Search
Search titles only
By:
Search titles only
By:
Log in
Register
Search
Search titles only
By:
Search titles only
By:
Menu
Install the app
Install
Forums
New posts
All threads
Latest threads
New posts
Trending threads
Trending
Search forums
What's new
New posts
New ads
New profile posts
Latest activity
Free Ads
Latest reviews
Search ads
Members
Current visitors
New profile posts
Search profile posts
Contact us
Latest ads
NURSING , CAREGIVER , HOTEL & BEAUTY COURSES
IVA Para Medical Campus
Updated:
Yesterday at 9:24 AM
Handmade Character Soft Toys Peppa Pig Family
anil1961
Updated:
Wednesday at 9:58 PM
Ad icon
Video Content Creator
pramukag
Updated:
Sunday at 6:10 AM
Ad icon
QA Engineer Intern
pramukag
Updated:
Sunday at 6:07 AM
Ad icon
Sell your Land, House on idamata.lk for FREE
sajith.xp.pk
Updated:
Jun 25, 2026
Electronics
Vehicles
Property
Search
Reply to thread
Forums
Computers & Internet
Tips & Tricks
Tips & Tricks Collection of DC
Get the App
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Message
<blockquote data-quote="||~DxxCxxxx~||" data-source="post: 7334285" data-attributes="member: 137393"><p><strong>Introduction to Brute Force Attack</strong></p><p></p><p><img src="http://i41.tinypic.com/ek24ra.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><p>This article is designed to demonstrate how to accomplish a brute force attack, and what it looks like from the receiving end. Brute force means password guessing. This can only feasibly be accomplished with the aid of good target reconnaissance and some automated programs. While it is very easy to write your own brute force program, there are several available for free online. I find Brutus to be one of the best brute force tools. You can find it at Hoobie.net.</p><p></p><p>The first step in a brute force attack (or for that matter, any attack) is target enumeration. This is the process by which we find where and how a target is vulnerable. I use NMAP for almost all of my initial cursory scans of networks. Lets use the target of my own desktop server and run an NMAP scan to find out what we have to play with. The output from my scan follows:</p><p></p><p>nmap -sS -O 216.25.200.135</p><p></p><p>Starting nmap V. 2.30BETA17 by fyodor @insecure.org (http:// www. insecure.org/nmap/ )</p><p>Interesting ports on ip-216-25-200-135.covad.dsl.fcc.net </p><p>(216.25.200.135):</p><p>Port State Service</p><p>21/tcp open ftp </p><p>25/tcp open smtp </p><p>80/tcp open http </p><p>135/tcp open loc-srv </p><p>139/tcp open netbios-ssn </p><p>443/tcp open https </p><p>445/tcp open microsoft-ds </p><p>1025/tcp open listen </p><p>1026/tcp open nterm </p><p>1031/tcp open iad2 </p><p></p><p>TCP Sequence Prediction: Class=random positive increments</p><p> Difficulty=7635 (Worthy challenge)</p><p>Remote operating system guess: Windows 2000 RC1 through final release</p><p></p><p>Nmap run completed -- 1 IP address (1 host up) scanned in 1 second</p><p></p><p>Ok, so we've got several services to choose from on this target. The first one that catches my eye is FTP. We can use this to brute force passwords, and we can use smtp to check for user accounts. Now the fun begins. I'll first try ftp to find if anonymous ftp is enabled (which could potentially make my task a lot easier, there are rare computers with completely open upload/download ftp servers without strong restrictions (allowing you to upload and download to the web root folder)).</p><p></p><p>C:\>ftp 216.25.200.135</p><p>Connected to 216.25.200.135.</p><p>220 WIN2KSERVER Microsoft FTP Service (Version 5.0).</p><p>User (216.25.200.135 none)): anonymous</p><p>331 Password required for anonymous.</p><p>Password:foo@nowhere.com</p><p>530 User anonymous cannot log in.</p><p>Login failed.</p><p>ftp> quit</p><p>221 Fuck off!</p><p></p><p>It seems that anonymous ftp isn't enabled, and not only that the server is quite rude when I leave. The server did give some confirmation that it is running Windows NT, or in this case Windows 2000 (dead giveaway in the machines name "WIN2KSERVER"). We'll try the SMTP server now to check for user names.</p><p></p><p>220 WIN2KSERVER Microsoft ESMTP MAIL Service, Version: 5.0.2195.2966 </p><p>ready at Fri, 22 Jun 2001 09:08:49 “0400 vrfy smellydell</p><p>252 2.1.5 Cannot VRFY user, but will take message for smellydell</p><p>vrfy administrator</p><p>252 2.1.5 Cannot VRFY user, but will take message for administrator</p><p></p><p>well, there's no use in verifying anyone on this server as it seems that the server will give the same message for real and bogus accounts (all NT servers have an “administrator" account, in much the same way that *nix have root accounts). The "expn" command didn't work at all on this server (replied with “unknown command at expn postmaster). So at this point I'm S.O.L., but some machines will give a very good list of users and or active accounts using the smtp server.