SV - DEV : automated forum bruteforce tester

[shamanvirtuel]

last night when playing with my password profiling module i built for ezpawn, i just have an idea

since my module parse all links recursively from a web page and find unik words

that means that if i pass the memberlist page from a forum

the module will follow all links in the page OR

there's the find all threads / find all posts by user .....

or the vcard files.....and anything that is linked under the profile of each members

it's currently running against a huge target and will finally produce a security alert report with a HUGE wordlist containing all unik words in the WHOLE forum.....

after that the module will start seeking for weak accounts ...... and report the pairs found ......

this will not be intended to crack forum, but to test your own forum in order to accurate your security policies.......

[Primey]

nicely done shaman!

that is a hell of a work you did there on EZ-Pawn

[shamanvirtuel]

this is useing ezpawn module script but will not be include in ezpawn beta... but only in final reliz wich will occur some times before bt3final...

[shamanvirtuel]

as it could take up to a whole day to parse a HUGE forum like this one....
i will add a stop / resume download function

here more details of what i plan to do

Language : Java Web
Style : FIREFOX EXTENSION
FUNCTIONS : DL & PARSE TARGET / CHECK ACCOUNTS / REPORT
USAGE : SIMPLY SURFING THE PAGE, TOOLS MENU OF FIREFOX, CHOOSE MODULE, CLICK THE FUNCTION DESIRED......

it's only the first brainstorming, and it will be the first firefox extension i design, so be patient

[anathema]

Great idea,
I run a forum with over 15000 members so it would be great to have something like that so I can advise users of their weak accounts which can put other forum members at risk.

Thanks SV

[dirtscience]

When you run a forum and you want to test it for weak accounts. Whats your obligations to the members of your forum? should you notify during sign up that you test accounts for weak passwords or just notify them individually when you find weak accounts. Personally I would not feel to good about someone checking my account for my password (Im sure it happens anyway, and ignorance is bliss.) When do you pass over ethical? Shaman Please in no way take this as me being critical of your work. I am a big fan of your work and was working on script for wget and all the sudden there you are popping one out before I can figure out how to remove temp directories. I even made a few modifications to passpro to allow a couple more variables at the beginning such as specifying minlen and maxlen. Again please take this as general discussion. I love your work, and Ideas.

[imported_wyze]

(silently edits every one of his posts of identity before he gets owned by some disgruntled RE forum user)

[shamanvirtuel]

LOL .... i think this MUST be clear in the rules.......

it's a question of ethics

passpro is only a dirty thing ive wrote in 5 minutes.... the final version will have more options , like lenghts, charset limit, i will also make it dl ONLY the TEXT PARTS, because actually just dl all

i need to add to a depth level param for the link parser.... because it follows too deep sometimes

thx 4 your words

[imported_wyze]

i need to add to a depth level param for the link parser.... because it follows too deep sometimes

Yeah, I can see how that could be a problem. There are a lot of scripts out there with that logic... auditmypc.com has a very similar bit of code and it used to be public on their site (but I can't seem to find the link anymore..?)

[shamanvirtuel]

i do not need anything else than wget .... you have such dept levels , and content filters, i will maybe get only the first level of depth,..