This post will focus on Performing Rule Based Attack Using Hashcat. It’s a way of using a dictionary or multiple dictionaries of words in order to crack a password in Kali Linux.

Rule-based Attack

Recently I was writing a blog on hashcat to cracking the hashes but the blog was going long so i thought about to write another blog to explain more about hashcat attacks,so that you can easily crack the has.So the rule-based attack is one of the most complicated of all the attack modes.The reason for this is very simple.the rule-based attack is like a programming language designed for password candidate generation. It has functions to modify,cut or extend words and has conditional operators to skip some, etc.That makes it the most flexible,accurate and efficient attack.

Why not stick to regular expressions

Why re-invent the wheel? Simple answer: regular expressions are too slow. Typically we have to generate 1.000.000.000 (or more) fresh password candidates in less than 10 ms before hashing algorithms start to become idle, and then again and again, second after second. Just take a look at your GPU speed display to get an idea of it.

Compatibility to other rule engines

The rule-engine in hashcat was written so that all functions that share the same letter-name are 100% compatible to John the Ripper and Passwordpro rules and vice versa. Later we started to introduce some of our own functions that are not compatible. But these functions got their own letter-names to avoid conflicts.

What Are Rules and When Would I Use Them?

The first thing which comes in our mind is, What are rules  why we should use rule attack to cracking the hash.So First of all, consider the following scenario. You have a basic password wordlist containing the words below:

password
mysecret
qwerty

If you wanted to try the above passwords with the pattern “123” added to the end, your list will become:

password
password123
mysecret
mysecret123
qwerty
qwerty123

If you also want to capitalise the first letter of the original words, it will now become:

password
password123
Password
mysecret
mysecret123
Mysecret
qwerty
qwerty123
Qwerty

Although you can type each new pattern manually for each word in your list,this will quickly get impractical with larger wordlists.

Thankfully,we can express these patterns in programming terms using rules. With rules,we can create new passwords through modification of existing passwords supplied.

Instead of having to write every new pattern for each password like above,we only require our original wordlist:

password
mysecret
qwerty

And a file containing the rules that express our patterns:

$c
$1 $2 $3

Though much smaller, the above would produce the same outcome of words as before. Not only is this quicker than manually creating each password you want to try, your dictionary file also won’t be as large.

In short, a rule-based attack allows you to express patterns which are applied to existing passwords to quickly generate new passwords to use.and crack the hashed fast and easily.

Creating Rules

Now that we can see the benefits of rules,we will now define some rules to use in our own rule-based attack. To define our own custom set of rules to use with hashcat, we need to store them in a file,like best64.rule or something you as want.

In this tutorial,we will cover some of the most commonly used rule functions:

Writing our rule-set:

To start, we will create some rules to do basic manipulation of the characters.

From the above table, we will put in our rules file the lowercase, uppercase and capitalize functions:

:
l
u
c

The colon entry instructs hashcat to try the original word.We’ll be including this so we can compare how many passwords were cracked using unmodified passwords from the wordlist.

We’ll also append to the end of the passwords the characters one to nine individually:

$1
$2
$3
$4
$5
$6
$7
$8
$9

To express multiple functions in a single rule, you can separate them with a space like the following:

$1 $2 $3 $4

In this case we are appending characters one, two and three to the end of our passwords.(i.e. the password is root it will convert to root1234 ), And if you want to append multi combination (i.e. $5 $ 5 it will be root55)

You can substitute one character for another, by doing the following:

sXY

Where X is the character to replace and Y is the new character.

For this demonstration,we will substitute the following letters for their commonly used alternatives:

• “@”  instead of “a”
• “3” instead of “e”
• “1” instead of “l”
• “0” instead of “o”

To express these as rules in a hashcat file, it looks like:

sa@
se3
sl1
sa@ se3 sl1
sa@ se3 ss&

The final rules we’ll add inserts the word “root” before and after the password:

^R ^o ^o ^t
^r ^o ^o ^t
$r $o $o $t

From the above, notice we’ve also included “Root” with a capital “R” before the password.

Now that we have covered the different rules we’re going to use, make sure you have created a file called “rules” that contains the following rules

:
#Lowercase
l
#Uppercase
u
#Capitalise  first character
c
#Add '1' to the end
$1
#Add '2' to the end
$2
#Add '3' to the end
$3
#Add '4' to the end
$4
#Add '5' to the end
$5
#Add '6' to the end
$6
#Add '7' to the end
$7
#Add '8' to the end
$8
#Add '9' to the end
$9
#Add '123' to the end
$1 $2 $3
#Substitute 'a' for '@'
sa@
#Substitute 'e' for '3'
se3
#substitute 'l' for '1'
sl1
#Substitute 'a' for '@', 'e' for '3', 'l' for '1'
sa@ se3 sl1
#Add the word 'root' to the beginning
^R ^o ^o ^t
#Add the word 'root' to the beginning
^r ^o ^o ^t
#Add the word 'root' to the end
$r $o $o $t

The lines beginning with a “#” are used to indicate to hashcat that the line is a comments.

Running the Rule-Based Attack

Now that we have our rules file and providing you have the Root hashes and rockyou password dictionary, we are ready to start cracking the password hashes.

In order to log the effectiveness of our rules, we’ll make use of hashcat’s debug commands. The debug option in hashcat works by logging a rule to a file every time it successfully cracks a password.

To run our rule-based attack, we will use the following command:

hashcat -a 0 -m 0 target_hash/mayhem.hash  /usr/share/wordlists/rockyou.txt -r rules --debug-mode=1 --debug-file=matched.rule --force

After following the steps above, when you run the command the output will look like..

however we do not know how many passwords each rule cracked.To find this information, this is where our debug file comes in. If we look at its contents right now…

cat matched.rule
sort matched.rule | uniq –c

Matched rules in cracking
So i got the output of hashes,hope this will help you to resolve queries of cracking the hash with hashcat.As previously mentioned, only the commonly used rule functions were covered in this tutorial. To view a full list of available rule functions, you can do so on the hashcat website here.Additionally recommend you to..

Using Existing Rule Files

It is worth mentioning that hashcat contains some rule files by default.These are located in the “rules” folder of your hashcat installation:

ls -l /usr/share/hashcat/rules/

Summary

In this guide, we created  and used our own custom rules in hashcat to perform a rule-based attack. We started by covering what rule-based attacks are and why they are used. We then proceeded to create our own rules and use the rockyou dictionary to crack MD5 hashes.

The post Performing Rule Based Attack Using Hashcat appeared first on Armour Infosec.

