SNMP Brute - Fast SNMP brute force, enumeration, CISCO config downloader and password cracking script

SNMP brute force, enumeration, CISCO config downloader and password cracking script. Listens for any responses to the brute force community strings, effectively minimising wait time.

Requirements

• metasploit
• snmpwalk
• snmpstat
• john the ripper

Usage

python snmp-brute.py -t [IP]

Options

--help, -h show this help message and exit

--file=DICTIONARY, -f DICTIONARY Dictionary file

--target=IP, -t IP Host IP

--port=PORT, -p PORT SNMP port

Advanced

--rate=RATE, -r RATE Send rate

--timeout=TIMEOUT Wait time for UDP response (in seconds)

--delay=DELAY Wait time after all packets are send (in seconds)

--iplist=LFILE IP list file

--verbose, -v Verbose output

Automation

--bruteonly, -b Do not try to enumerate - only bruteforce

--auto, -a Non Interactive Mode

--no-colours No colour output

Operating Systems

--windows Enumerate Windows OIDs (snmpenum.pl)

--linux Enumerate Linux OIDs (snmpenum.pl)

--cisco Append extra Cisco OIDs (snmpenum.pl)

Alternative Options

--stdin, -s Read communities from stdin

--community=COMMUNITY, -c COMMUNITY Single Community String to use

--sploitego Sploitego's bruteforce method

Features

• Brute forces both version 1 and version 2c SNMP community strings
• Enumerates information for CISCO devices or if specified for Linux and Windows operating systems.
• Identifies RW community strings
• Tries to download the router config (metasploit module).
• If the CISCO config file is downloaded, shows the plaintext passwords (metasploit module) and tries to crack hashed passords with John the Ripper

Download SNMP Brute

Read More

Dirs3arch v0.3.0 - HTTP(S) Directory/File Brute Forcer

dirs3arch is a simple command line tool designed to brute force hidden directories and files in websites.

It's written in python3 3 and all thirdparty libraries are included.

Operating Systems supported

• Windows XP/7/8
• GNU/Linux
• MacOSX

Features

• Multithreaded
• Keep alive connections
• Support for multiple extensions (-e|--extensions asp,php)
• Reporting (plain text, JSON)
• Detect not found web pages when 404 not found errors are masked (.htaccess, web.config, etc).
• Recursive brute forcing
• HTTP(S) proxy support
• Batch processing (-L)

Examples

• Scan www.example.com/admin/ to find php files:
  

  python3 dirs3arch.py -u http://www.example.com/admin/ -e php

• Scan www.example.com to find asp and aspx files with SSL:
  

  python3 dirs3arch.py -u https://www.example.com/ -e asp,aspx

• Scan www.example.com with an alternative dictionary (from DirBuster):
  

  python3 dirs3arch.py -u http://www.example.com/ -e php -w db/dirbuster/directory-list-2.3-small.txt

• Scan with HTTP proxy (localhost port 8080):
  

  python3 dirs3arch.py -u http://www.example.com/admin/ -e php --http-proxy localhost:8080

• Scan with custom User-Agent and custom header (Referer):
  

  python3 dirs3arch.py -u http://www.example.com/admin/ -e php --user-agent "My User-Agent" --header "Referer: www.google.com"

• Scan recursively:
  

  python3 dirs3arch.py -u http://www.example.com/admin/ -e php -r

• Scan recursively excluding server-status directory and 200 status codes:
  

  python3 dirs3arch.py -u http://www.example.com/ -e php -r --exclude-subdir "server-status" --exclude-status 200

• Scan includes, classes directories in /admin/
  

  python3 dirs3arch.py -u http://www.example.com/admin/ -e php --scan-subdir "includes, classes"

• Scan without following HTTP redirects:
  

  python3 dirs3arch.py -u http://www.example.com/ -e php --no-follow-redirects

• Scan VHOST "backend" at IP 192.168.1.1:
  

  python3 dirs3arch.py -u http://backend/ --ip 192.168.1.1

• Scan www.example.com to find wordpress plugins:
  

  python3 dirs3arch.py -u http://www.example.com/wordpress/wp-content/plugins/ -e php -w db/wordpress/plugins.txt

  
  
• Batch processing:
  

  python3 dirs3arch.py -L urllist.txt -e php

  
  

