Online

Brute force on online services.

Unlike offline cracking, an online attack must take into consideration:

  • Lockout threshold: how many attempts are possible before being blocked

  • Lockout duration: how long the block lasts

  • Lockout observation window: after how long the attempt counter is reset
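The three parameters in action, as an added example (not part of the original notes): a small in-memory model of an account lockout policy with a constructed timeline. The policy values, the user name and the event times are made up; the observation window is implemented as "reset the counter after N seconds without a failure" (the usual Windows meaning).

```python
# Added example (not from the original notes): an in-memory model of the
# three lockout parameters. Policy values and the timeline are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class LockoutPolicy:
    threshold: int   # failed attempts allowed before the account is blocked
    duration: float  # seconds the block lasts
    window: float    # seconds without a failure after which the counter resets


@dataclass
class _State:
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0


class LockoutTracker:
    """Tracks failed logins per account and enforces the policy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._accounts: Dict[str, _State] = {}

    def attempt(self, user: str, now: float, password_ok: bool) -> str:
        """Process one login attempt at time `now` (seconds).

        Returns "locked" (refused regardless of the password), "ok" or "fail".
        """
        st = self._accounts.setdefault(user, _State())
        if now < st.locked_until:
            return "locked"
        if password_ok:
            st.failures = 0          # a correct login clears the counter
            return "ok"
        # Observation window: if the last failure is older than `window`
        # seconds, the counter starts again from zero.
        if st.failures and now - st.last_failure > self.policy.window:
            st.failures = 0
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.policy.threshold:
            st.locked_until = now + self.policy.duration
            st.failures = 0
            return "locked"
        return "fail"


def simulate(policy: LockoutPolicy,
             events: List[Tuple[float, str, bool]]) -> List[str]:
    """Replay (time, user, password_ok) events and return each outcome."""
    tracker = LockoutTracker(policy)
    return [tracker.attempt(user, t, ok) for t, user, ok in events]


# Constructed timeline: threshold 3, block 10 min, counter reset after 5 min.
DEMO_POLICY = LockoutPolicy(threshold=3, duration=600, window=300)
DEMO_EVENTS = [
    (0, "alice", False),     # fail 1
    (10, "alice", False),    # fail 2
    (400, "alice", False),   # 390 s after the last failure: counter reset, fail 1
    (410, "alice", False),   # fail 2
    (420, "alice", False),   # fail 3 -> locked until t=1020
    (500, "alice", True),    # correct password but still locked
    (1100, "alice", True),   # block expired: success, counter cleared
    (1110, "alice", False),  # fail 1 again
]

if __name__ == "__main__":
    for (t, user, ok), outcome in zip(DEMO_EVENTS, simulate(DEMO_POLICY, DEMO_EVENTS)):
        print(f"t={t:5} {user} password_ok={ok!s:5} -> {outcome}")
```

The timeline shows why the window matters on both sides: attempts paced slower than the window never trip the lock, so a defender cannot rely on the lockout alone and should also count total failures per account and per source over a longer period.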

hydra -L <USERS.list> -P <PASS.list> [-s <PORT>] <IP> <SERVICE>
hydra -L <USERS.list> -P <PASS.list> <SERVICE>://<IP>:<PORT>
-C <USER:PASS.list> # Colon-separated "user:pass" pairs instead of -L/-P
-l <SINGLE_USER>
-p <SINGLE_PASS>
-U <SERVICE> # Show the usage details of a service module
-f # Stop after the first successful login
-u # Loop over all users for each password instead of all passwords for each user

Website

http-post-form "/index.php:usr=^USER^&pas=^PASS^:Login failed. Invalid"

Get the path (index.php) and the field names (usr, pas) from the HTTP request, and the failure string (“Login failed. Invalid”) from the response to a failed login.

To find valid usernames, take into consideration:

  • Login form

  • Registration form (to reuse the same email address: dots, s.t.u.d.e.n.t@gmail.com, or a tag, student+htb@gmail.com)

  • Password reset form

  • Cookies (ex. a cookie named “failed_login” set only when the username is valid)

  • Response time (use a long password)

  • Status codes

  • Error messages

  • Blocking of attempts only when made against an existing username
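The defender's counterpart to the list above, as an added example (not part of the original notes): a login check that answers identically for an unknown username and for a wrong password, so that message, status code, cookies, response time and lockout behaviour give away nothing about which accounts exist. The user table, salt and session value are constructed; the function and constant names are assumptions.

```python
# Added example (not from the original notes): a login check that gives the
# same answer for an unknown username and for a wrong password. The user
# table, salt and session value are constructed.
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, Tuple

ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user table: username -> (salt, pbkdf2 hash)
_SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "student": (_SALT, _hash("correct horse battery", _SALT)),
}

# Dummy record used for unknown usernames so that the same hashing work is
# done whether or not the account exists (keeps response time uniform).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-password", _DUMMY_SALT)

# One response for every failure cause: same status, same body, no cookie.
FAILURE = (401, "Invalid username or password", {})

# Failed-attempt counter keyed by the submitted name, existing or not, so the
# lockout behaviour cannot be used to tell real accounts from made-up ones.
FAILED: Dict[str, int] = defaultdict(int)


def login(username: str, password: str) -> Tuple[int, str, Dict[str, str]]:
    """Return (status, body, cookies); identical for both failure causes."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)
    matched = hmac.compare_digest(candidate, expected)  # constant-time compare
    if not (matched and username in USERS):
        FAILED[username] += 1
        return FAILURE
    FAILED[username] = 0
    return (200, "Welcome", {"session": "constructed-session-id"})


if __name__ == "__main__":
    print(login("nobody", "x"))
    print(login("student", "wrong"))
    print(login("student", "correct horse battery"))
```

The hashing always runs, the comparison is constant-time, and the counter is keyed on whatever name was submitted, which removes each of the enumeration signals listed above; a real deployment would also add per-source rate limiting.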

nxc [smb/winrm/mssql/ssh/ftp/rdp/wmi] <IP> -u <USERS.list> -p <PASS.list>
--continue-on-success # Keep going after a valid login is found
--no-bruteforce # Loop over all users for each password instead of all passwords for each user
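The two patterns those options produce look different in authentication logs: one password tried against many users (spray) versus many passwords against one user. As an added example (not part of the original notes), detection logic run over constructed log lines in a made-up key=value format; the thresholds and the window are assumptions.

```python
# Added example (not from the original notes): telling a password spray from
# a single-account brute force in constructed authentication log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (not real data): 10.0.0.5 tries six different users,
# 10.0.0.7 is a user who mistyped once, 10.0.0.9 hammers one account.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth=fail src=10.0.0.5 user=alice service=smb
2024-05-01T10:00:03Z auth=fail src=10.0.0.5 user=bob service=smb
2024-05-01T10:00:05Z auth=fail src=10.0.0.5 user=carol service=smb
2024-05-01T10:00:07Z auth=fail src=10.0.0.5 user=dave service=smb
2024-05-01T10:00:09Z auth=fail src=10.0.0.5 user=erin service=smb
2024-05-01T10:00:11Z auth=fail src=10.0.0.5 user=frank service=smb
2024-05-01T10:00:02Z auth=fail src=10.0.0.7 user=gina service=ssh
2024-05-01T10:00:20Z auth=success src=10.0.0.7 user=gina service=ssh
""" + "".join(
    f"2024-05-01T10:00:{i:02d}Z auth=fail src=10.0.0.9 user=bob service=winrm\n"
    for i in range(0, 60, 5)
)

LINE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>\w+) src=(?P<src>\S+) user=(?P<user>\S+)"
)


def parse(log: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse the constructed format into (timestamp, result, src, user)."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["result"], m["src"], m["user"]))
    return events


def classify(log: str, window: timedelta = timedelta(minutes=10),
             spray_users: int = 5, brute_attempts: int = 10) -> Dict[str, str]:
    """Return {source: "password_spray" | "brute_force"} for every source
    whose failures within some `window` reach either threshold."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, result, src, user in parse(log):
        if result == "fail":
            failures[src].append((ts, user))
    verdicts: Dict[str, str] = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = [u for ts, u in events[i:] if ts - start <= window]
            if len(set(in_window)) >= spray_users:
                verdicts[src] = "password_spray"   # many users, few tries each
                break
            if len(in_window) >= brute_attempts:
                verdicts[src] = "brute_force"      # one user, many tries
                break
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

Keying the spray rule on distinct usernames per source is what catches the `-u` / `--no-bruteforce` pattern, which stays under any per-account lockout threshold by design.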

Bypass Account Locking

  • Look for headers that bypass IP-based blocking (ex. X-Forwarded-For)

  • Log in correctly with your own account to reset the attempt counter (with a Burp macro; set max 1 concurrent request)
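Why the header trick works, and the fix, as an added example (not part of the original notes): a resolver that decides which address a rate limiter or IP block should key on. X-Forwarded-For is honoured only when the TCP peer is one of our own proxies, and then only the rightmost address that is not a proxy counts, since everything to its left is client-supplied. The proxy addresses and function name are assumptions.

```python
# Added example (not from the original notes): resolving the client address
# for IP-based blocking so a client-supplied X-Forwarded-For header cannot
# change which address gets blocked. Proxy addresses are constructed.
import ipaddress
from typing import Iterable, Optional

# Constructed: the reverse proxies that sit in front of the application.
TRUSTED_PROXIES = {"10.0.0.2", "10.0.0.3"}


def client_ip(remote_addr: str, xff_header: Optional[str],
              trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Return the address to key blocking on.

    remote_addr is the TCP peer; xff_header is the raw X-Forwarded-For value
    or None. The header is only trusted when the peer is one of our proxies.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted or not xff_header:
        return str(peer)  # direct connection: the header is untrusted input
    # Walk from the right: proxies append, so the first non-proxy address seen
    # from the right is the real client; anything left of it was user-supplied.
    for raw in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            return str(peer)  # malformed entry: fall back to the peer
        if addr not in trusted:
            return str(addr)
    return str(peer)  # every hop was one of ours


if __name__ == "__main__":
    print(client_ip("203.0.113.10", "198.51.100.7"))                  # header ignored
    print(client_ip("10.0.0.2", "9.9.9.9, 198.51.100.7, 10.0.0.3"))  # 198.51.100.7
```

A block keyed on the value this function returns cannot be moved to a different address by editing the header, which is the check to make when reviewing a lockout implementation behind a proxy.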
