bruteforcing question

For beginners, flames not allowed...(just by the staff :P)
Post Reply
User avatar
n3rd
Staff Member
Staff Member
Posts: 1474
Joined: 15 Nov 2005, 17:00
15
Location: my own perfect world in ma head :)
Contact:

bruteforcing question

Post by n3rd »

ok this is a noob question ( yay XD )

I have a site, it is written in asp.

now I want to bruteforce login passwords, I got the login name.

but how come most bruteforcers dont work?, what am I doing wrong.

the password is md5.

thanks

User avatar
Nerdz
The Architect
The Architect
Posts: 1127
Joined: 15 Jun 2005, 16:00
16
Location: #db_error in: select usr.location from sucko_member where usr.id=63;
Contact:

Post by Nerdz »

I don't know the answer, but i surely know that most of the time Website logs ip ^_^ and connection attempt. If you were a website admin and you would see something like:

Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
Bad Login attemp on 4-2-2006 at 8pm from 127.0.0.1
( bleh I didn't had other ideas for the ip :P)

You would be like :" Oh man who the fuck si 127.0.0.1"

So you would go on a small database... let's say ARIN :lol: and type the ip and figure out he's from a country with a service provider which has a email for abuse...

Now, you would simply send a mail to the abuse@ISP.com with the logfile and the attacker would be "toast".

The other thing you would maybe do because you know computer and don't like people messing with yours would be to fightback...

So if you still want to bruteforce the website, I feel sorry you...
Oh yeah and bruteforcing is a *go to jail card*

P.S.: BruteForcing is like playing "SUDOKU" and trying all possible number and when you block, you start again with a different number on the first case... or second... or third etc... It is way better to get it the first time you do it with your head(using your brain can something be more productive *joke* peace :P ) So it's the same thing here, why don't you try to get the password file, or a single password ? I'm sure you would learn a lot from this.
(I'm not flamming you, just want you to realize what might append b4 you do the actual bruteforcing stuff)
Give a man a fish, you feed him for one day.
Learn a man to fish, you feed him for life.

User avatar
bad_brain
Site Owner
Site Owner
Posts: 11609
Joined: 06 Apr 2005, 16:00
16
Location: The zone.
Contact:

Post by bad_brain »

not to forget that many hosts have a maximum ammount of login attempts, when reaching the max your IP or even the whole account gets freezed (sometimes even the owner is notified). bruteforcing is like breaking into a house and carrying a ghettoblaster running on max volume at the same time while the owner is at home... :lol:
and to show you that nerdzoncrack is right I show you how your attempts would be logged:

Code: Select all

02/24-21:13:03.384618  [**] [1:2565:1] WEB-PHP modules.php access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 66.249.66.xx:59272 -> xx.xx.xx.xx:80
it´s just an example, but as you can see you can´t hide from the logs.

it also seems you don´t really understand the purpose of md5-hashes, when you open an account on a site your password is hashed and stored in the database, when you enter your password in the login it´s hashed again and compared to the hash stored in the database, so it has nothing to do with bruteforcing... :wink:

User avatar
n3rd
Staff Member
Staff Member
Posts: 1474
Joined: 15 Nov 2005, 17:00
15
Location: my own perfect world in ma head :)
Contact:

Post by n3rd »

actually it does, see if I where to bruteforce, I sometimes get results in like

login: whatever
pass: AAAA ( cause of the md5 )

but I think I wrote something wrong.

I want to bruteforce myself, just to check ofcourse.

but If I try with brutus, my results are shit,

I tried. munga bunga, but it needs a file of some sort, and I dont know how to create ( I think it was .def file) it.

User avatar
Stavros
ΜΟΛΩΝ ΛΑΒΕ
ΜΟΛΩΝ ΛΑΒΕ
Posts: 1092
Joined: 02 Jan 2006, 17:00
15
Location: Mississippi, U.S.A.

Post by Stavros »

To quote DNR (I think), "It is the equivalent to using a street sweeper (shotgun) to lock pick a door."

