Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: BruteForcing?

From: Paolo Scarabelli <paolo () msw it>
Date: Tue, 17 Oct 2006 22:06:49 +0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there...

Maybe you can try Expect:

http://expect.nist.gov/

- From the website:
"Expect is a tool for automating interactive applications such as
telnet, ftp, passwd, fsck, rlogin, tip, etc. Expect really makes this
stuff trivial. Expect is also useful for testing these same
applications. And by adding Tk, you can also wrap interactive
applications in X11 GUIs. Expect can make easy all sorts of tasks that
are prohibitively difficult with anything else. You will find that
Expect is an absolutely invaluable tool - using it, you will be able to
automate tasks that you've never even thought of before - and you'll be
able to do this automation quickly and easily."


Regards,


Paolo.



-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]On Behalf Of 09sparky () gmail com
Sent: Sunday, October 15, 2006 12:03 PM
To: pen-test () securityfocus com
Subject: BruteForcing?


This is more of a general brute forcing question, but one which I could use some assistance.

I am attempting to brute force some telnet sessions (Cisco Routers - CISCO IOS 12.2 and IOS 12.3(8), Cisco 1721 
router).  When telnet'ing in, it only prompts me for a PW (Not a username).  It has a 3 attempts disconnect, so I get 
disconnected and have to reconnect.  

My question is:
How and what tool should I use to try and brute force (dictionary attack) this session?
I have tried Hydra, but when I get disconnected (after 3 attempts), it tells me it is "finished".  Not sure if there 
is a way to make it reconnect.  Is there a better tool or other techniques that would work better?

Second question: Brute forcing also, but against WebPages.  For example, a Cisco 3000 VPN Concentrator, I have the 
webpage asking for username/password.  How would I attempt to dictionary attack this?

Thanks,
Sparky


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFNON5qAaEpZvj+VMRAtqkAKCfmdx7LiyLZ03PzbVyruD6gNX69gCeNJo0
YBf3lK5fcRu5KJrcEm1CLNI=
=xg8u
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: