Password Attacks & Privilege Escalation
60 min
Password Attack Techniques
PASSWORD ATTACK TYPES
──────────────────────────────────────────────────────
Brute Force → Try ALL combinations; slow but exhaustive
Dictionary → Try words from wordlist (rockyou.txt)
Rainbow Tables → Pre-computed hash tables; fast lookup
Credential Stuffing → Use leaked credentials from other breaches (automated at scale)
Pass-the-Hash → Use NTLM hash directly without cracking
Kerberoasting → Request AD service tickets, crack offline
──────────────────────────────────────────────────────
Password Cracking Tools
- Hashcat — GPU-accelerated; fastest cracker. 100+ hash modes.
- John the Ripper — CPU-based; good for quick cracks
- Hydra/Medusa — Online brute force (SSH, FTP, HTTP login)
- CrackStation/HashKiller — Online lookup databases
HASHCAT EXAMPLES
──────────────────────────────────────────
hashcat -m 0 hashes.txt rockyou.txt # MD5 dictionary attack
hashcat -m 1800 hashes.txt rockyou.txt # sha512crypt attack
hashcat -m 1000 hashes.txt -a 3 ?a?a?a?a?a # NTLM brute force 5 chars
──────────────────────────────────────────
Linux Privilege Escalation
After gaining initial access as a low-privileged user, escalate to root:
- SUID/SGID binaries — Find binaries with setuid bit:
find / -perm -4000 2>/dev/null
- Sudo misconfigurations — sudo -l to see allowed commands; GTFOBins for exploitation
- Kernel exploits — Old kernels (DirtyCow, etc.)
- Cron jobs — Writable scripts run as root
- PATH hijacking — Writable path directories before system directories
Windows Privilege Escalation
- Unquoted service paths — Services with spaces in path without quotes
- Weak service permissions — Modify service binaries
- AlwaysInstallElevated — MSI files run as SYSTEM
- Token impersonation — JuicyPotato, PrintSpoofer, RoguePotato