
Bruteforcing Without Causing a DoS

<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sat Apr 09, 2011 4:39 pm

Re: Bruteforcing Without Causing a DoS

dynamik wrote:
Chris, I do want to make it clear that my response really wasn't directed at you specifically. I respect you a great deal, and that was just kind of a random trigger for getting on my soap box. I see a lot of people talking about being covert and stealthy simply because that's how they see an ideal attack, not because it's actually practical or beneficial to either party in the context of a professional service.



Dynamik, it's all good. I think we were actually complementing each other's comments now. I'm saying don't go running through like a grain thresher through a field, you're saying don't take 3 months to do the test. :)

I just have confidence issues. Probably because I keep interviewing for Security based jobs, and end up not getting hired. But that's been par for the course of my career over the last 4 years. Interview, interview, interview. Have things said (You're our top choice, the job is yours, we don't want you for this job, but we have another we want you to do, etc), but end up getting called by HR / Head Hunter and told they went with someone else (or they drag their feet for 3 months).
OSWP, Sec+
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat Apr 09, 2011 4:46 pm

Re: Bruteforcing Without Causing a DoS

That's OK, chrisj...  For a while, I've gotten a lot of the 'overqualified' line.  Makes me feel good, on one hand, as the ones that say that HAVE truthfully acknowledged they feel that way, and not just that I'm asking for too much $$, etc.  But on the other hand, makes it tough to find something...  I feel your pain.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sat Apr 09, 2011 4:49 pm

Re: Bruteforcing Without Causing a DoS

hayabusa wrote:That's OK, chrisj...  For a while, I've gotten a lot of the 'overqualified' line.  Makes me feel good, on one hand, as the ones that say that HAVE truthfully acknowledged they feel that way, and not just that I'm asking for too much $$, etc.  But on the other hand, makes it tough to find something...  I feel your pain.


Really does make you feel like your only choice after getting over 10 years IT related experience is to branch out and go your own way. But that's not what I want to do.
OSWP, Sec+
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sat Apr 09, 2011 8:19 pm

Re: Bruteforcing Without Causing a DoS

chrisj wrote:Dynamik, it's all good. I think we were actually complementing each other's comments now. I'm saying don't go running through like a grain thresher through a field, you're saying don't take 3 months to do the test. :)


I totally agree; I just wanted to make sure nothing was misinterpreted.

Also, three months is fine as long as they're willing to pay for it ;D

Have you listened to the PaulDotCom interview with Joe McCray? They were talking about long-term penetration tests where the goal was not only to get in but keep active over the course of weeks/months while trying to avoid detection. Those types of engagements sound amazing...

chrisj wrote:I just have confidence issues. Probably because I keep interviewing for Security based jobs, and end up not getting hired. But that's been par for the course of my career over the last 4 years. Interview, interview, interview. Have things said (You're our top choice, the job is yours, we don't want you for this job, but we have another we want you to do, etc), but end up getting called by HR / Head Hunter and told they went with someone else (or they drag their feet for 3 months).


Do they give you a reason? Try and find out if they don't. You can address whatever (perceived) deficiencies once you have some direction.

Is the CISSP on your radar at all? It sounds like you'd qualify with your experience, and that might help give you a little extra momentum.

chrisj wrote:Really does make you feel like your only choice after getting over 10 years IT related experience is to branch out and go your own way. But that's not what I want to do.


That's the route I'm gravitating towards. I don't think I'm ever going to be genuinely happy working for someone else.

What doesn't appeal to you? Sales, business administration, etc.? Those aspects of such a proposition are certainly not appealing to me...
The day you stop learning is the day you start becoming obsolete.
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sat Apr 09, 2011 8:43 pm

Re: Bruteforcing Without Causing a DoS

dynamik,

CISSP is on my list. Just probably not for a year or so. Want to do some other things first. OSCP, CCNA Security, etc. I think part of it is lacking a four year college degree.


After I got burnt out on IT, while I was living off savings and going to school (other thread), I started my own business.  I specialized in networking, mostly SOHO networks and wireless networks, and Unix / Linux builds and troubleshooting. Mostly, I had people coming to me to remove viruses and the like from their windows boxes.

As for working for myself. I hate charging customers when I can't get something to work, or overcharging them more hours because I found other things that had to be fixed first before what I was hired for. Or having things go horribly wrong and taking longer than I said I would need.

I hate dealing with Quarterly Taxes, where you have to Estimate your income for the year. The lack of health insurance when you don't know how often you're going to have money to pay it, the deadbeat clients you have to sue and still get nothing from.

I hate the rubbing of elbows, self marketing, always having to be professional, having the regular staff hate you for being the hired gun / specialized troubleshooter etc.
OSWP, Sec+
<<

Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Mon Apr 11, 2011 6:59 pm

Re: Bruteforcing Without Causing a DoS

Just thought I'd let everyone know that I was able to successfully bruteforce the usernames on the site I was testing.  I was able to get 8 out of the 10 names in an hour using a dictionary list I hacked together.  For the remaining 2, it took me around 16 hours testing all possible combinations to discover them.  Looking at the traffic, my attempts looked to be a normal load... except that I did it at night, during which there is normally not much traffic at all considering we're a start-up still trying to get the word out.

I e-mailed off my findings today and we'll see if they want me to bruteforce the passwords as well, or if they'll just take my word for it and enable account lockout.
Sec+, eCPPT
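
A defender's view of what the post above describes, as an added example that is not part of the original thread: when request volume looks like normal load, the signal is how many distinct usernames one source tries and how many of them do not exist, with the off-hours share reported alongside. The log format, outcome labels, quiet-hours window and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login log (not from the thread): time, source IP, username, outcome.
SAMPLE_LOG = """\
2011-04-10T09:15:02 203.0.113.5 alice ok
2011-04-10T09:47:40 203.0.113.9 bob bad_password
2011-04-10T09:48:05 203.0.113.9 bob ok
2011-04-10T13:20:11 203.0.113.5 alice ok
2011-04-11T02:00:03 198.51.100.23 admin unknown_user
2011-04-11T02:00:41 198.51.100.23 alice bad_password
2011-04-11T02:01:17 198.51.100.23 andrew unknown_user
2011-04-11T02:01:58 198.51.100.23 bob bad_password
2011-04-11T02:02:36 198.51.100.23 brian unknown_user
2011-04-11T02:03:12 198.51.100.23 carol unknown_user
2011-04-11T02:03:49 198.51.100.23 chris unknown_user
2011-04-11T02:04:30 198.51.100.23 dave unknown_user
"""

OFF_HOURS = range(0, 6)  # assumed quiet period for this site (00:00-05:59)


def find_enumeration(log_text, min_distinct=5, min_unknown_ratio=0.5):
    """Return {ip: summary} for sources that probe many distinct usernames."""
    stats = defaultdict(lambda: {"users": set(), "unknown": 0, "total": 0, "off": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, ip, user, outcome = parts
        s = stats[ip]
        s["users"].add(user)
        s["total"] += 1
        s["unknown"] += outcome == "unknown_user"
        s["off"] += datetime.fromisoformat(ts).hour in OFF_HOURS
    flagged = {}
    for ip, s in stats.items():
        ratio = s["unknown"] / s["total"]
        # Low volume is fine; many usernames with mostly "no such user" is not.
        if len(s["users"]) >= min_distinct and ratio >= min_unknown_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "unknown_ratio": round(ratio, 2),
                           "off_hours_share": round(s["off"] / s["total"], 2)}
    return flagged


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

The two `bad_password` outcomes in the flagged source's traffic are the usernames the login form confirmed as valid, which is why a single generic failure response belongs alongside account lockout.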
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Apr 12, 2011 7:16 am

Re: Bruteforcing Without Causing a DoS

Thanks Seen for sharing your results with us, but when you say:
I was able to get 8 out of the 10 names in an hour using a dictionary list I hacked together.


It looks almost too good to me. How many requests were you making per second? How did you ensure that there was no DoS? Maybe the passwords were weak, but usually, getting 8 out of 10 passwords means something was wrong with the passwords...

A suggestion might be to tell the developers to implement strong password controls...

Anyway, if you didn't cause a DoS, congrats!!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

WCNA

Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Tue Apr 12, 2011 11:42 am

Re: Bruteforcing Without Causing a DoS

hitmonkey-

he said he got the usernames, not the passwords.

...able to successfully bruteforce the usernames
ISC2 Associate, WCNA, CWNA, OSCP, Network+
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Apr 12, 2011 12:37 pm

Re: Bruteforcing Without Causing a DoS

Oops sorry...  :P

I guess I bruteforce passwords and I enumerate usernames...  ;)
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Tue Apr 12, 2011 6:57 pm

Re: Bruteforcing Without Causing a DoS

Yeah, sorry I "enumerated" them ;) 

Since I'm probably not going to bruteforce the passwords because obtaining the usernames scared the hell out of the rest of the people in the startup, I at least wanted to say that I bruteforced something... it sounds cooler than enumerating :)
Sec+, eCPPT
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Apr 13, 2011 7:27 am

Re: Bruteforcing Without Causing a DoS

obtaining the usernames scared the hell out of the rest of the people in the startup

Good job Seen!

It's usually quite hard to make people aware of security. It seems you just successfully did that!

Keep searching for other vulnerabilities on the web site. Even if you can't exploit them, it's always good to show you didn't stop at the first "victory".

Keep up the good work!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)