RE: penetrating web-based authentication if you know one of theusernames

From: David Corn (david@covetrix.com)
Date: Fri May 20 2005 - 14:10:01 EDT


I have played with AccessDiver on many occasions; it is a very nice tool. It is very capable at brute forcing web based authentication systems. I do recommend trying it out. But if a system is not performing login accounting they need to rethink there security for online authentication. There are a couple PAM modules for strength assessment, that test for upper and lower case length, Look at pam_passwd+.

David Corn
Security Consultant
Covetrix, IT Consulting Group
http://www.covetrix.com
Phone: 214-575-9583 x116
Fax: 214-575-9584
 

-----Original Message-----
From: Pablo Fernández [mailto:newsclient@teamq.info]
Sent: Wednesday, May 18, 2005 11:13 AM
To: Ĝlstad, Roger
Cc: pen-test@securityfocus.com
Subject: Re: penetrating web-based authentication if you know one of theusernames

First things first, on the disclosed username thing, as you say the only
attack that pops up to my head is a bruteforce attack (assuming that
your web isn't vulnerable to SQL injection). You can easily prevent a
bruteforce attack counting the number of login failures on a particular
user. Paypal does it, Hotmail does it, VNC >= 3.1 does it and many more
too, all you have to do is record the number of login failures since
last proper authentication, if that number reaches to 15 (or 90,
crackers should be reaaaly lucky to get in the first 100 tries) the
account should be blocked and manually reactivated once the user is
validated.

Anyway, don't think your system has been compromised just because a
username has been disclosed, I can also assume you have a username
Roger.Olstad in the host pax.priv.no, but there's not much to with that
(other than a bruteforce attack...).

Now, on the "web-server audit", yes, there's some software capable of
bruteforcing using thread modes, I just read a bit about it, but never
really tested it, it's called AccessDriver. Anyway an script in perl,
bash, php or whatever you want is reaaaally easy to make...

And on the password strength checking there're many ways to do it, you
could try to crack them with john the ripper and a basic dictionary (or
with the -incremental flag). I know PAM has some module for checking
strength too, you could do some research on that as well.

Well, that's it, I think I cover all the topics, just hope this helps a
bit.

Bye!
Pablo Fernández



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:21 EDT