
Crowbar

Crowbar is a brute forcing tool for penetration tests that supports OpenVPN, RDP with NLA, SSH private key authentication, and VNC key authentication. It differs from typical brute forcers by using SSH keys instead of username/password pairs for SSH.

Description

Crowbar, formerly known as Levye, is designed for brute forcing specific protocols during penetration testing. Unlike standard tools that rely on username and password combinations for SSH, Crowbar leverages SSH private keys obtained in tests to target other SSH servers. This approach enables testers to utilize compromised keys effectively.

The tool targets services like OpenVPN, Remote Desktop Protocol (RDP) including NLA support, SSH private key authentication, and VNC key authentication. It supports both single static targets and multiple targets from a file, with options for usernames and wordlists.

Crowbar is particularly useful in scenarios where private keys or specific credentials are available, allowing for more targeted brute force attacks in penetration testing environments.

How It Works

Crowbar performs brute force attacks on specified protocols: OpenVPN (-b openvpn), RDP with NLA support (-b rdp), SSH private key authentication (-b sshkey), and VNC key authentication (-b vnckey). For RDP, it iterates through usernames and passwords from wordlists against target hosts. For SSH, it uses provided private keys instead of password guessing. It supports single hosts or lists from files, with threading for efficiency, and logs successes like RDP-SUCCESS with credentials.
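From the defender's side, the sshkey mode described above leaves a recognizable trace: one source offering the same key fingerprint to many host and account pairs. The following detection sketch is an added example, not part of Crowbar or the original page; it assumes syslog-format sshd lines that include the key fingerprint (as OpenSSH writes them, at LogLevel VERBOSE for early failed attempts), and the sample log, host names, fingerprints and the function name `find_key_spraying` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of syslog-format sshd lines (LogLevel VERBOSE assumed).
SAMPLE_LOG = """\
Apr 16 10:00:01 web01 sshd[2101]: Failed publickey for root from 10.0.0.66 port 40110 ssh2: RSA SHA256:AAAAexampleKeyOne
Apr 16 10:00:02 web02 sshd[1833]: Failed publickey for root from 10.0.0.66 port 40112 ssh2: RSA SHA256:AAAAexampleKeyOne
Apr 16 10:00:03 db01 sshd[991]: Failed publickey for admin from 10.0.0.66 port 40120 ssh2: RSA SHA256:AAAAexampleKeyOne
Apr 16 10:00:04 db02 sshd[1207]: Accepted publickey for admin from 10.0.0.66 port 40125 ssh2: RSA SHA256:AAAAexampleKeyOne
Apr 16 10:05:00 web01 sshd[2150]: Accepted publickey for deploy from 10.0.0.10 port 51000 ssh2: ED25519 SHA256:BBBBexampleKeyTwo
Apr 16 10:06:00 web01 sshd[2160]: Failed password for deploy from 10.0.0.10 port 51010 ssh2
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]+\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed) publickey for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)"
)

def find_key_spraying(log_text, min_targets=3):
    """Return findings where one source offers one key to many host/user pairs."""
    failed = defaultdict(set)    # (src, fingerprint) -> {(host, user)} rejected
    accepted = defaultdict(set)  # (src, fingerprint) -> {(host, user)} accepted
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # password attempts and unrelated lines are ignored
        bucket = accepted if m["result"] == "Accepted" else failed
        bucket[(m["src"], m["fp"])].add((m["host"], m["user"]))
    findings = []
    for key, rejected in failed.items():
        targets = rejected | accepted[key]
        if len(targets) >= min_targets:
            findings.append({
                "source": key[0],
                "fingerprint": key[1],
                "targets_tried": len(targets),
                # Logins that succeeded mid-spray: rotate this key first.
                "accepted_on": sorted(accepted[key]),
            })
    return findings

if __name__ == "__main__":
    for finding in find_key_spraying(SAMPLE_LOG):
        print(finding)
```

A non-empty `accepted_on` list means the sprayed key is still authorized somewhere; that key should be revoked from `authorized_keys` on every host, not only the ones listed.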

Installation

sudo apt install crowbar

Flags

-b, --brute {openvpn,rdp,sshkey,vnckey}    Target service
-s, --server SERVER    Static target
-S, --serverfile SERVER_FILE    Multiple targets stored in a file
-u, --username USERNAME [USERNAME ...]    Static name to login with
-C    Wordlist for passwords (inferred from example)
-n    Number of threads (inferred from example)

Examples

Brute force the RDP service on a single host with a specified username and wordlist, using 1 thread. Results in RDP-SUCCESS with credentials victim:s3cr3t.
crowbar -b rdp -s 192.168.86.61/32 -u victim -C /root/words.txt -n 1
Brute force RDP on a single host using default threads.
crowbar -b rdp -s 192.168.86.61/32 -u victim -C /root/words.txt
Brute force SSH private key authentication on a single host (based on supported protocol).
crowbar -b sshkey -s target_host -k /path/to/private_key
Brute force OpenVPN on a static target with username and wordlist.
crowbar -b openvpn -s vpn_server -u user -C passwords.txt
Brute force VNC key authentication on a single host.
crowbar -b vnckey -s 192.168.1.100/32 -k vnc_keys.txt
Brute force RDP on multiple targets from a file.
crowbar -b rdp -S targets.txt -C /root/words.txt
Show help message and usage information.
crowbar -h
Updated 2026-04-16 (kali.org)