Checking for brute-force protection

[whiterabbit7500]

Does BT4 have any tools to test a server for protection from a brute-force attack? I have a good wordlist to use, but before I start running it, I want to be sure I'm not wasting my time doing it if the server will simply ignore all request after a certain number.

[peterpancake]

First, a brute-force attack does not use word lists. Read this article: https://www.infosecisland.com/blogvi...y-Attacks.html

For pure brute force attacks, all you need is the math about how many passwords you may be able to check in a certain time (check server restrictions here!) and the time it would then take to find a certain password of a certain length and contents. Use this: http://lastbit.com/pswcalc.asp

[whiterabbit7500]

thanks, but that has absolutly nothing to do with my question, regardless of what it's called. I simply called it a brute-force because i'm using wordlist with over 3,000,000 words.

My question, again, was if there is a way to check the target server for protection against brute-force attacks, such as timeouts, lockouts, etc.

[r083rt]

hydra or if you want the gui version hydra-gtk

[hhmatt]

Yeah, know what you are attacking and watch the traffic.

What you are doing is called a dictionary attack and you should know the difference before you even do it.