Cheat Sheet How to pass the OSCP Offensive Security Certified Professional Exam Step-by-Step Guide- Directory/Service Brute Forcing – PART 3

Acronis Cyber Protect

Directory Brute Forcing and Service Brute Forcing

The OSCP exam will almost certainly have a service that you can brute force a local or admin account on, there will also be webservers that will have unlinked content that you can find such as password files, user accounts and developer portals that provide easy access.

You will need to gather wordlist files to perform these activities, links are provided at the bottom of this section for download.


This is a gui based directory brute forcing application that can be very quick if your system can support it.

Image result for dirbuster

A command line version that is very powerful is “dirb”

root@wittyserver:~/oscp/# dirb

DIRB v2.22
By The Dark Raver

WORDLIST_FILES: /root/oscp/dirbuster/common.txt



—- Scanning URL: —-

Brute forcing services:

Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at
Don’t use in military or secret service organizations, or for illegal purposes.

Supported services: asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

root@wittyserver:~/oscp/# hydra -L /root/oscp/dirbuster/big.txt -P /root/wordlist/500-worst-passwords.txt ssh://

hydra -l admin -P /usr/share/wordlists/rockyou.txt -o results.txt ssh://

root@wittyserver:~# medusa -h -U users.txt -P passwords.txt -M ssh

Crack Passwords (hydra/THC bruter)
(need mil-dict.txt from Milw 0rm – cracked hashs)

FTP – hydra -l -P mil-dic.txt -f ftp -V

POP3 – hydra -l -P mil-dict.txt -f pop3 -V (may need to use -t 15 to limit concurrent connections)

SNMP – hydra -P mil-dict.txt -f -V

MS VPN – dos2unix words (whatever word list) cat words | thc-pptp-bruter VPN server


I like to keep 3 size word lists:

1. small and fast: usually based on the output of one of the tools i’m about to tell you about

2. medium: this is my custom list that I add passwords I find / crack and generally think are good to add. I’m pretty picky about what goes into this list

3. huge: any wordlist I come across gets added to this list, it gets sorted and uniqued and restored

Now the two tools that I like for the small list is are CeWL and wyd:

CeWL –
Wyd –

They have some very similar lists of features, your mileage may vary. But they basically parse files and web pages for words and generate password lists based on the words found.

Update on Sunday, February 21, 2010 at 1:57AM by Rob Fuller

I missed one hell of a treasure trove of word lists: (broken link. Does anyone have it hosted elsewhere?)
shhh! –


rockyou:  (Kevin’s Word Lists)

Leave a Comment