Nmap’s credential brute-forcing scripts are a blunt instrument: their primary utility isn’t finding real vulnerabilities, but discovering which services are running with default credentials.
Let’s see what happens when you try to brute-force the SSH service on a target IP, 192.168.1.100, using the ssh-brute script and a common username/password list.
nmap -p 22 --script ssh-brute --script-args brute.threads=10,userdb=./users.txt,passdb=./pass.txt 192.168.1.100
Here, -p 22 targets the SSH port. --script ssh-brute tells Nmap to run the SSH brute-force script. --script-args passes parameters to the script: brute.threads=10 (an argument of Nmap’s shared brute library, which ssh-brute is built on) sets the concurrency to 10 attempts at a time, userdb=./users.txt points to a file containing usernames, and passdb=./pass.txt points to a file with passwords.
The output will show you which username/password combinations are successful. For example, if root with password password works, you’ll see something like:
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-brute:
|   Host key: ssh-rsa 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
|   Discovered credentials for root:password
|_  SSH session accepted.
This tells you that the root user can log in with the password password to the SSH server on 192.168.1.100.
The core idea behind these scripts is simple: try a known list of username and password combinations against a service until one works. Nmap automates this process, allowing you to test many combinations rapidly. It’s less about sophisticated cracking and more about quick checks for common oversights.
The real power comes from understanding the scope and limitations. These scripts are most effective against services that are commonly deployed with weak or default credentials, such as SSH, FTP, Telnet, SMB, and RDP. They rely on having good wordlists for both usernames and passwords.
Internally, the ssh-brute script (and others like it) works by establishing a connection to the target service on the specified port. It then iterates through the provided username and password combinations. For each combination, it attempts to authenticate. If authentication is successful, the script reports the found credentials and typically stops for that service, or continues if configured to find all possible combinations.
The ssh-brute script, for instance, will attempt to perform an SSH login. If successful, it registers the credential pair as found. It’s important to note that the script doesn’t necessarily break anything; it’s simply trying to log in. The success of the script is entirely dependent on the quality and completeness of your users.txt and pass.txt files.
Consider the smb-brute script. It targets the SMB (Server Message Block) protocol, which Windows commonly uses for file and printer sharing. With a wordlist, you can quickly check whether any user accounts on a Windows machine accept common passwords.
nmap -p 445 --script smb-brute --script-args smb-brute.threads=20,userdb=./win_users.txt,passdb=./common_pass.txt 192.168.1.101
Here, -p 445 targets the default SMB port. The arguments are similar, but smb-brute.threads=20 increases concurrency, and the wordlists are tailored for Windows usernames and common passwords.
A crucial aspect often overlooked is that these scripts can be noisy. They generate a significant amount of network traffic, and many intrusion detection systems (IDS) can flag this activity as a brute-force attack. Running these scripts without explicit permission on a network you don’t own is illegal and unethical.
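As an added example (not from the original article, and not Nmap’s own code) of the detection side of that noise: the Python below scans constructed OpenSSH auth-log lines for a burst of password failures from one source address inside a sliding window, and separately flags a login that is accepted from a source that already tripped the burst rule, which is the trace a successful guessing run leaves in the logs. The hostnames, addresses, timestamps and the assumed log year are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches OpenSSH "Failed password" / "Accepted password" syslog lines.
SSH_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)
LOG_YEAR = 2024  # syslog timestamps carry no year; assumed value for parsing

def parse_ts(ts):
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")

def detect_ssh_bruteforce(lines, threshold=10, window_s=60):
    """Return alerts as (ip, kind, detail). 'burst' fires once per source that reaches
    threshold failures inside window_s seconds; 'success_after_burst' fires for every
    login accepted from a source that was already flagged."""
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged, alerts = set(), []
    for line in lines:
        m = SSH_AUTH_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ip, t = m["ip"], parse_ts(m["ts"])
        if m["result"] == "Failed":
            recent = failures[ip]
            recent.append(t)
            while (t - recent[0]).total_seconds() > window_s:
                recent.popleft()  # drop failures that aged out of the window
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "burst", f"{len(recent)} failed logins in {window_s}s"))
        elif ip in flagged:
            alerts.append((ip, "success_after_burst", f"user {m['user']} accepted"))
    return alerts

# Constructed sample: 12 guesses from 192.168.1.50 within three seconds, then a hit on
# root, followed by an ordinary typo-and-retry from 10.0.0.7 that must not alert.
_GUESSED = ["root", "invalid user admin", "invalid user test", "root"]
SAMPLE_LOG = [
    f"Mar  3 10:15:{1 + i // 4:02d} bastion sshd[{1000 + i}]: Failed password for "
    f"{_GUESSED[i % 4]} from 192.168.1.50 port {50100 + i} ssh2"
    for i in range(12)
] + [
    "Mar  3 10:15:05 bastion sshd[1020]: Accepted password for root from 192.168.1.50 port 50130 ssh2",
    "Mar  3 10:16:10 bastion sshd[1021]: Failed password for alice from 10.0.0.7 port 41000 ssh2",
    "Mar  3 10:16:15 bastion sshd[1022]: Accepted password for alice from 10.0.0.7 port 41001 ssh2",
]
```

Running detect_ssh_bruteforce(SAMPLE_LOG) yields one burst alert for 192.168.1.50 at its tenth failure and one success_after_burst alert for the accepted root login; the alice lines produce nothing.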
While these scripts are excellent for finding default or weak credentials, they are not designed for complex password cracking scenarios. For those, tools like Hashcat or John the Ripper, which work with captured password hashes, are far more appropriate and powerful. Nmap’s brute-force scripts are best used as a quick and dirty initial reconnaissance step.
The most surprising thing about these scripts is how often they succeed against well-established systems. It’s not uncommon to find default credentials still active on production servers, especially in less mature or rapidly deployed environments. This isn’t a flaw in Nmap, but a reflection of human error and oversight in security practices.
When using ssh-brute, the script attempts to authenticate with each of the provided credential pairs. If it succeeds, Nmap reports the successful username and password. It doesn’t guess randomly; it systematically tries each pair from your lists. The brute.retries argument, if set, determines how many times Nmap will retry a failed login attempt for a given user before moving on, though for sheer speed it is often set to 1.
If you successfully find credentials using ssh-brute and then try to connect manually using ssh user@host, you might still encounter issues if the SSH server has strict rate limiting or account lockout policies enabled. The script might find credentials, but your manual login could be blocked.
The next common problem you’ll encounter after successfully using Nmap’s brute-force scripts is realizing the limitations of your wordlists and the need for more sophisticated credential discovery methods.