ciscobruter

Added '-b' option to rotate through usernames

Open syntrovert opened this issue 7 years ago • 6 comments

Added support for a -b or --backwards flag to rotate through usernames per password, which can sometimes help avoid account lockouts.

syntrovert, Mar 06 '17 01:03

Hi,

Thanks for your contribution! Before I can merge this branch I need to better understand your reasons for this code change.

What exactly do you mean by "rotate through usernames"?

You can already use the -U option to specify a list of usernames to iterate through.

R3dy, Mar 06 '17 02:03

Many enterprise environments have account lockout policies based on a number of failed passwords in a short amount of time for a user. For example, if Bob has 10 failed password attempts in one 10-second timespan, lock out the account. But some enterprises might say to only lock out the accounts for a very short time, because we don't want to disrupt the user experience...

Instead of trying every password in our list for each user, another option is to try every username for each password.

Let's say our password list is: Welcome1 passw0rd Summer2017 Summer2018 password1 password2 password3 ...

Normally we would try all of these in order for the first user, then move on to the next user. Using something like the "backwards" method (because I can't think of a better name for it) we instead try the first password for each user, in order. Then we try the second password for each user...

As we increase the size of our userlist, we end up increasing the time between trying the same username twice in a row and in many cases, defeating poor lockout policies. Try it out!

Hydra has a similar option "-u" but for ciscobruter the "u" option is already taken.

syntrovert, Mar 06 '17 23:03

This functionality as I understand it is already present. Specify a password list with -P and a user list with -U and it will try all the passwords for user 1 and then all the passwords for user 2 etc. Is this not what you are describing?

R3dy, Mar 07 '17 00:03

No, I've had better results by trying all the users with password 1, then all the users with password 2 etc. At the end, it's all the same: Each combination of username/password is tried. But by reversing the order of what we're iterating we may be able to avoid locking out a user for trying too many passwords in a short amount of time.

Here is an example that I think illustrates it:

Userlist.txt: UserA UserB UserC UserD

Passwordlist.txt: Pass1 Pass2 Pass3 Pass4

Traditional method: UserA/Pass1 UserA/Pass2 UserA/Pass3 UserA/Pass4 UserB/Pass1 UserB/Pass2 UserB/Pass3 UserB/Pass4 UserC/Pass1 UserC/Pass2 UserC/Pass3 UserC/Pass4 UserD/Pass1 UserD/Pass2 UserD/Pass3 UserD/Pass4

Backwards: UserA/Pass1 UserB/Pass1 UserC/Pass1 UserD/Pass1 UserA/Pass2 UserB/Pass2 UserC/Pass2 UserD/Pass2 UserA/Pass3 UserB/Pass3 UserC/Pass3 UserD/Pass3 UserA/Pass4 UserB/Pass4 UserC/Pass4 UserD/Pass4

With only 4 users, it shouldn't make a difference. But when you have a few thousand users, and a situation where the lockout policy "resets" the failed password count after, say, 20 or 30 seconds, we may be able to avoid getting the accounts locked out. Unfortunately a lot of places have such silly lockout policies.

syntrovert, Mar 07 '17 01:03

Ah, now I get it. So you're saying right now the script tries every password for user 1 before moving on to user 2? That's not as effective as the method you are describing. I will look into this further.

R3dy, Mar 07 '17 01:03
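
Seen from the defender's side, the two orderings compared in this thread explain why a per-account failure counter with a short reset catches one and misses the other, while counting distinct accounts that fail from one source catches both. The Python below is an added example, not part of the issue thread or of ciscobruter's code; the event tuples, source address, thresholds, reset semantics, and function names are constructed assumptions.

```python
from collections import defaultdict, deque

USERS = ["UserA", "UserB", "UserC", "UserD"]
SRC = "198.51.100.7"  # constructed documentation address

# Constructed failed-login events: (timestamp in seconds, source, username).
# Password-major order: each account fails once per round, rounds 40 s apart.
PASSWORD_MAJOR = [(rnd * 40 + i, SRC, u)
                  for rnd in range(4) for i, u in enumerate(USERS)]
# User-major order: four consecutive failures per account, 1 s apart.
USER_MAJOR = [(i * 4 + j, SRC, u)
              for i, u in enumerate(USERS) for j in range(4)]


def per_account_lockouts(events, threshold=3, reset_after=30):
    """Model of the lockout policy described in the thread (assumed
    semantics): an account's counter resets once `reset_after` seconds
    pass without a failure; the account locks at `threshold` failures."""
    count, last, locked = defaultdict(int), {}, set()
    for ts, _src, user in events:
        if user in last and ts - last[user] > reset_after:
            count[user] = 0  # quiet period elapsed, counter forgets
        count[user] += 1
        last[user] = ts
        if count[user] >= threshold:
            locked.add(user)
    return locked


def spray_sources(events, min_users=4, window=60):
    """Flag any source whose failures touch at least `min_users` distinct
    accounts inside a sliding `window`, whatever the per-account counts."""
    recent, flagged = defaultdict(deque), set()
    for ts, src, user in events:
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures older than the window
        if len({u for _, u in q}) >= min_users:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    for name, ev in (("user-major", USER_MAJOR),
                     ("password-major", PASSWORD_MAJOR)):
        print(name, sorted(per_account_lockouts(ev)), sorted(spray_sources(ev)))
```

The per-source rule is only one signal; in practice it is usually combined with a longer per-account observation window so that slow, spread-out failures still accumulate.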