Hello Friends, Today I’m going to explain the Hashcat password Cracking Tool, As I learn from my cybersecurity classes and reading some blogs doing practices and the help of infosec boy’s able to explain it, so obviously the credits goes to Armour Infosec. Password cracking and user account exploitation is one of the most issues in cybersecurity field. Password Cracking tools, like Hashcat and John the Ripper, Provide the potential attackers to check billions of passwords per second against Victim’s password hashes. these tools have proved to be effective in cracking passwords, recent research shows that combining deep learning techniques with these tools can produce significantly better results. Specifically, using Generative Adversarial Networks (GANs), which comprises of two neural networks, to generate high-quality password guesses can improve the existing tools to match 51%-73% more passwords than just the tools alone. This significant improvement demonstrates that this new approach using deep learning can generate numerous new pass-words that were once beyond the reach of other tools.On one hand, this is an impressive result driven by researchers of deep learning and cybersecurity, and on the other, a strong warning to the community of the increasing dangers of weak password authentication.

This blog is a reference guide for cracking, tool usage and supportive.tools that assist pentesters in password recovery (cracking). this will not be covering the installation of these tools but will include references to their proper installation, and if all else fails, Google. Updates and additions to this blog are planned yearly as advancements in cracking evolve.

“Password recovery is a battle against math, time, cost, and human behavior, and much like any battle, the tactics are constantly  evolving.”

Table of content

1. Required Software
2. Core Hash Cracking Knowledge
3. Cracking Methodology
4. Basic Cracking
5. Dictionary / Wordlist
6. Rules & Masks
7. Common Hash Examples
8. Appendix
   1. Online Resources
   2. Hashcat Menu
   3. Hash Cracking Benchmarks
   4. Hash Cracking Speed

REQUIRED SOFTWARE

In order to follow many of the techniques in this manual, you will need to install the following software on your UNIX host. This book does not cover how to install said software and assumes you were able to follow the included links and extensive support websites.

HASHCAT v5.1.0 (or newer)
https://hashcat.net/hashcat/

JOHN THE RIPPER 1.9.0-jumbo-1 (or newer)
https://www.openwall.com/john/

Hashcat-utils v1.9 (or newer)
https://hashcat.net/wiki/doku.php?id=hashcat_utils

Additionally you will need dictionaries/wordlists and highly recommend the below sources:

WEAKPASS DICTIONARY
https://weakpass.com/wordlist

CRACKSTATION DICTIONARY
https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm

SKULL SECURITY WORDLISTS
https://wiki.skullsecurity.org/index.php?title=Passwords

Throughout the manual, generic names have been given to the various inputs required in a cracking
commands structure. Legend description is below:

COMMAND STRUCTURE LEGEND
hashcat = Generic representation of the various Hashcat binary names (hashcat tool)
john = Generic representation of the John the Ripper binary names (John tool)
#type = Hash type; which is an abbreviation in John or a number in Hashcat (hash MD5,MD4..)
hash.txt = File containing target hashes to be cracked (Raw hash list )
dict.txt = File containing dictionary/wordlist (password list)
rule.txt = File containing permutation rules to alter dict.txt input
passwords.txt = File containing cracked password results
outfile.txt = File containing results of some functions output

Lastly, as a good reference for testing various hash types to place into your “hash.txt” file, the below
sites contain all the various hashing algorithms and example output tailored for each cracking tool:

HASHCAT HASH FORMAT EXAMPLES
https://hashcat.net/wiki/doku.php?id=example_hashes

JOHN THE RIPPER HASH FORMAT EXAMPLES
http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
http://openwall.info/wiki/john/sample-hashes

CORE HASH CRACKING KNOWLEDGE-:

ENCODING vs HASHING vs ENCRYPTING
Encoding = transforms data into a publicly known scheme for usability
Hashing = one-way cryptographic function nearly impossible to reverse
Encrypting = mapping of input data and output data reversible with a key

CPU vs GPU
CPU = 2–72 cores mainly optimized for sequential serial processing
GPU = 1000’s of cores with 1000’s of threads for parallel processing

CRACKING TIME = KEYSPACE / HASHRATE
Keyspace: charset^length (?a?a?a?a = 95⁴ = 81,450,625)
Hashrate: hashing function / hardware power (bcrypt / GTX1080 = 13094 H/s)
Cracking Time: 81,450,625 / 13094 H/s = 6,220 seconds
*Keyspace displayed and Hashrate vary by tool and hardware used.
SALT = random data that’s used as additional input to a one-way function
ITERATIONS = the number of times an algorithm is run over a given hash

HASH IDENTIFICATION

“there isn’t a foolproof method for identifying which hash function was used by simply looking at the hash, but there are reliable clues (i.e. $6$ sha512crypt).The best method is to know from where the hash was extracted and identify the hash function for that software”

DICTIONARY/WORDLIST ATTACK = straight attack uses a precompiled list of words, phrases,
and common/unique strings and Might be genrated according to the Information gathered to attempt to match a password.

BRUTE-FORCE ATTACK = attempts every possible combination of a given character set, usually up
to a certain length.(work like the probability mathod to make combinations)

RULE ATTACK = generates permutations against a given wordlist by modifying, trimming,
extending, expanding, combining, or skipping words.

MASK ATTACK = a form of targeted brute-force attack by using placeholders for characters in certain
positions (i.e. ?a?a?a?l?d?d).

HYBRID ATTACK = combines a Dictionary and Mask Attack by taking input from the dictionary and
adding mask placeholders (i.e. dict.txt ?d?d?d).CRACKING RIG = from a basic laptop to a 64 GPU cluster, this is the hardware/ platform
on which you perform your password hash attacks.

EXPECTED RESULTS
Know your cracking rig’s capabilities by performing benchmark testing and don’t assume you can
achieve the same results posted by forum members without using the exact same dictionary, attack plan,
or hardware setup.Cracking success largely depends on your ability to use resources efficiently and
make calculated trade-offs based on the target hash.

DICTIONARY/WORDLIST vs BRUTE-FORCE vs ANALYSIS
Dictionaries and brute-force are not the end all be all to crack hashes.They are merely the beginning and end of an attack plan.I’ll say True mastery is everything in the middle,where analysis and information gathering of passwords,patterns, behaviors, and policiesaffords the ability to recover that last 20%. Experiment with your attacks and research and compile targeted wordlists with your new knowledge.Do not rely heavily on dictionaries because they can only help you with what is “known” and not the unknown.In realworld Analysis of target and gather information to make your own dictionary/wordlist is best way to attack and get credentials of the target easier and faster.

CRACKING METHODOLOGY
Following is basic cracking methodology broken into steps,but the process is subject to change based on current/future target information uncovered during the cracking process.

1 – EXTRACT HASHES
Pull hashes from target,Victim Machine,identify hashing function, and properly format output for your tool of choice.

2 – FORMAT HASHES
Format your hashes based on your tool’s preferred method.See tool documentation for this guidance.
Hashcat,for example,on each line takes <user>:<hash> OR just the plain <hash>.

3 – EVALUATE HASH STRENGTH
Using the Appendix table “Hash Cracking Speed (Slow-Fast)” assess your target hash and it’s cracking
speed.If it’s a slow hash,you will need to be more selective at what types of dictionaries and attacks
you perform.If it’s a fast hash,you can be more liberal with your attack strategy.

