About Password Brute Forcing

A password brute force attack is an attempt to gain unauthorized access to a system or network using a password-cracking technique. Common targets of brute force attacks are hosts running SSH, FTP and Windows.

You can find out if hosts on your network are vulnerable to brute force attacks by performing password brute force tests at scan time. To do so, enable password brute forcing in an option profile and then apply that profile to a scan task.

You have these password brute forcing options:

Use system-generated password lists based on the level of testing you want to perform. When a system level is selected, the scanning engine attempts to guess the password corresponding to each detected user login name on the scanned host.

Create and use custom password brute force lists. Each list is associated with a list type (Windows, SSH or FTP) and contains up to 50 user login names and passwords to be tested.

Use both system-generated and custom password brute force lists. When both System and Custom options are selected, the system-generated password lists are tested first, followed by the user-provided password lists.


System Password Brute Forcing Levels

System password brute forcing levels include: Minimal, Limited, Standard and Exhaustive. The higher the level, the more attempts are made to brute force each target host. Select "Minimal" brute forcing to test empty passwords for predefined accounts, including "Guest" (Windows), "Administrator" (Windows) and "SA" (MSSQL). Note that selecting "Exhaustive" will increase scan time.

The actual number of attempts made at each level depends on several factors and cannot be predicted in advance. Therefore, if you have an account lockout policy in place that prevents users from connecting to systems after a set number of failed login attempts, we recommend that you do not enable brute forcing. This is the only way to ensure that users will not be locked out.


Custom Password Brute Force Lists

Create a custom list of user login/password combinations to be tested at scan time. Each list is associated with a brute force type (Windows, SSH, FTP) and may include up to 50 login/password combinations.

List Types:

Windows. Create a list of Windows login/password combinations for brute forcing Windows hosts. The service attempts to connect to the local user database on each target host and tests the credentials provided in the Windows brute force list.

Note that the credentials are not forwarded to the Windows domain controller to authenticate against the domain user database. You must scan the domain controller to brute force domain accounts.

SSH. Create a list of SSH login/password combinations for brute forcing Unix-based hosts that support the SSH protocol (SSH1 and SSH2). If the scanning engine detects an SSH service running on the host, then it attempts to log into the service using the credentials provided in the SSH brute force list.

FTP. Create a list of FTP login/password combinations for brute forcing an FTP service on a target host. If the scanning engine detects an FTP service running on the host, then it attempts to log into the service using the credentials provided in the FTP brute force list.


Verifying Brute Force Tests

The service provides information in scan results, scan reports and host information about whether brute force attempts are successful by returning these QIDs:

QID 5005. NetBIOS Brute Force of Accounts. This QID is returned when brute forcing of a Windows host was successful. See the Result section of the vulnerability for a list of login/password combinations that were successful.

QID 38259. SSH User Login Bruteforced. This QID is returned when brute forcing of a Unix-based host was successful through SSH. See the Result section of the vulnerability for a list of login/password combinations that were successful.

QID 27056. Valid FTP Account Has Been Found. This QID is returned when brute forcing of a host was successful through FTP. See the Result section of the vulnerability for a list of login/password combinations that were successful.

Note that there are additional QIDs returned when an FTP server is accessible using the "anonymous" and "ftp" accounts. QID 27000 is returned when an FTP server is accessible using these accounts with any password. QID 27001 is returned when an FTP server is accessible using these accounts with a blank password.

Your scan results may return additional QIDs related to brute forcing. You can perform a search in the KnowledgeBase (Tools > KnowledgeBase) for all vulnerabilities in the "Brute Force Attack" category.
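The following Python script is an added example of triaging exported scan findings by the QIDs listed above; it is not part of this help page or the product. It assumes findings have already been exported into a list of dicts with host, qid and result keys, and the sample records and the one-login:password-per-line layout of the Result text are constructed assumptions, not the product's actual format.

```python
from collections import defaultdict

# QID meanings as documented on this page.
BRUTE_FORCE_SUCCESS = {
    5005: "NetBIOS Brute Force of Accounts (Windows)",
    38259: "SSH User Login Bruteforced",
    27056: "Valid FTP Account Has Been Found",
}
ANONYMOUS_FTP = {
    27000: "FTP accessible as anonymous/ftp with any password",
    27001: "FTP accessible as anonymous/ftp with a blank password",
}

# Constructed sample findings. The 'result' layout (one login:password per
# line) is an assumption, not the product's actual Result section format.
SAMPLE_FINDINGS = [
    {"host": "10.0.0.5", "qid": 5005, "result": "Administrator:\nguest:"},
    {"host": "10.0.0.5", "qid": 38259, "result": "root:toor"},
    {"host": "10.0.0.7", "qid": 27001, "result": "anonymous:"},
    {"host": "10.0.0.7", "qid": 27056, "result": "ftpuser:ftpuser"},
    {"host": "10.0.0.9", "qid": 27000, "result": "ftp:anything"},
    {"host": "10.0.0.9", "qid": 11, "result": "unrelated finding"},
]

def parse_accounts(result_text):
    """Split a Result section into (login, password) pairs."""
    accounts = []
    for line in result_text.splitlines():
        line = line.strip()
        if ":" in line:
            login, _, password = line.partition(":")
            accounts.append((login, password))
    return accounts

def triage(findings):
    """Group brute-force QIDs per host as {"cracked": [...], "anonymous_ftp": [...]};
    findings with unrelated QIDs are skipped."""
    report = defaultdict(lambda: {"cracked": [], "anonymous_ftp": []})
    for f in findings:
        qid, host = f["qid"], f["host"]
        if qid in BRUTE_FORCE_SUCCESS:
            for login, password in parse_accounts(f["result"]):
                report[host]["cracked"].append((qid, login, password))
        elif qid in ANONYMOUS_FTP:
            report[host]["anonymous_ftp"].append(qid)
    return dict(report)

def empty_password_accounts(report):
    """Accounts that fell to an empty password (the case the Minimal level tests)."""
    return sorted((host, login) for host, r in report.items()
                  for _, login, pw in r["cracked"] if pw == "")
```

Hosts listed under "cracked" need a password reset on the named accounts; hosts listed only under "anonymous_ftp" need the anonymous/ftp accounts reviewed rather than a credential change.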