Is using Google Forms to share “passcode protected” information safe from brute force attacks?

I have recently seen many people use Google Forms as a way of sharing “passcode protected” information. They seem to have the first section of the form with a required field asking for a short piece of text (the “password”), and if the inputted text does not exactly match the required text, it gives you a custom error message telling you the “password” is incorrect. The second section of the form is the secret information, which you can’t see until you put in the correct “password” from the first form section. You don’t log in with a Google account either.

I’ve seen many schools use this as a way to share Zoom Meeting IDs and passwords with students. While it superficially seems to work well enough for most people, is this really a safe way of protecting private information? For example, are people who use Google Forms to passcode protect information safe from things such as brute-force attacks? I’m fairly sure the “passwords” being used aren’t strong either.

brute force – How secure is getapassphrase.com?

getapassphrase.com is a website that generates passphrases. The user sets a complexity in bits, and the site spits out results like:

liberal panda and ill asp decline young suit in Kansas

or

rowdy whale and tired DJ build brown harp in Berlin

(For 64 bits, they all pretty much seem to follow the pattern of (adjective) (noun) and (adjective) (noun) (verb) (adjective) (noun) in (location))

I am not concerned at this point with security as it pertains to any specific implementation details of the site (i.e. does the website carelessly leak its results somehow over an insecure connection, can an attacker reproduce the PRNG state based on e.g. knowing the exact time a passphrase was generated…) – instead, I want to ask about the complexity of guessing passphrases which are generated following a particular pattern.

I am aware that focusing on making passphrases longer generally provides more security than focusing on introducing weird characters. However, if an attacker knows (or guesses¹) that my passphrase was generated using getapassphrase.com, does it typically become feasible for them to crack it by brute force?

¹ Probably a decent guess, given that I’m posting about it on a public forum…

Brute force a wallet.dat file

I have a wallet.dat file which is encrypted, and I can remember that I put only numbers as the password (4 or 5 digits, not more, not less).
My friend suggested brute forcing it using Python.
I tried googling and unfortunately (poor programming) didn’t find any Python script.
Can anyone help me, please?

brute force – How to secure MySQL against bruteforce attacks?

The simplest solution would be not to expose MySQL. Usually, the MySQL server is accessed only from the same machine, in which case you can set it to listen only on a Unix socket or on a loopback interface.

If it does need to be accessed from other machines, these are generally just a few, in which case you can firewall the port from any host but those that legitimately need access to it. (Moreover, if all MySQL users are host-restricted, MySQL itself won’t allow connections from hosts other than those.)
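
A way to check a server against the advice above, as an added example that is not part of the original answer: the script reads a mysqld option file and the rows of SELECT User, Host FROM mysql.user, then reports non-loopback listeners and accounts that are not host-restricted. The option files, account rows and the function name audit_mysqld are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample inputs (not from the original post).
EXPOSED_CNF = "[mysqld]\nport = 3306\nbind-address = 0.0.0.0\n"
LOCAL_CNF = "[mysqld]\nbind_address = 127.0.0.1\n"
SOCKET_CNF = "[mysqld]\nskip-networking\nsocket = /run/mysqld/mysqld.sock\n"
# Rows as returned by: SELECT User, Host FROM mysql.user;
USERS = [("app", "10.0.5.12"), ("report", "%"), ("root", "localhost")]


def _is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # "*" or a hostname: assume it is reachable remotely
        return False


def audit_mysqld(cnf_text, users):
    """Return a list of findings about network exposure of mysqld."""
    # Assumes a plain option file with a [mysqld] section and no !include lines.
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(cnf_text)
    # Option files accept dashes or underscores in names; normalise to dashes.
    opts = {k.replace("_", "-"): v for k, v in cp.items("mysqld")}
    if "skip-networking" in opts:
        return []  # TCP/IP disabled: unix socket only
    # With no bind-address set, mysqld listens on all interfaces ("*").
    binds = [a.strip() for a in (opts.get("bind-address") or "*").split(",")]
    exposed = [a for a in binds if not _is_loopback(a)]
    if not exposed:
        return []  # loopback only
    findings = [f"listens on {a}: firewall port {opts.get('port') or 3306} "
                "to the hosts that need it" for a in exposed]
    for user, host in users:
        # '%' is the host wildcard; an empty host also matches any client.
        if "%" in host or host == "":
            findings.append(f"'{user}'@'{host}' is not host-restricted")
    return findings


if __name__ == "__main__":
    for cnf in (EXPOSED_CNF, LOCAL_CNF, SOCKET_CNF):
        print(audit_mysqld(cnf, USERS) or "not reachable over the network")
```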

brute force – Find configured domains accepted by a reverse proxy

I am playing around with a machine from Hack The Box. I found what appears to be a squid v. 4.6 listening on port 3128. None of my requests work:

< HTTP/1.1 400 Bad Request
< Server: squid/4.6
< Mime-Version: 1.0
< Date: Fri, 30 Oct 2020 23:27:28 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3505
< X-Squid-Error: ERR_INVALID_URL 0
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from unbalanced
< X-Cache-Lookup: NONE from unbalanced:3128
< Via: 1.1 unbalanced (squid/4.6)
< Connection: close

Among the possible reasons, the displayed error page mentions that Missing hostname is the most probable one. I am looking for a way to find this (these) domain name(s).

Since this machine is meant to be accessed with a VPN only, there is no point in using DNS crawlers such as dnsmap or dnsenum. There is no DNS server on this machine nor in this lab environment (that I know of).

There is no fail2ban nor any brute-force preventing mechanism, so I thought about brute forcing the domain name. All the HTTP fuzzers I know allow fuzzing nearly anything except domains. Do you know of such a tool, or do I need to script it myself?

Can you think of a more straightforward approach?

passwords – Javascript PDF Brute Forcing

I am trying to learn PDF brute forcing with JavaScript.

I’ve read about the encryption algorithm in the PDF 1.4 documentation here: https://www.adobe.com/content/dam/acom/en/devnet/pdf/pdf_reference_archive/PDFReference.pdf

I’ve extracted the hash using pdf2john.pl and the hash is:

myProtectedFile.pdf:$pdf$4*4*128*-1852*1*16*d2064e199731d635312c43ce33697274*32*0e3d2167a5d07df7b2e33f47650e427b00000000000000000000000000000000*32*1c60bb862ad233261c5147c52e26888857a8dd82c56a0d4af8524742a2cf447b

and this is the code I’ve reached so far:

const crypto = require('crypto');

// Function for looping hashes
function loophash(s) {
  var currentHash = s;
  for (let index = 0; index < 50; index++) {
    let s = crypto.createHash('md5').update(currentHash).digest('hex');
    currentHash = s;
  }
  return currentHash;
}

// Padded password, as the PDF 1.4 revision 3 guideline says:
// Pad the user password out to 32 bytes, using a hardcoded 32-byte string:
// 28 BF 4E 5E 4E 75 8A 41 64 00 4E 56 FF FA 01 08
// 2E 2E 00 B6 D0 68 3E 80 2F 0C A9 FE 64 53 69 7A
var paddedPassword = '0101197728BF4E5E4E758A4164004E56'; // 01011977 (on the left-hand side) is the real password and the rest is the hardcoded string

// MD5 hash 50 times
var FinalMD5Hash = loophash(paddedPassword);

The final hash does not match the hash extracted using pdf2john at all.

What am I missing? How do I generate the hash properly?

I can’t use JTR as I need to use this in cloud functions, where I need to return the password, but as JTR works it is hard to maintain there.

denial of service – Will brute force attack exhaust web server, resulting in DOS

I used to own a shared hosting business and, while being at a party on a weekend night, I received an automated notification caused by a resource exhaustion. I immediately left for the office, and when I arrived I found out a brute-force attack against a client’s WordPress admin panel was the cause of it.

Always make sure your firewall rulesets are up to date and that a service can’t take others’ resources in case of an anomalous event (containerization is your friend here).

How can I brute force guess the passphrase for a Bitcoin Wallet (Andreas Schildbach) backup file?

I have a 2013-2014 240-byte wallet backup file from Bitcoin Wallet (by Andreas Schildbach).

How can I use hashcat or similar to brute force guess the wallet encryption phrase?

python http.client dvwa brute forcer

I have a simple Python script where I am trying to brute force the brute force page on DVWA (Damn Vulnerable Web App). I’m trying to do this using http.client, but the response I read always returns the base page without any error message on it. I believe I have set the headers based on what is sent on a normal request and everything else seems to be correct. Does anyone know why it doesn’t return the updated page?

(I am aware it can be done with requests, but I’d like to know how to do it with http.client.)

import http.client
import urllib.parse

username_file = open('usernames.txt')
password_file = open('passwords.txt')

user_list = username_file.readlines()
pwd_list = password_file.readlines()

for user in user_list:
    user = user.rstrip()
    for pwd in pwd_list:
        pwd = pwd.rstrip()
        
        post_parameters = urllib.parse.urlencode({'username': user, 'password': pwd,'Login': "Login"})
        headers = {"Host": "192.168.1.1", "Connection": "keep-alive", "Upgrade-Insecure-Requests": "1",
                    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
                    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
                    "Referer": "http://10.10.77.43/vulnerabilities/brute/",  "Accept-Language": "en-US,en;q=0.9",
                    "Cookie": "PHPSESSID=5utuc1d5i48ss2v1mesmtd9fc1; security=low"}

        conn = http.client.HTTPConnection("10.10.77.43", 80)
        conn.request("POST", "/vulnerabilities/brute/?", post_parameters, headers)
        response = conn.getresponse()

        print (response.read().decode())

brute force – Hydra from username part to password

I was looking for help on this page, but Schroeder deleted all my publications. I already found a way to do the script; I’ll leave it here in case someone needs hydra to enter a user with their respective password at the same time.

file=open('test.txt','r')
read_file= file.readlines()
file.close()

file2=open('text2.txt','r')
read_file2= file2.readlines()
file2.close()

# Pair each username with the password on the same line of the second file
for x,i in zip(read_file,read_file2):
    print("hydra -l",x.strip('\n'),"-p",i.strip('\n '),"###.###.### http-post-form '/index.asp:txtUser=^USER^&txtPass=^PASS^:F=Access Denied!.' -vV -I")