Thirdparty code

• colorama
• oset
• urllib3
• sqlmap

Changelog

• 0.3.0 - 2015.2.5 Fixed issue3, fixed timeout exception, ported to python33, other bugfixes
• 0.2.7 - 2014.11.21 Added Url List feature (-L). Changed output. Minor Fixes
• 0.2.6 - 2014.9.12 Fixed bug when dictionary size is greater than threads count. Fixed URL encoding bug (issue2).
• 0.2.5 - 2014.9.2 Shows Content-Length in output and reports, added default.conf file (for setting defaults) and report auto save feature added.
• 0.2.4 - 2014.7.17 Added Windows support, --scan-subdir|--scan-subdirs argument added, --exclude-subdir|--exclude-subdirs added, --header argument added, dirbuster dictionaries added, fixed some concurrency bugs, MVC refactoring
• 0.2.3 - 2014.7.7 Fixed some bugs, minor refactorings, exclude status switch, "pause/next directory" feature, changed help structure, expaded default dictionary
• 0.2.2 - 2014.7.2 Fixed some bugs, showing percentage of tested paths and added report generation feature
• 0.2.1 - 2014.5.1 Fixed some bugs and added recursive option
• 0.2.0 - 2014.1.31 Initial public release

Download Dirs3arch

Read More

Crowbar - Brute Forcing Tool for Pentests

Crowbar (crowbar) is brute forcing tool that can be used during penetration tests. It is developed to brute force some protocols in a different manner according to other popular brute forcing tools. As an example, while most brute forcing tools use username and password for SSH brute force, Crowbar uses SSH key. So SSH keys, that are obtained during penetration tests, can be used to attack other SSH servers.

Currently Crowbar supports

• OpenVPN
• SSH private key authentication
• VNC key authentication
• Remote Desktop Protocol (RDP) with NLA support

Installation

First you shoud install dependencies

 # apt-get install openvpn freerdp-x11 vncviewer

Then get latest version from github

 # git clone https://github.com/galkan/crowbar 

Attention: Rdp depends on your Kali version. It may be xfreerdp for the latest version.

Usage

-h: Shows help menu.

-b: Target service. Crowbar now supports vnckey, openvpn, sshkey, rdp.

-s: Target ip address.

-S: File name which is stores target ip address.

-u: Username.

-U: File name which stores username list.

-n: Thread count.

-l: File name which stores log. Deafault file name is crwobar.log which is located in your current directory

-o: Output file name which stores the successfully attempt.

-c: Password.

-C: File name which stores passwords list.

-t: Timeout value.

-p: Port number

-k: Key file full path.

-m: Openvpn configuration file path

-d: Run nmap in order to discover whether the target port is open or not. So that you can easily brute to target using crowbar.

-v: Verbose mode which is shows all the attempts including fail.

If you want see all usage options, please use crowbar --help

Download Crowbar

Read More

CeWL - Custom WordList Generator Tool for Password Cracking

CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.

CeWL also has an associated command line app, FAB (Files Already Bagged) which uses the same meta data extraction techniques to create author/creator lists from already downloaded.

Usage

cewl [OPTION] ... URL

--help, -h

Show help

--depth x, -d x

The depth to spider to, default 2

--min_word_length, -m

The minimum word length, this strips out all words under the specified length, default 3

--offsite, -o

By default, the spider will only visit the site specified. With this option it will also visit external sites

--write, -w file

Write the ouput to the file rather than to stdout

--ua, -u user-agent

Change the user agent

-v

Verbose, show debug and extra output

--no-words, -n

Don't output the wordlist

--meta, -a file

Include meta data, optional output file

--email, -e file

Include email addresses, optional output file

--meta_file file

Filename for metadata output

--email_file file

Filename for email output

--meta-temp-dir directory

The directory used used by exiftool when parsing files, the default is /tmp

--count, -c:

Show the count for each of the words found

--auth_type

Digest or basic

--auth_user

Authentication username

--auth_pass

Authentication password

--proxy_host

Proxy host

--proxy_port

Proxy port, default 8080

--proxy_username

Username for proxy, if required

--proxy_password

Password for proxy, if required

--verbose, -v

Verbose

URL

The site to spider.

Change Log

Keeping track of history.

