.

Is brute forcing a waiste of time?

<<

seVor

User avatar

Newbie
Newbie

Posts: 8

Joined: Fri Jan 30, 2009 3:18 pm

Post Mon Feb 02, 2009 5:45 pm

Is brute forcing a waiste of time?

I am just curious how many people actually have sucess with this?  It is time consuming right? Plus I imagine that it is quite aggressive.  Any system that has logging on it should pick it up right away, of course if you are doing it ethically they should probably expect it to be in their logs. 

hmmm..  just found my self asking this question and thought I would throw it up on here.

Thanks!
“Fear is the path to the dark side. Fear leads to anger. Anger leads to hate. Hate leads to suffering.” - you should know!
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Mon Feb 02, 2009 6:08 pm

Re: Is brute forcing a waiste of time?

No not a waste of time at all. I assume you mean brute forcing in a general context. Given the proper circumstances,you might be surprised how often I have the opportunity.
<<

jason

User avatar

Hero Member
Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Mon Feb 02, 2009 6:21 pm

Re: Is brute forcing a waiste of time?

In general, it's not a waste of time. However, YMMV depending on the tools that you are using and what exactly it is that you are trying to brute force.
<<

apollo

User avatar

Full Member
Full Member

Posts: 147

Joined: Fri Apr 04, 2008 7:44 pm

Post Mon Feb 02, 2009 9:47 pm

Re: Is brute forcing a waiste of time?

brute forcing is also situation dependent.  It is something that you should probably discuss in the planning stages and make sure that it is in the scope of your pen test.  You also want to discuss during this session what types of security the network has on it so that you can know what the impact is.  Having yourself black-holed by an IPS or locking out a whole lot of accounts during your engagement wouldn't be awesome.
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
<<

sgt_mjc

Sr. Member
Sr. Member

Posts: 294

Joined: Tue Feb 05, 2008 8:34 am

Location: AL

Post Tue Feb 03, 2009 8:45 am

Re: Is brute forcing a waiste of time?

If you can grab the shadow file and run, bruting may take some time, but you will find weak passwords quickly. This can also give you clues to settign up a custom dictionay for other systems on that network. But as others pointed out, you need to be careful about bruting over a network.
Mike Conway
CISSP
CompTia Security +
C|EH
<<

vijay2

Full Member
Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Tue Feb 03, 2009 9:06 am

Re: Is brute forcing a waiste of time?

With continued awareness about securing passowrds, I think burte forcing is becoming less attractive option. Agreed that brute forcing can give you really low hanging fruit, but you would get more out using options lile Social Engineering. pass the hash and others.

Also, with brute forcing you should remember that the attempts are logged and there is always a issue of locking out accounts.

Hope this Helps

VJ 
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+
<<

seVor

User avatar

Newbie
Newbie

Posts: 8

Joined: Fri Jan 30, 2009 3:18 pm

Post Tue Feb 03, 2009 1:57 pm

Re: Is brute forcing a waiste of time?

Greate posts everyone!! Thanks..

vijay2 wrote:With continued awareness about securing passowrds, I think burte forcing is becoming less attractive option. Agreed that brute forcing can give you really low hanging fruit, but you would get more out using options lile Social Engineering. pass the hash and others.

Also, with brute forcing you should remember that the attempts are logged and there is always a issue of locking out accounts.

Hope this Helps

VJ 



Ya I would be affraid of the logging and locking of passwords.  Is there a more passive way to do this? 

Or does it even matter since all this would have been discussed up front?
“Fear is the path to the dark side. Fear leads to anger. Anger leads to hate. Hate leads to suffering.” - you should know!
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Tue Feb 03, 2009 2:21 pm

Re: Is brute forcing a waiste of time?

seVor wrote:
Or does it even matter since all this would have been discussed up front?


Thats a very important point. I always make it very clear what I will do and  the possible repercussions there might be. Sometimes this might limit you and I make that very clear also. If they limit me too much I might not even take the gig. Make everything clear and the possible problems that might result so you are totally covered. I have found those that are really concerned with security are willing to give you a lot of rope. Hopefully not enough to just hang yourself ,lol!
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Wed Feb 04, 2009 10:03 am

Re: Is brute forcing a waiste of time?

I don't ALWAYS recommend brute force.
Yes,you will recover the password but in how much time?
Just take this eg.
A 5 character password would be recovered instantly if we consider only lowercase letters but if there is a combination of both uppercase and lowercase it will take 12min to recover it.
A 7 character lowercase password will take 4 hrs. but a combination of uppercase and lowercase would devour 23 days of your life.
A 9 character lowercase takes 4 months and a combination of uppercase and lowercase would take 178 years to crack.
And I have not taken special characters in to consideration yet.

So according to me if you want to bruteforce choose a considerable amount of time and give it up if you couldn't crack the password in that time limit.
<<

sgt_mjc

Sr. Member
Sr. Member

Posts: 294

Joined: Tue Feb 05, 2008 8:34 am

Location: AL

Post Wed Feb 04, 2009 11:28 am

Re: Is brute forcing a waiste of time?

Xen wrote:So according to me if you want to bruteforce choose a considerable amount of time and give it up if you couldn't crack the password in that time limit.


There are always rainbow tables......
Mike Conway
CISSP
CompTia Security +
C|EH
<<

SynJunkie

Jr. Member
Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Wed Feb 04, 2009 3:42 pm

Re: Is brute forcing a waiste of time?

Bruteforcing a waste of time?  Can anyone say "Twitter"!!!

http://blog.wired.com/27bstroke6/2009/0 ... twitt.html

Syn
----------------------------------
http://synjunkie.blogspot.com
<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 531

Joined: Sat Sep 08, 2007 7:48 pm

Post Wed Feb 04, 2009 3:55 pm

Re: Is brute forcing a waiste of time?

Hahaha, Wow I had no idea Twitter didn't have a password policy to lock an account after so many failed attempts. This is a good example / wake up call for people to enforce strong passwords, password was happiness, come on that's on everybody's dictionary list.
<<

oneeyedcarmen

User avatar

Full Member
Full Member

Posts: 233

Joined: Thu Jul 05, 2007 2:13 pm

Location: Baltimore, MD USA

Post Wed Feb 04, 2009 4:01 pm

Re: Is brute forcing a waiste of time?

KrisTeason wrote:Hahaha, Wow I had no idea Twitter didn't have a password policy to lock an account after so many failed attempts.


Supposedly they do now. They've also implemented a timeout. We'll see.
Reluctant CISSP, Certified ASS
<<

SynJunkie

Jr. Member
Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Wed Feb 04, 2009 4:05 pm

Re: Is brute forcing a waiste of time?

from what i hear the timeout (i actually heard it was a capture???) acts differently depending on how you access the account, i.e the wbsite locks you out, fine you can get in using your blackberry! a little more work needs to done it would seem.
----------------------------------
http://synjunkie.blogspot.com
<<

ciscostu

Newbie
Newbie

Posts: 11

Joined: Sun Dec 16, 2007 8:54 pm

Post Thu Feb 05, 2009 11:59 am

Re: Is brute forcing a waiste of time?

If it's good enough for Matasano, it's good enough for me-

http://www.matasano.com/log/1342/my-pen ... -guessing/
PacketProtector- OpenWrt + FreeRADIUS + OpenVPN + Snort + DansGuardian + ClamAV
Next

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software