Testing Controls for Bruteforcing

Following NIST’s guidelines for creating a good password policy is separate from having controls that detects activity that tries to defeat it. Specifically, detecting and protecting it from bruteforcing.

But of course, it supports and improves the end goal…security.

As part of the Red Team, one usual task that we do is testing security controls around and in-support of Defense in-Depth Network Security Philosophy and Zero Trust Model.

The purpose if this is to test the following

1. Detecting bruteforcing attempts
2. Testing how good is the password policy
3. Is the password policy being implemented and followed

To test and accomplish the 3 points, my team uses is Hydra, apopular and powerful bruteforcing tool.

Our simple process to accomplish this within our setup is the following:

1. From our Kali Box we launch Hydra with the following switches

- hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://192.168.50.163:22 -t 4 -V

-l <one username> or -L <for a list of username in a text file>
-P <wordlist to use location>
ssh<port>://<target>:<port number>
-t speed
-V — verbosity

2. hit control-z
- this will suspend a keyed terminal that is being worked on. It will alert you via the shell that there has been a suspension.

3. type ‘bg’
- this will set the process in background

4. disown -h
- this will keep the program running and continue working on other stuff and even after you log out