Academy - Password Attacks - Password Mutations

I got quite frustrated with this exercise. I found the password by creating a “mut_password.list” with the command “hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list” given in the theory.

Note: The command that appears in the cheatsheet is “hashcat --force password.list -r custom.rule --stdout > mut_password.list” yields duplicate and unordered words. I did not use this one.

Then launch hydra with 64 threads against ftp instead of ssh because ssh takes longer. The logic is to think that the user “sam” uses the same password for ssh and ftp. After 30 min I got the password that is at the top of the sorted list “mut_password.list”.

Note: I used pwnbox


The wording of the question in this exercise could be improved. I just assumed that no NMap was needed and followed the question “brute force the SSH”. Maybe rather than:

Use this wordlist to brute force the SSH password for the user "sam"

Something like this would be better:

Enumerate the system and use the brute force techniques described in this module to recover SSH password for the user "sam"


I did the same and worked well.

sudo hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list

sudo hydra -l sam -P mut_password.list -T64

Estimated time: 1hr 15mins for Me

1 Like