</p><p></p><p>Ok, so I'm off to brute forcing. The first thing I do is fire up Brutus.</p><p></p><p>Screenshot of brutus at startup</p><p></p><p>Next I'll have to modify my users list (found in users.txt in the Brutus directory) to include users I suspect to be on an NT server. NT always has a “Guest" account and an “Administrator" account. I'll add a few more guesses. In the end my users list looks like this:</p><p></p><p>A text file list of users</p><p></p><p>The next step is to fire Brutus at the target, when configured for an ftp attack, Brutus appears thus:</p><p></p><p>Configuring brutus</p><p></p><p>You'll notice I set the timeout higher than the default. Brutus nicely circumvents connection limits by creating new connections for every request. This is useful because some servers will cut your connection after 3 bad guesses at passwords. Brutus uses the targets ability to take multiple ftp requests and creates a new request for every guess (I have set the program to make 10 requests simultaneously). The timeout is the lag time that the program will allow before it makes a new request. If you don't set this high enough you are likely to flood the target and either crash its server, or simply hang Brutus. You can use a really high connection and low timeout rate as an effective DoS attack that will knock weak servers completely off the net.</p><p></p><p>So now I'll fire Brutus at the target. I'm using the default password list that comes with the program, but there are several larger, and more complete word lists available online. What Brutus will do is try every username listed in the users file with every password in the word list (and can even generate its own random word list to include all combinations of letters, characters, and numbers). Remember that most passwords are 8 characters long, so its usually not worthwhile to try and brute force very short passwords. </p><p></p><p>Now, the downside to brute forcing is that it is extremely noisy, and even the worst sysadmin should notice it. During my demonstration my server immediately popped an alert that the system log was full. A quick examination of the system log reveals the problem immediately:</p><p></p><p></p><p>All those warnings you see are bad FTP login attempts. A double click on the alert shows:</p><p></p><p>It isn't hard to figure out exactly what is going on. Even more disturbing is the log file left behind. Heres a snippit:</p><p></p><p>13:30:18 216.25.200.135 [5]USER admin 331</p><p>13:30:18 216.25.200.135 [6]USER admin 331</p><p>13:30:18 216.25.200.135 [7]USER admin 331</p><p>13:30:18 216.25.200.135 [8]USER admin 331</p><p>13:30:18 216.25.200.135 [9]USER admin 331</p><p>13:30:18 216.25.200.135 [10]USER admin 331</p><p>13:30:18 216.25.200.135 [11]USER admin 331</p><p>13:30:18 216.25.200.135 [12]USER admin 331</p><p>13:30:18 216.25.200.135 [13]USER admin 331</p><p>13:30:18 216.25.200.135 [4]PASS - 530</p><p>13:30:18 216.25.200.135 [14]USER admin 331</p><p>13:30:18 216.25.200.135 [5]PASS - 530</p><p>13:30:18 216.25.200.135 [6]PASS - 530</p><p>13:30:18 216.25.200.135 [7]PASS - 530</p><p>13:30:18 216.25.200.135 [8]PASS - 530</p><p>13:30:18 216.25.200.135 [9]PASS - 530</p><p>13:30:18 216.25.200.135 [10]PASS - 530</p><p>13:30:18 216.25.200.135 [11]PASS - 530</p><p>13:30:18 216.25.200.135 [15]USER admin 331</p><p>13:30:18 216.25.200.135 [16]USER admin 331</p><p></p><p>Not only do you notice all the tries for the same account, but you can tell it is an automated attempt to brute force because the times of the attempts are so close together (60 or so attempts a second). Even more damning is that my IP address is logged all over the huge log file. Its not hard to spot me or figure out what I'm attempting to do. Be warned if you attempt a brute force that you are probably going to get notice.</p><p></p><p>Now, I happened to be successful on this attempt and got on username and password. The results are displayed in Brutus under the “Positive Authentication Results window:</p><p></p><p>Screenshot showing brutus successfully identifying login information</p><p></p><p>You can see the username “user and password “charles" worked on the server. Lets try them out:</p><p></p><p>C:\>ftp 216.25.200.135</p><p>Connected to 216.25.200.135.</p><p>220 WIN2KSERVER Microsoft FTP Service (Version 5.0).</p><p>User (216.25.200.135 none)): user</p><p>331 Password required for user.</p><p>Password: charles</p><p>230-Fuck you!</p><p>230 User user logged in.</p><p>ftp></p><p></p><p>Boom, and its just that easy. Now that I'm in my first step should be to attempt to clean up the traces of my attack (i.e. the log files and system event logs). Accomplishing this task takes more explanation than I have time for here, but hopefully you get the idea.