On 25 May 2012 21:59, Sherif El-Deeb <[email protected]> wrote:
> Back when nothing was supporting Outlook Web Access bruteforcing, I've
> written a simple bash script that automated the process using "curl"... I
> suggest you do the same.
>
> "curl --ntlm" -> it will be two nested for loops, the outer iterates through
> usernames, the inner iterates through passwords... then process server's
> answer using multiple grep and cut to check for correct/bad credentials
> using variables and "if".
>
> The only problem with that method will be the speed (lack of), so, I have
> included a simple function to make sure at least "32" instances of curl are
> running at any given time
>
> ===== start of code example=====
> #!/bin/bash
> .....
> .....
> CheckCurl(){
>     CurlCount=$(pidof curl | wc -w)
>     [ $CurlCount -ge 32 ] && CheckCurl
> }
>
> echo [*] Starting...
> for USER in $(cat $userList)
> do
>     for PASSWORD in $(cat $passList)
>     do
>         #before running the command, we want to make sure that the running instances of curl are not greater than 32
>         CheckCurl
>         #note that this will save the output to a folder called "html_out", change that or create it.
>         curl --ntlm -u 'domain\ $USER:$PASSWORD' blah blah blah blah ....... & # the ending ampersand is very important for multithreading
>     done
>
> done
>
> ===== End of code example=====
>
> Hope that helps,
> Sherif Eldeeb.

I was reading backwards through the mails so I just got curl working
then got to this mail which is a great script, I'll give it a go.

And to the people who suggested watch out for lockout, I will.

Robin

>
> On Fri, May 25, 2012 at 11:10 PM, Robin Wood <[email protected]> wrote:
>>
>> On 25 May 2012 16:59, Navarro, Gregory J <[email protected]>
>> wrote:
>> > Do you know of a valid login but just not the password. If so just fuzz
>> > it with Burp
>>
>> I have no credentials but even if I did I don't think Burp does NTLM,
>> for it to do it it would have to be able to work with the four way
>> handshake and I've not seen anywhere that that appears to be an
>> option. If you can point me at how to do it I'll happily try.
>>
>> Robin
>>
>> > From: [email protected] [mailto:[email protected]]
>> > On Behalf Of Robin Wood
>> > Sent: Thursday, May 24, 2012 6:08 AM
>> > To: Tony Turner; PaulDotCom Security Weekly Mailing List
>> > Cc: _; [email protected]
>> > Subject: Re: [Pauldotcom] hydra and HTTP NTLM
>> >
>> > On 24 May 2012 13:36, Tony Turner <[email protected]> wrote:
>> >> Have you tried http://www.foofus.net/~jmk/tools/FPbrute.pl yet? Or is there
>> >> a reason you wanted to use Hydra?
>> >
>> > I've tried that but it seems to expect the login request for a simple
>> > GET. I'm testing a FrontPage install which allows me to read but then
>> > fails on write. Checking the traffic when I click save it sends an
>> > OPTIONS request which gets a reply of 401 which triggers FP to then
>> > start the handshake.
>> >
>> > Robin
>> >
>> >> ________________________________
>> >> From: Robin Wood <[email protected]>
>> >> To: _ <[email protected]>
>> >> Cc: "[email protected]" <[email protected]>; PaulDotCom
>> >> Mailing List <[email protected]>
>> >> Sent: Thursday, May 24, 2012 8:17 AM
>> >> Subject: Re: [Pauldotcom] hydra and HTTP NTLM
>> >>
>> >> On 24 May 2012 13:06, _ <[email protected]> wrote:
>> >>> http ntlm is IIS based windows auth.
>> >>
>> >> Yes but I still don't know how to attack it.
>> >>
>> >> Robin
>> >>
>> >>> On May 23, 2012, at 6:14 AM, Robin Wood <[email protected]> wrote:
>> >>>
>> >>>> Anyone know how to use the new HTTP NTLM feature in Hydra? I'm trying
>> >>>> to brute force a MS Front Page login which only asks for
>> >>>> authentication when the OPTIONS method is used as far as I can tell.
>> >>>>
>> >>>> Robin
>> >>>>
>> >>>> This list is sponsored by Cenzic
>> >>>> --------------------------------------
>> >>>> Let Us Hack You. Before Hackers Do!
>> >>>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> >>>> Request Yours Now!
>> >>>> http://www.cenzic.com/2009HClaunch_Securityfocus
>> >>>> --------------------------------------
>> >>>>
>> >> _______________________________________________
>> >> Pauldotcom mailing list
>> >> [email protected]
>> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> >> Main Web Site: http://pauldotcom.com
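
The thread notes that the server answers the OPTIONS request with a 401 before the NTLM handshake starts, so a raw count of 401 responses overstates failed logons. As an added example (not part of the original thread), the Python below flags clients with repeated rejected logons in time-ordered IIS W3C logs. The field set, the constructed sample log, the /docs/ path, the threshold and the IIS status pairs (401.2/5 and 401.1/2148074254 as handshake legs, 401.1/1326 as a rejected logon) are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed IIS pattern: 401.1 with Win32 status 1326 (ERROR_LOGON_FAILURE)
LOGON_FAILURE = ("401", "1", "1326")

def parse_w3c(lines):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def flag_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak failures in any window} for IPs at or above threshold."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for row in parse_w3c(lines):
        status = (row["sc-status"], row["sc-substatus"], row["sc-win32-status"])
        if status != LOGON_FAILURE:
            continue  # 401.2 and 401.1/2148074254 are ordinary handshake legs
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[row["c-ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        peak[row["c-ip"]] = max(peak[row["c-ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed log: one normal sign-in and one client rejected six times."""
    out = ["#Fields: date time c-ip cs-method cs-uri-stem "
           "sc-status sc-substatus sc-win32-status"]
    handshake = [("401", "2", "5"), ("401", "1", "2148074254")]
    for leg in handshake + [("200", "0", "0")]:
        out.append("2012-05-25 10:00:00 192.0.2.10 OPTIONS /docs/ " + " ".join(leg))
    for i in range(6):
        for leg in handshake + [LOGON_FAILURE]:
            out.append(f"2012-05-25 10:01:{i * 5:02d} 198.51.100.7 OPTIONS /docs/ "
                       + " ".join(leg))
    return out

if __name__ == "__main__":
    print(flag_bruteforce(sample_log()))
```

Counting only the rejected-logon rows keeps a normal sign-in, which produces two 401 responses before its 200, from being flagged.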