4 – CALCULATE CRACKING RIG CAPABILITIES
With the information from evaluating the hash strength,baseline your cracking rig’s capabilities.
Perform benchmark testing using John The Ripper and/or Hashcat’s built-in benchmark ability on your
rig,it’s totally depends on your hardware.for example have a look..!

Hash Crackers/Bit Coin Miners

Fast Hash One
• 1.536TH/s – Cost 3-5,000 dollars.

25 GPU Hash Cracker
• An eight character NTLM password
cracked in 5.5 hours. 14 character LM
hash cracked in six minutes.350 billion
hashes per second.

To know about your System capability,use these command to get the result.

hashcat --benchmark --force
hashcat -b -m 0 --force

Based on these results you will be able to better assess your attack options by knowing your rigs capabilities against a specific hash. This will be a more accurate result of a hash’s cracking speed based on your rig.It will be useful to save these results for future reference.

5 – FORMULATE PLAN
Based on known or unknown knowledge begin creating an attack plan.Included on the next page is a
“Basic Cracking” to get you started.

6 – ANALYZE PASSWORDS
After successfully cracking a sufficient amount of hashes analyze the results for any clues or patterns.
This analysis may aid in your success on any remaining hashes.

7 – CUSTOM ATTACKS
Based on your password analysis create custom attacks leveraging those known clues or patterns.
Examples would be custom mask attacks or rules to fit target users’ behavior or preferences.just by doing some social engineering and footprinting or depends on your knowldge.

8 – ADVANCED ATTACKS
Experiment with Princeprocessor, custom Markov-chains, maskprocessor, or custom dictionary attacks
to shake out those remaining stubborn hashes. This is where your expertise and creativity really come
into play.

9 – REPEAT
Go back to STEP 4 and continue the process over again, tweaking dictionaries, mask, parameters, and
methods.gather some more information about,You’re in the grind at this point and need to rely on skill and luck.

Basic-cracking

This is only meant as a basic guide to processing hashes and each scenario will obviously be unique
based on external circumstances.For this attack plan we will assume we know the password hashes are
raw MD5 and assume we have already captured some plain text passwords of users.If we had no
knowledge of plain text passwords we would most likely skip to DICTIONARY/WORDLIST attacks.
Lastly,since MD5 is a “Fast” hash we can be more liberal with our attack plan.

1 – CUSTOM WORDLIST
First compile your known plain text passwords into a custom wordlist file.Pass this to your tool of
choice as a straight dictionary attack.

hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt
hashcat -a 0 -m 0 -w 4 hash.txt pass.txt --force

This will work only for MD5 hash where:-

-a 0 designates a dictionary attack
-m 0 designates the type of hash we are cracking (MD5)
-w 4 workload profile
-o cracked.txt is the output file for the cracked passwords.
hash.txt is our input file of hashes.
custom_list.txt is the wordlist file for this dictionary attack.

After cracking the output file will show you the passwords of cracked hashes like down below…

2 – CUSTOM WORDLIST + RULES
Run your custom wordlist with permutation rules to crack slight variations.Rules will help you to get password sooner as you have the information about victim hash.follow this link to know more about rule based attack.after all this is rockyou.txt not custom wordlist you can use according to your victim.

https://www.armourinfosec.com/performing-rule-based-attack-using-hashcat/

hashcat -a 0 -m 0 target_hash/mayhem.hash  /usr/share/wordlists/rockyou.txt -r rules --debug-mode=1 --debug-file=matched.rule --force

3 – DICTIONARY/WORDLIST
Perform a broad dictionary attack, looking for common passwords and leaked passwords in well known
dictionaries/wordlists.I’m using best64.rule of hashcat and rockyou.txt to crack.

hashcat -a 0 -m 0 target_hash/mayhem.hash /usr/share/wordlists/rockyou.txt -r best64.rule --debug-mode=1 --debug-file=matched.rule --force

4 – DICTIONARY/WORDLIST + RULES
Add rule permutations to the broad dictionary attack, looking for subtle changes to common words/phrases and leaked passwords.

hashcat -a 0 -m 0 -w 4 target_hash/mayhem.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --debug-mode=1 --debug-file=matched.rule --force

for the output open matched.rule to which rules are worked.

5 – CUSTOM WORDLIST + RULES
Add any newly discovered passwords to your custom wordlist and run an attack again with permutation
rules, looking any other variations,just by hitting the echo or awk to append the new rule.and then use the above command.
:: awk -F “:” ‘{print $2}’ hashcat.potfile >> custom_list.txt

6 – MASK
Now we will use mask attacks included with Hashcat to search the keyspace for common password
lengths and patterns, based on the RockYou dataset.there’s many pattern of passwords inside the rockyou-1-6-.hcmask like our rule based attack.go to the link to find all paths of hashcat https://centos.pkgs.org/6/forensics-i386/hashcat-3.00-1.el6.i686.rpm.html Already stored masks of hashcat.(note: attack mode will be change -a 0 to -a 3)

hashcat -a 3 -m 0 -w 4 target_hash/mayhem.hash  /usr/share/hashcat/masks/rockyou-1-60.hcmask --force

The list of all recovered passwords of given hashes.

7 – HYBRID DICTIONARY + MASK
Using a dictionary of your choice, conduct hybrid attacks looking for larger variations of common words or known passwords by appending/prepending masks to those candidates.now i think you’re able to run the commands according to needs.can’t show you all the output screen shots.there’s lots more i have to cover in this blog so lets move on to the next..

hashcat -a 7 -m 0 -w 4 hash.txt rockyou-1–60.hcmask dict.txt
hashcat -a 6 -m 0 -w 4 hash.txt dict.txt rockyou-1-60.hcmask

8 – CUSTOM WORDLIST + RULES
Add any newly discovered passwords back to your custom wordlist and run an attack again with
permutation rules looking any other subtle variations.

awk -F “:” ‘{print $2}’ hashcat.potfile >> custom_list.txt
hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt -r dive.rule --loopback

9 – COMBO
Using a dictionary of your choice, perform a combo attack by individually combining the dictionary’s
password candidates together to form new candidates.just mean combinig to dictionary’s to crack the hash.

hashcat -a 1 -m 0 -w 4 hash.txt dict.txt dict.txt

10 – CUSTOM HYBRID ATTACK
Add any newly discovered passwords back to your custom wordlist and perform a hybrid attack against
those new acquired passwords.

awk -F “:” ‘{print $2}’ hashcat.potfile >> custom_list.txt
hashcat -a 6 -m 0 -w 4 hash. txt custom_list.txt rockyou-1-60.hcmask
hashcat -a 7 -m 0 -w 4 hash. txt rockyou-1-60.hcmask custom_list.txt

11 – CUSTOM MASK ATTACK
By now the easier, weaker passwords may have fallen to cracking, but still some remain.Using PACK
create custom mask attacks based on your currently cracked passwords. Be sure to sort out

masks that match the previous rockyou-1-60.hcmask list.
hashcat -a 3 -m 0 -w 4 hash.txt custom_masks.hcmask

12 – BRUTE-FORCE
When all else fails begin a standard brute-force attack, being selective as to how large a keyspace your
rig can adequately brute-force. Above 8 characters this is typically pointless due to hardware limitations
and password entropy/ complexity.This particular mask will attempt to bruteforce an 8 character password.

