Install crunch and then generate a word list with the following command. The 8 8 tells crunch to generate combinations that have a minimum and maximum length of 8. All the numbers from 1-0 tells crunch to use these characters, -o writes to output file.
Change options if desired.
crunch 8 8 1234567890 -o 8numberchars.lst
Further reading. https://tools.kali.org/password-attacks/crunch
Hydra is a network login cracker. You’ll need a password list and username(s) to get started.
Install Hydra
sudo apt-get install -y hydra
Launch against device
Change the IP address to the target IP
Change ubnt to target Username
Change password.lst to your password list file
SSH Example
hydra -l ubnt -P password.lst 192.168.1.20 ssh
Run hydra -h to get the full help.
Alfred@localhost:~$ hydra -h
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]
Options:
-R restore a previous aborted/crashed session
-I ignore an existing restore file (don't wait 10 seconds)
-S perform an SSL connect
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
-y disable use of symbols in bruteforce, see above
-e nsr try "n" null password, "s" login as pass and/or "r" reversed login
-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to attack, one entry per line, ':' to specify port
-o FILE write found login/password pairs to FILE instead of stdout
-b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
-f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
-t TASKS run TASKS number of connects in parallel per target (default: 16)
-T TASKS run TASKS connects in parallel overall (for -M, default: 64)
-w / -W TIME wait time for a response (32) / between connects per thread (0)
-c TIME wait time per login attempt over all threads (enforces -t 1)
-4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
-v / -V / -d verbose mode / show login+pass for each attempt / debug mode
-O use old SSL v2 and v3
-q do not print messages about connection errors
-U service module usage details
-h more command line options (COMPLETE HELP)
server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service the service to crack (see below for supported protocols)
OPT some service modules support additional input (-U for module help)
Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at http://www.thc.org/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: afp ncp oracle sapr3.
Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
% export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)
% export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
% export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)
Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
Hashcat on Kali Linux
Here is a quick way to download and install the Hashcat utils.
Download the Hashcat utils
wget https://github.com/hashcat/hashcat-utils/archive/master.zip
Run the following commands to unzip and make the binaries
unzip master.zip cd hashcat-utils-master/src make
You can now convert an aircrack file by invoking the cap2hccapx binary
./cap2hccapx.bin /path/to/aircrack.cap /path/for/output
Check out the following article for more details on converting Aircrack files to Hashcat hccapx
Need to install Hashcat on Fedora?
Using Aircrack
aircrack-ng input.cap -J hashcat_output
Unfortunately the above command doesn’t seem to work anymore.
If you try to run Hashcat with the outputted file you’ll get an error.
hashcat_output.hccap: Old hccap format detected! You need to update: https://hashcat.net/q/hccapx
Using Hashcat utils
Refer to this guide for installing the Hashcat utils.
Basic syntax is
./cap2hccapx.bin input.cap output.hccapx
Example
~/Downloads/hashcat-utils-master/src/cap2hccapx.bin aircrack-01.cap aircrack.hccapx
Install nVidia drivers. Guide here.
Download binary files from the hashcat website
or use wget
wget https://hashcat.net/files/hashcat-4.1.0.7z
Extract with p7zip
7z x hashcat-4.1.0.7z
cd into the hashcat directory
cd hashcat-4.1.0
Run hashcat
./hashcat64.bin -t 32 -a 7 example0.hash ?a?a?a?a example.dict
Example script:
sudo dnf install p7zip wget https://hashcat.net/files/hashcat-4.1.0.7z 7z x hashcat-4.1.0.7z cd hashcat-4.1.0 ./hashcat64.bin -t 32 -a 7 example0.hash ?a?a?a?a example.dict
Errors:
If you get the following error, try re-extracting the 7z file with the “x” option, not “e”. “x : eXtract files with full paths” and ” e : Extract files from archive (without using directory names)”
inc_cipher_aes256.cl: No such file or directory