From: Hagen, Eric (hagene@DenverNewspaperAgency.com)
Date: Tue Oct 17 2006 - 17:02:28 EDT
My statement was directed at the fact that updated IOS has password locking and login delay features, however I've just realized Sparky mentioned IOS versions that are before those features were introduced...
But on updated routers (as of mid-2004) that are properly configured with login delays, it would take 3-4 days to run a very small dictionary file attack. And newer routers with a "quiet period" feature and account lockout policies (except on the admin account) are even more work, so much as to make a full dictionary totally impractical.
So, given the version number that Sparky reported, it seems a dictionary attack is substantially reasonable, but given newer routers that are properly secured, they seem to have too little ROI, time and resource wise, to be useful.
Would you agree, Troy?
Thanks,
Eric
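Since the thread turns on how many guesses a line password can take before the router's own login features cut the attacker off, here is the defender's side of that question: a small detector, added here as an example and not part of the original thread, that reads IOS login syslog and flags a source that keeps failing across reconnects. The log lines are constructed to mimic the %SEC_LOGIN messages IOS emits with login failure logging enabled; the exact field layout, the hostname rtr1 and the addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (assumed IOS %SEC_LOGIN syslog layout, not from the thread).
SAMPLE_LOG = """\
Oct 16 14:00:01 rtr1 101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed]
Oct 16 14:00:03 rtr1 102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed]
Oct 16 14:00:05 rtr1 103: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed]
Oct 16 14:00:09 rtr1 104: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed]
Oct 16 14:00:11 rtr1 105: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed]
Oct 16 14:02:40 rtr1 106: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.168.7.9] [localport: 23] [Reason: Login Authentication Failed]
Oct 16 14:05:10 rtr1 107: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 192.168.7.9] [localport: 23]
"""

# Syslog prefix, sequence number, %SEC_LOGIN mnemonic and the [Source: ...] field.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \d+: %SEC_LOGIN-\d-(?P<event>\w+): "
    r".*?\[Source: (?P<src>[\d.]+)\]"
)

def parse(log_text, year=2006):
    """Return (timestamp, event, source_ip) tuples; syslog lines carry no year, so it is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["event"], m["src"]))
    return events

def find_guessing(events, attempts=3, within=60):
    """Flag sources with >= `attempts` failures inside any `within`-second window.

    The thresholds mirror the router-side 'login block-for <secs> attempts <n>
    within <secs>' policy. Counting per source, not per session, is what catches
    a client that simply reconnects after the 3-strikes disconnect Sparky described.
    Returns {source_ip: (first_failure, triggering_failure, count_in_window)}.
    """
    window = defaultdict(deque)
    alerts = {}
    for ts, event, src in events:
        if event != "LOGIN_FAILED":
            continue
        q = window[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > within:
            q.popleft()          # drop failures that aged out of the window
        if len(q) >= attempts and src not in alerts:
            alerts[src] = (q[0], ts, len(q))
    return alerts
```

Feed it a real syslog export and lower `within` to match the router's configured window; a source that only ever shows one failure per session but many sessions is exactly the pattern a per-connection limit alone will not surface.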
-----Original Message-----
From: Troy Fletcher [mailto:troy@alvaka.net]
Sent: Tuesday, October 17, 2006 1:46 PM
To: Hagen, Eric; 09sparky@gmail.com; pen-test@securityfocus.com
Subject: RE: BruteForcing?
Sparky,
For brute forcing WebPages, I use Perl scripts combined with Linux tools
like cURL and Wget. If you know any programming/scripting languages, I
can point you in the right direction. To help see the traffic exchange
for WebPage login attempts I recommend using a proxy like WebScarab;
once you see the POSTs or GETs, automating attacks with cURL is easy. I
don't know any _good_ pre-made WebPage bruteforce tools, but I'm sure
that if someone else does, they'll share.
Eric,
I used to agree with your sentiment, and used a list of common passwords
and passphrases, until I got burned on a router with "zebra" as the
password. The customer wondered why I didn't even run a simple
dictionary attack. I explained that the likelihood that the password was
a dictionary word was very slim, and that my time was better spent
pursuing other attack vectors. She reluctantly agreed, but we all know
that kicking off an automated attack takes very little time, and very
little continued management (if any).
Now, I run my common list and a good sized dictionary attack for as long
as they'll let me. The computer does all the work and (in most cases)
you're free to manually manage other attacks while the automated ones
run. Since then, I have only missed one dictionary word password that I
know of (xenophile), but when I explained that the time constraints only
allowed me to run a simplified dictionary attack the customer was fine.
I think that running a dictionary attack, even when you know that it's
unlikely it will work is just part of the job (and can pay off every
once in a while). It's also a bit of insurance; should the customer try
to test you as they did me, it shows diligence even if you missed it.
-Troy
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Hagen, Eric
Sent: Monday, October 16, 2006 2:06 PM
To: 09sparky@gmail.com; pen-test@securityfocus.com
Subject: RE: BruteForcing?
Anyone feel free to correct me if I'm wrong, but I don't believe a
dictionary attack against modern IOS is practical because of the
disconnect/timeout security features of the routers/switches. Try
defaults, maybe a few dozen 'obvious' passwords "root" "enable" "admin"
etc and move on to other vulnerabilities.
Eric
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of 09sparky@gmail.com
Sent: Sunday, October 15, 2006 12:03 PM
To: pen-test@securityfocus.com
Subject: BruteForcing?
This is more of a general brute forcing question, but one with which I could
use some assistance.
I am attempting to brute force some telnet sessions (Cisco Routers -
CISCO IOS 12.2 and IOS 12.3(8), Cisco 1721 router). When telnet'ing in,
it only prompts me for a PW (Not a username). It has a 3 attempts
disconnect, so I get disconnected and have to reconnect.
My question is:
How and what tool should I use to try and brute force (dictionary
attack) this session?
I have tried Hydra, but when I get disconnected (after 3 attempts), it
tells me it is "finished". Not sure if there is a way to make it
reconnect. Is there a better tool or other techniques that would work
better?
Second question: Brute forcing also, but against WebPages. For example,
a Cisco 3000 VPN Concentrator, I have the webpage asking for
username/password. How would I attempt to dictionary attack this?
Thanks,
Sparky
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:13 EDT