Hashcat has the following charsets built-in:

?l = abcdefghijklmnopqrstuvwxyz (lowercase)
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ(uppercase)
?d = 0123456789(digits)  
?h = 0123456789abcdef(digit+lowercase)
?H = 0123456789ABCDEF(d+u)
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~  (special char)
?a = ?l?u?d?s (all alpha + lwrc + digit + special char)

hashcat -a 3 -m 0 -w 4 target_hash/mayhem.hash -i ?a?a?a?a?a?a?a?a --force

ONLINE PASSWORD ANALYSIS RESOURCES

WEAKPASS
Analyzes public password dumps and provides efficient dictionaries for download.
http://weakpass.com/
PASSWORD RESEARCH
Important password security and authentication research papers in one place.
http://www.passwordresearch.com/
THE PASSWORD PROJECT
Compiled analysis of larger password dumps using PIPAL and PASSPAL tools.
http://www.thepasswordproject.com/leaked_password_lists_and_dictionaries

DICTIONARY / WORDLIST

DOWNLOAD RESOURCES

WEAKPASS
http://weakpass.com/wordlist
CRACKSTATION DICTIONARY
https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm
HAVE I BEEN PWNED
*You’ll have to crack the SHA1’s
https://haveibeenpwned.com/passwords
SKULL SECURITY WORDLISTS
https://wiki.skullsecurity.org/index.php?title=Passwords
CAPSOP
https://wordlists.capsop.com/
UNIX-NINJA DNA DICTIONARY
*Dictionary link at bottom of article*
https://www.unix-ninja.com/p/Password_DNA
PROBABLE-WORDLIST
https://github.com/berzerk0/Probable-Wordlists
EFF-WORDLIST
Long-list (7,776 words) & Short-list (1,296 words)
https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt
https://www.eff.org/files/2016/09/08/eff_short_wordlist_1.txt
RAINBOW TABLES
*Rainbow Tables are for the most part obsolete but provided here for reference*
http://project-rainbowcrack.com/table.htm

TARGETED WORDLISTS

CeWL
Custom wordlist generator scrapes & compiles keywords from websites.
https://digi.ninja/projects/cewl.php
Example scan depth of 2 and minimum word length of 5 output to wordlist.txt

cewl -d 2 -m 5 -w wordlist.txt http://<target/ website>

SMEEGESCRAPE
Text file and website scraper which generates custom wordlists from content.
http://www.smeegesec.com/2014/01/smeegescrape-text-scraper-and-custom.html
Compile unique keywords from text file and output into wordlist.

SmeegeScrape.py -f file.txt -o wordlist.txt

Scrape keywords from target website and output into wordlist.

SmeegeScrape.py -u http://<target/ website> -si -o wordlist.txt

GENERATE PASSWORD HASHES

HASHCAT
https://github.com/hashcat/hashcat/tree/master/tools

test.pl passthrough <#type> <#> dict.txt

MDXFIND
https://hashes.org/mdxfind.php

echo | mdxfind -z -h ‘<#type>’ dict.txt

LYRICPASS (Song Lyrics Password Generator)

 python3 lyricpass.py -a "eminem"

ONLINE HASH CRACKING SERVICES

GPUHASH
https://gpuhash.me/
CRACKSTATION
https://crackstation.net/
ONLINE HASH CRACK
https://www.onlinehashcrack.com/
HASH HUNTERS
http://www.hashhunters.net/

COMMON HASH EXAMPLES

MD5, NTLM, NTLMv2, LM, MD5crypt, SHA1, SHA256, bcrypt, PDF 1.4 - 1.6 (Acrobat 5-8),
Microsoft OFFICE 2013, RAR3-HP, Winzip, 7zip, Bitcoin/Litecoin, MAC OSX v10.5-v10.6,
MySQL 4.1-5+, Postgres, MSSQL(2012)-MSSQL(2014), Oracle 11g, Cisco TYPE 4 5 8 9, WPA
PSK / WPA2 PSK

MDS (HASHCAT)

HASH FORMAT
8743b52063cd84097a65dl633f5c74f5

BRUTE FORCE ATTACK

hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a

WORDLIST ATTACK

hashcat -m 0 -a 0 hash.txt dict.txt

WORDLIST + RULE ATTACK

hashcat -m 0 -a 0 hash.txt dict.txt -r rule.txt

NTLM (PWDUMP)

HASH FORMAT
b4b9b02e6f09a9bd760f388b67351e2b
BRUTE FORCE ATTACK
hashcat -m 1000 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 1000 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 1000 -a 0 hash.txt dict.txt -r rule.txt

LM

HASH FORMAT
$LM$a9c604d244c4e99d
BRUTE FORCE ATTACK
hashcat -m 3000 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 3000 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 3000 -a 0 hash.txt dict.txt -r rule.txt

MD5CRYPT

HASH FORMAT
$1$28772684$iEwNOgGugq09.bIz5sk8k/
BRUTE FORCE ATTACK
hashcat -m 500 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 500 -a 0 hash.txt dict.txtWORDLIST + RULE ATTACK
hashcat -m 500 -a 0 hash.txt dict.txt -r rule.txt

SHA1

HASH FORMAT
b89eaac7e61417341b710b727768294d0e6a277b
BRUTE FORCE ATTACK
hashcat -m 100 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 100 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 100 -a 0 hash.txt dict.txt -r rule.txt

SHA256

HASH FORMAT
127e6fbfe24a750e72930c220a8el38275656b8e5d8f48a98c3c92df2caba935
BRUTE FORCE ATTACK
hashcat -m 1400 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 1400 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 1400 -a 0 hash.txt dict.txt -r rule.txt

BCRYPT

HASH FORMAT
$2a$05$LhayLxezLhKlLhWvKxCyLOj0jlu.Kj0jZ0pEmml34uzrQlFvQDLF6

BRUTE FORCE ATTACK
hashcat -m 3200 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 3200 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 3200 -a 0 hash.txt dict.txt -r rule.txt

PDF 1.4 – 1.6 (ACROBAT 5-8)

HASH FORMAT
$pdf$2*3*128*-1028*l*16*da42eel5d4b3e08fe5b9ecea0e02ad0f*32*c9b59d72c7c670c42eeb
4fcald2cal5000000000000000000000000000000000*32*c4ff3e868dc87604626c2b8c259297al
4d58c6309c70b00afdfblfbbal0ee571
EXTRACT HASH
pdf2hashcat.py example.pdf > hash.txt
BRUTE FORCE ATTACK
hashcat -m 10500 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 10500 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 10500 -a 0 hash.txt dict.txt -r rule.txt

