Password Attacks Lab - Hard

Im stuck on the final assessment of the password attacks module,

So far ive been brute forcing rdp with hydra using Johanna username using the mutated password list.

Ive bruteforced Johanna few times and each time so far its given me a different password for Johanna. Guess its giving false positives. If anyone has completed this module appreciate some help or hints.

Use crackmapexec instead of hydra.

OK ill try that

Hello, everyone. I have been stuck at the hard lab for more than a day. The description of the task says that Johanna is present on very many hosts, but the network hosts are quite different every time when resetting the target. In that case, I guess passing her password to other hosts may not be the solution here. I was able to find the password of Johanna and RDP to the given host, but I am stuck accessing the content of the L****.k*** file. I was trying to crack it using different passwords lists including the mutated one and rockyou but no results. Could someone, please, provide a hint of what wordlist to use?

You need to use hashcat to crack the hash using mode 13400. Also you need to use the full blown mutated password and you should be able to crack the password really quick. Let me know if that works for you.

crowbar is much faster for me bruteforcing RDP. crowbar -b rdp -s -u johanna -C <full-mutated-password-list

1 Like

I used hashcat with the mode and the mutated password list (that was generated using the provided password list and custom rule), but no results. I used keepass2john to extract the hash of the master password of the file.

I honestly don’t know why its not working for you. But try and edit the hash file before cracking it. When you convert the Logins.kdx using ssh2john, you get something like this : xxxxxx:$keepass$26000222a279e37c38b0124559a83fa452a0269d56dc4119a5866d18e76f.

Try and remove the xxxxxx. in that example and let your file hash value start with $keepass$2…, Save it and then bruteforce it with the largest mutated password you generated using the custom rule.

Just crack it with john
John - - wordlist=mutated.List hash.file

I tried everything you say, I just wanted to know whether I am using the right wordlist, it seems yes. I used keepass2john as this is a KeePass file (I cannot use ssh2john for this). I guess the hash has changed on the target, will try to figure it out. Thanks anyway.

Previously, I was using RDP and FTP to get the file to my machine, and the hash was ending with be2f2f1018523c06573b5. I got a different hash when I downloaded the file via WinRM. I don’t understand why, but I was able to crack this hash.

Are you trying to crack it with John or hashcat. Sometimes when things like this happen, you need to start with a clean slate. I mean delete the mutated password, delete all records in john and hashcat .pot file. Now let’s go back and generate a new mutated passwords, use keepass2john Logins.kdbx > tocrack.txt, From there you will then crack the hash. The main reason I like hashcat is that it cracks my hashes faster than john. Make sure you using the right mode if you using Hashcat. I will also check if the password found is in rockyou.txt, that way you can use it, just in case something is not right with your mutated password.

I was using the right mode and configurations for the tools. This was not caused because of the list or the tools. As I mentioned, the hash values were different. That was all. Thanks.

Hey dude, I am having the same issue as you. The hash on the windows file is different from the transferred file on my attacking machine. I transferred file via ftp and via smb impacket smbserver i opened up to the target.

The smb upload does not work need permissions :sweat_smile:

Were you able to finish the hard lab?

Hey guys! Found the B*****.v** file and ran it through John to get a password (1******!)
but now I’m stuck. Been trying to mount it it just won’t work. Any hints?

1 Like

For anyone struggling with this:

1 Like

I used WinRM to download the file, this method worked.

1 Like

Dude, how did you get WinRM to work if the port is not opened nor you do not have admin access to turn it on? I’ll have to look at this to transfer the file. The mounting bit locker might be the way for me.

Thanks for the help. I’ll take a look. :smiley:

I used WinRM to download the KeePass file. For the VHD I used smbclient.

1 Like

Thank you, I did this. Not i am just having issues with that vhd file. Not sure what do to with from here. :thinking: :sweat:


I mounted the VHD and got the information. I am done with this mod lolz. Lets goooooo. Thanks for the help y’all :star_struck: