User manual
bruteforce.txt file initially installed with PhoneSweep contains a basic list of common username/password
combinations, but most users will need to make changes to it to suit the needs of their organizations.
Changes can be made in any of these ways:
1. Edit the username/password list directly on the Effort tab. These changes will be recorded to the
internal database. If you want the changes to be applied to the bruteforce.txt file, use the Export
button to export the changes to the file.
2. Use brutecreate.exe to add to the bruteforce.txt file (combining separate Username and Password
files to add to the bruteforce.txt file), then create a new profile or import the file into
PhoneSweep.
3. Edit bruteforce.txt directly using a text editor, then create a new profile or import the file into
PhoneSweep.
4. Create your own source file directly with a text editor, and import it into PhoneSweep (see
Section 6.2, Importing Brute Force Information).
(If you are editing or creating a file, use care if all you have available is a word processor - the file format
must be MS-DOS style text with line breaks).
Three additional source files are included with PhoneSweep:
• largebrute.txt: This file contains the dictionary of passwords that hackers commonly use. This
file can be used with brutecreate.exe.
• largebruteback.txt: This file contains the same dictionary words as largebrute.txt, but each of
them is backwards. This file can be used with brutecreate.exe.
• systemdefault.txt: This resource file contains a master list of default usernames and passwords
used by many common operating systems. Use this file as a resource for sweeping against
systems in your workplace in order to verify that default username/password settings have been
changed. The file is organized by operating system, so you can copy the appropriate
usernames/passwords and paste them into your bruteforce.txt file. This file cannot be used with
brutecreate.exe.
Formatting for bruteforce.txt: Enclose the username and the password each in double-quote characters, and
separate each username/password combination by a carriage return/line feed. Any text that is not enclosed
in double quotes will be ignored. You can have blank User Names and Passwords (two double quotes, no
spaces: ""). Note: Whether you use bruteforce.txt or create your own source file to import, you must use
this format.
For example,
"root","password"    Example PhoneSweep 'bruteforce.txt' file
"","guest"           This shows a blank UserName and a Password
"admin",""           This shows a UserName of admin and a blank Password
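The following checker is an added example, not part of the manual or of PhoneSweep. It lints a source file against the format rules above before import, catching word-processor "smart quotes" and missing CR/LF line endings. It assumes an entry is exactly two quoted fields on one line; the function name lint_bruteforce and the sample data are hypothetical and constructed for illustration.

```python
import re

# Assumption: an entry is two straight-double-quoted fields on one line;
# anything outside the quotes is ignored, as the manual states.
FIELD = re.compile(r'"([^"]*)"')

def lint_bruteforce(data: bytes):
    """Return (pairs, problems) for the raw bytes of a bruteforce.txt-style file."""
    pairs, problems = [], []
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()                      # file ended with a newline
    for n, raw in enumerate(lines, 1):
        if not raw.endswith(b"\r"):
            problems.append((n, "missing CR/LF line ending"))
        if any(b >= 0x80 for b in raw):
            # Typical of word-processor "smart quotes", which are not the
            # double-quote character and so would be ignored.
            problems.append((n, "non-ASCII bytes (smart quotes?)"))
        line = raw.rstrip(b"\r").decode("latin-1")
        if line.count('"') % 2:
            problems.append((n, "unbalanced double quote"))
            continue
        fields = FIELD.findall(line)
        if not fields:
            continue                     # blank or comment-only line
        if len(fields) != 2:
            problems.append((n, f"expected 2 quoted fields, found {len(fields)}"))
            continue
        pairs.append((fields[0], fields[1]))
    return pairs, problems

# Constructed sample input (not shipped with the product).
SAMPLE = (
    b'"root","password"  comment text is ignored\r\n'
    b'"","guest"\r\n'
    b'"admin",""\r\n'
    b'\xe2\x80\x9coperator\xe2\x80\x9d,\xe2\x80\x9coperator\xe2\x80\x9d\r\n'
    b'"user","secret"\n'
)

if __name__ == "__main__":
    pairs, problems = lint_bruteforce(SAMPLE)
    for user, pw in pairs:
        print(f"entry: user={user!r} password={pw!r}")
    for n, msg in problems:
        print(f"line {n}: {msg}")
```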
If username/password guessing restrictions are in effect, the bruteforce.txt file should be arranged so
that the distinct usernames are distributed evenly through the password file, rather than arranged in
blocks. This will help keep PhoneSweep from getting into situations where it is no longer allowed to
guess because the next guess would exceed the maximum allowed guesses per day. (Note: