bruteforcing question
- n3rd
- Staff Member
- Posts: 1474
- Joined: 15 Nov 2005, 17:00
- 19
- Location: my own perfect world in ma head :)
- Contact:
bruteforcing question
ok this is a noob question ( yay XD )
I have a site, it is written in asp.
now I want to bruteforce login passwords, I got the login name.
but how come most bruteforcers don't work? what am I doing wrong?
the password is md5.
thanks
- Nerdz
- The Architect
- Posts: 1127
- Joined: 15 Jun 2005, 16:00
- 19
- Location: #db_error in: select usr.location from sucko_member where usr.id=63;
- Contact:
I don't know the answer, but I surely know that most of the time a website logs IPs ^_^ and connection attempts. If you were a website admin and you saw something like:
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
( bleh I didn't have other ideas for the IP )
You would be like: "Oh man, who the fuck is 127.0.0.1"
So you would go on a small database... let's say ARIN
and type the IP and figure out he's from a country with a service provider which has an email for abuse...
Now, you would simply send a mail to the abuse@ISP.com with the logfile and the attacker would be "toast".
The other thing you would maybe do, because you know computers and don't like people messing with yours, would be to fight back...
So if you still want to bruteforce the website, I feel sorry for you...
Oh yeah and bruteforcing is a *go to jail card*
P.S.: BruteForcing is like playing "SUDOKU" and trying all possible numbers and when you block, you start again with a different number on the first case... or second... or third etc... It is way better to get it the first time you do it with your head (using your brain, can something be more productive *joke* peace). So it's the same thing here, why don't you try to get the password file, or a single password? I'm sure you would learn a lot from this.
(I'm not flaming you, just want you to realize what might happen b4 you do the actual bruteforcing stuff)
Give a man a fish, you feed him for one day.
Learn a man to fish, you feed him for life.
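The log review described in the post above, as an added example that is not part of the original thread: it counts failed logins per source address and hour from lines in the quoted format and flags noisy sources. The threshold of 5, the function names and the sample lines (including the 192.0.2.10 and 999.1.1.1 entries) are assumptions constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Line format copied from the log lines quoted in the post above.
LINE_RE = re.compile(
    r"^Bad Login attemp on (?P<date>\d{1,2}-\d{1,2}-\d{4}) "
    r"at (?P<hour>\d{1,2}(?:am|pm)) from (?P<ip>\S+)$"
)

def failed_logins_per_source(lines):
    """Count failures per (ip, date, hour); unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ip_address(m["ip"])
        except ValueError:
            continue  # address field is not a valid IP
        counts[(str(ip), m["date"], m["hour"])] += 1
    return counts

def flag_sources(lines, threshold=5):
    """Return one alert per source that reaches the threshold within an hour."""
    alerts = []
    for (ip, date, hour), n in sorted(failed_logins_per_source(lines).items()):
        if n >= threshold:
            alerts.append({
                "ip": ip, "date": date, "hour": hour, "failures": n,
                # Loopback, private and reserved ranges have no ISP abuse
                # contact behind them, so a registry lookup tells you nothing.
                "whois_lookup_useful": ip_address(ip).is_global,
            })
    return alerts

# Constructed sample: the ten lines from the post plus assumed extra entries.
SAMPLE = (
    ["Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1"] * 10
    + ["Bad Login attemp on 4-2-2006 at 8pm from 192.0.2.10"] * 2
    + ["Bad Login attemp on 4-2-2006 at 8pm from 999.1.1.1", "unrelated line"]
)

if __name__ == "__main__":
    for alert in flag_sources(SAMPLE):
        print(alert)
```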
- bad_brain
- Site Owner
- Posts: 11639
- Joined: 06 Apr 2005, 16:00
- 19
- Location: In your eye floaters.
- Contact:
not to forget that many hosts have a maximum amount of login attempts, when reaching the max your IP or even the whole account gets frozen (sometimes even the owner is notified). bruteforcing is like breaking into a house and carrying a ghettoblaster running on max volume at the same time while the owner is at home...
and to show you that nerdzoncrack is right I show you how your attempts would be logged:
Code:
02/24-21:13:03.384618 [**] [1:2565:1] WEB-PHP modules.php access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 66.249.66.xx:59272 -> xx.xx.xx.xx:80
it's just an example, but as you can see you can't hide from the logs.
it also seems you don't really understand the purpose of md5-hashes, when you open an account on a site your password is hashed and stored in the database, when you enter your password in the login it's hashed again and compared to the hash stored in the database, so it has nothing to do with bruteforcing...
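The two server-side controls from the post above (hash at registration, hash again and compare at login, freeze after a maximum number of attempts), as an added example that is not part of the original thread or of any site's real code. It uses salted PBKDF2-HMAC-SHA256 in place of the thread's MD5; the `LoginStore` class, the limit of 5 and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5  # assumed limit; the post only says hosts enforce a maximum

class LoginStore:
    """In-memory stand-in for the site's user database (hypothetical)."""

    def __init__(self):
        self.users = {}     # name -> (salt, stored_hash); no plaintext kept
        self.failures = {}  # name -> consecutive failed attempts

    @staticmethod
    def _hash(password, salt):
        # Salted and deliberately slow, unlike a single unsalted MD5 pass.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, name, password):
        salt = os.urandom(16)
        self.users[name] = (salt, self._hash(password, salt))

    def login(self, name, password):
        """Return 'ok', 'denied' or 'locked'."""
        if self.failures.get(name, 0) >= MAX_ATTEMPTS:
            return "locked"  # account stays frozen until an admin resets it
        # Unknown names still pay for one hash so timing does not reveal them.
        salt, stored = self.users.get(name, (b"\0" * 16, b""))
        candidate = self._hash(password, salt)
        if name in self.users and hmac.compare_digest(candidate, stored):
            self.failures[name] = 0
            return "ok"
        self.failures[name] = self.failures.get(name, 0) + 1
        return "denied"

if __name__ == "__main__":
    store = LoginStore()
    store.register("whatever", "correct horse")  # constructed credentials
    print(store.login("whatever", "correct horse"))
    print([store.login("whatever", f"guess{i}") for i in range(6)])
```

Locking by account name lets anyone freeze a known account, which is why sites often throttle by source address as well.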

- n3rd
- Staff Member
- Posts: 1474
- Joined: 15 Nov 2005, 17:00
- 19
- Location: my own perfect world in ma head :)
- Contact:
actually it does, see if I were to bruteforce, I sometimes get results in like
login: whatever
pass: AAAA ( cause of the md5 )
but I think I wrote something wrong.
I want to bruteforce myself, just to check of course.
but if I try with brutus, my results are shit,
I tried munga bunga, but it needs a file of some sort, and I don't know how to create it ( I think it was .def file).
- LaBlueGirl
- Suckopithicus chickasaurus
- Posts: 513
- Joined: 22 Mar 2006, 17:00
- 19
- Location: Brussel
- Contact:
THIS IS OFF TOPIC
n3rd wrote: "don't go offtopic please. makes the post useless. so only post if U have any useful comments. thank you"
Useless is subjective, as is useful.
The post to which you were referring was on topic, dear. Just for clarification, this is what an O/T post looks like:
I want to marry my computer. It is my bestest friend in the whole widest world. It maketh me to lay down in green pastures and restoreth my soul. Yea, though I walk through the valley of the Blue Screen of Death, I shall fear no evil.
And since I am such a nice person:
http://gilchrist.ca/jeff/md5GUI/
http://www.wisdom.weizmann.ac.il/~tromer/twirl/
Login spoofing.
http://www.wisdom.weizmann.ac.il/~tromer/acoustic/
http://www.freedownloadscenter.com/Sear ... ck_W1.html
"Hey, Crash!
Ever tried walking with no legs?
It's real slow!"
~Crunch, Crash Bandicoot TTR
-
- cyber messiah
- Posts: 1201
- Joined: 30 Apr 2006, 16:00
- 18
- Location: 127.0.0.1
anonymous by proxy
Is this off topic, probably.
Proxies are the only 'legal' alternative to spoof your IP. It is not a crime to use a proxy, not yet anyways. Gogeta is right, they will have logs, any decent sysadmin will have logs running on a server. Back in my day, there were no legal/federal requirements to save logs, so sysadmins would delete heavy logs to save disk space or get rid of unneeded 'paperwork'. Some sysadmins only check their logs if there was a problem with the server, again, they'll overwrite the old log file with a new one. Nowadays, the Feebs (feds) want anyone that has a server connected to the internet to keep logs for something like five years. Violations may result in a slap on the hands. Laws are different for other countries so record keeping and sharing nfo may not be required/allowed. The country might even be hostile to US anyways. There are 'Black' proxies, a server set up by a hacker, these can steal your nfo as you use the server as they can have a sniffer running on it, so don't do your personal banking here.
I wanted to expand on this comment "use a chain of proxies".
Understand that proxy servers can be located in many different countries, owned by many different companies, governed by different laws pertaining to privacy, information sharing, and even record keeping requirements. To get information on the next hop you need to contact each admin of each proxy server. It takes two weeks for AOL to respond to a lawful request on an AOL screen name. How do you get nfo from a company in Turkey or Albaniastan? How much trouble did you cause? Is it enough for a sysadmin to contact 3 proxy server admins and wait/pray for their timely response? How about 7 proxy server admins, including one 'black' server who will likely have a bogus whois. Maybe the feds/dod will take the time to do that, they got all the time in the world.
Proxy servers always seem to go offline, some are unusable because every other hacker is on it. A fresh proxy list is best. Look for discussion groups like proxy-elite@yahoo-groups or something, they get fresh lists because they are crazy about scanning for proxies.
Beware the sniffer 'Black' Proxy servers..
DNR
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.