Red Team's Week 6 meeting followed TryHackMe's Password Attacks room in the Initial Access section of the Red Teaming path, focusing on password-cracking tools and how they are used.
Wordlists are a fundamental part of password cracking, since they supply the candidate passwords to try when attempting to crack one.
The completeness and quality of a wordlist determine how successful it is. The famous rockyou.txt, for example, comes from the 2009 breach of RockYou, which stored its users' passwords in plaintext, so the file contains real passwords that people actually chose. RockYou did not enforce any complexity requirement, so the overwhelming majority of entries are short, all-lowercase words or digit strings, and the list as provided fares poorly against most modern password policies.
Tools like GitHub user shroudri's username_generator can be used to build wordlists of likely usernames for a target from whatever data is available and from common username formats (first.last, flast, and so on). This is a good place to start if usernames on the system are not readily known.
While many wordlists of common or likely passwords are readily available online, an attack can be made far more focused with a custom wordlist suited to a specific target.
Tools like CeWL can be used to scrape a website for words relevant to a business that may have influenced an insecure password, such as a Chipotle employee choosing burrito1 or sofritasandguac.
GitHub user Mebus's CUPP (Common User Passwords Profiler) takes known information about an individual into account and generates likely simple passwords from a person's name, birthday, pets, partner, children, and so on, combined with common suffixes.
A wordlist's quality must be judged against the given target. As mentioned above, the passwords in rockyou.txt mostly lack special characters, so on its own the list would be ineffective against a policy requiring one; it has to be filtered, or combined with mangling rules (capitalisation, appended digits and symbols), to fit.
Often, if available, a site's user registration page will state its password requirements, so you can tailor your wordlist to the length constraints and character sets and drop candidates that could never have been accepted.
crunch is one such tool for generating a wordlist of every possible string over a given character set and min/max length. Be aware that the output grows exponentially with length, so exhaustive lists are only practical for short passwords or small character sets, which is why targeted wordlists plus mangling rules are usually preferred.
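As an added example (not part of the TryHackMe room, and not code from CeWL, CUPP or crunch), the script below shows what "tailoring a wordlist to a policy" looks like in practice: it takes a handful of constructed base words of the kind CeWL would scrape from a restaurant's site, applies simple mangling rules (case changes, leetspeak, two-word concatenation, common suffixes), and keeps only candidates that satisfy an assumed policy read off a registration page. The base words, the suffix list and the policy values are all assumptions made for the example.

```python
import itertools
import re

# Constructed base words, the kind CeWL would scrape from a company website
# or CUPP would derive from a target's profile. Not real data.
BASE_WORDS = ["burrito", "sofritas", "guac", "chipotle"]

# Assumed policy, e.g. read off a registration page: 8-16 characters with at
# least one uppercase letter, one digit and one special character.
POLICY = {"min_len": 8, "max_len": 16, "upper": True, "digit": True, "special": True}

# Common leetspeak substitutions and suffixes people append to a base word.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "1", "123", "2023", "2024", "!", "1!", "!1", "#"]


def meets_policy(pw: str, policy: dict = POLICY) -> bool:
    """Return True if pw satisfies every rule enabled in policy."""
    if not policy["min_len"] <= len(pw) <= policy["max_len"]:
        return False
    if policy["upper"] and not re.search(r"[A-Z]", pw):
        return False
    if policy["digit"] and not re.search(r"\d", pw):
        return False
    if policy["special"] and not re.search(r"[^A-Za-z0-9]", pw):
        return False
    return True


def mangle(word: str):
    """Yield case and leetspeak variants of a single base word."""
    yield word.lower()
    yield word.capitalize()
    yield word.upper()
    yield word.lower().translate(LEET)
    yield word.capitalize().translate(LEET)


def generate_candidates(base_words, policy: dict = POLICY) -> list[str]:
    """Build a policy-compliant wordlist from base words.

    Single words are mangled, pairs of base words are concatenated
    (burrito + guac -> burritoguac), and every stem gets each suffix.
    Candidates are then filtered through meets_policy so the list contains
    nothing the target would have rejected at registration time.
    """
    stems = set()
    for w in base_words:
        stems.update(mangle(w))
    for a, b in itertools.permutations(base_words, 2):
        stems.add(a + b)
        stems.add(a.capitalize() + b.capitalize())

    seen = set()
    out = []
    for stem in sorted(stems):
        for suffix in SUFFIXES:
            cand = stem + suffix
            if cand not in seen and meets_policy(cand, policy):
                seen.add(cand)
                out.append(cand)
    return out


if __name__ == "__main__":
    wordlist = generate_candidates(BASE_WORDS)
    print(f"{len(wordlist)} candidates survive the policy filter")
    print("\n".join(wordlist[:10]))
```

Note that "burrito1" itself is dropped because it has no uppercase letter or special character, while "Burrito1!" survives: the filter is what turns a generic list into one that only spends cracking time on passwords the site could actually have accepted.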
If a password is only known in hashed form, it may still be possible to recover it. A hash is a one-way operation and cannot be reversed, but an unsalted hash of the same password is identical every time, so we can hash candidate passwords ourselves and compare the results against the target.
For a simple hash of a common password, you can often just look it up to find what hashes to it, either on Google or in a dedicated hash lookup service such as Hashes.com or GromWeb.
You can also hash many candidates automatically, such as every entry in a wordlist, until one matches, using tools like John the Ripper or Hashcat; both support mangling rules that expand each word into many variants.
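The two approaches above (a precomputed lookup table and a dictionary attack) come down to the same operation, shown here as an added example that is not part of the TryHackMe room and is not how Hashcat, John or the lookup sites are implemented. The "leaked" hashes are constructed in the script from known plaintexts so that it runs offline; the miniature wordlist, the usernames and the length-based algorithm guess are assumptions for the example.

```python
import hashlib

# Constructed miniature wordlist; in practice this is rockyou.txt or a
# CeWL/CUPP output, read line by line.
WORDLIST = ["password", "burrito1", "sofritasandguac", "Chipotle2024!", "guac"]

# Hex digest length -> algorithm, the same heuristic hash-identifier tools
# use for unsalted hashes. It is only a guess: many algorithms share a length.
HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed "leaked" hashes, computed here from known plaintexts so the
# example is self-contained. In an engagement they come from a dump.
LEAKED = {
    "alice": hashlib.md5(b"burrito1").hexdigest(),
    "bob": hashlib.sha1(b"sofritasandguac").hexdigest(),
    "carol": hashlib.sha256(b"Chipotle2024!").hexdigest(),
    "dave": hashlib.sha256(b"not-in-the-wordlist").hexdigest(),
}


def guess_algorithm(digest: str):
    """Guess the hash algorithm from the hex digest length, or None."""
    return HASH_BY_LEN.get(len(digest))


def build_lookup(wordlist, algorithm: str) -> dict:
    """Precompute digest -> plaintext for one algorithm.

    This is the idea behind sites like Hashes.com: hash every common password
    once and answer queries by dictionary lookup instead of re-hashing. It
    only works because an unsalted hash of a given password never changes.
    """
    table = {}
    for word in wordlist:
        table[hashlib.new(algorithm, word.encode()).hexdigest()] = word
    return table


def crack(leaked: dict, wordlist) -> dict:
    """Dictionary attack: return {user: plaintext} for every hash recovered."""
    tables = {}
    found = {}
    for user, digest in leaked.items():
        digest = digest.lower()
        algorithm = guess_algorithm(digest)
        if algorithm is None:
            continue  # unknown length: not one of the unsalted formats handled here
        if algorithm not in tables:
            tables[algorithm] = build_lookup(wordlist, algorithm)
        if digest in tables[algorithm]:
            found[user] = tables[algorithm][digest]
    return found


if __name__ == "__main__":
    for user, pw in crack(LEAKED, WORDLIST).items():
        print(f"{user}: {pw}")
    # dave's password is not in the wordlist, so it is simply not recovered
```

Two caveats a practitioner should keep in mind: the digest-length guess is only a starting point (a 32-character hex string could be MD5, NTLM or several others), and a per-user salt defeats the shared lookup table entirely, since the same password then hashes differently for every user and each hash has to be attacked individually with the salt included.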
It's also worth considering where plaintext passwords may be found.
All too commonly you can find passwords simply written on a sticky note on someone's desk or laptop, and a router may still have its factory default password set and printed on the device.
Sometimes a computer must store passwords in a recoverable (decryptable) form. Password managers such as the one built into Chrome will display saved passwords when given the local user account's credentials, and the Windows network settings will show the security key of a saved Wi-Fi network to a local user.