn't work. JTR detects hash as "LM DES".

$ john --format=lotus5 hashes.txt

$ cat hashes.txt

username:355E98E7C7B59BD810ED845AD0FD2FC4:::::::

$ john hashes.txt # Doesn't work. JTR detects hash as "LM DES".

$ john --format=lotus5 hashes.txt

md4-gen – Generic salted MD4

Supported Hash Formats

$ cat hashes.txt

$MD4p$salt$15ad2b7a23e5088942f9d3772181b384

$ john hashes.txt

$ john --format=md4-gen hashes.txt

$ cat hashes.txt

username:$MD4p$salt$15ad2b7a23e5088942f9d3772181b384

$ john hashes.txt

$ john --format=md4-gen hashes.txt

$ cat hashes.txt

username:$MD4p$salt$15ad2b7a23e5088942f9d3772181b384:::::::

$ john hashes.txt

$ john --format=md4-gen hashes.txt

md5 – FreeBSD MD5

Supported Hash Formats

$ cat hashes.txt

$1$12345678$aIccj83HRDBo6ux1bVx7D1

$ john hashes.txt

$ john --format=md5 hashes.txt

$ cat hashes.txt

username:$1$12345678$aIccj83HRDBo6ux1bVx7D1

$ john hashes.txt

$ john --format=md5 hashes.txt

$ cat hashes.txt

username:$1$12345678$aIccj83HRDBo6ux1bVx7D1:::::::

$ john hashes.txt

$ john --format=md5 hashes.txt

$ cat hashes.txt

$apr1$Q6ZYh...$RV6ft2bZ8j.NGrxLYaJt9.

$ john hashes.txt

$ john --format=md5 hashes.txt

$ cat hashes.txt

username:$apr1$Q6ZYh...$RV6ft2bZ8j.NGrxLYaJt9.

$ john hashes.txt

$ john --format=md5 hashes.txt

$ cat hashes.txt

username:$apr1$Q6ZYh...$RV6ft2bZ8j.NGrxLYaJt9.:::::::

$ john hashes.txt

$ john --format=md5 hashes.txt

mediawiki – MediaWiki MD5s

Supported Hash Formats

$ cat hashes.txt

$B$113$de2874e33da25313d808d2a8cbf31485

$ john hashes.txt

$ john --format=mediawiki hashes.txt

$ cat hashes.txt

username:$B$113$de2874e33da25313d808d2a8cbf31485

$ john hashes.txt

$ john --format=mediawiki hashes.txt

$ cat hashes.txt

username:$B$113$de2874e33da25313d808d2a8cbf31485:::::::

$ john hashes.txt

$ john --format=mediawiki hashes.txt

mscash – M$ Cache Hash

Supported Hash Formats

$ cat hashes.txt

M$test1#64cd29e36a8431a2b111378564a10631

$ john hashes.txt # Doesn't work. JTR detects hash as "HMAC MD5".

$ john --format=mscash hashes.txt

$ cat hashes.txt

username:M$test1#64cd29e36a8431a2b111378564a10631

$ john hashes.txt # Doesn't work. JTR detects hash as "HMAC MD5".

$ john --format=mscash hashes.txt

$ cat hashes.txt

username:M$test1#64cd29e36a8431a2b111378564a10631:::::::

$ john hashes.txt # Doesn't work. JTR detects hash as "HMAC MD5".

$ john --format=mscash hashes.txt

mscash2 – M$ Cache Hash 2 (DCC2)

Supported Hash Formats

$ cat hashes.txt

$DCC2$10240#test1#607bbe89611e37446e736f7856515bf8

$ john hashes.txt # Doesn't work. JTR detects hash as "M$ Cache Hash".

$ john --format=mscash2 hashes.txt

$ cat hashes.txt

username:$DCC2$10240#test1#607bbe89611e37446e736f7856515bf8

$ john hashes.txt

$ john --format=mscash2 hashes.txt

$ cat hashes.txt

username:$DCC2$10240#test1#607bbe89611e37446e736f7856515bf8:::::::

$ john hashes.txt

$ john --format=mscash2 hashes.txt

mschapv2 – MSCHAPv2 C/R MD4 DES

Supported Hash Formats

$ cat hashes.txt

$MSCHAPv2$d94e7c7972b2376b28c268583e162de7$eba25a3b04d2c7085d01f842e2befc91745c40db0f792356$0677ca7318fd7f65ae1b4f58c9f4f400$lameuser

$ john hashes.txt

$ john --format=mschapv2 hashes.txt

$ cat hashes.txt

username:$MSCHAPv2$d94e7c7972b2376b28c268583e162de7$eba25a3b04d2c7085d01f842e2befc91745c40db0f792356$0677ca7318fd7f65ae1b4f58c9f4f400$lameuser

$ john hashes.txt

$ john --format=mschapv2 hashes.txt

$ cat hashes.txt

username:$MSCHAPv2$d94e7c7972b2376b28c268583e162de7$eba25a3b04d2c7085d01f842e2befc91745c40db0f792356$0677ca7318fd7f65ae1b4f58c9f4f400$lameuser:::::::

$ john hashes.txt

$ john --format=mschapv2 hashes.txt

mskrb5 – MS Kerberos 5 AS-REQ Pre-Auth

Supported Hash Formats

$ cat hashes.txt

$mskrb5$$$98cd00b6f222d1d34e08fe0823196e0b$5937503ec29e3ce4e94a051632d0fff7b6781f93e3decf7dca707340239300d602932154

$ john hashes.txt

$ john --format=mskrb5 hashes.txt

$ cat hashes.txt

username:$mskrb5$$$98cd00b6f222d1d34e08fe0823196e0b$5937503ec29e3ce4e94a051632d0fff7b6781f93e3decf7dca707340239300d602932154

$ john hashes.txt

$ john --format=mskrb5 hashes.txt

$ cat hashes.txt

username:$mskrb5$$$98cd00b6f222d1d34e08fe0823196e0b$5937503ec29e3ce4e94a051632d0fff7b6781f93e3decf7dca707340239300d602932154:::::::

$ john hashes.txt

$ john --format=mskrb5 hashes.txt

mssql05 – MS-SQL05

Supported Hash Formats

$ cat hashes.txt

0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908

$ john hashes.txt

$ john --format=mssql05 hashes.txt

$ cat hashes.txt

username:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908

$ john hashes.txt

$ john --format=mssql05 hashes.txt

$ cat hashes.txt

username:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908:::::::

$ john hashes.txt

$ john --format=mssql05 hashes.txt

mssql – MS-SQL

Supported Hash Formats

$ cat hashes.txt

0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254

$ john hashes.txt

$ john --format=mssql hashes.txt

$ cat hashes.txt

username:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254

$ john hashes.txt

$ john --format=mssql hashes.txt

$ cat hashes.txt

username:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254:::::::

$ john hashes.txt

$ john --format=mssql hashes.txt

mysql-fast – MYSQL_fast

Supported Hash Formats

$ cat hashes.txt

60671c896665c3fa

$ john hashes.txt

$ john --format=mysql-fast hashes.txt

$ cat hashes.txt

username:60671c896665c3fa

$ john hashes.txt

$ john --format=mysql-fast hashes.txt

$ cat hashes.txt

username:60671c896665c3fa:::::::

$ john hashes.txt

$ john --format=mysql-fast hashes.txt

mysql – MYSQL

Supported Hash Formats

$ cat hashes.txt

5d2e19393cc5ef67

$ john hashes.txt # Doesn't work. JTR detects hash as "MYSQL_fast".

