EH-Net
May 24, 2013, 01:02:44 PM
Show Posts
124
Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Bruteforcing Without Causing a DoS
on: April 11, 2011, 06:59:33 PM

Just thought I'd let everyone know that I was able to successfully bruteforce the usernames on the site I was testing. I was able to get 8 out of the 10 names in an hour using a dictionary list I hacked together. For the remaining 2, it took me around 16 hours testing all possible combinations to discover them. Looking at the traffic, my attempts looked to be a normal load... except that I did it at night, during which there is normally not much traffic at all considering we're a start-up still trying to get the word out.
I e-mailed off my findings today and we'll see if they want me to bruteforce the passwords as well, or if they'll just take my word for it and enable account lockout.
126
Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Bruteforcing Without Causing a DoS
on: April 05, 2011, 04:39:14 PM

The server admin is going to give me access to their monitoring program, as well as past activity logs. So I'm going to use those this week while testing on a local server to try to come up with a more normal traffic flow while bruteforcing before I try the actual test this weekend. I'm actually a lot more cautious than I'm coming across here. (In fact, I made sure to get things in writing even when told it wasn't necessary!) I would rather be cautious and send one request every few minutes as opposed to sending hundreds per second. I think for this weekend I'm just going to try some username enumeration (which shouldn't take too long; I already randomly guessed 2 of the 10 accounts) and then go from there. Like I said, this is my first real pentesting job, so I really appreciate everyone's suggestions.
127
Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Bruteforcing Without Causing a DoS
on: April 05, 2011, 12:09:39 AM

They don't have lockout enabled, so there's no chance of that happening. That, combined with the fact that the web developer sent everything in plaintext, and that the error messages differ based on an incorrect username or password, thus allowing username enumeration, does not give me much faith in the web developer they used. Maybe it's my security background, but I find it hard to believe that any professional web developer would make all those mistakes.
I told them about these issues before they made the login system, but they seemed to ignore them, so I just want to bruteforce things to illustrate how serious not having lockout enabled is.
But yes, I have a contact who can reset the server, and I'm going to do it this weekend at night. And I'll take your advice and try it on a VM webserver on my local network; that's a good idea. Thanks.
128
Ethical Hacking Discussions and Related Certifications / Web Applications / Bruteforcing Without Causing a DoS
on: April 04, 2011, 07:24:21 PM

So I got my first job as a website pentester for a small startup. I already found one hole, the web developer sent the username and password in plaintext. Now I think I can bruteforce their usernames and passwords. I have permission to pentest the site, so I don’t need to be covert, but I don’t want to cause a DoS while I’m bruteforcing. What’s a safe number of requests per second to ensure I don’t have a problem? 40 or 30? Is there anything else I need to consider besides the number of requests per second?
Thanks.
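The two login-handler behaviours discussed in posts 127 and 128 above (distinct "unknown username" / "incorrect password" messages with no lockout, versus one generic message plus account lockout and server-side throttling), written out as an added Python example. This is not code from the thread or from the site under test; the user records, passwords, IP addresses and policy thresholds (5 failures, 15-minute lock, 20 attempts per minute per source) are constructed assumptions.

```python
"""Login handler that leaks usernames vs. a hardened one.

Added example, not code from the EH-Net thread or the site it discusses.
It models the two behaviours the posts describe: a handler whose distinct
error messages reveal whether a username exists (and has no lockout), and a
hardened handler with one generic message, per-account lockout and a
per-source throttle. Users, passwords and IP addresses are constructed
sample data; the thresholds are assumptions, not values from the posts.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict

PBKDF2_ROUNDS = 100_000


def _make_record(password: str):
    """Salted PBKDF2 record, so the example never stores plaintext passwords."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample user store (username -> (salt, digest)).
USERS = {"alice": _make_record("correct horse"), "bob": _make_record("hunter2")}
# Dummy record so unknown usernames cost the same hashing time as known ones.
_DUMMY = _make_record("not-a-real-password")


def _password_ok(record, password: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def login_vulnerable(username: str, password: str):
    """Distinct messages: the response itself tells the caller whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown username"
    if not _password_ok(record, password):
        return False, "Incorrect password"
    return True, "Welcome"


# Assumed policy values for the hardened handler.
MAX_FAILURES = 5          # consecutive failures before the account locks
LOCKOUT_SECONDS = 900     # lock duration
WINDOW_SECONDS = 60       # throttle window per source address
MAX_PER_WINDOW = 20       # attempts allowed per source per window
GENERIC = "Invalid username or password"

_failures = defaultdict(int)    # username -> consecutive failures
_locked_until = {}              # username -> unix time the lock expires
_requests = defaultdict(list)   # source address -> recent attempt timestamps


def reset_state():
    """Clear lockout and throttle state (for demos and tests)."""
    _failures.clear()
    _locked_until.clear()
    _requests.clear()


def login_hardened(username: str, password: str, source_ip: str, now=None):
    """One generic failure message, per-account lockout, per-source throttle."""
    now = time.time() if now is None else now
    recent = [t for t in _requests[source_ip] if now - t < WINDOW_SECONDS]
    _requests[source_ip] = recent
    if len(recent) >= MAX_PER_WINDOW:
        return False, "Too many attempts, slow down"
    recent.append(now)

    record = USERS.get(username)
    # Hash even for unknown users so response time does not reveal which names exist.
    ok = _password_ok(record if record is not None else _DUMMY, password)
    ok = ok and record is not None
    if _locked_until.get(username, 0) > now:
        return False, GENERIC          # locked accounts answer like any other failure
    if not ok:
        if record is not None:
            _failures[username] += 1
            if _failures[username] >= MAX_FAILURES:
                _locked_until[username] = now + LOCKOUT_SECONDS
                _failures[username] = 0
        return False, GENERIC
    _failures[username] = 0
    return True, "Welcome"


def leaks_usernames(handler) -> bool:
    """True when a wrong password yields different messages for a known and an unknown user."""
    _, known = handler("alice", "definitely-wrong")
    _, unknown = handler("no-such-user", "definitely-wrong")
    return known != unknown


if __name__ == "__main__":
    print("vulnerable handler leaks usernames:", leaks_usernames(login_vulnerable))
    print("hardened handler leaks usernames:",
          leaks_usernames(lambda u, p: login_hardened(u, p, "198.51.100.7")))
```

The hardened handler hashes a dummy record for unknown usernames so that response time does not become the next enumeration oracle once the messages are made uniform, and it checks the lock only after that work so a locked account is not distinguishable by timing either. The per-source throttle is the server-side answer to the "how many requests per second" question in the original post: with it in place the server, not the tester, decides the sustainable rate, and the authentication log records the throttled and locked attempts for the admin's monitoring program.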
131
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Pentesting Lab Hardware Question/Suggestions
on: April 02, 2011, 05:17:44 PM

I’m planning on putting together a pentesting lab this summer (it’ll give me something to do after I finish eCPPT in June and before I start OSCP in September). Physical space is limited so I was thinking about using rack machines (each running several VMs of course), but now I’m wondering if it wouldn’t just be simpler (and cheaper) to get a few cheap notebooks and run VMs on them.
I’ve never used racks before, so it’d probably be fun to play around with one, but considering I don’t plan on having my lab up 24-7, does anyone with more experience think notebooks would be a better way to go? I’d like a lab that I can expand, meaning I’ll put more money into it over time, but I don’t see myself spending more than $800 initially.
Thanks for the help.