EvilZone
Hacking and Security => Hacking and Security => : 650m January 12, 2015, 06:09:31 PM
-
Hi,
I have some issues with SMTP brute forcing:
I tried to brute force my own Gmail account with hydra (I'm using Kali Linux).
I have a little wordlist where I included the password of the account.
The problem is that hydra sometimes shows different positive password matches.
My syntax:
hydra -S -l account@gmail.com -P wordlist.txt -e ns -V -s 465 smtp.gmail.com smtp
As I said, the process works but sometimes I get false positives...
Can someone explain how to fix this or are there good alternatives for smtp brute forcing?
-
When you launch an attack on a Gmail account, Google takes this as an attack on them.
This attack is effective against a small-time SMTP network but not a huge enterprise network that gets these kinds of attacks every day.
-
So you want to say, that these false positives are forced by Google?
-
So you want to say, that these false positives are forced by Google?
Most likely.
It's a smart way of fucking with brute forcers.
-
And if it isn't, that's still a nifty idea. Not sure when the next time comes around that I'd have to restrict bruteforce attempts, but it's a neat idea to try.
As for OP, one of the better ways to do bruteforcing against some anti-bruteforce measures is to use a smaller wordlist, like 3 password attempts small, and then use a LARGE potential users list. Many anti-bruteforce measures these days don't limit against user attempts. Granted, this is only useful if you need to target a bunch of low hanging fruit for secondary purposes or if you are targeting a large organization. Oh, and be sure to check for some sort of password policy. Wasting an attempt on Password123 won't help if they need a symbol; then you'd use P@ssword123 ;P
-
And if it isn't, that's still a nifty idea. Not sure when the next time comes around that I'd have to restrict bruteforce attempts, but it's a neat idea to try.
As for OP, one of the better ways to do bruteforcing against some anti-bruteforce measures is to use a smaller wordlist, like 3 password attempts small, and then use a LARGE potential users list. Many anti-bruteforce measures these days don't limit against user attempts. Granted, this is only useful if you need to target a bunch of low hanging fruit for secondary purposes or if you are targeting a large organization. Oh, and be sure to check for some sort of password policy. Wasting an attempt on Password123 won't help if they need a symbol; then you'd use P@ssword123 ;P
Well, if you're targeting one particular account, a 3 password list won't help at all :D
I think for a successful brute force attack it needs an exploit which allows a large number of password tries.
Another question: what do you guys think about brute forcing via VPN?
-
And if it isn't, that's still a nifty idea. Not sure when the next time comes around that I'd have to restrict bruteforce attempts, but it's a neat idea to try.
I'm pretty sure one of the Google devs saw this talk at Defcon. (https://www.youtube.com/watch?v=I3pNLB3Cq24)
That's where I first heard of this idea, it's neat.
@OP Brute forcing is so boring, so 1995.
It doesn't matter if you use a VPN; it is still coming from one IP address. It is the exact same thing, apart from being harder to track back to you. I guess if you really have to, you could use a huge list of proxies and cycle through them.
I would personally go for social engineering or spear phishing.
-
Well, if you're targeting one particular account, a 3 password list won't help at all :D
No shit lol, that was literally my point. If you want to try to use an online bruteforce method, you'll have to broaden your horizons a little bit. The whole point is that instead of running the gambit against one joe in an organization, you'd go after everyone and use the lowest hanging fruits as a foot closer to your target. You silly.
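-
Added example, not part of the thread and not written by any of its posters: a defender-side check for the pattern raised in the replies above, where a few passwords are tried against many accounts and per-account lockout counters never trip. The log format, function names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed log, one event per line: '<ISO time> <source IP> <user> <FAIL|OK>'."""
    t0, lines = datetime(2015, 1, 12, 18, 0, 0), []
    def add(offset_s, ip, user, result="FAIL"):
        lines.append(f"{(t0 + timedelta(seconds=offset_s)).isoformat()} {ip} {user} {result}")
    # Two passwords tried against each of six accounts from one source
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"] * 2):
        add(20 * i, "203.0.113.7", user)
    # Twelve guesses against a single account from another source
    for i in range(12):
        add(5 * i, "198.51.100.9", "alice")
    # A legitimate user mistyping twice, then logging in
    for off, res in [(30, "FAIL"), (40, "FAIL"), (50, "OK")]:
        add(off, "192.0.2.4", "bob", res)
    return "\n".join(lines)

def classify_sources(log, window=timedelta(minutes=10), min_users=5,
                     max_per_user=3, single_account_limit=10):
    """Return {source_ip: [labels]} for sources whose failed logins inside any
    sliding window look like spraying (many accounts, few tries each) or
    single-account guessing. Thresholds are illustrative assumptions."""
    failures = defaultdict(list)
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        if result == "FAIL":
            failures[ip].append((datetime.fromisoformat(ts), user))
    verdicts = {}
    for ip, events in failures.items():
        events.sort()
        labels, start = set(), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            worst = max(per_user.values())
            if len(per_user) >= min_users and worst <= max_per_user:
                labels.add("spray")
            if worst >= single_account_limit:
                labels.add("single-account")
        if labels:
            verdicts[ip] = sorted(labels)
    return verdicts
```

Counting failures per source across accounts, rather than only per account, is what lets the first source stand out even though no single user sees more than two failed logins.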