Table of Contents
- Default Passwords
- Hash Types
- Hash Generator
- Extracting Hash
- Wordlists
- Generate wordlists
- Cracking Passwords
- Password Spray Attack / Reverse Brute Force Attack
- Reference
See also Pass-the-Hash.
Default Passwords

Look into the product’s documentation.
- RoutersPasswords – Routers
- Cirt – All
Hash Types
- hash-identifier
- Name-that-hash
- Hash Analyzer (online)
hashid – Already in Kali Linux
hashid 'd8e8fca2dc0f896fd7cb4cb0031ba249'
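The tools above decide the type from a prefix (modular-crypt formats), from the record layout (pwdump style `user:rid:LM:NT:::`) or, for bare hex, only from the digest length. The following function reproduces that logic for the most common cases; it is an added example, not code from hashid or from this page, and the pwdump sample in the test is constructed.

```python
import re

# Modular-crypt-format prefixes: the prefix names the algorithm unambiguously.
PREFIXES = {
    "$1$": "MD5-crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "SHA-256-crypt",
    "$6$": "SHA-512-crypt",
    "$argon2i$": "Argon2i", "$argon2id$": "Argon2id",
}

# Bare hex digests carry no algorithm tag; only the length is known, so
# every algorithm producing that length is a candidate (hashid does the same).
HEX_CANDIDATES = {
    32: ["MD5", "NTLM", "LM", "MD4"],
    40: ["SHA-1", "RIPEMD-160"],
    56: ["SHA-224"],
    64: ["SHA-256", "SHA3-256"],
    96: ["SHA-384"],
    128: ["SHA-512", "SHA3-512", "Whirlpool"],
}

# Well-known LM and NT hashes of the empty password. An LM field equal to
# EMPTY_LM means LM storage is disabled on that account (a hardening check).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump / Mimikatz style record: user:rid:LM:NT:::
PWDUMP_RE = re.compile(r"^[^:]+:\d+:([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def identify_hash(token: str) -> list[str]:
    """Return the candidate hash types for one hash string, most likely first."""
    token = token.strip()
    for prefix, name in PREFIXES.items():
        if token.startswith(prefix):
            return [name]
    m = PWDUMP_RE.match(token)
    if m:
        lm, nt = m.group(1).lower(), m.group(2).lower()
        tags = ["pwdump record (LM:NT)"]
        tags.append("LM disabled" if lm == EMPTY_LM else "LM hash present")
        if nt == EMPTY_NT:
            tags.append("empty password")
        return tags
    if HEX_RE.match(token):
        return list(HEX_CANDIDATES.get(len(token), ["unknown hex digest"]))
    return ["unknown"]
```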
Hash Generator
Extracting Hash
- Mimikatz – dump hashes from memory on a Windows machine
- Dump memory on a Linux machine
Wordlists
Usernames
| Wordlist | Source | Description |
|---|---|---|
| names.txt | SecLists | |
| top-usernames-shortlist.txt | SecLists | |
| cirt-default-usernames.txt | SecLists | |
| xato-net-10-million-usernames.txt | SecLists | LOWERCASE, APPLY RULES. The Xato database is a collection of compromised passwords obtained through various data breaches and leaks. |
| xato-net-10-million-usernames-10000.txt | GitHub | Top 10,000 entries of the xato-net-10-million-usernames.txt file. On GitHub, from Lisandre.com. |
| unix_users.txt | Metasploit | Kali Linux: /usr/share/metasploit-framework/data/wordlists/unix_users.txt |
Passwords
- In Kali: /usr/share/wordlists
- In Kali: /usr/share/seclists – SecLists on Github
| Wordlist | Source | Description |
|---|---|---|
| rockyou.txt.tar.gz | SecLists | Passwords from leaked database, 2010. Also included in Kali Linux: /usr/share/wordlists/rockyou.txt.gz |
| best1050.txt | SecLists | |
| xato-net-10-million-passwords-10000.txt | SecLists | LOWERCASE, APPLY RULES. The Xato database is a collection of compromised passwords obtained through various data breaches and leaks. Top 10,000 most common passwords; represents 99.8% of all user passwords when ignoring case (Wired). |
| Top304Thousand-probable-v2.txt * | GitHub | |
| richelieu-french-top20000.txt * | SecLists | Most common French passwords. Based on well-known public data leaks in France (“.fr” email addresses). |
| quebec.txt | GitHub | Breaches of Quebec companies/institutions |
| lang-french-full.txt lang-french-small.txt | SecLists | French dictionary |
| lang-english.txt | SecLists | English dictionary |
| nerdlist.txt | GitHub | Common passwords for geeks or admin |
| Security-Question-Answers | SecLists | Many files like cities, dates, streets, zip codes, etc. |
| RockYou2021.txt * | GitHub | HUGE: 82 billion unique entries, a combination of all passwords (6-20 chars) |
| Crackstation | Crackstation | |
| Weakpass * | Weakpass | Repository of wordlists |
| Wordlists | GitHub | Repository of wordlists (Lisandre.com) |
| Passwords * | SkullSecurity | Repository of wordlists |
rockyou.txt
Passwords from leaked database, 2010.
wget https://github.com/danielmiessler/SecLists/raw/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz
gunzip -dk rockyou.txt.tar.gz
tar xvf rockyou.txt.tar
Kali Linux
This wordlist comes with Kali Linux. Uncompress it.
cd /usr/share/wordlists/
sudo gunzip -dk rockyou.txt.gz
Some tools require a UTF-8 version of rockyou. Convert it to UTF-8.
iconv -f ISO-8859-1 -t UTF-8 /usr/share/wordlists/rockyou.txt > rockyou_utf8.txt
Fuzzing
- big-list-of-naughty-strings.txt (SecLists on GitHub)
- 0xquad (GitHub)
- special-chars.txt (SecLists on GitHub)
- alphanum-case-extra.txt (SecLists on GitHub)
Generate wordlists
- Hashcat
- CeWL – Generate wordlist from a website
- Cupp – Common User Password Profile
- Crunch
- John the Ripper (JtR)
- Twofi – Generate wordlist from a Twitter account
- wlgen
- psudohash – Generate wordlist based on a word and common patterns
Generate dates
Adjust the start date and number of days as needed.
for i in $(seq 0 364); do date -d "2026-01-01 +$i day" +%Y%m%d; done
Generate a list based on a regular expression
sudo pip3 install exrex
exrex "(/v[12])?(/(api|swagger|openapi))?/(api-docs(\.json)?|swagger(-ui(-openapi)?)?\.html|openapi\.html)"
exrex "(A|a)lice(\d)?@(B|b)ob(\d)?"
Cracking Passwords
Online Attack
Offline Attack
- Crackstation – many hash types
- Hashes.com – MD5, SHA-1, Vbulletin, Invision Power Board, MyBB, Bcrypt, WordPress, SHA-256, SHA-512, MYSQL5 and more
- Reverse Hash Calculator – MD5, SHA1 (max 20/hour)
- Online Domain Tools – MD5, SHA1, SHA-256, LM, NTLM
- Crackpot from Offensive Security – NOW DOWN 🙁
- Hashcat
- John the Ripper (JtR)
- FCrackzip – Crack passwords of PKZIP files
- PDFCrack
Password Spray Attack / Reverse Brute Force Attack
Try the same common password against many accounts, bypassing account lockout.