Join our NFL football pool, $5 a week and a chance to win a lot more than that! Check the topic here: CLICK HERE

Victim of Venomz's Scam? Contact me, I may be able to help you recover some funds - TuxifieD

Make a recent trade or sale? Use the feedback system to leave a review!

 

Sign in to follow this  
Followers 0

[TUT]How to Brute force with Brutus.

123 posts in this topic

Posted · Report post

Hey fkn0wned,

[hide]

In the following tutorial i will show you how to Brute Force a website which contains normal HTTP Login Form. That means it has an entry for a username and a password. We will do so by using a program called Brutus. In order to do so, you must find a website that 1) Contains only Username and Password fields, and 2) Allows unlimited attempts at guessing a specific password. In order to test if the website allows this, try multiple incorrect passwords for a random username and see what response you get after x amount of attempts. If you get no redirect page and you are not limited in the number of login attempt, chances are the website is vulnerable to Brute Forcing.

*Some credit should be given to littleX on his original tutorial on Brutus Press Here for his Post but it wasn't very thorough or easily comprehended so i created this to be completely noob friendly.

Before we get started you might be wondering what Brute Forcing is; it is simply testing a list of passwords to a list of usernames and hopefully you will have matched a username and password combination that is correct. There are many disadvantages in using this method to hack, such as time (you need to test thousands if not millions of combination) and most websites now have features that limit the number of incorrect guesses at one's password, or make a human verification field mandatory when logging in. Let's get started.

What You Will Need:

1) Download Brutus: http://www.hoobie.net/brutus/

2) Download Password List: http://area51archives.com/index.php?titl...sword_List

3) You will need a proxy or VPN that changes your IP address for all programs, not just your web browser. I would suggest using CyberGhost VPN or Hot Spot Shield. They are pretty easy to use and are well documented so if you need help using them, please search or go to their websites.

4) [Optional] A list of usernames, but if you are trying to get a specific users password, you can simply create your own text file with the username written within it. This will help reduce the amount of time needed for the program to run (because you only have one user)

Getting Started:

An example of a simple form Login is one as follows (which i just created in HTML as a means to demonstrate such) I am not going to give any real websites just to avoid any conflict. Once you have found a website that looks similar to that, test it a few times to makes sure it doesn't limit how many times you type in an incorrect password. Once you have verified that it may be vulnerable to Brute Forcing, lets get started.

Posted Image

Step One: Start Brutus:

Posted Image

Leave the target field alone for the moment and where it says type choose HTTP (Form) You will see that below it a new option has appeared called "Modify Sequence." Press this.

Step Two: Specifying Your Target:

Find the URL that links directly to the login page of the website. For example: http://www.website.com/login; Insert that URL into the Target Field. After doing so press learn from settings. You will now see something similar to the following screen:

Posted Image

As you see, On the left hand side it states "Field Name" that gives options such as username and password. Select the Username under the Field Name list and press the button that says Username. Do the same with the password and hit password. This lets Brutus now where to input its list. Press accept and it will return you to your previous screen. If, when you were testing you got a message that says, "Incorrect login" or something similar, copy it and paste it under the HTML Response boxes. Press Okay when your complete. We need to do one more thing before we start.

Step Three: Setting the Word lists

The Next step is fairly simple. Go to the option that says "User File" and select the text file that contains the usernames you would like to Brute Force. The beside under "Pass File" specify your password list. Before you hit Start make sure all the optional variables are set to your satisfaction (the default are usually fine); start your proxy, make sure your IP address is masked than hit Start. Allow the program to run for as long as you want or until it has completed and hopefully you have gotten some passwords!

[/hide]

+rep NIGGAS

StrikkerPT, dgrock and mart1nez like this

Share this post


Link to post
Share on other sites

Posted · Report post

better be goodcan never get this to work

Share this post


Link to post
Share on other sites

Posted · Report post

thanks man :)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0