Bugtraq mailing list archives
Firewall-1 session agent 3.0 -> 4.1, dictionnary and brute force attack
From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Tue, 15 Aug 2000 19:54:57 GMT
hi,

every session agent from 3.0 to 4.1 (4.1 included, all platforms) is vulnerable to a brute force and dictionary style password attack.

While authenticating a user through his port 261, firewall modules send a "331 User:" string to the agent, wait for an answer, and then reply with a "220 User .... not found" directly followed by "530 NOTOK" if the username doesn't match the user database. If the username exists, the firewall will simply reply "331 *FireWall-1 password:" before waiting for a pass value.

So, the same weakness as in the old version of unix's login: we can know if a username is or isn't.

Try #nc -l -p 261 on your workstation, then connect to an outside service that needs session authentication.

Because firewall-1 doesn't close the connection just after a mistaken username or password submission and seems to wait indefinitely for a correct entry, it should be really efficient to mount such an attack.

Usernames and passwords are up to 8 chars in length and are usually built on some logical rules (typically based on first and last names for usernames and more generally on dictionary words). A C or perl program with a dictionary, trying permutations onto each word, should be able to quickly recover many corporate accounts. This program would be a little daemon, and would have to send a spoofed request to outside before each connection; finally it should be able to accept a significant number of simultaneous connections to increase its chances of success.

I don't have right now the time to make the code.

Just verify your passwords are hard enough, in the same way u already did it with your unix passwords. And for those who have a 4.1 firewall module, just use encryption.

Have a nice day

Gregory Duchemin
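The exchange described in the post, modelled as an added example (not code from the post or from Check Point): a constructed user database, the session-agent dialogue on TCP/261 in the reported form (unknown usernames answered with "220 User ... not found" and "530 NOTOK", known ones with "331 *FireWall-1 password:", connection never closed), and beside it a hardened handler that prompts for a password whether or not the user exists, gives one uniform failure reply, and closes after a few failures. The "230 OK" success code, the "421" close message, the re-prompt with "331 User:" after a failure, the MAX_FAILURES value and the password hashing scheme are assumptions, since the post does not describe them.

```python
# Added example, not from the original post: a model of the FireWall-1
# session-agent exchange on port 261, vulnerable form beside a hardened form.
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed user database: username -> salted SHA-256 of the password.
# The hashing scheme is an assumption; the real agent's storage is not described.
SALT = b"example-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


USERS = {
    "jsmith": _hash("s3cret", SALT),
    "mdupont": _hash("pa55word", SALT),
}

MAX_FAILURES = 3  # hardened agent closes after this many bad attempts (assumed value)


@dataclass
class Session:
    username: str = ""
    awaiting_password: bool = False
    failures: int = 0
    closed: bool = False
    transcript: list = field(default_factory=list)


def _password_ok(username: str, password: str) -> bool:
    stored = USERS.get(username)
    candidate = _hash(password, SALT)
    # Always compute the candidate hash so timing does not depend on user existence.
    return stored is not None and hmac.compare_digest(stored, candidate)


def vulnerable_agent(s: Session, line: str) -> list:
    """Behaviour reported in the post: an unknown username gets '220 ... not found'
    plus '530 NOTOK', a known one is asked for a password, and the connection stays
    open after any failure (the '331 User:' re-prompt is an assumption)."""
    if not s.awaiting_password:
        if line not in USERS:
            return [f"220 User {line} not found", "530 NOTOK", "331 User:"]
        s.username, s.awaiting_password = line, True
        return ["331 *FireWall-1 password:"]
    s.awaiting_password = False
    if _password_ok(s.username, line):
        return ["230 OK"]  # success reply is an assumption
    return ["530 NOTOK", "331 User:"]


def hardened_agent(s: Session, line: str) -> list:
    """Same dialogue, but the username alone is never confirmed or denied, every
    failure gets the same reply, and the connection closes after MAX_FAILURES."""
    if not s.awaiting_password:
        s.username, s.awaiting_password = line, True
        return ["331 *FireWall-1 password:"]  # prompt whether or not the user exists
    s.awaiting_password = False
    if _password_ok(s.username, line):
        return ["230 OK"]
    s.failures += 1
    if s.failures >= MAX_FAILURES:
        s.closed = True
        return ["530 NOTOK", "421 Closing connection"]  # 421 reply is an assumption
    return ["530 NOTOK", "331 User:"]


def run(agent, client_lines: list) -> Session:
    """Drive one session; the server speaks first with '331 User:'."""
    s = Session()
    s.transcript.append(("S", "331 User:"))
    for line in client_lines:
        if s.closed:
            break
        s.transcript.append(("C", line))
        for reply in agent(s, line):
            s.transcript.append(("S", reply))
    return s


def first_reply(agent, username: str) -> list:
    """The server's replies to a username on its own."""
    return agent(Session(), username)


def reveals_user_existence(agent) -> bool:
    """Design check: does the reply to a known username differ from an unknown one?"""
    return first_reply(agent, "jsmith") != first_reply(agent, "nosuchuser")


if __name__ == "__main__":
    for name, agent in (("vulnerable", vulnerable_agent), ("hardened", hardened_agent)):
        print(f"--- {name}: username existence revealed = {reveals_user_existence(agent)}")
        for who, text in run(agent, ["nosuchuser", "x", "jsmith", "s3cret"]).transcript:
            print(f"{who}> {text}")
```

Running the block prints both transcripts side by side: the vulnerable handler answers "nosuchuser" differently from "jsmith" on the first line, while the hardened one gives the same "331 *FireWall-1 password:" prompt in both cases and, unlike the reported behaviour, drops the connection after a handful of failures instead of waiting indefinitely.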
Current thread:
- Firewall-1 session agent 3.0 -> 4.1, dictionnary and brute force attack gregory duchemin (Aug 16)
- Re: Firewall-1 session agent 3.0 -> 4.1,dictionnary and brute force attack Nelson Brito (Aug 18)