0

I am trying to penetration test one of my websites. The username and password are unknown to me. I am trying to break the username and password using a brute-force attack.

Although, this strategy should be straight as I need to keep generating a new alphanumeric combination of variable length each time and posting it using some self-written program.

But this strategy needs a lot of processing time and power. My simple doubt is: is this strategy good enough for username and password breaking, or is some other task expected to be done?

I have heard a lot about dictionary attacks, but that too requires predefined and pre-expected lists of usernames and passwords.

Should I go for Brutus (but it didn't work for me) or a self-written program? What is the right way of enlisting the usernames and passwords?

Gumbo
  • 2
    Here's a good article that gives info on how easy it is for a seasoned hacker to crack passwords: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ – mttdbrd Mar 18 '14 at 04:45
  • Passwords chosen by humans *aren't* random or particularly well-distributed - this is one reason why I've switched to using a tool like KeePass and randomly generate distinct 128~bit keys, and pass-phrases otherwise. There are papers out suggesting that it is much more "cost effective" to try a limited selection of passwords, by frequency, against *many* accounts. – user2864740 Mar 18 '14 at 07:25
  • This question appears to be off-topic because it is not about programming. – Eugene Mayevski 'Callback Mar 18 '14 at 11:14
  • 3
    This question appears to be off-topic because it is about security. Try http://security.stackexchange.com/ instead – SilverlightFox Mar 19 '14 at 11:42

2 Answers

2

Online brute-force attacks against a live system are not viable as it’s simply too slow: limited bandwidth, latency, throttling, perhaps Captchas, etc. One could try a dictionary attack, but probably only with a very short list of passwords.

But for offline password attacks, where the attacker is in possession of the password hash, the only limiting factor is the hardware and software of his own system. However, often brute-force attacks are still viable only against high-value targets due to the cost-benefit ratio.

Gumbo
  • With fast hashes such as MD5/SHA (and passwords that are still not well distributed or otherwise reducible), brute force is "viable" against even low-value targets. One doesn't need to crack any particular password to be able to recover a good number of passwords .. – user2864740 Mar 18 '14 at 07:21
1

Not only is it achievable, with modern approaches using GPUs and FPGAs, it's an incredibly viable approach. Note this doesn't necessarily apply to client-server models. However, if you have encrypted data protected by something such as PBKDF2, it is possible with enough computing power that the password and therefore key could be recovered. The appropriate approach depends on what it is you're trying to attack. Attacking websites is much more difficult as without a distributed attack the site can simply throttle its responses, slowing your attack time.

Jeff
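The server-side throttling both answers mention, together with the many-accounts case raised in the comments, sketched as an added example that is not part of the original answers. The class name, thresholds and sample traffic are assumptions chosen for illustration; it shows why a per-account backoff alone does not cover one source trying a few passwords across many accounts.

```python
from collections import defaultdict

class LoginThrottle:
    """Hypothetical login throttle: per-account backoff plus a per-source spray check."""

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=900.0,
                 spray_accounts=5):
        self.free_attempts = free_attempts      # failures allowed before any delay
        self.base_delay = base_delay            # first delay in seconds, then doubling
        self.max_delay = max_delay              # cap on the delay
        self.spray_accounts = spray_accounts    # distinct failed accounts per source
        self.account_failures = defaultdict(int)
        self.source_accounts = defaultdict(set)
        self.blocked_until = {}                 # ("acct"|"src", key) -> timestamp

    def _delay(self, failures):
        if failures <= self.free_attempts:
            return 0.0
        exponent = failures - self.free_attempts - 1
        return min(self.max_delay, self.base_delay * 2 ** exponent)

    def allowed(self, account, source, now):
        keys = (("acct", account), ("src", source))
        return all(self.blocked_until.get(k, 0.0) <= now for k in keys)

    def record_failure(self, account, source, now):
        self.account_failures[account] += 1
        delay = self._delay(self.account_failures[account])
        if delay:
            self.blocked_until[("acct", account)] = now + delay
        # One source failing on many different accounts looks like spraying.
        self.source_accounts[source].add(account)
        if len(self.source_accounts[source]) >= self.spray_accounts:
            self.blocked_until[("src", source)] = now + self.max_delay

    def record_success(self, account):
        self.account_failures.pop(account, None)

def simulate(throttle, attempts):
    """Feed (time, account, source) failed logins; return how many were evaluated."""
    accepted = 0
    for now, account, source in attempts:
        if throttle.allowed(account, source, now):
            throttle.record_failure(account, source, now)
            accepted += 1
    return accepted

# Constructed traffic: one guess per second for an hour against one account,
# and one guess against each of ten accounts from a single source.
SINGLE_ACCOUNT = [(t, "alice", "198.51.100.7") for t in range(3600)]
SPRAY = [(t, f"user{t}", "198.51.100.8") for t in range(10)]

if __name__ == "__main__":
    print(simulate(LoginThrottle(), SINGLE_ACCOUNT))
    print(simulate(LoginThrottle(), SPRAY))
```

With the assumed defaults, the hour of guessing against one account gets 16 attempts evaluated instead of 3600, while the spray is only cut off by the per-source check.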