mailing list archives
Re: [PEN-TEST] War Dialers, Brute Force, etc.
From: "Dawes, Rogan" <rdawes () DELOITTE CO ZA>
Date: Mon, 4 Sep 2000 14:09:27 +0200
One such tool is brutus.
It allows you to design your own chat script that you can use to perform the
brute force attack. It comes with predefined scripts for telnet, POP, imap,
smb, ftp, etc, I recall.
From: Vanja Hrustic [mailto:vanja () RELAYGROUP COM]
Sent: Sunday, September 03, 2000 5:42 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] War Dialers, Brute Force, etc.
On Fri, 1 Sep 2000, Todd Beebe wrote:
Toneloc is good for finding modems. But, the value of the
products (both TeleSweep Secure and PhoneSweep) is the
guessing (read vulnerability testing).
Now that you mention this...
I wonder if there are any commercial tools that enable you to do
'extensive' (I don't know if this is the good word :) brute
remote systems? I'm not talking about "dial a modem and gues
only. I'm talking about brute-force against various services (POP3,
telnet, etc.), finding valid users (finger, SMTP using expn
or 'rcpt to:',
using '~username' on web servers, etc.), 'bouncing'...
During the test, you manage to get into a switch that was
you can use it to connect to systems behind the firewall (I'm not
inventing this, so no flames, please :).
Now, in order to do brute force, you *must* connect through
that switch -
you can't connect directly. Are there any commercial tools
'features' like this, where one needs to establish 1 or more
remote host(s) before actually running brute force?
Or, you dial into some terminal server (or whatever), and
from there you
can connect to the remote system in order to perform brute-force.
Or, in there is badly configured proxy server that will let
you connect to
'internal' systems using CONNECT (or GET), and from there you
Simply, are there any tools that can take advantage of all the
'misconfigurations' on the remote network, or all the tools
you will just brute-force the 1st system you connect to?
Also, how do all those 'commercial' (well, let's say
"proprietary" - it
doesn't have to be commercial, but important thing is that you can't
modify it easily) tools determine what kind of dictionary
they should use?
Does person who run the tool need to choose before the brute
or ... ? Tool chooses it based on banners maybe? I ask that for silly
reason - I've used to modify /bin/login (for fun only, long ago, but I
know that some people are still doing things like this :) so
that when you
connect to the UNIX box and try to login, you'll see
something like (and
hear a 'beep' as well ;):
Welcome to VAX/VMS 5.5 on node WHATEVER
User authorization failure
What would 'automated' tool to in this case? (try to send
CTRL+Z first? ;)
My (well, I should say "our" :) 'choice' for all
brute-forcing tools is -
Perl (plus IO::Socket and few other modules, when/if needed).
for me it's more important "what dictionary I'm using" than
"what tool I'm
I wonder what other people are using :)
The Relay Group
- Re: [PEN-TEST] War Dialers, Brute Force, etc. Dawes, Rogan (Sep 04)