Paid Advertising
web application security lab

Hacking Intranets Via Brute Force

I’ve been toying with Intranet hacking for a few years now, and I’ve always though there were more creative ways to do that. One of which was by using JavaScript. Another that is less sexy but no doubt dangerous is direct brute force. One of the major issues with Intranets is that companies don’t realize they need both an internal and an external DNS resolver. One for the public and one to hide the true IP address of their intranet applications. The obvious Intranet application that most companies have is an Intranet page. Usually it links the user to all the other wonderful applications that the company hosts.

Okay, well that’s great, so it would seem that the Intranet isn’t that interesting if it’s only got a bunch of links. Well that’s probably true except that knowing the links and knowing that the DNS resolver works for internal applications as well as external means that once you know the name you can start finding a lot more interesting websites on the internal site. Okay, so where do we find some vulnerable sites? Easy enough, let the Internet do some work for you. Let’s start with a big list of sites (the Alexa 500 will do). Now let’s scrape them and do a DNS lookup on each one looking for a few common key words “intranet” and “internal”. Now let’s do a reverse lookup and see what their IP address is. And here’s our list:

(Note: you aren’t seeing redundant listings, they actually have different names “internal” and “intranet” even though they point to the same IP). Wow… I thought I’d find one or two, but 162 examples in the Alexa 500 alone! The ones with non-routable IP space like the 10.* and 192.168.* ones may still be interesting for anti-DNS pinning but let’s ignore them for this conversation.

Now what are the chances all of those sites have secured their Intranets? Specifically how many do you think would shut down access to brute force attempts? We already know the usernames for those accounts, because they are almost always the NT domain usernames. Where would we find NT usernames out on the Internet? Well thankfully search engines have done the work for us here as they are almost always the same names as any public email addresses from those companies. IE: is almost always the same as the NTDomain. Using this we can now brute force the Intranet website, with relative ease.

13 Responses to “Hacking Intranets Via Brute Force”

  1. ChrisP Says:

    Yeah but I would think most of these sites are likely to be either unaccessible from the Internet (port 80 blocked) or 301/303 you to the public WWW server.

  2. RSnake Says:

    Instead of just guessing I wrote a tiny (but verrrry slow) script to connect to all those and parse out any 401 headers and sure enough there were some: 401 Authorization Required 401 Authorization Required 401 Authorization Required 401 Authorization Required 401 Authorization Required 401 Authorization Required

    Further you have others that are probably the same thing just not using basic auth (I didn’t spend much time looking for these):

    So seven confirmed examples in 500 domains. Not bad. That also doesn’t count the RFC1918 non-routables.

  3. ChrisP Says:

    Interesting indeed - now I wonder whether the admins of those sites were actually intending on providing “public” access to those sites (although with the credentials sent in clear text, one may wonder what they were thinking) or maybe they thought they were safe because nobody would find out about those hosts. They’re HIDDEN you see ;)

    Reminds of “google hacking” for WWW-enabled RDP hosts - the number of servers you can find is mind blowing.

  4. kuza55 Says:

    I wonder how many of those are flase positives.

    After going through a couple I’ve found a few separate different types of false positive:

    - Wildcard DNS records (some of these redirect to www subdomains, but others just work)
    - User created subdomains ilke like and
    - 404 Errors saying Virtual host not found (e.g.,

    And most of the sites I’ve checked fall into the Wildcard DNS category, so I think the 162 sites figure was a bit erroneous.

    Personally I think the more interesting sites were the ones with non-routable addresses, because they leak useful information which can greatly increase the chance of a targeted Anti-DNS Pinning attack working. And those ones are not likely to have authentication since they are meant to be non-routable.

  5. RSnake Says:

    Right, the 162 number was only which ones resolved. The 7 in the last comment I made are actual working examples. And yes, the RFC1918 addresses are interesting, but in a completely different way outside of what the topic was.

  6. web application security lab - Archive » Fierce Domain Scan Released Says:

    […] Some of you will remember that I wrote a tool to uncover “” and “” servers in the Alexa top 100. Well that was interesting, but it was only a precursor to Fierce. Fierce takes that same idea and magnifies it to over 300 requests. Further when it finds something on an IP it attempts to traverse up and down that IP range (within the class C) looking for other hosts that match your domain of interest using reverse DNS (or a supplemental pattern match that I added on top of it). […]

  7. Neo Says:

    Hi..can someone help me get started with this,I need to access via the Intranet…coz I am in a soup right now and need some help financially to get out of it.

  8. Fawad Says:

    Hi.. Someone one plz help me with to haccccck hi5 account… Jus wana see if someone is cheating on me……………………….thanksss

  9. n00b Says:

    @ Neo (did you really put that name?)
    I am pretty sure this is a white hat site, (me being a n00b I wouldn’t know) not some freaking black market to get people to help you hack your way out of trouble financial or not. Correct me if I am wrong, because I am the n00b

  10. EdSlick Says:

    Hey all,
    I have a user name and passwrod for an intranet but cannot get onto it from my computer. Is it possible to if so how? Cheers

  11. luca Says:

    hey guys liste some freak i knew hacked my msn and i had all my familys addys on there and ill never hear from them again if i dont get that password back soooo pleasee if somone knows how to hack a msn password please tell me

  12. Hoxxy Says:

    Bill Gates might know how to hack MSN lol

  13. b.tiger Says:

    help me to hack this intranet