User avatar
n3rd
Staff Member
Staff Member
Posts: 1474
Joined: 15 Nov 2005, 17:00
15
Location: my own perfect world in ma head :)
Contact:

Post by n3rd »

dont go offtopic please.

makes the post useless. so only post if U have any usefull comments.

thank you

User avatar
LaBlueGirl
Suckopithicus chickasaurus
Suckopithicus chickasaurus
Posts: 513
Joined: 22 Mar 2006, 17:00
15
Location: Brussel
Contact:

THIS IS OFF TOPIC

Post by LaBlueGirl »

n3rd wrote:dont go offtopic please.

makes the post useless. so only post if U have any usefull comments.

thank you
Useless is subjective, as is useful.
The post to which you were referring to was on topic, dear. Just for clarification, this is what an O/T post looks like:

I want to marry my computer. It is my bestest friend in the whole widest world. It maketh me to lay down in green pastures and restoreth my soul. Yea, though I walk through the valley of the Blue Screen of Death, I shall fear no evil.

And since I am such a nice person:

http://gilchrist.ca/jeff/md5GUI/
http://www.wisdom.weizmann.ac.il/~tromer/twirl/

Login spoofing.

http://www.wisdom.weizmann.ac.il/~tromer/acoustic/

http://www.freedownloadscenter.com/Sear ... ck_W1.html
"Hey, Crash!
Ever tried walking with no legs?

It's real slow!"
~Crunch, Crash Bandicoot TTR

User avatar
jake3340
Newbie
Newbie
Posts: 4
Joined: 28 Aug 2006, 16:00
15

Post by jake3340 »

before u perform the attack change ur ip so the logs will be different or use a proxy tht way it will give an invalid ip address and the admin wont know your real ip.

User avatar
Gogeta70
^_^
^_^
Posts: 3274
Joined: 25 Jun 2005, 16:00
16

Post by Gogeta70 »

Most proxy servers have a log, so it's not a good idea to use a proxy either, instead use a chain of proxies (if you know how), it'll be harder to track.
¯\_(ツ)_/¯ It works on my machine...

User avatar
jake3340
Newbie
Newbie
Posts: 4
Joined: 28 Aug 2006, 16:00
15

Post by jake3340 »

u can still change ur ip from control pannel

pseudo_opcode
cyber messiah
cyber messiah
Posts: 1201
Joined: 30 Apr 2006, 16:00
15
Location: 127.0.0.1

Post by pseudo_opcode »

jake3340 wrote:u can still change ur ip from control pannel
lol...are you talking about internal ip??

User avatar
DNR
Digital Mercenary
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
15
Location: Michigan USA
Contact:

anonymous by proxy

Post by DNR »

Is this off topic, probably.

Proxies are the only 'legal' alternative to spoof your IP.It is not a crime to use a proxy, not yet anyways. Gogeta is right, they will have logs, any decent sysadmin will have logs running on a server. Back in my day, there was no legal/federal requirements to save logs, so sysadmins would delete heavy logs to save disk space or rid of unneeded 'paperwork'. Some sysadmins only check their logs if there was a problem with the server, again, they'll overwrite the old log file with a new one. Now days, the Feebs (feds) want anyone that has a server connected to the internet to keep logs for something like five years. Violations may result in a slap on the hands. Laws are different for other countries so record keeping and sharing nfo may not be required/allowed. The country might even be hostile to US anyways. There are 'Black' proxies, a server set up by a hacker, these can steal your nfo as you use the server as they can have a sniffer running on it, so don't do your personal banking here.

I wanted to expand on this comment "use a chain of proxies".

Understand that proxy servers can be located in many different countries, owned by many different companies, governed by different laws pertaining privacy, information sharing, and even record keeping requirements. To get information on the next hop you need to contact each admin of each proxy server. It takes two weeks for AOL to respond to a lawful request on a AOL screen name. How do you get nfo from a company in Turkey or Albaniastan? How much trouble did you cause? Is it enough for a sysadmin to contact 3 proxy server admins and wait/pray for their timely response? How about 7 proxy server admins, including one 'black' server who will likely have a bogus whois. Maybe the feds/dod will take the time to do that, they got all the time in the world.

Proxy servers always seem to go offline, some are unusable because every other hacker is on it. A fresh proxy list is best. look for discussion groups like proxy-elite@yahoo-groups or something, they get fresh list because they are crazy about scanning for proxies.

Beware the sniffer 'Black' Proxy servers..

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

Post Reply