• Version 4.3 - Various spider bug fixes and the introduction of the sorting the results by count
• Version 4.2 - Fixed the Spider gem by overriding the function, also handling #name links correctly
• Version 4.1 - Small bug fixes and added new parameter to set filenames for email and metadata output
• Version 4 - Runs with Ruby 1.9.x and grabs text out of alt and title tags
• Version 3 - Now spiders pages referenced in JavaScript location commands
• Version 2.2 - Data from email addresses and meta data can be written to their own files
• Version 2.1 - Fixed a bug some people were having while using the email option
• Version 2 - Added meta data support
• Version 1 - released

Download CeWL 5.1

Read More

John the Ripper 1.8.0-jumbo-1 - Fast Password Cracker

John the Ripper is a free password cracking software tool. Initially developed for the Unix operating system, it now runs on fifteen different platforms (eleven of which are architecture-specific versions of Unix, DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix versions (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL, and others.

John the Ripper 1.8.0-jumbo-1 is based on today’s code from the bleeding-jumbo branch on GitHub, which we’ve tried to make somewhat stable lately in preparation for this release.

You may notice that the source code archive size has increased from under 2 MB to over 20 MB. This is primarily due to the included .chr files, which are both bigger and more numerous than pre-1.8 ones. There are lots of source code additions, too.

In fact:

This is probably the biggest single jumbo update so far. The changes are too numerous to summarize – unfortunately, we haven’t been doing that during development, and it’d be a substantial effort to do it now, delaying the release to next year. So we chose to go ahead and release whatever we’ve got. (Of course, there are the many commit messages -but that’s not a summary.)

A really brief summary, though, is that there are new “formats” (meaning more supported hash and “non-hash” types, both on CPU and on GPU), various enhancements to existing ones, mask mode, better support for non-ASCII character sets, and of course all of 1.8.0’s features (including –fork and –node). And new bugs. Oh, and we’re now using autoconf, meaning that you need to “./configure” and “make”, with all the usual pros and cons of this approach. There’s a Makefile.legacy included, so you may “make -f Makefile.legacy” to try and build JtR the old way if you refuse to use autoconf… for now…and this _might_ even work… but you’d better bite the bullet. (BTW, I have no current plans on autoconf’ing non-jumbo versions of JtR.)

Due to autoconf, things such as OpenMP and OpenCL are now enabled automatically (if system support for them is detected during build). When this is undesirable, you may use e.g. “./configure –disable-openmp” or “./configure –disable-openmp-for-fast-formats” and run with –fork to achieve a higher cumulative c/s rate across the fork’ed processes.

Out of over 4800 commits since 1.7.9-jumbo-7, over 2600 are by magnum, making him the top contributor. Other prolific contributors are JimF, Dhiru Kholia, Claudio Andre, Frank Dittrich, Sayantan Datta.

There are also multiple commits by (or attributed to) Lukas Odzioba, ShaneQful, Alexander Cherepanov, rofl0r, bwall, Narendra Kangralkar, Tavis Ormandy, Spiros Fraganastasis, Harrison Neal, Vlatko Kosturjak, Aleksey Cherepanov, Jeremi Gosney, junmuz, Thiebaud Weksteen, Sanju Kholia, Michael Samuel, Deepika Dutta, Costin Enache, Nicolas Collignon, Michael Ledford. There are single commits by (or attributed to) many other contributors as well (including even one by atom of hashcat).

Download John the Ripper 1.8.0-jumbo-1

Read More

THC-SmartBrute - Finds undocumented and secret commands implemented in a smartcard

This tool finds undocumented and secret commands implemented in a smartcard. An instruction is divided into Class (CLA), Instruction-Number (INS) and the parameters or arguments P1, P2, P3. THC-SMARTBRUTE iterates through all the possible values of CLA and INS to find a valid combination.

Furthermore it tries to find out what parameters are valid for a given class and instruction number.

Requirements

You need a PC/SC compatible smartcard reader that is supported by the PCSC-LITE library.

A list of supported devices can be found here

THC-SMARTBRUTE was developped with the XXX smartcard reader.

Command line arguments

--verbose
        prints a lot of debugging messages to stderr *FIXME*
--undoconly
        only prints found instruction if its not element of the standard
        instruction list
--fastresults
        before iterating through all possible combinates of class and
        instruction-number typical class/instruction-values are verified for
        availability.
        After that the classes 0x00, 0x80 and 0xA0 (GSM) are tried first.
--help
        prints out the usage
--chv1 pin1
        a VERIFY CHV1 instruction with pin1 as argument is executed
--chv2 pin2
        a VERIFY CHV2 instruction with pin2 as argument is executed

--brutep1p2
        finds valid parameter p1 and p2 combinations for the instruction
        the user defined with --cla and --ins .
        For parameter p1 the value 0x00 is assumed.

