
Pentesters: Is it common for bruteforce/dictionary attacks, e.g. for SSH username enumeration, to be successful in real-world pentests? [closed]

Çağlar Arlı

I am learning and practicing on vulnerable-by-design machines (VulnHub, Metasploitable, etc.). I found that this machine is running OpenSSH 7.5, and I tried a few username enumeration exploits from ExploitDB, which all ask for a wordlist. I have tried ssh-usernames.txt, but it is pretty small.

I have a feeling that people wouldn't use usernames or passwords which are found in wordlists, and so bruteforce and dictionary attacks are just for play, and not practical once you are carrying out any real pentests (rather than on vulnhub machines). Is that true?