Online
Brute force on online services.
Unlike offline cracking, an online attack must take into consideration:
- Lockout threshold: how many attempts are possible before being blocked.
- Lockout duration: how long the block lasts.
- Lockout observation window: after how long the attempt counter resets.
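As an added example (not part of the original page), the following Python models these three parameters from the defender's side and replays constructed authentication events through them: it shows when an account locks, when the counter resets after the observation window, and why a spray that stays under the threshold needs a separate per-source detection. The policy values, the event format and the thresholds are assumptions.

```python
"""Model of an online lockout policy (threshold / duration / observation
window) plus a simple password-spray detector, replayed over constructed
auth events. Added example; the event format and policy values are assumed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int   # failed attempts allowed before the account is blocked
    duration: float  # seconds the block lasts
    window: float    # seconds after which old failures stop counting


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LockoutTracker:
    """Tracks per-account failure counts the way a lockout policy would."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts = defaultdict(AccountState)

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.accounts[user].locked_until

    def record(self, user: str, now: float, success: bool) -> bool:
        """Feed one login attempt; returns True if the account is (now) locked."""
        st = self.accounts[user]
        if self.is_locked(user, now):
            return True          # attempts during the lock are rejected, even correct ones
        if success:
            st.failures.clear()  # a valid login resets the counter
            return False
        # forget failures that fell outside the observation window
        st.failures = [t for t in st.failures if now - t < self.policy.window]
        st.failures.append(now)
        if len(st.failures) >= self.policy.threshold:
            st.locked_until = now + self.policy.duration
            st.failures.clear()
            return True
        return False


def detect_spray(events, window: float, min_users: int):
    """Flag source IPs that fail against >= min_users distinct accounts within
    `window` seconds: one try per user never reaches the per-account threshold,
    so the lockout policy alone will not surface it."""
    seen = defaultdict(list)  # ip -> [(timestamp, user)]
    flagged = set()
    for ts, ip, user, ok in sorted(events):
        if ok:
            continue
        seen[ip] = [(t, u) for t, u in seen[ip] if ts - t < window] + [(ts, user)]
        if len({u for _, u in seen[ip]}) >= min_users:
            flagged.add(ip)
    return flagged


# Constructed sample events: (timestamp in seconds, source ip, username, success)
SAMPLE_EVENTS = [
    (0,   "10.0.0.5", "alice", False),
    (10,  "10.0.0.5", "alice", False),
    (20,  "10.0.0.5", "alice", False),   # third failure -> locked under threshold=3
    (30,  "10.0.0.5", "alice", True),    # correct password, but the account is locked
    (0,   "10.0.0.9", "bob",   False),
    (5,   "10.0.0.9", "carol", False),
    (10,  "10.0.0.9", "dave",  False),   # one try each: no lockout, but a spray
    (700, "10.0.0.9", "bob",   False),   # outside the 600 s window: counter had reset
]


def replay(events, policy: LockoutPolicy):
    """Return the set of accounts that got locked during the replay."""
    tracker = LockoutTracker(policy)
    locked = set()
    for ts, _ip, user, ok in sorted(events):
        if tracker.record(user, ts, ok):
            locked.add(user)
    return locked


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, duration=900, window=600)
    print("locked accounts:", replay(SAMPLE_EVENTS, policy))
    print("spraying sources:", detect_spray(SAMPLE_EVENTS, window=600, min_users=3))
```

With threshold 3, duration 900 s and window 600 s the replay locks only alice; the source hitting bob, carol and dave once each never trips the policy and is only caught by the per-source distinct-user count.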
Usage:
  hydra -L <USERS.list> -P <PASS.list> [-s <PORT>] <IP> <SERVICE>
  hydra -L <USERS.list> -P <PASS.list> <SERVICE>://<IP>:<PORT>
Proxy: export HYDRA_PROXY_HTTP="http://127.0.0.1:8080/"
Useful options:
  -C <USER:PASS.list>   # file of colon-separated user:pass pairs, used instead of -L/-P
  -l <SINGLE_USER>
  -p <SINGLE_PASS>
  -U <SERVICE>          # show the usage/options of that service module
  -e nsr                # also try an empty password (n), the username as password (s) and the reversed username (r)
  -f                    # stop after the first successful login
  -u                    # loop over users first (every user for each password) instead of every password for each user
Website (http-post-form module; the argument is "<path>:<POST body>:<failure condition>")
http-post-form "/index.php:usr=^USER^&pas=^PASS^:Login failed. Invalid"   # failure = this string appears in the response
http-post-form "/index.php:usr=^USER^&pas=^PASS^:F=403"                     # failure = the response contains "403" (the status line)
http-post-form "/index.php:usr=^USER64^&pas=^PASS64^:F=403"                 # same, with username and password base64-encoded
Get the path (index.php), the parameter names (usr, pas) and the failure string ("Login failed. Invalid") by inspecting a real login request and its response.
To find valid usernames, look at how the application reacts differently on:
- The login form
- The registration form (when trying to reuse an existing email, variants such as dots s.t.u.d.e.n.t@gmail.com or a tag student+htb@gmail.com may get past the duplicate check)
- The password reset form
- Cookies (e.g. a cookie named "failed_login" that is set only when the username is valid)
- Response time (use a long password so the difference is easier to measure)
- Status codes
- Error messages
- Blocking of attempts that only triggers for an existing username
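The following Python is an added example (not from the original page) showing, from the application side, a login handler that leaks username validity through every channel in the list above (message, status code, cookie, timing, and a per-user lockout) beside a hardened one that answers identically for unknown users and wrong passwords and throttles per source regardless of whether the username exists. The user database, the salts and the limit are constructed.

```python
"""Vulnerable vs. hardened login handler with respect to username enumeration.
Added example, not from the original page; users, hashes and limits are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000


def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


# Constructed user database: username -> (salt, pbkdf2 hash)
_SALT = os.urandom(16)
USERS = {"student": (_SALT, hash_password("correct horse", _SALT))}

# A real-looking hash for users that do not exist, so that an unknown username
# costs the same hashing work as a known one (no response-time oracle).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder", _DUMMY_SALT)


def login_vulnerable(user: str, pw: str):
    """Returns (status, body, cookies). Every branch is a username oracle."""
    if user not in USERS:
        # returns before hashing: fast response, distinct text and status code
        return 404, "Unknown user", {}
    salt, stored = USERS[user]
    if hmac.compare_digest(hash_password(pw, salt), stored):
        return 200, "Welcome", {"session": "constructed-session-token"}
    # distinct message, distinct code, and a cookie that only valid users get
    return 403, "Login failed. Invalid password", {"failed_login": user}


def login_hardened(user: str, pw: str):
    """Same status, text and cookies for unknown user and wrong password, and
    the hash is always computed so timing is comparable too."""
    salt, stored = USERS.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(hash_password(pw, salt), stored) and user in USERS
    if ok:
        return 200, "Welcome", {"session": "constructed-session-token"}
    return 401, "Invalid username or password", {}


class SourceThrottle:
    """Counts failures per client address for every username, existing or not,
    so that blocking behaviour itself does not reveal which accounts exist."""

    def __init__(self, limit: int):
        self.limit, self.failed = limit, {}

    def allow(self, ip: str) -> bool:
        return self.failed.get(ip, 0) < self.limit

    def note(self, ip: str, success: bool) -> None:
        self.failed[ip] = 0 if success else self.failed.get(ip, 0) + 1


def handle(throttle: SourceThrottle, ip: str, user: str, pw: str):
    """Hardened handler behind a per-source throttle."""
    if not throttle.allow(ip):
        return 429, "Too many attempts", {}
    status, body, cookies = login_hardened(user, pw)
    throttle.note(ip, status == 200)
    return status, body, cookies


if __name__ == "__main__":
    print("vulnerable, unknown user :", login_vulnerable("nobody", "x"))
    print("vulnerable, wrong pass   :", login_vulnerable("student", "x"))
    print("hardened,   unknown user :", login_hardened("nobody", "x"))
    print("hardened,   wrong pass   :", login_hardened("student", "x"))
```

The `and user in USERS` check comes after the hash comparison on purpose: the dummy hash is only there to equalise work, and it must never let an unknown username log in if someone guesses the placeholder string.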
nxc [smb/winrm/mssql/ssh/ftp/rdp/wmi] <IP> -u <USERS.list> -p <PASS.list>
  --continue-on-success   # keep going after a valid login instead of stopping
  --no-bruteforce         # pair the files line by line (user1 => pass1, user2 => pass2) instead of trying every user with every password
Bypass Account Locking
- Search for headers that bypass IP blocking (ex. X-Forwarded-For).
- Try a correct login on your own account to reset the attempt counter (with a macro in Burp, set max 1 concurrent request).
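From the defender's side, the header trick above works when the per-IP counter is keyed on a client-supplied X-Forwarded-For value. As an added example (not from the original page), the Python below puts the weak resolver beside one that only honours the header when the TCP peer is one of the site's own proxies, and counts failed logins per resolved address over constructed requests; the addresses and the trusted-proxy list are assumptions.

```python
"""Source-address resolution for a per-IP lockout: a resolver that trusts
X-Forwarded-For from anyone beside one that only honours it from the site's
own proxies. Added example, not from the original page; addresses and the
trusted-proxy list are constructed."""
import ipaddress
from collections import Counter


def _valid_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def client_ip_naive(remote_addr: str, headers: dict) -> str:
    """Weak: takes the first X-Forwarded-For entry from any client, so each
    request can present a different address and per-IP counters never add up."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip_hardened(remote_addr: str, headers: dict, trusted_proxies: set) -> str:
    """Honour X-Forwarded-For only when the TCP peer is one of our proxies,
    then walk the chain from the right, past our own hops, to the first
    external address; the client-controlled leftmost entries are ignored."""
    if remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        if hop and hop not in trusted_proxies:
            return hop if _valid_ip(hop) else remote_addr
    return remote_addr


def failures_per_source(requests, resolver) -> Counter:
    """Count failed logins per resolved client address; `resolver` is one of
    the two functions above (bound to its proxy list where needed)."""
    return Counter(resolver(remote_addr, headers) for remote_addr, headers in requests)


# Constructed failed-login requests: (TCP peer address, request headers).
# One direct client sends five attempts, each claiming a different address.
SPOOFED = [("203.0.113.7", {"X-Forwarded-For": f"198.51.100.{i}"}) for i in range(5)]
# A genuine request relayed by our proxy 10.0.0.1: the proxy appended the
# real client (198.51.100.9) after whatever the client itself sent (1.1.1.1).
PROXIED = ("10.0.0.1", {"X-Forwarded-For": "1.1.1.1, 198.51.100.9"})
TRUSTED = {"10.0.0.1"}

if __name__ == "__main__":
    print("naive   :", failures_per_source(SPOOFED, client_ip_naive))
    print("hardened:", failures_per_source(SPOOFED, lambda r, h: client_ip_hardened(r, h, TRUSTED)))
    print("proxied :", client_ip_hardened(*PROXIED, TRUSTED))
```

With the naive resolver the five spoofed attempts land on five different counters and a threshold of five is never reached; the hardened resolver attributes all of them to the real peer 203.0.113.7 while still resolving a genuinely proxied request to 198.51.100.9.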