Full Disclosure mailing list archives

Re: NiX - Linux Brute Forcer (the beast) has been released!]


From: Ryan Sears <rdsears () mtu edu>
Date: Fri, 12 Nov 2010 11:59:05 -0500 (EST)

Well that's not really a useful response. He asked a simple question (the first one that popped into my head as well). 

Basically it comes down to this: THC's Hydra already does all that stuff, and they've been doing it for years and 
years. How does your tool fit in with it? It sounds like you basically coded the exact same thing, and while 
frustrating - happens. 

Medusa:
Medusa is a speedy, massively parallel, modular, login brute-forcer for network services created by the geeks at 
Foofus.net. It currently has modules for the following services: CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare), 
PcAnywhere, POP3, PostgreSQL, rexec, rlogin, rsh, SMB, SMTP (VRFY), SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC, and a 
generic wrapper module.

THC-Hydra:
Currently this tool supports:
  TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC,
  RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS,
  ICQ, SAP/R3, LDAP2, LDAP3, Postgres, Teamspeak, Cisco auth, Cisco enable,
  AFP, LDAP2, Cisco AAA (incorporated in telnet module).

Comparison between the two (keep in mind hydra is currently at 5.8 and medusa is at v2):
http://www.foofus.net/~jmk/medusa/medusa-compare.html

These can crack any authentication protocol that I can really think of, and they're stable. People are probably not 
going to stop using what they know how to use, especially if it works and fills up the space the tool is required for 
nicely (as both of these currently do).  

How does your tool provide any advantage over this? Not to mention that password brute-forcing is rarely needed for 
anything even remotely constructive, if you want to make sure people's passwords are secure - enforce better password 
policies, because even aaaaaaa9! is still better than aaaa (or god, sex, love, and secret :-P). People are getting 
smarter with their passwords (for the most part) which is largely rendering password cracking pretty useless IMHO. 
There are normally much better and more efficient ways of gaining access to a machine than brute force anyway, it's 
noisy and probably going to be noticed. Even breaking basic passwords over the internet takes forever, because a lot 
smarter people than myself have coded the crypto in most cases to be quite strong. 

Just my 2 cents => take it or leave it.

Ryan

----- Original Message -----
From: nix () myproxylists com
To: full-disclosure () lists grok org uk
Sent: Friday, November 12, 2010 12:23:18 AM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] NiX - Linux Brute Forcer (the beast) has been released!]

---------------------------- Original Message ----------------------------
Subject: Re: [Full-disclosure] NiX - Linux Brute Forcer (the beast) has
been released!
From:    "Abuse 007" <abuse007 () gmail com>
Date:    Fri, November 12, 2010 3:22 am
To:      nix () myproxylists com
--------------------------------------------------------------------------

Why would we use this tool over say Hydra or Medusa?

I have just compiled Hydra first time (don't know about Medusa, please
link me). Obviously you did not read nor understand features it offers
over any other similar tool.

Please read again features listed at my site and you get the answer to
your question.

On Fri, Nov 12, 2010 at 11:16 AM,  <nix () myproxylists com> wrote:
NiX Brute Forcer is a parallel login brute-forcer. This tool is intended
to demonstrate the importance of choosing strong passwords. The goal of
NiX is to support a variety of services that allow remote authentication
such as: HTTP(S) BASIC/FORM, MySQL, SSH, FTP. It is based on NiX Proxy
Checker.

If anyone is interested in beta testing new releases before the public
release, please send me an email.

Current features:

- Basic Authorization & FORM support
- HTTP/SOCKS 4 and 5 proxy support
- FORM auto-detection & Manual FORM input configuration.
- It is multi-threaded
- Auto-removal of dead or unreliable proxy and when site protection
mechanism blocks the proxy
- Integrated proxy randomization to defeat certain protection mechanisms
- With Success and Failure Keys results are 99% accurate
- Wordlist shuffling via macros
- Advanced coding and timeout settings makes it outperform any other brute
forcer

TODO:

MySQL, SSH, FTP and IMAP support. You suggest more?


Download and installation: http://myproxylists.com/nix-brute-force

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


