This is technically a dictionary attack.
Brute force, by me.
VB6.
Attempts to log on as a CHAT client. Uses socks4 protocol for proxies. Source code commented, for the most part. Educational use only.
*INCLUDES*
Source files
Executable
Needed .txt and .ini files
http://www.javaop.com/uploads/guest/BruteForce.zip
Please leave any comments, corrections or suggestions.
Thanks to: iago for upload :)
Incidentally, if anybody cares, either "Auditor" or "Knoppix-std" (live Linux security-based distributions) comes with a 26mb dictionary file. It's pretty damn elite. I forget which one it is, though.
http://packetstormsecurity.nl/Crackers/dicts.zip
That dictionary is small compared to the one I'm talking about :)
I'll figure out which distro it is on Monday and let you know.
Do you have anything better to do besides create tools meant to harass and steal? Get a life, please.
The first thing I want to do with this is brute force tazo's account to teach him a lesson.
26mb is nothing. I had a 3 gig file once which generated like every combination with letters from 2 characters to 12 in length. I don't think it ever finished though.
I had this program that created those files userloser, and the farthest I ever got was 35gb. I'll see if I can get it again from agarwaen.
Here is a BF DLL I made. Easy incrementation for BF.
http://68.58.200.72/bruteforce.zip
I really don't think it's necessary to store all the combinations into a file just to try each one. I'm sure the computer is well capable of generating them on the fly.
Somewhat oxymoronic to call such a file a dictionary.
Much easier method:
Tell them to register for your forum or w/e, anything that uses md5 or even plain-text!
If md5, break it in a couple hours max. Battle.net brute forcing is way too tedious.
Also I can't believe you guys actually support this....-.-
You'd probably need only a hundred or so, assuming you're planning on bruting it longterm. Failed logon locks only last fifteen minutes, maybe more.
Lenny is correct: storing the random combinations in a file would be dumb. The dictionary that I talk of is actual phonetic words (in various languages, leet-speakness, etc.).
Bruteforcing it if it's MD5, if it's a decent password, can still take a long time. A combination of 7 keyboard characters can take up to 15 days to guess. 8 would take longer than you'd be willing to wait.
That's also assuming they use the same password for forums and Battle.net. I know I don't, I use a separate password for important things, and for things that somebody I don't trust has access to my password. Plus, if you're cool like me, your bot will automatically cycle your password :-)
Quote from: Lenny on May 15, 2005, 12:30 AM
I really don't think it's necessary to store all the combinations into a file just to try each one. I'm sure the computer is well capable of generating them on the fly.
Indeed. I once wrote an FTP brute forcer that generated passwords in order on-the-fly. It would save the current password that it's trying to disk, so that you could actually stop, reboot, and then resume where you left off. Useful for if you don't have a server to run it on and your computer crashes a lot (or you decide to reboot every time your installs or games don't work right).
It actually got me into two different FTP sites, after about three months running on my server trying about 2.5 passwords/sec.
Did nobody notice the link to a DLL that generates random passwords on the fly?
Quote from: tA-Kane on May 15, 2005, 04:26 AM
Quote from: Lenny on May 15, 2005, 12:30 AM
I really don't think it's necessary to store all the combinations into a file just to try each one. I'm sure the computer is well capable of generating them on the fly.
Indeed. I once wrote an FTP brute forcer that generated passwords in order on-the-fly. It would save the current password that it's trying to disk, so that you could actually stop, reboot, and then resume where you left off. Useful for if you don't have a server to run it on and your computer crashes a lot (or you decide to reboot every time your installs or games don't work right).
It actually got me into two different FTP sites, after about three months running on my server trying about 2.5 passwords/sec.
Writing to disk would slow it down a lot. L0phtcrack (LC4) can save the progress when you tell it. I really like LC4, I use it to crack the admin password on my computer at work. It's 14 characters, but luckily Windows splits it up into two 7-character buffers. What that means is that on Windows, there's no reason to make your passwords longer than 7 characters unless you know how to disable that style of password storage.
Quote from: Networks on May 15, 2005, 01:51 AM
Much easier method:
Tell them to register for your forum or w/e, anything that uses md5 or even plain-text!
If md5, break it in a couple hours max. Battle.net brute forcing is way too tedious.
If you visit Battle.net's website, specifically to their forums, you can logon to your Battle.net account through their website with your current Username/Password. You can select between all of their realms. You must also provide a cdkey. Bruting through their website would be MUCH more efficient, for numerous obvious reasons.
1. Doesn't require a Battle.net connection, thus no Proxies, and no IPban.
2. You can use CDKeys that are in use on Battle.net
3. The user does not see any Failed Login attempts, thus is unaware of your attack.
It is also extremely easy to make a bruter using simple PHP arguments.
To save you some time, at the top right hand corner there is the box where you can login.
http://www.battle.net/forums/board.aspx?ForumName=battlenet-status
Genius.
Quote
1. Doesn't require a Battle.net connection, thus no Proxies, and no IPban.
The webserver will deny you the ability to login after a very small number of failed attempts.
Even so it would be far easier to do it via HTTP.
Quote from: I_Smell_Tuna on May 15, 2005, 08:04 PM
Even so it would be far easier to do it via HTTP.
Actually, the forum requires that you hash both the password and the CD-Key before sending them, and in addition to that, you'd have to sort through the returned data for the result of the login, so it would actually be much slower than using the Telnet protocol, not mentioning that it would most likely also result in your CD-Key being banned.
Quote from: I_Smell_Tuna on May 15, 2005, 08:04 PM
Even so it would be far easier to do it via HTTP.
Maybe if his password was 'a'.
Quote from: LoRd[nK] on May 15, 2005, 07:38 PM
Quote
1. Doesn't require a Battle.net connection, thus no Proxies, and no IPban.
The webserver will deny you the ability to login after a very small number of failed attempts.
Ok, but HTTP proxies are a hell of a lot easier to find than proxies that will work on Battle.net.
The 26mb wordlist comes with Knoppix-STD.
Auditor comes with a 13-mb English list, as well as lists for every other language including joke languages (like Yiddish), movie names, zipcodes, people's names, etc. Auditor also has a pretty exhaustive list of default passwords on networking gear (routers, etc.) which is pretty handy.
Actually it isn't that much of a genius idea. Killer~Rival thought of the exact same thing over a year ago. Of course he didn't know how he would do any of the brute forcing. He just thought that it would be simple to continuously attempt to login to an account through the website, considering you won't become ipbanned.
Quote from: I_Smell_Tuna on May 15, 2005, 07:27 PM
Genius.
Are you sure Battle.net's webserver actually denies your request to login after a certain amount of tries?
Quote from: Yegg on May 16, 2005, 09:52 PM
Actually it isn't that much of a genius idea. Killer~Rival thought of the exact same thing over a year ago. Of course he didn't know how he would do any of the brute forcing. He just thought that it would be simple to continuously attempt to login to an account through the website, considering you won't become ipbanned.
Quote from: I_Smell_Tuna on May 15, 2005, 07:27 PM
Genius.
Are you sure Battle.net's webserver actually denies your request to login after a certain amount of tries?
A properly configured server of any kind should deny access after a pre-determined amount of failures.
lol, that's a big leap. Just because it's a good idea doesn't mean people will do it.
Quote from: Arta[vL] on May 17, 2005, 10:11 AM
lol, that's a big leap. Just because it's a good idea doesn't mean people will do it.
I stated what should be an obvious answer; I am not trying to make any big leaps.
Just because people might not do it, I should not state a good idea?
After testing it seems that Tuberload is indeed correct (try putting in bogus info for a few logins then try a real login, no go.)
Also: Attempting to create an account and it exists, or invalid password: 10 times will result in not being able to log onto a valid password account. It seems it disables the cdkey for a while. I swapped CDKEYS and it worked fine. Interesting. :P
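The lockout behaviour discussed in this thread (a temporary block after repeated failures, which Ban's test suggests is applied per CD-key) can be sketched from the server's side as below. This is an added example, not part of the original thread and not Battle.net's code; the class name, the sample identifiers and the choice to count over a 15-minute window are assumptions, with the 10-failure and 15-minute figures borrowed from the posts.

```python
from collections import defaultdict, deque

MAX_FAILURES = 10         # assumption: the count Ban reports ("10 times")
LOCK_SECONDS = 15 * 60    # assumption: the fifteen minutes mentioned earlier
WINDOW_SECONDS = 15 * 60  # assumption: failures are counted over the same span


class LoginThrottle:
    """Hypothetical server-side limiter: counts failures per identifier."""

    def __init__(self):
        self.failures = defaultdict(deque)  # identifier -> failure times
        self.locked_until = {}              # identifier -> unlock time

    def attempt(self, account, cdkey, ip, password_ok, now):
        """Return 'ok', 'denied' (bad credentials) or 'locked'."""
        idents = [("account", account), ("cdkey", cdkey), ("ip", ip)]
        # Refuse before looking at the password, so a locked-out client
        # learns nothing about whether its guess was right.
        if any(self.locked_until.get(i, 0) > now for i in idents):
            return "locked"
        if password_ok:
            return "ok"
        for ident in idents:
            times = self.failures[ident]
            times.append(now)
            while times[0] <= now - WINDOW_SECONDS:  # drop stale failures
                times.popleft()
            if len(times) >= MAX_FAILURES:
                self.locked_until[ident] = now + LOCK_SECONDS
                times.clear()
        return "denied"


def demo():
    """Constructed events; names, keys and addresses are made up."""
    t, out = LoginThrottle(), []
    for second in range(10):  # ten wrong guesses from one key and address
        out.append(t.attempt("alice", "KEY-A", "198.51.100.7", False, second))
    # Right password, same key: refused while the lock is active.
    out.append(t.attempt("alice", "KEY-A", "198.51.100.7", True, 20))
    # Swapped key and address: still refused, the account itself is locked.
    out.append(t.attempt("alice", "KEY-B", "198.51.100.8", True, 21))
    # A different account, key and address is unaffected.
    out.append(t.attempt("bob", "KEY-C", "198.51.100.9", True, 22))
    # Once the lock has expired the owner can log in again.
    out.append(t.attempt("alice", "KEY-A", "198.51.100.7", True, 9 + LOCK_SECONDS))
    return out
```

Locking on the account as well as the key is what makes a key swap like the one Ban describes ineffective, at the cost that anyone can lock the owner out for the duration.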
Quote from: Ban on May 17, 2005, 02:59 PM
After testing it seems that Tuberload is indeed correct (try putting in bogus info for a few logins then try a real login, no go.)
*LoRd[nK]
Quote from: LoRd[nK] on May 17, 2005, 03:23 PM
Quote from: Ban on May 17, 2005, 02:59 PM
After testing it seems that Tuberload is indeed correct (try putting in bogus info for a few logins then try a real login, no go.)
*LoRd[nK]
*Joe[x86]
no
Quote from: Tuberload on May 16, 2005, 10:06 PM
Quote from: Yegg on May 16, 2005, 09:52 PM
Actually it isn't that much of a genius idea. Killer~Rival thought of the exact same thing over a year ago. Of course he didn't know how he would do any of the brute forcing. He just thought that it would be simple to continuously attempt to login to an account through the website, considering you won't become ipbanned.
Quote from: I_Smell_Tuna on May 15, 2005, 07:27 PM
Genius.
Are you sure Battle.net's webserver actually denies your request to login after a certain amount of tries?
A properly configured server of any kind should deny access after a pre-determined amount of failures.
Quote
*Lord[nK]
I said Tuberload!