Mastering Password Cracking With Hydra (The Right Way)

Yep! There are multiple versions out there so I usually recommend getting the docker version since it’s kept up-to-date with *all* the challenges. Thanks for the comment and for watching!

Excellent request, and the short answer is "yes" I can do a follow up.... BUT...
The long answer is that this takes us into the realm of Red Team, which uses a different type of scope, so probably "no." For what was presented in this video, this is very representative of a professional penetration test. When we encounter any implemented security, such as rate limiting or firewalls, within a professional pentest we ask the client to whitelist our attack platform so we don't have to fight those security measures for the sake of time (we pentesters are very expensive and the faster we can go through a network, the better for everyone).
There is one security measure we don't mess with (and neither do Red Teams), and that is lockout rules. If there are lockout restrictions (like 3 times and you have to get an admin to reset it kind-of-thing), the best practice is to not perform a remote password brute force attack against the system because it will cripple the organization, which isn't ever an objective within an pentest scope. Best thing to do when encountering a lockout is to simply attack a different protocol, like SSH or FTP or whatever else you find. lockouts are usually restricted to protocols like HTTPS or RDP. Again, when we hit lockouts, we take the Loss and move onto the next protocol or attack vector.
For Red Teams, as I mentioned, there are ways to circumvent security implementations; time being the largest component, which makes RT engagements more expensive. Since RT engagements are intended to be performed in a way to avoid detection, they have to go slow anyway, and may skip the brute force attack performed during the exploitation phase altogether since the traffic it generates is easy to identify within a SOC / NOC.
I will produce some evasion techniques since I discussed them in my latest book (to be released in January 2025... more info to follow), to include things like fragrouter, so keep an eye out for them. Thanks for the comment... sorry for the long explanation, and if you have any additional questions, please don't hesitate to ask!

Thanks for the compliment! Glad you enjoyed it and there’s more tutorials coming. 👍

Thanks for watching!

Check out my Author Page link - I’ve written multiple books on the subject of professional penetration testing which takes learners from the beginning. Good luck! 👍

It’s usually not possible within the time confines of a professional penetration test. Red team, probably not either. Microsoft recommends locking an account after 10 attempts, and for no longer than 15 minutes (to prevent denial of service), but an organization can modify those parameters. It’s recommended during a pentest that if you encounter lockouts you do not perform a password brute force attack. It’s simply not worth it.

Oh, also you can simply shift to a different protocol, like ftp, that typically never does lockouts.

@@pentest_TV thanks

I don’t. The tutorials I provide here are within the framework of a professional penetration test and performing these tasks on anything other than a standard pc or pc image would negatively impact performance and speed. That said, I did do a talk at DefCon 17 on performing pentests using an iPod Touch… so definitely R&D that. 😎

@@pentest_TV oh i will check that

Make sure to check out pentest.tv for free and paid training! Also, join our discord server. Thanks for watching!

I have xss on my list of tutorials to do, and I can definitely discuss BeEF. Thanks for the question!

@@pentest_TV where exactly ?

It’s not done yet but it is on my to-do list.

@@pentest_TValright We are impatiently waiting for it 👍

😁