Note: Brutus is simple,but kind of sucks. I would use Hydra,but as it is a command line program its harder to use.
How to Brute Force a website which contains normal HTTP Login Form.
That means it has an entry for a username and a password. We will do so by using a program called Brutus. In order to do so, you must find a website that 1) Contains only Username and Password fields, and 2) Allows unlimited attempts at guessing a specific password. In order to test if the website allows this, try multiple incorrect passwords for a random username and see what response you get after x amount of attempts. If you get no redirect page and you are not limited in the number of login attempt, chances are the website is vulnerable to Brute Forcing.
An introduction to BruteForce:
Put simply,making a program test a list of passwords to a list of usernames and hopefully you will have matched a username and password combination that is correct. There are many disadvantages in using this method to hack, such as time (you need to test thousands if not millions of combination) and most websites now have features that limit the number of incorrect guesses at one’s password, or make a human verification field mandatory when logging in.
What You Will Need:
1) Download Brutus: http://www.hoobie.net/brutus/
2) Download Password List: http://area51archives.com/index.php?title=Ultimate_Password_List
3) You will need a proxy or VPN that changes your IP address for all programs, not just your web browser. I would suggest using CyberGhost VPN or Hot Spot Shield. They are pretty easy to use and are well documented so if you need help using them, please search or go to their websites. Also you can check my post on Staying Anonymous Online.
Step One: Start Brutus:
Leave the target field alone for the moment and where it says type choose HTTP (Form) You will see that below it a new option has appeared called “Modify Sequence.” Press this.
Step Two: Specifying Your Target:
Find the URL that links directly to the login page of the website. For example: http://www.website.com/login; Insert that URL into the Target Field.
On the left hand side it states “Field Name” that gives options such as username and password. Select the Username under the Field Name list and press the button that says Username. Do the same with the password and hit password. This lets Brutus now where to input its list. Press accept and it will return you to your previous screen. If, when you were testing you got a message that says, “Incorrect login” or something similar, copy it and paste it under the HTML Response boxes. Press Okay when your complete.
Step Three: Setting the Word lists
The Next step is fairly simple. Go to the option that says “User File” and select the text file that contains the usernames you would like to Brute Force. The beside under “Pass File” specify your password list. Before you hit Start make sure all the optional variables are set to your satisfaction (the default are usually fine); start your proxy, make sure your IP address is masked than hit Start. Allow the program to run for as long as you want or until it has completed and hopefully you have gotten some passwords!
No comments:
Post a Comment