--brutep3
        find valid p3 values for given --cla, --ins, --p1 and --p2

--cla CLASS
        sets the instruction class to CLASS
--ins INS
        sets the instruction-number to INS
--p1 P1
        sets parameter p1 to P1
--p2 P2
        sets parameter p2 to P2
--p3 P3
        sets parameter p3 to P3

Examples

1. ~$ ./thc-smartbrute
        run thcsmartbrute without any arguments to brute force for valid instructions
2. ~$ ./thc-smartbrute --undoconly
        find valid instructions but only print out non-standard instructions

3. ~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --brutep1p2
        find the first two arguments for the GSM instruction SELECT FILE

4. ~$ ./thc-smartbrute --cla 0xA0 --ins 0xA4 --p1 0x00 --p2 0x00 --brutep3
        find the 3rd argument for the already found first two arguments 
        for the GSM instruction SELECT FILE

Download THC-SmartBrute

Read More

THC-Hydra 8.1 - Network Logon Cracker

 A very fast network logon cracker which support many different services.

See feature sets and services coverage page - incl. a speed comparison against ncrack and medusa.Number one of the biggest security holes are passwords, as every password security study shows.

This tool is a proof of concept code, to give researchers and security consultants the possiblity to show how easy it would be to gain unauthorized access from remote to a system.

There are already several login hacker tools available, however none does either support more than one protocol to attack or support parallized connects.

It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10) and OSX.

Currently this tool supports the following protocols:

Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

CHANGELOG for 8.1

        ! Development moved to a public github repository: https://github.com/vanhauser-thc/thc-hydra
        
        * David Maciejak, my co-maintainer moved to a different job and country and can not help with Hydra anymore - sadly! Wish you all the best!
        * Added patch from Ander Juaristi which adds h/H header options for http-form-*, great work, thanks!
        * Found login:password combinations are now printed with the name specified (hostname or IP), not always IP
        * Fixed the -M option, works now with many many targets :-)
        * -M option now supports ports, add a colon in between: "host:port", or, if IPv6, "[ipv6ipaddress]:port"
        * Fixed for cisco-enable if an intial Login/Password is used (thanks to joswr1te for reporting)
        * Added patch by tux-mind for better MySQL compilation and an Android patches and Makefile. Thanks!
        * Added xhydra gtk patches by Petar Kaleychev to support -h, -U, -f, -F, -q and -e r options, thanks!
        * Added patch for teamspeak to better identify server errors and auth failures (thanks to Petar Kaleychev)
        * Fixed a crash in the cisco module (thanks to Anatoly Mamaev for reporting)
        * Small fix for HTTP form module for redirect pages where a S= string match would not work (thanks to mkosmach for reporting)
        * Updated configure to detect subversion packages on current Cygwin
        * Fixed RDP module to support the port option (thanks to and.enshin(at)gmail.com)

Download THC-Hydra 8.1

Read More

[THC-Hydra v7.6] Fast Parallel Network Logon Cracker

 Hydra is a parallelized network logon cracker which supports numerous protocols to attack, new modules are easy to add, beside that, it is flexible and very fast.

Features

• IPv6 Support
• Graphic User Interface
• Internationalized support (RFC 4013)
• HTTP proxy support
• SOCKS proxy support

The tool supports the following protocols:

Samba, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more.

Release 7.6
* Added a wizard script for hydra based on a script by Shivang Desai <shivang.ice.2010@gmail.com>
* Added module for Siemens S7-300 (submitted by Alexander Timorin and Sergey Gordeychik, thanks!)
* HTTP HEAD/GET: MD5 digest auth was not working, fixed (thanks to Paul Kenyon)
* SMTP Enum: HELO is now always sent, better 500 error detection
* hydra main:
   - fixed a bug in the IPv6 address parsing when a port was supplied
   - added info message for pop3, imap and smtp protocol usage
* hydra GTK: missed some services, added
* dpl4hydra.sh:
   - added Siemens S7-300 common passwords to default password list
   - more broad searching in the list
* Performed code indention on all C files :-)
* Makefile patch to ensure .../etc directory is there (thanks to vonnyfly)

Download THC-Hydra v7.6

Read More

[Router Password Kracker] Router Password Recovery Software

Router Password Kracker is a free software to recover the lost password of your Router. It can also be used to recover password from your internet Modem or Web sites which are protected by HTTP BASIC Authentication.

