
Thursday, 28 April 2011

Password guessing Countermeasures

• Block access to TCP and UDP ports 135–139.
• Disable bindings to the WINS client on any adapter.
• Use complex passwords.
• Log failed logon attempts in Event Viewer: in the Security log they appear as event 529 or 539 (category Logon/Logoff).
Monitoring Event Viewer Logs
• Logging is of no use if no one ever analyzes the logs.
• VisualLast from http://www.foundstone.com/ formats the event logs visually.
VisualLast is considered the advanced version of NTLast, with a number of additional and sophisticated features. The program is designed to allow network administrators to view and report individual users' logon and logoff times, and these events can be searched by time frame. This is an invaluable feature for security analysts looking for intrusion details.
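The bullets above name the events to watch but not how to turn them into an alert. The following Python script is an added example, not code from the original post and not VisualLast: it reads a constructed export of Security-log records, where 529 is "Logon Failure: unknown user name or bad password" and 539 is "Logon Failure: account locked out", and flags any account/source pair that accumulates failures inside a short sliding window. The pipe-separated record layout, the threshold and the window length are assumptions chosen for the example.

```python
"""Flag bursts of failed Windows logons in Security-log records.

Added example, not part of the original post and not VisualLast. Event ids
are the pre-Vista ones the post names: 529 = logon failure, unknown user
name or bad password; 539 = logon failure, account locked out.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 529
ACCOUNT_LOCKED_OUT = 539

# Constructed sample export in an assumed "timestamp|event id|account|source" layout.
# A real Security-log export has many more columns; these are the ones the check needs.
SAMPLE_LOG = """\
2011-04-28 09:00:01|529|Administrator|WKS-17
2011-04-28 09:00:02|529|Administrator|WKS-17
2011-04-28 09:00:02|529|Administrator|WKS-17
2011-04-28 09:00:03|529|Administrator|WKS-17
2011-04-28 09:00:04|529|Administrator|WKS-17
2011-04-28 09:00:05|529|Administrator|WKS-17
2011-04-28 09:00:06|539|Administrator|WKS-17
2011-04-28 09:03:10|529|jsmith|WKS-04
2011-04-28 09:41:55|529|jsmith|WKS-04
2011-04-28 09:45:12|528|jsmith|WKS-04
"""


def parse_line(line):
    """Split one record into (timestamp, event id, account, source)."""
    ts, event_id, account, source = line.split("|")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), account.lower(), source


def detect_guessing(log_text, threshold=5, window_seconds=60):
    """Return {'bursts': {(account, source): peak count}, 'lockouts': {(account, source)}}.

    A burst is `threshold` or more 529 events for the same account from the
    same source inside any sliding window of `window_seconds`; lockouts are
    every 539 event seen. Records are sorted first, since exports are not
    always in time order.
    """
    window = timedelta(seconds=window_seconds)
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # (account, source) -> failure timestamps still inside the window
    bursts, lockouts = {}, set()
    for ts, event_id, account, source in events:
        key = (account, source)
        if event_id == ACCOUNT_LOCKED_OUT:
            lockouts.add(key)
            continue
        if event_id != FAILED_LOGON:
            continue   # 528 (successful logon) and everything else is not a failure
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # evict failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            bursts[key] = max(bursts.get(key, 0), len(q))
    return {"bursts": bursts, "lockouts": lockouts}


if __name__ == "__main__":
    report = detect_guessing(SAMPLE_LOG)
    for (account, source), count in report["bursts"].items():
        print(f"ALERT {count} failed logons for {account} from {source} within one minute")
    for account, source in report["lockouts"]:
        print(f"LOCKOUT {account} from {source}")
```

On the sample data the Administrator account from WKS-17 trips the burst rule (six failures in five seconds) and then produces a lockout, while jsmith's two failures 38 minutes apart stay below any reasonable threshold; that distinction, not the raw count, is what keeps the alert useful.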

Password Guessing

• Password guessing attacks can be carried out manually or via automated tools.
• Password guessing can be performed against all types of Web authentication.
• The common passwords used are: root, administrator, admin, operator, demo, test, webmaster, backup, guest, trial, member, private, beta, [company_name] or [known_username]

Passwords are the principal means of authenticating users on the Web today. It is imperative that any Web site guard the passwords of its users carefully. This is especially important since users, when faced with many Web sites requiring passwords, tend to reuse passwords across sites. Compromise of a password completely compromises a user.


Attack Methods

Often Web sites advise users to choose memorable passwords such as birthdays, names of friends or family, or social security numbers. This is extremely poor advice, as such passwords are easily guessed by an attacker who knows the user. The most common way an attacker will try to obtain a password is through the dictionary attack. In a dictionary attack, the attacker takes a dictionary of words and names and tries each one to see if it is the required password. This can be automated with programs which can guess hundreds or thousands of words per second. This makes it easy for attackers to try variations: the word backwards, different capitalization, adding a digit to the end, and popular passwords.

Another well-known form of attack is the hybrid attack. A hybrid attack adds numbers or symbols to a dictionary word to successfully crack a password. Often people change their passwords by simply adding a number to the end of their current password. The pattern usually takes this form: first month password is "site"; second month password is "site2"; third month password is "site3"; and so on. A brute force attack is the most comprehensive form of attack, though it may often take a long time to work depending on the complexity of the password. Some brute force attacks can take a week depending on the complexity of the password.
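A server-side countermeasure to the dictionary and hybrid attacks just described is to reject, at password-set time, anything those attacks would reach in their first few thousand guesses. The Python check below is an added example, not code from the original post; it uses the common-password list from the bullets above and applies the attacker's own variation rules (reversal, case folding, trailing digits or symbols, the company name or a known username) before comparing. The thresholds (8 characters, three character classes) are assumptions chosen for the example.

```python
"""Reject passwords that dictionary and hybrid guessing reach first.

Added example, not code from the original post. COMMON_PASSWORDS is the
list given in the post; the length and character-class thresholds are
assumptions chosen for the example.
"""
import re

COMMON_PASSWORDS = {
    "root", "administrator", "admin", "operator", "demo", "test", "webmaster",
    "backup", "guest", "trial", "member", "private", "beta",
}


def variants(candidate):
    """Base forms a guesser's variation rules would produce from `candidate`:
    case-folded, reversed, and with trailing digits/symbols removed ("site2" -> "site")."""
    lower = candidate.lower()
    base = re.sub(r"[^a-z]+$", "", lower)
    return {lower, lower[::-1], base, base[::-1]}


def check_password(candidate, username="", company="", min_length=8, min_classes=3):
    """Return the list of reasons `candidate` is rejected; an empty list means it passes."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    forms = variants(candidate)
    if forms & COMMON_PASSWORDS:
        reasons.append("is a common default password or a simple variation of one")
    # Context words ([company_name], [known_username] in the post); very short ones are ignored
    context = {w.lower() for w in (username, company) if len(w) >= 3}
    if any(w in form for form in forms for w in context):
        reasons.append("contains the username or company name")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < min_classes:
        reasons.append(f"uses fewer than {min_classes} character classes")
    return reasons


if __name__ == "__main__":
    for pw in ("Admin2", "nimda!23", "Acme-Staff2011", "correct horse battery staple!9"):
        verdict = check_password(pw, username="jsmith", company="Acme")
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The normalisation step is the point: "nimda!23" satisfies a naive complexity rule, yet it is "admin" reversed with a suffix, exactly the kind of variation the paragraph above says guessing tools try first.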

Hacking Tool: WebCracker

• WebCracker is a simple tool that takes text lists of usernames and passwords and uses them as dictionaries to implement Basic authentication password guessing.
• It keys on the "HTTP 302 Object Moved" response to indicate a successful guess.
• It will find all successful username/password combinations given in the lists.

WebCracker allows the user to test a restricted-access website by trying ID and password combinations against it. The program exploits a rather large hole in web site authentication methods: password-protected websites can easily be brute-forced if there is no limit on the number of times an incorrect password or user ID can be tried.
Hacking Tool: Brutus

• Brutus is a generic password guessing tool that cracks various authentication types.
• Brutus can perform both dictionary attacks and brute-force attacks, where passwords are randomly generated from a given character set.
• Brutus can crack the following authentication types: HTTP (Basic authentication, HTML Form/CGI), POP3, FTP, SMB and Telnet.

Brutus is an online or remote password cracker; more specifically, it is a remote interactive authentication agent. It is used to recover valid access tokens (usually a username and password) for a given target system. Examples of a supported target system are an FTP server, a password-protected web page, a router console or a POP3 server. It is used primarily in two ways:

• To obtain the valid access tokens for a particular user on a particular target.
• To obtain any valid access tokens on a particular target, where only target penetration is required.

Brutus does very weak target verification before starting; in fact, all it does is connect to the target on the specified port. In the context of Brutus, the target usually provides a service that allows a remote client to authenticate against it using client-supplied credentials. The user can describe the structure of any given HTML form to Brutus: the various form fields, any cookies to be submitted in requests, the HTTP referrer field to send (if any) and, of course, the authentication response strings that Brutus uses to determine the outcome of an authentication attempt.

If Brutus can successfully read the forms of the fetched HTML page, each form is interpreted and the relevant fields for each form are displayed. Any cookies received during the request are also logged here. Brutus handles each authentication attempt as a series of stages; as each stage is completed the attempt progresses until either a positive or negative authentication result is returned, at which point Brutus can either disconnect and retry or loop back to some stage within the authentication sequence.

Hacking Tool: ObiWan

• ObiWan is a powerful Web password cracking tool. It can work through a proxy.
• ObiWan uses wordlists and alternations of numeric or alphanumeric characters as possible passwords.
• Since web servers allow unlimited requests, breaking into a server system is only a question of time and bandwidth.

ObiWaN stands for "Operation burning insecure Web server against Netscape". It is now called Project 2086, after 2068, the number of the RFC which describes the HTTP/1.1 protocol; section 11.1 of that RFC describes the basic authentication scheme. This is the most commonly used authentication scheme for web servers and the one ObiWaN targets.

Web servers with a simple challenge-response authentication mechanism mostly have no switches to set up intruder lockout or delay timings for wrong passwords. Every user with an HTTP connection to a host with basic authentication can try username/password combinations for as long as he or she likes. This allows the attacker to prod the system for as long as he wants to.

Like other programs for UNIX system passwords (crack) or NT passwords (L0phtCrack), ObiWaN uses wordlists and alternations of numeric or alphanumeric characters as possible passwords. Since web servers allow unlimited requests, it is a question of time and bandwidth to break into a server system. The first way is to run ObiWaN more than once. The following example tries to crack the username eccouncil on the host intranet:
./ObiWaN -h intranet -a eccouncil -w list.txt
To run it with alphanumeric variation to a depth of 2:
./ObiWaN -h intranet -a eccouncil -w list.txt -A 2
To run it in brute-force loop mode:
./ObiWaN -h intranet -a eccouncil -w list.txt -b 6 -B 8
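The WebCracker and ObiWaN descriptions above turn on the same weakness: the server applies no limit or delay to failed attempts and leaks the outcome through a distinguishable response. The Python class below is an added example, not code from the original post or from either tool, of the missing switches: per-account lockout after a few consecutive failures, a growing per-source delay, and one generic failure result whether the user is unknown, the password is wrong or the account is locked. The policy numbers, the PBKDF2 iteration count and the injectable clock are assumptions for the example.

```python
"""Login gate with lockout, backoff and a uniform failure result.

Added example, not code from the original post or from WebCracker, Brutus
or ObiWaN. The policy numbers, the PBKDF2 iteration count (kept low so the
example runs quickly) and the injectable clock are assumptions.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict

ITERATIONS = 20_000  # assumed for the example; production deployments use far more


def make_record(password, salt=None):
    """Build the stored credential record (salt, PBKDF2-HMAC-SHA256 hash) for a password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class LoginGate:
    """Wraps a credential store with the lockout and delay switches the post says many servers lack."""

    def __init__(self, records, lockout_after=5, lockout_seconds=900,
                 delay_step=2.0, max_delay=30.0, clock=time.monotonic):
        self.records = records                 # username -> (salt, hash)
        self.lockout_after = lockout_after     # consecutive failures before an account locks
        self.lockout_seconds = lockout_seconds
        self.delay_step = delay_step           # extra seconds of delay per failure from one source
        self.max_delay = max_delay
        self.clock = clock
        self.failures = defaultdict(int)         # account -> consecutive failures
        self.locked_until = {}                   # account -> clock time at which the lock expires
        self.source_failures = defaultdict(int)  # source address -> total failures
        self._dummy = make_record("not-a-real-user")  # unknown users cost the same hash work

    def is_locked(self, username):
        return self.locked_until.get(username, 0.0) > self.clock()

    def attempt(self, username, password, source):
        """Check one login. Returns {'ok': bool, 'delay': seconds the caller should sleep
        before answering}. Every failure, whatever its cause, has the same shape and the
        caller sends the same generic failure page, so there is no 302-versus-401 or
        'unknown user' difference for an automated guesser to key on."""
        salt, expected = self.records.get(username, self._dummy)
        supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        valid = username in self.records and hmac.compare_digest(supplied, expected)
        if valid and not self.is_locked(username):
            self.failures[username] = 0
            return {"ok": True, "delay": 0.0}
        return self._fail(username, source)

    def _fail(self, username, source):
        self.failures[username] += 1
        self.source_failures[source] += 1
        if self.failures[username] >= self.lockout_after:
            self.locked_until[username] = self.clock() + self.lockout_seconds
        delay = min(self.max_delay, self.delay_step * self.source_failures[source])
        return {"ok": False, "delay": delay}


if __name__ == "__main__":
    gate = LoginGate({"admin": make_record("S3cure-pass!")}, lockout_after=3)
    for pw in ("admin", "admin1", "admin2", "S3cure-pass!"):
        result = gate.attempt("admin", pw, "10.0.0.5")
        print(pw, result, "locked:", gate.is_locked("admin"))
```

Two details matter for the countermeasure to hold. The hash is computed even for unknown usernames (against a dummy record) so response time does not reveal which accounts exist, and the correct password is refused while the lock is active, so a guesser that happens to hit the right value during the lockout learns nothing. The delay is returned rather than slept inside the class so a web handler can apply it without blocking its worker.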

Hacking Tool: Munga Bunga

Munga Bunga's HTTP Brute Forcer is a utility that uses the HTTP protocol to brute force any login mechanism or system that requires a username and password on a web page (or HTML form). To recap: a password usually contains only letters. In that case the character set holds 26 or 52 characters, depending on whether one or both letter cases are used. Some systems (Windows, for example) make no distinction between lower-case and upper-case letters. For an 8-character password the difference amounts to a factor of 256, which is really significant.

The brute force method can sometimes be very effective when combined with the functionality of the program. Munga Bunga is a tool which can be used for breaking into emails, affiliate programs, web sites, any web-based accounts, launching DoS attacks, flooding emails, flooding forms, flooding databases and much more; though DoS attacks and flooding activity are not supported or documented in the documentation. Apart from this, the attacker can write definition files. These are files ending in the .def extension, and contain information about a particular server and the data to submit to it. They are used to extend the power and capability of the program, based on the user's own definitions. The software comes bundled with some definition

The tool claims to be capable of brute forcing anything that can be entered via an HTML form with a password and username. The attack methodology goes as follows: the attacker uses a password file so that the program can attempt to enter the account(s) with the specified passwords. In addition, he can write a definition file for the form he wants to crack into.

Hacking Tool: PassList

Passlist is another character-based password generator. It implements a small routine which automates the task of creating a "passlist.txt" file for any brute force tool. The program does not require much information to work. The tool allows the user to specify the generation of passwords based on any given parameter. For instance, if the user knows that the target system's password starts with a particular phrase or number, he can specify this. This makes the list more meaningful to the user and easier for the brute forcer. He can also specify the length required, such as the maximum number of random characters per password, apart from the maximum number of random

A partial list of such tools is given below.

• Refiner is used to generate a wordlist containing all possible combinations of a partial password, which an attacker may have obtained by other means. Refiner will then generate a text file containing all possible combinations.
• WeirdWordz allows the user to just select an input file and an output file, and makes all sorts of combinations of the lines/words in the input file.
• Raptor 1.4.6 creates words using many different filters on HTML files to create a wordlist.
• PASS-PARSE V1.2 will take any file and turn all the words into a standard type password list, while stripping anything that's not alphanumeric. The main idea behind it is that, while trying to crack the password of a personal website, the password may appear on the site when the person describes their interests. It will parse through an HTML file and create a list of words from that page to try as passwords.

Administrator Password Guessing

• Assuming that the NetBIOS TCP 139 port is open, the most effective method of breaking into NT/2000 is password guessing.
• Attempt to connect to an enumerated share (IPC$ or C$) and try username/password combinations.
• The default Admin$, C$ and %Systemdrive% shares are a good starting point.

One common security lapse is to leave the built-in Administrator account with a null password. Password guessing appeals to the attacker because complicated passwords are difficult to remember, so users tend to choose the easiest password possible. It is often seen that users choose something easy to remember, such as a birthday, a pet's name or a child's name. Lists of these common user/password combinations can be downloaded all over the Internet.

One can categorize password guessing attacks by the amount of interaction they require with an authentication system. They are considered on-line attacks when the perpetrator must make use of the authentication system to check each guess of a password. Off-line attacks, on the other hand, see an attacker obtaining information (e.g. a password hash) that allows him to check password guesses on his own, without any further access to the system. On-line attacks are generally considered slower than off-line ones.

Automated password attacks can be divided into two basic categories, dictionary attacks and brute force attacks.

• A simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against user accounts located by the application. The larger the selection of words and word fragments, the more effective the dictionary attack is.
• The brute force method is the most inclusive, though slow. Usually it tries every possible letter and number combination in its automated exploration.
• A hybrid approach combines features of both methods mentioned above. It usually starts with a dictionary and then tries combinations such as two words together or a word and numbers.
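The Munga Bunga paragraph earlier claims that an 8-character password drawn from 52 letters is 256 times harder to exhaust than one drawn from 26, and the paragraph above says on-line attacks are slower than off-line ones. The Python calculation below is an added example, not from the original post, that works both claims through: it computes the keyspace for each character set and the time to exhaust it at an assumed on-line rate (guesses that must round-trip to the authentication system) versus an assumed off-line rate (hash checks against a captured hash). The guess rates are assumptions chosen for illustration, not measured figures.

```python
"""Keyspace and time-to-exhaust for brute-force password guessing.

Added example, not part of the original post. The guess rates are assumed
for illustration: an on-line guesser is bounded by network round trips and
server processing, an off-line one only by local hashing speed.
"""
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character sets discussed in the post, by alphabet size.
CHARSETS = {
    "lowercase letters": 26,
    "mixed-case letters": 52,
    "mixed-case letters and digits": 62,
    "printable ASCII": 95,
}

# Assumed guess rates (guesses per second), not measured figures.
ONLINE_RATE = 10               # one request every 100 ms against a web login
OFFLINE_RATE = 1_000_000_000   # hash checks per second against a captured hash


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size, max_length):
    """Passwords of length 1..max_length, what a length-looping brute force must cover."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every password of the given alphabet and length."""
    return keyspace(alphabet_size, length) / guesses_per_second


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    return seconds_to_exhaust(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR


def case_sensitivity_factor(length):
    """How many times larger the mixed-case keyspace is than the single-case one."""
    return keyspace(52, length) // keyspace(26, length)


def comparison(length=8):
    """Rows of (charset name, keyspace, on-line years, off-line seconds) for one length."""
    return [
        (name, keyspace(size, length),
         years_to_exhaust(size, length, ONLINE_RATE),
         seconds_to_exhaust(size, length, OFFLINE_RATE))
        for name, size in CHARSETS.items()
    ]


if __name__ == "__main__":
    print(f"mixed case vs single case, 8 characters: {case_sensitivity_factor(8)}x")
    for name, space, online_years, offline_secs in comparison(8):
        print(f"{name:32s} {space:>22,d}  on-line {online_years:>14,.0f} y"
              f"   off-line {offline_secs:>12,.0f} s")
```

The factor of 256 is exactly 2^8, one doubling per position, which is what the post is describing. The more useful row for a defender is the on-line column: at ten guesses per second even eight lowercase letters take centuries to exhaust, so an on-line guesser relies entirely on dictionaries and the variations described earlier, which is why the countermeasures on this page are about limiting attempts and rejecting guessable passwords rather than about raw length alone.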
Legion automates locating and connecting to Windows-based shares. The software depends on users not protecting their shares with passwords before connecting to the Internet. It also has a brute-force password cracking plug-in that can be used to find passwords for shares that are protected.

Legion polls a wide range of IP addresses to check for the availability of shared folders. The application broadcasts a NetBIOS request across the LAN to find all computers that have NetBIOS services, then searches each polled computer for available shares and displays the results. Once these shares are known, there is little the administrator can do to detect or deter brute force password guessing. The commercial version of Legion has an option to brute-force any shares that were identified as shared but password protected. The vulnerable system can have its drive mapped to the attacker's system, and he can use this point of access for further nefarious activities such as installing Trojans, stealing information and even corrupting the system, thereby resulting in a denial of service. The most obvious countermeasure is to make sure that File and Print Sharing is disabled. If it is required, it must be password protected and allowed only from specific IP addresses, because DNS names can be spoofed. The system must also restrict null sessions.

NTInfoScan is a vulnerability scanner for NT 4.0 that produces an HTML-based report of the security issues found on the target system, along with further information.

NTInfoScan (now Cerberus Internet Scanner) is a vulnerability scanner designed by David Litchfield specifically to address the security concerns of the Windows NT 4.0 operating system. It still works with Windows 2000. The HTML-based report highlights the security issues found on the target system along with further information. It tests a number of services such as FTP, Telnet and the web service for security problems. In addition, NTInfoScan checks NetBIOS for share security and user account security.