Re: bruteforce attacks to GUI applications

[m_r_welch () tiscali co uk]

It doesn't look like that would be possible. See here:

http://expect.nist.gov/FAQ.html#q23

> -- Original Message --
> Date: Wed, 16 Nov 2005 14:23:04 +0000
> From: mike preston <mike () technomonk com>
> To:  m_r_welch () tiscali co uk
> Subject: Re: bruteforce attacks to GUI applications
>
>
> Can't something like expect http://expect.nist.gov be used to do this?
>
> I'm sure I've read somewhere about it being used for both windows and
> *nix including gui interfaces.
>
> Mike
>
> m_r_welch () tiscali co uk wrote:
>
> > Typically they don't. Either they attack the executable with a decompiler/dissembler
> > and find where the password is stored, extract it and then bruteforce the
> > encryption/hash directly, or if the gui sends the password across the network,
> > they will aim to intercept the packets and then proceed as above, or alternatively
> > write their own application to send brute-force forged requests against
> the
> > server that stores the password. The hollywood stereotype vision of usernames
> > and passwords being automatically entered into the gui is just that - a
> hollywood
> > fiction.
> >
> >
> >
> > > -- Original Message --
> > > Date: Wed, 09 Nov 2005 03:59:11 -0600
> > > From: ework0 <ework0 () gmail com>
> > > To: security-basics () securityfocus com
> > > Subject: bruteforce attacks to GUI applications
> > >
> > >
> > > hello, anyone know how can an intruder perform brute force attacks to
a
> > > GUI running application (ej: a password login) ?
> > >
> > > Let's assume the application is running on Java and the attacker is able
> > > to log in locally, run GUI the application, and perform the attack from
> > > the command shell with a wordlist, how is that possible?
> > >
> > > Thanks,
> > >
> > > ework0
>
> Attachment: smime.p7s


___________________________________________________________

Tiscali Broadband from 14.99 with free setup!
http://www.tiscali.co.uk/products/broadband/