  1. #1
    SitePoint Wizard
    Join Date
    Jul 2006
    Location
    New Zealand
    Posts
    1,300
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Php Brute Forcer Script

    I am trying to create a brute forcer script so I can test the strength of the passwords I choose. Does anyone know any places or how I can go about creating one in PHP?

    Can anyone give me a hand please.

    Thank you.

  2. #2
    SitePoint Wizard silver trophy
    Join Date
    Mar 2006
    Posts
    6,132
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    If you are just wanting to test password strength:
    http://www.php.net/crack
    and I'm sure you can find some websites which offer a password strength checker if you Google.

  3. #3
    SitePoint Wizard
    Join Date
    Jul 2006
    Location
    New Zealand
    Posts
    1,300
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    What about the other kind?

    You enter a username and it goes through the entire dictionary of words to find a password that is possible for that username?

    Is that illegal or legal?

  4. #4
    SitePoint Wizard silver trophy
    Join Date
    Mar 2006
    Posts
    6,132
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Well, you could build one yourself.

    Get a word list.

    Use a loop to try each word as the password for the username you supply. The script stops when a match is found, or when it runs out of words.

    If you want to improve it, I suppose you could try also joining words and adding numbers to some words in likely positions.

    As for legality? I think your gut feeling gives you the proper answer.
    There's nothing wrong with cracking your own password on your own machine.
    But sending tens of thousands of HTTP requests to someone's webserver to try to break in... don't even think about it unless you want to be a "fish".

  5. #5
    SitePoint Wizard
    Join Date
    Jul 2006
    Location
    New Zealand
    Posts
    1,300
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    What do you mean fish?

  6. #6
    SitePoint Wizard silver trophy
    Join Date
    Mar 2006
    Posts
    6,132
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

  7. #7
    SitePoint Wizard
    Join Date
    Jul 2006
    Location
    New Zealand
    Posts
    1,300
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    So which one are you referring to?

  8. #8
    padawan silver trophybronze trophy markbrown4's Avatar
    Join Date
    Jul 2006
    Location
    Victoria, Australia
    Posts
    4,122
    Mentioned
    29 Post(s)
    Tagged
    2 Thread(s)
    Couldn't you secure against brute force attacks by registering unsuccessful logins (if 10 in a minute, suspend the account)?

    I wouldn't be trying to secure a password - I'd secure the login script itself.

  9. #9
    SitePoint Zealot
    Join Date
    Jul 2006
    Location
    Dundee, Scotland
    Posts
    179
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    In all honesty, why would you need a script to check your own passwords? If you want a secure password, use a combination of random letters and numbers (use both upper and lower case for the letters) and have it, say, 10 chars long.

    If your intention is to check the passwords of any users that sign up on your site then this is certainly not the way to go, as doing a dictionary check on the passwords would put a lot of strain on the server and will infuriate customers at the length of time before accounts are created. An approach as mentioned before is probably the way to go, i.e. suspending an account if x amount of attempts are made to log in in x amount of time. Also, if a login is unsuccessful then use an error message saying something like 'The details provided were incorrect'. If you tell them that the password or username were incorrect then that tells them that either the username exists and the password is wrong or that the username does not exist at all.

    Using a brute force script is not illegal as long as it is your own site you are using it to try and crack. If you do not have ownership of the server and are not in control of the bandwidth then the chances are your host will certainly have something to say about you trying this. If you have a dedicated server or VPS then you could run it on the server and write any matches to a local file, as long as it did not call anything external, as there would be no bandwidth overhead nor would there be any impact on other people using the server (as it is your server only).

    Do not under any circumstances create a script and use it on somebody else's site.
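
The login-side defences suggested in posts #8 and #9 (suspend an account after 10 failed logins in a minute, and return one generic error message) can be sketched as follows. This is an added example, not code posted in the thread; the 15-minute suspension, the in-memory storage and the names `LoginThrottle` and `attemptLogin` are assumptions.

```php
<?php
// Added example. Thresholds follow the thread (10 failures in a minute);
// the 15-minute suspension and the in-memory storage are assumptions.
const MAX_FAILURES = 10;
const WINDOW_SECONDS = 60;
const LOCK_SECONDS = 900;
const GENERIC_ERROR = 'The details provided were incorrect';

final class LoginThrottle
{
    private array $failures = [];    // username => timestamps of recent failures
    private array $lockedUntil = []; // username => unix time the suspension ends
    public function isLocked(string $user, int $now): bool { return ($this->lockedUntil[$user] ?? 0) > $now; }
    public function recordFailure(string $user, int $now): void
    {
        // Sliding window: drop failures older than WINDOW_SECONDS, add this one.
        $recent = array_filter($this->failures[$user] ?? [], fn($t) => $t > $now - WINDOW_SECONDS);
        $recent[] = $now;
        $this->failures[$user] = array_values($recent);
        if (count($recent) >= MAX_FAILURES) {
            $this->lockedUntil[$user] = $now + LOCK_SECONDS;
            $this->failures[$user] = [];
        }
    }
    public function reset(string $user): void { unset($this->failures[$user]); }
}

function attemptLogin(array $hashes, LoginThrottle $throttle, string $user, string $pass, int $now): array
{
    static $dummy = null;
    $dummy ??= password_hash('unused', PASSWORD_DEFAULT); // verified for unknown users so timing matches
    if ($throttle->isLocked($user, $now)) {
        return [false, GENERIC_ERROR]; // same message whether suspended, unknown or wrong
    }
    $known = isset($hashes[$user]);
    if (password_verify($pass, $hashes[$user] ?? $dummy) && $known) {
        $throttle->reset($user);
        return [true, 'Logged in'];
    }
    $throttle->recordFailure($user, $now);
    return [false, GENERIC_ERROR];
}

// Constructed demo: ten wrong guesses in ten seconds, then the right password.
$hashes = ['alice' => password_hash('Tr4ilMix-Kettle', PASSWORD_DEFAULT)];
$throttle = new LoginThrottle();
for ($s = 0; $s < 10; $s++) { attemptLogin($hashes, $throttle, 'alice', "guess$s", 1000 + $s); }
var_dump(attemptLogin($hashes, $throttle, 'alice', 'Tr4ilMix-Kettle', 1010)[0]);                // during suspension
var_dump(attemptLogin($hashes, $throttle, 'alice', 'Tr4ilMix-Kettle', 1010 + LOCK_SECONDS)[0]); // after it ends
```

A per-account suspension also lets anyone lock a known account by guessing wrongly on purpose, so it is commonly paired with throttling per source address.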

  10. #10
    Keep it simple, stupid! bokehman's Avatar
    Join Date
    Jul 2005
    Posts
    1,935
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by william232
    I am trying to create a brute forcer script
    Instead of following this idiotic logic, just test the strength of the password. Set a minimum length. Set a minimum number of unique characters, i.e. "aaaaaaa" counts as one. Make sure the password contains upper and lower case. Make sure it contains letters and numbers. To increase strength, increase the length, the number of unique characters and the character set.
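
The rules listed in post #10 translate into a sign-up check like the one below. This is an added example, not code posted in the thread; the thresholds (10 characters, 6 unique) and the function names `passwordProblems` and `searchSpaceBits` are assumptions.

```php
<?php
// Added example. The rules are the ones listed in the post above; the
// thresholds (10 characters, 6 unique) are assumptions chosen for illustration.
function passwordProblems(string $pw, int $minLength = 10, int $minUnique = 6): array
{
    $chars = preg_split('//u', $pw, -1, PREG_SPLIT_NO_EMPTY) ?: [];
    $problems = [];
    if (count($chars) < $minLength) {
        $problems[] = "fewer than $minLength characters";
    }
    // "aaaaaaa" has one unique character, however long it is.
    if (count(array_unique($chars)) < $minUnique) {
        $problems[] = "fewer than $minUnique unique characters";
    }
    if (!preg_match('/\p{Ll}/u', $pw) || !preg_match('/\p{Lu}/u', $pw)) {
        $problems[] = 'needs both upper and lower case letters';
    }
    if (!preg_match('/\p{L}/u', $pw) || !preg_match('/\p{Nd}/u', $pw)) {
        $problems[] = 'needs both letters and numbers';
    }
    return $problems;
}

// Upper bound on guessing effort in bits: length * log2(size of character set used).
// It only holds for randomly chosen characters; dictionary words score far lower in practice.
function searchSpaceBits(string $pw): float
{
    $set = 0;
    $set += preg_match('/[a-z]/', $pw) ? 26 : 0;
    $set += preg_match('/[A-Z]/', $pw) ? 26 : 0;
    $set += preg_match('/[0-9]/', $pw) ? 10 : 0;
    $set += preg_match('/[^a-zA-Z0-9]/', $pw) ? 33 : 0; // printable ASCII symbols, including space
    return $set > 0 ? strlen($pw) * log($set, 2) : 0.0;
}

// Constructed sample passwords.
foreach (['aaaaaaa', 'Password1', 'kT7vQ2mZx9'] as $pw) {
    printf("%-12s %5.1f bits  %s\n", $pw, searchSpaceBits($pw), implode('; ', passwordProblems($pw)) ?: 'ok');
}
```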

  11. #11
    Keep it simple, stupid! bokehman's Avatar
    Join Date
    Jul 2005
    Posts
    1,935
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by filth
    a dictionary check on the passwords would put a lot of strain on the server and will infuriate customers at the length of time before accounts are created.
    That's not true. I wrote a script to do a dictionary attack against an MD5 and it runs 200,000 English words and names in under 2 seconds (check my signature).

  12. #12
    SitePoint Zealot
    Join Date
    Jul 2006
    Location
    Dundee, Scotland
    Posts
    179
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by bokehman
    That's not true. I wrote a script to do a dictionary attack against an MD5 and it runs 200,000 English words and names in under 2 seconds (check my signature).
    That is ok if you don't have any traffic or there are not many people signing up but as the site gets popular you will start to get problems.

  13. #13
    Keep it simple, stupid! bokehman's Avatar
    Join Date
    Jul 2005
    Posts
    1,935
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by filth
    That is ok if you don't have any traffic or there are not many people signing up but as the site gets popular you will start to get problems.
    My server has received 4.2 million requests so far this month and doesn't show any sign of being under strain.

