Web Application Security
Re: [Pauldotcom] hydra and HTTP NTLM May 26 2012 09:35PM
Robin Wood (robin digininja org)
On 25 May 2012 21:59, Sherif El-Deeb <archeldeeb (at) gmail (dot) com [email concealed]> wrote:
> Back when nothing was supporting Outlook Web Access bruteforcing, I
> wrote a simple bash script that automated the process using "curl"... I
> suggest you do the same.
>
> "curl --ntlm" -> it will be two nested for loops, the outer iterates through
> usernames, the inner iterates through passwords... then process server's
> answer using multiple grep and cut to check for correct/bad credentials
> using variables and "if".
>
> The only problem with that method will be the speed (or lack of it), so I have
> included a simple function to make sure at least "32" instances of curl are
> running at any given time.
>
> ===== start of code example=====
> #!/bin/bash
> .....
> .....
> # Wait until fewer than 32 curl processes are running. A loop with a short
> # sleep replaces the original self-recursive call, which spun the CPU and
> # grew the call stack while waiting.
> CheckCurl(){
>     while [ "$(pidof curl | wc -w)" -ge 32 ]; do
>         sleep 0.2
>     done
> }
>
> echo "[*] Starting..."
> for USER in $(cat "$userList")
> do
>         for PASSWORD in $(cat "$passList")
>         do
>                 # before running the command, we want to make sure that the
>                 # running instances of curl are not greater than 32
>                 CheckCurl
>                 # note that this will save the output to a folder called
>                 # "html_out", change that or create it.
>                 # double quotes are needed so $USER and $PASSWORD expand
>                 curl --ntlm -u "domain\\$USER:$PASSWORD" blah blah blah blah
>                 ....... & # the ending ampersand is very important for multithreading
>         done
>
> done
>
> ===== End of code example=====
>
> Hope that helps,
> Sherif Eldeeb.

I was reading backwards through the mails, so I had just got curl working
when I got to this mail, which is a great script; I'll give it a go.

And to the people who suggested watch out for lockout, I will.

Robin

>
> On Fri, May 25, 2012 at 11:10 PM, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
>>
>> On 25 May 2012 16:59, Navarro, Gregory J <Gregory.J.Navarro (at) disney (dot) com [email concealed]>
>> wrote:
>> > Do you know of a valid login but just not the password? If so, just fuzz
>> > it with Burp.
>>
>> I have no credentials, but even if I did I don't think Burp does NTLM;
>> for it to do so it would have to be able to work with the four-way
>> handshake, and I've not seen anywhere that that appears to be an
>> option. If you can point me at how to do it I'll happily try.
>>
>> Robin
>>
>> > From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
>> > On Behalf Of Robin Wood
>> > Sent: Thursday, May 24, 2012 6:08 AM
>> > To: Tony Turner; PaulDotCom Security Weekly Mailing List
>> > Cc: _; webappsec (at) securityfocus (dot) com [email concealed]
>> > Subject: Re: [Pauldotcom] hydra and HTTP NTLM
>> >
>> > On 24 May 2012 13:36, Tony Turner <tony_l_turner (at) yahoo (dot) com [email concealed]> wrote:
>> >> Have you tried http://www.foofus.net/~jmk/tools/FPbrute.pl yet? Or is
>> >> there
>> >> a reason you wanted to use Hydra?
>> >
>> > I've tried that but it seems to expect the login request for a simple
>> > GET. I'm testing a FrontPage install which allows me to read but then
>> > fails on write. Checking the traffic when I click save it sends an
>> > OPTIONS request which gets a reply of 401 which triggers FP to then
>> > start the handshake.
>> >
>> > Robin
>> >
>> >> ________________________________
>> >> From: Robin Wood <robin (at) digininja (dot) org [email concealed]>
>> >> To: _ <packetnull (at) gmail (dot) com [email concealed]>
>> >> Cc: "webappsec (at) securityfocus (dot) com [email concealed]" <webappsec (at) securityfocus (dot) com [email concealed]>;
>> >> PaulDotCom
>> >> Mailing List <pauldotcom (at) mail.pauldotcom (dot) com [email concealed]>
>> >> Sent: Thursday, May 24, 2012 8:17 AM
>> >> Subject: Re: [Pauldotcom] hydra and HTTP NTLM
>> >>
>> >> On 24 May 2012 13:06, _ <packetnull (at) gmail (dot) com [email concealed]> wrote:
>> >>> HTTP NTLM is IIS-based Windows auth.
>> >>
>> >> Yes but I still don't know how to attack it.
>> >>
>> >> Robin
>> >>
>> >>> On May 23, 2012, at 6:14 AM, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
>> >>>
>> >>>> Anyone know how to use the new HTTP NTLM feature in Hydra? I'm trying
>> >>>> to brute force a MS Front Page login which only asks for
>> >>>> authentication when the OPTIONS method is used as far as I can tell.
>> >>>>
>> >>>> Robin
>> >>>>
>> >>>>
>> >>>>
>> >>>> This list is sponsored by Cenzic
>> >>>> --------------------------------------
>> >>>> Let Us Hack You. Before Hackers Do!
>> >>>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> >>>> Request Yours Now!
>> >>>> http://www.cenzic.com/2009HClaunch_Securityfocus
>> >>>> --------------------------------------
>> >>>>
>> >> _______________________________________________
>> >> Pauldotcom mailing list
>> >> Pauldotcom (at) mail.pauldotcom (dot) com [email concealed]
>> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> >> Main Web Site: http://pauldotcom.com
>> >>
>> >>
>> >>
>> >
>> >
>> >
>
>
>

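Robin mentions watching out for lockout; from the defender's side, the same burst of rejected NTLM attempts is what a detection should key on. The following is an added example, not code from the thread or from either author: it scans constructed IIS-style log lines for the pattern a script like the one above produces (many 401 responses from one client, spread across several accounts) and lists the accounts that client has driven to an assumed lockout threshold. The field layout, the sample lines, the thresholds and the use of IIS substatus 1 (401.1, logon failed) as the "credential rejected" marker are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed field order for the log lines below (a subset of the IIS W3C fields).
FIELDS = "date time c-ip cs-method cs-uri-stem cs-username sc-status sc-substatus".split()


def parse_line(line):
    """Parse one W3C-style log line into a dict, or return None for headers/junk."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec


def constructed_log():
    """Constructed sample (not real traffic): 10.0.0.5 sprays 30 NTLM attempts
    over 6 accounts in 30 seconds; 192.0.2.9 is a real user who mistypes once."""
    lines = ["2012-05-25 21:09:55 192.0.2.9 OPTIONS /site/ - 401 2",
             "2012-05-25 21:09:55 192.0.2.9 OPTIONS /site/ CORP\\alice 401 1",
             "2012-05-25 21:09:58 192.0.2.9 OPTIONS /site/ CORP\\alice 200 0"]
    users = ["alice", "bob", "carol", "dave", "erin", "frank"]
    for n in range(30):
        lines.append(f"2012-05-25 21:10:{n:02d} 10.0.0.5 OPTIONS /site/ CORP\\{users[n % 6]} 401 1")
    return "\n".join(lines)


def detect(log_text, window=timedelta(minutes=5), max_burst=20, max_users=5, lockout=5):
    """Flag clients with max_burst 401.1 responses inside any `window`, or failures
    against max_users distinct accounts; list accounts at the assumed lockout count."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["sc-status"] == "401" and rec["sc-substatus"] == "1":
            failures[rec["c-ip"]].append(rec)
    alerts = {}
    for ip, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        burst, j, per_user = 0, 0, Counter()
        for i, r in enumerate(recs):
            while r["ts"] - recs[j]["ts"] > window:   # slide the window start forward
                j += 1
            burst = max(burst, i - j + 1)
            if r["cs-username"] != "-":               # failed NTLM may log no user
                per_user[r["cs-username"].lower()] += 1
        if burst >= max_burst or len(per_user) >= max_users:
            alerts[ip] = {"burst": burst, "users": len(per_user),
                          "near_lockout": sorted(u for u, c in per_user.items() if c >= lockout)}
    return alerts


if __name__ == "__main__": print(detect(constructed_log()))
```

The legitimate user's single mistype never reaches either threshold, while the spraying client is reported with its burst size, the number of accounts touched, and the accounts that are at the lockout count.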

Copyright 2010, SecurityFocus