No (online) brute force is necessary. None of the vulnerable services will require online brute force to login. Hydra, etc ARE NOT NECESSARY and may very well get you throttled. Besides, it's a waste of time. Dirb may prove useful. Most everything you need is staring you straight in the face.
john can be used for a couple of things, though not all. if rockyou.txt with rules doesn't find it, it wasn't meant to be.