Penetration Testing mailing list archives

RE: Brutus issue


From: "Isaac Van Name" <ivanname () southerlandsleep com>
Date: Wed, 1 Nov 2006 10:46:29 -0600

Well, Base 64 is an encryption method... of course, that would really only
matter if you had the hashes.  That being said, you had the answer the whole
time.  Note this excerpt from the readme.txt file for a Hydra Windows
package:

ADDITIONAL HINTS
----------------
* uniq your dictionary files! this can save you a lot of time :-)
    cat words.txt | sort | uniq > dictionary.txt
* if you know that the target is using a password policy (allowing users
  only to choose a password with a minimum length of 6, containing at least one
  letter and one number, etc.), use the tool pw-inspector which comes along
  with the hydra package to reduce the password list:
    cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt

Yeah, read that second one.  That's what the readme is there for.  If you
get lost after reading that, I suggest you pursue a different line of work.

Oh, and after you're done "pen testing" your client, I've got an igloo I'd
love to sell them.


Isaac Van Name
Systems Administrator

"What good would you do with an ignorant employee? Ignorance is grounds for
dismissal..." - Mario Spinthiras
 
Open Source developing at its finest:
"Written in vim, W3C valid and UTF-8 encoded, for her pleasure."
 
Disclaimer:  This email is intended only to be used to feign intellectual
mastery of a subject or superhuman command of the English language, when
profanity is involved.  By reading this email, you are agreeing to cease all
correspondence with the sender upon realizing your own ignorance, and
furthermore to refrain from taking legal action against said sender when
your compounding ignorance crushes your inadequate self-esteem.  Have a nice
day.

Original> -----Original Message-----
Original> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
Original> On Behalf Of Juan B
Original> Sent: Tuesday, October 31, 2006 5:28 PM
Original> To: pen-test () securityfocus com
Original> Subject: Brutus issue
Original> 
Original> Hi,
Original> 
Original> I am conducting a pen test for a client of mine.
Original> in his web server he is using basic authentication
Original> (base 64)
Original> I need to issue a brute force attack against his
Original> authentication scheme.
Original> I know that the users and password are all numbers.
Original> for example the user might be something as:
Original> 5486
Original> and the password could be :
Original> 
Original> 546846533
Original> The users are limited to 4 numbers and the passwords
Original> for 8 numbers.
Original> 
Original> How can I tell brutus or hydra to use only numbers in
Original> the brute force?
Original> 
Original> Thanks very much !
Original> 
Original> Juan
Original> 
Original> ------------------------------------------------------------------------
Original> This List Sponsored by: Cenzic
Original> 
Original> Need to secure your web apps?
Original> Cenzic Hailstorm finds vulnerabilities fast.
Original> Click the link to buy it, try it or download Hailstorm for FREE.
Original> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
Original> ------------------------------------------------------------------------
Original> 
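The three technical points in this thread, put into working code as an added example (this is not code from the thread, from Brutus or from the hydra package): what the "base 64" in HTTP Basic auth actually is (a reversible encoding of user:password, so a captured Authorization header decodes straight back to the credentials, with no hashes involved), the readme's policy-aware pruning of a dictionary (pw-inspector style, plus the sort | uniq deduplication) done here as a small Python filter with its own, explicit semantics (keep only entries of the right length made solely of allowed characters), and the keyspace arithmetic a practitioner should do before launching a pure numeric brute force. The 4-digit user / 8-digit password policy is taken from the original post and assumed exact; the sample wordlist is constructed for the demo.

```python
import base64
import itertools
import string
from typing import Iterable, Iterator, List, Tuple

DIGITS = string.digits

# Policy from the original post (assumed exact, as stated there):
# 4-digit usernames and 8-digit passwords.
USER_LEN = 4
PASS_LEN = 8

# Constructed sample wordlist: duplicates, wrong lengths, non-digits and
# stray whitespace, the kind of noise a real dictionary carries.
SAMPLE_WORDLIST = [
    "12345678", "password", "12345678", "1234", "87654321",
    "4321abcd", "00000000\n", " 11111111", "123456789", "",
]


def basic_auth_header(user: str, password: str) -> str:
    """Authorization value a client sends for HTTP Basic auth:
    "Basic " + base64("user:password"). Base64 is a reversible encoding,
    not encryption, so a sniffed header yields the credentials directly."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_auth(header: str) -> Tuple[str, str]:
    """Inverse of basic_auth_header: recover (user, password) from a header."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def filter_wordlist(words: Iterable[str], min_len: int, max_len: int,
                    allowed: str = DIGITS) -> List[str]:
    """pw-inspector-style pruning under a known policy: keep only entries
    whose length is within [min_len, max_len] and whose characters all come
    from the allowed set, then deduplicate and sort (the readme's sort | uniq)."""
    kept = set()
    for raw in words:
        word = raw.strip()
        if not word or not (min_len <= len(word) <= max_len):
            continue
        if any(ch not in allowed for ch in word):
            continue
        kept.add(word)
    return sorted(kept)


def numeric_keyspace(length: int) -> Iterator[str]:
    """Every zero-padded digit string of the given length, in order; this is
    the list a pure numeric brute force walks through."""
    for digits in itertools.product(DIGITS, repeat=length):
        yield "".join(digits)


def keyspace_size(user_len: int, pass_len: int) -> int:
    """Number of (user, password) pairs when both are all-digit strings."""
    return 10 ** user_len * 10 ** pass_len


def seconds_to_exhaust(user_len: int, pass_len: int,
                       attempts_per_second: float) -> float:
    """Time to try the whole keyspace at a given request rate."""
    return keyspace_size(user_len, pass_len) / attempts_per_second


if __name__ == "__main__":
    header = basic_auth_header("5486", "12345678")
    print(header, "->", decode_basic_auth(header))
    print("filtered:", filter_wordlist(SAMPLE_WORDLIST, PASS_LEN, PASS_LEN))
    print("first passwords:", list(itertools.islice(numeric_keyspace(PASS_LEN), 3)))
    total = keyspace_size(USER_LEN, PASS_LEN)
    years = seconds_to_exhaust(USER_LEN, PASS_LEN, 1000) / (365 * 86400)
    print(f"{total:,} pairs; at 1000 req/s that is about {years:.0f} years")
```

The arithmetic is the caveat the thread skips: with an unknown 4-digit user and an unknown 8-digit password the full space is 10^12 pairs, which no online brute force against a web server finishes; the attack only becomes realistic once the user side is known (an enumerated account, or the 10^4 users tried against a short, policy-filtered password list). For the password side, current hydra versions can generate the digit strings themselves with -x 8:8:1 (length 8 to 8, charset "1" meaning digits) instead of reading a file, while a dictionary run still benefits from the pruning the readme describes.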