Configure Password Brute Forcing

A password brute force attack is an attempt to gain unauthorized access to a system or network using a password-cracking technique. Common targets of brute force attacks are hosts running FTP, SSH and Windows.

Are my hosts vulnerable?

You can find out if hosts on your network are vulnerable to brute force attacks by performing password brute force tests at scan time. Just enable password brute forcing in an option profile and then apply that profile to a scan.

What are my options for password lists?

- Use system-generated password lists. We attempt to guess the password corresponding to each detected user login name on the host.

- Create and use custom password brute force lists.

- Use both system-generated and custom password brute force lists (system lists are tested first).

Tell me about brute force password tests

There are 5 levels of password testing available: None, Minimal, Limited, Standard, Exhaustive.

Tell me about the testing levels

At Minimal, we attempt to access the User Database (through authentication or anonymously), and if we can, we check that the usernames do not have a blank password. If the user database is not accessible, then we only check the Administrator and Guest accounts with this method.

With Limited, we perform the same methodology as above, but also test that the username and password are not identical.

With Standard, we attempt to access the user database. If we can, then we will perform testing of the accounts according to a password generation scheme as well as performing the tests above. If we don't have access to the user database (for example for Windows hosts), then this check is similar to Limited for the Administrator and Guest accounts.

Exhaustive is similar to Standard, but we add further password checking according to our methodology and to how fast the target is responding to our requests. Dynamically generated passwords are only used when Exhaustive is selected. Note that selecting Exhaustive will increase scan time.

For Windows hosts, Standard is the same as Limited

If the Standard level is set and you're scanning Windows hosts, we'll always perform the Limited level tests.

Is the scan against a Domain Controller?

If yes, the behavior will be similar to Limited, unless Exhaustive is chosen. This is to prevent locking all accounts on the Domain Controller.

Still have questions?

Actual number of attempts at each level

The actual number of attempts made at each level is dependent on several factors. If you have a lockout policy established, preventing users from connecting to systems after a set number of failed login attempts, then we recommend that you do not enable brute forcing. This is the only way to ensure that users will not be locked out.

How to create a custom list

Create a custom list of login/password combinations to test.

1) Go to the Password Brute Forcing section in your option profile. Select Custom and click Configure.

2) Click New. Provide a title for your list, select a list type, and enter login/password combinations. Start with a login name (preceded by L:) followed on the next line with the corresponding password (preceded by P:). If the password is blank, you must still enter P: on the password line.

> Sample list

L:admin
P:admin
L:Guest
P:
L:Administrator
P:
L:Guest
P:qwerty
L:test
P:test
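The following is an added example, not part of the Qualys documentation or product: a small validator for the L:/P: list format described above, so a custom list can be checked for pairing mistakes (a login with no P: line, a P: line with no login) before it is uploaded. The entry names and the SAMPLE text are taken from the sample list; the function names are my own.

```python
"""Parse and validate a custom brute-force list written in the L:/P: line format."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Credential:
    login: str
    password: str  # "" means a blank password (a P: line with nothing after it)


class ListFormatError(ValueError):
    """Raised when the list does not follow the L:/P: pairing rules."""


def parse_custom_list(text: str) -> List[Credential]:
    """Return the login/password pairs in `text`.

    Rules from the documentation: every entry is an L: line followed by a P: line,
    and the P: line is mandatory even when the password is blank. Blank lines are
    skipped, so a list with spacing between lines still parses. Password text is
    kept verbatim (no stripping), since trailing spaces may be part of a password.
    """
    creds: List[Credential] = []
    pending_login: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        if raw.startswith("L:"):
            if pending_login is not None:
                raise ListFormatError(f"line {lineno}: previous L: line has no P: line")
            if not raw[2:].strip():
                raise ListFormatError(f"line {lineno}: empty login name")
            pending_login = raw[2:].strip()
        elif raw.startswith("P:"):
            if pending_login is None:
                raise ListFormatError(f"line {lineno}: P: line without a preceding L: line")
            creds.append(Credential(pending_login, raw[2:]))
            pending_login = None
        else:
            raise ListFormatError(f"line {lineno}: expected L: or P:, got {raw!r}")
    if pending_login is not None:
        raise ListFormatError("list ends with an L: line that has no P: line")
    return creds


def format_error(text: str) -> Optional[str]:
    """Return the first format problem in `text`, or None if the list is valid."""
    try:
        parse_custom_list(text)
    except ListFormatError as exc:
        return str(exc)
    return None


def blank_password_logins(creds: List[Credential]) -> List[str]:
    """Logins tested with a blank password (the entries that need a bare 'P:' line)."""
    return [c.login for c in creds if c.password == ""]


# The sample list from the documentation, reproduced as input for the parser.
SAMPLE = "L:admin\nP:admin\nL:Guest\nP:\nL:Administrator\nP:\nL:Guest\nP:qwerty\nL:test\nP:test\n"

if __name__ == "__main__":
    for cred in parse_custom_list(SAMPLE):
        print(cred)
```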

> Tell me about the list types

1) FTP login/password combinations for brute forcing an FTP service on a target host. If the scanning engine detects an FTP service running on the host, then it attempts to log into the service using the credentials provided in the FTP brute force list.

2) SSH login/password combinations for brute forcing Unix-based hosts that support the SSH protocol (SSH1 and SSH2). If the scanning engine detects an SSH service running on the host, then it attempts to log into the service using the credentials provided in the SSH brute force list.

3) Windows login/password combinations for brute forcing Windows hosts. The service attempts to connect to the local user database on each target host and tests the credentials provided in the Windows brute force list. Note that the credentials are not forwarded to the Windows domain controller to authenticate against the domain user database. You must scan the domain controller to brute force domain accounts.

> Who has permission to create lists?

Managers and Unit Managers can create, edit and delete brute force lists for the subscription.

> Deleting brute force lists

When deleting a brute force list, if the selected list is assigned to one or more option profiles, then it will be removed from those option profiles automatically.

How to verify brute force test

We provide information in scan results, scan reports and host information about whether brute force attempts are successful by returning these QIDs:

QID 5005. NetBIOS Brute Force of Accounts. This QID is returned when brute forcing of a Windows host was successful. See the Result section of the vulnerability for a list of login/password combinations that were successful.

QID 38259. SSH User Login Bruteforced. This QID is returned when brute forcing of a Unix-based host was successful through SSH. See the Result section of the vulnerability for a list of login/password combinations that were successful.

QID 27056. Valid FTP Account Has Been Found. This QID is returned when brute forcing of a host was successful through FTP. See the Result section of the vulnerability for a list of login/password combinations that were successful.

Note that there are additional QIDs returned when an FTP server is accessible using the "anonymous" and "ftp" accounts. QID 27000 is returned when an FTP server is accessible using these accounts with any password. QID 27001 is returned when an FTP server is accessible using these accounts with a blank password.

Your scan results may return additional QIDs related to brute forcing. You can perform a search in the KnowledgeBase for all vulnerabilities in the "Brute Force Attack" category.