
Cheat Sheet How to pass the OSCP Offensive Security Certified Professional Exam Step-by-Step Guide- Directory/Service Brute Forcing – PART 3

Directory Brute Forcing and Service Brute Forcing

The OSCP exam will almost certainly include a service on which you can brute force a local or admin account. There will also be web servers hosting unlinked content that you can find, such as password files, user accounts and developer portals that give easy access.

You will need wordlist files for these activities; download links are provided at the bottom of this section.

DirBuster

This is a GUI-based directory brute forcing application that can be very quick if your system can support it.

A very powerful command-line alternative is “dirb”. It takes the base URL first and the wordlist second:

root@wittyserver:~/oscp/# dirb http://192.168.1.101/ /root/oscp/dirbuster/common.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

URL_BASE: http://192.168.1.101/
WORDLIST_FILES: /root/oscp/dirbuster/common.txt

-----------------

GENERATED WORDS: 1942

---- Scanning URL: http://192.168.1.101/ ----
==> DIRECTORY: http://192.168.1.101/assets/
==> DIRECTORY: http://192.168.1.101/passwords/

Brute forcing services:

Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at http://www.thc.org/thc-hydra
Don’t use in military or secret service organizations, or for illegal purposes.

Supported services: asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

root@wittyserver:~/oscp/# hydra -L /root/oscp/dirbuster/big.txt -P /root/wordlist/500-worst-passwords.txt ssh://192.168.1.101

hydra -l admin -P /usr/share/wordlists/rockyou.txt -o results.txt ssh://10.0.0.1

root@wittyserver:~# medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ssh

Crack Passwords (hydra/THC bruter)
(needs mil-dict.txt from Milw0rm – cracked hashes; <user> and <target> below are placeholders for the account name and host)

FTP – hydra -l <user> -P mil-dict.txt -f -V <target> ftp

POP3 – hydra -l <user> -P mil-dict.txt -f -V <target> pop3 (may need -t 15 to limit concurrent connections)

SNMP – hydra -P mil-dict.txt -f -V <target> snmp

MS VPN – dos2unix words (whatever word list), then: cat words | thc-pptp-bruter <vpn-server>
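From the defensive side, the scans above leave very characteristic traces: a dirb run produces a burst of 404 responses from one source IP for paths nobody links to (the two DIRECTORY hits sit inside that burst), and hydra or medusa against SSH produce a run of sshd “Failed password” lines from one IP, often for several different usernames. The following Python script is an added example, not code from the original post or from the dirb/hydra projects: it parses constructed sample sshd and Apache log lines and flags source IPs that cross a failure threshold inside a sliding time window. The sample lines, the IP addresses, the 60-second window and the threshold of 5 are all assumptions chosen for the demonstration.

```python
"""Flag directory and login brute forcing from sample log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample data (not from the page). 192.168.1.50 is a hypothetical
# scanner; 10.0.0.7 is a legitimate user who mistypes a password once.
AUTH_LOG = """\
Mar  3 10:15:01 web01 sshd[2101]: Failed password for invalid user admin from 192.168.1.50 port 51234 ssh2
Mar  3 10:15:02 web01 sshd[2103]: Failed password for root from 192.168.1.50 port 51236 ssh2
Mar  3 10:15:02 web01 sshd[2105]: Failed password for invalid user test from 192.168.1.50 port 51238 ssh2
Mar  3 10:15:03 web01 sshd[2107]: Failed password for invalid user oracle from 192.168.1.50 port 51240 ssh2
Mar  3 10:15:04 web01 sshd[2109]: Failed password for invalid user guest from 192.168.1.50 port 51242 ssh2
Mar  3 10:15:05 web01 sshd[2111]: Failed password for root from 192.168.1.50 port 51244 ssh2
Mar  3 10:20:10 web01 sshd[2150]: Failed password for alice from 10.0.0.7 port 40001 ssh2
Mar  3 10:20:30 web01 sshd[2152]: Accepted password for alice from 10.0.0.7 port 40002 ssh2
"""

ACCESS_LOG = """\
192.168.1.50 - - [03/Mar/2024:10:30:00 +0000] "GET /assets/ HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.168.1.50 - - [03/Mar/2024:10:30:00 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.168.1.50 - - [03/Mar/2024:10:30:01 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.168.1.50 - - [03/Mar/2024:10:30:01 +0000] "GET /passwords/ HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
192.168.1.50 - - [03/Mar/2024:10:30:01 +0000] "GET /config/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.168.1.50 - - [03/Mar/2024:10:30:02 +0000] "GET /dev/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.168.1.50 - - [03/Mar/2024:10:30:02 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
10.0.0.7 - - [03/Mar/2024:10:45:00 +0000] "GET /index.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Mar/2024:10:45:03 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
APACHE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_auth_log(text):
    """Return (timestamp, ip, user) for every sshd 'Failed password' line."""
    events = []
    for line in text.splitlines():
        m = SSHD_FAIL.match(line)
        if m:
            # syslog timestamps carry no year; strptime's default year is fine
            # here because only the differences between timestamps are used.
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def parse_access_log(text):
    """Return (timestamp, ip, path, status) for every Apache combined-format line."""
    events = []
    for line in text.splitlines():
        m = APACHE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((ts, m["ip"], m["path"], int(m["status"])))
    return events


def flag_bursts(events, window_seconds, threshold):
    """Sliding-window count of (timestamp, ip, key) events per source IP.

    Returns {ip: (peak_count_in_window, distinct_keys)} for each IP that
    reaches `threshold` events within any span of `window_seconds`.
    """
    per_ip, keys, peak = defaultdict(deque), defaultdict(set), defaultdict(int)
    for ts, ip, key in sorted(events, key=lambda e: e[0]):
        q = per_ip[ip]
        q.append(ts)
        keys[ip].add(key)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop events outside the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: (n, len(keys[ip])) for ip, n in peak.items() if n >= threshold}


def ssh_brute_force_sources(text, window_seconds=60, threshold=5):
    """IPs with >= threshold failed SSH logins in the window; distinct = usernames tried."""
    return flag_bursts(parse_auth_log(text), window_seconds, threshold)


def dir_brute_force_sources(text, window_seconds=60, threshold=5):
    """IPs with >= threshold 404 responses in the window; distinct = paths probed."""
    misses = [(ts, ip, path) for ts, ip, path, status in parse_access_log(text) if status == 404]
    return flag_bursts(misses, window_seconds, threshold)


if __name__ == "__main__":
    print("SSH brute force sources:", ssh_brute_force_sources(AUTH_LOG))
    print("Directory brute force sources:", dir_brute_force_sources(ACCESS_LOG))
```

The second number in each result separates the two patterns worth telling apart: many failures against few usernames is a password-guessing run, while many distinct usernames from one IP is a user-enumeration or spraying run. The same windowed counter (failures per source within a fixed period) is what fail2ban-style tooling applies before blocking a source, so the thresholds above are the knobs to tune against your own baseline of ordinary typos and 404s.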

Wordlist

http://www.packetstormsecurity.org/Crackers/wordlists/
http://www.theargon.com/achilles/wordlists/
http://www.openwall.com/wordlists/
http://www.outpost9.com/files/WordLists.html

I like to keep 3 size word lists:

1. small and fast: usually based on the output of one of the tools I’m about to tell you about

2. medium: this is my custom list, to which I add passwords I find / crack and generally think are good to add. I’m pretty picky about what goes into this list

3. huge: any wordlist I come across gets added to this list, it gets sorted and uniqued and restored

Now the two tools that I like for the small list are CeWL and wyd:

CeWL – http://www.digininja.org/projects/cewl.php
Wyd – http://www.remote-exploit.org/codes_wyd.html

They have some very similar lists of features; your mileage may vary. But they basically parse files and web pages for words and generate password lists based on the words found.

Update on Sunday, February 21, 2010 at 1:57AM by Rob Fuller

I missed one hell of a treasure trove of word lists:

http://trac.kismac-ng.org/wiki/wordlists
http://www.openwall.com/mirrors/
http://passwordz.info/
ftp://ftp.ox.ac.uk/pub/wordlists/
http://gdataonline.com/downloads/GDict/
http://theargon.com/achilles/wordlists/
http://theargon.com/achilles/wordlists/theargonlists/
ftp://ftp.cerias.purdue.edu/pub/dict/
http://www.outpost9.com/files/WordLists.html
http://www.securinfos.info/wordlists_dictionnaires.php
http://www.vulnerabilityassessment.co.uk/passwords.htm
http://packetstormsecurity.org/Crackers/wordlists/
http://www.ai.uga.edu/ftplib/natural-language/moby/
http://www.insidepro.com/eng/download.shtml
http://www.word-list.com/
http://www.cotse.com/tools/wordlists1.htm
http://www.cotse.com/tools/wordlists2.htm
http://www.phreak.org/index/archive01/hacking/wordlsts/wordlsts.shtml
http://www.indianz.ch/tools/doc/wordlists.zip
http://wordlist.sourceforge.net/
http://prdownloads.sourceforge.net/wepattack/wordlist.tar.gz?download
http://hacor.org/docs/hugelist.txt (broken link. Does anyone have it hosted elsewhere?)
shhh! – http://www.room362.com/storage/saved/hugelist.txt
http://ftp.sunet.se/pub/security/tools/net/Openwall/wordlists/
ftp://ftp.openwall.com/pub/wordlists/

http://www.skullsecurity.org/wiki/index.php/Passwords

hotmail: http://current.com/technology/91108676_email-password-leak-update-gmail-yahoo-aol-and-hotmail-hit-too.htm

rockyou: http://securitystream.info/data-breaches/easy-passwords-found-in-rockyou-data-leak/

http://wordlist.sourceforge.net/  (Kevin’s Word Lists)

http://www.phenoelit-us.org/dpl/dpl.html

http://www.offensive-security.com/wpa-tables/wpalist.txt.tar.bz2

http://www.renderlab.net/projects/WPA-tables/

https://github.com/jeanphorn/wordlist



This post first appeared on Computer Security.org - CyberSecurity News, Inform.
