Introduction

During a recent authorized penetration testing engagement, I shifted from a traditional black-box mindset to a more structured attack approach.

Instead of blindly attacking services, I focused on understanding the target's exposed infrastructure first.

The objective was simple:

  1. Identify exposed services.
  2. Build a tailored attack path.
  3. Avoid generic noise.
  4. Simulate realistic adversary behavior.

Phase 1: Enumeration with Nmap

Using Nmap, I scanned the target host and identified multiple open services. Among them was Remote Desktop Protocol (RDP).

RDP exposure to the internet is always a high-value finding because:

  • It provides direct system-level access.
  • It is commonly targeted by automated brute-force campaigns.
  • Weak credential hygiene often exists in enterprise environments.

Rather than rushing into brute-force attempts, I decided not just to build a wordlist but to craft one, using several utilities.

Phase 2: Simple wordlist gathering with CeWL

Generic wordlists create noise. Instead of relying purely on generic password lists, I generated a custom wordlist using CeWL.

CeWL scraped publicly accessible website content to extract:

  • Organization names
  • Internal terminology
  • Project references
  • Common naming patterns

Why?

Because humans reuse context.

Passwords are often derived from:

  • Company names
  • Department names
  • Seasonal patterns
  • Years
  • Role-based prefixes (Admin, IT, HR)

Phase 3: Wordlist Mutation with Hashcat

The scraped list was only the foundation.

I then used Hashcat-style mutation logic to generate realistic variations:

  • Capitalization patterns
  • Appended years
  • Special character suffixes
  • Role-based combinations (I preferred Admin here)

Instead of millions of useless combinations, this produced a refined, human-like candidate list.

Phase 4: Credential Testing with Hydra

With:

  • A contextual password list
  • A base username list (here I used rockyou.txt but grepped out all the admin-related terms, as my target was the admin user)
  • A clearly exposed RDP service

I initiated controlled credential testing using Hydra.

Enumeration → Customization → Mutation → Brute-Forcing → Initial Access

This approach dramatically reduces noise while increasing success probability.
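From the defender's side, the same sequence leaves a clear footprint in the Windows Security log: a burst of Event ID 4625 failures with LogonType 10 (RemoteInteractive, i.e. RDP) from one source address, often followed by a 4624 success for one of the guessed accounts. The following Python is added here as a detection example and is not part of the original write-up; the sample events, addresses, threshold and window are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events (not from the write-up):
# (timestamp, EventID, LogonType, TargetUserName, IpAddress).
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", 4625, 10, "admin",         "203.0.113.45"),
    ("2024-05-01T10:00:03", 4625, 10, "administrator", "203.0.113.45"),
    ("2024-05-01T10:00:05", 4625, 10, "admin",         "203.0.113.45"),
    ("2024-05-01T10:00:08", 4625, 10, "itadmin",       "203.0.113.45"),
    ("2024-05-01T10:00:10", 4625, 10, "admin",         "203.0.113.45"),
    ("2024-05-01T10:00:12", 4625, 10, "admin",         "203.0.113.45"),
    ("2024-05-01T10:00:20", 4624, 10, "admin",         "203.0.113.45"),  # burst then success
    ("2024-05-01T10:30:00", 4625, 10, "jsmith",        "198.51.100.7"),  # single typo, benign
    ("2024-05-01T10:30:30", 4624, 10, "jsmith",        "198.51.100.7"),
    ("2024-05-01T11:00:00", 4625, 3,  "svc_backup",    "10.0.0.9"),      # network logon, not RDP
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= `threshold` RDP logon failures inside a sliding
    `window`, and record whether that source later logged on successfully."""
    recent = defaultdict(deque)  # ip -> (time, user) of failures still inside the window
    alerts = {}                  # ip -> alert details
    for ts, event_id, logon_type, user, ip in sorted(events, key=lambda e: e[0]):
        if logon_type != 10:     # only RemoteInteractive (RDP) logons matter here
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            q = recent[ip]
            q.append((t, user))
            while t - q[0][0] > window:   # drop failures that aged out of the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"users": set(), "success_after": None})
                alert["users"].update(u for _, u in q)
                alert["failures_in_window"] = len(q)
        elif event_id == 4624 and ip in alerts and alerts[ip]["success_after"] is None:
            # A success right after a failure burst is the signal to escalate:
            # the guessed credential most likely worked.
            alerts[ip]["success_after"] = {"user": user, "time": ts}
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, alert)
```

The threshold and window should be tuned to the environment; on a real host the same logic would be fed from the Security channel rather than the constructed list above.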