How to Brute Force - Tutorial

This tutorial covers how to brute force a website that uses a normal HTTP login form, meaning it has an entry for a username and a password. We will do so using a program called Brutus. To do so, you must find a website that 1) contains only username and password fields, and 2) allows unlimited attempts at guessing a specific password. To test whether the website allows this, try multiple incorrect passwords for a random username and see what response you get after x attempts. If you get no redirect page and you are not limited in the number of login attempts, chances are the website is vulnerable to brute forcing.

Before we get started, you might be wondering what brute forcing is: it is simply testing a list of passwords against a list of usernames in the hope of matching a username and password combination that is correct. There are many disadvantages to using this method to hack, such as time (you need to test thousands if not millions of combinations), and most websites now have features that limit the number of incorrect guesses at one’s password or make a human verification field mandatory when logging in. Let’s get started.

What You Will Need:

1) Download Brutus: http://www.hoobie.net/brutus/

2) Download Password List: http://area51archives.com/index.php?title=Ultimate_Password_List

3) You will need a proxy or VPN that changes your IP address for all programs, not just your web browser. I would suggest using CyberGhost VPN or Hot Spot Shield. They are pretty easy to use and are well documented so if you need help using them, please search or go to their websites.

Getting Started:

An example of a simple login form is as follows (which I just created in HTML to demonstrate). I am not going to give any real websites, just to avoid any conflict. Once you have found a website that looks similar to that, test it a few times to make sure it doesn’t limit how many times you can type in an incorrect password. Once you have verified that it may be vulnerable to brute forcing, let’s get started.

Step One: Start Brutus:

Leave the target field alone for the moment and, where it says type, choose HTTP (Form). You will see that a new option called “Modify Sequence” has appeared below it. Press this.

Step Two: Specifying Your Target:

Find the URL that links directly to the login page of the website, for example http://www.website.com/login, and insert that URL into the Target field. After doing so, press learn from settings. You will now see something similar to the following screen:

As you can see, on the left-hand side it states “Field Name”, which gives options such as username and password. Select the username under the Field Name list and press the button that says Username. Do the same with the password and hit Password. This lets Brutus know where to input its list. Press Accept and it will return you to your previous screen. If, when you were testing, you got a message that says “Incorrect login” or something similar, copy it and paste it under the HTML Response boxes. Press Okay when you’re done. We need to do one more thing before we start.

Step Three: Setting the Word Lists:

The next step is fairly simple. Go to the option that says “User File” and select the text file that contains the usernames you would like to brute force. Then, beside it, under “Pass File”, specify your password list. Before you hit Start, make sure all the optional variables are set to your satisfaction (the defaults are usually fine); start your proxy, make sure your IP address is masked, then hit Start. Allow the program to run for as long as you want or until it has completed, and hopefully you have gotten some passwords!
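The limit on incorrect guesses mentioned in the introduction is the control that stops this procedure. The following is an added example, not part of the original tutorial: a failed-login throttle keyed on both the username and the source address, so the failure count keeps accumulating when the source IP changes. The class name, thresholds and sample data are assumptions constructed for illustration.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limit on failed logins, per username and per source IP."""

    def __init__(self, max_per_user=5, max_per_ip=20, window=900):
        self.max_per_user = max_per_user
        self.max_per_ip = max_per_ip
        self.window = window                # seconds a failure stays counted
        self._fails = defaultdict(deque)    # ("user", name) / ("ip", addr) -> times

    def _recent(self, key, now):
        q = self._fails[key]
        while q and now - q[0] >= self.window:   # drop failures outside the window
            q.popleft()
        return len(q)

    def allowed(self, username, ip, now=None):
        now = time.time() if now is None else now
        return (self._recent(("user", username.lower()), now) < self.max_per_user
                and self._recent(("ip", ip), now) < self.max_per_ip)

    def record_failure(self, username, ip, now=None):
        now = time.time() if now is None else now
        self._fails[("user", username.lower())].append(now)
        self._fails[("ip", ip)].append(now)

    def record_success(self, username):
        self._fails.pop(("user", username.lower()), None)


def simulate(attempts, throttle, valid):
    """Replay (time, ip, user, password) tuples; return one outcome per attempt."""
    out = []
    for ts, ip, user, pw in attempts:
        if not throttle.allowed(user, ip, ts):
            out.append("blocked")   # rejected before the password is checked
        elif valid.get(user) == pw:
            throttle.record_success(user)
            out.append("ok")
        else:
            throttle.record_failure(user, ip, ts)
            out.append("fail")
    return out


# Constructed sample: 8 guesses at one account, each from a different address.
SAMPLE = [(i * 2.0, f"198.51.100.{i + 1}", "alice", f"guess{i}") for i in range(8)]
```

Replaying `SAMPLE` shows the per-username counter blocking the sixth guess onward even though no single address reaches the per-IP limit; a per-IP counter alone would have let all eight through.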