</p><p></p><p>If nothing else, this short article should show you the value of good passwords. If I hadn't set up the account “user" with such a crappy password this attack most likely would have been unsuccessful. See my article on passwords for a good run down of how to pick a good password to keep your accounts safe from brute force attempts.</p><p></p><p><span style="color: Blue"><strong>If you do like this post then give me a (+ <img src="/styles/default/xenforo/smilies/default/love.gif" class="smilie" loading="lazy" alt=":love:" title="Love :love:" data-shortname=":love:" />) reputation for publishing in Elakiri <img src="/styles/default/xenforo/smilies/default/yes.gif" class="smilie" loading="lazy" alt=":yes:" title="Yes :yes:" data-shortname=":yes:" /><img src="/styles/default/xenforo/smilies/default/wink.gif" class="smilie" loading="lazy" alt=";)" title="Wink ;)" data-shortname=";)" /><img src="/styles/default/xenforo/smilies/default/cool.gif" class="smilie" loading="lazy" alt=":cool:" title="Cool :cool:" data-shortname=":cool:" /></strong></span></p><p><strong>Enjoy!</strong></p></blockquote><p></p>
[QUOTE="||~DxxCxxxx~||, post: 7334285, member: 137393"] [b]Introduction to Brute Force Attack[/b] [IMG]http://i41.tinypic.com/ek24ra.jpg[/IMG] This article is designed to demonstrate how to accomplish a brute force attack, and what it looks like from the receiving end. Brute force means password guessing. This can only feasibly be accomplished with the aid of good target reconnaissance and some automated programs. While it is very easy to write your own brute force program, there are several available for free online. I find Brutus to be one of the best brute force tools. You can find it at Hoobie.net. The first step in a brute force attack (or for that matter, any attack) is target enumeration. This is the process by which we find where and how a target is vulnerable. I use NMAP for almost all of my initial cursory scans of networks. Lets use the target of my own desktop server and run an NMAP scan to find out what we have to play with. The output from my scan follows: nmap -sS -O 216.25.200.135 Starting nmap V. 2.30BETA17 by fyodor @insecure.org (http:// www. insecure.org/nmap/ ) Interesting ports on ip-216-25-200-135.covad.dsl.fcc.net (216.25.200.135): Port State Service 21/tcp open ftp 25/tcp open smtp 80/tcp open http 135/tcp open loc-srv 139/tcp open netbios-ssn 443/tcp open https 445/tcp open microsoft-ds 1025/tcp open listen 1026/tcp open nterm 1031/tcp open iad2 TCP Sequence Prediction: Class=random positive increments Difficulty=7635 (Worthy challenge) Remote operating system guess: Windows 2000 RC1 through final release Nmap run completed -- 1 IP address (1 host up) scanned in 1 second Ok, so we've got several services to choose from on this target. The first one that catches my eye is FTP. We can use this to brute force passwords, and we can use smtp to check for user accounts. Now the fun begins. I'll first try ftp to find if anonymous ftp is enabled (which could potentially make my task a lot easier, there are rare computers with completely open upload/download ftp servers without strong restrictions (allowing you to upload and download to the web root folder)). C:\>ftp 216.25.200.135 Connected to 216.25.200.135. 220 WIN2KSERVER Microsoft FTP Service (Version 5.0). User (216.25.200.135 none)): anonymous 331 Password required for anonymous. Password:foo@nowhere.com 530 User anonymous cannot log in. Login failed. ftp> quit 221 Fuck off! It seems that anonymous ftp isn't enabled, and not only that the server is quite rude when I leave. The server did give some confirmation that it is running Windows NT, or in this case Windows 2000 (dead giveaway in the machines name "WIN2KSERVER"). We'll try the SMTP server now to check for user names. 220 WIN2KSERVER Microsoft ESMTP MAIL Service, Version: 5.0.2195.2966 ready at Fri, 22 Jun 2001 09:08:49 “0400 vrfy smellydell 252 2.1.5 Cannot VRFY user, but will take message for smellydell vrfy administrator 252 2.1.5 Cannot VRFY user, but will take message for administrator well, there's no use in verifying anyone on this server as it seems that the server will give the same message for real and bogus accounts (all NT servers have an “administrator" account, in much the same way that *nix have root accounts). The "expn" command didn't work at all on this server (replied with “unknown command at expn postmaster). So at this point I'm S.O.L., but some machines will give a very good list of users and or active accounts using the smtp server. Ok, so I'm off to brute forcing. The first thing I do is fire up Brutus. Screenshot of brutus at startup Next I'll have to modify my users list (found