Brute Force Scripts (`brute`) with Nmap

This article discusses how Nmap’s brute scripts work and provides practical examples of running brute force attacks with Nmap.
by İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

  4 minute read  

Introduction to Brute Force Attacks

Brute force attacks are a method of gaining unauthorized access to systems by systematically attempting various username-password combinations until the correct credentials are found. While these attacks are often associated with malicious activity, ethical hackers, penetration testers, and security analysts use brute force techniques to assess the strength of authentication mechanisms and identify potential vulnerabilities in a controlled environment.

One of the most powerful tools for conducting brute force attacks in an ethical hacking context is Nmap, a widely used network scanning tool. Nmap’s scripting engine (NSE) includes a category of scripts known as brute scripts that automate brute force attacks against various services, helping security professionals identify weak credentials.

This article will cover:

  • How Nmap’s brute scripts work
  • Commonly used brute scripts in Nmap
  • Practical examples of running brute force attacks with Nmap
  • Best practices for using Nmap brute force scripts ethically

Understanding Nmap’s Brute Force Scripts

Nmap’s scripting engine (NSE) provides a set of scripts under the brute category that perform brute force attacks against login services such as FTP, SSH, RDP, MySQL, and more. These scripts use predefined or custom wordlists of usernames and passwords to attempt authentication.

Brute force scripts work by:

  1. Identifying an open service on a target system.
  2. Attempting authentication using different username-password combinations.
  3. Reporting successful credentials or failed attempts.

To see a list of available brute scripts, you can run:

ls /usr/share/nmap/scripts | grep brute

Or use Nmap’s script listing feature:

nmap --script-help "brute"

This will display descriptions of various brute force scripts available within Nmap.

Commonly Used Nmap Brute Force Scripts

Here are some commonly used Nmap brute force scripts for different protocols:

1. ssh-brute.nse (SSH Brute Force)

This script attempts to brute force SSH logins.

Example Command:

nmap --script ssh-brute -p 22 <target>

2. ftp-brute.nse (FTP Brute Force)

Tests FTP login credentials.

Example Command:

nmap --script ftp-brute -p 21 <target>

3. http-brute.nse (HTTP Basic Authentication Brute Force)

Attempts to find valid credentials for web servers using Basic and Digest authentication.

Example Command:

nmap --script http-brute -p 80 <target>

4. rdp-brute.nse (Remote Desktop Protocol Brute Force)

Tests weak RDP credentials.

Example Command:

nmap --script rdp-brute -p 3389 <target>

5. mysql-brute.nse (MySQL Database Brute Force)

Attempts to guess MySQL login credentials.

Example Command:

nmap --script mysql-brute -p 3306 <target>

Practical Examples of Running Brute Force Scripts

Let’s dive into a step-by-step example of using Nmap brute force scripts effectively.

Step 1: Scanning for Open Ports

Before running brute force scripts, we need to identify open ports on the target.

Command:

nmap -p 21,22,80,3389,3306 <target>

If an open service is detected, we can proceed with brute force attempts.

Step 2: Running a Brute Force Attack on SSH

To attempt brute force authentication on SSH, we use:

nmap --script ssh-brute -p 22 --script-args userdb=users.txt,passdb=pass.txt <target>
  • userdb=users.txt - Specifies a file containing a list of usernames.
  • passdb=pass.txt - Specifies a file containing potential passwords.

Step 3: Automating with Multiple Scripts

We can run multiple brute force scripts together to test various services:

nmap --script ssh-brute,ftp-brute,http-brute -p 21,22,80 <target>

Best Practices and Ethical Considerations

While Nmap brute force scripts are useful for security testing, improper usage can have legal and ethical consequences. Here are some best practices:

1. Obtain Proper Authorization

Always get explicit permission before testing a system. Running brute force attacks on unauthorized systems is illegal and unethical.

2. Limit Login Attempts

Use rate-limiting to prevent excessive login attempts that may cause service disruptions.

Example: Adding brute.firstonly=true to stop once a valid credential is found:

nmap --script ssh-brute --script-args brute.firstonly=true -p 22 <target>

3. Use Strong Wordlists

Leverage well-structured username and password lists to improve efficiency. Some good sources include:

  • rockyou.txt (Common passwords)
  • SecLists (Comprehensive wordlists)

4. Be Aware of Account Lockouts

Some systems lock accounts after repeated failed login attempts. Test in a controlled manner to avoid disruption.

5. Log and Analyze Results Responsibly

Document findings and share insights with authorized personnel to enhance security.

Conclusion

Brute force scripts in Nmap are valuable tools for penetration testers and security professionals to identify weak credentials in various authentication systems. However, responsible and ethical use is critical to avoid legal and ethical issues. By obtaining proper authorization, using controlled testing methods, and analyzing results effectively, security practitioners can help organizations strengthen their defenses against brute force attacks.

Whether you are a beginner learning about Nmap scripting or an experienced tester looking to automate login security assessments, Nmap’s brute scripts provide a powerful way to test authentication mechanisms. Always use these scripts with caution and adhere to ethical hacking guidelines.


< Nmap Local LabExploitation Scripts with Nmap >