Generally Routers or Modems control their access by using HTTP BASIC authentication mechanism. In simple words, when you connect to your Modem/Router from the browser (typically http://192.168.1.1) you will be asked to enter username & password. If you ever forget this password then you will not be able to access your Router/Modem configuration. Even some websites use this BASIC Authentication to allow only certain users to access their site. 

In these cases 'Router Password Kracker' can help you in quickly recovering your lost password. Also Penetration Testers and Forensic Investigators can find this tool very useful in cracking the Router/Modem/Website password.

Download Router Password Kracker

Read More

[DirBuster] Brute Force Directories and Files Names on Web/Application Servers

DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.

However tools of this nature are often as only good as the directory and file list they come with. A different approach was taken to generating this. The list was generated from scratch, by crawling the Internet and collecting the directory and files that are actually used by developers! DirBuster comes a total of 9 different lists (Further information can be found below), this makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide! If you have the time ;)

Download DirBuster

Read More

[Hashcat v0.47] The world’s fastest CPU-based password recovery tool

Hashcat is the world’s fastest CPU-based password recovery tool.

While it’s not as fast as its GPU counterparts oclHashcat-plus and oclHashcat-lite, large lists can be easily split in half with a good dictionary and a bit of knowledge of the command switches.

Changelog v0.47

• added -m 123 = EPi
• added -m 1430 = sha256(unicode($pass).$salt)
• added -m 1440 = sha256($salt.unicode($pass))
• added -m 1441 = EPiServer 6.x >= v4
• added -m 1711 = SSHA-512(Base64), LDAP {SSHA512}
• added -m 1730 = sha512(unicode($pass).$salt)
• added -m 1740 = sha512($salt.unicode($pass))
• added -m 7400 = SHA-256(Unix)
• added -m 7600 = Redmine SHA1
• debug mode can now be used also together with -g, generate rule
• support added for using external salts together with mode 160 = HMAC-SHA1 (key = $salt)
• allow empty salt/key for HMAC algos
• allow variable rounds for hash modes 500, 1600, 1800, 3300, 7400 using rounds= specifier
• added –generate-rules-seed, sets seed used for randomization so rulesets can be reproduced
• added output-format type 8 (position:hash:plain)
• updated/added some hcchr charset files in /charsets, some new files: Bulgarian, Polish, Hungarian
• format output when using –show according to the –outfile-format option
• show mask length in status screen
• –disable-potfile in combination with –show or –left resulted in a crash, combination was disallowed

Features

• Multi-Threaded
• Free
• Multi-Hash (up to 24 million hashes)
• Multi-OS (Linux, Windows and OSX native binaries)
• Multi-Algo (MD4, MD5, SHA1, DCC, NTLM, MySQL, …)
• SSE2, AVX and XOP accelerated
• All Attack-Modes except Brute-Force and Permutation can be extended by rules
• Very fast Rule-engine
• Rules compatible with JTR and PasswordsPro
• Possible to resume or limit session
• Automatically recognizes recovered hashes from outfile at startup
• Can automatically generate random rules
• Load saltlist from external file and then use them in a Brute-Force Attack variant
• Able to work in an distributed environment
• Specify multiple wordlists or multiple directories of wordlists
• Number of threads can be configured
• Threads run on lowest priority
• Supports hex-charset
• Supports hex-salt
• 90+ Algorithms implemented with performance in mind
• …and much more

Download hashcat v0.47

Read More

[BTCrack v1.1] The worlds first Bluetooth Pass phrase (PIN) Bruteforce Tool

BTCrack is the worlds first Bluetooth Pass phrase (PIN) bruteforce tool, BTCrack will bruteforce the Passkey and the Link key from captured pairing* exchanges.

BTcrack was demoed and realeased at Hack.lu 2007 and 23C3 in Berlin, the video of the presentation is available on Google Video .

To capture the pairing data it is necessary to have a Professional Bluetooth Analyzer : FTE (BPA 100, BPA 105, others), Merlin OR flash a CSR based consumer USB dongle with special firmware.

