# Introduction

- Trial-and-error method to crack passwords, creds, keys, hashes, etc. by systematically trying a predefined set of character combinations
- Usually leverages a wordlist from `/usr/share/seclists` or a custom wordlist built for the specific target
- Factors for success:
    - Complexity of the target secret
    - Computational power available
    - Security measures in place: account lockouts, CAPTCHA, etc.
- Brute forcing should not be used in all cases; employ it strategically only when:
    - Other avenues are exhausted
    - Password policies are known and weak
    - Specific accounts are targeted

# Types of Brute Forcing

|Method|Description|Example|Best Used When...|
|---|---|---|---|
|`Simple Brute Force`|Systematically tries all possible combinations of characters within a defined character set and length range.|Trying all combinations of lowercase letters from 'a' to 'z' for passwords of length 4 to 6.|No prior information about the password is available, and computational resources are abundant.|
|`Dictionary Attack`|Uses a pre-compiled list of common words, phrases, and passwords.|Trying passwords from a list like 'rockyou.txt' against a login form.|The target will likely use a weak or easily guessable password based on common patterns.|
|`Hybrid Attack`|Combines elements of simple brute force and dictionary attacks, often appending or prepending characters to dictionary words.|Adding numbers or special characters to the end of words from a dictionary list.|The target might use a slightly modified version of a common password.|
|`Credential Stuffing`|Leverages leaked credentials from one service to attempt access to other services, assuming users reuse passwords.|Using a list of usernames and passwords leaked from a data breach to try logging into various online accounts.|A large set of leaked credentials is available, and the target is suspected of reusing passwords across multiple services.|
|`Password Spraying`|Attempts a small set of commonly used passwords against a large number of usernames.|Trying passwords like 'password123' or 'qwerty' against all usernames in an organization.|Account lockout policies are in place, and the attacker aims to avoid detection by spreading attempts across multiple accounts.|
|`Rainbow Table Attack`|Uses pre-computed tables of password hashes to reverse hashes and recover plaintext passwords quickly.|Pre-computing hashes for all possible passwords of a certain length and character set, then comparing captured hashes against the table to find matches.|A large number of password hashes need to be cracked, and storage space for the rainbow tables is available.|
|`Reverse Brute Force`|Targets a single password against multiple usernames, often used in conjunction with credential stuffing attacks.|Using a leaked password from one service to try logging into multiple accounts with different usernames.|A strong suspicion exists that a particular password is being reused across multiple accounts.|
|`Distributed Brute Force`|Distributes the brute forcing workload across multiple computers or devices to accelerate the process.|Using a cluster of computers to perform a brute-force attack significantly increases the number of combin| |

# Password Security Fundamentals

- NIST SP 800-63B provides guidelines for passwords
    ![[images/Pasted image 20251117190405.png]]
    - Length: 8-64 characters
    - Complexity: still a consideration, but now de-emphasized in favor of length, MFA, and passphrases
    - Uniqueness/Password Resets: only change a password if it is compromised
    - Randomness: maintain a blocklist of common dictionary words, phrases, etc.
- Common password weaknesses:
    - Short passwords
    - Common words and phrases
    - Personal info
    - Password reuse
    - Predictable patterns: l33t speak, qwerty, 123456, etc.
- Password policies:
    - Minimum length
    - Complexity: combination of uppercase, lowercase, numbers, special characters
    - Password expiration
    - Password history

# Common Default Creds

- Common usernames: admin, root, user, guest, null
    - also see `/usr/share/seclists/Usernames/usernames-shortlist.txt`

| Device/Manufacturer  | Default Username | Default Password | Device Type           |
| -------------------- | ---------------- | ---------------- | --------------------- |
| Linksys Router       | admin            | admin            | Wireless Router       |
| D-Link Router        | admin            | admin            | Wireless Router       |
| Netgear Router       | admin            | password         | Wireless Router       |
| TP-Link Router       | admin            | admin            | Wireless Router       |
| Cisco Router         | cisco            | cisco            | Network Router        |
| Asus Router          | admin            | admin            | Wireless Router       |
| Belkin Router        | admin            | password         | Wireless Router       |
| Zyxel Router         | admin            | 1234             | Wireless Router       |
| Samsung SmartCam     | admin            | 4321             | IP Camera             |
| Hikvision DVR        | admin            | 12345            | DVR                   |
| Axis IP Camera       | root             | pass             | IP Camera             |
| Ubiquiti UniFi AP    | ubnt             | ubnt             | Wireless Access Point |
| Canon Printer        | admin            | admin            | Network Printer       |
| Honeywell Thermostat | admin            | 1234             | Smart Thermostat      |
| Panasonic DVR        | admin            | 12345            | DVR                   |
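As an added defender-side example (not part of the original notes), a small Python checker that applies the NIST SP 800-63B points from the Password Security Fundamentals section: the 8-64 length bounds, a blocklist lookup after undoing l33t speak and hybrid-style suffixes, and rejection of the predictable patterns and personal info listed as common weaknesses. The blocklist and l33t map are constructed here; the blocklist seeds from the default passwords in the table above plus the common patterns the notes mention, standing in for a breached-password list such as rockyou.txt.

```python
import re

# NIST SP 800-63B bounds noted above: accept at least 8, allow up to 64.
MIN_LEN, MAX_LEN = 8, 64

# Constructed blocklist: default passwords from the table plus the common
# patterns the notes list. In practice load a breached-password wordlist.
BLOCKLIST = {"password", "password123", "qwerty", "123456", "admin", "root",
             "cisco", "ubnt", "pass", "1234", "12345", "4321"}

# Reverse common l33t substitutions so "p@ssw0rd" compares as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Keyboard walks and digit runs the notes call predictable patterns.
SEQUENCES = re.compile(r"(0123|1234|2345|3456|4567|5678|6789|qwer|asdf|zxcv)")


def normalize(password: str) -> str:
    """Reduce hybrid variants like 'P@ssw0rd123!' to their dictionary root:
    lowercase, strip trailing digits/symbols, then undo l33t substitutions."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET)


def check_password(password: str, user_context: tuple = ()) -> list:
    """Return the list of policy violations; an empty list means acceptable.
    user_context holds identifiers (username, email local part) that must not
    appear inside the secret."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    root = normalize(password)
    if root in BLOCKLIST or password.lower() in BLOCKLIST:
        problems.append(f"blocklisted root '{root}'")
    if SEQUENCES.search(password.lower()):
        problems.append("predictable sequence")
    if re.fullmatch(r"(.)\1+", password):
        problems.append("single repeated character")
    for ctx in user_context:
        if ctx and ctx.lower() in password.lower():
            problems.append(f"contains personal info '{ctx}'")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123", "correct horse battery staple", "qwerty"):
        print(candidate, "->", check_password(candidate) or "OK")
```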