OWASP ZAP bruteforce 3 parameters Request from 3 payloads (parallel)

How can I fuzz a request with 3 parameters (locations) and 3 payloads?

request1 => parameter1=payload1.1; parameter2=payload2.1; parameter3=payload3.1;

request2 => parameter1=payload1.2; parameter2=payload2.2; parameter3=payload3.2;

request3 => parameter1=payload1.3; parameter2=payload2.3; parameter3=payload3.3;

Where payload1.2 means take string#2 from payload1 … etc

Thanks.

Bruteforce OpenSSL generated password

I recently lost a password to a Linux box, luckily due to various reasons I had manually set the password after generating it with openssl passwd -crypt and I still have this generated string. Would it be possible to use this to login via SSH or otherwise try some brute force attack locally comparing it with the hashed password string and if so how would I go about doing this? Thanks.

Hydra Brute-force attack on Gitlab doesn’t work!

I’m using hydra to test my organization’s security since our GitLab is accessible online. I wanted to make sure of the security of the login itself before implementing other types of security measures (e.g. hiding the subdomain, or .htaccess or Recaptcha).

Here’s what I’m facing exactly:

the domain is: git.website.com

the URL after it, as a default of GitLab is: /users/sign_in

so if you even type git.website.com it redirects to git.website.com/users/sign_in

My THC Hydra command is:

hydra -l root -P /Users/john/Desktop/realhuman_phill.txt git.website.com http-post-form "/users/sign_in:utf8=%E2%9C%93&authenticity_token=MaxhReOTOWuQz5UjUR4YZ295k%2FGsPiQ2O8UUQE4RHgqhPMsqMP3gPMLfqukhZQJyVyMVgDFlp26sxvE5O1f0XA%3D%3D&user%5Blogin%5D=^USER^&user%5Bpassword%5D=^PASS^&user%5Bremember_me%5D=0:F=Invalid Login or Password." -vv 

I’m using Burpsuite for capturing the request and this is what’s shown:

POST /users/sign_in HTTP/1.1
Host: git.website.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://git.website.com/users/sign_in
Content-Type: application/x-www-form-urlencoded
Content-Length: 211
Origin: https://git.website.com
DNT: 1
Connection: close
Cookie: _gitlab_session=fb399cff612eecda0c4a75770700e655
Upgrade-Insecure-Requests: 1

utf8=%E2%9C%93&authenticity_token=%2F4y5%2BI62o%2Fi7nfnnwVsdAwCbMhpXqtOW1tnqrLziGyRvHBOXXdh6r%2BmNxi2xIAcWOMG0a8rxUM5B2g%2FVyaTxcg%3D%3D&user%5Blogin%5D=TESTING&user%5Bpassword%5D=TESTING&user%5Bremember_me%5D=0

gitlab request, POST data

So when I’m trying to send these parameters to hydra it always returns one of these 2 scenarios:

  1. if I type this command, it just prints the manual:

Command:

hydra -l root -P /Users/john/Desktop/realhuman_phill.txt git.website.com http-post-form "/users/sign_in:utf8=%E2%9C%93&authenticity_token=MaxhReOTOWuQz5UjUR4YZ295k%2FGsPiQ2O8UUQE4RHgqhPMsqMP3gPMLfqukhZQJyVyMVgDFlp26sxvE5O1f0XA%3D%3D&user%5Blogin%5D=TESTING&user%5Bpassword%5D=TESTING&user%5Bremember_me%5D=0:F=Invalid Login or password." -vv 

Result:

Hydra v9.1-dev (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-24 13:20:01
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]

Options:
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -t TASKS  run TASKS number of connects in parallel per target (default: 16)
  -U        service module usage details
  -m OPT    options specific for a module, see -U output for information
  -h        more command line options (COMPLETE HELP)
  server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)

Supported services: adam6500 asterisk cisco cisco-enable cvs ftp http-{head|get|post} http-{get|post}-form http-proxy http-proxy-urlenum icq imap irc ldap2 ldap3[s] mssql mysql(v4) nntp pcanywhere pcnfs pop3 redis rexec rlogin rpcap rsh rtsp s7-300 smb smtp smtp-enum snmp socks5 teamspeak telnet vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL v3.0.
The newest version is always available at; https://github.com/vanhauser-thc/thc-hydra
Please don't use in military or secret service organizations, or for illegal purposes.
(This is a wish and non-binding - most such people do not care about laws and ethics anyway - and tell themselves they are one of the good ones.)

Example:  hydra -l user -P passlist.txt ftp://192.168.0.1

which means hydra is not even processing my command, so something is wrong

  2. when I trim down the command, remove utf8, authenticity_token & remember_me from the POST request and also change the way I write the domain.module.module-options following hydra guidelines:

Command:

hydra -l root -P /Users/john/Desktop/realhuman_phill.txt http-post-form://git.website.com:login=^USER^&password=^PASS^:F=Invalid Login or password. -vv 

Result:

hydra -l root -P /Users/john/Desktop/realhuman_phill.txt http-post-form://git.website.com:login=^USER^&password=^PASS^:F=Invalid Login or password. -vv
[1] 75788
Hydra v9.1-dev (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-24 13:24:46
[WARNING] You must supply the web page as an additional option or via -m, default path set to /
[ERROR] the variables argument needs at least the strings ^USER^, ^PASS^, ^USER64^ or ^PASS64^: (null)
[1]    exit 255   hydra -l root -P /Users/john/Desktop/realhuman_phill.txt
Login incorrect
login:

P.S 1: I need to mention that I have thoroughly searched and didn’t get a solution, most videos and guidelines test it on single IP without extra URLs (e.g. /users/sign_in) so they have been practically useless.

P.S 2: git.website.com is obviously fake so if you need a real example to test let me know

I would really appreciate it if you could guide me and correct me where I’m wrong.

Can bruteforce attacks be prevented with tables of valid inputs?

Can this method of encryption prevent bruteforce attacks?

If I had a hypothetical table (or function) where every grammatically valid sentence (in existence, limited to some number of words) was given an associated number, e.g:

"Good morning, how are you." = 3283
"Today is a nice day." = 2183

Then added a number (as a key), e.g:

3283 + 1234 = 4516 

Wouldn’t this final output of 4516 be effectively protected against bruteforce attacks?

Ignoring the difficulty of producing a hashtable/function capable of reducing every valid input into a single number, and the issue of sending the key 1234 securely.

Is there any way of finding the original input only from the output?

Is limiting the domain of the encryption to only valid inputs an effective method of preventing bruteforce attacks?

If so is there any practical example of this? Why or why not?

O(V+E) algorithm for computing chromatic number X(g) of a graph instead of brute-force?

I came up with this O(V+E) algorithm for calculating the chromatic number X(g) of a graph g represented by an adjacency list:

  1. Initialize an array of integers “colors” with V elements being 1
  2. Using two for loops, go through each vertex and its adjacent nodes, and for each adjacent node g[i][j] (where j is adjacent to i), if j is not visited yet, increment colors[g[i][j]] by 1.
  3. After doing this, the maximum integer in the array “colors” is the chromatic number of the graph g (if the algorithm works).

Here is my C++ code:

#include <algorithm>
#include <iostream>
#include <vector>
using namespace std;

struct graph {
    vector<vector<int>> adjL;   // adjacency list, vertices numbered 1..N
    vector<int> colours;        // colours[v] starts at 1
    vector<bool> vis;           // vis[v] is set once vertex v has been processed
};

int chrNUM(graph& G) {
    int num = 1;
    for (int i = 1; i < (int)G.adjL.size(); i++) {
        for (int j = 0; j < (int)G.adjL[i].size(); j++) {
            // neighbour not processed yet: bump its counter and track the maximum
            if (!G.vis[G.adjL[i][j]]) {
                G.colours[G.adjL[i][j]]++;
                num = max(num, G.colours[G.adjL[i][j]]);
            }
        }
        G.vis[i] = true;
    }
    return num;
}

void initGET(graph& G, int N, int M) {
    cin >> N >> M;   // N vertices, M edges
    G.adjL.assign(N + 1, vector<int>(0));
    G.colours.assign(N + 1, 1);
    G.vis.assign(N + 1, false);
    for (int i = 0; i < M; i++) {
        int u, v;
        cin >> u >> v;   // undirected edge u-v
        G.adjL[u].push_back(v);
        G.adjL[v].push_back(u);
    }
}

int main() {
    graph g;
    int n;  // number of vertices
    int m;  // number of edges
    initGET(g, n, m);
    cout << chrNUM(g);
}

I am wondering if there is a flaw? Maybe it works for certain graphs only? Maybe it gives X(g) for smaller graphs but a value higher than X(g) for larger graphs? I found it worked correctly for all the graphs I have tried (up to 20 vertices). I know this is an NP complete problem but I want some counterexamples for my algorithm if possible or an explanation as to why the method won’t work. I have also got a recursive (DFS) solution which is a bit different but mostly similar to this. Any ideas?

Thanks in advance!
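As an added illustration (not the poster's code, and not part of the original question): a Python port of the procedure described above, placed next to an exhaustive exact computation of the chromatic number. The triangle and star inputs are constructed; the vertex numbering starting at 1 is assumed from the posted C++ code.

```python
from itertools import product


def posted_procedure(n, edges):
    """Port of the posted procedure (assumption: vertices are numbered 1..n,
    as in the posted C++ code). colours[v] ends up as 1 + the number of
    neighbours of v that were processed before v; the maximum is returned."""
    adj = [[] for _ in range(n + 1)]
    for u, v in edges:
        adj[u].append(v)
        adj[v].append(u)
    colours = [1] * (n + 1)
    vis = [False] * (n + 1)
    num = 1
    for i in range(1, n + 1):
        for j in adj[i]:
            if not vis[j]:                 # neighbour not processed yet
                colours[j] += 1
                num = max(num, colours[j])
        vis[i] = True
    return num


def chromatic_number(n, edges):
    """Exact chromatic number: try every colouring with k colours for
    k = 1, 2, ... and stop at the first k that works. Exponential, so this
    is only meant for small graphs."""
    for k in range(1, n + 1):
        for colouring in product(range(k), repeat=n):
            if all(colouring[u - 1] != colouring[v - 1] for u, v in edges):
                return k
    return n  # n colours always suffice, so this is only reached for n == 0


# Constructed inputs: a triangle, and a star with three leaves attached to
# vertex 4 (the same star with its centre at vertex 1 is used in the test).
TRIANGLE = (3, [(1, 2), (1, 3), (2, 3)])
STAR = (4, [(1, 4), (2, 4), (3, 4)])


def compare(graph):
    """Returns (posted procedure's answer, exact chromatic number)."""
    n, edges = graph
    return posted_procedure(n, edges), chromatic_number(n, edges)


if __name__ == "__main__":
    for name, g in (("triangle", TRIANGLE), ("star", STAR)):
        print(name, compare(g))
```

Because `colours[v]` only counts neighbours with a lower number, the posted procedure's answer depends on how the vertices are numbered, which the exact value cannot.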

How to defend against brute-force form submissions

(To be clear, in this question I’m not asking about how to protect a login form against brute-force attacks.)

I work for a company which designs and builds microsites for competitions that appear on consumer products. If you’ve ever bought a packet of crisps which has prompted you to look for a unique code printed inside the pack and enter it on a website, then you can imagine the sort of site I mean.

The codes are usually supplied to us by our clients, and with few exceptions comprise 8 uppercase alphanumeric characters.

The website asks for a unique code, the user’s name and email address, and requires that they tick an “I agree to the terms & conditions” checkbox. A successful entrant will usually be told instantly if they have won a prize.

Typically we use reCAPTCHA (the tick box variant) to mitigate against bulk form submissions, but I worry that this is insufficient to prevent a determined attacker from flooding the site with thousands or even millions of codes they have generated.

What other steps should I be taking to ensure the security of these websites? Would a DDoS protection service (such as those offered by AWS and Google Cloud) be a good fit?
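As an added example (not from the question above or any answer to it): one of the standard server-side mitigations for this kind of form, a per-client failure budget with a lockout, written as a small Python module. The client key, the sample codes and the injectable clock are constructed assumptions; the 8-character uppercase alphanumeric code format is the one the question describes.

```python
import re
import time
from collections import defaultdict, deque

# Code format from the question: 8 uppercase alphanumeric characters.
CODE_RE = re.compile(r"[A-Z0-9]{8}")
CODE_SPACE = 36 ** 8            # 2,821,109,907,456 possible codes


def guess_success_probability(unredeemed_codes: int) -> float:
    """Chance that one uniformly random well-formed guess hits a live code.
    With a million live codes this is about 3.5e-7 per attempt, so the
    attacker's only lever is volume, which is what the limiter below caps."""
    return unredeemed_codes / CODE_SPACE


class SubmissionLimiter:
    """Sliding-window failure budget per client key (IP, session id, ...)
    with a lockout once the budget is spent. `clock` is injectable so the
    behaviour can be exercised without waiting."""

    def __init__(self, max_failures=5, window_seconds=600,
                 lockout_seconds=3600, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lockout expires

    def _record_failure(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            q.clear()

    def submit(self, key, code, unredeemed):
        """Returns 'locked', 'malformed', 'rejected' or 'accepted'.
        `unredeemed` is the set of codes still valid; accepted codes are removed."""
        now = self.clock()
        if self._locked_until.get(key, 0) > now:
            return "locked"
        if not CODE_RE.fullmatch(code):
            self._record_failure(key, now)   # malformed input still spends budget
            return "malformed"
        if code in unredeemed:
            unredeemed.discard(code)         # each code can be redeemed once
            return "accepted"
        self._record_failure(key, now)
        return "rejected"


class FakeClock:
    """Manual clock for the demo (constructed; production uses time.monotonic)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Constructed walk-through: one client burns its budget, waits out the
    lockout, then succeeds; a second client has its own budget."""
    clock = FakeClock()
    limiter = SubmissionLimiter(max_failures=3, window_seconds=60,
                                lockout_seconds=300, clock=clock)
    codes = {"A1B2C3D4", "ZZZZ9999"}            # constructed sample codes
    out = []
    out.append(limiter.submit("10.0.0.1", "A1B2C3D4", codes))  # accepted
    out.append(limiter.submit("10.0.0.1", "A1B2C3D4", codes))  # rejected (already used)
    out.append(limiter.submit("10.0.0.1", "bad", codes))       # malformed
    out.append(limiter.submit("10.0.0.1", "QQQQQQQQ", codes))  # rejected, 3rd failure -> lockout
    out.append(limiter.submit("10.0.0.1", "ZZZZ9999", codes))  # locked, code untouched
    clock.t = 301.0
    out.append(limiter.submit("10.0.0.1", "ZZZZ9999", codes))  # accepted after lockout
    out.append(limiter.submit("10.0.0.2", "QQQQQQQQ", codes))  # rejected, separate budget
    return out
```

Keying only on the source IP is weak against submissions spread over many addresses, so in practice the key would combine IP, session and CAPTCHA state; the point of the limiter is to make each attempt cost the attacker far more than the roughly 3.5e-7 success chance a random 8-character code gives them.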

Bruteforce https post using single tcp connection

So I’ve tried bruteforcing my server using thc-hydra’s https-post-form, but it floods the server very quickly and the requests start timing out.

However, if I go through the browser, where the HTTP header Connection: Keep-Alive is used and accepted by the server, I can make a lot of requests in rapid succession without flooding the server.

Is there a tool like hydra that can be used to send many https post requests using a single tcp connection?