Sethioz Industries Forum

[KEN]

I have to get access to: http://rotitnhoj.tumblr.com/
but it is password protected.

It have unlimited tries with no capcha of any sort so any bruteforce should work, except I don't know what to use.

So far I tried Brutus, it finds the password but it's wrong.
It finds the wrong password / I am using some wrong settings.
Sometimes it just gives a 1 letter pass like this:

what am I doing wrong here or should I use some other tool?

[Sethioz]

yeah brutus is jurassic tool and always gives false positives, don't know who's the idiot who made it, it never worked for me either.
I don't think there is such thing as universal http bruteforcer, you have to think of your own way.
If you lack programming skills or can't bother with it, use CommView + Luigi's TCPFP, it will work creat.
I think it was TCPFP, not 100% sure. I used one of Luigi's tools + CommView to bruteforce something, you generate a user:pass list and tell TCPFP (or whatever this tool was) to go thru that whole list.
in CommView setup a filter/rule to STOP capture when correct password is confirmed. so for this attack to work, you also need to know how tumblr confirms the pass, you have to make your own page/account and "guess" a password, so that you can setup a rule to stop capture based on that confirmation packet.

Just record 2 packets, 1 confirmed pass and 1 wrong, compare them and make sure that only confirmed pass will trigger the rule. In Commview its easy to set alarm/rule that stops the capture when alarm has been triggered.

You might have to go through last 5-10 packets, but that takes you less than 1 min to try last 10 combinations.

[Legu]

>brute forcing html
This will never work. Not even with dictionary. Your speed is limited to your inet speed, so even with the best inet connection, it could take a freaking long time.

[Sethioz]

Even with shitty connection, you can send 10000 packets a second, well yeah, brute force ain't gonna happen (might get lucky tho), but wordlist attack is very possible, might take a week or month, but will work.
If you don't know the login name / email / id, then there's not much point in trying.

[KEN]

There's just a pass to be entered, no username / email etc. so this might work.
I haven't tried it yet. I can try to leave it on my server 24/7.
How much time as an estimate can it take on this?

I can't leave it on it right now for almost another week.

[Sethioz]

I assume that's VPN? It has nothing to do with speed tho, well might do a little if you run multi-session, but internet speed has very little to do with this, you need good ping.
If speed is good, you can run more than 1 session, split the attack into many pieces and run many instances of the attack (tool you're using)

If you use the method i recommended, then you can run like 1000 instances easy. If each instance does like 10000 per second, then you do the math, however it may cause a DoS and as a result you get false readings, even tho pass was guessed, it may lag and not give a response back.
You can send out tons of packets, but other end has only port 80 to accept all this, so it would be the bottleneck probably. You have to test and see what works. I recommend running attack against your own PC via VPN and see how it performs.
OR better yet, make fake tumblr account and attack it, see how it performs and if you can guess the pass.