Author Topic: SMTP Brute Force / Dictionary Attack  (Read 4715 times)

650m
SMTP Brute Force / Dictionary Attack
« on: January 12, 2015, 06:09:31 pm »
Hi,

I have some issues with smtp brute forcing:

I tried to brute force my own gmail account with hydra (I'm using Kali Linux)

I have a little wordlist where I included the password of the account.

The problem is that hydra sometimes shows different positive password matches.

My syntax:

Code:
hydra -S -l account@gmail.com -P wordlist.txt -e ns -V -s 465 smtp.gmail.com smtp
As I said, the process works but sometimes I get false positives...

Can someone explain how to fix this or are there good alternatives for smtp brute forcing?
« Last Edit: January 12, 2015, 06:11:08 pm by 650m »

Syntax990
Re: SMTP Brute Force / Dictionary Attack
« Reply #1 on: January 12, 2015, 08:19:50 pm »
When you launch an attack on a Gmail account, Google take this as an attack on them.

This attack is effective against a small time SMTP network but not a huge enterprise network who get these kinds of attacks every day.

650m
Re: SMTP Brute Force / Dictionary Attack
« Reply #2 on: January 12, 2015, 11:58:24 pm »
So you want to say, that these false positives are forced by Google?

d4rkcat
Re: SMTP Brute Force / Dictionary Attack
« Reply #3 on: January 13, 2015, 12:30:03 am »
So you want to say, that these false positives are forced by Google?

Most likely.
It's a smart way of fucking with brute forcers.

madf0x
Re: SMTP Brute Force / Dictionary Attack
« Reply #4 on: January 13, 2015, 07:02:23 am »
And if it isn't, that's still a nifty idea. Not sure when the next time comes around that I'd have to restrict bruteforce attempts, but it's a neat idea to try.

As for OP, one of the better ways to do bruteforcing against some anti-bruteforce measures is to use a smaller wordlist, like 3 password attempts small, and then use a LARGE potential users list. Many anti-bruteforce measures these days don't limit against user attempts. Granted this is only useful if you need to target a bunch of low hanging fruit for secondary purposes or if you are targeting a large organization. Oh and be sure to check for some sort of password policy. Wasting an attempt on Password123 won't help if they need a symbol, then you'd use P@ssword123 ;P
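
Added example, not part of madf0x's post or of the thread: the gap described above (limits that count failures per account but not per source) seen from the defender's side, as detection logic over authentication failures. The log format, addresses, account names and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_log():
    """Constructed sample lines: 'ISO-timestamp source-ip account FAIL|OK'."""
    t0, lines = datetime(2015, 1, 13, 7, 0, 0), []
    for i in range(6):  # one source, six failures against a single account
        lines.append(f"{(t0 + timedelta(seconds=5 * i)).isoformat()} 203.0.113.9 bob FAIL")
    users = ["alice", "carol", "dave", "erin", "frank", "grace"]
    for rnd in range(2):  # one source, two failures per account across six accounts
        for j, user in enumerate(users):
            ts = t0 + timedelta(minutes=10 * rnd, seconds=20 * j)
            lines.append(f"{ts.isoformat()} 198.51.100.7 {user} FAIL")
    # a legitimate user who mistypes once and then logs in
    lines.append(f"{(t0 + timedelta(minutes=3)).isoformat()} 192.0.2.10 alice FAIL")
    lines.append(f"{(t0 + timedelta(minutes=3, seconds=10)).isoformat()} 192.0.2.10 alice OK")
    return lines

def peak(events, window, key):
    """Largest number of distinct key(event) values inside any sliding window."""
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({key(e) for e in events[start:end + 1]}))
    return best

def detect(lines, window=timedelta(minutes=30), per_account=5, distinct_users=5):
    """Return (accounts hit by repeated failures, sources failing across many accounts)."""
    by_user, by_ip = defaultdict(list), defaultdict(list)
    for seq, line in enumerate(sorted(lines)):  # ISO timestamps sort chronologically
        ts, ip, user, outcome = line.split()
        if outcome == "FAIL":
            event = (datetime.fromisoformat(ts), seq, ip, user)
            by_user[user].append(event)
            by_ip[ip].append(event)
    # Per-account counter: what a classic lockout policy looks at.
    hammered = {u for u, ev in by_user.items() if peak(ev, window, lambda e: e[1]) >= per_account}
    # Per-source counter: distinct accounts one address has failed against.
    spraying = {ip for ip, ev in by_ip.items() if peak(ev, window, lambda e: e[3]) >= distinct_users}
    return hammered, spraying

if __name__ == "__main__":
    hammered, spraying = detect(sample_log())
    print("accounts over the per-account limit:", sorted(hammered))
    print("sources over the distinct-account limit:", sorted(spraying))
```

On the constructed data the per-account counter only ever sees two or three failures for the sprayed accounts, so the second counter is the one that notices that source. The per-source counter in turn only helps while the attempts arrive from a single address.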

650m
Re: SMTP Brute Force / Dictionary Attack
« Reply #5 on: January 13, 2015, 08:23:52 am »
And if it isn't, that's still a nifty idea. Not sure when the next time comes around that I'd have to restrict bruteforce attempts, but it's a neat idea to try.

As for OP, one of the better ways to do bruteforcing against some anti-bruteforce measures is to use a smaller wordlist, like 3 password attempts small, and then use a LARGE potential users list. Many anti-bruteforce measures these days don't limit against user attempts. Granted this is only useful if you need to target a bunch of low hanging fruit for secondary purposes or if you are targeting a large organization. Oh and be sure to check for some sort of password policy. Wasting an attempt on Password123 won't help if they need a symbol, then you'd use P@ssword123 ;P
Well, if you're targeting one particular account, a 3 password list won't help at all :D

I think for a successful brute force attack it needs an exploit which allows a large number of password tries.

Another question: what do you guys think about brute forcing via VPN?
« Last Edit: January 13, 2015, 08:29:06 am by 650m »

d4rkcat
Re: SMTP Brute Force / Dictionary Attack
« Reply #6 on: January 13, 2015, 03:17:21 pm »
And if it isn't, that's still a nifty idea. Not sure when the next time comes around that I'd have to restrict bruteforce attempts, but it's a neat idea to try.

I'm pretty sure one of the Google devs saw this talk at DEF CON.
That's where I first heard of this idea, it's neat.

@OP Brute forcing is so boring, so 1995.
It doesn't matter if you use a VPN; it is still coming from one IP address. It is the exact same thing, apart from being harder to track back to you. I guess if you really have to you could use a huge list of proxies and cycle through them.
I would personally go for social engineering or spear phishing.

madf0x
Re: SMTP Brute Force / Dictionary Attack
« Reply #7 on: January 14, 2015, 03:42:29 am »
Well, if you're targeting one particular account, a 3 password list won't help at all :D

No shit lol that was literally my point. If you want to try to use an online bruteforce method, you'll have to broaden your horizons a little bit. The whole point is that instead of running the gambit against one joe in an organization, you'd go after everyone and use the lowest hanging fruits as a foot closer to your target. You silly.