
Penetration Testing mailing list archives
RE: BruteForcing?
From: "Troy Fletcher" <troy () alvaka net>
Date: Tue, 17 Oct 2006 14:33:40 -0700
I would :)

-Troy

-----Original Message-----
From: Hagen, Eric [mailto:hagene () DenverNewspaperAgency com]
Sent: Tuesday, October 17, 2006 2:02 PM
To: Troy Fletcher; 09sparky () gmail com; pen-test () securityfocus com
Subject: RE: BruteForcing?

My statement was directed at the fact that updated IOS has password locking and login delay features, however I've just realized Sparky mentioned IOS versions that are before those features were introduced...

But on updated routers (as of mid-2004) that are properly configured with login delays, it would take 3-4 days to run a very small dictionary file attack. And newer routers with a "quiet period" feature and account lockout policies (except on the admin account) are even more work, so much as to make a full dictionary totally impractical.

So, given the version number that Sparky reported, it seems a dictionary attack is substantially reasonable, but given newer routers that are properly secured, they seem to have too little ROI, time and resource wise to be useful.

Would you agree, Troy?

Thanks,
Eric

-----Original Message-----
From: Troy Fletcher [mailto:troy () alvaka net]
Sent: Tuesday, October 17, 2006 1:46 PM
To: Hagen, Eric; 09sparky () gmail com; pen-test () securityfocus com
Subject: RE: BruteForcing?

Sparky,

For brute forcing WebPages, I use Perl scripts combined with Linux tools like cURL and Wget. If you know any programming/scripting languages, I can point you in the right direction. To help see the traffic exchange for WebPage login attempts I recommend using a proxy like WebScarab; once you see the POSTs or GETs, automating attacks with cURL is easy. I don't know any _good_ pre-made WebPage bruteforce tools, but I'm sure that if someone else does, they'll share.

Eric,

I used to agree with your sentiment, and used a list of common passwords and passphrases, until I got burned on a router with "zebra" as the password. The customer wondered why I didn't even run a simple dictionary attack. I explained that the likelihood that the password was a dictionary word was very slim, and that my time was better spent pursuing other attack vectors. She reluctantly agreed, but we all know that kicking off an automated attack takes very little time, and very little continued management (if any).

Now, I run my common list and a good sized dictionary attack for as long as they'll let me. The computer does all the work and (in most cases) you're free to manually manage other attacks while the automated ones run. Since then, I have only missed one dictionary word password that I know of (xenophile), but when I explained that the time constraints only allowed me to run a simplified dictionary attack the customer was fine.

I think that running a dictionary attack, even when you know that it's unlikely it will work, is just part of the job (and can pay off every once in a while). It's also a bit of insurance; should the customer try to test you as they did me, it shows diligence even if you missed it.

-Troy

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Hagen, Eric
Sent: Monday, October 16, 2006 2:06 PM
To: 09sparky () gmail com; pen-test () securityfocus com
Subject: RE: BruteForcing?

Anyone feel free to correct me if I'm wrong, but I don't believe a dictionary attack against modern IOS is practical because of the disconnect/timeout security features of the routers/switches.

Try defaults, maybe a few dozen 'obvious' passwords "root" "enable" "admin" etc and move on to other vulnerabilities.

Eric

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of 09sparky () gmail com
Sent: Sunday, October 15, 2006 12:03 PM
To: pen-test () securityfocus com
Subject: BruteForcing?

This is more of a general brute forcing question, but one which I could use some assistance.

I am attempting to brute force some telnet sessions (Cisco Routers - CISCO IOS 12.2 and IOS 12.3(8), Cisco 1721 router). When telnet'ing in, it only prompts me for a PW (Not a username). It has a 3 attempts disconnect, so I get disconnected and have to reconnect.

My question is: How and what tool should I use to try and brute force (dictionary attack) this session? I have tried Hydra, but when I get disconnected (after 3 attempts), it tells me it is "finished". Not sure if there is a way to make it reconnect. Is there a better tool or other techniques that would work better?

Second question: Brute forcing also, but against WebPages. For example, a Cisco 3000 VPN Concentrator, I have the webpage asking for username/password. How would I attempt to dictionary attack this?

Thanks,
Sparky

This message has been scanned by Alvaka Network's MailWorX service.

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
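Seen from the router's side, the reconnect-after-three-failures pattern discussed in this thread is easy to pick out of the login failure log. The following Python script is an added example, not part of any poster's message: it flags any source that reaches a threshold of failed logins inside a sliding window, however many sessions the failures are spread over. The syslog line layout (modelled on IOS `login on-failure log` output), the host name `rtr1`, the documentation-range addresses and the threshold values are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout, modelled on IOS "login on-failure log" syslog output.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %SEC_LOGIN-4-LOGIN_FAILED: "
    r".*\[Source: (?P<src>[0-9.]+)\]")

def find_guessing_sources(lines, threshold=9, window=timedelta(minutes=5), year=2006):
    """Return {source: (first_alert_time, total_failures)} for sources that
    reach `threshold` failed logins inside any sliding `window`."""
    recent = defaultdict(deque)    # source -> failure times still in the window
    totals = defaultdict(int)
    alerts = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue               # unrelated log lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = m["src"]
        totals[src] += 1
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.setdefault(src, ts)
    return {src: (when, totals[src]) for src, when in alerts.items()}

def _line(ts, src):
    return (f"{ts:%b %d %H:%M:%S} rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
            f"[user: ] [Source: {src}] [localport: 23] "
            f"[Reason: Login Authentication Failed]")

def constructed_sample():
    """Constructed data: one source that reconnects after every third failed
    guess, and one administrator who mistypes twice, hours apart."""
    t0 = datetime(2006, 10, 17, 14, 0, 0)
    lines = [_line(t0 - timedelta(hours=3), "198.51.100.7")]
    for conn in range(5):          # 5 sessions x 3 guesses each
        for guess in range(3):
            lines.append(_line(t0 + timedelta(seconds=20 * conn + 2 * guess), "192.0.2.10"))
    lines.append(_line(t0 + timedelta(hours=1), "198.51.100.7"))
    lines.append("Oct 17 15:30:00 rtr1 %SYS-5-CONFIG_I: Configured from console")
    return lines

if __name__ == "__main__":
    print(find_guessing_sources(constructed_sample()))
```

Counting per source rather than per session is what makes the three-attempt disconnect irrelevant to the detector, while the administrator's two isolated typos stay below the threshold.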
Current thread:
- BruteForcing? 09sparky (Oct 16)
- Re: BruteForcing? Fab (Oct 16)
- Re: BruteForcing? Jeremy Saintot (Oct 17)
- Re: BruteForcing? Christine Kronberg (Oct 17)
- <Possible follow-ups>
- RE: BruteForcing? Hagen, Eric (Oct 16)
- Re: BruteForcing? Paolo Scarabelli (Oct 17)
- RE: BruteForcing? Troy Fletcher (Oct 17)
- Re: BruteForcing? Rogan Dawes (Oct 18)
- RE: BruteForcing? Troy Fletcher (Oct 17)
- RE: BruteForcing? Hagen, Eric (Oct 17)