$ john --format=mysql hashes.txt

$ cat hashes.txt

username:5d2e19393cc5ef67

$ john hashes.txt # Doesn't work. JTR detects hash as "MYSQL_fast".

$ john --format=mysql hashes.txt

$ cat hashes.txt

username:5d2e19393cc5ef67:::::::

$ john hashes.txt # Doesn't work. JTR detects hash as "MYSQL_fast".

$ john --format=mysql hashes.txt

mysql-sha1 – MySQL 4.1 double-SHA-1

Supported Hash Formats

$ cat hashes.txt

*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19

$ john hashes.txt

$ john --format=mysql-sha1 hashes.txt

$ cat hashes.txt

username:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19

$ john hashes.txt

$ john --format=mysql-sha1 hashes.txt

$ cat hashes.txt

username:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19:::::::

$ john hashes.txt

$ john --format=mysql-sha1 hashes.txt

netlm – LM C/R DES

Supported Hash Formats

$ cat hashes.txt

$NETLM$1122334455667788$0836F085B124F33895875FB1951905DD2F85252CC731BB25

$ john hashes.txt

$ john --format=netlm hashes.txt

$ cat hashes.txt

username:$NETLM$1122334455667788$0836F085B124F33895875FB1951905DD2F85252CC731BB25

$ john hashes.txt

$ john --format=netlm hashes.txt

$ cat hashes.txt

username:$NETLM$1122334455667788$0836F085B124F33895875FB1951905DD2F85252CC731BB25:::::::

$ john hashes.txt

$ john --format=netlm hashes.txt

netlmv2 – LMv2 C/R MD4 HMAC-MD5

Supported Hash Formats

$ cat hashes.txt

$NETLMv2$USER1$1122334455667788$B1D163EA5881504F3963DC50FCDC26C1$EB4D9E8138149E20

$ john hashes.txt

$ john --format=netlmv2 hashes.txt

$ cat hashes.txt

username:$NETLMv2$USER1$1122334455667788$B1D163EA5881504F3963DC50FCDC26C1$EB4D9E8138149E20

$ john hashes.txt

$ john --format=netlmv2 hashes.txt

$ cat hashes.txt

username:$NETLMv2$USER1$1122334455667788$B1D163EA5881504F3963DC50FCDC26C1$EB4D9E8138149E20:::::::

$ john hashes.txt

$ john --format=netlmv2 hashes.txt

netntlm – NTLMv1 C/R MD4 DES [ESS MD5]

Supported Hash Formats

$ cat hashes.txt

$NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233

$ john hashes.txt

$ john --format=netntlm hashes.txt

$ cat hashes.txt

username:$NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233

$ john hashes.txt

$ john --format=netntlm hashes.txt

$ cat hashes.txt

username:$NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233:::::::

$ john hashes.txt

$ john --format=netntlm hashes.txt

netntlmv2 – NTLMv2 C/R MD4 HMAC-MD5

Supported Hash Formats

$ cat hashes.txt

$NETNTLMv2$NTLMV2TESTWORKGROUP$1122334455667788$07659A550D5E9D02996DFD95C87EC1D5$0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000

$ john hashes.txt

$ john --format=netntlmv2 hashes.txt

$ cat hashes.txt

username:$NETNTLMv2$NTLMV2TESTWORKGROUP$1122334455667788$07659A550D5E9D02996DFD95C87EC1D5$0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000

$ john hashes.txt

$ john --format=netntlmv2 hashes.txt

$ cat hashes.txt

username:$NETNTLMv2$NTLMV2TESTWORKGROUP$1122334455667788$07659A550D5E9D02996DFD95C87EC1D5$0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000:::::::

$ john hashes.txt

$ john --format=netntlmv2 hashes.txt

nethalflm – HalfLM C/R DES

Supported Hash Formats

$ cat hashes.txt

$NETHALFLM$1122334455667788$6E1EC36D3417CE9E09A4424309F116C4C991948DAEB4ADAD

$ john hashes.txt

$ john --format=nethalflm hashes.txt

$ cat hashes.txt

username:$NETHALFLM$1122334455667788$6E1EC36D3417CE9E09A4424309F116C4C991948DAEB4ADAD

$ john hashes.txt

$ john --format=nethalflm hashes.txt

$ cat hashes.txt

username:$NETHALFLM$1122334455667788$6E1EC36D3417CE9E09A4424309F116C4C991948DAEB4ADAD:::::::

$ john hashes.txt

$ john --format=nethalflm hashes.txt

md5ns – Netscreen MD5

Supported Hash Formats

$ cat hashes.txt

admin$nMjFM0rdC9iOc+xIFsGEm3LtAeGZhn

$ john hashes.txt

$ john --format=md5ns hashes.txt

$ cat hashes.txt

username:admin$nMjFM0rdC9iOc+xIFsGEm3LtAeGZhn

$ john hashes.txt

$ john --format=md5ns hashes.txt

$ cat hashes.txt

username:admin$nMjFM0rdC9iOc+xIFsGEm3LtAeGZhn:::::::

$ john hashes.txt

$ john --format=md5ns hashes.txt

nsldap – Netscape LDAP SHA

Supported Hash Formats

$ cat hashes.txt

{SHA}cMiB1KJphN3OeV9vcYF8nPRIDnk=

$ john hashes.txt

$ john --format=nsldap hashes.txt

$ cat hashes.txt

username:{SHA}cMiB1KJphN3OeV9vcYF8nPRIDnk=

$ john hashes.txt

$ john --format=nsldap hashes.txt

$ cat hashes.txt

username:{SHA}cMiB1KJphN3OeV9vcYF8nPRIDnk=:::::::