MICROSOFT OFFICE 2013

HASH FORMAT
example.docx:$office$*2013*100000*256*16*7dd611d7eb4c899f74816dldec817b3b*948dc0
b2c2c6c32fl4b5995a543ad037*0b7ee0e48e935f937192a59de48a7d561ef2691d5c8a3ba87ec2d
04402a94895
EXTRACT HASH
office2hashcat.py example.docx > hash.txt
BRUTE FORCE ATTACK
hashcat -m 9600 -a 3 –username hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 9600 -a 0 –username hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 9600 -a 0 –username hash.txt dict.txt -r rule.txt

RAR3-HP (ENCRYPTED HEADER)

HASH FORMAT
$RAR3$*0*45109af8ab5f297a*adbf6c5385d7a40373e8f77d7b89d317
#!Ensure to remove extraneous rar2john output to match above hash!#
EXTRACT HASH
rar2john.py example.rar > hash.txt
BRUTE FORCE ATTACK
hashcat -m 12500 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 12500 -a 0 hash.txt dict.txtWORDLIST + RULE ATTACK
hashcat -m 12500 -a 0 hash.txt dict.txt -r rule.txt

WINZIP

HASH FORMAT
$zip2$*0*3*0*b5d2b7bf57ad5e86a55c400509c672bd*d218*0**ca3d736d03a34165cfa9*$/ zip2$
#!Ensure to remove extraneous zip2john output to match above hash!#
EXTRACT HASH
zip2john.py example.zip > hash.txt
BRUTE FORCE ATTACK
hashcat -m 13600 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 13600 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 13600 -a 0 hash.txt dict.txt -r rule.txt

7-ZIP

HASH FORMAT
$7z$0$19$0$salt$8$f6196259a7326e3f0000000000000000$185065650$112$98$f3bc2a88062c
419a25acd40c0c2d75421cf23263f69c51bl3f9blaada41a8a09f9adeae45d67c60b56aad338f20c
0dcc5eb811c7a61128ee0746f922cdb9c59096869f341c7a9cblac7bb7d771f546b82cf4e6flla5e
Cd4b61751e4d8de66dd6e2dfb5b7dl022d2211e2d66eal703f96
#!Ensure to remove extraneous 7zip2john output to match above hash!#
EXTRACT HASH
7z2john.py example.7z > hash.txt
BRUTE FORCE ATTACK
hashcat -m 11600 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 11600 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 11600 -a 0 hash.txt dict.txt -r rule.txt

BITCOIN / LITECOIN

HASH FORMAT
$bitcoin$96$d011alb6a8d675b7a36d0cd2efaca32a9f8dcld57d6d01a58399ea04e703e8bbb448
99039326f7a00fl71a7bbc854a54$16$1563277210780230$158555$96$628835426818227243334
570448571536352510740823233055715845322741625407685873076027233865346542174$66$6
25882875480513751851333441623702852811440775888122046360561760525
EXTRACT HASH
bitcoin2john.py wallet.dat > hash.txt
BRUTE FORCE ATTACK
hashcat -m 11300 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 11300 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 11300 -a 0 hash.txt dict.txt -r rule.txt

MAC OS X 10.8-10.12

HASH FORMAT
username:$ml$35714$50973de90d336b5258f01e48ab324aa9ac81ca7959ac470d3d9c4395af624
398$631a0ef84081b37cfe594a5468cf3a63173cd2ec25047b89457ed300f2b41b30a0792a39912f
C5f3f7be8f74b7269ee3713172642de96ee482432a8dl2bf291a
EXTRACT HASH
sudo plist2hashcat.py /var/db/dslocal/nodes/Default/users/<username>.plist
BRUTE FORCE ATTACKhashcat -m 122 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 122 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 122 -a 0 hash.txt dict.txt -r rule.txt

MYSQL4.1 / MYSQL5+ (DOUBLE SHA1)

HASH FORMAT
FCF7C1B8749CF99D88E5F34271D636178FB5D130
EXTRACT HASH
SELECT user,password FROM mysql.user INTO OUTFILE ‘/tmp/hash.txt’;
BRUTE FORCE ATTACK
hashcat -m 300 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 300 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 300 -a 0 hash.txt dict.txt -r rule.txt

POSTGRESQL

HASH FORMAT
a6343a68d964ca596d9752250d54bb8a:postgres
EXTRACT HASH
SELECT username, passwd FROM pg_shadow;
BRUTE FORCE ATTACK
hashcat -m 12 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 12 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 12 -a 0 hash.txt dict.txt -r rule.txt

MSSQL(2012), MSSQL(2014)

HASH FORMAT
0x02000102030434ealbl7802fd95ea6316bd61d2c94622ca3812793e8fbl672487b5c904a45a31b
2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375
EXTRACT HASH
SELECT SL.name,SL.password_hash FROM sys.sql_logins AS SL;
BRUTE FORCE ATTACK
hashcat -m 1731 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 1731 -a 0 hash.txt dict.txt

WORDLIST + RULE ATTACK
hashcat -m 1731 -a 0 hash.txt dict.txt -r rule.txt

ORACLE 11G

HASH FORMAT
ac5fle62d21fd0529428b84d42e8955b04966703:38445748184477378130
EXTRACT HASH
SELECT SL.name,SL.password_hash FROM sys.sql_logins AS SL;
BRUTE FORCE ATTACK
hashcat -m 112 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 112 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 112 -a 0 hash.txt dict.txt -r rule.txt

CISCO TYPE 4 (SHA256)

HASH FORMAT
2btjjy78REtmYkkW0csHUbDZOstRXoWdX1mGrmmfeHI
BRUTE FORCE ATTACK
hashcat -m 5700 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 5700 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 5700 -a 0 hash.txt dict.txt -r rule.txt

CISCO TYPE 5 (MD5)

HASH FORMAT
$l$28772684$iEwN0gGugq09.bIz5sk8k/
BRUTE FORCE ATTACK
hashcat -m 500 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 500 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 500 -a 0 hash.txt dict.txt -r rule.txt

CISCO TYPE 9 (SCRYPT)

HASH FORMAT
$9$2MJBozw/9R3UsU$21FhcKvpghcyw8deP25G0fyZaagyU0GBymkryv0dfo6
BRUTE FORCE ATTACK
hashcat -m 9300 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 9300 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 9300 -a 0 hash.txt dict.txt -r rule.txt

WPA PSK / WPA2 PSK

HASH FORMAT
*Capture 4-way authentication handshake > capture.cap
cap2hccapx.bin capture.cap capture_out.hccapx
BRUTE FORCE ATTACK
hashcat -m 2500 -a 3 capture_out.hccapx ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 2500 -a 3 capture_out.hccapx dict.txt
WORDLIST + RULE ATTACK
hashcat -a 0 capture_out.hccapx dict.txt -r rule.txt

ONLINE RESOURCES

HASHCAT
https://hashcat.net/wiki/
https://hashcat.net/wiki/doku.php?id=hashcat_utilshttps://hashcat.net/wiki/doku.php?id=statsprocessor
http://www.netmux.com/blog/ultimate-guide-to-cracking-foreign-character-passwords-using-has
http://www.netmux.com/blog/cracking-12-character-above-passwords

