Password Attacks (Brute Force, Spray, Hybrid)

Password attacks target authentication systems by guessing or deriving valid credentials. Brute force, password spraying, and hybrid attacks are the most common methods used during network pentesting. These techniques help identify weak password practices, misconfigured authentication systems, and insecure account lockout policies. Understanding how these attacks work allows pentesters to evaluate the effectiveness of password policies and authentication security.

Understanding Password Attacks

Password attacks exploit weak or predictable passwords. They target services such as:

  • SSH

  • RDP

  • FTP

  • SMB

  • WinRM

  • Web logins

  • Database logins

Before performing any password attack, pentesters must confirm that such testing is included in the scope and permitted.

Brute-Force Attacks

Brute-force attacks try every possible password until the correct one is found. This method is effective only when:

  • Passwords are short

  • Password complexity is low

  • Lockout policies are weak or disabled

Using Hydra for Brute Force

hydra -l admin -P passwords.txt ssh://10.10.10.5

This tests the “admin” username against all passwords in the list.

Using Medusa

medusa -h 10.10.10.5 -u admin -P passlist.txt -M ssh

Brute-force attacks reveal weak authentication systems and poor rate-limiting.

Password Spraying

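Password spraying uses one password against many usernames. Because each account receives only one attempt per pass, failed-login counters stay below the lockout threshold, and the technique is effective when organizations use predictable password formats.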

Spraying targets:

  • AD domain accounts

  • Email accounts

  • VPN logins

  • Web portals

Using CrackMapExec

cme smb 10.10.10.0/24 -u users.txt -p "Welcome123"

If the password is commonly used across accounts, spraying yields quick results with minimal lockouts.

Using Hydra for Spray

hydra -L users.txt -p Password123 rdp://10.10.10.5

Password spraying often succeeds because many environments use shared patterns such as:

  • Welcome123

  • Company@2024

  • Username@123

Hybrid Attacks

Hybrid attacks combine dictionary and brute-force approaches. They modify base words by adding numbers, symbols, or patterns. This approach is effective against predictable human-created passwords.

Hybrid attacks target passwords like:

  • Password2024

  • Admin@123

  • Summer2023!

Using Hashcat Hybrid Mode

hashcat -a 6 hashes.txt wordlist.txt ?d?d?d

This appends three digits to each word.

Another Example

hashcat -a 7 hashes.txt ?s?s wordlist.txt

This prepends two special characters.

Hybrid attacks work well against passwords that follow predictable organizational rules.

Credential Stuffing

Credential stuffing tests username-password pairs leaked from previous breaches. Many users reuse passwords across multiple systems.

Using Hydra

hydra -C combos.txt ssh://10.10.10.5

Using CrackMapExec

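cme smb 10.10.10.5 -u users.txt -p passwords.txt --no-bruteforce

With --no-bruteforce, CrackMapExec pairs line N of users.txt with line N of passwords.txt rather than trying every combination, so the leaked pairs are split across the two files.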

Reused credentials can compromise multiple systems quickly.

Tools for Password Attacks

Common tools include:

  • Hydra

  • Medusa

  • CrackMapExec

  • Ncrack

  • Metasploit auxiliary modules

  • Hashcat (offline cracking)

Different tools support different protocols and attack styles.

Account Lockout and Detection

Password attacks must respect lockout policies. Pentesters observe:

  • Allowed attempts before lockout

  • Lockout duration

  • Reset conditions

  • Logging behavior

If lockout policies are weak, attackers can brute force accounts easily.
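
The logging behavior listed above is what lets a defender tell the attack styles apart. The following is an added example, not part of the original page: it groups failed SSH logins by source address and labels each source as brute force (many guesses at one account) or spray (few guesses at many accounts). The log lines are constructed, and the window and thresholds are assumptions to be tuned to the lockout policy in force.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (sample data, not from a real system).
LINE = "Mar 10 09:{:02d}:{:02d} host sshd[1]: Failed password for {} from {} port 40000 ssh2"
SAMPLE_LOG = "\n".join(
    [LINE.format(0, s, "admin", "10.10.10.50") for s in range(6)]
    + [LINE.format(5, s, u, "10.10.10.51")
       for s, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [LINE.format(7, 0, "invalid user test", "10.10.10.52"),
       "Mar 10 09:07:30 host sshd[1]: Accepted password for alice from 10.10.10.52 port 40000 ssh2"])

FAILED = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+")

def parse(log, year=2024):
    """Yield (timestamp, user, source_ip) for each failed SSH password event."""
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:  # syslog timestamps carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def classify(log, window=timedelta(minutes=10), min_users=4, min_tries=5):
    """Label each source IP 'brute-force', 'spray' or 'normal'."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse(log):
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        verdict = "normal"
        for i, (start, _) in enumerate(events):  # sliding window per start event
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if max(per_user.values()) >= min_tries:
                verdict = "brute-force"  # many guesses against one account
                break
            if len(per_user) >= min_users:
                verdict = "spray"        # few guesses against many accounts
        verdicts[ip] = verdict
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(ip, verdict)
```

Lockout counters are kept per account, so the spray source only stands out when failures are grouped by source address rather than by username.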

Password Attack Defense Indicators

During enumeration, pentesters check for weaknesses such as:

  • Lack of MFA

  • Enabled password login instead of key-based login

  • Permissive rate limits

  • Reused passwords

  • Weak complexity rules

These indicators predict the likelihood of successful password attacks.

Why Password Attacks Matter

Password attacks expose weak authentication systems, poor security practices, and predictable password structures. These attacks often lead to unauthorized access, escalation, and lateral movement. Understanding these methods helps assess real-world risks and harden authentication systems effectively.

Intel Dump

  • Brute-force attacks try all passwords for one user

  • Password spraying tries one password across many users

  • Hybrid attacks combine dictionary words with patterns

  • Tools include Hydra, Medusa, CrackMapExec, and Hashcat

  • Weak lockout policies, reused passwords, and predictable formats increase vulnerability
