Vulnerability Development mailing list archives
[fx () phenoelit de: Re: Making 'vncrack' useful once again?]
From: FX <fx () phenoelit de>
Date: Fri, 20 Sep 2002 11:28:04 +0200
Resend due to issue with security-focus.com ;-)

----- Forwarded message from FX <fx () phenoelit de> -----

Hi Kevin, Hi list,

kadokev () msg net <kadokev () msg net> wrote in 1.8K bytes:
> The current "too-many" mechanism in the VNC server is not an insurmountable obstacle. Currently, the code only tracks authentication failures within a single TCP session. If the brute-force program makes 5 tries, then closes and uses a new TCP session for the next set of 5, the delay routines will never be triggered. This simple change significantly improves the usefulness of vncrack against servers with the current "brute-force resistance" algorithm.
If you look at line 210 of vncrack.c and lines 332-334, you will notice that indeed we close the connection every time we tried a password. So yes, this idea was implemented right from the beginning, and the VNC server tracks it by IP address and not by connection.
> For example, it is simple to route a "/24" (Class-C) subnet to a single host, giving that machine 254+ possible source IPs that it can use when binding the local end of an outgoing TCP session. If the attack software switches between source addresses whenever the remote server starts to return a 'too-many' error, then instead of slowing down the attack because I need to sleep() until the server is willing to talk to me again, I can just use a different TCP session with a new source IP for the next 5 attempts, and so on.
This could work, but is (in my little opinion, whatever that's worth) of limited use. The implementation is quite simple and you don't even have to modify your network's router. Using the IP addresses and answering ARP requests for them is enough. Now, taking into account what we are trying to do here (break into VNC), it has some requirements besides the increased code complexity:

- You have to have a number of unused IP addresses in your local subnet
- You cannot use it through a NAT device (reduces everything back to 1 addr)
- By the time your last IP address got blocked, the first one should be allowed again.

Now, my math is not very good, but from what I see, you have 253*5 attempts free (= 1265) in an ideal /24 network, which looks good. But 5 or 6 attempts take about 0.5 sec. That means, after 126.5 seconds (or 2 minutes) your first blocked IP address should be allowed again. Change the server code (or the config if supported in the future) to block for 5 minutes, and all the effort was wasted.

I'm not saying this is a bad idea and I certainly appreciate that you think about it, but I still believe it's simpler to grab the relevant Registry part and decrypt this password (worked for many VNC users with lost passwords). If you (or someone else) feels like trying this idea, the relevant code for impersonating multiple IP addresses can be ripped off the ARP0c code (http://www.phenoelit.de/arpoc/) or similar tools.

peace,
FX

----- End forwarded message -----

-- 
FX <fx () phenoelit de> Phenoelit (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
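As an added illustration of the server-side arithmetic in FX's reply (example code, not part of the thread, vncrack or any VNC server), the following models a per-source-address lockout of the kind he describes, with an injectable clock so the numbers from the mail can be checked: 253 addresses, 5 tries each, about 0.5 s per batch. The class and function names and the RFC 5737 test addresses are assumptions; the point it makes is that the lockout duration must exceed pool size times time per batch (126.5 s here) or the first address is free again by the time the last one is blocked, while a 5-minute lockout is not.

```python
import time
from collections import defaultdict

class SourceLockout:
    """Failure tracker keyed on client IP, not on TCP connection, as FX says
    the VNC server does: max_failures failures lock the source for lockout_seconds."""

    def __init__(self, max_failures=5, lockout_seconds=300.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                  # injectable so a test can fake time
        self.failures = defaultdict(int)
        self.locked_until = {}

    def allowed(self, source_ip):
        """True if the server should still accept attempts from this source."""
        until = self.locked_until.get(source_ip)
        if until is None:
            return True
        if self.clock() >= until:           # lockout expired: count afresh
            del self.locked_until[source_ip]
            self.failures.pop(source_ip, None)
            return True
        return False

    def record_failure(self, source_ip):
        """Count one failed authentication; returns True if this locks the source."""
        self.failures[source_ip] += 1
        if self.failures[source_ip] >= self.max_failures:
            self.locked_until[source_ip] = self.clock() + self.lockout_seconds
            return True
        return False

def min_lockout_seconds(pool_size, seconds_per_batch):
    """Shortest lockout that keeps the first of pool_size addresses blocked
    until the client has spent seconds_per_batch on every other address."""
    return pool_size * seconds_per_batch

def first_address_free_again(pool_size, tries_per_batch, seconds_per_batch, lockout_seconds):
    """Drive the tracker with a fake clock: a client burns tries_per_batch
    failures on each address in turn (constructed 192.0.2.0/24 test addresses)
    and we ask whether the first address is already unlocked afterwards."""
    now = [0.0]
    tracker = SourceLockout(tries_per_batch, lockout_seconds, clock=lambda: now[0])
    for i in range(pool_size):
        ip = "192.0.2.%d" % (i + 1)
        for _ in range(tries_per_batch):
            tracker.record_failure(ip)
        now[0] += seconds_per_batch
    return tracker.allowed("192.0.2.1")
```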