Login Brute Forcing Skills Assessment Part 1

danielem · October 16, 2024, 1:47pm

Looks like this module got updated so I don’t see any posts about the changed skills assessment and I am stuck on the first question:

“What is the password for the basic auth login?”

They give two wordlists for usernames and passwords. When using either hydra or medusa for brute forcing http basic auth the estimated time to completion is far longer than the life of my pwnbox. When running hydra with the two word lists provided and 64 threads it’s still an estimated 10+ hours to complete.

The only thing I can think of is that I need to shorten the word lists by removing any less than 6 characters, any without numbers, etc. however, I don’t know of any password policies associated with http basic auth by default and couldn’t find anything through google.

please push me in the right direction, thanks.

theklisstef98 · October 17, 2024, 12:11pm

Are you using ‘wget [link]’ to download the username and password files? If so, keep in mind that these links point to the GitHub repository page rather than the raw content of the file itself. Make sure you are using the ‘raw’ link instead

danielem · October 17, 2024, 3:44pm

Thank you very much. I was using wget without realizing this was a link to a github.