Speed Comparison :

· P4 2Ghz - Dual Core 200.000 keys/sec

· FPGA E12 @ 50Mhz 7.600.000 keys/sec

· FPGA E12 @ 75Mhz 10.000.000 keys/sec

· FPGA E14 30.000.000 keys/sec

Changes :· 1.0 First release · 1.1 Intermediate Release    E12 + E14 FPGA Support ( http://www.picocomputing.com)   Splash Screen    Process Priority    Speed increase (+15%)

Download BTCrack v1.1

Read More

[THC-Hydra 7.5] Fast Parallel Network Logon Cracker

Hydra is a parallelized network logon cracker which supports numerous protocols to attack, new modules are easy to add, beside that, it is flexible and very fast.

Features

• IPv6 Support
• Graphic User Interface
• Internationalized support (RFC 4013)
• HTTP proxy support
• SOCKS proxy support

The tool supports the following protocols

Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Changelog for 7.5

• Added module for Asterisk Call Manager
• Added support for Android where some functions are not available
• hydra main:
• – reduced the screen output if run without -h, full screen with -h
• – fix for ipv6 and port parsing with service://[ipv6address]:port/OPTIONS
• – fixed -o output (thanks to www417)
• – warning if HYDRA_PROXY is defined but the module does not use it
• – fixed an issue with large input files and long entries
• hydra library:
• – SSL connections are now fixed to SSLv3 as some SSL servers fail otherwise, report if this gives you problems
• – removed support for old OPENSSL libraries
• HTTP Form module:
• – login and password values are now encoded if special characters are present
• – ^USER^ and ^PASS^ are now also supported in H= header values
• – if you the colon as a value in your option string, you can now escape it with \: – but do not encode a \ with \\
• Mysql module: protocol 10 is now supported
• SMTP, POP3, IMAP modules: Disabled the TLS in default. TLS must now be defined as an option “TLS” if required. This increases performance.
• Cisco module: fixed a small bug (thanks to Vitaly McLain)
• Postgres module: libraries on Cygwin are buggy at the moment, module is therefore disabled on Cygwin

Download THC-Hydra 7.5

Read More

[MKBRUTUS] Password bruteforcer for MikroTik devices or boxes running RouterOS

Mikrotik brand devices (www.mikrotik.com), which runs the RouterOS operative system, are worldwide known and popular with a high networking market penetration. Many companies choose them as they are a great combination of low-cost and good performance. RouterOS can be also installed on other devices such as PC.

This system can be managed by the following ways:

• Telnet
• SSH
• Winbox (proprietary GUI of Mikrotik)
• HTTP
• API

Many network sysadmins choose to close Telnet, SSH and HTTP ports, leaving the Winbox port open for graphical management or to another client (developed by third parties) which uses the RouterOS API port, such as applications for Android (managing routers and Hotspots) or web front-ends. At this point, MKBRUTUS comes into play ;)

Both, Winbox and API ports uses a RouterOS proprietary protocol to "talk" with management clients.

It is possible that in the midst of a pentesting project, you can find the ports 8291/TCP (Winbox) and 8728/TCP (API) open and here we have a new attack vector.

Because the port 8291/TCP is only possible to authenticate using the Winbox tool (at least by now ;), we realized the need of develop a tool to perform dictionary-based attacks over the API port (8728/TCP), in order to allow the pentester to have another option to try to gain access.

DICTIONARY-BASED ATTACK

MKBRUTUS is a tool developed in Python 3 that performs bruteforce attacks (dictionary-based) systems against RouterOS (ver. 3.x or newer) which have the 8728/TCP port open. Currently has all the basic features of a tool to make dictionary-based attacks, but in the future we plan to incorporate other options. There are many sites from where you can download wordlists, here are some:

http://wiki.skullsecurity.org/Passwords

http://wordlist.sourceforge.net/

Download MKBRUTUS

Read More

[WFacebook] Facebook Password Cracker

Facebook Password Cracker.

Video:

Download WFacebook

Read More

[Patator v0.5] Multi-purpose brute-forcer, with a modular design and a flexible usage

Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.