CRACKING RIGS
http://www.netmux.com/blog/how-to-build-a-password-cracking-rig
https://www.unix-ninja.com/p/Building_a_Password_Cracking_Rig_for_Hashcat_-_Part_III

EXAMPLE HASH GENERATION
https://www.onlinehashcrack.com/hash-generator.php
https://www.tobtu.com/tools.php
http://hash.online-convert.com/
https://www.tools4noobs.com/online_tools/hash/
https://quickhash.com/
http://bitcoinvalued.com/tools.php
http://www.sha1-online.com/
http://www.freeformatter.com/hmac-generator.html
http://openwall.info/wiki/john/Generating-test-hashes

OTHER
http://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-
passwords/
http://www.utf8-chartable.de/
http://thesprawl.org/projects/pack/
https://blog.gotmilk.com/2011/06/dictionaries-wordlists/
http://wpengine.com/unmasked/

NETMUX
http://www.netmux.com/
http://www.hashcrack.io/
https://github.com/netmux
https://twitter.com/netmux
https://www.instagram.com/netmux/

If you’re reading this last line a huge thank’s and i’m gonna cover John the ripper to the nest blog it will contain all the screen shots of the all cracking methodology with commands and everything which left in hashcat.hope you learn something new,Thank you.

The post Password Cracking with Hashcat appeared first on Armour Infosec.

Keep in mind that this cheat sheet merely touches the surface of the available options. The Nmap Documentation portal is your reference for digging deeper into the options available.

Nmap in a nutshell

• Target Specification
• Host Discovery
• Port Specification
• Service Discovery / Version Detection
• Operating System Version Detection
• Firewall / IDS Evasion and Spoofing
• Time and Performance based Scan
• Output of Scan
• Vulnerability / Exploit Detection, using Nmap Scripts (NSE)

Target Specification

Scan a single IP

nmap 192.168.1.1

Scan specific IPs

nmap 192.168.1.1 192.168.1.5

Scan a Range

nmap 192.168.1.1-254

Scan a Domain / Host

nmap nmap scanme.nmap.org

Scan Targets from a File

namp -iL targets.txt

Exclude the Listed Host from the Target Range

nmap --exclude 192.168.1.5 192.168.1.1-10

Host Discovery

To List given targets only, no Scan

nmap -sL 192.168.1.1-3

To Disable Port Scanning, Host Discovery only

nmap -sn 192.168.1.1/24

To Disable Host Discovery. Port scan only

nmap -Pn 192.168.1.1-5

TCP SYN discovery on given port

nmap -PS 80,21 192.168.1.1

TCP ACK discovery on given port

nmap -PA 80,21 192.168.1.1

UDP discovery on given port

nmap -PU 53 192.168.1.1

Port Specification

Scan a given Port (i.e 21 here)

nmap -p 21 192.168.1.1

Scan the given Port Range

nmap -p 21-100 192.168.1.1

Scan the multiple TCP and UDP ports

nmap -p U:53,T:21-25,80 192.168.1.1

Scan all 65535 ports

nmap -p- 192.168.1.1

Scans the given Service Name

nmap -p http,https 192.168.1.1

Scans the Top 100 ports

nmap -F 192.168.1.1

Service Discovery / Version Detection

Detect Version of the Running Services

nmap -sV 192.168.1.1

To set intensity range between 0 to 9. Higher number increases possibility of correctness

nmap -sV --version-intensity 5 192.168.1.1

To enable the light mode(intensity =2). It is faster but have less possibility of correctness

nmap  -sV --version-light 192.168.1.1

To enables the intense mode(intensity =9). It is slower but have more possibility of correctness

nmap -sV --version-all 192.168.1.1

Operating System Version Detection

Detect the Operating system

nmap -sV 192.168.1.1

Aggressive mode i.e OS, Service Version, Trace route.

nmap -A 192.168.1.1

Firewall / IDS Evasion and Spoofing

Use tiny fragmented IP packets. Its harder for packet filters

nmap -f 192.168.1.1

Used to set our own offset size

nmap --mtu 32 192.168.1.1

Use the Spoofed IP to scan

nmap -D decoy-ip1,decoy-ip2, your-own-ip remote-host-ip

Scans target.com from example.com (Domain Name Spoofing)

nmap -S example.com target.com

Uses the given port as a source

nmap -g 53 192.168.1.1

Appends random data to sent packets

nmap --data-length 200 192.168.1.1

Time and Performance based Scan

Slow scan

nmap -T0 192.168.1.1

Sneaky scan

nmap -T1 192.168.1.1

Timely scan

nmap -T2 192.168.1.1

Default scan

nmap -T3 192.168.1.1

Aggressive scan

nmap -T4 192.168.1.1

Very Aggressive scan

nmap -T5 192.168.1.1

Output of Scan

To scan in the Verbose mode (-vv for greater effect)

nmap -v 192.168.1.1

Save the scan results to the scan.file

nmap 192.168.1.1 -oN scan.file

Save the results in xml.file

nmap 192.168.1.1 -oX xml.file

Save the results in grep.file

nmap 192.168.1.1 -oG grep.file

Saves the Output in the three major formats at once

nmap 192.168.1.1 -oA result

To scan in the debug mode (-dd for greater effect)

nmap 192.168.1.1 -d

To see all the packets sent and received

nmap 192.168.1.1 -T4 --packet-trace

Vulnerability / Exploit Detection, using Nmap Scripts (NSE)

Scan with default NSE Scripts

nmap 192.168.1.1 -sC

Scan with given NSE Script ( Example: nmap.nse )

nmap 192.168.1.1 --script=nmap.nse

Use script with arguments

nmap 192.168.1.1 –script=nmap.nse --script-args user=admin

The post Nmap Cheat Sheet appeared first on Armour Infosec.

Stop Tracking ( Disconnect )

Stop tracking with “Disconnect”
– open source and
– loads pages 44% faster.
– save upto 39% of bandwidth
– stops tracking more than 2,000+ third-party sites
– keeps your searches private
– was named the best privacy tool by the New York Times (2016),

https://addons.mozilla.org/en-US/firefox/addon/disconnect/

Cookie Quick Manager

This add-on helps you perform various operations on cookies like viewing, searching, creating, and even editing them.
https://addons.mozilla.org/en-US/firefox/addon/cookie-quick-manager/

HackBar Quantum

Unlike the previous version of Hackbar, this one is compatible with firefox quantum also. This tool helps in testing sql injections, XSS holes and site security.

https://addons.mozilla.org/en-US/firefox/addon/hackbar-quantum/?src=recommended

HTTPS Everywhere

Encrypt the web! With this tool as your add-on, you can apply HTTPS ecryption automatically on all the sites even on those where https: prefix is omitted.

https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/

Greasemonkey

Allows you to customize the way a web page displays or behaves, by using small bits of JavaScript.

https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/

Injector

Its a lightweight web app bug finder. With the provision of custom injection lists, one can intercept and replay web requests.

