should I use/ how to use Brutus to hack websites?

A safe place for newbies. You won't get flamed here, as long as you've put in some effort before posting (i.e: Google)...
Post Reply
JojoGamesDev
n00b
Posts: 6
Joined: Fri Jun 17, 2016 2:48 pm
Location: Germany
Contact:

should I use/ how to use Brutus to hack websites?

Post by JojoGamesDev » Fri Jun 17, 2016 3:19 pm

Hi, I have installed Brutus a while ago and am now trying to hack into my own website. I added my username and passwort to the "words" and "users" documents, but Brutus interrupts the process if he finds the username, for example

my username: (fake) userofthissite

Brutus stops at, for example:

userofthissite - ansfrgdvhiqwrrg45fsg
userofthissite - userofthissite
userofthissite - password1234

I did put my password in the words.txt.
(I want to hack the website itself, not a register/login form on the website)

User avatar
Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d
Contact:

Re: should I use/ how to use Brutus to hack websites?

Post by Cool_Fire » Sun Jun 19, 2016 1:47 pm

Let's start with a little background info;
The responses you set in brutus determine if it considers a login successful or not. Usually you only need to set the negative response. (Sometimes this is the only response you'll know.) What brutus does is just check if that text fragment you set as the response appears in the page.

So my guess as to what is happening here is that the website returns a different response when you enter an invalid username & password vs. when you enter a VALID username but invalid password. (Which is really bad practice, but that's besides the point here.) Anyway, my guess is when the response is different for a valid username, the text fragment you're looking for in the invalid response isn't on the page anymore, thus brutus considers it a valid login and halts the brute force process.

Side note:
Brutus is a piece of shit and hasn't been updated in 15 years. Back when it was new it wasn't that great either, but now it just doesn't work anymore at all in a lot of cases. I'm constantly amazed people are still using it.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.

JojoGamesDev
n00b
Posts: 6
Joined: Fri Jun 17, 2016 2:48 pm
Location: Germany
Contact:

Re: should I use/ how to use Brutus to hack websites?

Post by JojoGamesDev » Thu Jul 14, 2016 5:52 pm

I read about Brutus being shit before, are there any tools like Brutus that you would suggest to use instead?

User avatar
Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d
Contact:

Re: should I use/ how to use Brutus to hack websites?

Post by Cool_Fire » Fri Jul 15, 2016 12:19 am

thc-hydra is at least still being maintained. However, if my suspicions about why Brutus was giving bad results is correct, chances are hydra won't do much better under the same circumstances since it detects successful logins in a very similar way.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.

JojoGamesDev
n00b
Posts: 6
Joined: Fri Jun 17, 2016 2:48 pm
Location: Germany
Contact:

Re: should I use/ how to use Brutus to hack websites?

Post by JojoGamesDev » Sun Jul 17, 2016 4:45 am

So there are no "very easy" solutions to hack websites themselfes?
Are there other, more efficient ways to do so, like using code?

User avatar
Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d
Contact:

Re: should I use/ how to use Brutus to hack websites?

Post by Cool_Fire » Tue Jul 19, 2016 7:16 am

If it's very easy it's been automated and gets done on a global scale by botnets.
So the short answer is; usually not.

The long answer is (as always); it depends. There's definitely other things you can attack besides the login form. You can attack other parts of the website, you can attack the software that hosts the website or other software that runs on the same machine. In case of a VM you can try to attack the hypervisor, or try to leak info from another vm on the same hardware node. You can try network based attacks to get in between the server and an already authenticated/privileged user and lots and lots more. The types of attacks you can try are mostly limited by how much time you have, and in some cases what kind of access/entry points you have.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.

Post Reply