Login Brute Forcing Cheat Sheet

What is Brute Forcing?

A trial-and-error method used to crack passwords, login credentials, or encryption keys by systematically trying every possible combination of characters.

Factors Influencing Brute Force Attacks

  • Complexity of the password or key
  • Computational power available to the attacker
  • Security measures in place

How Brute Forcing Works

  1. Start: The attacker initiates the brute force process.
  1. Generate Possible Combination: The software generates a potential password or key combination.
  1. Apply Combination: The generated combination is attempted against the target system.
  1. Check if Successful: The system evaluates the attempted combination.
  1. Access Granted (if successful): The attacker gains unauthorized access.
  1. End (if unsuccessful): The process repeats until the correct combination is found or the attacker gives up.

Types of Brute Forcing

Default Credentials

  • Default Usernames: Pre-set usernames that are widely known
  • Default Passwords: Pre-set, easily guessable passwords that come with devices and software

Brute-Forcing Tools

Hydra

  • Fast network login cracker
  • Supports numerous protocols
  • Uses parallel connections for speed
  • Flexible and adaptable
  • Relatively easy to use

Code: bash

hydra [-l LOGIN|-L FILE] [-p PASS|-P FILE] [-C FILE] -m MODULE [service://server[:PORT][/OPT]]

Medusa

  • Fast, massively parallel, modular login brute-forcer
  • Supports a wide array of services

Code: bash

medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]

Custom Wordlists

Username Anarchy generates potential usernames based on a target's name.

CUPP (Common User Passwords Profiler) creates personalized password wordlists based on gathered intelligence.

Password Policy Filtering

Password policies often dictate specific requirements for password strength, such as minimum length, inclusion of certain character types, or exclusion of common patterns. grep combined with regular expressions can be a powerful tool for filtering wordlists to identify passwords that adhere to a given policy. Below is a table summarizing common password policy requirements and the corresponding grep regex patterns to apply: