RE: Guessing passwords with Hydra

From: Anders Thulin (Anders.Thulin@tietoenator.com)
Date: Mon Feb 20 2006 - 02:39:26 EST


Grumble: It really should be a requirement that any post passing through
a SecurityFocus mailing-list gets that mailing-list as a CC: address, at least.

From: alias@securityfocus.com

> Now we are trying to brute-force the server with Hydra but
> surprisingly Hydra does not support guessing technique but
> only dictionary attack.

  This type of password guessing needs preparation.

  And guessing is tricky business ... what's right for one situation
tends to be wrong for another. For remote password guessing
(as different from password hash cracking) you need to know
what passwords can be expected to be in common use: you very
rarely have time for a *real* brute force attack. That
changes very quickly ... and you very often learn about those
changes by cracking password hashes. These days, Harry Potter-related
passwords are fairly high on the list, some years back Babylon, Star Trek
and Tolkien-related passwords were most popular. Cars, football and
artists are always high.

  You also need to know what password variations appear: that
appending digits to the end (secret00) is far more common than
putting them at the head (00secret), and that some combinations of
these digits are more common than others. It's useless to have
a guessing algorithm that begins with guessing '00xyz', and works
its way through all combinations before it produces 'xyz00', which
of course is the more likely combination. Same thing with special
characters: some are very usual, others very rarely appear.

  If you have a basic password list, it's easy enough to create
rewritten passwords. I like using john the ripper (JtR), as
'john --wordlist=<file> --rules --stdout' after enabling all relevant
rules in the config file. 'john --incremental --stdout', after priming
the .chr files with appropriate statistics is also useful, even though
it tends to produce more passwords than can easily be handled ...
but this list is better than plain enumeration. (I'd use plain password
lists first, go on to variations of them (--rules), then the --incremental
list for a while before deciding if time allows for real brute force.)

  That's when you do full dictionaries over various subsets of
passwords (all 1-4 character passwords, all printable 5 character
passwords, all alphanumerical 6 character passwords, all alphanumerical
with digits at the end only for lengths 7 and up, for example.) As you know
what system you are testing, you also know what passwords it allows --
perhaps you can do only upper-case letters. These are simple enough to generate
by program. And again, if you already know the password rules
(at least one alphabetical, one numerical and one special), you
can easily produce such lists by program or by one of several
password-generating utilities that can be found (isn't there already
one in the THC set?) or even by tweaking the JtR config file suitably.

Anders Thulin anders.thulin@tietoenator.com 040-661 50 63
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
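The variation ordering Anders describes (trailing digits far commoner than leading ones, then special-character affixes) is just as useful on the defending side. The following is an added example, not code from the post or from Hydra/JtR: a password-quality check that undoes those manglings in that order before comparing against a base list, so "secret00", "00secret" or "P0tter!" are rejected as dictionary words. The base list, the tag names and the letter-substitution table are constructed assumptions for this example.

```python
import re
import string

# Constructed sample base list; a real check would load a large common-password list.
BASE_WORDS = {"secret", "potter", "hogwarts", "ferrari", "football", "tolkien"}

# Reverse a few common single-character substitutions (an assumption, not from the post).
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                        "@": "a", "$": "s"})


def strip_affixes(pw):
    """Remove digit and punctuation affixes, recording which mangling was found.

    Trailing digits are checked first because 'secret00' is far commoner than
    '00secret'; leading digits and special-character affixes follow.
    """
    tags = []
    m = re.fullmatch(r"(.*?)(\d+)", pw)
    if m and m.group(1):
        pw, tags = m.group(1), tags + ["digit-suffix"]
    m = re.fullmatch(r"(\d+)(.*)", pw)
    if m and m.group(2):
        pw, tags = m.group(2), tags + ["digit-prefix"]
    stripped = pw.strip(string.punctuation)
    if stripped != pw:
        pw, tags = stripped, tags + ["special-affix"]
    return pw, tags


def weak_password_reason(password, base_words=BASE_WORDS):
    """Return (base_word, [manglings]) if password is a mangled dictionary word, else None."""
    pw = password.lower()
    core, tags = strip_affixes(pw)
    if core in base_words:
        return core, tags
    # Try letter substitutions after stripping ('p0tter!') and before stripping
    # ('h0gwart5', where the final '5' is a substituted letter, not an appended digit).
    if core.translate(UNLEET) in base_words:
        return core.translate(UNLEET), tags + ["leet"]
    core2, tags2 = strip_affixes(pw.translate(UNLEET))
    if core2 in base_words:
        return core2, tags2 + ["leet"]
    return None


if __name__ == "__main__":
    for candidate in ["Secret00", "00secret", "P0tter!", "h0gwart5", "correcthorse"]:
        print(candidate, "->", weak_password_reason(candidate))
```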

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:33 EDT