Author Topic: Brute-forcing with Multi network  (Read 4327 times)

0 Members and 4 Guests are viewing this topic.

Offline arci

  • /dev/null
  • *
  • Posts: 9
  • Cookies: 0
    • View Profile
Brute-forcing with Multi network
« on: December 04, 2012, 01:44:48 pm »
Hello everyone, this is a nice community to share ideas and knowledge. So, here is my first topic;

FTP/MySQL password guesing from multi-network is a good idea or it will become DDoS rather than password guesing?

Just think about 20 different network/pc and all have internet access and I have access to them (or they are willing to try this). Simple python script will fine with multi-threaded ftp/MySQL connection.

Most ftp servers have a limit for currently connected client but mysql don't. One network can make 20 request per second/2 seconds (based on connection) and that will be equal to 400 request per second.

Is it a good idea or just a "garbage".
« Last Edit: December 04, 2012, 01:46:20 pm by arci »

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: Brute-forcing with Multi network
« Reply #1 on: December 05, 2012, 07:55:43 am »
Brute force are most of the time useless. However, I guess you can get lucky. Brute force is not much used for targeted attacks anymore, but on a large scale you might get one or two correct every now and then.

When it comes to DoS and brute force, it happens. A lot. But a regular MySQL/web server should be able to handle a simple brute force.

Not quite sure what you mean by multi network. If you mean using multiple computers/adapters, itll most likely end in DoS.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline relax

  • Sir
  • ***
  • Posts: 562
  • Cookies: 114
  • The one and only
    • View Profile
Re: Brute-forcing with Multi network
« Reply #2 on: December 05, 2012, 08:11:19 am »

welcome to the forum, consider making an introduction in the introduction section


NOW to your post

there is an vulnerability is some older mysql servers.

Quote
This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -128 to 127 (signed character). On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that ANY password would be accepted for authentication.

In short, if you try to authenticate to a MySQL server affected by this flaw, there is a chance it will accept your password even if the wrong one was supplied. The following one-liner in bash will provide access to an affected MySQL server as the root user account, without actually knowing the password.


More info Here
« Last Edit: December 05, 2012, 08:12:39 am by relax »

Offline arci

  • /dev/null
  • *
  • Posts: 9
  • Cookies: 0
    • View Profile
Re: Brute-forcing with Multi network
« Reply #3 on: December 08, 2012, 03:11:48 pm »
Actually I am trying to design cracking network that runs on volunteers computer. For now I am preparing for md5 and aircrack only.

For example, 20 people are willing to join this network to crack one wifi network. Client script (written in python) will fetch the cap file and wordlist range from server (written in python) then every computer will try to crack from their wordlist range. that's all.

1. pc; 00000000 - 09999999
2. pc; 10000000 - 19999999 ... and so

Are hackers using something like this on zombie computers? If not, they should. Because you can easily crack the hardest password with hundreds of zombie pces.

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: Brute-forcing with Multi network
« Reply #4 on: December 10, 2012, 04:53:53 pm »
Actually I am trying to design cracking network that runs on volunteers computer. For now I am preparing for md5 and aircrack only.

For example, 20 people are willing to join this network to crack one wifi network. Client script (written in python) will fetch the cap file and wordlist range from server (written in python) then every computer will try to crack from their wordlist range. that's all.

1. pc; 00000000 - 09999999
2. pc; 10000000 - 19999999 ... and so

Are hackers using something like this on zombie computers? If not, they should. Because you can easily crack the hardest password with hundreds of zombie pces.

Distributed cracking has been done on massive scales before by botnets and alike. But this certainly wont work with online systems. With hashes and encryptions, sure.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true