[Dyme]

Why is everyone obsessed with threading? That's not the right way to solve a concurrency problem when only networking is involved.

Honestly, just implement asynchronous socket handling.

May not be the right way, but it's what I learned and what I've used in the past. Sorry, obi-wan.

[warstrike]

I see a white hat and I want to paint it black...
They tried to kill our scene but we just stood and laughed...

I see the white hats giving talks and talking shit....
Every time I hear them talk it makes me want to spit....

This world has grown too big it's time to cut the slack....
We took a break to hack your shit but now we're back....

I see them tellin' everyone they're so sercure....
What they don't tell you is that we've owned them all before....

I look inside myself and see my heart is black....
I see that white hat only now it's painted black....

Maybe now you'll fade away and finally face the facts....
It's not easy fessin up when your whole world is black....

No more can we sit by and watch this happen here....
It's time to let you know that judgement day is near....

I see a white hat and I want to paint it black...
No whites or greys no more i want them to turn black....

I look inside myself and see my heart is black....
I see that white hat only now it's painted black....

I wanna see it painted, painted black
Black as night, black as coal
I wanna see the sun blotted out from the sky
I wanna see it painted, painted, painted, painted black

[blackhatcat]

[zf0 31337 h4x]

whitehats 'hack' for money and fame,
not for the love of the game.
They are traitors, so they got some haters.
If you claim to be a hacker,
then be ready to hack to be a hacker,
and not a whitehat cracker. Hackin's bout breaking into systems,
keeping shit on the low down,
not receiving a whitehat crown.
Hackin' ain't bout helpin',
nor is it about fame,
it's just that simple and plain.
If you see whitehat scum,
show him pr0j3kt m4yh3m,
he'll run to his mum.
Sooner or later,
he'll get fucked in his bum.
Just understand,
I'm just here to reprimand.
The blackhats need to take back the scene,
rm the whitehats,
it's not that mean.
Whitehats are full of shit,
so sooner or later they gonna get hit,
have a goddamn fit.
Ain't no such thing as ethical hackin', car hijackin', or any of the that.
Blackhats won't stand by holding their clutch.
If you think hackin's ethical, well let me remind you,
there ain't anything of the such.

[Mom]

I won't pretend to have this massive knowledge in the matter, but aren't bruteforcers in general growing obsolete? Most sites do have preventive measures against bruteforcing, and I've yet to find one able to get into something that isn't MySpace.
Except for an Asian kid I know..


The worst part is that I'm not kidding.

[blackhatcat]

I won't pretend to have this massive knowledge in the matter, but aren't bruteforcers in general growing obsolete? Most sites do have preventive measures against bruteforcing, and I've yet to find one able to get into something that isn't MySpace.
Except for an Asian kid I know..


The worst part is that I'm not kidding.

Targeted bruteforce probably is, but these SSH bruteforcers generally do massive IP ranges at once or even the whole IPv4 address space which pretty much guarantees you getting into something. A lot of them will be honeypots and some even legit boxes but if you manage to get into one then know that someone has probably already been there, people have the bruters running 24/7.

I wrote an sshd patch out of curiosity to log passwords from failed auths and I got results almost instantly. There are the usual root:root, root:toor attempts but some of these actually gather passwords from the owned box and use that in their wordlist.

Another fun thing to do is reverse SSH cracking which is using the same login they tried on you against their box, this actually works because they use owned boxes to do this from and most of the time don't change the password or change it to something really dumb.

I probably went way too in depth with this but I hope you found it useful regardless.
But yes, bruteforcing on websites is usually really pointless and most of them will have safety measures in place to lock you out after x amount of failed tries.

[redN00ws]

I won't pretend to have this massive knowledge in the matter, but aren't bruteforcers in general growing obsolete? Most sites do have preventive measures against bruteforcing, and I've yet to find one able to get into something that isn't MySpace.

