Visual Basic 6 - SB Brute Forcer



seanybob
01-18-2010, 01:45 PM
I was screwing around in Visual Basic a while back and wrote this. Just found it on my hard drive, and thought I'd share it here. It works decently well, but I think it may have problems with wordlists that are too large (haven't really checked beyond a thousand or so). Also, I didn't bother packaging the OCX file with it. I had the OCX file installed on my computer, but I found some other computers with XP don't have it, so I put up a download link for it too (just keep it in the same directory as the program, I believe).

Enjoy. If anyone is interested in developing this application further, or wants to see the code to learn from it, post here and I will. I just have to be motivated (I'd have to search a bit for the source).


http://seanybob.net/codedownloads/bruteforcer/bruteforcer.PNG

Download:
http://seanybob.net/codedownloads/bruteforcer/BruteForcer.exe
http://seanybob.net/codedownloads/bruteforcer/MSINET.OCX

a_bertrand
01-18-2010, 06:36 PM
mmm... not sure it's a smart tool to give away here...

Sim
01-18-2010, 09:04 PM
I'd like to view the source to view if it's a true brute force and not just a password cracker. ;]

Zeggy
01-18-2010, 09:53 PM
I'd like to view the source to view if it's a true brute force and not just a password cracker. ;]

lol a brute forcer is easier than a password cracker.

Sim
01-18-2010, 10:55 PM
No, it's not. A password cracker just uses a word list to check if the password is right or not.

A brute forcer cycles through chars to check response time.
ex:

password: "abc"

abd = responds faster as first 2 letters are correct
ace = responds faster than abd but is wrong
bcd = responds fastest

Zero-Affect
01-19-2010, 02:05 AM
No, it's not. A password cracker just uses a word list to check if the password is right or not.
A brute forcer cycles through chars to check response time.
ex:
password: "abc"

abd = responds faster as first 2 letters are correct
ace = responds faster than abd but is wrong
bcd = responds fastest

Now that I didn't know... I used to create crackers in Visual Basic which basically only worked if they were exact passwords; I also had issues with large lists like you, SeanyBob. I do actually still have about 20 MB of word lists involving pet names, ladies, men, Arab and so on if anyone is interested... lol. Fruitful pasts are so interesting, I think.

Note I do know 20 MB is small compared to the TBs of them out there, but it ain't bad for 5-year-old lists lol.

Also, I've not opened VB in several years; I wouldn't mind the source of this also, just to see if I still remember anything.

Question I just asked myself: Winsock?

If the bad login message is multiple lines, would it be HTML or /r to signify a new line, i.e.

Sitename Bad login

Invalid password or username.
>back

Would it not be easier to just check if it goes to a specific file, like on MC loggedin.php after authenticate, and stays on authenticate if there's a problem?

Zeggy
01-19-2010, 09:52 AM
Judging from the screenshot, this program uses a dictionary attack, not brute force.


No, it's not. A password cracker just uses a word list to check if the password is right or not.

A brute forcer cycles through chars to check response time.
ex:

password: "abc"

abd = responds faster as first 2 letters are correct
ace = responds faster than abd but is wrong
bcd = responds fastest

lol, ummm, no. You got the response time wrong; the more correct strings would have a longer response time.
Response time by characters?! That would depend on how the strings are compared, and I doubt many systems compare on a character-by-character basis.
What's easier? Comparing a 256-bit string at once, or comparing 256 bits separately?
Also, your method wouldn't work over the internet, as loading time would completely overshadow any difference in computation.

Using a word list to try passwords is a dictionary attack.
Trying every permutation of characters is a brute force attack.
Password cracking isn't a method, it's a description of an activity. Brute forcing is a method of password cracking, as is a dictionary attack, as is guessing.

seanybob
01-19-2010, 08:01 PM
Yes, yes, you're all correct - the correct name for the method this program uses is a dictionary attack. I used the term 'brute force' in a general way, as it doesn't use logic or anything of that nature, but just word by word throws a possibility at a website and checks to see if it works (thus, brute force).

True Brute Forcing would be checking all possible permutations, etc, etc.

Bertrand, I can take this off if it bothers you, but really - there are dozens of much better programs that are easily found online that perform a similar or better function. While that doesn't justify posting it on here, I think that does make it so there is very little risk involved in doing so. But you're welcome to delete this thread at any time you wish to.

I just want to re-iterate; this program doesn't work super-well. It was one of the first things I wrote in VB. You'll notice from the code it's actually a very, very simple program.

Source:
http://seanybob.net/codedownloads/bruteforcer/brute.zip

seanybob
01-19-2010, 08:03 PM
If the bad login message is multiple lines, would it be HTML or /r to signify a new line, i.e.

Sitename Bad login

Invalid password or username.
>back

Would it not be easier to just check if it goes to a specific file, like on MC loggedin.php after authenticate, and stays on authenticate if there's a problem?

Probably. But since the phrases 'Bad login' or 'Invalid password' are unlikely to appear on a successfully logged-in page, they serve the purpose just as well.

a_bertrand
01-20-2010, 05:17 AM
No, you can keep it, simply it's not something that... bland.

On the other side, site owners should limit the number of trials a given IP could do in a given time. I allow 4 in 15 min, which means after 4 trials you will have to wait 15 min before being able to check another password. That basically makes this kind of attack useless.

Zero-Affect
01-20-2010, 05:32 AM
It isn't hard to add proxies to a list also, though, and then simply run through the proxies. 1500 proxies, 100 names and 10000 passwords would take a long time to run through the proxies, especially if it moved through the names rather than the passwords...

I will use GD to put a sum into an image, and they need the result inputted after 3 false passwords... simple. So then they need to manually write the CAPTCHA result in every 3 goes... good luck with that. (Haven't implemented this yet; will update on progress.)
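An added example, not code from this thread or from either poster, of the two server-side defences they describe: a_bertrand's limit of 4 trials per IP in 15 minutes and Zero-Affect's CAPTCHA demand after 3 false passwords, combined in one per-IP sliding-window throttle. The class and method names are assumptions, and the clock is injectable so the 15-minute window can be exercised without waiting.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60  # a_bertrand: 4 trials per IP, then wait 15 min
MAX_ATTEMPTS = 4
CAPTCHA_AFTER = 3         # Zero-Affect: demand a CAPTCHA after 3 false passwords


class LoginThrottle:
    """Per-IP sliding-window throttle for failed logins (hypothetical helper; `clock` is injectable for tests)."""

    def __init__(self, window=WINDOW_SECONDS, max_attempts=MAX_ATTEMPTS,
                 captcha_after=CAPTCHA_AFTER, clock=time.monotonic):
        self.window = window
        self.max_attempts = max_attempts
        self.captcha_after = captcha_after
        self.clock = clock
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures

    def _recent(self, ip, now):
        # Drop failures older than the window; what remains is the live count.
        q = self._failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def check(self, ip):
        """Decide before processing a login: 'allow', 'captcha' or 'block'."""
        n = len(self._recent(ip, self.clock()))
        if n >= self.max_attempts:
            return "block"
        if n >= self.captcha_after:
            return "captcha"
        return "allow"

    def record_failure(self, ip):
        now = self.clock()
        self._recent(ip, now).append(now)

    def record_success(self, ip):
        # A correct password clears the counter for that IP (design choice).
        self._failures.pop(ip, None)

    def retry_after(self, ip):
        """Seconds until a blocked IP's oldest failure leaves the window (0 if not blocked)."""
        now = self.clock()
        q = self._recent(ip, now)
        return 0 if len(q) < self.max_attempts else self.window - (now - q[0])
```

Call `check()` before verifying the password and `record_failure()`/`record_success()` after, and surface `retry_after()` in the block response so legitimate users know how long to wait.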

a_bertrand
01-20-2010, 09:31 AM
Indeed, proxies could be used... However, I blocked them not long ago by doing some sort of port scan from the server to the host which calls me. Therefore proxies are defeated. However, nothing is really safe, and if somebody is smart / good enough and is willing to spend the time, he/she may find ways around any kind of security.

The only really secure things, then, end up using devices which generate codes based on some algo and the time, and every 60 sec they change. So you would need to use the same secure device to be able to log in, + your username and password.