$ john hashes.txt

$ john --format=nsldap hashes.txt

ssha – Netscape LDAP SSHA

Supported Hash Formats

$ cat hashes.txt

{SSHA}WTT3B9Jjr8gOt0Q7WMs9/XvukyhTQj0Ns0jMKQ==

$ john hashes.txt

$ john --format=ssha hashes.txt

$ cat hashes.txt

username:{SSHA}WTT3B9Jjr8gOt0Q7WMs9/XvukyhTQj0Ns0jMKQ==

$ john hashes.txt

$ john --format=ssha hashes.txt

$ cat hashes.txt

username:{SSHA}WTT3B9Jjr8gOt0Q7WMs9/XvukyhTQj0Ns0jMKQ==:::::::

$ john hashes.txt

$ john --format=ssha hashes.txt

nt – NT MD4

Supported Hash Formats

$ cat hashes.txt

$NT$8846f7eaee8fb117ad06bdd830b7586c

$ john hashes.txt

$ john --format=nt hashes.txt

$ cat hashes.txt

username:$NT$8846f7eaee8fb117ad06bdd830b7586c

$ john hashes.txt

$ john --format=nt hashes.txt

$ cat hashes.txt

username:$NT$8846f7eaee8fb117ad06bdd830b7586c:::::::

$ john hashes.txt

$ john --format=nt hashes.txt

openssha – OpenLDAP SSHA

Supported Hash Formats

$ cat hashes.txt

{SSHA}hHSEPW3qeiOo5Pl2MpHQCXh0vgfyVR/X

$ john hashes.txt

$ john --format=openssha hashes.txt

$ cat hashes.txt

username:{SSHA}hHSEPW3qeiOo5Pl2MpHQCXh0vgfyVR/X

$ john hashes.txt

$ john --format=openssha hashes.txt

$ cat hashes.txt

username:{SSHA}hHSEPW3qeiOo5Pl2MpHQCXh0vgfyVR/X:::::::

$ john hashes.txt

$ john --format=openssha hashes.txt

oracle11 – Oracle 11g

Supported Hash Formats

$ cat hashes.txt

5FDAB69F543563582BA57894FE1C1361FB8ED57B903603F2C52ED1B4D642

$ john hashes.txt

$ john --format=oracle11 hashes.txt

$ cat hashes.txt

username:5FDAB69F543563582BA57894FE1C1361FB8ED57B903603F2C52ED1B4D642

$ john hashes.txt

$ john --format=oracle11 hashes.txt

$ cat hashes.txt

username:5FDAB69F543563582BA57894FE1C1361FB8ED57B903603F2C52ED1B4D642:::::::

$ john hashes.txt

$ john --format=oracle11 hashes.txt

oracle – Oracle

Supported Hash Formats

$ cat hashes.txt

O$SIMON#4F8BC1809CB2AF77

$ john hashes.txt

$ john --format=oracle hashes.txt

$ cat hashes.txt

username:O$SIMON#4F8BC1809CB2AF77

$ john hashes.txt

$ john --format=oracle hashes.txt

$ cat hashes.txt

username:O$SIMON#4F8BC1809CB2AF77:::::::

$ john hashes.txt

$ john --format=oracle hashes.txt

pdf – pdf

Supported Hash Formats

$ cat hashes.txt

$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2

$ john hashes.txt

$ john --format=pdf hashes.txt

$ cat hashes.txt

username:$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2

$ john hashes.txt

$ john --format=pdf hashes.txt

$ cat hashes.txt

username:$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2:::::::

$ john hashes.txt

$ john --format=pdf hashes.txt

phpass-md5 – PHPass MD5

Supported Hash Formats

$ cat hashes.txt

$H$9aaaaaSXBjgypwqm.JsMssPLiS8YQ00

$ john hashes.txt

$ john --format=phpass-md5 hashes.txt

$ cat hashes.txt

username:$H$9aaaaaSXBjgypwqm.JsMssPLiS8YQ00

$ john hashes.txt

$ john --format=phpass-md5 hashes.txt

$ cat hashes.txt

username:$H$9aaaaaSXBjgypwqm.JsMssPLiS8YQ00:::::::

$ john hashes.txt

$ john --format=phpass-md5 hashes.txt

phps – PHPS MD5

Supported Hash Formats

$ cat hashes.txt

$PHPS$433925$5d756853cd63acee76e6dcd6d3728447

$ john hashes.txt

$ john --format=phps hashes.txt

$ cat hashes.txt

username:$PHPS$433925$5d756853cd63acee76e6dcd6d3728447

$ john hashes.txt

$ john --format=phps hashes.txt

$ cat hashes.txt

username:$PHPS$433925$5d756853cd63acee76e6dcd6d3728447:::::::

$ john hashes.txt

$ john --format=phps hashes.txt

pix-md5 – PIX MD5

Supported Hash Formats

$ cat hashes.txt

NuLKvvWGg.x9HEKO

$ john hashes.txt

$ john --format=pix-md5 hashes.txt

$ cat hashes.txt

username:NuLKvvWGg.x9HEKO

$ john hashes.txt

$ john --format=pix-md5 hashes.txt

$ cat hashes.txt

username:NuLKvvWGg.x9HEKO:::::::

$ john hashes.txt

$ john --format=pix-md5 hashes.txt

po – Post.Office MD5

Supported Hash Formats

$ cat hashes.txt

0c78bdef7d5448105cfbbc9aaa490a44550c41c11bab48f9dbd8203ed313eef0

$ john hashes.txt

$ john --format=po hashes.txt

$ cat hashes.txt

username:0c78bdef7d5448105cfbbc9aaa490a44550c41c11bab48f9dbd8203ed313eef0

$ john hashes.txt

$ john --format=po hashes.txt

$ cat hashes.txt

username:0c78bdef7d5448105cfbbc9aaa490a44550c41c11bab48f9dbd8203ed313eef0:::::::

$ john hashes.txt

$ john --format=po hashes.txt

rar – rar

Supported Hash Formats

$ cat hashes.txt

$rar3$*0*c9dea41b149b53b4*fcbdb66122d8ebdb32532c22ca7ab9ec*24

$ john hashes.txt

$ john --format=rar hashes.txt

$ cat hashes.txt

username:$rar3$*0*c9dea41b149b53b4*fcbdb66122d8ebdb32532c22ca7ab9ec*24

$ john hashes.txt

$ john --format=rar hashes.txt

$ cat hashes.txt

username:$rar3$*0*c9dea41b149b53b4*fcbdb66122d8ebdb32532c22ca7ab9ec*24:::::::

$ john hashes.txt

$ john --format=rar hashes.txt

raw-md4 – Raw MD4

Supported Hash Formats

$ cat hashes.txt

8a9d093f14f8701df17732b2bb182c74

$ john hashes.txt # Doesn't work. JTR detects hash as "LM DES".

$ john --format=raw-md4 hashes.txt

$ cat hashes.txt

username:8a9d093f14f8701df17732b2bb182c74

$ john hashes.txt # Doesn't work. JTR detects hash as "LM DES".

