Re: bruteforce attacks to GUI applications

[Alloishus BeauMains <all0i5hu5 () gmail com>]

It IS possible. No matter who wants to admit it or not.

Ever since the dawn of programming could you do in/out redirects.

Let's consider something else, chatbots that run through GUI chat
applications like MSN Messenger, or AIM. These are programs that were
created that can send text to the GUI from a database of items. It
isn't that far fetched.

Whether you use .NET or C++ or whatever programming language,
generally, if the API is there to do so, then redirecting from a
console program to a GUI is easy. The question is whether you are a
good enough programmer to do so, and those who I would consider really
good are those who can create their customized programs on the fly to
do what they need (Yeah, this is hollywood stuff.....but, there are
people that can do that!).

So, the answer to the question that was originally asked is......They
create a custom program to do so unless it is already out there. As to
your response...sure anyone will take the path of least resistance. In
the case of a web server, it is almost always easier to run attacks
against the authentication mechanism itself rather than using Internet
Explorer. That doesn't mean it does not happen that way.

Next, I am not sure I would understand why someone would want to run
it against the GUI in the situation you mentioned. If the application
is purely in Java, authenticated with Java, and all of the personal
information is Java based, then perhaps because there is no other real
option. But really wouldn't it be better, and also easier to run the
attacks against the database (Surely something like that would use a
database as the backend to store information)?

You can then take the information from the database and use it to
authenticate to the GUI.

I know you didn't ask that. I am just supplying different possibilities.

On 11/16/05, m_r_welch () tiscali co uk <m_r_welch () tiscali co uk> wrote:
> It doesn't look like that would be possible. See here:
>
> http://expect.nist.gov/FAQ.html#q23
>
> > -- Original Message --
> > Date: Wed, 16 Nov 2005 14:23:04 +0000
> > From: mike preston <mike () technomonk com>
> > To:  m_r_welch () tiscali co uk
> > Subject: Re: bruteforce attacks to GUI applications
> >
> >
> > Can't something like expect http://expect.nist.gov be used to do this?
> >
> > I'm sure I've read somewhere about it being used for both windows and
> > *nix including gui interfaces.
> >
> > Mike
> >
> > m_r_welch () tiscali co uk wrote:
> >
> > > Typically they don't. Either they attack the executable with a decompiler/dissembler
> > > and find where the password is stored, extract it and then bruteforce the
> > > encryption/hash directly, or if the gui sends the password across the network,
> > > they will aim to intercept the packets and then proceed as above, or alternatively
> > > write their own application to send brute-force forged requests against
> > the
> > > server that stores the password. The hollywood stereotype vision of usernames
> > > and passwords being automatically entered into the gui is just that - a
> > hollywood
> > > fiction.
> > >
> > >
> > >
> > > > -- Original Message --
> > > > Date: Wed, 09 Nov 2005 03:59:11 -0600
> > > > From: ework0 <ework0 () gmail com>
> > > > To: security-basics () securityfocus com
> > > > Subject: bruteforce attacks to GUI applications
> > > >
> > > >
> > > > hello, anyone know how can an intruder perform brute force attacks to
> a
> > > > GUI running application (ej: a password login) ?
> > > >
> > > > Let's assume the application is running on Java and the attacker is able
> > > > to log in locally, run GUI the application, and perform the attack from
> > > > the command shell with a wordlist, how is that possible?
> > > >
> > > > Thanks,
> > > >
> > > > ework0
> >
> > Attachment: smime.p7s
>
>
> ___________________________________________________________
>
> Tiscali Broadband from 14.99 with free setup!
> http://www.tiscali.co.uk/products/broadband/