Vulnerability Development mailing list archives

[fx () phenoelit de: Re: Making 'vncrack' useful once again?]


From: FX <fx () phenoelit de>
Date: Fri, 20 Sep 2002 11:28:04 +0200

Resend due to issue with security-focus.com ;-)

----- Forwarded message from FX <fx () phenoelit de> -----

Hi Kevin, Hi list,

kadokev () msg net <kadokev () msg net> wrote in 1.8K bytes: 
The current "too-many" mechanism in the VNC server is not an insurmountable
obstacle.  Currently, the code only tracks authentication failures within
a single TCP session.  If the brute-force program makes 5 tries, then
closes and  uses a new TCP session for the next set of 5, the delay
routines will never be triggered.

This simple change significantly improves the usefulness of vncrack against
servers with the current "brute-force resistance" algorithm.

if you look at line 210 of vncrack.c and line 332-334, you will notice that
indeed we close the connection every time we tried a password. So yes, this
idea was implemented right from the beginning and the VNC server tracks it by
IP address and not by connection.

For example, it is simple to route a "/24" (Class-C) subnet to a single
host, giving that machine 254+ possible source IP's that it can use when
binding the local end of an outgoing TCP session.  If the attack software
switches between source addresses whenever the remote server starts to
return a 'too-many' error, then instead of slowing down the attack because
I need to sleep() until the server is willing to talk to me again, I can
just use a different TCP session with a new source IP for the next 5
attempts, and so on.

This could work, but is (in my little opinion, whatever that's worth) of
limited use. The implementation is quite simple and you don't even have to
modify your network's router. Using the IP addresses and answering ARP
requests for it is enough. 
Now, taking into account what we are trying to do here (break into VNC), it
has some requirements besides the increased code complexity:
- You have to have a number of unused IP addresses in your local subnet
- You can not use it through a NAT device (reduces everything back to 1 addr)
- By the time your last IP address got blocked, the first one should be
  allowed again.

Now, my math is not very good, but from what I see, you have 253*5 attempts
free (= 1265) in an ideal /24 network, which looks good. 
But 5 or 6 attempts take about 0.5 sec. That means, after 126.5 seconds 
(or 2 minutes) your first blocked IP address should be allowed again. 
Change the server code (or the config if supported in the future) to block 
for 5 minutes, and all the effort was wasted. 

I'm not saying this is a bad idea and I certainly appreciate that you think
about it, but I still believe it's simpler to grab the relevant Registry part
and decrypt this password (worked for many VNC users with lost passwords). If
you (or someone else) feels like trying this idea, the relevant code for
impersonating multiple IP addresses can be ripped off the ARP0c code
(http://www.phenoelit.de/arpoc/) or similar tools.

peace,
FX

----- End forwarded message -----

-- 
         FX           <fx () phenoelit de>
      Phenoelit   (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
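Added example, not code from this thread and not vncrack's own code: a small Python model of the lockout the two messages describe (the server counts failures per source IP, not per TCP session, and refuses that IP for a while after 5 failures) together with a guesser that reconnects for every password and moves to the next source address in a pool as soon as the current one is blocked. The parameters (5 failures per block, roughly 0.1 s per attempt, 253 usable addresses, a 2-minute versus a 5-minute block) are taken from FX's arithmetic; the pool 10.0.0.0/24, the class and function names, and the simulated clock are constructed for the example.

```python
"""Model of a per-source-IP lockout versus a source-address-rotating guesser.
Added example; the lockout policy and timings are assumptions taken from the
thread, the 10.0.0.0/24 address pool is constructed."""


class PerIpLockout:
    """Server side: after max_failures from one source IP, refuse that IP for
    block_secs. Failures are keyed by IP, so closing the TCP session after
    every guess (as vncrack does) does not reset the counter."""

    def __init__(self, max_failures=5, block_secs=120.0):
        self.max_failures = max_failures
        self.block_secs = block_secs
        self.failures = {}       # ip -> failures counted so far
        self.blocked_until = {}  # ip -> simulated time at which the block ends

    def accepts(self, ip, now):
        return self.blocked_until.get(ip, 0.0) <= now

    def record_failure(self, ip, now):
        n = self.failures.get(ip, 0) + 1
        if n >= self.max_failures:
            self.failures[ip] = 0
            self.blocked_until[ip] = now + self.block_secs
        else:
            self.failures[ip] = n


def rotate_and_guess(server, n_addrs, total_guesses, secs_per_attempt=0.1):
    """Client side: make total_guesses wrong guesses, one TCP session each,
    staying on one source address until the server blocks it, then moving to
    the next one in the pool. When every address is blocked, sleep until the
    earliest block expires. Returns (elapsed_secs, idle_secs)."""
    pool = ["10.0.0.%d" % i for i in range(1, n_addrs + 1)]  # constructed
    now = idle = 0.0
    done = cur = 0
    while done < total_guesses:
        for _ in range(n_addrs):
            if server.accepts(pool[cur], now):
                break
            cur = (cur + 1) % n_addrs  # this address is blocked, try the next
        else:
            # whole pool blocked: the block window outlasts one pass over the
            # pool, so the attacker has no choice but to wait
            wake = min(server.blocked_until[a] for a in pool)
            idle += wake - now
            now = wake
            continue
        now += secs_per_attempt
        server.record_failure(pool[cur], now)
        done += 1
    return now, idle


def wait_free(n_addrs, max_failures, secs_per_attempt, block_secs):
    """FX's check: rotating only avoids sleeping if one pass over the pool
    (n_addrs * max_failures guesses) takes at least block_secs, so that the
    first address is free again by the time the last one gets blocked."""
    return n_addrs * max_failures * secs_per_attempt >= block_secs


if __name__ == "__main__":
    for block in (120.0, 300.0):
        srv = PerIpLockout(max_failures=5, block_secs=block)
        elapsed, idle = rotate_and_guess(srv, n_addrs=253, total_guesses=2530)
        print("block %3.0fs: 2530 guesses in %.1fs, idle %.1fs, wait-free=%s"
              % (block, elapsed, idle, wait_free(253, 5, 0.1, block)))
```

With a 120 s block the 253-address pool runs wait-free (2530 guesses in 253 s, no idle time); raising the block to 300 s leaves the pool fully blocked after the first 1265 guesses and the guesser idle for 174 s, which is the point FX makes: the defender only has to push block_secs above n_addrs * max_failures * secs_per_attempt.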

