Password Enumeration

ENUMERATION

Once you have a list of valid usernames, the next step toward accessing a system is knowing which password goes with each locked account. Some brute-force and password-cracking methods gain access to the system and would be considered exploits; this section focuses on methods for retrieving passwords that do not involve actually gaining access.

Because the system is not being accessed with the enumerated credentials, this remains a form of enumeration, not exploitation.

PASSWORD BRUTEFORCING WITH FFUF

FFUF is a versatile tool because much of the power of fuzzing comes from the wordlists used. For this reason, FFUF can be effective at enumerating passwords when given a wordlist designed for that purpose.

Check out this article for different methods of brute forcing passwords, along with username wordlists.
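From the defender's side, wordlist-driven password guessing against a web login shows up in access logs as a burst of failed login POSTs from one source. The following added example (not from the original page) flags such bursts in constructed sample log lines; the `/login` path, the 401/403 failure statuses and the thresholds are assumptions to adjust for the application.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip, timestamp, request line, status, size, referer, user agent.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def build_sample():
    """Constructed log lines: one noisy source plus one ordinary user."""
    lines = [f'203.0.113.7 - - [10/Mar/2024:10:00:{s:02d} +0000] "POST /login HTTP/1.1" '
             f'401 512 "-" "Fuzz Faster U Fool v2.1.0"' for s in range(12)]
    lines.append('198.51.100.20 - - [10/Mar/2024:10:00:05 +0000] '
                 '"POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"')
    lines.append('198.51.100.20 - - [10/Mar/2024:10:00:09 +0000] '
                 '"POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines

def detect_password_guessing(lines, login_path="/login", threshold=10,
                             window=timedelta(seconds=60), fail_statuses=(401, 403)):
    """Return {ip: details} for sources with >= threshold failed logins inside window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed login POSTs
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != login_path:
            continue
        if int(m["status"]) not in fail_statuses:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:          # drop failures that left the sliding window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(m["ip"], {"max_failures_in_window": 0,
                                            "default_ffuf_ua": False})
            a["max_failures_in_window"] = max(a["max_failures_in_window"], len(q))
            # ffuf's default User-Agent prefix; trivially overridden, so a hint only.
            a["default_ffuf_ua"] |= m["ua"].startswith("Fuzz Faster U Fool")
    return alerts

if __name__ == "__main__":
    for ip, info in detect_password_guessing(build_sample()).items():
        print(ip, info)
```

Applications that answer a failed login with HTTP 200 and an error page need a different failure signal, such as response size or an application-level audit log.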