Good IIS / ASP.NET Dictionary or Force Attack Software

Question

Good IIS / ASP.NET Dictionary or Force Attack Software

I am looking for something that uses the IIS / ASP.NET website, which uses forms authentication and tries repeatedly to log in with all possible passwords or passwords from the dictionary.

I probably can write something, but I wondered if there was something publicly available that would be better implemented.

+3

security asp.net forms-authentication

Brad Jun 08 '10 at 18:06

source share

3 answers

rook · Answer 1 · 2010-06-08T19:35:50+0000

For online forced entry systems, I recommend using THC-Hydra . I always use this tool in my penetration tests. In contrast, if you have a password hash or salted password hash lists, you should use John The Ripper to disable it offline, which is much faster.

After 3 unsuccessful logins, you must specify this IP address using captcha, for example reCaptcha .

Chad Levy · Answer 2 · 2010-06-08T19:45:46+0000

ASP.NET, passwordAttemptThreshold. . , , passwordAttemptThreshold, . , , .

, , . , , , , , , , , .

Thelq · Answer 3 · 2010-06-08T23:33:06+0000

Instead of attacking the site from the outside, I would recommend using hashes and cracking them offline.

The best approach is to create a password policy on the site, so you do not need to do this. In most cases, cracking passwords is tough and unnecessary.

Good IIS / ASP.NET Dictionary or Force Attack Software

More articles: