# Brute Force

Using the `valid_usernames.txt` file I generated in the previous task, I can now attempt a brute force attack on the login page (<http://10.10.13.84/customers/login>). A brute force attack is an automated process that tries a list of commonly used passwords against either a single username or, as in this case, a list of usernames.

```
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.13.84/customers/login -fc 200
```

This ffuf command is a little different from the previous one. Previously I used the **FUZZ** keyword to select where in the request the data from the wordlist would be inserted, but because I'm using multiple wordlists, I have to specify my own keyword for each one. In this instance, I've chosen `W1` for the list of valid usernames and `W2` for the list of passwords I will try. The multiple wordlists are again specified with the `-w` argument, but separated with a comma. For a positive match, I'm using the `-fc` argument to filter out responses with an HTTP status code of 200, so only responses with a status code other than 200 are shown.

![](/files/Pvrs3vGT2obV7w1a4Y01)
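Seen from the defending side, the pattern this request stream leaves behind is a burst of 200 responses to the login POST from one source, followed by a single non-200. The sketch below is an added example, not part of the original walkthrough: the log format, the threshold, the sample lines and the 302 success status are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per source IP (assumed)
MAX_FAILURES = 5                 # failures tolerated inside the window (assumed)

# Constructed sample auth log: "time source_ip username http_status".
# As on the page, 200 means the login failed; 302 as the success status is an assumption.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 203.0.113.7 alice 200",
    "2024-01-01T10:00:01 203.0.113.7 alice 200",
    "2024-01-01T10:00:02 203.0.113.7 bob 200",
    "2024-01-01T10:00:03 198.51.100.20 carol 200",   # ordinary typo by a real user
    "2024-01-01T10:00:04 203.0.113.7 bob 200",
    "2024-01-01T10:00:05 203.0.113.7 alice 200",
    "2024-01-01T10:00:06 203.0.113.7 bob 200",
    "2024-01-01T10:00:07 203.0.113.7 alice 302",
    "2024-01-01T10:00:30 198.51.100.20 carol 302",
]

def parse(line):
    """Split one log line into (datetime, ip, username, status)."""
    ts, ip, user, status = line.split()
    return datetime.fromisoformat(ts), ip, user, int(status)

def detect(lines):
    """Alert on failure bursts per IP and on any success that follows a burst."""
    recent = defaultdict(deque)   # ip -> (time, username) failures still in the window
    flagged = set()               # IPs already reported for a burst
    alerts = []
    for ts, ip, user, status in map(parse, lines):
        fails = recent[ip]
        while fails and ts - fails[0][0] > WINDOW:
            fails.popleft()       # drop failures that aged out of the window
        if status == 200:         # failed attempt: login form served again
            fails.append((ts, user))
            if len(fails) > MAX_FAILURES and ip not in flagged:
                flagged.add(ip)
                users = sorted({u for _, u in fails})
                alerts.append(("brute_force", ip, users))
        elif ip in flagged:       # non-200 after a burst: credentials likely guessed
            alerts.append(("success_after_burst", ip, [user]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one to act on first: it names the account whose password should be reset and whose session should be revoked.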