$ john --format=raw-md4 hashes.txt

$ cat hashes.txt

username:8a9d093f14f8701df17732b2bb182c74:::::::

$ john hashes.txt # Doesn't work. JTR detects hash as "LM DES".

$ john --format=raw-md4 hashes.txt

raw-md5 – Raw MD5

Supported Hash Formats

$ cat hashes.txt

5a105e8b9d40e1329780d62ea2265d8a

$ john hashes.txt # Doesn't work. JTR detects hash as "LM DES".

$ john --format=raw-md5 hashes.txt

$ cat hashes.txt

username:5a105e8b9d40e1329780d62ea2265d8a

$ john hashes.txt # Doesn't work. JTR detects hash as "LM DES".

$ john --format=raw-md5 hashes.txt

$ cat hashes.txt

username:5a105e8b9d40e1329780d62ea2265d8a:::::::

$ john hashes.txt # Doesn't work. JTR detects hash as "LM DES".

$ john --format=raw-md5 hashes.txt

raw-md5-unicode – Raw MD5 of Unicode plaintext

Supported Hash Formats

$ cat hashes.txt

16c47151c18ac087cd12b3a70746c790

$ john hashes.txt # Doesn't work. JTR detects hash as "LM DES".

$ john --format=raw-md5-unicode hashes.txt

$ cat hashes.txt

username:16c47151c18ac087cd12b3a70746c790

$ john hashes.txt # Doesn't work. JTR detects hash as "LM DES".

$ john --format=raw-md5-unicode hashes.txt

$ cat hashes.txt

username:16c47151c18ac087cd12b3a70746c790:::::::

$ john hashes.txt # Doesn't work. JTR detects hash as "LM DES".

$ john --format=raw-md5-unicode hashes.txt

raw-sha1 – Raw SHA-1

Supported Hash Formats

$ cat hashes.txt

A9993E364706816ABA3E25717850C26C9CD0D89D

$ john hashes.txt

$ john --format=raw-sha1 hashes.txt

$ cat hashes.txt

username:A9993E364706816ABA3E25717850C26C9CD0D89D

$ john hashes.txt

$ john --format=raw-sha1 hashes.txt

$ cat hashes.txt

username:A9993E364706816ABA3E25717850C26C9CD0D89D:::::::

$ john hashes.txt

$ john --format=raw-sha1 hashes.txt

raw-sha224 – Raw SHA-224

Supported Hash Formats

$ cat hashes.txt

d63dc919e201d7bc4c825630d2cf25fdc93d4b2f0d46706d29038d01

$ john hashes.txt

$ john --format=raw-sha224 hashes.txt

$ cat hashes.txt

username:d63dc919e201d7bc4c825630d2cf25fdc93d4b2f0d46706d29038d01

$ john hashes.txt

$ john --format=raw-sha224 hashes.txt

$ cat hashes.txt

username:d63dc919e201d7bc4c825630d2cf25fdc93d4b2f0d46706d29038d01:::::::

$ john hashes.txt

$ john --format=raw-sha224 hashes.txt

raw-sha256 – Raw SHA-256

Supported Hash Formats

$ cat hashes.txt

5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

$ john hashes.txt # Doesn't work. JTR detects hash as "Post.Office MD5".

$ john --format=raw-sha256 hashes.txt

$ cat hashes.txt

username:5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

$ john hashes.txt # Doesn't work. JTR detects hash as "Post.Office MD5".

$ john --format=raw-sha256 hashes.txt

$ cat hashes.txt

username:5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8:::::::

$ john hashes.txt # Doesn't work. JTR detects hash as "Post.Office MD5".

$ john --format=raw-sha256 hashes.txt

raw-sha384 – Raw SHA-384

Supported Hash Formats

$ cat hashes.txt

a8b64babd0aca91a59bdbb7761b421d4f2bb38280d3a75ba0f21f2bebc45583d446c598660c94ce680c47d19c30783a7

$ john hashes.txt

$ john --format=raw-sha384 hashes.txt

$ cat hashes.txt

username:a8b64babd0aca91a59bdbb7761b421d4f2bb38280d3a75ba0f21f2bebc45583d446c598660c94ce680c47d19c30783a7

$ john hashes.txt

$ john --format=raw-sha384 hashes.txt

$ cat hashes.txt

username:a8b64babd0aca91a59bdbb7761b421d4f2bb38280d3a75ba0f21f2bebc45583d446c598660c94ce680c47d19c30783a7:::::::

$ john hashes.txt

$ john --format=raw-sha384 hashes.txt

raw-sha512 – Raw SHA-512

Supported Hash Formats

$ cat hashes.txt

b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86

$ john hashes.txt

$ john --format=raw-sha512 hashes.txt

$ cat hashes.txt

username:b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86

$ john hashes.txt

$ john --format=raw-sha512 hashes.txt

$ cat hashes.txt

username:b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86:::::::

$ john hashes.txt

$ john --format=raw-sha512 hashes.txt

$ cat hashes.txt

$SHA512$fa585d89c851dd338a70dcf535aa2a92fee7836dd6aff1226583e88e0996293f16bc009c652826e0fc5c706695a03cddce372f139eff4d13959da6f1f5d3eabe

$ john hashes.txt

$ john --format=raw-sha512 hashes.txt

$ cat hashes.txt

username:$SHA512$fa585d89c851dd338a70dcf535aa2a92fee7836dd6aff1226583e88e0996293f16bc009c652826e0fc5c706695a03cddce372f139eff4d13959da6f1f5d3eabe

$ john hashes.txt

$ john --format=raw-sha512 hashes.txt

$ cat hashes.txt

username:$SHA512$fa585d89c851dd338a70dcf535aa2a92fee7836dd6aff1226583e88e0996293f16bc009c652826e0fc5c706695a03cddce372f139eff4d13959da6f1f5d3eabe:::::::

$ john hashes.txt

$ john --format=raw-sha512 hashes.txt

salted-sha – Salted SHA

Supported Hash Formats

$ cat hashes.txt

{SSHA}hHSEPW3qeiOo5Pl2MpHQCXh0vgfyVR/X

$ john hashes.txt # Doesn't work. JTR detects hash as "OpenLDAP SSHA".

$ john --format=salted-sha hashes.txt

$ cat hashes.txt

username:{SSHA}hHSEPW3qeiOo5Pl2MpHQCXh0vgfyVR/X

$ john hashes.txt # Doesn't work. JTR detects hash as "OpenLDAP SSHA".

$ john --format=salted-sha hashes.txt

$ cat hashes.txt

username:{SSHA}hHSEPW3qeiOo5Pl2MpHQCXh0vgfyVR/X:::::::

$ john hashes.txt # Doesn't work. JTR detects hash as "OpenLDAP SSHA".

