Quote:(02-09-2019, 05:51 AM)mothered Wrote:
Quote: (02-08-2019, 07:49 PM)zomgwtfbekjam Wrote: Also, any good programmer will create a system that detects bruteforcing regardless of different ip addresses.
All that's required, Is to Implement a CAPTCHA service with "every login".
Yes, that would work. However it's not very user friendly of course.
Also it depends on what kind of captcha you are using. Some captchas can be easily 'decoded'. Spam programs such as Xrumer can defeat most captchas quite easily.
|
Quote:(02-09-2019, 12:57 PM)zomgwtfbekjam Wrote:
Quote: (02-09-2019, 11:11 AM)UplayAlts Wrote:
Quote: (02-08-2019, 07:49 PM)zomgwtfbekjam Wrote: That's why I said: "Unless your program uses random ip addresses".
Also, any good programmer will create a system that detects bruteforcing regardless of different ip addresses. If someone tries 1000s of attempts on one account and they don't get banned it's time to fire the developer. There are loads of ways to stop bruteforcing, an effective way is to let the program hang for a second before sending a response back. Usually I just set a 1 second delay making bruteforcing practically worthless.
Well, cracking still works on almost every big service, and you cannot simply put a 1 second delay of logging in when hundreds of people log into it every couple of seconds.
Yes, you can. The 1 second delay is used on the connection where the user failed to login. Why would you think that, that would affect other users? Are you familiar with writing web applications?
Yea so how are they going to track you when you connect it to thousands of proxies?
|
Quote:(02-09-2019, 01:05 PM)UplayAlts Wrote:
Quote: (02-09-2019, 12:57 PM)zomgwtfbekjam Wrote:
Quote: (02-09-2019, 11:11 AM)UplayAlts Wrote: Well, cracking still works on almost every big service, and you cannot simply put a 1 second delay of logging in when hundreds of people log into it every couple of seconds.
Yes, you can. The 1 second delay is used on the connection where the user failed to login. Why would you think that, that would affect other users? Are you familiar with writing web applications?
Yea so how are they going to track you when you connect it to thousands of proxies?
Everyone can ultimately be tracked if law enforcers want to put the effort into it, but what does this have to do with our discussion earlier?
|
Quote:(02-09-2019, 01:00 PM)zomgwtfbekjam Wrote:
Quote: (02-09-2019, 05:51 AM)mothered Wrote:
Quote: (02-08-2019, 07:49 PM)zomgwtfbekjam Wrote: Also, any good programmer will create a system that detects bruteforcing regardless of different ip addresses.
All that's required, Is to Implement a CAPTCHA service with "every login".
Yes, that would work. However it's not very user friendly of course.
Also it depends on what kind of captcha you are using. Some captchas can be easily 'decoded'. Spam programs such as Xrumer can defeat most captchas quite easily.
In terms of bruteforcing, It'll certainly be of help.
I agree with the CAPTCHA type- some are extremely simple to bypass.
|
Quote:(02-09-2019, 01:58 PM)zomgwtfbekjam Wrote:
Quote: (02-09-2019, 01:05 PM)UplayAlts Wrote:
Quote: (02-09-2019, 12:57 PM)zomgwtfbekjam Wrote: Yes, you can. The 1 second delay is used on the connection where the user failed to login. Why would you think that, that would affect other users? Are you familiar with writing web applications?
Yea so how are they going to track you when you connect it to thousands of proxies?
Everyone can ultimately be tracked if law enforcers want to put the effort into it, but what does this have to do with our discussion earlier?
I honestly don't know if you are trolling or not, the point is that cracking still works on almost every service and cannot be easily patched by adding some delay.
|
Quote:(02-10-2019, 09:44 AM)zomgwtfbekjam Wrote:
Quote: (02-09-2019, 03:16 PM)UplayAlts Wrote:
Quote: (02-09-2019, 01:58 PM)zomgwtfbekjam Wrote: Everyone can ultimately be tracked if law enforcers want to put the effort into it, but what does this have to do with our discussion earlier?
I honestly don't know if you are trolling or not, the point is that cracking still works on almost every service and cannot be easily patched by adding some delay.
Why would I be trolling? If you're a developer you know exactly why things work or don't. It's simple:
1- attacker sends post request to login handler
2- handler matches with database records
3- server sends response back (fail/success)
4- program analyzes response
5- attacker tries again
Usually the response only takes some milliseconds, which yes would allow bruteforcing to be possible.
If you're a developer with more than half a brain though, you could do this to stop bf-ing:
At step 4 the program waits for the response, after all the program needs to know whether the login was successful or not. Right?
Good! Look at this pseudo code:
[Hidden Content]
Instead of getting the response back in several ms, your bruteforcer has to wait for more than 1 second, this would totally destroy the effectiveness of your bruteforce program.
It's nothing but simple logic, I can write you a sample code if you still don't believe me.
The reason why some sites can be bruteforced is that not every programmer is a good programmer, hence I said if bf-ing works on your site it's time to fire the developer.
This wouldn't work because every attempt is on a different ip address. Because of the proxies...
|
Quote:(02-09-2019, 03:16 PM)UplayAlts Wrote:
Quote: (02-09-2019, 01:58 PM)zomgwtfbekjam Wrote:
Quote: (02-09-2019, 01:05 PM)UplayAlts Wrote: Yea so how are they going to track you when you connect it to thousands of proxies?
Everyone can ultimately be tracked if law enforcers want to put the effort into it, but what does this have to do with our discussion earlier?
I honestly don't know if you are trolling or not, the point is that cracking still works on almost every service and cannot be easily patched by adding some delay.
Why would I be trolling? If you're a developer you know exactly why things work or don't. It's simple:
1- attacker sends post request to login handler
2- handler matches with database records
3- server sends response back (fail/success)
4- program analyzes response
5- attacker tries again
Usually the response only takes some milliseconds, which yes would allow bruteforcing to be possible.
If you're a developer with more than half a brain though, you could do this to stop bf-ing:
At step 4 the program waits for the response, after all the program needs to know whether the login was successful or not. Right?
Good! Look at this pseudo code:
[Hidden Content]
Instead of getting the response back in several ms, your bruteforcer has to wait for more than 1 second, this would totally destroy the effectiveness of your bruteforce program.
It's nothing but simple logic, I can write you a sample code if you still don't believe me.
The reason why some sites can be bruteforced is that not every programmer is a good programmer, hence I said if bf-ing works on your site it's time to fire the developer.
|
Quote:(02-10-2019, 09:56 AM)UplayAlts Wrote:
Quote: (02-10-2019, 09:44 AM)zomgwtfbekjam Wrote:
Quote: (02-09-2019, 03:16 PM)UplayAlts Wrote: I honestly don't know if you are trolling or not, the point is that cracking still works on almost every service and cannot be easily patched by adding some delay.
Why would I be trolling? If you're a developer you know exactly why things work or don't. It's simple:
1- attacker sends post request to login handler
2- handler matches with database records
3- server sends response back (fail/success)
4- program analyzes response
5- attacker tries again
Usually the response only takes some milliseconds, which yes would allow bruteforcing to be possible.
If you're a developer with more than half a brain though, you could do this to stop bf-ing:
At step 4 the program waits for the response, after all the program needs to know whether the login was successful or not. Right?
Good! Look at this pseudo code:
[Hidden Content]
Instead of getting the response back in several ms, your bruteforcer has to wait for more than 1 second, this would totally destroy the effectiveness of your bruteforce program.
It's nothing but simple logic, I can write you a sample code if you still don't believe me.
The reason why some sites can be bruteforced is that not every programmer is a good programmer, hence I said if bf-ing works on your site it's time to fire the developer.
This wouldn't work because every attempt is on a different ip address. Because of the proxies...
What does that have to do with it?
Your program waits for a response and my method WILL make it wait before the program makes another attempt, it's simple as that. I'm not going to explain it even more.
|
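The defence argued over in this thread (slowing down failed logins in a way that does not depend on the source IP), as an added example that is not any poster's code and not the hidden pseudo code: failures are counted per account, so rotating proxies does not reset the wait. The names `LoginThrottle` and `simulate`, the thresholds and the sample addresses are assumptions made for illustration.

```python
import time

class LoginThrottle:
    """Failed-login throttle keyed on the account, not the client IP (hypothetical helper)."""

    def __init__(self, base_delay=1.0, max_delay=900.0, free_attempts=3, clock=time.monotonic):
        self.base_delay = base_delay        # first enforced wait, in seconds
        self.max_delay = max_delay          # cap, so a lockout always expires
        self.free_attempts = free_attempts  # failures tolerated before any wait
        self.clock = clock
        self._state = {}                    # account -> [failures, locked_until, set of IPs]

    def retry_after(self, account):
        """Seconds until the next attempt on this account will be evaluated."""
        entry = self._state.get(account)
        return max(0.0, entry[1] - self.clock()) if entry else 0.0

    def attempt(self, account, source_ip, password_ok):
        """Return 'ok', 'fail' or 'throttled' for one login attempt."""
        entry = self._state.setdefault(account, [0, 0.0, set()])
        entry[2].add(source_ip)             # kept as a detection signal only
        if self.retry_after(account) > 0:
            return "throttled"              # rejected before the password is checked
        if password_ok:
            del self._state[account]        # success clears the failure history
            return "ok"
        entry[0] += 1
        over = entry[0] - self.free_attempts
        delay = min(self.max_delay, self.base_delay * 2 ** (over - 1)) if over > 0 else 0.0
        entry[1] = self.clock() + delay     # wait doubles with each further failure
        return "fail"

    def distinct_sources(self, account):
        """Number of different IPs seen on this account since its last success."""
        return len(self._state.get(account, [0, 0.0, set()])[2])

def simulate(n_attempts=1000, gap=0.25):
    """Constructed scenario: wrong guesses on one account, each from a different IP."""
    now = [0.0]                             # fake clock so the run is deterministic
    throttle = LoginThrottle(clock=lambda: now[0])
    counts = {"ok": 0, "fail": 0, "throttled": 0}
    for i in range(n_attempts):
        ip = f"10.{i // 250}.{i % 250}.7"   # constructed private-range addresses
        counts[throttle.attempt("alice", ip, password_ok=False)] += 1
        now[0] += gap
    return counts, throttle.distinct_sources("alice")

if __name__ == "__main__":
    print(simulate())
```

Keying on the account also means a third party can hold a victim's account in the throttled state, which is why the wait is capped and expires on its own rather than locking the account permanently.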