https://addons.mozilla.org/en-US/firefox/addon/injector/

User-Agent Switcher and Manager

This is among the coolest ones. You can spoof your user-agent so that it becomes impossible for websites to know specific details about our browser , thus protecting your identity and it also unlocks other utilities like some websites can be made to load much faster if you spoof your user-agent with a mobile device.

https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher/

Easy XSS

Its a simple to use plugin. It provides you with a menu of various xss payloads. With just one click it gets copied to clipboard and now all we have to do is to paste it in the desired input tag.

https://addons.mozilla.org/en-US/firefox/addon/easy-xss/

Wappalyzer

While doing web app pentesting, its necessary to know the technologies and the software used in building the app and of course the version also. With wappalyzer, it can all be done with single click.

https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/

BuiltWith

Its used in finding the technologies used behind a Web application. If Wappalyzer, misses something out, it can be verified with Buildwith.

https://addons.mozilla.org/en-US/firefox/addon/builtwith/

Web developer

It provides an interface to inspect the HTML, CSS , script code for the web page. You can also edit the code and it will display the current output.

https://addons.mozilla.org/en-US/firefox/addon/web-developer/?src=search

Tor browser

Thats the first thing which pops up in mind when we are talking about online privacy,anonymity and encryption. It’s a modified version of Firefox and it comes with pre-installed privacy add-ons, encryption and an advanced proxy.

https://www.torproject.org/

Tamper Data for FF Quantum

– Monitor live requests
– Edit headers on live requests
– Cancel live requests
– Redirect live requests

Usage: Click the blue cloud in the toolbar to start tampering. When you’re done, click it again to stop.

https://addons.mozilla.org/en-US/firefox/addon/tamper-data-for-ff-quantum/

uBlock Origin

An efficient blocker which at the same time is soft on CPU and memory. It can load and enforce thousands more filters than other popular blockers out there.
Usage: The big power button in the popup is to permanently disable/enable uBlock for the current web site. It applies to the current web site only, it is not a global power button.

https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/

NoScript Security Suite

This tool allows potentially malicious web content to run only from sites trusted by you. This tool also protects you from attacks like XSS and other web exploits. Its more of defensive rather than offensive tool, still worth trying.

https://addons.mozilla.org/en-US/firefox/addon/noscript/

anonymoX

AnonymoX is an initiative for anonymization on the internet. The aim is to restore the users right of anonymity in the web. Most websites monitor the behaviour of their users, giving the websites hosts the ability to analyze the general users behaviour and create detailed user profiles, which are frequently sold to third parties.

A threat for freedom of speech on the internet manifests in the repression through federal or private organizations. More and more governments censor websites with the excuse of child safety, copyright infringement or the fight against terrorism and thereby limit the freedom of speech.

Easy anonymous web browsing.

– Change your IP-Address and country

– Visit blocked or censored websites.

– Delete cookies, show your public ip, and more

https://addons.mozilla.org/En-us/firefox/addon/anonymox/?src=collection&collection_id=0ec8ac59-73ee-422b-9828-1002ac75369f

The post Best Firefox Addons for Hacking appeared first on Armour Infosec.

John the Ripper

John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version. John the Ripper homepage.

THC Hydra

When you need to brute force crack a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more.

 Hping

hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping(8) unix command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.

 Nmap

Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

Ncat

Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project and is the culmination of the currently splintered family of Netcat incarnations. It is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless number of potential uses.

Wireshark

Wireshark is the world’s foremost network protocol analyzer. It lets you see what’s happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.

ettercap

Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.

Nikto2

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Kismet

Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and (with appropriate hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet also supports plugins which allow sniffing other media such as DECT.

w3af

w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.

Burp Suite

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Sqlmap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

WebScarab

WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.

Metasploit

Metasploit simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners. This helps prioritize remediation and eliminate false positives, providing true security risk intelligence.

The post Best free hacking tools appeared first on Armour Infosec.

http://www.yougetsignal.com/tools/web-sites-on-web-server

The port forwarding tester is a utility used to identify your external IP address and detect open ports on your connection. This tool is useful for finding out if your port forwarding is setup correctly or if your server applications are being blocked by a firewall

http://www.yougetsignal.com/tools/open-ports

The reverse e-mail lookup allows you to quickly find where an e-mail originated from.

http://www.yougetsignal.com/tools/reverse-email-lookup

This tool performs a WHOIS lookup on a remote address. A WHOIS lookup can help determine the owner of a domain name or an IP address on the Internet.

http://www.yougetsignal.com/tools/whois-lookup

The complete free set of network troubleshooting domain testing tools that just work.

DNS Tools:- DNS Lookup, DNS Traversal, DNS Tracer (DNS Traceroute), DNS Blacklist Check (arbl), DNS Recon, Reverse DNS Lookup / Scan, DNS Server Fingerprint.

Network / Internet Tools:- Port Scan (nmap), Trace Route, Tracepath, NetBIOS Scan/Check, Wake On Lan, CIDR/Netmask Calculator, NTP Server Test, MX Records Retriever

Web / HTTP Tools:- SSL Certificate Info, HTTP Header Retrieval, Plain Text WEB/URL Browser, HTTPRecon (HTTP Fingerprinting), Meta Tags Retriever, URL Encode / Decode, RAW URL Encode / Decode, Base64 Encode / Decode

Database Lookups:- RFC Lookup, MAC Address Lookup, Default Password Lookup, Abuse Contact Lookup, IP/Host Locater, WhoIS Lookup

Ping Tools:- Ping, PathPing, TCPing, Ping-Row

https://w3dt.net/

intoDNS checks the health and configuration of DNS and mail servers.

http://www.intodns.com/

Web technology information profiler tool. Find out what a website is built with.

http://builtwith.com/

Domain information, whois & dns report

http://www.domaincrawler.com/

Research domain ownership with Whois Lookup: Get ownership info, IP address history, rank, traffic, SEO & more. Find available domains & domains for sale.

http://www.domaintools.com/

Find information on any domain name or website. Large database of whois information, DNS, domain names, name servers, IPs, and tools for searching and monitoring domain names

http://www.who.is/

Secure Domain Name Searches, Registration & Availability. Use Our Free Whois Lookup Database to Search for & Reserve

https://www.whois.net/

online tools for the daily administration of networks.

http://en.dnstools.ch/

Free online network tools, including traceroute, nslookup, dig, whois, ping, and our own Domain Dossier and Email Dossier. Works with IPv6. Some source code included.

http://centralops.net/co

DNS tools, Network tools, Email tools, DNS reporting and IP information gathering. Explore monitoring products and free DNS tools at DNSstuff.

http://www.dnsstuff.com/

Research domain ownership with Whois Lookup: Get ownership info, IP address history, rank, traffic, SEO & more. Find available domains & domains for sale.

http://whois.domaintools.com/

View IP information

https://geoiptool.com/

Internet Archive is a non-profit digital library offering free universal access to books, movies & music, as well as 436 billion archived web pages.

https://archive.org/index.php

The most comprehensive people search on the web. Pipl finds high-quality results in pages that cannot be found on regular search engines. Free People Search.

https://pipl.com/

Find people free with Zabasearch directory engine that includes free people search, reverse phone number lookup, address lookup, and more.

http://www.zabasearch.com/

TinEye is a reverse image search engine. Search by image: Give it an image and it will tell you where the image appears on the web.

https://www.tineye.com/

Find search engines from the UK, USA, and many other countries.

http://www.searchenginecolossus.com/

Zuula is an innovative Internet search service that gives its users quick access to web, image, news blog and job search results from all the major search engines.With Zuula, users have the ability to get search results from their favorite search engine, such as Google or Yahoo!, but they also have one-click access to search results from a number of other search engines.

http://zuula.com/

Reverse IP Lookup & Domain Check DNS Tool by myIPneighbors to find all domains hosted on an IP address by domain or IP address.

http://www.myipneighbors.com/

The post Online Information Gathering Tools appeared first on Armour Infosec.

