Penetration Testing mailing list archives
Re: passw0rd trial limit
From: "Eliah Kagan" <degeneracypressure () gmail com>
Date: Sat, 24 Jun 2006 12:50:08 -0800
On 6/23/06, ceyhun wrote:
but the problem is when a user enters a wrong passw0rd more than five times he/she can only log in about 2 hours later
It probably violates your agreement with the site owner as a pen-tester to do this (and for good reason), but here's what you could do if your only goal were to get into the site (and what you may wish to warn your client about the possibility of): Write a script that keeps all the users locked out at all times by "attempting" to log in with an incorrect password. As your IP is banned, use another IP, progressively (you may or may not have the resources to do this). You have just DOSed their site, and they must modify the configuration to allow legitimate users to use the site again. They will probably simply remove the lockout (they'll do lots of other things too, but I mean in terms of changing their configuration)--then brute force the logins.

This illustrates the problem with any system that allows any person in the world to deny access to any user, knowing the user's logon name. A better way to prevent brute force attacks is to have some password complexity requirements and progressively **slow down** response time for a user / from an IP as there are more failed login attempts for that user or from that IP. This prevents brute forcing, and makes it so that the worst an anonymous attacker can do to a user is to add an annoying several seconds to the time it takes to log in.

By the way, for this application, no matter how you play it, you will probably be better off using a dictionary attack than a brute force attack, at least at first.

-Eliah
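The progressive slow-down Eliah describes, as an added example that is not part of the original post or of any product it mentions: failed attempts are tracked per username and per client IP in a sliding window, and each further attempt is held for an exponentially growing delay (capped) instead of locking the account. The class and function names, the window, and the delay schedule are assumptions chosen for illustration; a real deployment would persist the counters in shared storage and tune the thresholds.

```python
"""Progressive login throttling keyed by username and by client IP.

Added example (not from the mailing-list post). Thresholds below are
illustrative assumptions, not recommendations from the post.
"""
import re
import time
from collections import defaultdict, deque


class FailureTracker:
    """Counts recent failures per key and maps the count to a response delay.

    Nothing is ever locked: the worst an anonymous party can inflict on a
    victim key is max_delay seconds per attempt, while a brute-force run
    against that key is slowed to one guess per max_delay seconds.
    """

    def __init__(self, window_seconds=900, free_attempts=2,
                 base_delay=1.0, max_delay=30.0):
        self.window = window_seconds        # failures older than this are forgotten
        self.free_attempts = free_attempts  # honest typos before any delay
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, key, now=None):
        now = time.monotonic() if now is None else now
        self._prune(key, now)
        self._failures[key].append(now)

    def record_success(self, key):
        # A successful login clears the history for that key.
        self._failures.pop(key, None)

    def recent_failures(self, key, now=None):
        now = time.monotonic() if now is None else now
        self._prune(key, now)
        return len(self._failures[key])

    def delay_for(self, key, now=None):
        """Seconds to hold the next response: 0 for the free attempts, then
        base_delay * 2**k for the k-th excess failure, capped at max_delay."""
        excess = self.recent_failures(key, now) - self.free_attempts
        if excess <= 0:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (excess - 1))


def login_delay(user_tracker, ip_tracker, username, client_ip, now=None):
    """The two dimensions are independent; the stricter one wins."""
    return max(user_tracker.delay_for(username.lower(), now),
               ip_tracker.delay_for(client_ip, now))


def handle_login_attempt(user_tracker, ip_tracker, username, client_ip,
                         password_ok, now=None):
    """Return (seconds_to_hold_response, accepted).

    The delay is computed from failures recorded *before* this attempt, so a
    correct password is still accepted, just slowly: throughput is denied to
    the guesser, access is not denied to the real user.
    """
    delay = login_delay(user_tracker, ip_tracker, username, client_ip, now)
    if password_ok:
        user_tracker.record_success(username.lower())
        return delay, True
    user_tracker.record_failure(username.lower(), now)
    ip_tracker.record_failure(client_ip, now)
    return delay, False


def meets_complexity(password, min_length=12):
    """Minimal complexity rule (assumed policy): length plus 3 of 4 classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    present = sum(bool(re.search(c, password)) for c in classes)
    return len(password) >= min_length and present >= 3


if __name__ == "__main__":
    users, ips = FailureTracker(), FailureTracker()
    t = 0.0
    # Constructed scenario: ten wrong guesses at "alice" from one address ...
    for i in range(10):
        print("guess", i, handle_login_attempt(users, ips, "alice", "203.0.113.5", False, t + i))
    # ... then the real user logs in from elsewhere: delayed, but not locked out.
    print("alice", handle_login_attempt(users, ips, "alice", "198.51.100.7", True, t + 10))
    print("alice again", handle_login_attempt(users, ips, "alice", "198.51.100.7", True, t + 11))
```

Run it directly to see the schedule: the first two failures cost nothing, the third costs 1 s, then 2, 4, 8 and so on up to the 30 s cap, and the legitimate user's correct password is accepted after one capped delay and resets the counter. Because the per-IP counter is separate, spraying many usernames from one address throttles that address on its own.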