https://www.cirt.net/passwords https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv https://github.com/scadastrangelove/SCADAPASS/blob/master/scadapass.csv https://academy.hackthebox.com/storage/modules/80/scripts/basic_bruteforce_py.txt https://academy.hackthebox.com/storage/modules/80/scripts/rate_limit_check_py.txt
Brute Force script basic_bruteforce_py
Read the source
rate_limit_check.py
Update header X-Forwarded-For: 127.0.0.1
https://github.com/danielmiessler/SecLists/tree/master/Usernames
wfuzz -c -z file,/opt/useful/SecLists/Usernames/top-usernames-shortlist.txt -d "Username=FUZZ&Password=dummypass" --hs "Unknown username" http://test.test.test/user_unknown.php
https://academy.hackthebox.com/storage/modules/80/scripts/timing_py.txt
timing.py Depending on application's code, the valid response could take longer than invalid response. Use the above code to verify.
python3 timing.py /opt/useful/SecLists/Usernames/top-usernames-shortlist.txt
Python algorithm to test scrypt, bcrypt or PBKDF
import scrypt
import bcrypt
import datetime
import hashlib
rounds = 100
salt = bcrypt.gensalt()
t0 = datetime.datetime.now()
for x in range(rounds):
scrypt.hash(str(x).encode(), salt)
t1 = datetime.datetime.now()
for x in range(rounds):
hashlib.sha1(str(x).encode())
t2 = datetime.datetime.now()
for x in range(rounds):
bcrypt.hashpw(str(x).encode(), salt)
t3 = datetime.datetime.now()
print("sha1: {}\nscrypt: {}\nbcrypt: {}".format(t2-t1,t1-t0,t3-t2))Sometimes applications message could reveal wheather username is valid or not.
The registration will reveal whether the username is exist or not.
Caveat: Loud