$ john --format=salted-sha hashes.txt

sapb – SAP BCODE

Supported Hash Formats

$ cat hashes.txt

ROOT

$8366A4E9E6B72CB0

$ john hashes.txt

$ john --format=sapb hashes.txt

$ cat hashes.txt

username:ROOT

$8366A4E9E6B72CB0

$ john hashes.txt

$ john --format=sapb hashes.txt

$ cat hashes.txt

username:ROOT

$8366A4E9E6B72CB0:::::::

$ john hashes.txt

$ john --format=sapb hashes.txt

sapg – SAP CODVN G (PASSCODE)

Supported Hash Formats

$ cat hashes.txt

ROOT

$1194E38F14B9F3F8DA1B181F14DEB70E7BDCC239

$ john hashes.txt

$ john --format=sapg hashes.txt

$ cat hashes.txt

username:ROOT

$1194E38F14B9F3F8DA1B181F14DEB70E7BDCC239

$ john hashes.txt

$ john --format=sapg hashes.txt

$ cat hashes.txt

username:ROOT

$1194E38F14B9F3F8DA1B181F14DEB70E7BDCC239:::::::

$ john hashes.txt

$ john --format=sapg hashes.txt

sha1-gen – Generic salted SHA-1

Supported Hash Formats

$ cat hashes.txt

$SHA1p$salt$59b3e8d637cf97edbe2384cf59cb7453dfe30789

$ john hashes.txt

$ john --format=sha1-gen hashes.txt

$ cat hashes.txt

username:$SHA1p$salt$59b3e8d637cf97edbe2384cf59cb7453dfe30789

$ john hashes.txt

$ john --format=sha1-gen hashes.txt

$ cat hashes.txt

username:$SHA1p$salt$59b3e8d637cf97edbe2384cf59cb7453dfe30789:::::::

$ john hashes.txt

$ john --format=sha1-gen hashes.txt

ssh – ssh

Supported Hash Formats

$ cat hashes.txt

$ssh2$2d2d2d2d2d424547494e204453412050524956415445204b45592d2d2d2d2d0a50726f632d547970653a20342c454e435259505445440a44454b2d496e666f3a204145532d3132382d4342432c35413830363832373943304634364539383230373135304133433245433631340a0a2f756954696e4a3452556a6f5a76302b705931694d763163695661724369347a2f62365a694c4161565970794a31685854327463692b593266334c61614578630a6f357772316141464d3437786d526d476f3832492f76434847413952786735776147433970574f475a5675555172447355367463556b434d422b325a344753390a354f44474364444b32674e6574446e62324a764873714154736d3443633633476468695a30734346594c71796d2b576531774359616c78734f3231572b4f676f0a42336f6746464977327232462b714a7a714d37415543794c466869357a476d7536534e6558765534477a784750464a4e47306d414f55497761614e3161446a630a4e326b3462437266796271337a366e436533444273384b3232694e2b3875526e534162434f717a5a5845645971555959354b6b6a326e654354525458494e64670a512b61535359673379355937626f4b6b6a494f727650555748654f796475512b74657273414577376e43564a7a72394e387452673271563450557631434b66700a4f49467742372f39736f6d6a59496a71576f61537a6a784b30633852777a305331706d722b7571726277792b50656f75354d3373656d486c426b4769553237660a776f684b792b4d554e4862734e6a7973535a53456c4e4b734d4950715449567a5a45316d5646412f30754d477164705133627a424f6a58325a6f36656446434f0a6d4a34775961765735774d2b6a6d75564b5056564e7939395a78796570304645644c50354b623263345a6c3053396631342f62366836415069785665377a75760a5662536b4279664a6e797a68494f5942497954374d64773134723441584a56362b5a6f457730397769774d3d0a2d2d2d2d2d454e44204453412050524956415445204b45592d2d2d2d2d0a*771

$ john hashes.txt

$ john --format=ssh hashes.txt

$ cat hashes.txt

username:$ssh2$2d2d2d2d2d424547494e204453412050524956415445204b45592d2d2d2d2d0a50726f632d547970653a20342c454e435259505445440a44454b2d496e666f3a204145532d3132382d4342432c35413830363832373943304634364539383230373135304133433245433631340a0a2f756954696e4a3452556a6f5a76302b705931694d763163695661724369347a2f62365a694c4161565970794a31685854327463692b593266334c61614578630a6f357772316141464d3437786d526d476f3832492f76434847413952786735776147433970574f475a5675555172447355367463556b434d422b325a344753390a354f44474364444b32674e6574446e62324a764873714154736d3443633633476468695a30734346594c71796d2b576531774359616c78734f3231572b4f676f0a42336f6746464977327232462b714a7a714d37415543794c466869357a476d7536534e6558765534477a784750464a4e47306d414f55497761614e3161446a630a4e326b3462437266796271337a366e436533444273384b3232694e2b3875526e534162434f717a5a5845645971555959354b6b6a326e654354525458494e64670a512b61535359673379355937626f4b6b6a494f727650555748654f796475512b74657273414577376e43564a7a72394e387452673271563450557631434b66700a4f49467742372f39736f6d6a59496a71576f61537a6a784b30633852777a305331706d722b7571726277792b50656f75354d3373656d486c426b4769553237660a776f684b792b4d554e4862734e6a7973535a53456c4e4b734d4950715449567a5a45316d5646412f30754d477164705133627a424f6a58325a6f36656446434f0a6d4a34775961765735774d2b6a6d75564b5056564e7939395a78796570304645644c50354b623263345a6c3053396631342f62366836415069785665377a75760a5662536b4279664a6e797a68494f5942497954374d64773134723441584a56362b5a6f457730397769774d3d0a2d2d2d2d2d454e44204453412050524956415445204b45592d2d2d2d2d0a*771

$ john hashes.txt

$ john --format=ssh hashes.txt

$ cat hashes.txt

username:$ssh2$2d2d2d2d2d424547494e204453412050524956415445204b45592d2d2d2d2d0a50726f632d547970653a20342c454e435259505445440a44454b2d496e666f3a204145532d3132382d4342432c35413830363832373943304634364539383230373135304133433245433631340a0a2f756954696e4a3452556a6f5a76302b705931694d763163695661724369347a2f62365a694c4161565970794a31685854327463692b593266334c61614578630a6f357772316141464d3437786d526d476f3832492f76434847413952786735776147433970574f475a5675555172447355367463556b434d422b325a344753390a354f44474364444b32674e6574446e62324a764873714154736d3443633633476468695a30734346594c71796d2b576531774359616c78734f3231572b4f676f0a42336f6746464977327232462b714a7a714d37415543794c466869357a476d7536534e6558765534477a784750464a4e47306d414f55497761614e3161446a630a4e326b3462437266796271337a366e436533444273384b3232694e2b3875526e534162434f717a5a5845645971555959354b6b6a326e654354525458494e64670a512b61535359673379355937626f4b6b6a494f727650555748654f796475512b74657273414577376e43564a7a72394e387452673271563450557631434b66700a4f49467742372f39736f6d6a59496a71576f61537a6a784b30633852777a305331706d722b7571726277792b50656f75354d3373656d486c426b4769553237660a776f684b792b4d554e4862734e6a7973535a53456c4e4b734d4950715449567a5a45316d5646412f30754d477164705133627a424f6a58325a6f36656446434f0a6d4a34775961765735774d2b6a6d75564b5056564e7939395a78796570304645644c50354b623263345a6c3053396631342f62366836415069785665377a75760a5662536b4279664a6e797a68494f5942497954374d64773134723441584a56362b5a6f457730397769774d3d0a2d2d2d2d2d454e44204453412050524956415445204b45592d2d2d2d2d0a*771:::::::

