ćšïŒäœ ä»Źć„œćïŒ
- = Hi How @re YOU Peopl3!
I hope you have a safe surf online!
Today, we will look at how easy it is to crack or brute-force files or accounts & why having at least a 2FA or Two-Factor Authenticator with a COMPLEX password can hold you away from myriad threats online in constant growth! First, we will examine some statistics & news linked to get the risks involved in certain habitsâŠ.. đ
OOSINT = Offensive OSINT
â-> For Educational purposes only <-â
Cracking Time & Passwords
Most people often think with something not sure if set on the upper side of the bodyâŠ..using the family pet name(usually the same one they always post online with tags), date of birth(thanking people on socials for birthdays wishes or Forgetting about Public CVâs & more..), along other very discussable ways of making passwords, forgetting about social media or online hunters(Hackers, Scammers, or co-workers).
đ-They all, live & love 100% - online.đ
What sees one sees the other & vice versa. Bear in mind that.
Indeed, those or similar ninja đ„·đ»techniques will only ease hunter jobs, which usually OSINT their target prior attack. On the other hand, we can use password managers ( as we will surely not be able to memorize more than 5 to 10 hard passwords) and choose wisely to avoid unpleasant incidents.
We should clean and tidy what we use and leave online, just as we do in offline.
Here are some news from around the world about password cracking & Time
If we head to Google, what will we find?
Will the answer be good or not? Here are some catchy posts and a few more that will make you think twice next Time you need to choose a password online. â
âââââââââââââââââââââ
The longer and more varied your password is, the harder it will be to crack it. A 12-character password that only uses numbers will take just a second to crack, but 14-character passwords that use numbers, symbols, upper case, and lower case letters can take millions of years.
- 14 July 2023
tech.co â https://tech.co âș Password Managers -
Can 90% of passwords be cracked in less than six hours?
-Fact #5: 90% of passwords can be cracked in less than six hours.
Think you have a strong password? Think again⊠Hackers are continuing to become more sophisticated and have a variety of ways in which they can crack your passwords to gain access to your online accounts.
â https://blog.entrustit.co.uk âș 6-facts-about-passwords-thatâŠ
Compromised passwords are involved in most breaches today.
In fact, Google Cloudâs 2023 Threat Horizons Report found that 86% of breaches leveraged stolen credentials. And, according to the IBM X-Force Threat Intelligence Index 2024, there was a 71% increase year over year in the volume of attacks using valid credentials. This reflects the trend of attackers shifting to identity-based attacks over traditional vulnerability exploits as the identity attack surface has multiplied and grown by leaps in complexity.
Here are some antivirus you pick your flavour
OR
About a good 2FA, I skip from recommend, but I will drop a list below which you can choose from, and if I can suggest, I often opt for multiplatform one, available for IOs, Android, Windows & Linux, along with a good history of low or no leaks along with good protection and back up all over different devices.
As there are countless options for a good password manager, Iâll add some options you can pick from. Again, choose wisely and never share your MASTER password with anyone.
We now have several options to give a hard time to bad actors at work, but now, we turn sides and see the pirate one.
đ Keep in mind itâs crucial to get proper authorization before using password-cracking tools for ethical security assessments.đ
đNever resort to using these tools for malicious purposes.
BKcrack
Itâs perfect for cracking legacy ZIP encryption with Biham and Kocherâs known plaintext attack. A known plaintext attack is a cryptanalysis method in which the attacker can access plaintext and its encrypted version, which can be used to reveal secret keys and codebooks. Bkcrack is a command-line tool that implements a known plaintext attack on legacy ZIP encryption.
Here are its main features:
- Recover Internal State: bkcrack can recover the internal state from ciphertext and plaintext.
- Change Password: It allows you to change a ZIP archiveâs password using the internal state.
- Recover Original Password: You can recover the original password from the internal state.
This tool helps crack ZIP archives encrypted with traditional PKWARE encryption (legacy encryption or ZipCrypto). The attack uses known plaintext to recover the encryption algorithmâs internal state, which can then be utilized to decrypt the entire archive or brute-force the password.
Here is some more info about Plaintext Attack
THC-Hydra
It is a versatile, powerful, password-cracking tool for penetration testing & security assessments. It supports various protocols & services, making it valuable for assessing network security & not only.
Protocol Support
Hydra can target a wide range of services and protocols, including:
- SSH (Secure Shell)
- FTP (File Transfer Protocol)
- HTTP (Hypertext Transfer Protocol)
- SMB (Server Message Block)
- RDP (Remote Desktop Protocol)
- Telnet
- MySQL
- PostgreSQL
- VNC (Virtual Network Computing)
& many more!
This flexibility empowers security experts to efficiently explore different attack strategies.
Attack Types:
Hydra supports two primary attack modes:
- Dictionary Attack: It uses a predefined list of potential passwords (a dictionary) to attempt authentication.
- Brute-Force Attack: It systematically tries all possible combinations of characters to crack the password.
Users can choose the appropriate attack mode based on their specific use case.
Usage Example:
Suppose you want to test the security of an SSH server.
