should I use/ how to use Brutus to hack websites?

A safe place for newbies. You won't get flamed here, as long as you've put in some effort before posting (i.e: Google)...

should I use/ how to use Brutus to hack websites?

Postby JojoGamesDev » Fri Jun 17, 2016 3:19 pm

Hi, I have installed Brutus a while ago and am now trying to hack into my own website. I added my username and passwort to the "words" and "users" documents, but Brutus interrupts the process if he finds the username, for example

my username: (fake) userofthissite

Brutus stops at, for example:

userofthissite - ansfrgdvhiqwrrg45fsg
userofthissite - userofthissite
userofthissite - password1234

I did put my password in the words.txt.
(I want to hack the website itself, not a register/login form on the website)
JojoGamesDev
n00b
 
Posts: 6
Joined: Fri Jun 17, 2016 2:48 pm
Website: http://www.jojogames.de/
Location: Germany

Re: should I use/ how to use Brutus to hack websites?

Postby Cool_Fire » Sun Jun 19, 2016 1:47 pm

Let's start with a little background info;
The responses you set in brutus determine if it considers a login successful or not. Usually you only need to set the negative response. (Sometimes this is the only response you'll know.) What brutus does is just check if that text fragment you set as the response appears in the page.

So my guess as to what is happening here is that the website returns a different response when you enter an invalid username & password vs. when you enter a VALID username but invalid password. (Which is really bad practice, but that's besides the point here.) Anyway, my guess is when the response is different for a valid username, the text fragment you're looking for in the invalid response isn't on the page anymore, thus brutus considers it a valid login and halts the brute force process.

Side note:
Brutus is a piece of shit and hasn't been updated in 15 years. Back when it was new it wasn't that great either, but now it just doesn't work anymore at all in a lot of cases. I'm constantly amazed people are still using it.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.
User avatar
Cool_Fire
Not a sandwich
 
Posts: 1880
Joined: Fri May 09, 2003 1:20 pm
ICQ: 336613081
Website: https://www.insomnia247.nl/
Yahoo Messenger: cool_fire_666
AOL: EvilCoolFire
Location: 41 6d 73 74 65 72 64 61 6d

Re: should I use/ how to use Brutus to hack websites?

Postby JojoGamesDev » Thu Jul 14, 2016 5:52 pm

I read about Brutus being shit before, are there any tools like Brutus that you would suggest to use instead?
JojoGamesDev
n00b
 
Posts: 6
Joined: Fri Jun 17, 2016 2:48 pm
Website: http://www.jojogames.de/
Location: Germany

Re: should I use/ how to use Brutus to hack websites?

Postby Cool_Fire » Fri Jul 15, 2016 12:19 am

thc-hydra is at least still being maintained. However, if my suspicions about why Brutus was giving bad results is correct, chances are hydra won't do much better under the same circumstances since it detects successful logins in a very similar way.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.
User avatar
Cool_Fire
Not a sandwich
 
Posts: 1880
Joined: Fri May 09, 2003 1:20 pm
ICQ: 336613081
Website: https://www.insomnia247.nl/
Yahoo Messenger: cool_fire_666
AOL: EvilCoolFire
Location: 41 6d 73 74 65 72 64 61 6d

Re: should I use/ how to use Brutus to hack websites?

Postby JojoGamesDev » Sun Jul 17, 2016 4:45 am

So there are no "very easy" solutions to hack websites themselfes?
Are there other, more efficient ways to do so, like using code?
JojoGamesDev
n00b
 
Posts: 6
Joined: Fri Jun 17, 2016 2:48 pm
Website: http://www.jojogames.de/
Location: Germany

Re: should I use/ how to use Brutus to hack websites?

Postby Cool_Fire » Tue Jul 19, 2016 7:16 am

If it's very easy it's been automated and gets done on a global scale by botnets.
So the short answer is; usually not.

The long answer is (as always); it depends. There's definitely other things you can attack besides the login form. You can attack other parts of the website, you can attack the software that hosts the website or other software that runs on the same machine. In case of a VM you can try to attack the hypervisor, or try to leak info from another vm on the same hardware node. You can try network based attacks to get in between the server and an already authenticated/privileged user and lots and lots more. The types of attacks you can try are mostly limited by how much time you have, and in some cases what kind of access/entry points you have.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.
User avatar
Cool_Fire
Not a sandwich
 
Posts: 1880
Joined: Fri May 09, 2003 1:20 pm
ICQ: 336613081
Website: https://www.insomnia247.nl/
Yahoo Messenger: cool_fire_666
AOL: EvilCoolFire
Location: 41 6d 73 74 65 72 64 61 6d


Return to ā€œ%sā€ Newbie Corner

Who is online

Users browsing this forum: No registered users and 1 guest

cron