Penetration Testing mailing list archives
RE: Guessing passwords with Hydra
From: "Anders Thulin" <Anders.Thulin () tietoenator com>
Date: Mon, 20 Feb 2006 08:39:26 +0100
Grumble: It really should be a requirement that any post passing through a SecurityFocus mailing-list gets that mailing-list as a CC: address, at least.

From: alias () securityfocus com
> Now we are trying to brute-force the server with Hydra but surprisingly Hydra does not support guessing technique but only dictionary attack.
This type of password guessing needs preparation. And guessing is tricky business ... what's right for one situation tends to be wrong for another.

For remote password guessing (as different from password hash cracking) you need to know what passwords can be expected to be in common use: you very rarely have time for a *real* brute force attack. That changes very quickly ... and you very often learn about those changes by cracking password hashes. These days, Harry Potter-related passwords are fairly high on the list; some years back Babylon, Star Trek and Tolkien-related passwords were most popular. Cars, football and artists are always high.

You also need to know what password variations appear: that appending digits to the end (secret00) is far more common than putting them at the head (00secret), and that some combinations of these digits are more common than others. It's useless to have a guessing algorithm that begins with guessing '00xyz', and works its way through all combinations before it produces 'xyz00', which of course is the more likely combination. Same thing with special characters: some are very usual, others very rarely appear.

If you have a basic password list, it's easy enough to create rewritten passwords. I like using john the ripper (JtR), as 'john --wordlist=<file> --rules --stdout' after enabling all relevant rules in the config file. 'john --incremental --stdout', after priming the .chr files with appropriate statistics, is also useful, even though it tends to produce more passwords than can easily be handled ... but this list is better than plain enumeration. (I'd use plain password lists first, go on to variations of them (--rules), then the --incremental list for a while before deciding if time allows for real brute force.)

That's when you do full dictionaries over various subsets of passwords (all 1-4 character passwords, all printable 5 character passwords, all alphanumerical 6 character passwords, all alphanumerical with digits at the end only for lengths 7 and up, for example). As you know what system you are testing, you also know what passwords it allows -- perhaps you can do only upper-case letters. These are simple enough to generate by program. And again, if you already know the password rules (at least one alphabetical, one numerical and one special), you can easily produce such lists by program or by one of several password-generating utilities that can be found (isn't there already one in the THC set?) or even by tweaking the JtR config file suitably.

Anders Thulin
anders.thulin () tietoenator com
040-661 50 63
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
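The post's point is that a rules-driven guesser reproduces the cheap variations of a small theme word list ("secret00" long before "00secret") well before any real brute force starts, which is exactly what a password policy should be checking for. The script below is an added example, not code from the post or from John the Ripper: it models a JtR-style "--rules" pass over a constructed base list and reports which rule reproduces a candidate password and how early in the guess order it would fall, so a registration form or audit script can reject it. The base words, digit suffixes, symbols and their ordering are constructed sample data (assumptions), not a measured frequency table.

```python
"""Defensive check: is a password reachable from a small theme word list by
one of the cheap mangling rules the post describes?  Added example; the
word list, suffix list and rule ordering are constructed assumptions."""

# Constructed sample theme words of the kind the post describes.
BASE_WORDS = ["secret", "potter", "hogwarts", "trek", "gandalf", "ferrari"]

# Constructed ordering (assumption): most common suffixes first.
DIGIT_SUFFIXES = ["1", "123", "00", "01", "2006", "99", "7"]
SYMBOLS = ["!", "@", "#", "$"]


def case_variants(word):
    """lower, Capitalised and UPPER forms of a base word."""
    return [word.lower(), word.capitalize(), word.upper()]


# Rules in the order a guesser would apply them: cheapest and most common
# first.  Trailing digits ("secret00") come long before leading digits
# ("00secret"), following the post's point about which is more likely.
RULES = [
    ("base", lambda w: case_variants(w)),
    ("append-digits",
     lambda w: [c + d for c in case_variants(w) for d in DIGIT_SUFFIXES]),
    ("append-symbol",
     lambda w: [c + s for c in case_variants(w) for s in SYMBOLS]),
    ("append-digits-symbol",
     lambda w: [c + d + s for c in case_variants(w)
                for d in DIGIT_SUFFIXES for s in SYMBOLS]),
    ("prepend-digits",
     lambda w: [d + c for c in case_variants(w) for d in DIGIT_SUFFIXES]),
]


def guess_order(base_words=BASE_WORDS):
    """Yield (rule, candidate) in guess order: each rule is applied to the
    whole word list before the next rule starts, as a --rules pass does."""
    for name, rule in RULES:
        for word in base_words:
            for cand in rule(word):
                yield name, cand


def build_index(base_words=BASE_WORDS):
    """Map each candidate to (rule, 1-based position) of its first appearance."""
    index = {}
    for pos, (rule, cand) in enumerate(guess_order(base_words), start=1):
        index.setdefault(cand, (rule, pos))
    return index


_INDEX = None


def check(password, base_words=None):
    """Return (rule, position) if `password` is reachable from the base list
    by one of RULES, else None.  The index for the default list is cached."""
    global _INDEX
    if base_words is not None:
        return build_index(base_words).get(password)
    if _INDEX is None:
        _INDEX = build_index()
    return _INDEX.get(password)


def policy_reject(password):
    """Policy helper: True when a rules-driven guesser reproduces the password."""
    return check(password) is not None


if __name__ == "__main__":
    for pw in ["secret00", "00secret", "Hogwarts", "gandalf123!",
               "correct horse battery staple"]:
        hit = check(pw)
        if hit:
            print(f"{pw!r}: REJECT, rule {hit[0]}, guess #{hit[1]}")
        else:
            print(f"{pw!r}: not reproduced by the rule set")
```

The position returned by check() is the useful number for a policy: "secret00" is guess 21 out of 846 in this toy ordering while "00secret" is guess 723, which mirrors the post's observation that the two are far from equally likely. In practice the base list should come from the organisation's own cracked-hash statistics and the rule set should be the one the auditor actually runs, so that the policy rejects whatever the guesser would find first.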