$ john hashes.txt

$ john --format=ssh hashes.txt

sybasease – sybasease

Supported Hash Formats

$ cat hashes.txt

0xc0074BE393C06BE420AD541671aa5e6f1a19a4a73bb51c59f45790f0887cfb70e0599747c6844d4556b3

$ john hashes.txt

$ john --format=sybasease hashes.txt

$ cat hashes.txt

username:0xc0074BE393C06BE420AD541671aa5e6f1a19a4a73bb51c59f45790f0887cfb70e0599747c6844d4556b3

$ john hashes.txt

$ john --format=sybasease hashes.txt

$ cat hashes.txt

username:0xc0074BE393C06BE420AD541671aa5e6f1a19a4a73bb51c59f45790f0887cfb70e0599747c6844d4556b3:::::::

$ john hashes.txt

$ john --format=sybasease hashes.txt

xsha – Mac OS X 10.4+ salted SHA-1

Supported Hash Formats

$ cat hashes.txt

12345678F9083C7F66F46A0A102E4CC17EC08C8AF120571B

$ john hashes.txt

$ john --format=xsha hashes.txt

$ cat hashes.txt

username:12345678F9083C7F66F46A0A102E4CC17EC08C8AF120571B

$ john hashes.txt

$ john --format=xsha hashes.txt

$ cat hashes.txt

username:12345678F9083C7F66F46A0A102E4CC17EC08C8AF120571B:::::::

$ john hashes.txt

$ john --format=xsha hashes.txt

zip – zip

Supported Hash Formats

$ cat hashes.txt

$zip$*0*1*8005b1b7d077708d*dee4

$ john hashes.txt

$ john --format=zip hashes.txt

$ cat hashes.txt

username:$zip$*0*1*8005b1b7d077708d*dee4

$ john hashes.txt

$ john --format=zip hashes.txt

$ cat hashes.txt

username:$zip$*0*1*8005b1b7d077708d*dee4:::::::

$ john hashes.txt

$ john --format=zip hashes.txt

 

Introduction – Hacking with BeEF

BeEF utilizes YAML files in order to configure the core functionality, as well as the extensions. Most of the core BeEF configurations are in the main configuration file: config.yaml, found in the BeEF directory.

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

BeEF hooks one or more web browsers to the application for the launching of directed command modules. Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors.

https://github.com/beefproject/beef

https://beefproject.com/

https://github.com/beefproject/beef/wiki

Installation

1. Download the package

  • git clone https://github.com/beefproject/beef

2. access the new directory created when the download completes

  • cd beef
  • ls

3. Run the installer with elevated privileges

  • sudo ./install

Getting started

1. run the beef program, the executable is within the same location as the script ran previously ./install. Since we are running this the first time, we need to configure the credentials in config.yaml

  • ls
  • ./beef

2. Create Username & Password in config.yaml, change the current values

  • vi config.yaml

3. Try to run again the application

  • ./beef

4. When it finishes loading, we can find network access details

5. In order to access, open a web browser and type http://127.0.0.1:3000/ui/panel, enter the credentials we just modified in config.yaml

  • beef
  • admin

6. You then get the main page

Configuring access control

The web interface for hooking or for managing BeEF can be limited by subnet. Modify config.yaml

1. Permit who can get hooked

  • permitted_hooking_subnet: ["10.1.0.0/16"]

2. Permit who can access the management interface, in this case loopback only

  • permitted_ui_subnet: ["127.0.0.1/32"]

0.0.0.0/0, ::/0 mean any

  • vi config.yaml

Web server configuration

The web server can be fully configured, this is done in the HTTP subsection of the config.yaml file

  • vi config.yaml

The root page and HTTP 404 error pages can be changed to reflect one of several popular web servers (Apache, IIS, NGINX) using the beef.http.web_server_imitation directive.

Admin UI, enable extensions

1. The panel path should also be changed using the beef.extension.admin_ui.base_path configuration option, this is used to enable extensions, change false to true

  • vi config.yaml

2. The extensions are located in ./beef/extensions, each one has its own config.yaml

  • cd extensions
  • ls -l

Integrating BeEF with Metasploit

1. Enable Metasploit extension ./beef/config.yaml

  • enable: true

2. Now access the extension configuration file

  • cd extensions/Metasploit
  • ls -l

3. modify the contents of config.yaml, the following are important fields. Most of the configuration can be left with default value, except the host and callback_host parameters which should have the IP address of the host on which Metasploit is accessible.

  • name: Name of module
  • enable: status (true or false)
  • # Metasploit msgrpc connection options
  • host: host to connect
  • port: port to connect
  • user: log in name
  • pass: password to log in
  • uri: API dir
  • ssl: status (true or false)
  • ssl_version: 'TLS1'
  • ssl_verify: status (true or false)
  • # Public connect back host IP address for victim connections to Metasploit
  • callback_host: local IP for reverse connections
  • # URIPATH from Metasploit Browser AutoPwn server module
  • autopwn_url: "autopwn"
  • # Start msfrpcd automatically with BeEF
  • auto_msfrpcd: false
  • auto_msfrpcd_timeout: 120
  • msf_path: make sure the path to Metasploit is correct

4. Now that the configuration is completed. Run Metasploit and link the module to beef

  • sudo msfdb init
  • msfconsole
  • load msgrpc ServerHost=127.0.0.1 User=beef Pass=admin SSL=y

5. Reload the beef application

  • ./beef

6. Additional beef options

Usage: beef [options]

  • -x, --reset Reset the database
  • -v, --verbose Display debug information
  • -a, --ascii_art Prints BeEF ascii art
  • -c, --config FILE load a different configuration file: if it's called custom-config.yaml, git automatically ignores it.
  • -p, --port PORT Change the default BeEF listening port
  • -w, --wsport WS_PORT Change the default BeEF WebSocket listening port

