seanybob Posted January 18, 2010 Share Posted January 18, 2010 I was screwing around in Visual Basic a while back and wrote this. Just found it on my hard drive, and thought I'd share it here. It works decently well, but I think it may have problems with wordlists that are too large (haven't really checked beyond a thousand or so). Also, I didn't bother packaging the OCX file with it. I had the OCX file installed on my computer, but I found some other computers with XP don't have it, so I put up a download link for it too (just keep it in the same directory as the program, I believe). Enjoy. If anyone is interested in developing this application further, or wants to see the code to learn from it, post here and I will. I just have to be motivated (I'd have to search a bit for the source) Download: http://seanybob.net/codedownloads/bruteforcer/BruteForcer.exe http://seanybob.net/codedownloads/bruteforcer/MSINET.OCX Quote Link to comment Share on other sites More sharing options...
a_bertrand Posted January 18, 2010 Share Posted January 18, 2010 mmm... not sure it's a smart tool to give away here... Quote Link to comment Share on other sites More sharing options...
Sim Posted January 18, 2010 Share Posted January 18, 2010 I'd like to view source to view if its a true brute force and not just a password cracker. ;] Quote Link to comment Share on other sites More sharing options...
Zeggy Posted January 18, 2010 Share Posted January 18, 2010 I'd like to view source to view if its a true brute force and not just a password cracker. ;] lol a brute forcer is easier than a password cracker. Quote Link to comment Share on other sites More sharing options...
Sim Posted January 18, 2010 Share Posted January 18, 2010 no its not. a password cracker just uses a word list to check if the password is right or not. brute forcer cycles through chars to check response time ex: password: "abc" abd = responds faster as first 2 letters are correct ace = responds faster then abd but is wrong bcd = responds fastest Quote Link to comment Share on other sites More sharing options...
Zero-Affect Posted January 19, 2010 Share Posted January 19, 2010 no its not. a password cracker just uses a word list to check if the password is right or not. brute forcer cycles through chars to check response time ex: password: "abc" abd = responds faster as first 2 letters are correct ace = responds faster then abd but is wrong bcd = responds fastest Now that i didn't know... I used to create crackers in Visual Basics which basically only worked if they were exact passwords, i also had issues with large lists like you SeanyBob. I do actually still have about 20 mb's of word lists involving pet names, ladies, men, arab and so on if anyone is interested... lol Fruitful pasts are so interesting i think. Note i do know 20 mb's is small compared to the tb's of them out there but ain't bad for 5 years old lists lol Also i've not opened VB in several years i wouldn't mind the source of this also just to see if i still remember anything. Question i just asked myself, winsock? If the bad login message is multiple lines would it be html or /r to signify new line ie Sitename Bad login Invalid password or username. >back would it not be easier to just check if it goes to a specific file like on MC loggedin.php after authenticate, and stays on authenticate if there's a problem. Quote Link to comment Share on other sites More sharing options...
Zeggy Posted January 19, 2010 Share Posted January 19, 2010 Judging from the screenshot, this program uses a dictionary attack, not brute force. no its not. a password cracker just uses a word list to check if the password is right or not. brute forcer cycles through chars to check response time ex: password: "abc" abd = responds faster as first 2 letters are correct ace = responds faster then abd but is wrong bcd = responds fastest lol, ummm, no. You got the response time wrong, the more correct strings would have a longer response time. Response time by characters?! That would depend on how the strings are compared, and I doubt many systems compare on a character by character basis. What's easier? Comparing a 256bit string at once, or comparing 256 bits separately? Also, your method wouldn't work over the internet as loading time would completely overshadow any difference in computation. Using a word list to try passwords is a dictionary attack. Trying every permutation of characters is a brute force attack. Password cracking isn't a method, it's a description of an activity. Brute forcing is a method of password cracking, as is a dictionary attack, as is guessing. Quote Link to comment Share on other sites More sharing options...
seanybob Posted January 19, 2010 Author Share Posted January 19, 2010 Yes, yes, you're all correct - the correct name for the method this program uses is a dictionary attack. I used the term 'brute force' in a general way, as it doesn't use logic or anything of that nature, but just word by word throws a possibility at a website and checks to see if it works (thus, brute force). True Brute Forcing would be checking all possible permutations, etc, etc. Bertrand, I can take this off if it bothers you, but really - there are dozens of much better programs that are easily found online that perform a similar or better function. While that doesn't justify posting it on here, I think that does make it so there is very little risk involved in doing so. But you're welcome to delete this thread at any time you wish to. I just want to re-iterate; this program doesn't work super-well. It was one of the first things I wrote in VB. You'll notice from the code it's actually a very, very simple program. Source: http://seanybob.net/codedownloads/bruteforcer/brute.zip Quote Link to comment Share on other sites More sharing options...
seanybob Posted January 19, 2010 Author Share Posted January 19, 2010 If the bad login message is multiple lines would it be html or /r to signify new line ie Sitename Bad login Invalid password or username. >back would it not be easier to just check if it goes to a specific file like on MC loggedin.php after authenticate, and stays on authenticate if there's a problem. Probably. But since the phrase 'Bad login' or 'Invalid password' are unlikely to appear on a successfully logged in page, they serve the purpose just as well. Quote Link to comment Share on other sites More sharing options...
a_bertrand Posted January 20, 2010 Share Posted January 20, 2010 No you can keep it, simply it's not something that... bland. On the other site, site owners should limit the number of trials a given IP could do in a given time. I allow 4 in 15min, which means after 4 trials you will have to wait 15 min before being able to check another password. That makes basically this kind of attack useless. Quote Link to comment Share on other sites More sharing options...
Zero-Affect Posted January 20, 2010 Share Posted January 20, 2010 Isn't hard to add proxies to a list also though and then simply run through the proxies - 1500 proxies - 100 names - 10000 passwords would take a long time to run through the proxies specially if it moved through the names rather than the passwords... I will use GD to put a sum into a image and they need the result inputted after 3 false passwords... simple - so then they need to manually write the CAPTCHA result in every 3 goes... good luck with that. (haven't implemented this yet will update on progress) Quote Link to comment Share on other sites More sharing options...
a_bertrand Posted January 20, 2010 Share Posted January 20, 2010 indeed proxy could be used... However I blocked them not long ago by doing some sort of port scan from the server to the host which call me. Therefore proxies are defeated. However nothing is really safe, and if somebody is smart / good enough and is willing to spend the time, he/she may find ways around any kind of security. The only real secure things then, end up by using devices which generate codes based on some algo and the time, and every 60 sec they change. So you would need to use the same secure device to be able to log + your username and password. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.