Penetration Testing mailing list archives
RE: brute force tools
From: "Robert E. Lee" <robert () dyadsecurity com>
Date: Fri, 21 May 2004 08:50:15 -0700
Don, I have had good luck with the 4.0 version of hydra. It's not 100% intuitive, but it does work somewhat reliably once you get used to it. For this demo I made a file called passlist that had 5 lines (username:a, :aa, usename:aaa, foo:aaaa, bar:aaaaa). I set up a htpasswd/htaccess pair that had username username and password a. root:/var/tmp/hydra-4.0# hydra -l username -C ./passlist \ www.domain.com http /dir -s 80 Hydra v4.0 (c) 2004 by van Hauser / THC - use allowed only for legal purposes. Hydra (http://www.thc.org) starting at 2004-05-21 08:27:24 [DATA] 5 parallel tasks, 1 servers, 5 login tries (l:1/p:5), ~1 tries per task [DATA] attacking service www on port 80 [STATUS] attack finished for www.domain.com [80][www] host: 333.333.333.333 login: username password: a Hydra (http://www.thc.org) finished at 2004-05-21 08:27:25 With the -C option you set up a file that has the following syntax: Username:password I believe you may be able to get away with: :password I didn't see a good permuting option from the command line, but I'm sure you could whip sometime up to play with your dictionary file prior to use by hydra. Best of luck :). Robert -----Original Message----- From: don.williams () verizonwireless com [mailto:don.williams () verizonwireless com] Sent: Thursday, May 20, 2004 4:34 PM To: pen-test () securityfocus com Subject: brute force tools Frequently I attempt to brute force web applications and have found a few problems with the programs I have used. For instance Brutus always informs me a few successful attempts yet when I try they fail. (2) Webcrack not reliable. What I would like is some other tools you may have used with good success and hopefully a perl based script which enumerate common words substituting letters for numbers as users do everyday (ie. pa$$w0rd). Also attempting the crack ColdFusion it only requests the password not the user name / password combo as most tools only allow. Windows or Linux is fine. Thx
Current thread:
- brute force tools don.williams (May 21)
- RE: brute force tools Tom (May 21)
- RE: brute force tools Robert E. Lee (May 21)
- Re: brute force tools Andrés Roldán (May 25)