How to brute-force web-based authentication system
Cool article. Here are some things I thought about;
First, unless Hydra uses a proxy (which I doubt, as that would slow things down by a lot), your IP will be clearly visible in the server’s logs. And yes, thousands of attempts at logging in as admin kind of stick out, even on a larger site. Just something to keep in mind, as I’d imagine this would be considered illegal in many countries.
Following on from what I said above about easily identifiable attempts: many sites implement some sort of additional authentication after multiple wrong login attempts (such as a captcha). Not sure if Hydra can handle such things, but even if it does, it will drastically increase the time it would take.
Another quite problematic thing about remote brute forcing is the time it takes to make a request. Even on a site with a ridiculously low response time of 0.5 seconds, and with you making 200 requests simultaneously, that’s still only 400 guesses per second. It might sound like a lot, but an alphanumeric password of just 5 characters can be combined in (26+10)^5 = 60466176 ways. That would take you three and a half days to try them all. This, of course, can be reduced in numerous ways (e.g. using a dictionary), but it is still a major flaw of this approach.
Finally, please keep in mind that this tool can (intentionally or not) generate enough traffic to break the bandwidth limit of a smaller site. That could end up being quite expensive.
print(", ".join([str(x) for x in range(1,100) if not [y for y in range(2, x) if x%y==0]]))
Thanks for the HQ comment, verath! First of all, I myself use nVPN without log files and tunnelling in PuTTY. Despite the multiple IP changes, the connection is quite stable. As for the additional authentication filtering, I usually divide the attack across different ports over 443. The main attack is running on 80, but all the others are scattered over different ports. Also, the requests are not a problem if you have a team. Let’s say we are 10 people running full attacks on different ports; that way our attack will be about 10 times larger and much more successful if each of us uses a different wordlist. And yes, for your final paragraph I totally agree. Smaller websites usually use free hosting services with low bandwidth. But I don’t suppose they’d be a target for anyone, since they don’t conceal important information, as they are not that “popular”.
Again, thanks for pointing out those factors, so as to keep users aware of the actual situation and show them how to use it properly. What’s more, I’ll even make a tutorial on hiding your IP address and all the stuff around becoming anonymous on the web.
Good points there, verath. Always cover and protect yourself when doing anything like this. Although this would/will be slow, I believe Hydra can be used with proxychains and Tor: proxychains ./hydra -L /root/usernames.txt -P /root/HugeDB.txt -e ns -vV -s 80 site.com http-post-form "/login.php&username=^USER^&password=^PASS^"
It’s worth remembering that you could still be traced, but it would be more hassle to do so when you’re using proxychains and/or Tor :)
EDIT:: Or even better like Keeper said :D
I would love to change the world, but they won’t give me the source code.
about the additional authentication filtration I usually divide the attack to different ports over 443
I would imagine any larger system would not only block attempts based on the remote IP/port, but also based on the user that is being accessed. As in, no matter where the requests are coming from, if the user mistyped his/her password some x times in y seconds, the server would simply not allow any more login attempts for this user for a couple of seconds. Alternatively, the server might force a captcha for signing in. I think Google does this, for example: if you mistype a few times you’ll have to enter a captcha code to be able to log in, no matter where you are trying to log in from.
About spreading the requests, it would indeed speed up the process. 10 people would still take (using the same assumption as earlier) 3.5/10 = 0.35 days, or about 21 hours. I guess the ideal would be to control a botnet of a couple of thousand computers. Not only would this make IP filtering close to impossible, it would decrease the time necessary to something somewhat bearable. The problem would be that this most likely would overload the server (as it not only has to respond to the requests, but also calculate hashes for all of them).
It’s an interesting topic. I for one would probably prefer just about any other method, but you can’t really dismiss it. It will work eventually :P
print(", ".join([str(x) for x in range(1,100) if not [y for y in range(2, x) if x%y==0]]))
I suppose if it’s a bigger website (let’s say a company), the administrator would just disable the login, as he would not be able to handle the attacks. Either way, there could be an alternative method. Let’s say he simply deletes the login form or the page for authentication passing. We could still manage to code up our own using Persistent XSS and embed a login form with the correct destination path for authentication. If so, then we can create numerous login forms around the whole web. But that’s just an alternative if the admin decides to disable the login.
As for captchas, if we are skilled enough and we can code a captcha-bypassing or auto-filling script based on image identification, then we can really get rid of that precaution. Either way, it will eventually take some time for the script to execute, but nevertheless it will manage to bypass it and resume the attack. Or even automatically changing/spoofing the IP address every 3 attempts would still not be a problem. The connection would be stable and the change itself would not last for more than 3-4 seconds, I suppose. We actually don’t need that many IPs, just two which will switch every 3 attempts.
Basically: depending on where you live, it can be (probably is) illegal, and if you are traced, then you are in trouble… Hydra isn’t the most stealthy tool, but brute forcers rarely are…
- daMage
I’m new at this. I can now deface a website, but that’s the most. I learn fast, but what is BackTrack???
0110110001101001001000000110001001110010011110000010000001100110011001000111000100100000011101010110100001100100011001110010000001110111011010110110110001110110001000000101000001010110010010100010000001110000011010000010000001110110011001000110001001101100011100010110101000100000011011000010000001110101011010000110010001100111001000000110001001110010011110000111010100100000011101100110110001101010