Password Attacks - Password Mutations | Academy

Hey I have been struggling with this section for hours. I got a mutated password list around 94K words. Separated the list into ten smaller lists.
Then I did: hydra -l sam -P [name of the smaller list] ftp://[target IP] -t 64
wasn’t able to find a valid password for user sam. Any help would be appreciated xD


Maybe you just didn’t try long enough.
The attack takes a very long time. Or you split the list and try it that way. The password is not in the first lines.

solved. not sure why I can find the password with 48 threads but not with 64 threads.

It takes alot of time to crack.but the target active time is 60 use the hydra’s restore feature and change the target ip

1 Like

I seem to be having a very frustrating experience with this one.

  • I already know that the best way to get the creds of sam is to use hydra against ftp instead of ssh.
  • Using the resources for the lab (password.list), I created the mutation file precisely as it said to (~94k lines after sorting)
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
  • In order to save time due to vpn connection timeout, I split this list using awk into many different files
  • I’m running Hydra as below against each file. Most of the files, I have tried multiple runs, just in case there’s any sort of network hiccup, etc. (I haven’t bothered to run a 2-character password multiple times, for example, but 6-char through 10-char, I’ve tried multiple times.)

I’ve been running these at various thread counts… 64, 40, 32…

I also added verbose output, just to make sure no unexpected issues with the passwords (non-standard characters in the password files, etc).

hydra -l sam -P <path>/mut_password_7char.list -t 64 -V
hydra -l sam -P <path>/mut_password_8char.list -t 64 -V
hydra -l sam -P <path>/mut_password_9char.list -t 64 -V


Bsed on the original poster pointing out it working with 48 thread/task count but not 64, I’ve changed to 48 (-t 48) but to no avail. I still can’t get sam’s password.


There is even another thread on the forums where another frustrated user posted the answer… if it was ever that password, it’s not anymore, because using that pw directly with ssh sam@<ip> or ftp doesn’t work either.

Any help (even how many characters the pw should be? what letter it starts with? anything?) would be very much appreciated. This is extremely frustrating.

addendum: (I also know the pw policy is 5-char minimum, but in my frustration was trying even 1 thru 4 chars)

1 Like

If you where I think you are (question of doom in my notes) try things over 10 Chars long for the password.

Ok, will try shifting focus to 10+ characters, will post results of the efforts. Thanks for replying!

Yeah that one killed me. I had a horrible time with it. I was able to use 64 threads in my case. But sorting anything out below 10 chars should get you there.

So I did end up getting it… still took multiple tries with what ended up being the correct “mut_password_(xx)char.list” file (over OpenVPN, not sure it pwnB0x is the issue), but finally got it. Thanks!

Ok some hint… -t 48 with hydra and it works… just have to wait about 50 minutos haha… Try with ftp not ssh… good luck!

1 Like

ftp open… nice catch there! That was really a time saver :slight_smile:

Hello, already solved it… forgot to do -p- scan haha. Thanks for answer

This lab takes too long in my opinion. The same principles can be learned without the need for a 64k wordlist slowly bruteforcing ssh.

Try this:

  1. Take password.list and custom.rule to create a mutation file hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
  2. Remove all passwords shorter than 10 with sed -ri '/^.{,9}$/d' mut_password.list
  3. Take the first 7000 head -7000 mut_password.list
  4. Bruteforce FTP hydra -l sam -P ./7000mut_password.list -t 64

Should speed it up some.


Try B words

1 Like

I tried this but it didn’t work. Do I miss something?

I would say you missed something. If you mutate the provided list, take those longer than 10 characters, and then only take those that start with a B, you should find it quicker

Thanks for this you saved me a lot of time. Not sure why the assessment is designed to have people waiting at terminal for hours. Maybe they didn’t think about it

1 Like

Whoever is the creator of this questions is trolling so hard… I wasted so much time trying to bruteforce ssh just to google that I need to attack ftp… It was complete waste of time, maybe next time just asks us to bruteforce ftp rather than ssh? there is literally nothing different on the method that a person use to achieve the end result. What is contradictory here is also that on other modules they are teaching you that you should ALWAYS communicate the scope of your work then all of a sudden they are asking you a question but expect from you to scan the target, find out that there is another service running and bruteforce it too? :smiley:


I love Batman


i love batman in 2022