Currently it supports the following modules:

* ftp_login : Brute-force FTP

* ssh_login : Brute-force SSH

* telnet_login : Brute-force Telnet

* smtp_login : Brute-force SMTP

* smtp_vrfy : Enumerate valid users using the SMTP VRFY command

* smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command

* finger_lookup : Enumerate valid users using Finger

* http_fuzz : Brute-force HTTP/HTTPS

* pop_login : Brute-force POP

* pop_passd : Brute-force poppassd (not POP3)

* imap_login : Brute-force IMAP

* ldap_login : Brute-force LDAP

* smb_login : Brute-force SMB

* smb_lookupsid : Brute-force SMB SID-lookup

* vmauthd_login : Brute-force VMware Authentication Daemon

* mssql_login : Brute-force MSSQL

* oracle_login : Brute-force Oracle

* mysql_login : Brute-force MySQL

* mysql_query : Brute-force MySQL queries

* pgsql_login : Brute-force PostgreSQL

* vnc_login : Brute-force VNC

* dns_forward : Brute-force DNS

* dns_reverse : Brute-force DNS (reverse lookup subnets)

* snmp_login : Brute-force SNMPv1/2 and SNMPv3

* unzip_pass : Brute-force the password of encrypted ZIP files

* keystore_pass : Brute-force the password of Java keystore files

Download Patator v0.5

Read More

[Hash Kracker Console] Tool to find out the password from the Hash

Hash Kracker Console is the all-in-one command-line tool to find out the password from the Hash.

Currently it supports password recovery from following popular Hash types

• MD5
• SHA1
• SHA256
• SHA384
• SHA512

Also it offers 4 types of Password Recovery methods based on the complexity of password

• Dictionary Crack
• Hybrid Crack
• Brute-force Crack
• Pattern based Brute-force Crack

Being a command-line makes it faster and easy for automation. It is fully portable tool and includes installer also.

It works on wide range of platforms starting from Windows XP to Windows 8.

Download Hash Kracker Console v1.0
More

Read More

[oclHashcat-lite v0.15] Worlds fastest NTLM, MD5, SHA1, SHA256 and Descrypt Cracker

Features

• Worlds fastest NTLM, MD5, SHA1, SHA256 and descrypt cracker
• Free
• Multi-GPU (up to 128 gpus)
• Multi-OS (Linux & Windows native binaries)
• Multi-Platform (OpenCL & CUDA support)
• Multi-Algo (see below)
• Low resource utilization, you can still watch movies or play games while cracking
• Focuses one-shot, lightweight hashes
• Supports mixed GPU types
• Supports markov attack
• Supports mask attack
• Supports distributed cracking
• Supports pause / resume while cracking
• Supports sessions
• Supports restore
• Supports hex-salt
• Supports hex-charset
• Integrated thermal watchdog
• ... and much more

Algorithms

• MD5
• md5($pass.$salt)
• Joomla
• SHA1
• nsldap, SHA-1(Base64), Netscape LDAP SHA
• sha1($pass.$salt)
• nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
• Oracle 11g
• MSSQL(2000)
• MSSQL(2005)
• MySQL
• MD4
• md4($pass.$salt)
• NTLM
• Domain Cached Credentials, mscash
• SHA256
• sha256($pass.$salt)
• descrypt, DES(Unix), Traditional DES
• SHA512
• sha512($pass.$salt)
• Cisco-PIX MD5
• Double MD5
• vBulletin < v3.8.5
• vBulletin > v3.8.5
• IPB2+, MyBB1.2+
• LM
• Oracle 7-10g, DES(Oracle)
• SHA-3(Keccak)
• Half MD5
• NetNTLMv1-VANILLA / NetNTLMv1+ESS
• NetNTLMv2
• Cisco-IOS SHA256

Download here: http://adf.ly/145xZ2

type: driver

file: host programs
desc: added support for AMD ADL v5.0 library

type: feature
file: hashcat-cli
desc: added mode -m 5500 = NetNTLMv1-VANILLA / NetNTLMv1+ESS
trac: #51
trac: #96

type: feature
file: hashcat-cli
desc: added mode -m 5600 = NetNTLMv2
trac: #56

type: feature
file: kernels
desc: added -m 5700 = Cisco-IOS SHA256
cred: philsmd

type: feature
file: kernels
desc: modified -m 5100 = Half MD5 so that it accepts only 16 byte input, see next change why
trac: #89

type: feature
file: kernels
desc: modified -m 5100 = Half MD5 so it can crack middle and right portions, too (not just left)
trac: #89

type: bug
file: kernels
desc: fixed bug in NVidia version had to switch back to bitness-depending kernels

type: bug
file: kernels
desc: fixed bug in NVidia version writing to constant memory from kernel isnt allowed

type: bug
file: hashcat-cli
desc: fixed bug in benchmark-mode, do not run MD5 again at end

type: bug
file: hashcat-cli
desc: fixed bug in benchmark-mode, Memory stepping when doing a benchmark
trac: #57

