Security Basics mailing list archives
Re: bruteforce attacks to GUI applications
From: Alloishus BeauMains <all0i5hu5 () gmail com>
Date: Thu, 17 Nov 2005 08:04:16 -0600
It IS possible. No matter who wants to admit it or not. Ever since the dawn of programming could you do in/out redirects. Let's consider something else, chatbots that run through GUI chat applications like MSN Messenger, or AIM. These are programs that were created that can send text to the GUI from a database of items. It isn't that far fetched. Whether you use .NET or C++ or whatever programming language, generally, if the API is there to do so, then redirecting from a console program to a GUI is easy. The question is whether you are a good enough programmer to do so, and those who I would consider really good are those who can create their customized programs on the fly to do what they need (Yeah, this is hollywood stuff.....but, there are people that can do that!). So, the answer to the question that was originally asked is......They create a custom program to do so unless it is already out there. As to your response...sure anyone will take the path of least resistance. In the case of a web server, it is almost always easier to run attacks against the authentication mechanism itself rather than using Internet Explorer. That doesn't mean it does not happen that way. Next, I am not sure I would understand why someone would want to run it against the GUI in the situation you mentioned. If the application is purely in Java, authenticated with Java, and all of the personal information is Java based, then perhaps because there is no other real option. But really wouldn't it be better, and also easier to run the attacks against the database (Surely something like that would use a database as the backend to store information)? You can then take the information from the database and use it to authenticate to the GUI. I know you didn't ask that. I am just supplying different possibilities. On 11/16/05, m_r_welch () tiscali co uk <m_r_welch () tiscali co uk> wrote:
It doesn't look like that would be possible. See here: http://expect.nist.gov/FAQ.html#q23-- Original Message -- Date: Wed, 16 Nov 2005 14:23:04 +0000 From: mike preston <mike () technomonk com> To: m_r_welch () tiscali co uk Subject: Re: bruteforce attacks to GUI applications Can't something like expect http://expect.nist.gov be used to do this? I'm sure I've read somewhere about it being used for both windows and *nix including gui interfaces. Mike m_r_welch () tiscali co uk wrote:Typically they don't. Either they attack the executable with a decompiler/dissembler and find where the password is stored, extract it and then bruteforce the encryption/hash directly, or if the gui sends the password across the network, they will aim to intercept the packets and then proceed as above, or alternatively write their own application to send brute-force forged requests againsttheserver that stores the password. The hollywood stereotype vision of usernames and passwords being automatically entered into the gui is just that - ahollywoodfiction.-- Original Message -- Date: Wed, 09 Nov 2005 03:59:11 -0600 From: ework0 <ework0 () gmail com> To: security-basics () securityfocus com Subject: bruteforce attacks to GUI applications hello, anyone know how can an intruder perform brute force attacks toaGUI running application (ej: a password login) ? Let's assume the application is running on Java and the attacker is able to log in locally, run GUI the application, and perform the attack from the command shell with a wordlist, how is that possible? Thanks, ework0Attachment: smime.p7s___________________________________________________________ Tiscali Broadband from 14.99 with free setup! http://www.tiscali.co.uk/products/broadband/
Current thread:
- bruteforce attacks to GUI applications ework0 (Nov 09)
- RE: bruteforce attacks to GUI applications m_r_welch (Nov 15)
- RE: bruteforce attacks to GUI applications Kenton Smith (Nov 16)
- Re: bruteforce attacks to GUI applications ascii (Nov 17)
- RE: bruteforce attacks to GUI applications Kenton Smith (Nov 16)
- <Possible follow-ups>
- Re: bruteforce attacks to GUI applications m_r_welch (Nov 16)
- Re: bruteforce attacks to GUI applications Disco Jonny (Nov 17)
- Re: bruteforce attacks to GUI applications m_r_welch (Nov 16)
- Re: bruteforce attacks to GUI applications ascii (Nov 17)
- Re: bruteforce attacks to GUI applications Alloishus BeauMains (Nov 17)
- Re: bruteforce attacks to GUI applications mike preston (Nov 28)
- RE: bruteforce attacks to GUI applications m_r_welch (Nov 15)