Penetration Testing mailing list archives

Re: [PEN-TEST] War Dialers, Brute Force, etc.


From: Greg <greg () HOOBIE NET>
Date: Wed, 6 Sep 2000 15:28:46 +0100

I started to add MS RAS brute forcing in the first version of Brutus but
never finished it. Seemed to have limited usefulness.

As far as other dial up bruting goes, I suppose the actual chat script would
work the same for COM ports as it would for a TCP port e.g.

+Open COM1
wait for 'OK'
send ATDT xxx xxxxxxx
wait for 'CONNECT'
send CRLF
wait for 'ogin:'
send USERNAME
wait for 'assword:'
send PASSWORD
wait for 'welcome' else goto send username
+Success!

So it wouldn't be big grief to add such functionality...

...One day

G

----- Original Message -----
From: "iNature - David Martin" <david () INATURE COM AU>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Saturday, May 06, 2000 2:39 AM
Subject: Re: [PEN-TEST] War Dialers, Brute Force, etc.


If I remember correctly, I think it does, but I don't use that aspect of it;
mainly I do network testing. I can't check right now, but there is a version
two out right now which is impressive, and I do believe it does have that
functionality. I haven't been home for a few days (occupational hazard :)).

But yeah, a version 2 is out.

Dave

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Meritt, Jim
Sent: Tuesday, September 05, 2000 8:56 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] War Dialers, Brute Force, etc.


The Brutus I have doesn't perform dial-ups.  Well, if it does, I don't know
how.  Is there a way to make it do it, or is there a version out now that
does?

Thanks!

Jim
_______________________
The opinions expressed above are my own.  The facts simply are and belong
to none.
James W. Meritt, CISSP, CISA
Senior Information Systems Security and Audit Analyst, Information
Assurance Center of Excellence
Wang Government Services, Inc.


-----Original Message-----
From: iNature - David Martin [mailto:david () INATURE COM AU]
Sent: Thursday, June 15, 2000 8:51 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: War Dialers, Brute Force, etc.


Brutus is a great piece of software.
It has thread control and single and multiple user mode.
I use it a lot. It is a work in progress and has a few bugs,
but generally it's great.
The URL is www.hoobie.net/brutus (I think).

Dave

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Dawes, Rogan
Sent: Monday, September 04, 2000 8:09 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] War Dialers, Brute Force, etc.


One such tool is brutus.

It allows you to design your own chat script that you can use to perform
the brute force attack.  It comes with predefined scripts for telnet, POP,
imap, smb, ftp, etc., I recall.

Seems OK.

Rogan

-----Original Message-----
From: Vanja Hrustic [mailto:vanja () RELAYGROUP COM]
Sent: Sunday, September 03, 2000 5:42 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] War Dialers, Brute Force, etc.


On Fri, 1 Sep 2000, Todd Beebe wrote:

Toneloc is good for finding modems.  But, the value of the commercial
products (both TeleSweep Secure and PhoneSweep) is the username/password
guessing (read vulnerability testing).

Now that you mention this...

I wonder if there are any commercial tools that enable you to do
'extensive' (I don't know if this is the good word :) brute force against
remote systems? I'm not talking about "dial a modem and guess user/pass"
only. I'm talking about brute-force against various services (POP3,
telnet, etc.), finding valid users (finger, SMTP using expn or 'rcpt to:',
using '~username' on web servers, etc.), 'bouncing'...

For example:

During the test, you manage to get into a switch that was 'forgotten', and
you can use it to connect to systems behind the firewall (I'm not
inventing this, so no flames, please :).

Now, in order to do brute force, you *must* connect through that switch -
you can't connect directly. Are there any commercial tools that provide
'features' like this, where one needs to establish 1 or more sessions to
remote host(s) before actually running brute force?

Or, you dial into some terminal server (or whatever), and from there you
can connect to the remote system in order to perform brute-force.

Or, if there is a badly configured proxy server that will let you connect
to 'internal' systems using CONNECT (or GET), and from there you can start
brute force.

Simply, are there any tools that can take advantage of all the
'misconfigurations' on the remote network, or do all the tools assume that
you will just brute-force the 1st system you connect to?

Also, how do all those 'commercial' (well, let's say "proprietary" - it
doesn't have to be commercial, but the important thing is that you can't
modify it easily) tools determine what kind of dictionary they should use?
Does the person who runs the tool need to choose before the brute force
starts, or ... ? Does the tool choose it based on banners, maybe? I ask
that for a silly reason - I used to modify /bin/login (for fun only, long
ago, but I know that some people are still doing things like this :) so
that when you connect to the UNIX box and try to login, you'll see
something like (and hear a 'beep' as well ;):

Welcome to VAX/VMS 5.5 on node WHATEVER

Username: TEST
Password:
User authorization failure
Username:
etc...

What would an 'automated' tool do in this case? (try to send CTRL+Z
first? ;)

My (well, I should say "our" :) 'choice' for all brute-forcing tools is -
Perl (plus IO::Socket and a few other modules, when/if needed). But again,
for me it's more important "what dictionary I'm using" than "what tool I'm
using" :)

I wonder what other people are using :)

Thanks.

Vanja Hrustic
The Relay Group
http://relaygroup.com