It's true what you are saying but I regularly use brute forcers against my clients. It often shows that older companies, who grew through the years, are still working on older pc's and older in-company servers with security of the beginning of this millennium or even older.

Last week I was in a building construction company with about 30 employees and no real IT professionals. I immediately saw an old computer with Windows XP on it. They told me they have a server running that mostly handles their e-mails.
This kind of company is a good one to test a brute forcer on... It's always an eye opener when you can say that you were able to triy X-thousends of password combinations and got in...

Of course... unless the client wants it... I don't start a penetration test with a brute forcer.

By the way... I often have to perform a security audit. Most of the time I use scans like Nessus or OpenVAS. Very, very often I can perform such a scan without being blocked. That says a lot about their security.

[darkcast]

Hi everybody,

The past 2 days I've been busy creating a python SSH Brute Force testing tool and I need some experienced Linux users to test it.

Self I'm to limited with machines I'm allowed to test on. I hope to find some 'White Hat' testers over here who have more target machines they can use.

Below I'll copy the introduction text from bitbucket. If you read it and don't know what the hell it all means, don't go any further. Don't start testing it.

Code:

************************************************
||           CLEVERIDGE SSH SCANNER           ||
************************************************
||  IMPORTANT:                                ||
||  This tool is for ethical testing purpose  ||
||  only.                                     ||
||  Cleveridge and its owners can't be held   ||
||  responsible for misuse by users.          ||
||  Users have to act as permitted by local   ||
||  law rules.                                ||
************************************************
||     Cleveridge - Ethical Hacking Lab       ||
||               cleveridge.org               ||
************************************************

What is the Cleveridge SSH Scanner
**********************************
The Cleveridge SSH Scanner is a SSH Brute Force tool written in python.
The tool tries to get access to machines (IPv4) on the SSH port (22).
When the machines is accesable on port 22, the tool brute forces the ssh login with the most common default user names and passwords.

The tool offers you the options to attack
- one IP
- a range of IP's (e.g. 192.168.0.1-25)
- IP's listed in a file

!!! The tool works only in combination with Tor, Proxychains and Python !!!

Tested
******
At this moment the Cleveridge SSH Scanner is only tested in a Linux Kali environment with Python 2.7, Proxychains (http://proxychains.sourceforge.net/) and Tor (https://www.torproject.org/) installed.

How to use in Linux
*******************
1. Be sure you have tor and proxychains installed.
if you have problems installing these programs there is enough documentation available online.

2. Edit your proxychains configuration file:
Most of the time you will find this file at /etc/proxychains.conf
What to change...
1st : uncomment 'dynamic_chain' (remove the # in front of it)
2nd : comment 'strict_chain' and 'ramdom chain' (add a # in front of it)
3th : Below [ProxyList], add your Tor Listener settings, this could be
      socks4 127.0.0.1 9050
More info : http://www.shellhacks.com/en/Anonymous-Port-Scanning-Nmap-Tor-ProxyChains

3. Download the Cleveridge SSH Scanner files into a directory of your choise and chmod it so you are allowed to execute it.

4. Edit the 'cl_ssh_scan.py' file. On +/- line 27 change my_ip into your own real IP.

5. In Terminal, go to the Cleveridge SSH Scanner directory and execute:
   proxychains ./cl_ssh_scan.py

You can find the files on github : https://github.com/Cleveridge/cleveridge-ssh-scanner/

Looks awesome.

[redN00ws]

Looks awesome.

Thanks, Darkcast

[Dismas]

@"phyrrus9" @"Reiko" @"roger_smith"

Why do I get the feeling this was used on our server?

Spoiler:

Joking, of course.

[phyrrus9]

@"phyrrus9" @"Reiko" @"roger_smith"

Why do I get the feeling this was used on our server?

Spoiler:

Joking, of course.

Something of a similar design may have been used, but it looks like what was used was a little more complex. So many requests in a little time with a lot of variation indicate either threading or multi machine.