Re: bruteforce attacks to GUI applications

[m_r_welch () tiscali co uk]

I think we may mostly be in agreement here, and it's just a small difference
in perspective. I offer my responses to these points below.

> -- Original Message --
> Date: Wed, 16 Nov 2005 08:10:09 -0500
> From: Christopher Schaefer <disks86 () gmail com>
> To: "m_r_welch () tiscali co uk" <m_r_welch () tiscali co uk>
> Subject: Re: bruteforce attacks to GUI applications
>
>
> I don't recall him asking how likely it would  be for someone to do
> that just how to do that.

I assumed that ework0 was familiar with brute-forcing command-line apps,
but could not see how to apply brute-force techniques to a gui application.
His example assumed that the GUI application has to be running before it
could be attacked. You are right in saying that attacking the protocol or
the executable is not strictly attacking the GUI, but it is how a GUI app
would be compromised. This is why I thought these were relevant issues to
be aware of in response to his question.

> As far as what an attacker would do they
> look for the weak points. your examples would be right in most cases
> but if the protocols were really well constructed but the interface
> didn't have checks against brute force attacks then it would be easier
> for them to mess with the GUI.

Is it possible to automate interaction with a GUI app? If so this is an important
option I am not familiar with, please supply me with references and links
so I can read up on the principles & practice. I look forward to having some
new bedtime reading :)

> as far as decompiling that is allot of
> work and unless they are hardcore it would be a last resort.

Disassembling/decompiling a binary executable (such as one compiled from
c/c++) is indeed very technically demanding, and would probably be a last
resort. However, ework0 specifically mentioned Java, for which there are
some very effective and easy-to-use decompilers. To my knowledge, methods
for obfuscating Java class files have not been particularly effective, and
therefore are not widely used. Therefore, decompiling is a simple and effective
option against local Java apps. A Google search will easily turn up many
java decompilers, cavaj being a freeware option that worked well for me.

> On 11/11/05, m_r_welch () tiscali co uk <m_r_welch () tiscali co uk> wrote:
> > Typically they don't. Either they attack the executable with a decompiler/dissembler
> > and find where the password is stored, extract it and then bruteforce
the
> > encryption/hash directly, or if the gui sends the password across the
network,
> > they will aim to intercept the packets and then proceed as above, or alternatively
> > write their own application to send brute-force forged requests against
> the
> > server that stores the password. The hollywood stereotype vision of usernames
> > and passwords being automatically entered into the gui is just that -
a
> hollywood
> > fiction.
> >
> > > -- Original Message --
> > > Date: Wed, 09 Nov 2005 03:59:11 -0600
> > > From: ework0 <ework0 () gmail com>
> > > To: security-basics () securityfocus com
> > > Subject: bruteforce attacks to GUI applications
> > >
> > >
> > > hello, anyone know how can an intruder perform brute force attacks to
> a

> > > GUI running application (ej: a password login) ?
> > >
> > > Let's assume the application is running on Java and the attacker is able
> > > to log in locally, run GUI the application, and perform the attack from
> > > the command shell with a wordlist, how is that possible?
> > >
> > > Thanks,
> > >
> > > ework0
> >
> >
> > ___________________________________________________________
> >
> > Tiscali Broadband from 14.99 with free setup!
> > http://www.tiscali.co.uk/products/broadband/
>
>
> --
> Freedom is not the right to do what you want but the ability to do
> what needs to be done.



___________________________________________________________

Tiscali Broadband from 14.99 with free setup!
http://www.tiscali.co.uk/products/broadband/