Get Even More Visitors To Your Blog, Upgrade To A Business Listing >>

Cheat Sheet How to pass the OSCP Offensive Security Certified Professional Exam Step-by-Step Guide- Directory/Service Brute Forcing – PART 3

Directory Brute Forcing and Service Brute Forcing

The OSCP exam will almost certainly have a service that you can Brute force a local or admin account on, there will also be webservers that will have unlinked content that you can find such as password files, user accounts and developer portals that provide easy access.

You will need to gather wordlist files to perform these activities, links are provided at the bottom of this section for download.

DirBuster

This is a gui based directory Brute Forcing application that can be very quick if your system can support it.

Image result for dirbuster

A command line version that is very powerful is “dirb”

[email protected]:~/oscp/# dirb http://192.168.1.101/root/oscp/dirbuster/common.txt

—————–
DIRB v2.22
By The Dark Raver
—————–

URL_BASE: http://192.168.1.101/
WORDLIST_FILES: /root/oscp/dirbuster/common.txt

—————–

GENERATED WORDS: 1942

—- Scanning URL: http://192.168.1.101/ —-
==> DIRECTORY: http://192.168.1.101/assets/
==> DIRECTORY: http://192.168.1.101/passwords/

Brute forcing services:

Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at http://www.thc.org/thc-hydra
Don’t use in military or secret service organizations, or for illegal purposes.

Supported services: asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

[email protected]:~/oscp/# hydra -L /root/oscp/dirbuster/big.txt -P /root/wordlist/500-worst-passwords.txt ssh://192.168.1.101

hydra -l admin -P /usr/share/wordlists/rockyou.txt -o results.txt ssh://10.0.0.1

[email protected]:~# medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ssh

Crack Passwords (hydra/THC bruter)
(need mil-dict.txt from Milw 0rm – cracked hashs)

FTP – hydra -l -P mil-dic.txt -f ftp -V

POP3 – hydra -l -P mil-dict.txt -f pop3 -V (may need to use -t 15 to limit concurrent connections)

SNMP – hydra -P mil-dict.txt -f -V

MS VPN – dos2unix words (whatever word list) cat words | thc-pptp-bruter VPN server

Wordlist

http://www.packetstormsecurity.org/Crackers/wordlists/
http://www.theargon.com/achilles/wordlists/
http://www.openwall.com/wordlists/
http://www.outpost9.com/files/WordLists.html

I like to keep 3 size word lists:

1. small and fast: usually based on the output of one of the tools i’m about to tell you about

2. medium: this is my custom list that I add passwords I find / crack and generally think are good to add. I’m pretty picky about what goes into this list

3. huge: any wordlist I come across gets added to this list, it gets sorted and uniqued and restored

Now the two tools that I like for the small list is are CeWL and wyd:

CeWL – http://www.digininja.org/projects/cewl.php
Wyd – http://www.remote-exploit.org/codes_wyd.html

They have some very similar lists of features, your mileage may vary. But they basically parse files and web pages for words and generate password lists based on the words found.

Update on Sunday, February 21, 2010 at 1:57AM by Rob Fuller

I missed one hell of a treasure trove of word lists:

http://trac.kismac-ng.org/wiki/wordlists
http://www.openwall.com/mirrors/
http://passwordz.info/
ftp://ftp.ox.ac.uk/pub/wordlists/
http://gdataonline.com/downloads/GDict/
http://theargon.com/achilles/wordlists/
http://theargon.com/achilles/wordlists/theargonlists/
ftp://ftp.cerias.purdue.edu/pub/dict/
http://www.outpost9.com/files/WordLists.html
http://www.securinfos.info/wordlists_dictionnaires.php
http://www.vulnerabilityassessment.co.uk/passwords.htm
http://packetstormsecurity.org/Crackers/wordlists/
http://www.ai.uga.edu/ftplib/natural-language/moby/
http://www.insidepro.com/eng/download.shtml
http://www.word-list.com/
http://www.cotse.com/tools/wordlists1.htm
http://www.cotse.com/tools/wordlists2.htm
http://www.phreak.org/index/archive01/hacking/wordlsts/wordlsts.shtml
http://www.indianz.ch/tools/doc/wordlists.zip
http://wordlist.sourceforge.net/
http://prdownloads.sourceforge.net/wepattack/wordlist.tar.gz?download
http://hacor.org/docs/hugelist.txt (broken link. Does anyone have it hosted elsewhere?)
shhh! – http://www.room362.com/storage/saved/hugelist.txt
http://ftp.sunet.se/pub/security/tools/net/Openwall/wordlists/
ftp://ftp.openwall.com/pub/wordlists/

http://www.skullsecurity.org/wiki/index.php/Passwords

hotmail: http://current.com/technology/91108676_email-password-leak-update-gmail-yahoo-aol-and-hotmail-hit-too.htm

rockyou: http://securitystream.info/data-breaches/easy-passwords-found-in-rockyou-data-leak/

http://wordlist.sourceforge.net/  (Kevin’s Word Lists)

http://www.phenoelit-us.org/dpl/dpl.html

http://www.offensive-security.com/wpa-tables/wpalist.txt.tar.bz2

http://www.renderlab.net/projects/WPA-tables/

https://github.com/jeanphorn/wordlist



This post first appeared on Computer Security.org - CyberSecurity News, Inform, please read the originial post: here

Share the post

Cheat Sheet How to pass the OSCP Offensive Security Certified Professional Exam Step-by-Step Guide- Directory/Service Brute Forcing – PART 3

×

Subscribe to Computer Security.org - Cybersecurity News, Inform

Get updates delivered right to your inbox!

Thank you for your subscription

×