lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 12 Nov 2010 11:59:05 -0500 (EST)
From: Ryan Sears <rdsears@....edu>
To: nix@...roxylists.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: NiX - Linux Brute Forcer (the beast) has been
 released!]

Well that's not really a useful response. He asked a simple question (the first one that popped into my head as well). 

Basically it comes down to this: THC's Hydra already does all that stuff, and they've been doing it for years and years. How does your tool fit in with it? It sounds like you basically coded the exact same thing, and while frustrating - happens. 

Medusa:
Medusa is a speedy, massively parallel, modular, login brute-forcer for network services created by the geeks at Foofus.net. It currently has modules for the following services: CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare), PcAnywhere, POP3, PostgreSQL, rexec, rlogin, rsh, SMB, SMTP (VRFY), SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC, and a generic wrapper module.

THC-Hydra:
Currently this tool supports:
  TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC,
  RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS,
  ICQ, SAP/R3, LDAP2, LDAP3, Postgres, Teamspeak, Cisco auth, Cisco enable,
  AFP, LDAP2, Cisco AAA (incorporated in telnet module).

Comparison between the two (keep in mind hydra is currently at 5.8 and medusa is at v2):
http://www.foofus.net/~jmk/medusa/medusa-compare.html

These can crack any authentication protocol that I can really think of, and they're stable. People are probably not going to stop using what they know how to use, especially if it works and fills up the space the tool is required for nicely (as both of these currently do).  

How does your tool provide any advantage over this? Not to mention that password brute-forcing is rarely needed for anything even remotely constructive, if you want to make sure people's passwords are secure - enforce better password policies, because even aaaaaaa9! is still better than aaaa (or god, sex, love, and secret :-P). People are getting smarter with their passwords (for the most part) which is largely rendering password cracking pretty useless IMHO. There are normally much better and more efficient ways of gaining access to a machine than brute force anyway, it's noisy and probably going to be noticed. Even breaking basic passwords over the internet takes forever, because a lot smarter people then myself have coded the crypto in most cases to be quite strong. 

Just my 2 cents => take it or leave it.

Ryan

----- Original Message -----
From: nix@...roxylists.com
To: full-disclosure@...ts.grok.org.uk
Sent: Friday, November 12, 2010 12:23:18 AM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] NiX - Linux Brute Forcer (the beast) has been released!]

---------------------------- Original Message ----------------------------
Subject: Re: [Full-disclosure] NiX - Linux Brute Forcer (the beast) has
been released!
From:    "Abuse 007" <abuse007@...il.com>
Date:    Fri, November 12, 2010 3:22 am
To:      nix@...roxylists.com
--------------------------------------------------------------------------

>> Why would we use this tool over say Hydra or Medusa?

I have just compiled Hydra first time (donĀ“t know about Medusa, please
link me). Obviously you did not read nor understood features it offers
over any other similar tool.

Please read again features listed at my site and you get the answer to
your question.

On Fri, Nov 12, 2010 at 11:16 AM,  <nix@...roxylists.com> wrote:
> NiX Brute Forcer is a parallel login brute-forcer. This tool is intended
> to demonstrate the importance of choosing strong passwords. The goal of
> NiX is to support a variety of services that allow remote authentication
> such as: HTTP(S) BASIC/FORM, MySQL, SSH, FTP. It is based on NiX Proxy
> Checker.
>
> If anyone is interested in beta testing new releases before the public
> release, please sent me an email.
>
> Current features:
>
> - Basic Authorization & FORM support
> - HTTP/SOCKS 4 and 5 proxy support
> - FORM auto-detection & Manual FORM input configuration.
> - It is multi-threaded
> - Auto-removal of dead or unreliable proxy and when site protection
> mechanism blocks the proxy
> - Integrated proxy randomization to defeat certain protection mechanisms
> - With Success and Failure Keys results are 99% accurate
> - Wordlist shuffling via macros
> - Advanced coding and timeout settings makes it outperform any other brute
> forcer
>
> TODO:
>
> MySQL, SSH, FTP and IMAP support. You suggest more?
>
>
> Download and installation: http://myproxylists.com/nix-brute-force
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