Editing Password Attacks

== Password Attacks ==

Password attacks target authentication systems by attempting to gain access using valid or guessed credentials. These techniques play a central role in assessing the strength of user access controls, exposing weak password hygiene, misconfigurations, or lack of rate-limiting.

Password-based authentication remains the most common form of access control, making it a recurring target for security assessments and enumeration strategies.

=== Goals ===
* Identify valid username and password pairs
* Test authentication mechanisms for resilience
* Bypass login portals or API authentication
* Expose weak, reused, or default credentials

=== Common Techniques ===
* '''Brute-force attacks''' – systematically try all possible combinations.
* '''Dictionary attacks''' – use wordlists of common or leaked passwords.
* '''Credential stuffing''' – use known username/password pairs from breaches.
* '''Password spraying''' – try a small set of passwords across many accounts.
* '''Default credential testing''' – test common vendor defaults on devices and services.

=== Concepts ===
* '''Username enumeration''' – discovering valid usernames before attempting login.
* '''Rate-limiting evasion''' – bypassing protections like CAPTCHAs, lockouts, and timeouts.
* '''Multi-factor resistance''' – identifying systems lacking MFA or with weak fallback paths.
* '''Authentication protocol abuse''' – targeting flaws in NTLM, RDP, SSH, or web auth flows.

=== Tools ===
* [[Hydra]] – high-speed network login cracker supporting many protocols
* [[Medusa]] – fast, parallel, and modular login brute-forcer
* [[Ncrack]] – network authentication cracking tool from the Nmap team
* [[CrackMapExec]] – post-exploitation and credential validation tool for Windows networks
* [[Patator]] – multi-purpose brute-forcing tool with flexible module support
* [[John the Ripper]] – offline password cracker for local hash files
* [[Hashcat]] – GPU-accelerated password cracker for hashes (offline)
* [[Username-Anarchy]] – generates realistic username lists from real-world names
* [[Kerbrute]] – brute-forces and enumerates Kerberos accounts
* [[Crowbar]] – brute-force tool with support for SSH, RDP, and more

=== Wordlists & Resources ===
* [https://github.com/danielmiessler/SecLists SecLists] – extensive collection of wordlists for usernames, passwords, and URLs
* [https://haveibeenpwned.com Have I Been Pwned] – check for breached credentials
* [https://github.com/Flangvik/SharpCollection SharpCollection] – Windows-focused red team tools and password resources
* [https://weakpass.com/ weakpass.com] – community-driven password dumps and dictionaries
* [https://crackstation.net crackstation.net] – precomputed hash lookup tables and cracking tips

=== Common Targets ===
* '''SSH''' – brute-forcing port 22
* '''FTP''' – default credentials and weak password combinations
* '''HTTP(S)''' – login forms, API tokens, and session-based auth
* '''SMB / RDP''' – targeting exposed Windows services
* '''Web CMS''' – WordPress, Joomla, Drupal admin panels
* '''Routers & IoT''' – testing default credentials and vendor-specific backdoors

=== Defensive Indicators ===
* Sudden spike in failed login attempts
* Auth logs showing repeated logins from single IP
* Lockout or throttling mechanisms being triggered
* Auth bypass via known default credentials

=== See Also ===

* [[Credential Dumping]]
* [[Privilege Escalation]] 
* [[Initial Access]]