Brute-forcing with Multi network

[arci]

Hello everyone, this is a nice community to share ideas and knowledge. So, here is my first topic;

FTP/MySQL password guesing from multi-network is a good idea or it will become DDoS rather than password guesing?

Just think about 20 different network/pc and all have internet access and I have access to them (or they are willing to try this). Simple python script will fine with multi-threaded ftp/MySQL connection.

Most ftp servers have a limit for currently connected client but mysql don't. One network can make 20 request per second/2 seconds (based on connection) and that will be equal to 400 request per second.

Is it a good idea or just a "garbage".

[ande]

Brute force are most of the time useless. However, I guess you can get lucky. Brute force is not much used for targeted attacks anymore, but on a large scale you might get one or two correct every now and then.

When it comes to DoS and brute force, it happens. A lot. But a regular MySQL/web server should be able to handle a simple brute force.

Not quite sure what you mean by multi network. If you mean using multiple computers/adapters, itll most likely end in DoS.

[relax]

welcome to the forum, consider making an introduction in the introduction section


NOW to your post

there is an vulnerability is some older mysql servers.

This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -128 to 127 (signed character). On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that ANY password would be accepted for authentication.

In short, if you try to authenticate to a MySQL server affected by this flaw, there is a chance it will accept your password even if the wrong one was supplied. The following one-liner in bash will provide access to an affected MySQL server as the root user account, without actually knowing the password.

More info Here

[arci]

Actually I am trying to design cracking network that runs on volunteers computer. For now I am preparing for md5 and aircrack only.

For example, 20 people are willing to join this network to crack one wifi network. Client script (written in python) will fetch the cap file and wordlist range from server (written in python) then every computer will try to crack from their wordlist range. that's all.

1. pc; 00000000 - 09999999
2. pc; 10000000 - 19999999 ... and so

Are hackers using something like this on zombie computers? If not, they should. Because you can easily crack the hardest password with hundreds of zombie pces.

[ande]

Actually I am trying to design cracking network that runs on volunteers computer. For now I am preparing for md5 and aircrack only.

For example, 20 people are willing to join this network to crack one wifi network. Client script (written in python) will fetch the cap file and wordlist range from server (written in python) then every computer will try to crack from their wordlist range. that's all.

1. pc; 00000000 - 09999999
2. pc; 10000000 - 19999999 ... and so

Are hackers using something like this on zombie computers? If not, they should. Because you can easily crack the hardest password with hundreds of zombie pces.

Distributed cracking has been done on massive scales before by botnets and alike. But this certainly wont work with online systems. With hashes and encryptions, sure.