Operating System Security

Operating System is the important program that runs in the computer. It performs basic tasks like recognizing the input from the keyboard, controlling various files and directories in the hard disk and also various peripheral devices like printers, scanners etc…It will control the program in such a way that they do not mix & merge with one another. It is responsible for securing the system by not allowing the unauthorized users to access the system.

Need for securing the Operating System

The security of the operating system running on various PC’s, plays an important role in securing the network as a whole. Updating each computer system is mandatory for the efficient and effective working and for the security of systems in the network. Today we have a highly sophisticated operating system with lots of features, but it may be vulnerable if they are not administered, configured and monitored properly. Sometimes updating the operating system with latest patches may lead to interoperability issues with other operating systems. Hence proper care should be taken while updating the operating system.

Securing the Operating System

1. Update OS: It is important to install latest patches that are available for operating system. You need to update them regularly to prevent malware coming into your computer. Enable automatic updates for your OS or you can also update manually going to website like Microsoft and check for your OS updates which are available.

2. Install an antivirus product and keep up to date: Viruses, worms and other malware are some of the most prolific problems on the internet today. But the same time, there are some good antivirus applications that provide a great deals and more protection than just searching for viruses. However, any antivirus product is only good if you keep it up-to-date and scan your system regularly.

3. Enable Computer Firewall: Like antivirus products, Firewall products are designed to protect your system from Internet threats like hackers, viruses, and worms by filtering out any suspicious communications sent to your computer.

4. Use Strong Passwords: Passwords control access to files, programs, computers, hard drives and networks. They also deny access to unauthorized users. Poorly chosen passwords make it easier to break into your computer systems and expose to malicious attacks. In general, set up passwords and keep them secret never share it with others.

Physical Security of PC

The first step in security is considering the physical security of the PC. Maintenance of physical security depends on the location and the budget. The second step is the factors related to physical stability that include the power supply, physical location of the computer, room temperature, etc. Failure of anyone of the above said factors leads the computer into risks. There is a good chance that your home PC is one of the most expensive things in your home, or if you have got a laptop, it is likely to be the most expensive thing you carry in a bag. Although your insurance policy may cover the costs of replacing hardware if it’s stolen, there is nothing that money can do to retrieve precious or personal data. So physical security is as important as software security.

Computer locks

Nowadays PCs are available with a locking feature, which contains a socket in front of the case to unlock and lock the case. This helps us to prevent unauthorized users from gaining access to the hardware of the PC, and also it prevents them from booting the system with their own floppy or hardware.

BIOS Security

BIOS (Basic Input Output System) are built in software, which describes what a computer can do without accessing the programs on the disk. It contains a code which can control the keyboards, monitor, serial and parallel communications and some other functions. BIOS comes with a ROM chip in the computer which ensures that it will not be affected in case of disk failures. Setting BIOS password prevents the unauthorized users from rebooting and manipulating the system. This provides a low level of security as someone can disconnect the batteries and access the BIOS with manufacturer default passwords. However it takes some time for unauthorized users to open case and accessing BIOS, which leaves some traces of tampering.

The post How to Secure Your PC appeared first on Armour Infosec.

Shoulder Surfing

One way of stealing the password is standing behind an individual and over look their password while they are typing it (Shoulder Surfing). Shoulder Surfing is a direct observation technique, such as looking over someone’s shoulder, to get passwords, PINs, other sensitive personal information and even listening while conversation if you give your credit-card number over the phone. Shoulder surfing is easily done in crowded places. It’s comparatively easy to stand next to someone and watch as they fill up a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. It can also be done during long distance with the help of binoculars or other vision-enhancing devices. Your confidential information will be at risk if your passwords are observed by Shoulder Surfers. They can use your password information for logging into your account and they may do harm to your information.

 How to prevent it?

 Be aware of Shoulder Surfers at public places or schools while you are entering your passwords into the login accounts.

• Do not reveal your passwords in front of others or type your usernames and passwords before any unauthorized persons.
• Cover the keyboard with paper or hand or something else so that it cannot b seen by any unauthorized person.

Brute force attacks

Another way of stealing the password is through guess. Hackers try all the possible combinations with the help of personal information of an individual. They will try with the person’s name, pet name (nick name), numbers (date of birth, phone numbers), school name…etc. When there are large number of combinations of passwords the hackers uses fast processors and some software tools to crack the password. This method of cracking password is known as “Brute force attack”.

Dictionary attacks

Hackers also try with all possible dictionary words to crack your password with the help of some software tools. This is called a “Dictionary attack”.

Sharing your passwords with strangers

Sharing the passwords with the unknown persons (strangers) may also lead to loss of your personal information. They can use your login information and can get the access to your information. The operating system does not know who is logging into the system, it will just allow any person who enters the credential information into the login page. The personslike strangers after getting access to your information they can do anything with it. They can copy, modify or delete it.

Sharing your passwords with strangers

Sharing the passwords with the unknown persons (strangers) may also lead to loss of your personal information. They can use your login information and can get the access to your information. The operating system does not know who is logging into the system, it will just allow any person who enters the credential information into the login page. The personslike strangers after getting access to your information they can do anything with it. They can copy, modify or delete it.

Possible Vulnerabilities are

• The passwords could be shared with other person and might get misused.
• The passwords can be forgotten.
• The Stolen passwords can be used by unauthorized user and may steel your personal information.

Good Password

• Use at least 8 characters or more to create a password. The more number of characters we use, the more secure is our password.
• Use various combinations of characters while creating a password. For example, create a password consisting of a combination of lowercase, uppercase, numbers and special characters etc..
• Avoid using the words from dictionary. They can be cracked easily.
• Create a password such that it can be remembered. This avoids the need to write passwords somewhere, which is not advisable.
• A password must be difficult to guess.
• Change the password once in every 2 weeks or when you suspect someone knows the password.
• Do not use a password that was used earlier.
• Be careful while entering a password when someone is sitting beside you.
• Do not use the name of things located around you as passwords for your account.

Check your  strength of password online

The post Secure Your Passwords appeared first on Armour Infosec.