🌪Crack a Zip

Bruteforce Attacks a closer look — OOSINT → 
..

Snooptz
11 min read · May 14, 2024
Credits: Bing AI + M3

嗨，你们好吗？

  • = Hi How @re YOU Peopl3!

I hope you have a safe surf online!

Today, we will look at how easy it is to crack or brute-force files or accounts & why having at least a 2FA (Two-Factor Authenticator) together with a COMPLEX password can keep you away from a myriad of constantly growing online threats! First, we will examine some statistics & news to understand the risks involved in certain habits.. 😈

OOSINT = Offensive OSINT

“-> For Educational purposes only <-”

Cracking Time & Passwords

Most people often think with something that I'm not sure sits on the upper side of the body.. using the family pet's name (usually the same one they always post online with tags), a date of birth (thanking people on socials for birthday wishes, or forgetting about public CVs & more..), along with other very questionable ways of making passwords, forgetting about social media or online hunters (hackers, scammers, or co-workers).
😇-They all live & love 100% - online.😈
What one sees, the other sees & vice versa. Bear that in mind.
Indeed, those or similar ninja 🥷🏻 techniques will only make the job easier for hunters, who usually OSINT their target prior to an attack. On the other hand, we can use password managers (as we will surely not be able to memorize more than 5 to 10 hard passwords) and choose wisely to avoid unpleasant incidents.

We should clean and tidy what we use and leave online, just as we do offline.
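The pet-name and birthday habit described above can be checked for at the moment a password is chosen. An added example (not from the original post) that estimates a password's brute-force search space and flags tokens taken from a public profile; the profile, the sample passwords and the 70-bit floor are constructed assumptions.

```python
import math
import string
from datetime import date

# Undo common "leet" substitutions before looking for names (R3x -> rex).
LEET = str.maketrans("4@310!5$7", "aaeioisst")
MIN_BITS = 70  # assumed policy floor for this example, not a standard

def date_variants(iso_day):
    """Ways a birthday commonly ends up inside a password."""
    d = date.fromisoformat(iso_day)
    formats = ("%Y", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y", "%d%m", "%m%d")
    return {d.strftime(f) for f in formats}

def charset_size(pw):
    """Size of the alphabet an exhaustive search would have to cover."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    return sum(len(p) for p in pools if any(c in p for c in pw))

def audit_password(pw, names=(), birthdays=()):
    """Report the search space (upper bound: assumes random characters)
    and any tokens an attacker could read off a public profile."""
    hits = []
    normalized = pw.lower().translate(LEET)
    for name in names:
        if len(name) >= 3 and name.lower() in normalized:
            hits.append(name)
    for day in birthdays:
        # Dates are matched on the raw password, before leet normalization.
        if any(v in pw for v in date_variants(day)):
            hits.append(day)
    size = charset_size(pw)
    bits = len(pw) * math.log2(size) if size else 0.0
    return {"bits": round(bits, 1), "personal_hits": hits,
            "acceptable": not hits and bits >= MIN_BITS}

if __name__ == "__main__":
    # Constructed profile and passwords, for illustration only.
    for pw in ("R3x1990!", "482915730264", "kV9#tq2L!wz7Pd"):
        print(pw, audit_password(pw, names=["Rex"], birthdays=["1990-07-03"]))
```

A personal hit should reject the password regardless of the bit count, because the bit figure only holds when the characters were chosen at random.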

Here is some news from around the world about password cracking & time

If we head to Google, what will we find?
Will the answer be good or not? Here are some catchy posts and a few more that will make you think twice next time you need to choose a password online. ☄

⛈⛈⛈⛈⛈⛈⛈⛈⛈⛈⛈⛈⛈⛈⛈⛈⛈⛈⛈⛈⛈

The longer and more varied your password is, the harder it will be to crack it. A 12-character password that only uses numbers will take just a second to crack, but 14-character passwords that use numbers, symbols, upper case, and lower case letters can take millions of years.
- 14 July 2023

tech.co — https://tech.co › Password Managers

Can 90% of passwords be cracked in less than six hours?

-Fact #5: 90% of passwords can be cracked in less than six hours.
Think you have a strong password? Think again
 Hackers are continuing to become more sophisticated and have a variety of ways in which they can crack your passwords to gain access to your online accounts.

— https://blog.entrustit.co.uk › 6-facts-about-passwords-that


Google +Me 4 Asking 🙉

Compromised passwords are involved in most breaches today. In fact, Google Cloud’s 2023 Threat Horizons Report found that 86% of breaches leveraged stolen credentials. And, according to the IBM X-Force Threat Intelligence Index 2024, there was a 71% increase year over year in the volume of attacks using valid credentials. This reflects the trend of attackers shifting to identity-based attacks over traditional vulnerability exploits as the identity attack surface has multiplied and grown by leaps in complexity.

Here are some antivirus options; pick your flavour

Credits: Bing AI

As for a good 2FA, I will skip recommending one, but I will drop a list below which you can choose from, and if I can suggest, I often opt for a multiplatform one, available for iOS, Android, Windows & Linux, with a good history of few or no leaks, along with good protection and backup across different devices.

As there are countless options for a good password manager, I’ll add some options you can pick from. Again, choose wisely and never share your MASTER password with anyone.

We now have several options to give a hard time to bad actors at work, but now, we turn sides and see the pirate one.

🚀 Keep in mind it’s crucial to get proper authorization before using password-cracking tools for ethical security assessments.🚀

🚀Never resort to using these tools for malicious purposes.

BKcrack

It’s perfect for cracking legacy ZIP encryption with Biham and Kocher’s known plaintext attack. A known plaintext attack is a cryptanalysis method in which the attacker has access to both a plaintext and its encrypted version, which can be used to reveal secret keys and codebooks. bkcrack is a command-line tool that implements a known plaintext attack on legacy ZIP encryption.

Here are its main features:

  1. Recover Internal State: bkcrack can recover the internal state from ciphertext and plaintext.
  2. Change Password: It allows you to change a ZIP archive’s password using the internal state.
  3. Recover Original Password: You can recover the original password from the internal state.

This tool helps crack ZIP archives encrypted with traditional PKWARE encryption (legacy encryption or ZipCrypto). The attack uses known plaintext to recover the encryption algorithm’s internal state, which can then be utilized to decrypt the entire archive or brute-force the password.
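From the defender's side, the first check is whether an archive uses legacy ZipCrypto at all, since AES-encrypted entries are not what this attack targets. An added example (not part of bkcrack or the original post) that reads a ZIP's central directory and labels each entry's encryption; the sample archive is constructed in memory with patched header fields.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001   # general-purpose flag bit 0: entry is encrypted
STRONG = 0x0040      # flag bit 6: PKWARE strong encryption
AES_METHOD = 99      # compression-method value used by WinZip AES entries

def audit_zip(source):
    """Map each entry name to 'none', 'zipcrypto', 'aes' or 'pkware-strong'.

    Only the central directory is read, so no password is needed.
    """
    report = {}
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            if not info.flag_bits & ENCRYPTED:
                kind = "none"
            elif info.compress_type == AES_METHOD:
                kind = "aes"
            elif info.flag_bits & STRONG:
                kind = "pkware-strong"
            else:
                kind = "zipcrypto"  # legacy cipher, exposed to known plaintext
            report[info.filename] = kind
    return report

def constructed_sample():
    """Build a small archive in memory, then patch the central-directory
    flag/method fields so entries *look* encrypted (payloads are not)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("plain.txt", "legacy.txt", "aes.txt"):
            zf.writestr(name, "constructed sample data")
    raw = bytearray(buf.getvalue())
    pos = -1
    for patch in (None, (ENCRYPTED, 0), (ENCRYPTED, AES_METHOD)):
        pos = raw.find(b"PK\x01\x02", pos + 1)  # next central-directory header
        if patch:
            struct.pack_into("<HH", raw, pos + 8, *patch)  # flags, method
    return io.BytesIO(bytes(raw))

if __name__ == "__main__":
    for name, kind in audit_zip(constructed_sample()).items():
        print(f"{name}: {kind}")
```

Any entry reported as `zipcrypto` is a candidate for re-archiving with AES encryption.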

Here is some more info about Plaintext Attack


THC-Hydra

It is a versatile, powerful password-cracking tool for penetration testing & security assessments. It supports various protocols & services, making it valuable for assessing network security & more.

Protocol Support

Hydra can target a wide range of services and protocols, including:

  • SSH (Secure Shell)
  • FTP (File Transfer Protocol)
  • HTTP (Hypertext Transfer Protocol)
  • SMB (Server Message Block)
  • RDP (Remote Desktop Protocol)
  • Telnet
  • MySQL
  • PostgreSQL
  • VNC (Virtual Network Computing)

& many more!

This flexibility empowers security experts to efficiently explore different attack strategies.

Attack Types:

Hydra supports two primary attack modes:

  • Dictionary Attack: It uses a predefined list of potential passwords (a dictionary) to attempt authentication.
  • Brute-Force Attack: It systematically tries all possible combinations of characters to crack the password.

Users can choose the appropriate attack mode based on their specific use case.

Usage Example:

Suppose you want to test the security of an SSH server.
You can use Hydra with a dictionary file containing potential passwords:

hydra -l username -P /path/to/passwords.txt ssh://target_ip

Replace username, /path/to/passwords.txt, and target_ip with the appropriate values.

Android-PIN-Bruteforce

This powerful tool allows you to unlock an Android phone (or device) by brute-forcing the lock screen PIN. It is a very effective tool that is easy to set up and use if you are familiar with it. Professionals or students with medium experience can thus learn it, as it was made by humans for humans.

https://github.com/urbanadventurer/Android-PIN-Bruteforce

Here are the key details:

How It Works:

Android-PIN-Bruteforce uses a USB OTG cable to connect the locked phone to a Nethunter device.

Requirements:

  • A locked Android phone.
  • A Nethunter phone (or any rooted Android device with HID kernel support).
  • USB OTG cable/adapter (USB male Micro-B to female USB A) and a standard charging cable (USB male Micro-B to male A).

Benefits:

  • Turn your NetHunter phone into an Android PIN-cracking machine.
  • No need for ADB or USB debugging on the locked phone.
  • The locked Android phone doesn’t need to be rooted.
  • No special hardware is required (e.g., Rubber Ducky, Teensy, etc.).

Features:

  • Crack PINs of any length (1 to 10 digits).
  • Use config files to support different phone models.
  • Optimized PIN lists for 3, 4, 5, and 6-digit PINs.
  • Bypass phone pop-ups (including Low Power warnings).
  • Detect unplugged or powered-off phones and wait while retrying.

SocialBox-Termux

It is a powerful Bruteforce Attack Framework created to target Facebook, Gmail, Instagram, and Twitter accounts. This framework was initially developed by Belahsan Ouerghi and later modified by Samsung to be compatible with Termux, an Android terminal emulator. If you’re interested in installing and running it, here are the steps to do so:

Installation

Open Termux on your Android device.

  • Run the following commands:
apt-get update
apt-get install git
git clone https://github.com/samsesh/SocialBox-Termux.git
cd SocialBox-Termux
chmod +x install-sb.sh
./install-sb.sh

Usage

  • Execute the tool:
./SocialBox.sh

Select your preferred platform, choose your target, and provide the necessary information, such as the target username.

SSB

SSB (Secure Shell Bruteforcer) is a specialized tool created to streamline the process of conducting brute-force attacks on SSH servers. It is designed to enhance the speed and efficiency of these attacks, making them more straightforward and accessible for users.

Here’s how you can use it:

Installation from Binary

Download a pre-built binary, unpack it, and run it.
Alternatively, you can use this command:

(sudo) curl -sSfL 'https://git.io/kitabisa-ssb' | sh -s - -b /usr/local/bin

Installation from Source

Ensure you have the go1.14+ compiler installed and configured.

  • Run:
GO111MODULE=on go get ktbs.dev/ssb

Usage

  • Execute SSB with the following options:
ssb [-p port] [-w wordlist.txt] [-t timeout] [-c concurrent] [-r retries] [-o output] [user@]hostname

-p port: Port to connect to the remote host (default 22).

-w wordlist: Path to the wordlist file.

-t timeout: Connection timeout (default 30s).

-c concurrent: Concurrency/threads level (default 100).

-r retries: Specify the connection retries (default 1).

-o output: Save valid passwords to a file.

-v: Verbose mode.

License

SSB is free software distributed under the terms of the Apache license. Copyright © by Dwi Siswanto 2020.
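On the server side, the dictionary attempts that Hydra and SSB make against SSH appear as bursts of failed logins in the sshd log. An added example (not from the original post or either tool) that flags source addresses reaching a failure threshold inside a time window; the log lines are constructed, and the threshold, window and year are assumptions to tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line in classic syslog format (no year field).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return {source_ip: usernames tried} for sources that reach
    `threshold` failed logins within any `window`-long span."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> every username that failed
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        users[m["ip"]].add(m["user"])
        if len(q) >= threshold:
            flagged[m["ip"]] = users[m["ip"]]
    return flagged

# Constructed log: one source cycling usernames every second, and one user
# who mistypes twice, 25 minutes apart, before logging in.
TRIED = ["root", "invalid user admin", "root", "invalid user test",
         "root", "invalid user oracle"]
SAMPLE_LOG = [
    f"May 14 10:00:{s:02d} host sshd[{100 + s}]: Failed password for {u} "
    f"from 203.0.113.7 port {40000 + s} ssh2" for s, u in enumerate(TRIED)
] + [
    "May 14 10:05:00 host sshd[200]: Failed password for alice from 198.51.100.9 port 50000 ssh2",
    "May 14 10:30:00 host sshd[201]: Failed password for alice from 198.51.100.9 port 50001 ssh2",
    "May 14 10:30:20 host sshd[202]: Accepted password for alice from 198.51.100.9 port 50002 ssh2",
]

if __name__ == "__main__":
    for ip, names in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} usernames tried -> {sorted(names)}")
```

Many different usernames from a single source is itself a strong signal, since a legitimate user who mistypes a password keeps the same username.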

Plutus 💰

A powerful tool designed for one purpose: to brute-force random Bitcoin wallet addresses. But what does that mean? Let’s break it down:

Bitcoin Wallets

A Bitcoin wallet is like a digital treasure chest. It holds your private keys, essentially secret codes, and allows you to control your Bitcoin balance.

Each wallet has a unique address (a long string of characters).

  • Plutus sets out on a daring adventure, generating random private keys and converting them into wallet addresses.
  • It then checks if any of these addresses have a positive balance (i.e., contain Bitcoin).

The Brute-Forcing Process

  • Plutus is lightning-fast. It can brute-force a single Bitcoin address in just 0.002 seconds!
  • It uses multiprocessing to tackle multiple addresses simultaneously.

The goal? To randomly stumble upon a funded wallet among the unfathomable 2¹⁶⁰ possible wallets.

Installation & Usage

git clone https://github.com/Isaacdelly/Plutus.git
cd Plutus
pip3 install -r requirements.txt
python3 plutus.py

License & Credits

Plutus is free software distributed under the terms of the Apache license. Copyright © by Dwi Siswanto 2020.

Here’s some more info about brute-forcing

https://github.com/duyet/bruteforce-database

You now have a solid grasp of what a Brute-Force Attack entails, the vulnerabilities associated with weak passwords, and the resources available to fortify your defences against such attacks.

The threat landscape is in a constant state of flux.

New tools are sprouting up globally at an unprecedented pace, and nefarious actors, leveraging the power of AI and cutting-edge technologies, are continuously amplifying their capabilities while shrouding the genuine danger they pose.

> Stay Tuned 4 Mor3 + Share 4 ALL! <<


.See you s0on