Given a black box system for pentest, you know there are some minimum security set in:
- There is a lockout for X retries (usually not 65535...)
- There are a large amount of user (easily deduced from company size)
- The users are lazy and like to choose easy passwords (always a given. Even if there is password limit, it will still be simple passwords like P@ssword123 or qwerty12345 which passed the password requirement)
Point 3 is where we would base this attack on. In order to show them how bad their passwords are, we probably need to crack some majority of it and bruteforcing is required unless we can dump the hashes (in Windows) or offline crack their salted password (from Linux). Traditionally, bruteforce will choose a useraname (example admin) and try to guess the password (admin, password, admin123, iamgod...) and before you know it, the account is locked (Shit! damn...). See point 1 above.
So, lets think out of the box. How many user would use lets say the password "password" (if its allowed by the password policy). Probably a lot. That's why I am going to introduce another to bruteforce such a system. This is what I call Reverse Bruteforcing. Instead of using a username and bruteforcing the password, we choose a password and bruteforce the username instead. Of course, in some case, we might even have the username (from the emails servers, or client contact list etc). But in the worst case, this will work.
So, we would go:
"password" - user1, user2, user3 etc...
This will not lock out the accounts as quickly as traditional bruteforcing, but it will eventually depending on how they set it up. If its time based (x attempts in x mins), then by spacing out the bruteforce, we might actually overcome it totally. Go online and get a list of commonly used password and mix in some variation with the company's name, slogan etc and you have a good list to start with.
Actually in some of my previous pentests, this methods proves to be quite effective and can be easily automated and while it run, you can proceed with your Metasploit or other attacks. Its a quick win any day! (P.S. My best win is root, root without locking the account up :P)