You can use Hydra with a dictionary file containing potential passwords:
hydra -l username -P /path/to/passwords.txt ssh://target_ipReplace username, /path/to/passwords.txt, and target_ip with the appropriate values.
Android-PIN-Bruteforce
This powerful tool allows you to unlock an Android phone (or device) by brute-forcing the lock screen PIN. It is a very effective tool that is easy to set up and use if you are familiar with it. For medium-experienced professionals or students, it is thus possible to learn, as it was made by humans for humans.
Here are the key details:
How It Works:
Android-PIN-Bruteforce uses a USB OTG cable to connect the locked phone to a Nethunter device.
- It emulates a keyboard, automatically trying different PINs and waiting after too many incorrect guesses.
- The Nethunter device acts like you plugged in a keyboard and pressed keys on the locked phone.
- https://en.m.wikipedia.org/wiki/File:USB-OTG-Adapters.jpg
Requirements:
- A locked Android phone.
- A Nethunter phone (or any rooted Android device with HID kernel support).
- USB OTG cable/adapter (USB male Micro-B to female USB A) and a standard charging cable (USB male Micro-B to male A).
Benefits:
- Turn your NetHunter phone into an Android PIN-cracking machine.
- No need for ADB or USB debugging on the locked phone.
- The locked Android phone doesnât need to be rooted.
No special hardware is required (e.g., Rubber Ducky, Teensy, etc.).
Features:
- Crack PINs of any length (1 to 10 digits).
- Use config files to support different phone models.
- Optimized PIN lists for 3, 4, 5, and 6-digit PINs.
- Bypass phone pop-ups (including Low Power warnings).
- Detect unplugged or powered-off phones and wait while retrying.
SocialBox-Termux
Is a powerful Bruteforce Attack Framework created to target Facebook, Gmail, Instagram, and Twitter accounts. This framework was initially developed by Belahsan Ouerghi and later modified by Samsung to be compatible with Termux, an Android terminal emulator. If youâre interested in installing and running it, here are the steps to do so:
Installation
Open Termux on your Android device.
- Run the following commands:
apt-get update
apt-get install git
git clone https://github.com/samsesh/SocialBox-Termux.git
cd SocialBox-Termux
chmod +x install-sb.sh
./install-sb.shUsage
- Execute the tool:
./SocialBox.shselect your preferred platform, choose your target, and provide the necessary information, such as the target username.
SSB
SSB (Secure Shell Bruteforcer) is a specialized tool created to streamline the process of conducting brute-force attacks on SSH servers. It is designed to enhance the speed and efficiency of these attacks, making them more straightforward and accessible for users.
Hereâs how you can use it:
Installation from Binary
Download a pre-built binary from the, unpack it, and run it.
Alternatively, you can use this command:
(sudo) curl -sSfL 'https://git.io/kitabisa-ssb' | sh -s - -b /usr/local/binInstallation from Source
Ensure you have the go1.14+ compiler installed and configured.
- Run:
GO111MODULE=on go get ktbs. dev/SSBUsage
- Execute SSB with the following options:
ssb [-p port] [-w wordlist.txt] [-t timeout] [-c concurrent] [-r retries] [-o output] [user@]hostname
-p port: Port to connect to the remote host (default 22).
-w wordlist: Path to the wordlist file.
-t timeout: Connection timeout (default 30s).
-c concurrent: Concurrency/threads level (default 100).
-r retries: Specify the connection retries (default 1).
-o output: Save valid passwords to a file.
-v: Verbose mode.
License
SSB is free software distributed under the terms of the Apache license. Copyright © by Dwi Siswanto 2020.
Plutus đ°
A powerful tool designed for one purpose: to brute-force random Bitcoin wallet addresses. But what does that mean? Letâs break it down:
Bitcoin Wallets
A Bitcoin wallet is like a digital treasure chest. It holds your private keys, essentially secret codes, and allows you to control your Bitcoin balance.
Each wallet has a unique address (a long string of characters).
- Plutus sets out on a daring adventure, generating random private keys and converting them into wallet addresses.
- It then checks if any of these addresses have a positive balance (i.e., contain Bitcoin).
The Brute-Forcing Process
- Plutus is lightning-fast. It can brute-force a single Bitcoin address in just 0.002 seconds!
- It uses multiprocessing to tackle multiple addresses simultaneously.
The goal? To randomly stumble upon a funded wallet among the unfathomable 2Âčâ¶â° possible wallets.
Installation & Usage
git clone https://github.com/Isaacdelly/Plutus.git
cd Plutus
pip3 install -r requirements.txt
python3 plutus.pyLicense & Credits
Plutus is free software distributed under the terms of the Apache license. Copyright © by Dwi Siswanto 2020.
Hereâs some more info about brute-forcing
You now have a solid grasp of what a Brute-Force Attack entails, the vulnerabilities associated with weak passwords, and the resources available to fortify your defences against such attacks.
The threat landscape is in a constant state of flux.
New tools are sprouting up globally at an unprecedented pace, and nefarious actors, leveraging the power of AI and cutting-edge technologies, are continuously amplifying their capabilities while shrouding the genuine danger they pose.
> Stay Tuned 4 Mor3 + Share 4 ALL! <<
âŠ.See you s0onâŠ.
