MakeWebGames

Visual Basic 6 - SB Brute Forcer


seanybob


I was screwing around in Visual Basic a while back and wrote this. Just found it on my hard drive, and thought I'd share it here. It works decently well, but I think it may have problems with wordlists that are too large (haven't really checked beyond a thousand or so). Also, I didn't bother packaging the OCX file with it. I had the OCX file installed on my computer, but I found some other computers with XP don't have it, so I put up a download link for it too (just keep it in the same directory as the program, I believe).

Enjoy. If anyone is interested in developing this application further, or wants to see the code to learn from it, post here and I will. I just have to be motivated (I'd have to search a bit for the source).


bruteforcer.PNG

Download:

http://seanybob.net/codedownloads/bruteforcer/BruteForcer.exe

http://seanybob.net/codedownloads/bruteforcer/MSINET.OCX

Link to comment
Share on other sites

No, it's not. A password cracker just uses a word list to check if the password is right or not.

A brute forcer cycles through chars to check response time.

ex:

password: "abc"

abd = responds faster as first 2 letters are correct

ace = responds faster than abd but is wrong

bcd = responds fastest

Link to comment
Share on other sites

No, it's not. A password cracker just uses a word list to check if the password is right or not.

A brute forcer cycles through chars to check response time.

ex:

password: "abc"

abd = responds faster as first 2 letters are correct

ace = responds faster than abd but is wrong

bcd = responds fastest

Now that I didn't know... I used to create crackers in Visual Basic which basically only worked if they were exact passwords; I also had issues with large lists like you, SeanyBob. I do actually still have about 20 MB of word lists involving pet names, ladies, men, Arab and so on if anyone is interested... lol. Fruitful pasts are so interesting, I think.

Note: I do know 20 MB is small compared to the TBs of them out there, but it ain't bad for 5-year-old lists lol

Also, I've not opened VB in several years; I wouldn't mind the source of this also, just to see if I still remember anything.

Question I just asked myself: winsock?

If the bad login message is multiple lines, would it be html or /r to signify a new line, i.e.

Sitename Bad login

Invalid password or username.

>back

Would it not be easier to just check if it goes to a specific file, like on MC loggedin.php after authenticate, and stays on authenticate if there's a problem?

Link to comment
Share on other sites

Judging from the screenshot, this program uses a dictionary attack, not brute force.

No, it's not. A password cracker just uses a word list to check if the password is right or not.

A brute forcer cycles through chars to check response time.

ex:

password: "abc"

abd = responds faster as first 2 letters are correct

ace = responds faster than abd but is wrong

bcd = responds fastest

lol, ummm, no. You got the response time wrong, the more correct strings would have a longer response time.

Response time by characters?! That would depend on how the strings are compared, and I doubt many systems compare on a character by character basis.

What's easier? Comparing a 256bit string at once, or comparing 256 bits separately?

Also, your method wouldn't work over the internet as loading time would completely overshadow any difference in computation.

Using a word list to try passwords is a dictionary attack.

Trying every permutation of characters is a brute force attack.

Password cracking isn't a method, it's a description of an activity. Brute forcing is a method of password cracking, as is a dictionary attack, as is guessing.

Link to comment
Share on other sites
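
The timing question argued above, as an added example in Python (not code from the thread or from the posted program): an early-exit comparison does more work the longer the matching prefix, while a site that stores salted hashes and compares them with `hmac.compare_digest` leaves the guess's prefix nothing to leak. The function names, the salt and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac


def early_exit_equal(a: bytes, b: bytes):
    """Character-by-character compare that stops at the first mismatch.

    Returns (equal, bytes_examined) so the data-dependent work is visible
    without relying on noisy wall-clock measurements.
    """
    if len(a) != len(b):
        return False, 0
    for examined, (x, y) in enumerate(zip(a, b), start=1):
        if x != y:
            return False, examined
    return True, len(a)


def work_profile(secret: str, guesses):
    """Bytes examined per guess; more bytes examined means a slower reply."""
    return {g: early_exit_equal(secret.encode(), g.encode())[1] for g in guesses}


# Constructed value for the demo; a real site uses a random salt per user.
SALT = b"constructed-demo-salt"


def hash_password(password: str) -> bytes:
    """Salted, iterated hash; similar passwords give unrelated digests."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def check_login(stored_hash: bytes, candidate: str) -> bool:
    """Compare digests in time that does not depend on where they differ."""
    return hmac.compare_digest(stored_hash, hash_password(candidate))


if __name__ == "__main__":
    # The three guesses from the thread against the password "abc".
    print(work_profile("abc", ["abd", "ace", "bcd"]))
    stored = hash_password("abc")
    print(check_login(stored, "abc"), check_login(stored, "abd"))
```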

Yes, yes, you're all correct - the correct name for the method this program uses is a dictionary attack. I used the term 'brute force' in a general way, as it doesn't use logic or anything of that nature, but just word by word throws a possibility at a website and checks to see if it works (thus, brute force).

True Brute Forcing would be checking all possible permutations, etc, etc.

Bertrand, I can take this off if it bothers you, but really - there are dozens of much better programs that are easily found online that perform a similar or better function. While that doesn't justify posting it on here, I think that does make it so there is very little risk involved in doing so. But you're welcome to delete this thread at any time you wish to.

I just want to re-iterate; this program doesn't work super-well. It was one of the first things I wrote in VB. You'll notice from the code it's actually a very, very simple program.

Source:

http://seanybob.net/codedownloads/bruteforcer/brute.zip

Link to comment
Share on other sites

If the bad login message is multiple lines, would it be html or /r to signify a new line, i.e.

Sitename Bad login

Invalid password or username.

>back

Would it not be easier to just check if it goes to a specific file, like on MC loggedin.php after authenticate, and stays on authenticate if there's a problem?

Probably. But since the phrases 'Bad login' or 'Invalid password' are unlikely to appear on a successfully logged in page, they serve the purpose just as well.

Link to comment
Share on other sites

No, you can keep it, simply it's not something that... bland.

On the other side, site owners should limit the number of trials a given IP could do in a given time. I allow 4 in 15 min, which means after 4 trials you will have to wait 15 min before being able to check another password. That basically makes this kind of attack useless.

Link to comment
Share on other sites

Isn't hard to add proxies to a list also though and then simply run through the proxies - 1500 proxies - 100 names - 10000 passwords would take a long time to run through the proxies, especially if it moved through the names rather than the passwords...

I will use GD to put a sum into an image and they need the result inputted after 3 false passwords... simple - so then they need to manually write the CAPTCHA result in every 3 goes... good luck with that. (Haven't implemented this yet, will update on progress.)

Link to comment
Share on other sites
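
The two defences described in the posts above, combined in one added example in Python (not code from any poster or site): a per-IP limit of 4 failed attempts per 15 minutes, plus a per-account counter that demands a CAPTCHA after 3 failures so the limit still bites when requests arrive from many addresses. The class name, the sliding-window behaviour, counting only failed attempts and the in-memory storage are assumptions for illustration.

```python
import time
from collections import defaultdict, deque

WINDOW = 15 * 60     # seconds; the 15-minute window from the post
MAX_PER_IP = 4       # "4 in 15 min"
CAPTCHA_AFTER = 3    # failures on one account before a CAPTCHA is required


class LoginThrottle:
    """Sliding-window failure counters keyed by client IP and by account."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable so tests can fake time
        self.by_ip = defaultdict(deque)
        self.by_user = defaultdict(deque)

    def _recent(self, failures):
        """Drop timestamps older than the window and count the rest."""
        cutoff = self.clock() - WINDOW
        while failures and failures[0] <= cutoff:
            failures.popleft()
        return len(failures)

    def check(self, ip, username):
        """Call before verifying a password: 'block', 'captcha' or 'allow'."""
        if self._recent(self.by_ip[ip]) >= MAX_PER_IP:
            return "block"
        if self._recent(self.by_user[username.lower()]) >= CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def record_failure(self, ip, username):
        now = self.clock()
        self.by_ip[ip].append(now)
        self.by_user[username.lower()].append(now)

    def record_success(self, username):
        # A correct login clears the account counter, not the IP counter.
        self.by_user.pop(username.lower(), None)


if __name__ == "__main__":
    throttle = LoginThrottle()
    for _ in range(5):
        # 203.0.113.5 is a documentation address, constructed for the demo.
        print(throttle.check("203.0.113.5", "alice"))
        throttle.record_failure("203.0.113.5", "alice")
```

A production version would keep the counters in shared storage such as the database or a cache, so they survive restarts and apply across web servers.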

Indeed, proxies could be used... However I blocked them not long ago by doing some sort of port scan from the server to the host which calls me. Therefore proxies are defeated. However nothing is really safe, and if somebody is smart / good enough and is willing to spend the time, he/she may find ways around any kind of security.

The only really secure things, then, end up being devices which generate codes based on some algo and the time, and every 60 sec they change. So you would need to use the same secure device to be able to log in + your username and password.

Link to comment
Share on other sites
