How do I hack my website??

gabemcg

Platinum Member
Dec 27, 2004
2,597
0
76
Hi,

I have a website at which my clients access video interviews of candidates. It's password protected, but some of my clients have raised concerns of brute force attacks.

I know that a lot of websites that are more well-funded than mine (namely pr0n) are susceptible to brute-force attacks.

Where is a good resource to find ways to attack my own site to test its security?
 

Yanagi

Golden Member
Jun 8, 2004
1,678
0
0
I work 6PM-4AM and require free pizza, MMORPG breaks and 100 US an hour.
 

Descartes

Lifer
Oct 10, 1999
13,968
2
0
Depends on how it's "password protected." Is it a simple form, NTLM, htaccess or something else? I have a tool that I wrote a few years back that performs dictionary attacks against sites that use forms for password submissions.
 

DeviousTrap

Diamond Member
Jul 19, 2002
4,841
0
71
The more complex the password, the harder it is to brute force, plain and simple. With enough effort (and time) you can brute force anything, but with proper usernames and passwords it's pretty much ineffective.
 

Reel

Diamond Member
Jul 14, 2001
4,484
0
76
Look up hydra. I think it may be thc-hydra. Be careful of trojans and I recommend testing it on a test environment before production. Protect against brute force by using IP-based and account-based lockouts.
 

DaiShan

Diamond Member
Jul 5, 2001
9,617
1
0
Originally posted by: DeviousTrap
The more complex the password, the harder it is to brute force, plain and simple. With enough effort (and time) you can brute force anything, but with proper usernames and password it's pretty much ineffective.


??? If you aren't locking users out after 3-5 incorrect tries you should probably re-think your security plan. For instance on my SSHD, I wrote a script that scans the logs, then adds a firewall rule to drop connections from users that fail more than three times. Not reject, drop, it's much more evil :D
 
Jan 31, 2002
40,819
2
0
Biggest vulnerability is probably the users setting weak passwords.

What auth mechanism, webserver running, what OS?

pontifex - It's not like he posted a random IP and said ZOMG H4X0R 4 ME PLZ. If it's not his site, running a brute-force attack against it will get his ass handed to him by the admin in about five seconds. :p

Edit - And why is this in OT? Software or network.

- M4H
 
Jan 31, 2002
40,819
2
0
Originally posted by: DaiShan
Originally posted by: DeviousTrap
The more complex the password, the harder it is to brute force, plain and simple. With enough effort (and time) you can brute force anything, but with proper usernames and password it's pretty much ineffective.


??? If you aren't locking users out after 3-5 incorrect tries you should probably re-think your security plan. For instance on my SSHD, I wrote a script that scans the logs, then adds a firewall rule to drop connections from users that fail more than three times. Not reject, drop, it's much more evil :D

Start with an IP block, upgrade to a /24 with their info posted as the reason everyone else can't get in, and go from there. :D

- M4H
 

DeviousTrap

Diamond Member
Jul 19, 2002
4,841
0
71
Originally posted by: DaiShan
Originally posted by: DeviousTrap
The more complex the password, the harder it is to brute force, plain and simple. With enough effort (and time) you can brute force anything, but with proper usernames and password it's pretty much ineffective.


??? If you aren't locking users out after 3-5 incorrect tries you should probably re-think your security plan. For instance on my SSHD, I wrote a script that scans the logs, then adds a firewall rule to drop connections from users that fail more than three times. Not reject, drop, it's much more evil :D

I was just talking about bruteforcing in general, not in reference to web servers. It's a lot easier to explain to a client that bruteforcing is ineffective, rather than try to prove to them that their website is not susceptible to it because of a firewall block. All of my servers do lock out people after a certain amount of incorrect attempts (10 for http pages, 4 for ssh and ftp).
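Both DaiShan's log-scanning script (drop a source after more than three failures) and the account-based lockouts Reel and DeviousTrap describe come down to the same detection logic: count failures per source address and per account, and act once a threshold is crossed. The following is an added example written for this thread, not DaiShan's script or any poster's server configuration. It assumes sshd-style auth log lines (the sample lines are constructed), treats the thresholds as hypothetical, and only returns the firewall rules it would apply rather than executing them.

```python
import re
from collections import defaultdict

# Constructed sshd-style auth log lines; the hosts and addresses are documentation ranges, not real.
SAMPLE_LOG = """\
Jan 31 02:14:01 host sshd[2211]: Failed password for root from 198.51.100.23 port 51122 ssh2
Jan 31 02:14:03 host sshd[2211]: Failed password for root from 198.51.100.23 port 51123 ssh2
Jan 31 02:14:05 host sshd[2211]: Failed password for admin from 198.51.100.23 port 51124 ssh2
Jan 31 02:14:07 host sshd[2211]: Failed password for invalid user test from 198.51.100.23 port 51125 ssh2
Jan 31 02:15:10 host sshd[2230]: Failed password for alice from 203.0.113.7 port 40011 ssh2
Jan 31 02:15:20 host sshd[2231]: Accepted password for alice from 203.0.113.7 port 40012 ssh2
Jan 31 02:16:00 host sshd[2240]: Failed password for bob from 192.0.2.55 port 33001 ssh2
Jan 31 02:16:01 host sshd[2241]: Failed password for bob from 192.0.2.56 port 33002 ssh2
Jan 31 02:16:02 host sshd[2242]: Failed password for bob from 192.0.2.57 port 33003 ssh2
Jan 31 02:16:03 host sshd[2243]: Failed password for bob from 192.0.2.58 port 33004 ssh2
"""

# sshd prefixes unknown accounts with "invalid user"; the optional group skips that so the name is captured either way.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def tally(log_text):
    """Count failed logins per source IP and per account.

    A successful login resets that account's failure counter, so a user who
    mistypes once and then gets in is not pushed toward lockout.
    """
    by_ip = defaultdict(int)
    by_user = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            by_ip[ip] += 1
            by_user[user] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            by_user[m.group(1)] = 0
    return dict(by_ip), dict(by_user)


def ips_to_drop(by_ip, threshold=3):
    """IP-based lockout: sources with more than `threshold` failures (hypothetical cutoff)."""
    return sorted(ip for ip, n in by_ip.items() if n > threshold)


def accounts_to_lock(by_user, threshold=4):
    """Account-based lockout: accounts with `threshold` or more failures from any source."""
    return sorted(user for user, n in by_user.items() if n >= threshold)


def firewall_rules(ips):
    """Render (but do not run) one iptables DROP rule per offending source."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    by_ip, by_user = tally(SAMPLE_LOG)
    print("drop:", ips_to_drop(by_ip))          # 198.51.100.23 hit four accounts from one address
    print("lock:", accounts_to_lock(by_user))   # bob was hit from four different addresses
    for rule in firewall_rules(ips_to_drop(by_ip)):
        print(rule)
```

The sample is arranged so the two controls catch different things: the per-IP count flags the single address cycling through accounts, while the per-account count is what flags bob, whose four failures each come from a different address and never trip the IP threshold. That is why the thread's advice to use both kinds of lockout is sound; either one alone leaves a gap.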