Topic: Is brute forcing a waste of time?
seVor
« on: February 02, 2009, 04:45:24 PM »

I am just curious how many people actually have success with this?  It is time consuming, right? Plus I imagine that it is quite aggressive.  Any system that has logging on it should pick it up right away; of course, if you are doing it ethically they should probably expect it to be in their logs.

Hmmm..  just found myself asking this question and thought I would throw it up on here.

Thanks!

“Fear is the path to the dark side. Fear leads to anger. Anger leads to hate. Hate leads to suffering.” - you should know!
Kev
« Reply #1 on: February 02, 2009, 05:08:55 PM »

No, not a waste of time at all. I assume you mean brute forcing in a general context. Given the proper circumstances, you might be surprised how often I have the opportunity.
jason
« Reply #2 on: February 02, 2009, 05:21:31 PM »

In general, it's not a waste of time. However, YMMV depending on the tools that you are using and what exactly it is that you are trying to brute force.
apollo
« Reply #3 on: February 02, 2009, 08:47:07 PM »

Brute forcing is also situation dependent.  It is something that you should probably discuss in the planning stages and make sure that it is in the scope of your pen test.  You also want to discuss during this session what types of security the network has on it so that you can know what the impact is.  Having yourself black-holed by an IPS or locking out a whole lot of accounts during your engagement wouldn't be awesome.

CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
sgt_mjc
« Reply #4 on: February 03, 2009, 07:45:05 AM »

If you can grab the shadow file and run, bruting may take some time, but you will find weak passwords quickly. This can also give you clues to setting up a custom dictionary for other systems on that network. But as others pointed out, you need to be careful about bruting over a network.

Mike Conway
CISSP
CompTia Security +
C|EH
vijay2
« Reply #5 on: February 03, 2009, 08:06:34 AM »

With continued awareness about securing passwords, I think brute forcing is becoming a less attractive option. Agreed that brute forcing can give you really low hanging fruit, but you would get more out of using options like Social Engineering, pass the hash and others.

Also, with brute forcing you should remember that the attempts are logged and there is always an issue of locking out accounts.

Hope this Helps

VJ 

GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+
seVor
« Reply #6 on: February 03, 2009, 12:57:53 PM »

Great posts everyone!! Thanks..

Quote from: vijay2
> With continued awareness about securing passwords, I think brute forcing is becoming a less attractive option. Agreed that brute forcing can give you really low hanging fruit, but you would get more out of using options like Social Engineering, pass the hash and others.
>
> Also, with brute forcing you should remember that the attempts are logged and there is always an issue of locking out accounts.
>
> Hope this Helps
>
> VJ

Ya, I would be afraid of the logging and locking of passwords.  Is there a more passive way to do this?

Or does it even matter since all this would have been discussed up front?

“Fear is the path to the dark side. Fear leads to anger. Anger leads to hate. Hate leads to suffering.” - you should know!
Kev
« Reply #7 on: February 03, 2009, 01:21:00 PM »


Quote from: seVor
> Or does it even matter since all this would have been discussed up front?

That's a very important point. I always make it very clear what I will do and the possible repercussions there might be. Sometimes this might limit you and I make that very clear also. If they limit me too much I might not even take the gig. Make everything clear and the possible problems that might result so you are totally covered. I have found those that are really concerned with security are willing to give you a lot of rope. Hopefully not enough to just hang yourself, lol!
Equix3n-
« Reply #8 on: February 04, 2009, 09:03:58 AM »

I don't ALWAYS recommend brute force.
Yes, you will recover the password, but in how much time?
Just take this e.g.
A 5 character password would be recovered instantly if we consider only lowercase letters, but if there is a combination of both uppercase and lowercase it will take 12 min to recover it.
A 7 character lowercase password will take 4 hrs, but a combination of uppercase and lowercase would devour 23 days of your life.
A 9 character lowercase takes 4 months and a combination of uppercase and lowercase would take 178 years to crack.
And I have not taken special characters into consideration yet.

So according to me if you want to bruteforce choose a considerable amount of time and give it up if you couldn't crack the password in that time limit.
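
Added example, not part of the original thread: the arithmetic behind estimates like the ones in the post above, extended to the special-character case it leaves out and turned around into the password-policy question of how long a password must be to outlast a given search time. The guess rate is an assumption (the post does not state one); 500,000 guesses per second roughly reproduces its figures.

```python
import string

# Assumed guess rate. It is not stated in the post; 500,000/s roughly
# reproduces the figures quoted there.
GUESSES_PER_SECOND = 500_000
YEAR = 365 * 86400

ALPHABETS = {
    "lowercase": len(string.ascii_lowercase),              # 26
    "upper+lower": len(string.ascii_letters),              # 52
    # letters + digits + punctuation + space
    "printable ASCII": len(string.ascii_letters + string.digits
                           + string.punctuation) + 1,      # 95
}

def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly this length."""
    return alphabet_size ** length

def worst_case_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Time to try every candidate of this length at the given rate."""
    return keyspace(alphabet_size, length) / rate

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def min_length_to_resist(alphabet_size, seconds, rate=GUESSES_PER_SECOND):
    """Shortest length whose full keyspace takes at least `seconds` to exhaust."""
    needed = rate * seconds
    length = 1
    while keyspace(alphabet_size, length) < needed:
        length += 1
    return length

if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        cells = [humanize(worst_case_seconds(size, n)) for n in (5, 7, 9)]
        print(f"{name:16} 5/7/9 chars: {', '.join(cells)}")
        print(f"{'':16} length needed to outlast one year: "
              f"{min_length_to_resist(size, YEAR)}")
```

Each extra character multiplies the search time by the alphabet size, which is why length moves the result more than adding character classes does.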
sgt_mjc
« Reply #9 on: February 04, 2009, 10:28:50 AM »

Quote from: Equix3n-
> So according to me if you want to bruteforce choose a considerable amount of time and give it up if you couldn't crack the password in that time limit.

There are always rainbow tables......

Mike Conway
CISSP
CompTia Security +
C|EH
SynJunkie
« Reply #10 on: February 04, 2009, 02:42:24 PM »

Bruteforcing a waste of time?  Can anyone say "Twitter"!!!

http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html

Syn

----------------------------------
http://synjunkie.blogspot.com
xXxKrisxXx
« Reply #11 on: February 04, 2009, 02:55:04 PM »

Hahaha, wow, I had no idea Twitter didn't have a password policy to lock an account after so many failed attempts. This is a good example / wake-up call for people to enforce strong passwords. The password was "happiness"; come on, that's on everybody's dictionary list.

OSCP, OWSP, eCPPT
oneeyedcarmen
« Reply #12 on: February 04, 2009, 03:01:13 PM »

Quote from: xXxKrisxXx
> Hahaha, Wow I had no idea Twitter didn't have a password policy to lock an account after so many failed attempts.

Supposedly they do now. They've also implemented a timeout. We'll see.

Reluctant CISSP, Certified ASS
SynJunkie
« Reply #13 on: February 04, 2009, 03:05:32 PM »

From what I hear the timeout (I actually heard it was a capture???) acts differently depending on how you access the account, i.e. the website locks you out, fine, you can get in using your BlackBerry! A little more work needs to be done, it would seem.

----------------------------------
http://synjunkie.blogspot.com
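
Added example, not part of the original thread and not Twitter's code: one way the gap described above can arise is a failed-login counter kept per entry point instead of per account, so a lock on the website never applies to the mobile login. The class name, threshold, lock duration and channel labels are assumptions, and the event list is constructed sample data.

```python
from collections import defaultdict

MAX_FAILURES = 5      # assumed policy: lock after 5 consecutive failures
LOCK_SECONDS = 900    # assumed lock duration (15 minutes)

class Lockout:
    """Failed-login lockout, keyed per (account, channel) or per account."""

    def __init__(self, per_channel):
        self.per_channel = per_channel
        self.failures = defaultdict(int)
        self.locked_until = {}

    def _key(self, account, channel):
        # The weak variant tracks each entry point separately.
        return (account, channel) if self.per_channel else account

    def attempt(self, now, account, channel, password_ok):
        """Return 'locked', 'ok' or 'fail' for one login attempt."""
        key = self._key(account, channel)
        if self.locked_until.get(key, 0) > now:
            return "locked"              # rejected before the password is checked
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.locked_until[key] = now + LOCK_SECONDS
            self.failures[key] = 0
        return "fail"

def guesses_evaluated(policy, events):
    """Count attempts whose password was actually checked (not locked out)."""
    return sum(1 for event in events if policy.attempt(*event) != "locked")

# Constructed sample: 8 wrong passwords via "web", then 8 via "mobile",
# one attempt per second against the same account.
EVENTS = ([(t, "alice", "web", False) for t in range(8)]
          + [(t, "alice", "mobile", False) for t in range(8, 16)])

if __name__ == "__main__":
    print("per-channel counter:", guesses_evaluated(Lockout(True), EVENTS))
    print("per-account counter:", guesses_evaluated(Lockout(False), EVENTS))
```

With the per-channel counter every additional entry point grants another full set of guesses; keying the counter on the account alone closes that gap without changing the threshold.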
ciscostu
« Reply #14 on: February 05, 2009, 10:59:31 AM »

If it's good enough for Matasano, it's good enough for me-

http://www.matasano.com/log/1342/my-pentest-secret-password-guessing/

PacketProtector- OpenWrt + FreeRADIUS + OpenVPN + Snort + DansGuardian + ClamAV