scan4all includes a powerful password cracking engine (hydra) that supports brute force attacks against 23 different protocols. The cracker features intelligent dictionary management, concurrent execution, and automatic protocol detection.
Supported Protocols scan4all can perform password brute force attacks against the following protocols:
VNC (Virtual Network Computing)
Enabling Password Cracking By default, password brute forcing is disabled . Enable it with the priorityNmap configuration:
# Enable password cracking priorityNmap = true scan4all -host 192.168.1.1 -v
Password cracking is performed on services detected during port scanning. Ensure port scanning is enabled and services are correctly identified.
How It Works Architecture The password cracking engine uses a concurrent goroutine pool architecture:
Service Detection
After port scanning, services are identified and categorized by protocol (SSH on 22, MySQL on 3306, etc.)
Dictionary Loading
Protocol-specific username and password dictionaries are loaded:
Default dictionaries embedded in the binary
Custom dictionaries from config/ directory
User-provided dictionaries
Credential Generation
Username and password combinations are generated based on dictionary merge strategy:
Replace mode : Use only custom dictionariesMerge mode : Combine custom with default dictionaries
Concurrent Execution
Credentials are tested concurrently using a worker pool: // Configurable thread pool Pool : pool . NewPool ( threads ) Interval : time . Microsecond * 13 // Rate limiting
Result Validation
Successful authentications are validated and reported immediately. The cracker stops on first success.
Dictionary Management Default Dictionaries scan4all includes built-in dictionaries for all supported protocols:
# Dictionary location in source pkg/hydra/dicts/ ├── ftp.txt ├── mysql.txt ├── ssh.txt ├── rdp.txt └── ...
Custom Dictionaries Override default dictionaries with custom wordlists:
Username Dictionary
Password Dictionary
Initialization
# Create custom username list cat > config/usernames.txt << EOF admin root administrator user test EOF
Dictionary Merge Strategies Replace Mode (default): if CustomAuthMap . IsEmpty () == false { list . Replace ( CustomAuthMap ) // Use only custom dictionaries return list }
Merge Mode: if isAuthUpdate { list . Merge ( CustomAuthMap ) // Combine custom + default return list }
Protocol-Specific Features SSH / rsh-spx / LDAP // SSH cracker with key-based auth support func sshCracker ( info AuthInfo ) { // Supports: // - Password authentication // - Public key authentication // - Interactive keyboard authentication }
Usage: scan4all -host 192.168.1.1 -p 22 -v
Redis (Password-Only) Redis uses password-only authentication:
if info . Protocol == "redis" { c . onlyPassword = true // No username required }
Common Redis passwords checked:
(empty password)
redispasswordCustom passwords from dictionary
Oracle Database Oracle requires SID detection before brute forcing:
case "oracle" : if oracle . CheckProtocol ( ip , port ) == false { c . Pool . OutDone () return // Skip if SID unknown } c . Pool . Function = oracleCracker ( ip , port )
SID detection:
Automatic TNS listener enumeration
Common SID wordlist: ORCL, XE, PROD, DEV
Telnet Telnet includes unauthorized access detection:
serverType := getTelnetServerType ( ip , port ) if serverType == gotelnet . UnauthorizedAccess { // No authentication required - report immediately c . authInfo . Auth . Other [ "Status" ] = "UnauthorizedAccess" c . authInfo . Status = true return }
SMB Protocol SMB cracking includes vulnerability detection:
func smbCracker ( info AuthInfo ) { // Also checks for: // - MS17-010 (EternalBlue) // - SmbGhost (CVE-2020-0796) }
SMB vulnerabilities detected:
CVE-2017-0143
CVE-2017-0144
CVE-2017-0145
CVE-2017-0146
CVE-2017-0147
CVE-2017-0148
CVE-2020-0796 (SmbGhost)
HTTP Authentication HTTP brute forcing includes multiple authentication types:
Basic Auth
Standard HTTP Authorization header
Base64 credential encoding
WebDAV
WebDAV-specific authentication
PROPFIND/OPTIONS method support
SVN (Subversion)
Apache Subversion authentication
Repository enumeration
Application-Specific
Weblogic console
Tomcat manager
JBoss admin
Automatic activation: # HTTP password brute force automatically activates # when HTTP authentication is detected scan4all -host example.com -v
HTTP brute forcing is enabled by default and activates automatically when authentication is required, without manual intervention.
