Contact us:

Custom Rules for John the Ripper

Published: 06 August 2021    Last Updated: 03 November 2022

Whilst Hashcat is often provable faster than John the Ripper, John is still my favourite. I find it simple to use, fast and the jumbo community patch (which I recommend highly) comes packed with hash types making it a versatile tool.

One of the features of these tools, which is often unknown or at least under appreciated is the ability to create custom “rules” for teaching the tool how to dynamically generate potential passwords. Since Microsoft implemented “Password Complexity” and this was enforced around the globe, user have made the jump from a password of: password, to the [sarcasm] much more secure [/sarcasm]: Password1.

Continue Reading

Extracting Domain Hashes: VSSAdmin

Published: 19 October 2020    Last Updated: 03 November 2022

We covered extracting domain hashes with Mimikatz previously, but that's not always the best approach - for example where anti-virus is getting in the way. However there are other options for the same goal. This time around we'll take a look at using Vssadmin, a built-in Windows tool. VSSAdmin is the Volume Shadow Copy Administrative command-line tool and it can be used to take a copy of the NTDS.dit file - the file that contains the active directory domain hashes.

Continue Reading

Hashcracking with AWS

Published: 19 October 2020    Last Updated: 03 November 2022

Password cracking is a common step during compromising networks, from cracking wireless networks to compromising user passwords captured when LLMNR spoofing. In a previous post, I showed the steps to capture a WPA handshake and crack it using Hashcat. On my tiny travel laptop I achieved 416 hashes per second, which is…slow. AWS offers “GPU Optimized” EC2 instances which can offer a significant speed increase. 

In this post we'll run through setting up Hashcat on an AWS instance to allow for rapid password cracking. These instances are pricey, but you often only need to run them for short bursts.

Continue Reading

Extracting Domain Hashes: Mimikatz

Published: 14 October 2020    Last Updated: 03 November 2022

We previously covered how to perform incredibly fast hashcracking with AWS. In this post we’ll take a step back, and look at one simple method to extract the hashes from a domain controller. To be clear, this is a post exploitation step and to perform these steps a domain administrator account will be needed.

There are several tools which can be used to extract hashes directly on a domain controller, such as fgdump or Meteterpreter’s hashdump too. However, Mimikatz can perform this step from any domain joined machine, which is a little easier and often a benefit when it comes to antivirus evasion steps.

Continue Reading