Read More

[oclHashcat-plus v0.14] Worlds fastest md5crypt, phpass, mscash2 and WPA/WPA2 cracker

Features

• Worlds fastest md5crypt, phpass, mscash2 and WPA / WPA2 cracker
• Worlds first and only GPGPU based rule engine
• Free
• Multi-GPU (up to 128 gpus)
• Multi-Hash (up to 15 million hashes)
• Multi-OS (Linux & Windows native binaries)
• Multi-Platform (OpenCL & CUDA support)
• Multi-Algo (see below)
• Low resource utilization, you can still watch movies or play games while cracking
• Focuses highly iterated modern hashes
• Focuses single dictionary based attacks
• Supports mask attack
• Supports distributed cracking
• Supports pause / resume while cracking
• Supports sessions
• Supports restore
• Supports reading words from file
• Supports reading words from stdin
• Supports hex-salt
• Supports hex-charset
• Integrated thermal watchdog
• 30+ Algorithms implemented with performance in mind
• ... and much more

Attack-Modes

• Straight ^*
• Combination
• Brute-force
• Hybrid dict + mask
• Hybrid mask + dict

Download here: http://adf.ly/145xV8

type: driver
file: host programs
desc: added support for AMD ADL v5.0 library

type: feature
file: hashcat-cli
desc: added mode -m 5500 = NetNTLMv1-VANILLA / NetNTLMv1+ESS
trac: #51
trac: #96

type: feature
file: hashcat-cli
desc: added mode -m 5600 = NetNTLMv2
trac: #56

type: feature
file: kernels
desc: added -m 5700 = Cisco-IOS SHA256
cred: philsmd

type: feature
file: kernels
desc: modified -m 5100 = Half MD5 so that it accepts only 16 byte input, see next change why
trac: #89

type: feature
file: kernels
desc: modified -m 5100 = Half MD5 so it can crack middle and right portions, too (not just left)
trac: #89

type: bug
file: kernels
desc: fixed bug in NVidia version had to switch back to bitness-depending kernels

type: bug
file: kernels
desc: fixed bug in NVidia version writing to constant memory from kernel isnt allowed

Read More

[Hashcat v0.44] Advanced Password Recovery

Features

• Multi-Threaded
• Free
• Multi-Hash (up to 24 million hashes)
• Multi-OS (Linux, Windows and OSX native binaries)
• Multi-Algo (MD4, MD5, SHA1, DCC, NTLM, MySQL, ...)
• SSE2 accelerated
• All Attack-Modes except Brute-Force and Permutation can be extended by rules
• Very fast Rule-engine
• Rules compatible with JTR and PasswordsPro
• Possible to resume or limit session
• Automatically recognizes recovered hashes from outfile at startup
• Can automatically generate random rules
• Load saltlist from external file and then use them in a Brute-Force Attack variant
• Able to work in an distributed environment
• Specify multiple wordlists or multiple directories of wordlists
• Number of threads can be configured
• Threads run on lowest priority
• Supports hex-charset
• Supports hex-salt
• 30+ Algorithms implemented with performance in mind
• ... and much more

Attack-Modes

• Straight ^*
• Combination ^*
• Toggle-Case
• Brute-Force
• Permutation
• Table-Lookup

Download here: http://adf.ly/143xLq

type: feature

file: hashcat-cli
desc: added mode -m 9999 = Plaintext
trac: #45

type: feature
file: hashcat-cli
desc: added mode -m 5500 = NetNTLMv1 + ESS
trac: #96

type: feature
file: kernels
desc: added -m 5700 = Cisco-IOS SHA256
cred: philsmd

type: change
file: hashcat-cli
desc: changed the hash-format for NetNTLMv1 and NetNTLMv2 to .lc format
cred: #98

type: bug
file: hashcat-cli
desc: fixed bug in 32 bit version, did not crack -m 1800 sha512crypt
trac: #92

type: bug
file: hashcat-cli
desc: fixed bug in NetNTLMv2 parser
trac: #95

Read More