Posts tagged: Brute Forcing Tool

Jan 20 2012

Patator – Multi-Purpose Brute Forcing Tool

Brute Force AttackPatator is a multi-purpose brute-forcer, with a modular design and a flexible usage.

Currently it supports the following modules:

  • ftp_login : Brute-force FTP
  • ssh_login : Brute-force SSH
  • telnet_login : Brute-force Telnet
  • smtp_login : Brute-force SMTP
  • smtp_vrfy : Enumerate valid users using the SMTP VRFY command
  • smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
  • http_fuzz : Brute-force HTTP/HTTPS
  • pop_passd : Brute-force poppassd (not POP3)
  • ldap_login : Brute-force LDAP
  • smb_login : Brute-force SMB
  • mssql_login : Brute-force MSSQL
  • oracle_login : Brute-force Oracle
  • mysql_login : Brute-force MySQL
  • pgsql_login : Brute-force PostgreSQL
  • vnc_login : Brute-force VNC
  • dns_forward : Forward lookup subdomains
  • dns_reverse : Reverse lookup subnets
  • snmp_login : Brute-force SNMPv1/2 and SNMPv3
  • unzip_pass : Brute-force the password of encrypted ZIP files
  • keystore_pass : Brute-force the password of Java keystore files


Project Home:

Dec 29 2011

Reaver – WiFi Protected Setup Brute Force Attack Tool

Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in

Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.

On average Reaver will recover the target AP’s plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

While Reaver does not support reconfiguring the AP, this can be accomplished with wpa_supplicant once the WPS pin is known.

Reaver targets the external registrar functionality mandated by the WiFi Protected Setup specification. Access points will provide authenticated registrars with their current wireless configuration (including the WPA PSK), and also accept a new configuration from the registrar.

In order to authenticate as a registrar, the registrar must prove its knowledge of the AP’s 8-digit pin number. Registrars may authenticate themselves to an AP at any time without any user interaction. Because the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not need any prior knowledge of the wireless encryption or configuration.

Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP’s 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that key space is reduced to 10^7 (10,000,000) possible values.

The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum.

Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts. The speed at which Reaver can test pin numbers is entirely limited by the speed at which the AP can process WPS requests. Some APs are fast enough that one pin can be tested every second; others are slower and only allow one pin every ten seconds. Statistically, it will only take half of that time in order to guess the correct pin number.

Reaver is only supported on the Linux platform, requires the libpcap and libsqlite3 libraries, and can be built and installed by running:

$ ./configure
$ make
# make install

To remove everything installed/created by Reaver:

# make distclean

Usually, the only required arguments to Reaver are the interface name and the BSSID of the target AP:

# reaver -i mon0 -b 00:01:02:03:04:05

Download: reaver-1.3.tar.gz

Reaver Home:

Feb 02 2011

NiX – Linux Brute Forcer

NiX Brute Forcer is a tool that uses brute force in parallel to log into a system without having authentication credentials beforehand. This tool is intended to demonstrate the importance of choosing strong passwords. The goal of NiX is to support a variety of services that allow remote authentication such as: MySQL, SSH, FTP, IMAP. It is based on NiX Proxy Checker.


  • Basic Authorization & FORM support in both standard and HTTPS (SSL) mode
  • HTTP/SOCKS 4 and 5 proxy support
  • FORM auto-detection & Manual FORM input configuration.
  • It is multi-threaded
  • Wordlist shuffling via macros
  • Auto-removal of dead or unreliable proxy and when site protection mechanism blocks the proxy
  • Integrated proxy randomization to defeat certain protection mechanisms
  • With Success and Failure Keys results are 99% accurate
  • Advanced coding and timeout settings makes it outperform any other brute forcer

Download: NIX_BruteForce.bz2

More Info:

Mar 17 2009

dnsmap 0.22 Released – Subdomain Bruteforcing Tool

dnsmap is a subdomain bruteforcer for stealth enumeration.

Originally released in 2006, dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc. dnsmap was included in Backtrack 2 and 3, although the version included is the now dated version 0.1.

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work.

Original Features of Version 0.1
* obtain all IP addresses (A records) associated to each successfully bruteforced subdomain, rather than just one IP address per subdomain
* abort the bruteforcing process in case the target domain uses wildcards
* ability to be able to run the tool without providing a wordlist by using a built-in list of keywords
* bruteforcing by using a user-supplied wordlist (as opposed to the built-in wordlist)

New Improvements in Version 0.22
* saving the results in human-readable and CSV format for easy processing
* fixed bug that disallowed reading wordlists with DOS CRLF format
* improved built-in subdomains wordlist
* new bash script ( included which allows running dnsmap against a list of domains from a user-supplied file. i.e.: bruteforcing several domains in a bulk fashion
* bypassing of signature-based dnsmap detection by generating a proper pseudo-random subdomain when checking for wildcards


usage: dnsmap [options]

Download :