PaulDotCom mailing list archives
Re: hydra and HTTP NTLM
From: Robin Wood <robin () digininja org>
Date: Sat, 26 May 2012 22:35:29 +0100
On 25 May 2012 21:59, Sherif El-Deeb <archeldeeb () gmail com> wrote:
Back when nothing was supporting Outlook Web Access bruteforcing, I've written a simple bash script that automated the process using "curl"... I suggest you do the same. "curl --ntlm" -> it will be two nested for loops, the outer iterates through usernames, the inner iterates through passwords... then process the server's answer using multiple grep and cut to check for correct/bad credentials using variables and "if". The only problem with that method will be the speed (lack of), so I have included a simple function to make sure at least "32" instances of curl are running at any given time.

===== start of code example =====

    #!/bin/bash
    .....
    .....
    CheckCurl(){
        CurlCount=$(pidof curl | wc -w)
        [ $CurlCount -ge 32 ] && CheckCurl
    }

    echo [*] Starting...
    for USER in $(cat $userList)
    do
        for PASSWORD in $(cat $passList)
        do
            # before running the command, we want to make sure that the running instances of curl are not greater than 32
            CheckCurl
            # note that this will save the output to a folder called "html_out", change that or create it.
            curl --ntlm -u 'domain\ $USER:$PASSWORD' blah blah blah blah ....... &
            # the ending ampersand is very important for multithreading
        done
    done

===== End of code example =====

Hope that helps,
Sherif Eldeeb.
I was reading backwards through the mails so I just got curl working then got to this mail which is a great script, I'll give it a go. And to the people who suggested watch out for lockout, I will. Robin
On Fri, May 25, 2012 at 11:10 PM, Robin Wood <robin () digininja org> wrote:

On 25 May 2012 16:59, Navarro, Gregory J <Gregory.J.Navarro () disney com> wrote:
Do you know of a valid login but just not the password? If so just fuzz it with Burp.

I have no credentials but even if I did I don't think Burp does NTLM, for it to do it it would have to be able to work with the four way handshake and I've not seen anywhere that that appears to be an option. If you can point me at how to do it I'll happily try.

Robin

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Robin Wood
Sent: Thursday, May 24, 2012 6:08 AM
To: Tony Turner; PaulDotCom Security Weekly Mailing List
Cc: _; webappsec () securityfocus com
Subject: Re: [Pauldotcom] hydra and HTTP NTLM

On 24 May 2012 13:36, Tony Turner <tony_l_turner () yahoo com> wrote:
Have you tried http://www.foofus.net/~jmk/tools/FPbrute.pl yet? Or is there a reason you wanted to use Hydra?

I've tried that but it seems to expect the login request for a simple GET. I'm testing a FrontPage install which allows me to read but then fails on write. Checking the traffic when I click save it sends an OPTIONS request which gets a reply of 401 which triggers FP to then start the handshake.

Robin

________________________________
From: Robin Wood <robin () digininja org>
To: _ <packetnull () gmail com>
Cc: "webappsec () securityfocus com" <webappsec () securityfocus com>; PaulDotCom Mailing List <pauldotcom () mail pauldotcom com>
Sent: Thursday, May 24, 2012 8:17 AM
Subject: Re: [Pauldotcom] hydra and HTTP NTLM

On 24 May 2012 13:06, _ <packetnull () gmail com> wrote:
http ntlm is IIS based windows auth.

Yes but I still don't know how to attack it.

Robin

On May 23, 2012, at 6:14 AM, Robin Wood <robin () digininja org> wrote:
Anyone know how to use the new HTTP NTLM feature in Hydra? I'm trying to brute force a MS Front Page login which only asks for authentication when the OPTIONS method is used as far as I can tell.

Robin

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
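Looking at the same traffic from the server side: the nested-loop curl approach discussed in this thread shows up in the web server log as one client drawing NTLM 401s for many different accounts in a short span. The following is an added example, written for this archive page and not code from anyone on the thread, that scans constructed IIS W3C-style log lines for that pattern. The field layout, the treatment of the anonymous "-" first leg of the NTLM challenge, and the window and threshold values are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed IIS W3C layout:
# date time c-ip cs-method cs-uri-stem cs-username sc-status
SAMPLE_LOG = """\
2012-05-26 21:00:01 10.0.0.5 OPTIONS /site/default.htm - 401
2012-05-26 21:00:01 10.0.0.5 OPTIONS /site/default.htm DOMAIN\\alice 401
2012-05-26 21:00:02 10.0.0.5 OPTIONS /site/default.htm DOMAIN\\bob 401
2012-05-26 21:00:02 10.0.0.5 OPTIONS /site/default.htm DOMAIN\\carol 401
2012-05-26 21:00:03 10.0.0.5 OPTIONS /site/default.htm DOMAIN\\dave 401
2012-05-26 21:00:03 10.0.0.5 OPTIONS /site/default.htm DOMAIN\\erin 401
2012-05-26 21:00:04 10.0.0.5 OPTIONS /site/default.htm DOMAIN\\erin 200
2012-05-26 21:05:00 10.0.0.9 OPTIONS /site/default.htm - 401
2012-05-26 21:05:00 10.0.0.9 OPTIONS /site/default.htm DOMAIN\\frank 200
"""


def parse_w3c(text):
    """Yield (timestamp, client_ip, username, status) per non-comment line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, ip, _method, _uri, user, status = line.split()
        yield datetime.fromisoformat(f"{date} {time}"), ip, user, int(status)


def find_spray_sources(text, window=timedelta(minutes=5), min_users=3):
    """Return {client_ip: sorted usernames} for every client that drew a 401
    for at least `min_users` distinct accounts inside one `window`.
    The anonymous '-' 401 is the first leg of the NTLM challenge (every
    legitimate client produces one), so it is not counted as a failure."""
    failures = defaultdict(list)  # client ip -> [(timestamp, username)]
    for ts, ip, user, status in parse_w3c(text):
        if status == 401 and user != "-":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for ip, users in find_spray_sources(SAMPLE_LOG).items():
        print(f"{ip}: 401s for {len(users)} accounts in 5 min: {', '.join(users)}")
```

The account lockout mentioned earlier in the thread is the other side of this coin: the same counting, done per account rather than per client, is what a lockout policy enforces.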