- This topic has 16 replies, 13 voices, and was last updated 11 years, 5 months ago by
.
-
Posts
-
-
I am just curious how many people actually have sucess with this? It is time consuming right? Plus I imagine that it is quite aggressive. Any system that has logging on it should pick it up right away, of course if you are doing it ethically they should probably expect it to be in their logs.
hmmm.. just found my self asking this question and thought I would throw it up on here.
Thanks!
-
-
-
brute forcing is also situation dependent. It is something that you should probably discuss in the planning stages and make sure that it is in the scope of your pen test. You also want to discuss during this session what types of security the network has on it so that you can know what the impact is. Having yourself black-holed by an IPS or locking out a whole lot of accounts during your engagement wouldn’t be awesome.
-
-
With continued awareness about securing passowrds, I think burte forcing is becoming less attractive option. Agreed that brute forcing can give you really low hanging fruit, but you would get more out using options lile Social Engineering. pass the hash and others.
Also, with brute forcing you should remember that the attempts are logged and there is always a issue of locking out accounts.
Hope this Helps
VJ
-
Greate posts everyone!! Thanks..
@vijay2 wrote:
With continued awareness about securing passowrds, I think burte forcing is becoming less attractive option. Agreed that brute forcing can give you really low hanging fruit, but you would get more out using options lile Social Engineering. pass the hash and others.
Also, with brute forcing you should remember that the attempts are logged and there is always a issue of locking out accounts.
Hope this Helps
VJ
Ya I would be affraid of the logging and locking of passwords. Is there a more passive way to do this?
Or does it even matter since all this would have been discussed up front?
-
@seVor wrote:
Or does it even matter since all this would have been discussed up front?
Thats a very important point. I always make it very clear what I will do and the possible repercussions there might be. Sometimes this might limit you and I make that very clear also. If they limit me too much I might not even take the gig. Make everything clear and the possible problems that might result so you are totally covered. I have found those that are really concerned with security are willing to give you a lot of rope. Hopefully not enough to just hang yourself ,lol!
-
I don’t ALWAYS recommend brute force.
Yes,you will recover the password but in how much time?
Just take this eg.
A 5 character password would be recovered instantly if we consider only lowercase letters but if there is a combination of both uppercase and lowercase it will take 12min to recover it.
A 7 character lowercase password will take 4 hrs. but a combination of uppercase and lowercase would devour 23 days of your life.
A 9 character lowercase takes 4 months and a combination of uppercase and lowercase would take 178 years to crack.
And I have not taken special characters in to consideration yet.So according to me if you want to bruteforce choose a considerable amount of time and give it up if you couldn’t crack the password in that time limit.
-
@Xen wrote:
So according to me if you want to bruteforce choose a considerable amount of time and give it up if you couldn’t crack the password in that time limit.
There are always rainbow tables……
-
Bruteforcing a waste of time? Can anyone say “Twitter”!!!
http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html
Syn
-
-
@KrisTeason wrote:
Hahaha, Wow I had no idea Twitter didn’t have a password policy to lock an account after so many failed attempts.
Supposedly they do now. They’ve also implemented a timeout. We’ll see.
-
-
If it’s good enough for Matasano, it’s good enough for me-
http://www.matasano.com/log/1342/my-pentest-secret-password-guessing/
-
Actual brute forcing for getting into a system remotely or during a pen-test, I do think is a waste of time. However, a dictionary attack against the resource (e.g. load up TSGrinder with a list of passwords and usernames) is not a waste of time. 9 times out of 10 I’ve been able to get in that way (against routers, ssh, etc).
The only time I’ve really used brute force is when I _had_ to crack something (It was an encrypted home directory on a mac that someone locked up data before they were fired – got paid well for it to 🙂 Just my $0.02. -AJC
-
It depends on the goal, sometimes part of the test *is* to trigger the logging and see if anyone is paying attention behind the curtain.
Building a dictionary and using that is very handy and is a good first pass. Straight up brute forcing over the network isn’t usually effective, but it does work sometimes. Obviously it is more effective (attempts per second) when you can hammer on it locally (e.g. file decryption).
The nice thing with brute forcing is that it doesn’t take a lot of babysitting. You can let that thing run and monitor it for success.
-
- You must be logged in to reply to this topic.
