Old 06-18-2014, 01:20 PM   #1
RummyBoy
Confirmed User
 
Join Date: Dec 2009
Posts: 2,157
How Many Brute Force Attacks On Your Server?

http://en.wikipedia.org/wiki/Brute-force_attack

I've read this through 100 times and it says the same thing.... A brute force attack is basically about "trying to guess someone's password".

If the server had anything of value it would have been well passworded and secure. So what is the point of even trying? Success rate must be one in a billion.

How many brute force attacks do you face per day on average and what kind?
Old 06-18-2014, 01:25 PM   #2
Ran Ohm
So Fucking Banned
 
Industry Role:
Join Date: Jun 2014
Posts: 66
Do you mean trying to brute force the password of a site on a server?

They use software that can run through millions of password and username combos in seconds or literally try various combinations of letters until they get the right one.
Old 06-18-2014, 10:47 PM   #3
RummyBoy
Confirmed User
 
Join Date: Dec 2009
Posts: 2,157
OK let's say:

Username: Antwerp (6 characters)

Password: x6NgPtRW4ua2 (12 characters)


Roughly how long to crack it, considering:

(1) You have to know both.
(2) You may only have 5 attempts per hour (assuming IP block and Account block kick in).
(3) Password may change before you find the solution.
(4) There's a good chance if over zealous, your IP is permanently blocked.
Old 06-18-2014, 10:53 PM   #4
srockhard
Retired
 
Industry Role:
Join Date: Jul 2011
Location: PDXXX
Posts: 1,976
Quote:
Originally Posted by RummyBoy View Post
Success rate must be one in a billion.
Yeah those are pretty good odds when key gen is running GHz
__________________
Piper Pines
Old 06-18-2014, 11:09 PM   #5
RummyBoy
Confirmed User
 
Join Date: Dec 2009
Posts: 2,157
Quote:
Originally Posted by srockhard View Post
Yeah those are pretty good odds when key gen is running GHz
How is it good odds?

1 billion = 1,000,000,000

1,000,000,000 / 5 = 200,000,000 Hours

200,000,000 / 24 = 8,333,333 Days

8,333,333 / 365 = 22,831 Years

It could take up to 22,831 Years to find the correct solution.
The average human lives for up to 100 years maximum.

So the odds are not good unless I am missing something.
Old 06-18-2014, 11:10 PM   #6
lezinterracial
Confirmed User
 
Industry Role:
Join Date: Jul 2012
Posts: 3,080
Quote:
Originally Posted by RummyBoy View Post
OK let's say:

Username: Antwerp (6 characters)

Password: x6NgPtRW4ua2 (12 characters)


Roughly how long to crack it, considering:

(1) You have to know both.
(2) You may only have 5 attempts per hour (assuming IP block and Account block kick in).
(3) Password may change before you find the solution.
(4) There's a good chance if over zealous, your IP is permanently blocked.
Correct me if I am wrong on any of the below.

I don't know much about this stuff. But I think instead of brute force, most probably use a dictionary attack (maybe that is a type of brute force, I don't know). Where the program uses a list of common passwords, usually a file of cracked passwords from something like rockyou. RockYou had a huge list of 32 million passwords that is now used to crack other sites.

I have played with OclHashcat plus. But you would need to have gotten the password hash offline somehow. Something like "x6NgPtRW4ua2" would take a long time. Depends on how many graphics cards you got running.

Many people try to use masks in OclHashCat Plus. Like before trying to brute force all possible passwords. They try all lower case five place ?l?l?l?l?l. Then all lower case 6 places. Then maybe an Upper Case followed by 4 lower case. And so on.
__________________
Live Sex Shows

Last edited by lezinterracial; 06-18-2014 at 11:12 PM..
Old 06-18-2014, 11:27 PM   #7
lezinterracial
Confirmed User
 
Industry Role:
Join Date: Jul 2012
Posts: 3,080
Here ya go. For just the password.
http://calc.opensecurityresearch.com/
Old 06-18-2014, 11:41 PM   #8
srockhard
Retired
 
Industry Role:
Join Date: Jul 2011
Location: PDXXX
Posts: 1,976
Quote:
Originally Posted by RummyBoy View Post
How is it good odds?

1 billion = 1,000,000,000

1,000,000,000 / 5 = 200,000,000 Hours

200,000,000 / 24 = 8,333,333 Days

8,333,333 / 365 = 22,831 Years

It could take up to 22,831 Years to find the correct solution.
The average human lives for up to 100 years maximum.

So the odds are not good unless I am missing something.
Yeah you are missing it by a long shot. Not sure why you are dividing GHz by 5? And who knows how many machines are attacking? Passwords as we know them are fucking pointless.
Old 06-18-2014, 11:41 PM   #9
Markul
Likes Pie
 
Industry Role:
Join Date: Dec 2007
Location: The land that liberated porn
Posts: 12,401
Quote:
Originally Posted by lezinterracial View Post
Here ya go. For just the password.
http://calc.opensecurityresearch.com/
Yup, assuming nothing kicks in.

Notice the difference in time for a 6 char password versus a 12 char password. One is:
38 minutes 12 seconds

the other is:
1610348 years 65 days 23 hours 45 minutes and 21 seconds

Old 06-18-2014, 11:43 PM   #10
srockhard
Retired
 
Industry Role:
Join Date: Jul 2011
Location: PDXXX
Posts: 1,976
As the tech gets faster the password gets longer ...LOL ;) at this rate you'll need 1000 char pass by 2025!
Old 06-18-2014, 11:45 PM   #11
klinton
So Fucking Banned
 
Industry Role:
Join Date: Apr 2003
Location: online
Posts: 8,766
Quote:
Originally Posted by Markul View Post
Notice the difference in time for a 6 char password versus a 12 char password. One is:
38 minutes 12 seconds

the other is:
1610348 years 65 days 23 hours 45 minutes and 21 seconds

but but but... you told that encryption doesn't work !
Old 06-18-2014, 11:53 PM   #12
Markul
Likes Pie
 
Industry Role:
Join Date: Dec 2007
Location: The land that liberated porn
Posts: 12,401
Quote:
Originally Posted by klinton View Post
but but but... you told that encryption doesn't work !
No I said that if you think you can hide from intelligence agencies with encryption, you might want to reconsider ;)
Old 06-18-2014, 11:53 PM   #13
lezinterracial
Confirmed User
 
Industry Role:
Join Date: Jul 2012
Posts: 3,080
Quote:
Originally Posted by srockhard View Post
As the tech gets faster the password gets longer ...LOL ;) at this rate you'll need 1000 char pass by 2025!
Yea, If all virtual currencies we have are deemed useless. What are people gonna use all that processing for?

The bad thing about wireless is the password just flies through the air, Waiting to be picked up.

Last edited by lezinterracial; 06-18-2014 at 11:54 PM..
Old 06-19-2014, 12:19 AM   #14
klinton
So Fucking Banned
 
Industry Role:
Join Date: Apr 2003
Location: online
Posts: 8,766
Quote:
Originally Posted by Markul View Post
No I said that if you think you can hide from intelligence agencies with encryption, you might want to reconsider ;)
if you are a specific target, it will be very hard... if you are a normal user (among other millions of users who use encryption) - you are free to go and it works
Old 06-19-2014, 03:37 AM   #15
RummyBoy
Confirmed User
 
Join Date: Dec 2009
Posts: 2,157
How many of you have been a victim of government surveillance? I guess not.

Even if you are a specific target, encryption works if you are talking about man in the middle, it is very difficult to defeat good encryption. Snowden himself has said the same thing, except that he did stress that intelligence agencies (NSA & GCHQ) are making major inroads into cracking encryption.

On the whole, however, it still works and it still protects your privacy so go ahead and use it if you wish to.

Last edited by RummyBoy; 06-19-2014 at 03:39 AM..
Old 06-19-2014, 03:41 AM   #16
RummyBoy
Confirmed User
 
Join Date: Dec 2009
Posts: 2,157
Quote:
Originally Posted by srockhard View Post
Yeah you are missing it by a long shot. Not sure why you are dividing GHz by 5? And who knows how many machines are attacking? Passwords as we know them are fucking pointless.
I'm assuming it's one machine, but sure, if it's more then it's a different issue.

Dividing by 5 due to my assumption above that only 5 attempts can be made before the login is locked and the IP is banned for at least one hour. So therefore 5 attempts per hour. Anyway, it wasn't scientific, it's just a rough idea of how many calculations need to be done and how time consuming it will be if those kind of restraints exist.
Old 06-19-2014, 03:44 AM   #17
bigwebenterprises
So Fucking Banned
 
Join Date: Feb 2007
Posts: 131
Any good hacker will pull your /etc/shadow file through your webserver and then use rainbow tables.
Old 06-19-2014, 04:03 AM   #18
lucas131
¯\_(ツ)_/¯
 
Industry Role:
Join Date: Aug 2004
Posts: 11,475
Depends. In the past bruteforce was good for admins and other highly targeted accounts, but now, when everyone is warned about how easy it is to bruteforce a password, everyone who needs to secure data is choosing hard-to-bruteforce passwords, so bruteforce is now just wasting the bandwidth of your hosting. Most of the hacks are done by real hackers and programmers and security gurus, not by kids, so nothing to worry about. Another thing is bruteforce/combo bruteforce of paid users, not that hard, as paid users don't care about your content. Have luck and stay safe.
Old 06-19-2014, 07:31 AM   #19
freecartoonporn
Confirmed User
 
Industry Role:
Join Date: Jan 2012
Location: NC
Posts: 7,683
There are 2 types of hackers: ones with specific targets and others without any targets.
Old 06-19-2014, 07:51 AM   #20
rowan
Too lazy to set a custom title
 
Join Date: Mar 2002
Location: Australia
Posts: 17,393
Quote:
Originally Posted by RummyBoy View Post
OK let's say:

Username: Antwerp (6 characters)

Password: x6NgPtRW4ua2 (12 characters)


Roughly how long to crack it, considering:

(1) You have to know both.
(2) You may only have 5 attempts per hour (assuming IP block and Account block kick in).
(3) Password may change before you find the solution.
(4) There's a good chance if over zealous, your IP is permanently blocked.
The article in your OP is about decrypting an encrypted password, by brute forcing multiple combinations, trying to arrive at the same result as the encrypted password.

The encrypted password is obtained by some other means, so all brute forcing happens locally. It's not the same as brute force login attempts to a remote server.
Old 06-19-2014, 09:07 AM   #21
ladida
Confirmed User
 
Join Date: Nov 2005
Posts: 2,167
You lack basic understanding to understand how it works. Let people that are trained in security do that for you.
__________________
agentGFY *at* gmail.com
Old 06-22-2014, 09:16 AM   #22
RummyBoy
Confirmed User
 
Join Date: Dec 2009
Posts: 2,157
Quote:
Originally Posted by ladida View Post
You lack basic understanding to understand how it works. Let people that are trained in security do that for you.
So you say I should quit trying to understand and learn about it? If I took that approach, I'd be nowhere and broke......

The point I am making is that most of these attempts are a waste of effort and it's only a script kiddie who should be dumb enough to imagine that he's going to get anywhere.

Last edited by RummyBoy; 06-22-2014 at 09:23 AM..
Old 06-22-2014, 09:30 AM   #23
Best-In-BC
Confirmed User
 
Join Date: Jun 2002
Posts: 9,506
Christians, lol
__________________
Vacares - Web Hosting, Domains, O365, Security & More
Unparked domains burning a hole in your pocket? 5 Simple Ways to Make Easy $$$ from Unused Domains
Old 06-22-2014, 09:30 AM   #24
blackmonsters
Making PHP work
 
Industry Role:
Join Date: Nov 2002
Location: 🌎🌅🌈🌇
Posts: 20,589
Quote:
Originally Posted by lezinterracial View Post
Correct me if I am wrong on any of the below.

I don't know much about this stuff. But I think instead of brute force, most probably use a dictionary attack (maybe that is a type of brute force, I don't know). Where the program uses a list of common passwords, usually a file of cracked passwords from something like rockyou. RockYou had a huge list of 32 million passwords that is now used to crack other sites.

I have played with OclHashcat plus. But you would need to have gotten the password hash offline somehow. Something like "x6NgPtRW4ua2" would take a long time. Depends on how many graphics cards you got running.

Many people try to use masks in OclHashCat Plus. Like before trying to brute force all possible passwords. They try all lower case five place ?l?l?l?l?l. Then all lower case 6 places. Then maybe an Upper Case followed by 4 lower case. And so on.
Yeah, I'm pretty sure any good hacker is going to do it the way you say.

The first sign of brute force is probably someone trying to login with : admin/imgod

Old 06-22-2014, 10:43 AM   #25
CurrentlySober
Too lazy to wipe my ass
 
Industry Role:
Join Date: Aug 2002
Location: A Public Bathroom
Posts: 38,646
i kunt a4d a server...
__________________


👁️ 👍️ 💩
Old 06-22-2014, 10:51 AM   #26
brassmonkey
Pay It Forward
 
Industry Role:
Join Date: Sep 2005
Location: Yo Mama House
Posts: 77,238
/dydytdy36447/admin.php
__________________
TRUMP 2025 KEKAW!!! - The Laken Riley Act Is Law!
DACA ENDED - SUPPORT AZ HCR 2060 52R - email: brassballz-at-techie.com
Old 06-22-2014, 11:16 AM   #27
ianmoone332000
Confirmed User
 
Industry Role:
Join Date: Jun 2014
Location: Scotland
Posts: 1,706
I used to be into hacking before I got into all this. They just use a bruteforce tool called sentry. Load it up with thousands and thousands of proxies plus thousands of logins (combos). If your sites have really good security it doesn't really matter. They just extract the logins from similar sites whose security is not so good and run them against your site. People are too lazy to use different passwords etc. on each site and this is what bruteforcers prey on. Works 90% of the time. You wanna avoid it, then generate people a login when they sign up and don't let them pick their own.
Old 06-22-2014, 11:28 AM   #28
Naughty-Pages
Confirmed User
 
Industry Role:
Join Date: Oct 2006
Location: SWFL
Posts: 4,533
Quote:
Originally Posted by RummyBoy View Post
O
(2) You may only have 5 attempts per hour (assuming IP block and Account block kick in).
(4) There's a good chance if over zealous, your IP is permanently blocked.
When you brute force you use a list of proxy servers.. with a good enough list you can throw countless combinations per minute at your target. If you do it right and set it to rotate the IPs correctly, you can go forever.

It's pretty easy to bruteforce, especially with the free software out there to do it. Even programs that use OCR to read captchas, perform form logins, etc..

It's relatively easy to get passwords to several servers and a few dozen members areas on top of that in just an hour or so.
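An added example, not part of any post in this thread: the replies above say that rotating proxies keeps every source address under a per-IP limit, so this sketch also counts failures per account across all sources. The log format, the thresholds and the addresses (documentation ranges) are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"
WINDOW = timedelta(hours=1)
PER_IP_LIMIT = 5        # the thread's assumption: 5 attempts per hour per IP
PER_ACCOUNT_LIMIT = 10  # assumed: failures on one account within the window
MIN_SOURCES = 5         # assumed: distinct IPs that make it look distributed


def parse(line):
    """Parse '<timestamp> <OK|FAIL> user=<name> ip=<addr>' (constructed format)."""
    ts, result, user, ip = line.split()
    return (datetime.strptime(ts, FMT), result,
            user.split("=", 1)[1], ip.split("=", 1)[1])


def analyze(lines):
    """Return (IPs over the per-IP limit, {account: distinct source IPs})."""
    by_ip = defaultdict(deque)    # ip -> timestamps of failures in the window
    by_user = defaultdict(deque)  # user -> (timestamp, ip) of failures in the window
    noisy_ips, targeted = set(), {}
    for line in lines:            # lines are assumed to be in time order
        ts, result, user, ip = parse(line)
        if result != "FAIL":
            continue
        hits = by_ip[ip]
        hits.append(ts)
        while ts - hits[0] > WINDOW:
            hits.popleft()
        if len(hits) > PER_IP_LIMIT:
            noisy_ips.add(ip)
        fails = by_user[user]
        fails.append((ts, ip))
        while ts - fails[0][0] > WINDOW:
            fails.popleft()
        sources = {src for _, src in fails}
        if len(fails) >= PER_ACCOUNT_LIMIT and len(sources) >= MIN_SOURCES:
            targeted[user] = max(targeted.get(user, 0), len(sources))
    return noisy_ips, targeted


def sample_log():
    """Constructed log lines (documentation address ranges), not real traffic."""
    t0 = datetime(2014, 6, 22, 11, 0, 0)
    events = []
    for i in range(12):   # one account, twelve proxies, one guess each
        events.append((t0 + timedelta(minutes=i), "FAIL", "antwerp",
                       f"203.0.113.{10 + i}"))
    for i in range(6):    # a single address guessing at 'admin'
        events.append((t0 + timedelta(minutes=2 * i, seconds=30), "FAIL",
                       "admin", "198.51.100.9"))
    # a member mistyping twice, then logging in
    events.append((t0 + timedelta(minutes=4, seconds=5), "FAIL", "member42", "192.0.2.77"))
    events.append((t0 + timedelta(minutes=4, seconds=20), "FAIL", "member42", "192.0.2.77"))
    events.append((t0 + timedelta(minutes=4, seconds=40), "OK", "member42", "192.0.2.77"))
    events.sort()
    return [f"{ts.strftime(FMT)} {res} user={u} ip={ip}" for ts, res, u, ip in events]


if __name__ == "__main__":
    noisy, targeted = analyze(sample_log())
    print("over per-IP limit:", sorted(noisy))
    print("accounts failing from many sources:", targeted)
```

On the constructed log the per-IP rule only catches the single noisy address, while the per-account view is what surfaces the twelve one-guess sources.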
Old 06-22-2014, 11:30 AM   #29
mikesouth
Confirmed User
 
Industry Role:
Join Date: Jun 2003
Location: My High Horse
Posts: 6,334
Quote:
Originally Posted by ianmoone332000 View Post
I used to be into hacking before I got into all this. They just use a bruteforce tool called sentry. Load it up with thousands and thousands of proxies plus thousands of logins (combos). If your sites have really good security it doesn't really matter. They just extract the logins from similar sites whose security is not so good and run them against your site. People are too lazy to use different passwords etc. on each site and this is what bruteforcers prey on. Works 90% of the time. You wanna avoid it, then generate people a login when they sign up and don't let them pick their own.
Exactly right!
__________________
Mike South

It's No wonder I took up drugs and alcohol, it's the only way I could dumb myself down enough to cope with the morons in this biz.
Old 06-22-2014, 01:08 PM   #30
ladida
Confirmed User
 
Join Date: Nov 2005
Posts: 2,167
Quote:
Originally Posted by RummyBoy View Post
So you say I should quit trying to understand and learn about it? If I took that approach, I'd be nowhere and broke......
Based on your conclusions it's clear how far off the target you are that you should stop now as it's just a waste of time for you.
Quote:
The point I am making is that most of these attempts are a waste of effort and it's only a script kiddie who should be dumb enough to imagine that he's going to get anywhere.
Exactly my point. You lack basic understanding about something that makes no sense to you, so you're, based on your very limited knowledge, trying to draw conclusions for everyone.

Stick to what you do.
Old 06-22-2014, 09:19 PM   #31
RummyBoy
Confirmed User
 
Join Date: Dec 2009
Posts: 2,157
Quote:
Originally Posted by ladida View Post

Exactly my point. You lack basic understanding about something that makes no sense to you, so you're, based on your very limited knowledge, trying to draw conclusions for everyone.
I am not trying to draw conclusions at all - I am simply giving my opinion.

Incidentally, and I should have specified, I'm talking more about attacks on the admin side like trying to gain access in Root, SSH, Cpanel, WHM, FTP etc using brute force attacks. Which to my mind, is generally hopeless using that specific method. I'm not talking about a vulnerability like heartbleed etc.

Any admin with sense would have chosen a smart unknown login and a min 10 character password with upper, lower casings, multi character, alpha numeric etc.