This topic has 16 replies, 13 voices, and was last updated 12 years ago by timmedin.
-
February 2, 2009 at 10:45 pm #3274
seVor
I am just curious how many people actually have success with this? It is time consuming, right? Plus I imagine that it is quite aggressive. Any system that has logging on it should pick it up right away; of course, if you are doing it ethically, they should probably expect it to be in their logs.
Hmm... I just found myself asking this question and thought I would throw it up on here.
Thanks!
-
February 2, 2009 at 11:08 pm #21699
Kev
No, not a waste of time at all. I assume you mean brute forcing in a general context. Given the proper circumstances, you might be surprised how often I have the opportunity.
-
February 2, 2009 at 11:21 pm #21700
jason
In general, it’s not a waste of time. However, YMMV depending on the tools that you are using and what exactly it is that you are trying to brute force.
-
February 3, 2009 at 2:47 am #21701
apollo
Brute forcing is also situation dependent. It is something that you should probably discuss in the planning stages, and make sure that it is in the scope of your pen test. You also want to discuss during this session what types of security the network has on it, so that you know what the impact is. Having yourself black-holed by an IPS or locking out a whole lot of accounts during your engagement wouldn’t be awesome.
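An added example, not code from this thread, of the control apollo's warning calls for: a password-spray planner that never lets a single account reach the lockout threshold. The lockout policy (3 failures, 30-minute reset), the user list, the password list and the "known-good" credentials that stand in for the target are all constructed for illustration. Each batch tries threshold - 1 passwords against every account, then waits a full reset window before the next batch, which stays safe whether the target counts failures in a sliding window or clears the counter after an idle period.

```python
# Added example, not code from the thread: a lockout-aware password spray planner.
# The policy, users, passwords and simulated credentials below are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int        # failures that lock the account
    reset_seconds: float  # idle time after the last failure before the counter clears


@dataclass(frozen=True)
class Attempt:
    at: float      # seconds after the start of the spray
    user: str
    password: str


def plan_spray(users: Sequence[str], passwords: Sequence[str],
               policy: LockoutPolicy, per_attempt_seconds: float = 1.0) -> List[Attempt]:
    """Schedule attempts so no account ever accumulates `threshold` failures.

    Each batch tries (threshold - 1) passwords against every user, one password
    at a time across the whole user list, then pauses a full reset window.
    That is safe under both common lockout models: a sliding window over the
    last `reset_seconds`, and a counter that clears after `reset_seconds` idle.
    """
    if policy.threshold < 2:
        raise ValueError("a threshold below 2 leaves no safe attempts per batch")
    safe_per_batch = policy.threshold - 1
    plan: List[Attempt] = []
    t = 0.0
    for start in range(0, len(passwords), safe_per_batch):
        for password in passwords[start:start + safe_per_batch]:
            for user in users:
                plan.append(Attempt(t, user, password))
                t += per_attempt_seconds
        t += policy.reset_seconds  # let every counter clear before the next batch
    return plan


def worst_case_failures(plan: Sequence[Attempt], policy: LockoutPolicy) -> int:
    """Longest run of failures any user would see without a reset-sized gap.

    Assumes every attempt fails, which is the pessimistic case for lockout.
    """
    times: Dict[str, List[float]] = {}
    for a in plan:
        times.setdefault(a.user, []).append(a.at)
    worst = 0
    for ts in times.values():
        ts.sort()
        run = 1
        worst = max(worst, run)
        for prev, cur in zip(ts, ts[1:]):
            run = run + 1 if cur - prev <= policy.reset_seconds else 1
            worst = max(worst, run)
    return worst


def run_spray(plan: Sequence[Attempt],
              try_login: Callable[[str, str], bool]) -> Tuple[Dict[str, str], int]:
    """Execute the plan against `try_login`, skipping accounts already cracked.

    Returns (found credentials, number of attempts actually made). Sleeping is
    left out so the example runs instantly; a real runner would wait until
    `attempt.at` before each call.
    """
    found: Dict[str, str] = {}
    made = 0
    for a in plan:
        if a.user in found:
            continue
        made += 1
        if try_login(a.user, a.password):
            found[a.user] = a.password
    return found, made


# Constructed data for illustration only.
USERS = ["alice", "bob", "carol"]
PASSWORDS = ["Winter2009!", "Password1", "Welcome1", "happiness"]
POLICY = LockoutPolicy(threshold=3, reset_seconds=30 * 60)
_SIMULATED_CREDS = {"bob": "Password1", "carol": "happiness"}


def simulated_login(user: str, password: str) -> bool:
    """Stand-in for the target service; no network involved."""
    return _SIMULATED_CREDS.get(user) == password


def demo():
    plan = plan_spray(USERS, PASSWORDS, POLICY)
    found, made = run_spray(plan, simulated_login)
    return plan, found, made, worst_case_failures(plan, POLICY)


if __name__ == "__main__":
    plan, found, made, worst = demo()
    print(f"{len(plan)} scheduled, {made} made, worst-case failures per account: {worst}")
    for user, pw in found.items():
        print(f"  {user}: {pw}")
```

The `worst_case_failures` check is the part worth keeping around: run it against any schedule before the engagement and confirm the result is strictly below the threshold you agreed with the client, using the real reset period from their policy rather than a guess.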
-
February 3, 2009 at 1:45 pm #21702
Michael J. Conway
If you can grab the shadow file and run, bruting may take some time, but you will find weak passwords quickly. This can also give you clues to setting up a custom dictionary for other systems on that network. But as others pointed out, you need to be careful about bruting over a network.
-
February 3, 2009 at 2:06 pm #21703
vijay2
With continued awareness about securing passwords, I think brute forcing is becoming a less attractive option. Agreed that brute forcing can give you really low-hanging fruit, but you would get more out of using options like social engineering, pass the hash and others.
Also, with brute forcing you should remember that the attempts are logged and there is always an issue of locking out accounts.
Hope this helps
VJ
-
February 3, 2009 at 6:57 pm #21704
seVor
Great posts everyone!! Thanks..
@vijay2 wrote:
With continued awareness about securing passwords, I think brute forcing is becoming a less attractive option. Agreed that brute forcing can give you really low-hanging fruit, but you would get more out of using options like social engineering, pass the hash and others.
Also, with brute forcing you should remember that the attempts are logged and there is always an issue of locking out accounts.
Hope this helps
VJ
Yeah, I would be afraid of the logging and locking of passwords. Is there a more passive way to do this?
Or does it even matter since all this would have been discussed up front?
-
February 3, 2009 at 7:21 pm #21705
Kev
@seVor wrote:
Or does it even matter since all this would have been discussed up front?
That’s a very important point. I always make it very clear what I will do and the possible repercussions there might be. Sometimes this might limit you, and I make that very clear also. If they limit me too much I might not even take the gig. Make everything clear, and the possible problems that might result, so you are totally covered. I have found those that are really concerned with security are willing to give you a lot of rope. Hopefully not enough to just hang yourself, lol!
-
February 4, 2009 at 3:03 pm #21706
Xen
I don’t ALWAYS recommend brute force.
Yes, you will recover the password, but in how much time?
Just take this example.
A 5 character password would be recovered instantly if we consider only lowercase letters, but if there is a combination of both uppercase and lowercase it will take 12 min to recover it.
A 7 character lowercase password will take 4 hrs, but a combination of uppercase and lowercase would devour 23 days of your life.
A 9 character lowercase takes 4 months, and a combination of uppercase and lowercase would take 178 years to crack.
And I have not taken special characters into consideration yet. So according to me, if you want to brute force, choose a considerable amount of time and give it up if you couldn’t crack the password in that time limit.
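As an added worked example (not part of Xen's post or anyone's in this thread): the figures quoted above (12 min, 4 hrs, 23 days, 4 months, 178 years) are all consistent with an exhaustive search at roughly 500,000 guesses per second, which is the assumed rate in the script below. It computes the keyspace for a given length and character set and the worst-case time to exhaust it; the expected time is about half that, the rate against a live service is orders of magnitude lower than offline cracking of a captured hash, and the `lengths_for_budget` helper turns the "choose a time limit" advice into the longest length worth attempting at all.

```python
# Added example, not from the thread: exhaustive-search cost for a fixed-length
# password. GUESSES_PER_SECOND is an assumption; it is the rate that reproduces
# the figures quoted above (52^5 / 500,000 per second is about 12 minutes).
import string

CHARSETS = {
    "lower": string.ascii_lowercase,                                         # 26
    "mixed": string.ascii_letters,                                           # 52
    "mixed+digits": string.ascii_letters + string.digits,                    # 62
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94
}
GUESSES_PER_SECOND = 500_000  # assumed cracking rate, see lead-in


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidates of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(length: int, charset_size: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; expect about half on average."""
    return keyspace(length, charset_size) / rate


def human(seconds: float) -> str:
    """Render a duration in its largest whole unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return "under a second"


def estimate(length: int, charset: str, rate: float = GUESSES_PER_SECOND):
    """Return (seconds, readable) for brute forcing `length` chars of `charset`."""
    secs = seconds_to_exhaust(length, len(CHARSETS[charset]), rate)
    return secs, human(secs)


def lengths_for_budget(budget_seconds: float, charset: str,
                       rate: float = GUESSES_PER_SECOND) -> int:
    """Longest length that can still be exhausted within the time budget."""
    n = 0
    while seconds_to_exhaust(n + 1, len(CHARSETS[charset]), rate) <= budget_seconds:
        n += 1
    return n


if __name__ == "__main__":
    for length in (5, 7, 9):
        for name in CHARSETS:
            print(f"{length} chars, {name:13s}: {estimate(length, name)[1]}")
    print("mixed-case length reachable in a weekend:",
          lengths_for_budget(48 * 3600, "mixed"))
```

Swap in your own measured rate for `GUESSES_PER_SECOND` (a hash-cracking benchmark for offline work, the observed responses per second for an online target) before trusting any of the numbers; the shape of the curve is what matters, not the constant.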
-
February 4, 2009 at 4:28 pm #21707
Michael J. Conway
@Xen wrote:
So according to me, if you want to brute force, choose a considerable amount of time and give it up if you couldn’t crack the password in that time limit.
There are always rainbow tables...
-
February 4, 2009 at 8:42 pm #21708
SynJunkie
Brute forcing a waste of time? Can anyone say “Twitter”!!!
http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html
Syn
-
February 4, 2009 at 8:55 pm #21709
KrisTeason
Hahaha, wow, I had no idea Twitter didn’t have a password policy to lock an account after so many failed attempts. This is a good example / wake-up call for people to enforce strong passwords. The password was “happiness”; come on, that’s on everybody’s dictionary list.
-
February 4, 2009 at 9:01 pm #21710
oneeyedcarmen
@KrisTeason wrote:
Hahaha, wow, I had no idea Twitter didn’t have a password policy to lock an account after so many failed attempts.
Supposedly they do now. They’ve also implemented a timeout. We’ll see.
-
February 4, 2009 at 9:05 pm #21711
SynJunkie
From what I hear, the timeout (I actually heard it was a CAPTCHA???) acts differently depending on how you access the account, i.e. the website locks you out, fine, but you can get in using your BlackBerry! A little more work needs to be done, it would seem.
-
February 5, 2009 at 4:59 pm #21712
ciscostu
If it’s good enough for Matasano, it’s good enough for me:
http://www.matasano.com/log/1342/my-pentest-secret-password-guessing/
-
February 6, 2009 at 3:23 am #21713
acj
Actual brute forcing for getting into a system remotely or during a pen test, I do think is a waste of time. However, a dictionary attack against the resource (e.g. load up TSGrinder with a list of passwords and usernames) is not a waste of time. 9 times out of 10 I’ve been able to get in that way (against routers, SSH, etc.).
The only time I’ve really used brute force is when I _had_ to crack something (it was an encrypted home directory on a Mac that someone locked up data in before they were fired; got paid well for it too :) ). Just my $0.02. -AJC
-
February 14, 2009 at 1:08 am #21714
timmedin
It depends on the goal; sometimes part of the test *is* to trigger the logging and see if anyone is paying attention behind the curtain.
Building a dictionary and using that is very handy and is a good first pass. Straight-up brute forcing over the network isn’t usually effective, but it does work sometimes. Obviously it is more effective (attempts per second) when you can hammer on it locally (e.g. file decryption).
The nice thing with brute forcing is that it doesn’t take a lot of babysitting. You can let that thing run and monitor it for success.