I am new to Kali pentesting and am working on a password attack for an assignment. The target has SSH and Apache running, so I go to the website Apache is hosting and see a login. If I go to 'Create a new account' I can see the password description says "At least six characters long, should include numbers, punctuation and both upper and lower case". These are the password rules for the sign-on form on the website; however, the goal is to break in through the SSH service. From the hints there is only one employee with an SSH account and I think I have his username. I realize this is likely implementation specific, but do the password rules of a login form generally apply to SSH? What are the password rules for SSH? Are they customizable? Is there a way to find out what they are for a target?
We were also given the hint that some passwords can be up to 16 characters long. I'm using crunch to generate a dictionary file. Using a char list containing upper case, lowercase, numbers and special characters, generating a password file is huge!
I used crunch to generate a password file of strictly length 6; it was a GB in size and Ncrack couldn't even open it. It gave me an error: terminate called after throwing an instance of 'std::bad_alloc'. How do people generally brute force passwords bigger than 6 characters?
I also used CeWL to generate site-specific passwords but Ncrack didn't find anything.
Edit
I got a number of comments about things to try other than password attacks. I have been working on a lot of other things for a while but my inexperience has left me coming up short. I thought I would describe what I had tried in a new question here rather than stick it on to this one.