
Introduction:
Nmap is widely known as a network scanning tool, but its embedded Nmap Scripting Engine (NSE) transforms it into a powerful password cracking platform. By leveraging dictionary attacks across multiple protocols simultaneously, attackers can automate credential theft against FTP, SSH, SMB, and databases—often gaining initial access within minutes.
Learning Objectives:
- Execute brute-force attacks against common services using Nmap’s NSE brute scripts
- Identify weak credential configurations across FTP, SSH, Telnet, SMB, MySQL, and MSSQL
- Implement defensive measures including account lockout policies, rate limiting, and intrusion detection
You Should Know:
1. Understanding Nmap NSE Brute Force Scripts
The Nmap Scripting Engine (NSE) includes a dedicated `brute` category designed for automated password guessing. These scripts run in parallel, making them significantly faster than sequential brute-forcers. To list all available brute scripts on a Linux system:
```bash
# Locate all NSE brute scripts
locate .nse | grep brute
# Alternative if locate is unavailable (the pattern needs wildcards, or find matches nothing)
find /usr/share/nmap/scripts/ -name "*brute*"
# View the categories and arguments of a specific script
nmap --script-help ftp-brute.nse
```
Key scripts include: ftp-brute, ssh-brute, telnet-brute, smb-brute, mysql-brute, ms-sql-brute, http-brute, and postgres-brute. Each script accepts `userdb` and `passdb` arguments to specify custom wordlists. Default wordlists are usually found in `/usr/share/nmap/nselib/data/`, or you can supply your own.
Step‑by‑step guide:
- Prepare two text files: `users.txt` (one username per line) and `passwords.txt` (one password per line).
- Execute a brute-force scan against a target IP on a specific port.
- Analyze output for `Valid credentials` or `Success` messages.
Example basic syntax:
```bash
nmap -p 21 --script ftp-brute --script-args userdb=users.txt,passdb=passwords.txt 192.168.1.100
```
2. Cracking FTP and SSH Credentials in Practice
FTP and SSH remain top targets due to widespread misconfiguration. For FTP, attackers exploit anonymous access or default credentials. For SSH, they target weak passwords on exposed port 22.
FTP brute-force command:
```bash
nmap -p21 --script ftp-brute --script-args userdb=users.txt,passdb=passwords.txt,ftp-brute.timeout=10s 192.168.1.150
```
The `timeout` parameter avoids hangs on unresponsive servers.
SSH brute-force command:
```bash
nmap -p22 --script ssh-brute --script-args userdb=users.txt,passdb=passwords.txt,ssh-brute.timeout=10s 192.168.1.150
```
If valid credentials are found, Nmap outputs the username/password combination directly. Attackers often combine this with privilege escalation scripts.
Windows native alternative (PowerShell): While Nmap runs on Windows, a built-in alternative for basic testing is:
```powershell
# Test-NetConnection only confirms that port 22 is reachable; it does not test a credential
Test-NetConnection -Port 22 192.168.1.150
# For actual brute forcing, use third-party tools like Invoke-BruteForce
```
3. Targeting SMB, MySQL, and MSSQL with Nmap
Network file shares and databases frequently use default or easily guessable credentials. Nmap’s SMB brute script can uncover open shares with weak passwords, while MySQL and MSSQL scripts target database authentication.
SMB brute-force (port 445):
```bash
nmap -p445 --script smb-brute --script-args userdb=users.txt,passdb=passwords.txt 192.168.1.150
```
Additional SMB scripts like `smb-enum-users` can first enumerate valid usernames, then feed them into smb-brute.
MySQL brute-force (port 3306):
```bash
nmap -p3306 --script mysql-brute --script-args userdb=users.txt,passdb=passwords.txt 192.168.1.150
```
MSSQL brute-force (port 1433):
```bash
nmap -p1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=passwords.txt 192.168.1.150
```
Step‑by‑step for database hardening:
- Run the brute script to identify weak credentials.
- On Linux, review MySQL logs for failed attempts:

```bash
sudo grep "Access denied" /var/log/mysql/error.log
```

- On Windows with MSSQL, enable failed login auditing via SQL Server Management Studio → Security → Audits.
- Implement account lockout after 5 failed attempts using `ALTER LOGIN` policies (MSSQL) or `FAILED_LOGIN_ATTEMPTS` (MySQL).
4. HTTP Basic Authentication Brute-Forcing
Web applications using HTTP Basic Authentication (common on routers, APIs, and internal tools) are vulnerable to Nmap’s `http-brute` script, which supports multiple authentication methods including Digest and NTLM.
Command:
```bash
nmap -p80 --script http-brute --script-args userdb=users.txt,passdb=passwords.txt,http-brute.path=/admin 192.168.1.150
```
The `path` argument specifies the protected URL (default is /). For HTTPS, use `-p443` and the script auto-negotiates SSL.
API security note: Many REST APIs use token-based auth, not Basic. However, legacy APIs or internal microservices may still rely on Basic Auth. Attackers combine `http-brute` with directory enumeration to locate login endpoints.
Mitigation commands (Linux – Nginx), rate limiting requests to /admin:

```bash
sudo apt install nginx -y
```

Define the shared limit zone once in the `http` block of /etc/nginx/nginx.conf. Without this line the `limit_req zone=one` reference below fails with an "unknown zone" error on reload (the zone size and rate shown are illustrative values):

```nginx
limit_req_zone $binary_remote_addr zone=one:10m rate=5r/m;
```

Add to /etc/nginx/sites-available/default:

```nginx
location /admin {
    limit_req zone=one burst=5 nodelay;
    proxy_pass http://localhost:8080;
}
```

Test the configuration and reload:

```bash
sudo nginx -t && sudo nginx -s reload
```
5. Defensive Measures: Detecting and Mitigating Nmap Brute Force Attacks
Defenders can detect Nmap brute-force attempts via network monitoring, failed login logs, and rate-based alerts. Below are actionable steps for both Linux and Windows servers.
Linux detection:
```bash
# Count failed SSH attempts per source IP. Extracting the address after "from"
# also works for "invalid user" lines, where the fixed awk field $11 would
# print the username instead of the IP.
sudo grep "Failed password" /var/log/auth.log | grep -oE 'from [0-9.]+' | awk '{print $2}' | sort | uniq -c | sort -nr
# Drop sources opening more than 10 new SSH connections within 60 seconds.
# The --set rule records each new connection; --update alone never matches
# because the recent list would stay empty.
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name SSH -j DROP
# Install fail2ban for automated protection and start it at boot
sudo apt install fail2ban -y
sudo systemctl enable --now fail2ban
```
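A defender-side correlation script (an added example, not code from the original post or from the Nmap project) that generalises the single-service grep pipeline above to sshd, vsftpd and MySQL logs and flags a source that fails against several services at once, the footprint a multi-port brute run leaves. The log lines are constructed samples, and the service names and thresholds are choices made here:

```python
"""Correlate failed logins from several services by source IP.
Added example, not code from the original post or from Nmap: it generalises
the grep pipeline above to sshd, vsftpd and MySQL logs and flags a source that
fails against several services at once. All sample log lines are constructed."""
import re
from collections import defaultdict

# One regex per service, each capturing the client IPv4 address.
PATTERNS = {
    # Matches "for root from X" and "for invalid user admin from X"; the extra
    # words shift awk field positions, so anchor on "from" instead of $11.
    "ssh": re.compile(r"sshd\[\d+\]: Failed password for .+ from (\d+(?:\.\d+){3})"),
    # vsftpd.log: ... [user] FAIL LOGIN: Client "1.2.3.4"
    "ftp": re.compile(r'FAIL LOGIN: Client "(\d+(?:\.\d+){3})"'),
    # MySQL error.log: Access denied for user 'root'@'1.2.3.4' (using password: YES)
    "mysql": re.compile(r"Access denied for user '[^']*'@'(\d+(?:\.\d+){3})'"),
}

# Constructed sample: one host hitting three services, one typo from an admin.
SAMPLE_LOG = """\
Mar  3 10:00:01 srv sshd[2211]: Failed password for root from 192.168.1.150 port 51234 ssh2
Mar  3 10:00:02 srv sshd[2212]: Failed password for invalid user admin from 192.168.1.150 port 51235 ssh2
Mar  3 10:00:02 srv sshd[2213]: Failed password for alice from 10.0.0.5 port 40001 ssh2
Tue Mar  3 10:00:03 2026 [pid 2300] [anonymous] FAIL LOGIN: Client "192.168.1.150"
Tue Mar  3 10:00:03 2026 [pid 2301] [ftpuser] FAIL LOGIN: Client "192.168.1.150"
2026-03-03T10:00:04.000000Z 12 [Note] [MY-010926] [Server] Access denied for user 'root'@'192.168.1.150' (using password: YES)
""".splitlines()

def failures_by_ip(lines):
    """Return {ip: {service: failure_count}} for every recognised line."""
    table = defaultdict(lambda: defaultdict(int))
    for line in lines:
        for service, rx in PATTERNS.items():
            match = rx.search(line)
            if match:
                table[match.group(1)][service] += 1
                break
    return {ip: dict(counts) for ip, counts in table.items()}

def suspicious_sources(lines, max_failures=10, min_services=2):
    """Flag an IP that reaches max_failures in total or fails against at least
    min_services distinct services (the multi-port pattern of an NSE brute run)."""
    flagged = {}
    for ip, counts in failures_by_ip(lines).items():
        total = sum(counts.values())
        if total >= max_failures or len(counts) >= min_services:
            flagged[ip] = {"total": total, "services": sorted(counts)}
    return flagged
```

Point `failures_by_ip` at real files (for example the concatenated contents of /var/log/auth.log, /var/log/vsftpd.log and /var/log/mysql/error.log) and the same thresholds apply; the admin's single typo from 10.0.0.5 is not flagged, while 192.168.1.150 is.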
Windows detection (PowerShell as Admin):
```powershell
# Query the Security log for failed logons (Event ID 4625). The source address is the
# IpAddress field, replacement string index 19; index -1 is the client port, not the IP.
Get-EventLog -LogName Security -InstanceId 4625 -Newest 100 | Select-Object TimeGenerated, @{Name="IP";Expression={$_.ReplacementStrings[19]}}
# Block an IP using Windows Defender Firewall
New-NetFirewallRule -DisplayName "Block Brute IP" -Direction Inbound -RemoteAddress 192.168.1.150 -Action Block
```
Cloud hardening (AWS example):
```bash
# Use AWS WAF to rate limit HTTP authentication attempts.
# --visibility-config is mandatory for this call; the rate-based rule itself
# (20 requests per 5 minutes) is defined in the JSON passed to --rules
# (rate-rule.json is a placeholder file name).
aws wafv2 create-rule-group --name "RateLimitLogin" --scope REGIONAL --capacity 100 \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=RateLimitLogin \
  --rules file://rate-rule.json
```
6. Advanced Techniques: Customizing NSE Scripts and Parallelization
Nmap’s `--script-args` can fine-tune brute-force behavior. You can set connection timeouts, number of parallel threads, and even supply a single password for all usernames.
Useful arguments:
- `unpwndb` – Use the online haveibeenpwned database of breached passwords (requires internet).
- `brute.firstonly` – Stop after finding the first valid credential.
- `brute.mode` – Set to `user` (try all passwords per user) or `pass` (try all users per password).
Parallel execution across multiple services:
```bash
nmap -p21,22,23,445,3306,1433 --script brute --script-args userdb=users.txt,passdb=passwords.txt 192.168.1.150
```
This single command attacks FTP, SSH, Telnet, SMB, MySQL, and MSSQL simultaneously. Attackers often combine this with `-T4` (aggressive timing) and `-Pn` (skip host discovery) to maximize speed.
Creating a custom wordlist from the target’s website:
```bash
# Use CeWL to scrape a dictionary from the web app
cewl http://192.168.1.150 -m 6 -w custom_words.txt
# Then use it as passdb
nmap -p22 --script ssh-brute --script-args userdb=users.txt,passdb=custom_words.txt 192.168.1.150
```
7. Ethical Considerations and Legal Boundaries
Password cracking using Nmap is illegal without explicit written permission from the system owner. Always operate within a lab environment, CTF, or your own infrastructure. Unauthorized scanning can trigger IDS/IPS alerts and lead to criminal charges under computer fraud laws (CFAA in the US, Computer Misuse Act in the UK).
Safe practice setup (virtual lab):
- Use VirtualBox/VMware to create isolated target VMs.
- Install Metasploitable 2 or 3 as a vulnerable target.
- Run Nmap from a Kali Linux VM on the same host‑only network.
- Never forward traffic to the internet or include real IP addresses.
Legal authorization template: Always obtain a signed agreement specifying scope, duration, and permitted tools before conducting any brute-force test.
What Undercode Say:
- Nmap is not just a scanner—its NSE engine turns it into a multi‑protocol password brute-forcing Swiss Army knife. Defenders must treat Nmap traffic as a potential precursor to credential theft, not merely reconnaissance.
- Parallel brute-force across services amplifies risk exponentially. A single Nmap command can attempt hundreds of username/password combinations on six different services in under 10 minutes, highlighting why rate limiting, fail2ban, and account lockouts are non‑negotiable.
The source material shows that Nmap’s brute scripts are often overlooked in penetration testing curricula, yet they give red teams a low‑noise alternative to dedicated tools like Hydra or Medusa. For blue teams, monitoring failed login bursts across multiple ports (e.g., 21, 22, 445 simultaneously) is a strong indicator of Nmap-based attacks. The PDF source also lists GitHub and Discord resources where attackers share customized wordlists and optimized scripts, so defenders should subscribe to those threat feeds. Ultimately, password hygiene (length, complexity, and uniqueness) remains the most effective defense, because no brute-force tool can crack a strong 16‑character random password within a reasonable time frame.
Prediction:
As automation and AI-driven password generation evolve, Nmap’s NSE will likely incorporate machine‑learning wordlist augmentation, allowing attackers to guess context‑aware passwords (e.g., Company2025!). In response, cloud providers will embed real‑time brute-force detection into their WAF and firewall services, automatically blacklisting source IPs after a handful of failed attempts. However, distributed botnets using thousands of IPs will still bypass simple rate limits, pushing defenders toward behavioral analytics and passwordless authentication (FIDO2, WebAuthn) as the ultimate long‑term solution. For the next two years, expect a surge in Nmap-based credential stuffing attacks against exposed RDP (port 3389) and PostgreSQL (port 5432) as organizations fail to secure these emerging targets.
Reported By: Yashika Dhir – Hackers Feeds