in users.txt in the Brutus directory) to include users I suspect to be on an NT server. NT always has a “Guest" account and an “Administrator" account. I'll add a few more guesses. In the end my users list looks like this: A text file list of users The next step is to fire Brutus at the target, when configured for an ftp attack, Brutus appears thus: Configuring brutus You'll notice I set the timeout higher than the default. Brutus nicely circumvents connection limits by creating new connections for every request. This is useful because some servers will cut your connection after 3 bad guesses at passwords. Brutus uses the targets ability to take multiple ftp requests and creates a new request for every guess (I have set the program to make 10 requests simultaneously). The timeout is the lag time that the program will allow before it makes a new request. If you don't set this high enough you are likely to flood the target and either crash its server, or simply hang Brutus. You can use a really high connection and low timeout rate as an effective DoS attack that will knock weak servers completely off the net. So now I'll fire Brutus at the target. I'm using the default password list that comes with the program, but there are several larger, and more complete word lists available online. What Brutus will do is try every username listed in the users file with every password in the word list (and can even generate its own random word list to include all combinations of letters, characters, and numbers). Remember that most passwords are 8 characters long, so its usually not worthwhile to try and brute force very short passwords. Now, the downside to brute forcing is that it is extremely noisy, and even the worst sysadmin should notice it. During my demonstration my server immediately popped an alert that the system log was full. A quick examination of the system log reveals the problem immediately: All those warnings you see are bad FTP login attempts. A double click on the alert shows: It isn't hard to figure out exactly what is going on. Even more disturbing is the log file left behind. Heres a snippit: 13:30:18 216.25.200.135 [5]USER admin 331 13:30:18 216.25.200.135 [6]USER admin 331 13:30:18 216.25.200.135 [7]USER admin 331 13:30:18 216.25.200.135 [8]USER admin 331 13:30:18 216.25.200.135 [9]USER admin 331 13:30:18 216.25.200.135 [10]USER admin 331 13:30:18 216.25.200.135 [11]USER admin 331 13:30:18 216.25.200.135 [12]USER admin 331 13:30:18 216.25.200.135 [13]USER admin 331 13:30:18 216.25.200.135 [4]PASS - 530 13:30:18 216.25.200.135 [14]USER admin 331 13:30:18 216.25.200.135 [5]PASS - 530 13:30:18 216.25.200.135 [6]PASS - 530 13:30:18 216.25.200.135 [7]PASS - 530 13:30:18 216.25.200.135 [8]PASS - 530 13:30:18 216.25.200.135 [9]PASS - 530 13:30:18 216.25.200.135 [10]PASS - 530 13:30:18 216.25.200.135 [11]PASS - 530 13:30:18 216.25.200.135 [15]USER admin 331 13:30:18 216.25.200.135 [16]USER admin 331 Not only do you notice all the tries for the same account, but you can tell it is an automated attempt to brute force because the times of the attempts are so close together (60 or so attempts a second). Even more damning is that my IP address is logged all over the huge log file. Its not hard to spot me or figure out what I'm attempting to do. Be warned if you attempt a brute force that you are probably going to get notice. Now, I happened to be successful on this attempt and got on username and password. The results are displayed in Brutus under the “Positive Authentication Results window: Screenshot showing brutus successfully identifying login information You can see the username “user and password “charles" worked on the server. Lets try them out: C:\>ftp 216.25.200.135 Connected to 216.25.200.135. 220 WIN2KSERVER Microsoft FTP Service (Version 5.0). User (216.25.200.135 none)): user 331 Password required for user. Password: charles 230-Fuck you! 230 User user logged in. ftp> Boom, and its just that easy. Now that I'm in my first step should be to attempt to clean up the traces of my attack (i.e. the log files and system event logs). Accomplishing this task takes more explanation than I have time for here, but hopefully you get the idea. If nothing else, this short article should show you the value of good passwords. If I hadn't set up the account “user" with such a crappy password this attack most likely would have been unsuccessful. See my article on passwords for a good run down of how to pick a good password to keep your accounts safe from brute force attempts. [COLOR=Blue][B]If you do like this post then give me a (+ :love:) reputation for publishing in Elakiri :yes:;):cool:[/B][/COLOR] [B]Enjoy![/B] [/QUOTE]
Insert quotes…
Verification
Hath warak paha keeyada? (hatha wadikireema paha)
Post reply
Top
Bottom