Announcement

Collapse
No announcement yet.

Visual Basic 6 - SB Brute Forcer

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Visual Basic 6 - SB Brute Forcer

    I was screwing around in Visual Basic a while back and wrote this. Just found it on my hard drive, and thought I'd share it here. It works decently well, but I think it may have problems with wordlists that are too large (haven't really checked beyond a thousand or so). Also, I didn't bother packaging the OCX file with it. I had the OCX file installed on my computer, but I found some other computers with XP don't have it, so I put up a download link for it too (just keep it in the same directory as the program, I believe).

    Enjoy. If anyone is interested in developing this application further, or wants to see the code to learn from it, post here and I will. I just have to be motivated (I'd have to search a bit for the source)




    Download:
    http://seanybob.net/codedownloads/br...ruteForcer.exe
    http://seanybob.net/codedownloads/br...cer/MSINET.OCX
    [tabmenu]
    [tab='McCode Mods - 2 Player Live Games']
    $15-$75
    [mp]198[/mp]
    [/tabmenu]

  • #2
    mmm... not sure it's a smart tool to give away here...
    - Make Web Games
    - Creator of NWE
    - Owner of Nowhere Else and beyond
    - Mad developer

    Comment


    • #3
      I'd like to view source to view if its a true brute force and not just a password cracker. ;]
      Coding Samples :: Tips :: Discussions :: Game Directory => Game Makers Forums
      Online RPG Creator

      Comment


      • #4
        Originally posted by Sim','index.php?page=Thread&postID=159084#post1590 84
        I'd like to view source to view if its a true brute force and not just a password cracker. ;]
        lol a brute forcer is easier than a password cracker.
        [font='Verdana, Helvetica, sans-serif'][/font]

        Comment


        • #5
          no its not. a password cracker just uses a word list to check if the password is right or not.

          brute forcer cycles through chars to check response time
          ex:

          password: "abc"



          abd = responds faster as first 2 letters are correct
          ace = responds faster then abd but is wrong
          bcd = responds fastest
          Coding Samples :: Tips :: Discussions :: Game Directory => Game Makers Forums
          Online RPG Creator

          Comment


          • #6
            Originally posted by Sim','index.php?page=Thread&postID=159088#post1590 88
            no its not. a password cracker just uses a word list to check if the password is right or not.
            brute forcer cycles through chars to check response time
            ex:
            password: "abc"

            abd = responds faster as first 2 letters are correct
            ace = responds faster then abd but is wrong
            bcd = responds fastest
            Now that i didn't know... I used to create crackers in Visual Basics which basically only worked if they were exact passwords, i also had issues with large lists like you SeanyBob. I do actually still have about 20 mb's of word lists involving pet names, ladies, men, arab and so on if anyone is interested... lol Fruitful pasts are so interesting i think.

            Note i do know 20 mb's is small compared to the tb's of them out there but ain't bad for 5 years old lists lol

            Also i've not opened VB in several years i wouldn't mind the source of this also just to see if i still remember anything.

            Question i just asked myself, winsock?

            If the bad login message is multiple lines would it be html or /r to signify new line ie

            Sitename Bad login

            Invalid password or username.
            >back
            would it not be easier to just check if it goes to a specific file like on MC loggedin.php after authenticate, and stays on authenticate if there's a problem.

            Comment


            • #7
              Judging from the screenshot, this program uses a dictionary attack, not brute force.

              Originally posted by Sim','index.php?page=Thread&postID=159088#post1590 88
              no its not. a password cracker just uses a word list to check if the password is right or not.

              brute forcer cycles through chars to check response time
              ex:

              password: "abc"



              abd = responds faster as first 2 letters are correct
              ace = responds faster then abd but is wrong
              bcd = responds fastest
              lol, ummm, no. You got the response time wrong, the more correct strings would have a longer response time.
              Response time by characters?! That would depend on how the strings are compared, and I doubt many systems compare on a character by character basis.
              What's easier? Comparing a 256bit string at once, or comparing 256 bits separately?
              Also, your method wouldn't work over the internet as loading time would completely overshadow any difference in computation.

              Using a word list to try passwords is a dictionary attack.
              Trying every permutation of characters is a brute force attack.
              Password cracking isn't a method, it's a description of an activity. Brute forcing is a method of password cracking, as is a dictionary attack, as is guessing.
              [font='Verdana, Helvetica, sans-serif'][/font]

              Comment


              • #8
                Yes, yes, you're all correct - the correct name for the method this program uses is a dictionary attack. I used the term 'brute force' in a general way, as it doesn't use logic or anything of that nature, but just word by word throws a possibility at a website and checks to see if it works (thus, brute force).

                True Brute Forcing would be checking all possible permutations, etc, etc.

                Bertrand, I can take this off if it bothers you, but really - there are dozens of much better programs that are easily found online that perform a similar or better function. While that doesn't justify posting it on here, I think that does make it so there is very little risk involved in doing so. But you're welcome to delete this thread at any time you wish to.

                I just want to re-iterate; this program doesn't work super-well. It was one of the first things I wrote in VB. You'll notice from the code it's actually a very, very simple program.

                Source:
                http://seanybob.net/codedownloads/bruteforcer/brute.zip
                [tabmenu]
                [tab='McCode Mods - 2 Player Live Games']
                $15-$75
                [mp]198[/mp]
                [/tabmenu]

                Comment


                • #9
                  Originally posted by CrimGame.com','index.php?page=Thread&postID=159094 #post159094
                  If the bad login message is multiple lines would it be html or /r to signify new line ie

                  Sitename Bad login

                  Invalid password or username.
                  >back
                  would it not be easier to just check if it goes to a specific file like on MC loggedin.php after authenticate, and stays on authenticate if there's a problem.
                  Probably. But since the phrase 'Bad login' or 'Invalid password' are unlikely to appear on a successfully logged in page, they serve the purpose just as well.
                  [tabmenu]
                  [tab='McCode Mods - 2 Player Live Games']
                  $15-$75
                  [mp]198[/mp]
                  [/tabmenu]

                  Comment


                  • #10
                    No you can keep it, simply it's not something that... bland.

                    On the other site, site owners should limit the number of trials a given IP could do in a given time. I allow 4 in 15min, which means after 4 trials you will have to wait 15 min before being able to check another password. That makes basically this kind of attack useless.
                    - Make Web Games
                    - Creator of NWE
                    - Owner of Nowhere Else and beyond
                    - Mad developer

                    Comment


                    • #11
                      Isn't hard to add proxies to a list also though and then simply run through the proxies - 1500 proxies - 100 names - 10000 passwords would take a long time to run through the proxies specially if it moved through the names rather than the passwords...

                      I will use GD to put a sum into a image and they need the result inputted after 3 false passwords... simple - so then they need to manually write the CAPTCHA result in every 3 goes... good luck with that. (haven't implemented this yet will update on progress)

                      Comment


                      • #12
                        indeed proxy could be used... However I blocked them not long ago by doing some sort of port scan from the server to the host which call me. Therefore proxies are defeated. However nothing is really safe, and if somebody is smart / good enough and is willing to spend the time, he/she may find ways around any kind of security.

                        The only real secure things then, end up by using devices which generate codes based on some algo and the time, and every 60 sec they change. So you would need to use the same secure device to be able to log + your username and password.
                        - Make Web Games
                        - Creator of NWE
                        - Owner of Nowhere Else and beyond
                        - Mad developer

                        Comment

                        Working...
                        X