After logging into phpMyAdmin, find the users table.
You should see the admin user in it.
Click edit. Under the user_pass line, change the Function to md5 and the Value to your new password.
Hit Go to run the insert command. Now you should be good to log in.
Open up FileZilla, for to the Site Manager, right click on the entry you want, and export it. This will export all the settings for the site(s).
Once exported, open the XML file. Look for the Pass encoding field. Copy the base64 encoded password. Its the text highlighted in yellow. Yours should be longer.
Decode base64 encoded password. We can do this using the built in linux base64 utility. You can use also use python.
echo -n dWJudA== | base64 -d && echo ""
Result returns the password which is “ubnt”
You will need a hash of the password to put into the database. We don’t cover that in this post. You could copy the password from a different user account or use a different UniFi instance to change the password and then check the DB to find the hash.
ssh unifiadmin@unifiserver
Connect to Mongo by typing in the following.
mongo -port 27117
Then select the ace database by typing
use ace
The admins are in the admin collection/table. Use the following command to list all the users and their name, email, and password hash.
db.admin.find({ }, { name:"" , email : "", "x_shadow" : "" })
The following looks complex. Fortunately though you should be able to copy and paste. You should only need to change the
– ObjectId to your User Id
– Password Hash to your password hash
db.admin.update({"_id" : ObjectId("223abc5489de0a93be758493")}, {$set: { "x_shadow" : "$6$nwpi7.q2$OuD9/UZGZt5cD739Dt7j8Gb1uPtfU99p0DeDSurSNBZVizieUrFVFbRufiZMgOk2IaaDZN9BVmL9yUwQ2mC8f."}});
Note: The hash above is password. Not recommended for use.
You should receive a confirmation that it succeeded. Test the new password by logging into the UniFi Controller.
For more MongoDB commands, check out this post.
The default strength for new passwords created on cPanel and WHM looks to be 65.
Note that increasing the strength should not disable any passwords that are under the threshold.
The regular command to reset the password for a NextCloud user does not work when NextCloud is installed from a snap package.
$ sudo -u www-data php /var/www/nextcloud/occ user:resetpassword admin Could not open input file: /var/www/nextcloud/occ
The reason is that NextCloud is located in “/snap/nextcloud”
Unfortunately the occ file is not located in /snap/nextcloud/current/
However, you can run the nextcloud.occ command directly without specifying the path. Change admin to your user.
sudo nextcloud.occ user:resetpassword admin
Type in the new password twice and login.
Use a wordlist and best64 rules to try and crack a wordpress hash. Using rockyou.txt as an example.
-m Specifies the hash type
hashcat -m 400 wordpress.hash -r rules/best64.rule wordlist/rockyou.txt
wordpress.hash is a text file that contains the password hash. You can list multiple hashes in the file
Example contents of file
bob@localhost:~$ cat wordpress.hash
$P$BeJ2ZWVgSx/rR8ifcTFyjq1ouCCWwu0
bob@localhost:~$
Attempt every 8 numeric combination for a WPA2 key.
hashcat -m 2500 -a3 capture.hccapx ?d?d?d?d?d?d?d?d
You can swap out the ?d from the above command with any of the built in character sets below.
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
More information
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
Rule based attacks are recommended
https://hashcat.net/wiki/doku.php?id=rule_based_attack
apt install hashcat
bob@localhost:~/$ dmesg ... [ 1057.776074] sd 0:0:0:0: [sda] Write Protect is off [ 1057.776074] sd 0:0:0:0: [sda] Mode Sense: 43 00 00 00 [ 1057.776593] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA [ 1057.780234] sda: sda1 [ 1057.783346] sd 0:0:0:0: [sda] Attached SCSI removable disk bob@localhost:~/$
From the above we see that the drive we just pluGged into the system is “sda” so our path and partition is “/dev/sda1”
The following command will run hashcat against “/dev/sda1”, change if the encrypted partition is different. Mode is to brute force every 8 numeric character combination. Refer to the following link to learn more about mask attacks.
https://hashcat.net/wiki/doku.php?id=mask_attack
Note: You should be able to dump the header and work off of that as well.
sudo hashcat -a 3 -m 14600 /dev/sda1 ?d?d?d?d?d?d?d?d
Install crunch and then generate a word list with the following command. The 8 8 tells crunch to generate combinations that have a minimum and maximum length of 8. All the numbers from 1-0 tells crunch to use these characters, -o writes to output file.
Change options if desired.
crunch 8 8 1234567890 -o 8numberchars.lst
Further reading. https://tools.kali.org/password-attacks/crunch
Hydra is a network login cracker. You’ll need a password list and username(s) to get started.
Install Hydra
sudo apt-get install -y hydra
Launch against device
Change the IP address to the target IP
Change ubnt to target Username
Change password.lst to your password list file
SSH Example
hydra -l ubnt -P password.lst 192.168.1.20 ssh
Run hydra -h to get the full help.
Alfred@localhost:~$ hydra -h
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]
Options:
-R restore a previous aborted/crashed session
-I ignore an existing restore file (don't wait 10 seconds)
-S perform an SSL connect
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
-y disable use of symbols in bruteforce, see above
-e nsr try "n" null password, "s" login as pass and/or "r" reversed login
-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to attack, one entry per line, ':' to specify port
-o FILE write found login/password pairs to FILE instead of stdout
-b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
-f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
-t TASKS run TASKS number of connects in parallel per target (default: 16)
-T TASKS run TASKS connects in parallel overall (for -M, default: 64)
-w / -W TIME wait time for a response (32) / between connects per thread (0)
-c TIME wait time per login attempt over all threads (enforces -t 1)
-4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
-v / -V / -d verbose mode / show login+pass for each attempt / debug mode
-O use old SSL v2 and v3
-q do not print messages about connection errors
-U service module usage details
-h more command line options (COMPLETE HELP)
server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service the service to crack (see below for supported protocols)
OPT some service modules support additional input (-U for module help)
Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at http://www.thc.org/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: afp ncp oracle sapr3.
Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
% export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)
% export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
% export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)
Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
Open a command prompt and run the following command.
netsh wlan show profiles name=* key=clear > Desktop\Passkeys.txt
You can now open up the Passkeys.txt file and view all your saved networks.
If you just need to view one network, you can refer to this link.