Add brute force password guessing solution and project subject

author: Thomas Vanbesien <tvanbesi@proton.me> 2026-03-26 14:50:07 +0100
committer: Thomas Vanbesien <tvanbesi@proton.me> 2026-03-26 17:50:28 +0100
commit: 83728c1df429f6a53f1532566fde42fdf67f2c2c (patch)
tree: 9a095bcca30276d86054f569d77ad241c0ecf028 /Brute force password guessing/Resources/notes.md
download: darkly-83728c1df429f6a53f1532566fde42fdf67f2c2c.tar.gz
darkly-83728c1df429f6a53f1532566fde42fdf67f2c2c.zip
1 files changed, 16 insertions, 0 deletions
diff --git a/Brute force password guessing/Resources/notes.md b/Brute force password guessing/Resources/notes.md
new file mode 100644
index 0000000..f13b4e4
--- /dev/null
+++ b/Brute force password guessing/Resources/notes.md
@@ -0,0 +1,16 @@
+## Exploit
+
+[https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy](OWASP: Testing for weak password policy)
+
+1. Found an email in a hidden `<input>` tag in the **Recover Password** page: `webmaster@borntosec.com`
+1. Got a list of common passwords to test from [https://github.com/duyet/bruteforce-database/blob/master/38650-password-sktorrent.txt](here)
+1. Made a `brute_force.bash` script to brute force the login
+
+If you're getting false positives with `brute_force.bash` use a smaller `BATCH_SIZE`.
+
+## Fix
+
+- 2FA
+- Strong password policy
+- Forbid password reuse
+- Password aging
author	Thomas Vanbesien <tvanbesi@proton.me>	2026-03-26 14:50:07 +0100
committer	Thomas Vanbesien <tvanbesi@proton.me>	2026-03-26 17:50:28 +0100
commit	83728c1df429f6a53f1532566fde42fdf67f2c2c (patch)
tree	9a095bcca30276d86054f569d77ad241c0ecf028 /Brute force password guessing/Resources/notes.md
download	darkly-83728c1df429f6a53f1532566fde42fdf67f2c2c.tar.gz darkly-83728c1df429f6a53f1532566fde42fdf67f2c2c.zip