Brute Force/Time outs ... HELP!!!

[ErichKartmann]

Hey there Mates,

greetings from Germany. I'm new here and in the business generally. I wanna introduce myself before asking for help.

Okay ... I'm not that completely new to IT stuff, but I'm from PLC programming which is completely different to the IT things here. I don't know about Protocols and stuff. I've read a book about the language "C", but never finished it. I've ended when it came to "diving Programms with functions in modules" so I know a bit about programming, but almost nothing about Networks and connections.

That being said well look here's the deal: I wanna get back my Email account and I've head of a tool called "Brutus AET2" which (that's the way I understood it) trys every combination of Letters and Numbers. It is "guessing" the password.


So when I was guessing the password, after about 5 times the website refused my login trys. So that's when I read about Brutus, but I've read a German threat on another website which had a user saying that he has had an account at the same provider (web.de) and he has tried it with Brutus, but brutus told him quote:

" Warning: Too many consecutive auth sequenze errors whilst receiving password prompt- Assuming user is invalid
Aborting attack due to invalid user/bad authentication sequenze!"

No one responded to the thread. I wanna get my mail account back. Could someone please come up with a solution?

Greetings

[Cool_Fire]

Hi and welcome.

So a few things that are relevant here;

The type of attack you're doing is usually called a "brute force" attack. There's a few variations like trying lists of common passwords, trying all combinations of letters/numbers, trying a small list of passwords on many different accounts and a few more variations and combinations of these, but they all boil down to doing a lot of automated login attempts to try and find valid credentials.

However, this is not a novel or unknown type of attack by any stretch of the imagination and pretty much any sensible website or online service these days has some protection against such attacks on their login system. This is most likely why after 5 attempts or so it failed for you. The login you're trying to brute force noticed a sudden burst of failed login attempts from you and blocked you.

Lastly, Brutus is not likely to work on many sites these days, even if they don't have any brute force protection. It was last updated in the early 2000's and is not compatible with a lot of the newer web technologies or even encryption standards used for https these days. If you want to try your hand at this sort of thing on a modern target, Hydra (also called thc-hydra) is pretty much the default go-to tool. There's a lot of other ones that may be better, faster, or more feature rich for certain types of targets but Hydra should give you pretty good coverage and pretty good performance across a wide range of targets.

Having said all that, chances of a successful attack on a major online service provider are still slim to none. Hydra does not solve your attacks being detected and you getting blocked, and it also doesn't stop them reporting you to your ISP and getting you disconnected or arrested (depending on where you live, local laws etc).

My suggestion would be to set up a very simple local web server with basic auth and try to attack that. It's fast, it's legal, you can see what's happening on both sides and you can configure a known good credential to sanity check and make sure your attack setup works.

As for the specific question of getting your account back; Try their password reset procedure or contact their support team.

[ErichKartmann]

Hey,

well there are a whole lotta things, which I don't understand. Would you explain that to me. I mean I don't know what to do at all. How to set a webserver on and stuff.

[Cool_Fire]

The easiest way would probably be to set up a Linux virtual machine in something like VirtualBox and install the web server in there. Or set up docker and run a container with a web server.