Brute-force


shesellsseaSHELLS

Hi guys, just very curious as to how, or if, there are any tools in the BackTrack distros that allow brute-forcing dictionary attacks on HTTPS forms.

I'm curious as to how Linux would handle the "Human Vericode Verification" after a certain number of failed passwords.

If there are any scripts/tools that allow some way for this technique to be achieved, please do explain.

I guess what made me think of this is a recent story about some of Hollywood's e-mails being cracked with brute-forcing the email passwords.

Is this attack possible, for example, on Ymail or Gmail or any other generic email providers, even when they prompt for a veri-code authentication after a certain amount of wrong passwords?


You can use Burp to do form based auth brute forcing, not sure if it comes with BT but it is just a jar file so easy to add.

And CAPTCHA is possible to bypass with success levels being based on the type used. There was a really good paper on it published recently which shows success rates of automating the process.

A lot of groups who do want to bypass it simply outsource reading them to India where labour is cheap enough to have actual humans read them.


You can use Burp to do form based auth brute forcing, not sure if it comes with BT but it is just a jar file so easy to add.

And CAPTCHA is possible to bypass with success levels being based on the type used. There was a really good paper on it published recently which shows success rates of automating the process.

A lot of groups who do want to bypass it simply outsource reading them to India where labour is cheap enough to have actual humans read them.

I just tried searching for the Bypassing Captcha Paper and found nothing on it but a bunch of info I don't want/already know. Could you provide more info, who did it, etc.? Thank you.


I read it a few weeks ago so it is gone from my list. I'll ask on Twitter tomorrow to see if anyone has a link to it.

I believe this is the link you are looking for: http://www.imperva.com/docs/HII_a_CAPTCHA_in_the_Rye.pdf

If it was not, this is a good article on the subject anyway ;-)

Edited by ihackforfun

No, it doesn't. I got into an argument with a "studio worker" [person who sits in chat rooms to redirect to webcam site (she's the one who referred to herself as a "studio worker")] in a chat room on Captcha; she stated how easy it was to get around and insisted everyone posting ads in the chat room was a bot. Due to the chat room having captcha for every room, the likelihood of 25+% of them being strictly bot automation I found highly unlikely. And I was just trying to look for further proof to show how hard it was that most of them were complete Bot Automation without a human first inputting the Captcha to allow entrance for their bot program to run. This was inside a Chat Client, btw.

I've noticed no one added info for OP. SHELLS, back when I was cracking accounts for Yahoo, bypassing captcha after getting too many failed attempts was made possible by using a Proxy Cracker. How it worked was you would scan, say, Yahoo for ex., for their login servers. After gathering, say, 100+, you could then plug them into the proxy cracker; also, it would have a place to put known good proxies in, and it would attempt to crack the account with the word list, cycling through and changing the Server and Proxy each time, thus never getting to the Captcha.

Edited by 12600
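Seen from the defending side, the server-and-proxy rotation described in the post above only works when the failed-attempt counter is keyed on the client address or kept separately by each login server. The following is an added example, not code from the thread: it replays a constructed burst of failed logins against two counter keys, and the class, function and field names, the window and the threshold are all assumptions.

```python
from collections import defaultdict, deque

WINDOW = 300     # seconds a failure stays counted (assumed policy value)
THRESHOLD = 5    # failures inside WINDOW before a CAPTCHA is demanded (assumed)

class FailureThrottle:
    """Sliding-window failure counter; one instance must back every login front end."""

    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window, self.threshold = window, threshold
        self.failures = defaultdict(deque)

    def _recent(self, key, now):
        q = self.failures[key]
        while q and q[0] <= now - self.window:
            q.popleft()              # forget failures older than the window
        return q

    def record_failure(self, key, now):
        self._recent(key, now).append(now)

    def captcha_required(self, key, now):
        return len(self._recent(key, now)) >= self.threshold

def by_source(ev):
    # Weak key: counts per (front end, client address) pair.
    return (ev["frontend"], ev["src"])

def by_account(ev):
    # Strong key: counts per targeted account, whatever the source.
    return ev["account"].strip().lower()

def first_challenge(events, key_fn):
    """Index of the first attempt that meets a CAPTCHA, or None if none does."""
    throttle = FailureThrottle()
    for i, ev in enumerate(events):
        key = key_fn(ev)
        if throttle.captcha_required(key, ev["t"]):
            return i
        throttle.record_failure(key, ev["t"])
    return None

# Constructed sample: 40 failed logins for one account, two seconds apart,
# each from a different address (documentation range) and front end.
EVENTS = [{"t": 2 * i, "account": "Alice", "src": f"198.51.100.{i + 1}",
           "frontend": f"login{i % 8}"} for i in range(40)]

if __name__ == "__main__":
    print("keyed by source :", first_challenge(EVENTS, by_source))
    print("keyed by account:", first_challenge(EVENTS, by_account))
```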

If you would like to chat on Skype, 12600, about Yahoo cracking... I am familiar. Fact is, Yahoo Chat has tons of bots. Brute force is more and more difficult nowadays. I started programming programs (crackers, mass bot logins, etc.) on Yahoo in 1999. If you'd like to chat about it to tell your "studio worker" how things really worked, let me know.


It all depends on how the captcha is implemented. I've seen them where the solution is included in a hidden field which makes it completely useless. I've also seen ones where you can replay a known solution by replaying the ID.


It all depends on how the captcha is implemented. I've seen them where the solution is included in a hidden field which makes it completely useless. I've also seen ones where you can replay a known solution by replaying the ID.

Yeah, I've not really gotten into bypassing captcha, but I have seen where you get a correct pair and pass the ID with the phrase. That was a long time ago though.

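The two implementation flaws mentioned in the last posts (the solution shipped in a hidden field, and a solved ID/phrase pair accepted again) both come down to where the answer is stored and how often a challenge can be checked. As an added example, not code from the thread: a server-side store in which the form carries only an opaque ID and each challenge is consumed on its first check. `CaptchaStore`, its methods and the sample answers are hypothetical, and image generation is assumed to happen elsewhere.

```python
import hmac
import secrets
import time

class CaptchaStore:
    """Keeps answers on the server; the form only ever carries the opaque ID."""

    def __init__(self, ttl=120, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self._pending = {}           # challenge_id -> (answer, expires_at)

    def issue(self, answer):
        # Random ID: reveals nothing about the answer and cannot be guessed.
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (answer.casefold(), self.clock() + self.ttl)
        return cid

    def verify(self, cid, response):
        # pop() consumes the challenge on the first check, right or wrong,
        # so a solved ID/answer pair cannot be submitted a second time.
        entry = self._pending.pop(cid, None)
        if entry is None:
            return False
        answer, expires_at = entry
        if self.clock() > expires_at:
            return False
        return hmac.compare_digest(answer.encode(), response.casefold().encode())

def demo():
    """Run the cases from the thread against the store (constructed values)."""
    now = [0.0]
    store = CaptchaStore(ttl=120, clock=lambda: now[0])
    cid = store.issue("x7Kq2")
    first = store.verify(cid, "x7kq2")     # correct answer, first use
    replayed = store.verify(cid, "x7kq2")  # same ID and answer again
    cid2 = store.issue("m4Pd9")
    wrong = store.verify(cid2, "guess")    # a wrong guess burns the challenge
    retry = store.verify(cid2, "m4Pd9")
    cid3 = store.issue("abcde")
    now[0] = 121.0                         # past the 120 s lifetime
    expired = store.verify(cid3, "abcde")
    return first, replayed, wrong, retry, expired

if __name__ == "__main__":
    print(demo())
```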
