Brute Force

[iago]

I really don't think it's necessary to store all the combinations into a file just to try each one.  I'm sure the computer is well capable of generating them on the fly.

Indeed. I once wrote an FTP brute forcer that generated passwords in order on-the-fly. It would save the current password that it's trying to disk, so that you could actually stop, reboot, and then resume where you left off. Useful for if you don't have a server to run it on and your computer crashes a lot (or you decide to reboot every time your installs or games don't work right).

It actually got me into two different FTP sites, after about three months running on my server trying about 2.5 passwords/sec.

Writing to disk would slow it down a lot.  L0phtcrack (LC4) can save the progress when you tell it.  I really like LC4, I use it to crack the admin password on my computer at work.  It's 14 characters, but lucky Windows splits it up into two 7-character buffers.  What that means is that on Windows, there's no reason to make your passwords longer than 7 characters unless you know how to disable that style of password storage.

[spear]

Much easier method:

Tell them to register for you forum or w/e, anything that uses md5 or even plain-text!

if md5, break it in a couple hours max. Battle.net brute forcing is way to tedious.

If you visit Battle.net's website, specifically to their forums, you can logon to your Battle.net account through their website with your current Username/Password. You can select between all of their realms. You must also provide a cdkey. Bruting through their website would be MUCH more efficient, for numerous obvious reasons.

1. Doesn't require a Battle.net connection, thus no Proxies, and no IPban.
2. You can use CDKey's that are in use on Battle.net
3. The user does not see any Failed Login attempts, thus is unaware of your attack.

It is also extreamly easy to make a bruter using simple PHP arguments.

To save you some time, at the top right hand courner there is the box where you can login.
http://www.battle.net/forums/board.aspx?ForumName=battlenet-status

[I_Smell_Tuna]

Genius.

[Eric]

1. Doesn't require a Battle.net connection, thus no Proxies, and no IPban.

The webserver will deny you the ability to login after a very small number of failed attempts.

[I_Smell_Tuna]

Even so it would be far easier to do it via HTTP.

[Eric]

Even so it would be far easier to do it via HTTP.

Actually, the forum requires that you hash both the password and the CD-Key before sending them, and in addition to that, you'd have to sort through the returned data for the result of the login, so it would actually be much slower than using the Telnet protocol, not mentioning that it would most likely also result in your CD-Key being banned.

[hismajesty]

Even so it would be far easier to do it via HTTP.

Maybe if his password was 'a'.

[spear]

1. Doesn't require a Battle.net connection, thus no Proxies, and no IPban.

The webserver will deny you the ability to login after a very small number of failed attempts.

Ok, but HTTP proxies are a hell of a lot eaiser to find than proxies that will work on Battle.net.

[iago]

The 26mb wordlist comes with Knoppix-STD.

Auditor comes with a 13-mb English list, as well as lists for every other language including joke languages (like Yiddish), movie names, zipcodes, people's names, etc.  Auditor also has a pretty exhaustive list of default passwords on networking gear (routers, etc.) which is pretty handy.

[Yegg]

Actually it isn't that much of a genius idea. Killer~Rival thought of the exact same thing over a year ago. of course he didn't know how he would do any of the brute forcing. He just thought that it would be simple to continuously attempt to login to an account through the website, considering you won't become ipbanned.

Genius.

Are you sure Battle.net's webserver actually denies your request to login after a certain amount of tries?

[Tuberload]

Actually it isn't that much of a genius idea. Killer~Rival thought of the exact same thing over a year ago. of course he didn't know how he would do any of the brute forcing. He just thought that it would be simple to continuously attempt to login to an account through the website, considering you won't become ipbanned.

Genius.

Are you sure Battle.net's webserver actually denies your request to login after a certain amount of tries?

A properly configured server of any kind should denial access after a pre-determined amount of failures.

[Arta]

lol, that's a big leap. Just because it's a good idea doesn't mean people will do it.

[Tuberload]

lol, that's a big leap. Just because it's a good idea doesn't mean people will do it.

I stated what should be an obvious answer; I am not trying to make any big leaps.

Just because people might not do it, I should not state a good idea?

[Ban]

After testing it seems that Tuberload is indeed correct (try putting in bogus info for a few logins then try a real login, no go.)

[QwertyMonster]

Also: Attempting to create an account and it exists, or invalid password : 10 times will result in not able to log onto a valid password account. It seems it disables the cdkey for a while. I swapped CDKEYS and it worked fine. Interesting.