7. Now log in again to beef and you will see that the “Commands” tab appears, and it includes the Metasploit Module, it loaded 304 exploits

The set up has been completed successfully. Now it is time to hook a browser. In order to do that just have someone access BeEF hook site.

http://127.0.0.1:3000/demos/butcher/index.html

http://127.0.0.1:3000/demos/basic.html

Basic interface layout

1. Main page

Online Browsers = Active connection

Offline Browsers = Closed connections

2. Clicking on active browsers, opens automatically, “Current Browser”

There we have

  • Details = Info of the Browser

  • Logs = Activity records

  • Proxy = Proxy utility

  • Commands = Main interface to run Modules

https://github.com/beefproject/beef/wiki/BeEF-modules

You will see bullets with different colors before each module. Internally, BeEF detects which browser you hooked and knows which modules are working on each browser :

  • Green: The command module works against the target and should be invisible to the user
  • Orange: The command module works against the target, but may be visible to the user
  • Grey: The command module is yet to be verified against this target
  • Red: The command module does not work against this target

XSSRays

  • XSSRays = Cross site domain records

  • Network = Network info that can be captured

DEMO

Information Gathering

Your first step will often be to perform reconnaissance on the remote host. Which browser and plugins do they have running? Which website have you hooked?

When a browser is hooked, BeEF will automatically gather several pieces of information, including:

  • Browser Name and Version
  • Browser User Agent
  • Plugins (including Java, ActiveX, VBS, Flash etc)
  • If Adobe Flash Player is installed

You can then use different plugins to gather more specific information on the browsers

Under Browser module you can find most Information Gathering about the browser

Information Gathering about the operating system

BeEF enables you to gather information on the system of the hooked browser:

  • Get Internal IP module allows BeEF to detect the IP address of the system (don't worry, more fun network tricks will be described later). If the browser authorizes Java
  • Get System Info module can gather additional information on the system from a Java Applet including: Operating System details, Java JVM info, IP addresses, Processor/Memory specs, and more.

A hooked browser allows BeEF to discover information on the behavior of the user:

  • Detect Social Networks module can identify if the user of the hooked browser has a current session on Facebook, Twitter, or Gmail.
  • Detect TOR module can identify if the user of the hooked browser is currently using TOR.

You can search for module names in the search bar at the top of the list.

Social Engineering

BeEF includes a suite of modules to try to gather passwords and usernames

Simple attacks are often the most efficient ones. BeEF comes with several command modules that present the target with familiar interfaces requesting credentials:

  • Pretty Theft module prints a simple message to the user requiring login and password, explaining that the session has timed out. It has a number of presets that imitate popular social network/marketplace themes.
  • Simple Hijacker module allows you to load a number of common pop-ups when a user clicks any link on their current page. Pop-up templates include certificate warnings, standard alert style prompts, and credit card payment forms.
  • Clippy is a module that create a small browser assistant which propose browser updates.

In the Browser

Type something in and then return to BeEF to see if it captured the user input

Redirect to Another Page

A number BeEF modules exist that allow you to redirect to external pages:

  • Redirect Browser module can redirect the hooked page to any other page.
  • Redirect Browser (iFrame) sub-module will create a full viewport iFrame which redirects to the specified URL.
  • TabNabbing module will detect when the user loses focus on the current tab and modify it in the background. When the user comes back to the tab, they will be viewing a full viewport iFrame containing the contents of the specified URL.

Redirect Browser

The window got redirected to google.com

Chrome/Firefox Extensions

Using BeEF it is possible to get a user to install a malicious browser extension:

Fake Flash Update module prompts the hooked browser's user to install a flash update. Instead of installing a Flash update, a browser extension will be installed that can communicate with BeEF and provide access to far more information than is available by default. If the extension were installed in Chrome, for example, BeEF could run the following modules:

  • Get All Cookies
  • List Chrome Extensions
  • Grab Google Contacts from Logged in User
  • Inject BeEF in All Tabs
  • Execute Arbitrary Javascript Code
  • Taking Screenshots
  • Send Gvoice SMS

Fake Flash Update

If the user click on it. The payload URI is downloaded

The result is shown in the logs

Fake notification Bar

Results

Clickjacking

BeEF contains a module that enables clickjacking attacks in a hooked browser:

  • Clickjacking module will create an iFrame which follows the users cursor around the page, displaying the content at the specified URL.

Clickjacking

List of Modules

https://github.com/beefproject/beef/wiki/BeEF-modules

Browser

  • Browser Fingerprinting
  • Detect Firebug
  • Detect Popup block
  • Detect Unsafe ActiveX
  • Get Visited Domains
  • Detect Visited URL
  • Play Sound
  • Unhook
  • Webcam
  • Get Firefox/Chrome Extensions
  • Detect MS Office Version

Hooked Domain

  • AJAX Fingerprint
  • Alert Dialog
  • Deface Web Page
  • Get Cookie
  • Get Local Storage
  • Get Page HTML
  • Get Page Links
  • Get Session Storage
  • Get Stored Credentials
  • Link Rewrite
  • Link Rewrite (HTTPS)
  • Link Rewrite (TEL)
  • Link Rewrite (Clicked Event)
  • Create Alert Dialog
  • Create Prompt Dialog
  • Redirect Browser
  • Redirect Browser (Rickroll)
  • Redirect Browser (iFrame)
  • Replace Component (Deface)
  • Replace Videos
  • iOS Address Bar Spoofing

Chrome Extensions

  • Execute On Tab
  • Get All Cookies
  • Grab Google Contacts
  • Inject BeEF
  • Screenshot
  • Send Gvoice SMS

Debug

  • Return Ascii Chars
  • Test Network Request
  • Test Returning Results

Exploits

  • ColdFusion Directory Traversal Exploit
  • GlassFish WAR Upload XSRF
  • Jboss 6.0.0M1 JMX Deploy Exploit
  • Spring Framework Malicious Jar Exploit
  • VTiger CRM Upload Exploit
  • Zenoss 3.2.1 Add User CSRF
  • Zenoss 3.2.1 Daemon CSRF
  • boastMachine 3.1 Add User CSRF

Camera

  • Dlink DCS series CSRF
  • Linksys WVC series CSRF

Local Host

  • Windows Mail Client DoS
  • ActiveX Command Execution
  • Java Payload
  • Safari Launch App

Router

  • 3COM OfficeConnect Command Execution
  • Asmax AR-804gu Command Execution
  • BT Home Hub CSRF
  • Cisco E2400 CSRF
  • Comtrend CT-5367 CSRF
  • Comtrend CT 5624 CSRF
  • D-Link DIR-615 Password Wipe
  • D-Link DSL500T CSRF
  • Huawei SmartAX MT880 CSRF
  • Linksys BEFSR41 CSRF
  • Linksys WRT54G CSRF
  • Linksys WRT54G2 CSRF
  • Virgin Superhub CSRF

