Security Forums
My limited experience/time effectiveness of Access methods

flw
Posted: Sun Jan 05, 2003 1:14 am    Post subject: My limited experience/time effectiveness of Access methods

With my very limited experience in gaining sys access via various apps, it seems the following is true, but please comment on any points:

Conditions: all the following assume no IP restrictions and are open for dual-token (usr/pwd) access with no crypto. Also that you have not root'd the machine.

FTP Access: unless you're using a packet sniffer and catching the cleartext pwd, FTP is too slow in response to try a brute force, and unless the admin used an actual word, dictionary access is a waste of time. Comments?

Telnet Access: same as above.

HTTP Basic Auth Access: 10 times the number of auth requests for each FTP request, i.e. much faster for dictionary or brute-force access. But like FTP/Telnet, if the admin used a strong pwd it takes too long without reading the cleartext data.

As of this post, I have a test running using a good username and an alphanumeric pwd with no special characters. So all it needs is the password, since I gave it a correct username. Still running at over 5 hours with under 600K pwd combinations. The password is just 8 characters long (since I made it).

I have not tested sites that used Java for security via pwd/usr, since I don't know the config of the site. Any comments?

SSH Access: since most/all use crypto, I don't bother. Same for digest auth for HTTP. Crypto is not my thing.

POP/SMTP Access: I just haven't got to it.
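A worked version of the numbers in the post above, as an added example that is not code from the original post. It takes the figures given there (a correct username already known, an 8-character alphanumeric password, roughly 600K guesses in a little over 5 hours) and shows how large the keyspace is, how long exhausting it would take at that rate, what a dictionary attack against an HTTP Basic Auth endpoint looks like, and how a lockout policy changes the outcome. The in-process verifier stands in for a real server; the wordlist, the account passwords and the lockout threshold are constructed for the demo, and nothing here touches the network.

```python
"""Feasibility of online password guessing (added worked example).

Not code from the original post. The verifier, the wordlist and the
account passwords are constructed for the demo.
"""
import base64
import string
from typing import Iterable, Optional

ALNUM = string.ascii_letters + string.digits   # 62 symbols, no specials

# Constructed wordlist; a real one would be far longer.
WORDLIST = ["password", "letmein", "admin", "secret", "summer2002", "qwerty123"]


def keyspace_size(length: int, alphabet: str = ALNUM) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return len(alphabet) ** length


def observed_rate(guesses: int, elapsed_seconds: float) -> float:
    """Guesses per second actually achieved against the target."""
    return guesses / elapsed_seconds


def seconds_to_exhaust(length: int, guesses_per_second: float,
                       alphabet: str = ALNUM) -> float:
    """Worst-case time to try every password of that length and alphabet."""
    return keyspace_size(length, alphabet) / guesses_per_second


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header a client sends (base64 of user:pass)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


class BasicAuthService:
    """Stand-in for a Basic-Auth-protected server, with optional lockout.

    lockout_after=None models the "no lockout policy" case; an integer
    locks the account after that many consecutive failures.
    """

    def __init__(self, users: dict, lockout_after: Optional[int] = None):
        self._users = users
        self._lockout_after = lockout_after
        self._failures: dict = {}
        self.requests = 0          # auth requests the attacker caused

    def check(self, header: str) -> str:
        self.requests += 1
        scheme, _, token = header.partition(" ")
        if scheme != "Basic":
            return "bad-scheme"
        try:
            user, _, pwd = base64.b64decode(token).decode().partition(":")
        except Exception:
            return "bad-token"
        if (self._lockout_after is not None
                and self._failures.get(user, 0) >= self._lockout_after):
            return "locked"
        if self._users.get(user) == pwd:
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        return "denied"


def dictionary_attack(service: BasicAuthService, user: str,
                      wordlist: Iterable[str]) -> Optional[str]:
    """Try each candidate once; stop on success or when the account locks."""
    for candidate in wordlist:
        result = service.check(basic_auth_header(user, candidate))
        if result == "ok":
            return candidate
        if result == "locked":
            return None
    return None


def demo() -> dict:
    rate = observed_rate(600_000, 5 * 3600)              # figures from the post
    years = seconds_to_exhaust(8, rate) / (365 * 86400)
    weak = BasicAuthService({"admin": "summer2002"})
    locked = BasicAuthService({"admin": "summer2002"}, lockout_after=3)
    return {
        "guesses_per_second": round(rate, 1),
        "years_to_exhaust_8_alnum": round(years),
        "weak_password_found": dictionary_attack(weak, "admin", WORDLIST),
        "weak_requests": weak.requests,
        "with_lockout_found": dictionary_attack(locked, "admin", WORDLIST),
        "with_lockout_requests": locked.requests,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

At about 33 guesses a second the full 8-character alphanumeric keyspace takes on the order of two hundred thousand years, which is the point the post makes about strong passwords; the dictionary run finds a weak password in a handful of requests when there is no lockout, and stops dead after three failures when there is one.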
Jason
Posted: Sun Jan 05, 2003 2:36 pm

Obviously the fastest methods appear the most attractive.

The thing to watch out for is any sort of "lockout" policy. This could occur with any of the methods you described, including, if I understood correctly, the Java application. If anything, I would say brute-forcing a custom-built Java application may attract less attention, unless the company/developer that built it has lots of time/money to devote to the project.

Why?

In a rush to meet a deadline, critical security features like lockout policy are often put to the side.

One of my favourite ways to obtain access to some sites is SQL injection. You can fool vulnerable systems into letting you in, as you rewrite the SQL query that checks the username and password combination.

- J -
max_blakk
Posted: Sun Jan 05, 2003 3:13 pm

Agree with you on all of the points, fastlanwan. If I found a sys with unfiltered ports I would try the obvious user/passwords; if they don't work I would just leave it. (Unless there are some really easy holes: NetBIOS, NFS shares, etc.)

The best way is if you have huge amounts of info at hand about the target system/company/workers... and then you can make educated attempts at exploits/vulnerabilities and user/password combos...

I guess it boils down to how bad you want access to the system; then you have a reason to keep knocking on the door... (Kinda like programming, as I'm finding out...)
ShaolinTiger
Posted: Sun Jan 05, 2003 6:31 pm

Brute force is the very last way to get in..

If there are all those tasty services running and none are exploitable, that would be somewhat unusual.

After that, plain brute forcing is kinda tough.

root occasionally has a lame password (root, god, companyname, asdfa etc)

Best to do some data diving and profile a couple of employees, then access via them, or work on some social engineering.

Always best to make as little noise as possible..

FTP brute can be pretty fast depending on yours and their connection and the latency between.

It can be the fastest....along with telnet.

SSH is the same as bruting telnet, just it has harsher lockout policies usually by default and it's slightly slower.

HTTP same; wwwhack is good for that and POP3 (good for getting news feed accounts).
delete852
Posted: Sun Jan 05, 2003 7:20 pm

I read a file somewhere on gaining access to the system through the Unicode vulnerability in IIS. How does this work exactly?
What I got out of it is that once you can send commands through the URL bar as a query string, you are able to create a batch file in DOS, and then make it connect to your system; on your system you have to be running netcat (I think) in a certain mode so that when computers connect to you it lets you open a program on their computer. So after you execute the script through Unicode, the server would connect to you and you would get access to their MS-DOS virtual machine. Is this possible or like what? Looking for some feedback.
igir3dsk1
Posted: Sun Jan 05, 2003 7:54 pm

ST: wwwhack, I got like 20 FTP accounts on different servers last time I used it (2001). It was version 4.0. I don't know what's the last version.
vlad902
Posted: Sun Jan 05, 2003 8:22 pm

delete852 wrote:
    I read a file somewhere on gaining access to the system through the Unicode vulnerability in IIS. How does this work exactly?
    What I got out of it is that once you can send commands through the URL bar as a query string, you are able to create a batch file in DOS, and then make it connect to your system; on your system you have to be running netcat (I think) in a certain mode so that when computers connect to you it lets you open a program on their computer. So after you execute the script through Unicode, the server would connect to you and you would get access to their MS-DOS virtual machine. Is this possible or like what? Looking for some feedback.


Yes, the way NIMDA spread is through using different Unicode vulnerabilities in IIS servers; the Unicode just fools the web server into showing them not C:\wwwroot but C:\. So you can access DOS and screw them over! I believe where you read that is new order?
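What "the Unicode fools the web server" amounts to in practice, as an added example that is not code from either poster and does not talk to IIS. It models the order of operations behind the bug: the traversal check ran on the request before the overlong UTF-8 sequence `%c0%af` was decoded, and a decoder that accepts overlong forms turns that sequence into `/`. A lenient two-byte decoder written here stands in for that behaviour; Python's own strict decoder rejects the sequence, which is what the hardened path relies on. The document root and the request URLs are assumptions for the demo (real exploit requests went through the `/scripts` directory, which the model omits).

```python
"""Why an overlong UTF-8 '/' escaped the web root (added worked example).

Not code from the original posts and not an IIS emulator; it shows the
check-before-decode ordering that made the flaw possible. The document
root and request paths are assumptions for the demo.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote_to_bytes

WWWROOT = "/inetpub/wwwroot"          # assumed document root


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 while ACCEPTING overlong 2-byte forms (the bug class).

    A correct decoder rejects 0xC0 0xAF; this one yields '/' for it.
    Only ASCII and 2-byte sequences are handled, which is enough here.
    """
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError(f"unsupported byte sequence at offset {i}")
    return "".join(out)


def inside_root(path: str) -> bool:
    return path == WWWROOT or path.startswith(WWWROOT + "/")


def vulnerable_resolve(url_path: str) -> Optional[str]:
    """Check first, decode second.

    After percent-decoding, '..%c0%af..' is the single directory name
    '..\\xc0\\xaf..', so the containment check passes; the file system
    layer then sees '../..' and climbs out of the root.
    """
    raw = unquote_to_bytes(url_path)                       # %c0%af -> b'\xc0\xaf'
    checked = posixpath.normpath(WWWROOT + "/" + raw.decode("latin-1").lstrip("/"))
    if not inside_root(checked):
        return None                                        # plain ../ is caught
    fs_path = posixpath.normpath(WWWROOT + "/" + lenient_utf8_decode(raw).lstrip("/"))
    return fs_path                                         # may lie outside WWWROOT


def hardened_resolve(url_path: str) -> Optional[str]:
    """Decode fully and strictly first, canonicalize, then check containment."""
    raw = unquote_to_bytes(url_path)
    try:
        decoded = raw.decode("utf-8")                      # strict: overlong forms rejected
    except UnicodeDecodeError:
        return None
    fs_path = posixpath.normpath(
        WWWROOT + "/" + decoded.replace("\\", "/").lstrip("/"))
    return fs_path if inside_root(fs_path) else None


if __name__ == "__main__":
    # Constructed request: two overlong-encoded '../' steps, then cmd.exe.
    probe = "/..%c0%af..%c0%afwinnt/system32/cmd.exe"
    print("lenient decode of %c0%af :", repr(lenient_utf8_decode(b"\xc0\xaf")))
    print("vulnerable:", vulnerable_resolve(probe))        # /winnt/system32/cmd.exe
    print("hardened  :", hardened_resolve(probe))          # None
    print("plain ../ :", vulnerable_resolve("/../../winnt/system32/cmd.exe"))
```

The literal `/../../` request is refused by both versions, which is why the bug needed the overlong encoding: the check was not missing, it was run on a representation in which the traversal was invisible. Decoding to the final form before any security check, and rejecting non-shortest-form UTF-8 outright, removes that gap.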
delete852
Posted: Sun Jan 05, 2003 9:07 pm

Yea, I did. They have some great articles there sometimes.
vlad902
Posted: Sun Jan 05, 2003 9:15 pm

Key word: sometimes.
All times are GMT + 2 Hours