[Question] Duckey Account Brute Forcer?

[overwraith]

Does anyone know if anyone has made a duckey login brute forcer?

Any tips if I wanted to make my own?

I would probably use a java app to generate the duckscript based on a dictionary file.

If I had multiple ducks and multiple computers, say an un-gaurded computer lab, I could probably get in faster.

[overwraith]

I have looked around for brute forcer code, and discovered that the number of combinations required for even 4 character passwords make it impractical to impliment a duckey brute forcer. The only way to possably make this feasible would be to use something like CUPP the common user password profiler to generate a small password file, and then use a modified version of my duckscript converter or someone elses duckscript converter to turn the file to duckscript. Even then it still might prove impractical. Probably best to keep the duck running command line exploits and payloads ect.

[AshiOni]

In the example given you're probably better off finding a way to boot a clone drive of whatever flavor you want and then try the attack away from the target area.

But really if you have the ability to boot a thumbdrive or disk in the first place you're probably better off just grabbing the SAM file and not the entire disk. Grabbing the entire disk is only handy if you believe there are parts of that disk you need to have access to that you wouldn't otherwise be able to read when mounted to a linux box.

As for the duck, maybe just have it try the most common passwords? or possibly just have it wait extremely long periods of time before trying to collect the SAM file (assumes windows) then rinse repeat. This assumes you're willing to play the high ricks odds of getting caught... (not the best solution)

[overwraith]

You got a good point about just grabbing the SAM file instead of preforming a Brute force on site. I'm not really a pen tester or hacker, so I'm just starting to learn the ropes. Thanks for the reply.