Added '-b' option to rotate through usernames #3

Open
syntrovert

Added support for a -b or --backwards flag to rotate through usernames per password, which can sometimes help avoid account lockouts.

@R3dy
Owner

R3dy commented Mar 6, 2017

Hi,

Thanks for your contribution! Before I can merge this branch I need to better understand your reasons for this code change.

What exactly do you mean by "rotate through usernames"?

You can already use the -U option to specify a list of usernames to iterate through.

@syntrovert
Author

Many enterprise environments have account lockout policies based on a number of failed passwords in a short amount of time for a user. For example, if Bob has 10 failed password attempts in a 10-second timespan, lock out the account. But some enterprises might say to only lock out the accounts for a very short time, because we don't want to disrupt the user experience...

Instead of trying every password in our list for each user, another option is to try every username for each password.

Let's say our password list is:
Welcome1
passw0rd
Summer2017
Summer2018
password1
password2
password3
...

Normally we would try all of these in order for the first user, then move on to the next user.
Using something like the "backwards" method (because I can't think of a better name for it) we instead try the first password for each user, in order. Then we try the second password for each user...

As we increase the size of our userlist, we end up increasing the time between trying the same username twice in a row and in many cases, defeating poor lockout policies. Try it out!

Hydra has a similar option "-u" but for ciscobruter the "u" option is already taken.

@R3dy
Owner

R3dy commented Mar 7, 2017

This functionality as I understand it is already present. Specify a password list with -P and a user list with -U and it will try all the passwords for user 1 and then all the passwords for user 2 etc. Is this not what you are describing?

@syntrovert
Author

No, I've had better results by trying all the users with password 1, then all the users with password 2 etc.
At the end, it's all the same: Each combination of username/password is tried. But by reversing the order of what we're iterating we may be able to avoid locking out a user for trying too many passwords in a short amount of time.

Here is an example that I think illustrates it:

Userlist.txt:
UserA
UserB
UserC
UserD

Passwordlist.txt:
Pass1
Pass2
Pass3
Pass4

Traditional method:
UserA/Pass1
UserA/Pass2
UserA/Pass3
UserA/Pass4
UserB/Pass1
UserB/Pass2
UserB/Pass3
UserB/Pass4
UserC/Pass1
UserC/Pass2
UserC/Pass3
UserC/Pass4
UserD/Pass1
UserD/Pass2
UserD/Pass3
UserD/Pass4

Backwards:
UserA/Pass1
UserB/Pass1
UserC/Pass1
UserD/Pass1
UserA/Pass2
UserB/Pass2
UserC/Pass2
UserD/Pass2
UserA/Pass3
UserB/Pass3
UserC/Pass3
UserD/Pass3
UserA/Pass4
UserB/Pass4
UserC/Pass4
UserD/Pass4

With only 4 users, it shouldn't make a difference. But when you have a few thousand users, and a situation where the lockout policy "resets" the failed password count after, say, 20 or 30 seconds, we may be able to avoid getting the accounts locked out. Unfortunately a lot of places have such silly lockout policies.

@R3dy
Owner

R3dy commented Mar 7, 2017

Ah, now I get it. So you're saying right now the script tries every password for user 1 before moving on to user 2? That's not as effective as the method you are describing. I will look into this further.
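
Added example, not part of the original thread or the ciscobruter code: the defender's view of the two orderings discussed above. A per-account failure counter with a short reset window never trips when attempts rotate across users, while counting distinct failed usernames per source does; the thresholds, source address and log tuples below are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW = 30         # seconds before old failures are forgotten (constructed policy)
LOCKOUT_FAILS = 3   # failures per account within WINDOW that lock it (constructed)
SPRAY_USERS = 10    # distinct failed usernames per source within WINDOW (constructed)

def per_account_lockouts(events):
    """Accounts whose failure count within WINDOW reaches LOCKOUT_FAILS."""
    recent = defaultdict(deque)            # user -> timestamps of recent failures
    locked = set()
    for ts, _src, user, ok in events:
        if ok:
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] >= WINDOW:         # drop failures older than the window
            q.popleft()
        if len(q) >= LOCKOUT_FAILS:
            locked.add(user)
    return locked

def spray_sources(events):
    """Sources with failed logins for SPRAY_USERS distinct accounts within WINDOW."""
    recent = defaultdict(deque)            # source -> (timestamp, user) of failures
    flagged = set()
    for ts, src, user, ok in events:
        if ok:
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] >= WINDOW:
            q.popleft()
        if len({u for _, u in q}) >= SPRAY_USERS:
            flagged.add(src)
    return flagged

def sample_log(order):
    """Constructed log: 40 accounts x 4 failed attempts, one attempt per second."""
    users = [f"user{i:02d}" for i in range(40)]
    if order == "per-user":                # the "traditional" ordering in the thread
        pairs = [(u, p) for u in users for p in range(4)]
    else:                                  # the "backwards" ordering in the thread
        pairs = [(u, p) for p in range(4) for u in users]
    return [(t, "203.0.113.7", u, False) for t, (u, _p) in enumerate(pairs)]

if __name__ == "__main__":
    for order in ("per-user", "per-password"):
        log = sample_log(order)
        print(order, len(per_account_lockouts(log)), sorted(spray_sources(log)))
```

On the rotated log no account is locked, yet the source is flagged after the tenth distinct username, which is why per-source counting belongs alongside per-account lockout.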