Cracker Engine Implementation Worker Pool Architecture type Cracker struct { Pool * pool . Pool // Concurrent worker pool authList * AuthList // Username/password lists authInfo * AuthInfo // Target information Out chan AuthInfo // Success channel onlyPassword bool // Password-only mode }
Execution Flow Initialization
Task Distribution
Result Monitoring
func NewCracker ( info * AuthInfo , isAuthUpdate bool , threads int ) * Cracker { c := & Cracker {} c . Pool = pool . NewPool ( threads ) // Create worker pool c . authInfo = info c . Pool . Interval = time . Microsecond * 13 // Rate limiting return c }
Success Detection The cracker implements an “early exit” strategy:
if count > 0 && count <= 5 { c . Out <- info .( AuthInfo ) // Report success } if count > 5 { // Too many successes = protocol not supported or error }
Thread Configuration # Default: 25 threads scan4all -host 192.168.1.1 -c 25 # More aggressive (faster) scan4all -host 192.168.1.1 -c 50 # Conservative (slower, stealthier) scan4all -host 192.168.1.1 -c 5
Rate Limiting Built-in rate limiting prevents DoS:
c . Pool . Interval = time . Microsecond * 13 // ~76,923 attempts/second max
Adjust global rate with -rate flag:
scan4all -host 192.168.1.1 -rate 100 # 100 requests/second
Timeout Configuration # Increase timeout for slow services scan4all -host 192.168.1.1 -timeout 5000 # 5 seconds
Security Considerations Legal and Ethical Use Only Password brute forcing should only be performed:
On systems you own
With explicit written permission
For legitimate security testing purposes
Unauthorized password cracking is illegal in most jurisdictions. Account Lockout Be aware of account lockout policies:
Common lockout thresholds : - Windows Active Directory : 5 attempts - Unix PAM : 3-5 attempts - Database systems : Varies - Network devices : Often no lockout
Recommendations:
Use small, targeted dictionaries
Test with known credentials first
Monitor for lockout indicators
Implement delays between attempts
Network Detection Brute force attacks are easily detected:
IDS/IPS systems will trigger alerts
SIEM systems log authentication failures
Firewalls may block after multiple failures
Application logs record all attempts
Stealth techniques: # Slow, low-volume attacks scan4all -host target.com -c 1 -rate 10 -timeout 10000
Output and Reporting Successful credentials are reported immediately:
{ "protocol" : "ssh" , "ip" : "192.168.1.100" , "port" : 22 , "username" : "admin" , "password" : "Password123" , "status" : true , "timestamp" : "2026-03-05T10:30:00Z" }
Elasticsearch Storage Results can be stored in Elasticsearch:
# Query successful authentications curl "http://127.0.0.1:9200/auth_index/_search?q=status:true" # Query by protocol curl "http://127.0.0.1:9200/auth_index/_search?q=protocol:ssh"
Advanced Features Protocol Detection Automatic protocol verification:
func Ok ( protocol string ) bool { if misc . IsInStrArr ( ProtocolList , protocol ) { return true } return false }
Username file (usernames.txt): admin root administrator user operator
Password file (passwords.txt): password 123456 admin Password123 P@ssw0rd letmein qwerty
Combined credentials (credentials.txt): admin:admin root:password administrator:Password123 user:user123
Weblogic-Specific Dictionaries scan4all includes specialized Weblogic dictionaries from real-world penetration tests:
pkg/hydra/dicts/weblogic_users.txt pkg/hydra/dicts/weblogic_passwords.txt pkg/hydra/dicts/webshell_paths.txt # For file fuzzing
Example Workflows Single Host
Network Range
Specific Protocol
Custom Dictionary
# Crack all services on a single host priorityNmap = true scan4all -host 192.168.1.100 -v
Troubleshooting No Credentials Found
Verify Service Detection
Ensure the service was correctly identified: scan4all -host 192.168.1.1 -v | grep "service:"
Check Dictionary Quality
Use comprehensive dictionaries:
Increase Threads
More threads = faster coverage: priorityNmap = true scan4all -host target.com -c 50
Check for Lockout
Monitor authentication logs for lockout indicators
Protocol Not Supported If you see “protocol not supported” errors:
# Check supported protocols scan4all -h | grep -A 30 "password blasting" # Verify protocol list echo $PROTOCOL | grep -i "protocol_name"
Connection Errors # Increase timeout for slow connections priorityNmap = true scan4all -host target.com -timeout 10000 # Reduce threads to avoid overwhelming the target priorityNmap = true scan4all -host target.com -c 5
Best Practices
Start with Small Dictionaries
Use top 100-1000 passwords first to avoid lockouts: head -n 100 passwords.txt > top100.txt priorityNmap = true scan4all -host target.com -passlist top100.txt
Test Known Credentials
Verify the cracker works with known valid credentials before using large dictionaries
Monitor Target Logs
Watch authentication logs during testing: # On Linux targets tail -f /var/log/auth.log # On Windows targets Get-EventLog -LogName Security -Newest 50
Document Findings
Record:
Successful credentials
Account lockout occurrences
Service response times
Network behavior
Secure Discovered Credentials
Store securely
Encrypt credential files
Limit access
Delete when testing complete