28th January 2000
Changes in release AET2 :
1 – All user specified server response strings are converted to lowercase now as are the actual server responses.
2 – Fixed the problem encountered whilst trying to change the timeout during operation.
3 – Fixed problem with the default POP3 settings (related to fix 1above.)
4 – Added brute force password generation
5 – Added save current session
6 – Added auto-save current session
7 – Added restore saved session
8 – Added save custom service
9 – Added load custom service
10 – Added password permutations
11 – Added word list creation functions
12 – Fixed update problems in the Auth. Seq. Definition window
13 – Added pause/resume functions
14 – Addedsemi-automatic 'learn' function for HTML form/CGI based services
15 – Added skip user on multiple password prompt failures
16 – Added 'use updated form fields' option to HTML form based services to enable attacks against services which use one time values in HTML form fields.
17 – Created a few example services, Netbus, IMAP, Cisc0 console, Cisc0 enable etc….only tested NetBus.
18 – Completed the'view authentication sequence' display.
19 - Added SMB authentication for Windows and Samba servers (Only uses API at the moment so is very sloow)
What does it do?
This component of Brutus is capable of authenticating against a wide range of character based application protocols. This is used to facilitate dictionary based user/password attacks against various network applications. Thisrelease comes with the following built-in network applications :
HTTP - Basic authentication
HTTP - CGI application authentication (typically used with HTML forms)
There is also a custom facility which allows you to create your own authentication sequences tailored to your target in addition to being able to modify the built in applications. Using the custom faciltyfor instance it is possible to authenticate against IMAP, NNTP, IRC or nearly anything that uses plaintext user/password negotiation.
Using the pre-authentication option gives you the ability to perform some quite twisted dictionary attacks, for instance :
You can define an authentication sequence that will connect via some public SOCKS proxy to a UNIX server on 192.168.1.10 offering telnet.Brutus can then log in to the UNIX server and then issue commands such as 'telnet 172.16.10.10', Brutus will then run the dictionary attack against the target at 172.16.10.10. What you have now is a 3 node hop online dictionary attack.
A simpler example of using a pre-authentication sequence might be to have Brutus connect to the target, again a UNIX server running telnet, and perhaps log in asan unprivileged user. It is then possible to have Brutus run a dictionary attack using su in an attempt to obtain the root password. At all times Brutus will maintain the 'conduit' telnet session which improves performance.
• Support for up to 60 simultaneous sessions
• Fully multi-threaded
• Highly customisable authentication sequences
• Single user mode, UserList mode, User/Pass combo mode, Password only mode
• Brute force password mode
• Word list creation/generation/processing
• Import/Export custom services
• Load/Save position
• SOCKS support (with optional authentication)
• Capable of 2500+ authentications/second over high speed connections
What is happening?
Brutus is still under development as is this component(the authentication engine). When Brutus is eventually finished, it will be made available, I have no idea when that will be. However, the next release (barring bug-fix releases) will contain my own SMB authentication routines which are much faster than using the WNet API, initially Protocols up to and including LANMAN2 will be available. I am also working on getting SSL support in without...