Password guessing

Theory

There are scenarios where testers need to operate credential guessing for lateral movement, privilege escalation, or for obtaining a foothold on a system. Depending on the target user (or target system), guessing can be achieved differently.

There are three major types of credential guessing.

• Common passwords: a list of common passwords (admin, backup, qwerty, ...) are tested against one or more users. This technique is to be used with care since it can cause lockouts and a lot of noise, depending on the target organization's policies.
• Default passwords: certain technologies come with default passwords that are often left unchanged. This technique is similar to the "common passwords" technique, but generates less noise and has fewer chances of locking out an account.
• Situational guessing: there are many cases where user passwords are not common and yet easily guessable when knowing the organization's vocabulary and context.

Practice

Common passwords

Depending on the target service, different lists of common passwords (e.g. the SecLists ones) and different tools can be used.

• Hydra (C) can be used against a lot (50+) of services like FTP, HTTP, IMAP, LDAP, MS-SQL, MYSQL, RDP, SMB, SSH and many many more.
• NetExec (Python) can be used against LDAP, WinRM, SMB, SSH and MS-SQL.
• Kerbrute (Go) and smartbrute (Python) can be used against Kerberos pre-authentication.

netexec has useful options for password guessing

• --no-bruteforce: tries user1 -> password1, user2 -> password2 instead of trying every password for every user
• --continue-on-success: continues authentication attempts even after successes

Smartbrute has equivalent features

• --line-per-line: equivalent of netexec's --no-bruteforce option
• --stop-on-success: reversed equivalent of netexec's --continue-on-success option

Default passwords

This technique can be used with the same tools as the "common passwords" technique but with short and specific password lists. Depending on the number of passwords to try, the bruteforce can be done manually too.

Below are good examples of where to find default passwords

• SecLists's Default Credentials Sheet (for password)
• ihebski's DefaultCreds cheatsheet (for passwords and SSH keys)

Situational guessing

Users are known to be a weak (if not the weakest) link of security. Unaware users are known to choose passwords that are easy to remember, hence easy to guess. Below are a few examples that are found to be often used.

• the username
• the name of the company
• the city, or state
• the examples above with transformations (i.e. numbers and special characters before or after, capital letters, l33tspeak, and so on)
• a combination of some of the examples above

Testers can try the combinations of user/passwords with the tools mentioned in the "common passwords" technique.

username-anarchy is a tool that can produce a list of usernames based on a firstname and lastname.

Bruteforcing with lockout policies

Smartbrute (Python) and sprayhound (Python) can dynamically fetch the organization's users and lockout policy to only bruteforce accounts that have a few attempts left in order to avoid locking them out. This can only be done when supplying a valid Active Directory account's credentials. These tools have the ability to check if accounts have their username set as password. Finally, a great additional feature is that neo4j is supported and compromised accounts can be set as owned (useful when working with BloodHound).

Locking out accounts

As always when bruteforcing passwords in production environments, it is advised to be extra careful. Specific rule and custom tools can be put in place to lock accounts on too many failed attempts. Few offensive tools analyse granular policies. Fewer tools (none to my knowledge) enumerate custom defensive tools configurations.