Security Basics mailing list archives
Re: bruteforce attacks to GUI applications
From: m_r_welch () tiscali co uk
Date: Wed, 16 Nov 2005 19:14:49 +0000
I think we may mostly be in agreement here, and it's just a small difference in perspective. I offer my responses to these points below.
-- Original Message --
Date: Wed, 16 Nov 2005 08:10:09 -0500
From: Christopher Schaefer <disks86 () gmail com>
To: "m_r_welch () tiscali co uk" <m_r_welch () tiscali co uk>
Subject: Re: bruteforce attacks to GUI applications

I don't recall him asking how likely it would be for someone to do that, just how to do that.
I assumed that ework0 was familiar with brute-forcing command-line apps, but could not see how to apply brute-force techniques to a GUI application. His example assumed that the GUI application has to be running before it could be attacked. You are right in saying that attacking the protocol or the executable is not strictly attacking the GUI, but it is how a GUI app would be compromised. This is why I thought these were relevant issues to be aware of in response to his question.
As far as what an attacker would do, they look for the weak points. Your examples would be right in most cases, but if the protocols were really well constructed but the interface didn't have checks against brute force attacks then it would be easier for them to mess with the GUI.
Is it possible to automate interaction with a GUI app? If so this is an important option I am not familiar with, please supply me with references and links so I can read up on the principles & practice. I look forward to having some new bedtime reading :)
As far as decompiling, that is a lot of work, and unless they are hardcore it would be a last resort.
Disassembling/decompiling a binary executable (such as one compiled from C/C++) is indeed very technically demanding, and would probably be a last resort. However, ework0 specifically mentioned Java, for which there are some very effective and easy-to-use decompilers. To my knowledge, methods for obfuscating Java class files have not been particularly effective, and therefore are not widely used. Therefore, decompiling is a simple and effective option against local Java apps. A Google search will easily turn up many Java decompilers, cavaj being a freeware option that worked well for me.
On 11/11/05, m_r_welch () tiscali co uk <m_r_welch () tiscali co uk> wrote:

Typically they don't. Either they attack the executable with a decompiler/disassembler and find where the password is stored, extract it and then bruteforce the encryption/hash directly, or if the GUI sends the password across the network, they will aim to intercept the packets and then proceed as above, or alternatively write their own application to send brute-force forged requests against the server that stores the password. The Hollywood stereotype vision of usernames and passwords being automatically entered into the GUI is just that - a Hollywood fiction.

-- Original Message --
Date: Wed, 09 Nov 2005 03:59:11 -0600
From: ework0 <ework0 () gmail com>
To: security-basics () securityfocus com
Subject: bruteforce attacks to GUI applications

hello, anyone know how can an intruder perform brute force attacks to a GUI running application (e.g.: a password login)? Let's assume the application is running on Java and the attacker is able to log in locally, run the GUI application, and perform the attack from the command shell with a wordlist, how is that possible? Thanks, ework0

-- Freedom is not the right to do what you want but the ability to do what needs to be done.