Switch

  • Netgear GS108T CSRF

XSS

  • AlienVault OSSIM 3.1 XSS
  • Cisco Collaboration Server 5 XSS
  • Serendipity <= 1.1.1 Add User CSRF

Host

  • Detect Google Desktop
  • Detect Softwares
  • Get Clipboard
  • Get Internal IP Java
  • Get Internal IP WebRTC
  • Get Physical Location
  • Get Protocol Handlers
  • Get System Info Java
  • Hook Default Browser
  • Get Geolocation
  • Get Registry Keys
  • Get Wireless Keys
  • Detect CUPS
  • Make Telephone Call
  • Detect Bit Defender 2012

IPEC

  • Bindshell (POSIX)
  • Bindshell (Windows)
  • Cross Site Printing (XSP)
  • DNS Tunnel
  • IMAP
  • IRC

Miscellaneous

  • Create Invisible Iframe
  • Google Search
  • iFrame Event Key Logger
  • iFrame Sniffer
  • Local File Theft
  • Raw Javascript

Network

  • Detect Social Networks
  • Detect TOR
  • Ping Sweep
  • IRC NAT Pinning
  • Fingerprint Network
  • DNS Enumeration
  • Ping Sweep (Java)
  • Port Scanner

Persistence

  • Man-In-The-Browser
  • Confirm Close Tab
  • Create Foreground iFrame
  • Create Pop Under

Phonegap

  • Beep
  • Check connection
  • Detect PhoneGap
  • Geolocation
  • List Files
  • Persist resume
  • Persistence
  • Start Recording Audio
  • Stop Recording Audio
  • Upload File

Social Engineering

  • Autocomplete Theft
  • Clickjacking
  • Clippy
  • Fake Evernote Web Clipper Login
  • Fake Flash Update
  • Fake LastPass
  • Google Phishing
  • Lcamtuf Download
  • Fake Notification Bar
  • Fake Notification Bar (Chrome)
  • Fake Notification Bar (FF)
  • Fake Notification Bar (IE)
  • Pretty Theft
  • Simple Hijacker
  • TabNabbing

Nikto – How to

Nikto is a web server assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server. This tool is written in Perl language.

Open-source web server scanner that examines a website and reports back vulnerabilities. you can use with any web servers (Apache, Nginx, IHS, OHS, Litespeed, etc.)

https://github.com/sullo/nikto/tree/master/program

OSVDB prefix are vulnerabilities reported in the Open Source Vulnerability Database (a site that shut down in 2016). It's similar to other vulnerability databases such as SecurityFocus, Microsoft's Technet, and Common Vulnerabilities and Exposures, National Vulnerability Database.

You can recursively scan each page and virtual host as you discover them

https://hackertarget.com/wp-content/uploads/2018/06/nikto-web-scan-target.png

How to use

1. Display basic menu

-H, -Help = help menu

  • nikto -H

  • nikto

  • nikto -Version

-Version Print plugin and database versions

2. Basic Scan

-h = host

  • nikto -h http://192.168.0.7

3. Scanning sites protected with SSL

-ssl

  • nikto -h https://vk9-sec.com -ssl

4. Scan a list of IP addresses

  • cat targets.txt
  • nikto -h targets.txt

5. Output to integrate with Metasploit Framework.

-Format nbe = Format output for Nessus format

-o nessus.txt, - output = saves the output to a file named nessus.txt

csv Comma-separated-value

json JSON Format

htm HTML Format

nbe Nessus NBE format

sql Generic SQL (see docs for schema)

txt Plain text

xml XML Format

  • nikto -h http://192.168.0.7 -Format nbe -o nessus.txt

  • cat nessus.txt

6. Scan for any cgi directories

-Cgidirs all = Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"

  • nikto -h http://192.168.0.7 -Cgidirs all

This time we got no results.

7. Display verbose, and, some results like 200 or 404 messages

-Display v = Turn on/off display outputs:

1 Show redirects

2 Show cookies received

3 Show all 200/OK responses

4 Show URLs which require authentication

D Debug output

E Display all HTTP errors

P Print progress to STDOUT

S Scrub output of IPs and hostnames

V Verbose output

  • nikto -h http://192.168.0.7 -Display v

8. Check for database status and entries

-dbcheck = Check database and other key files for syntax errors

  • nikto -dbcheck

9. Ignore 404 code

-404code = Ignore these HTTP codes as negative responses (always). Format is "302,301"

  • nikto -h http://192.168.0.7 -404code 404

10. Ignore string in the response body

-404string = Ignore this string in response body content as negative response (always). Can be a regular expression.

  • nikto -h http://192.168.0.7 -404string "Not Found"

11. List of plug-ins and their status

-list-plugins = List all available plugins, perform no testing

  • nikto -list-plugins

12. Specify how much time the scan should give per host

-maxtime+ = Maximum testing time per host (e.g., 1h, 60m, 3600s)

  • nikto -h http://192.168.0.7 -maxtime 2s

13. Set a pause between tests

-Pause+ = Pause between tests (seconds, integer or float)

  • nikto -h http://192.168.0.7 -Pause 2

14. use a different port other than 80

-port+ = Port to use (default 80)

  • nikto -h 192.168.0.7 -port 9999

15. Disable SSL & DNS

-nolookup = Disables DNS lookups

-nossl = Disables the use of SSL

  • nikto -h http://192.168.0.7 -nolookup -nossl

16. Test different types of attacks with Tuning option

-Tuning+

1 Interesting File / Seen in logs

2 Misconfiguration / Default File

3 Information Disclosure

4 Injection (XSS/Script/HTML)

5 Remote File Retrieval - Inside Web Root

6 Denial of Service

7 Remote File Retrieval - Server Wide

8 Command Execution / Remote Shell

9 SQL Injection

0 File Upload

a Authentication Bypass

b Software Identification

c Remote Source Inclusion

d WebService

e Administrative Console

x Reverse Tuning Options (i.e., include all except specified)

  • nikto -h http://192.168.0.7 -Tuning 2

17. Set a timeout in case the request fails

-timeout+ Timeout for requests (default 10 seconds)

  • nikto -h http://192.168.0.7 -timeout 1

18.Update the databases and plugins. (out of date already)

-update = Update databases and plugins from CIRT.net

  • nikto -update

19. Send traffic through a Proxy

-useproxy = Use the proxy defined in nikto.conf, or argument http://server:port

  • nikto -h http://192.168.0.7 -useproxy http://127.0.0.1:8080

In the proxy we can see

20. Spoof the User-Agent

-useragent = Over-rides the default useragent

  • nikto -h http://192.168.0.7 -useragent "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1" -useproxy http://127.0.0.1:8080

In the proxy we see