Date: Sat, 24 Apr 1999 21:33:05 -0500 (EST)
From: Yasholomew Yashinski <yashy@yashy.com>
To: Yashy-Hack <yashy-hack@yashy.com>
Subject: [yh] brute force logins
Message-ID: <Pine.LNX.4.05.9904242049130.4943-100000@euphoria.yashy.com>

  Just something I thought should be added to login daemons (telnet,
ssh, etc.) is an option for numerous passwords (2 or 3), as well as an option
for a "previous password success phrase" (ppsp).
ie:
 Login: yashy
password: xxxxxxxxxx
password: xxxxxxxxxxxx

Welcome.
$
and then with ppsp:

Login: yashy
password: xxxxxxxxx good goat  (specify a pass phrase unique to your
network for success (or even user specified), and give a bogus phrase for
non-success)
password: xxxxxxxxxxxx great goat

Welcome. 
$

I think this would be a good idea, as an attacker would have to know how
many passphrases the system has, as well as the ppsp, to even have a CHANCE
at a brute force attack. As I hope I have explained, this would raise the
odds against a brute force attack by +^3, which is quite significant.

I also think that a configuration file for the number of passwords, as
well as whether there is a ppsp, and if so, what it is/they are, should exist,
so that each box/network is unique, unlike the 1 login, 1 password we have
now.

The reason I mention that this is fairly weak is my explorations of port
25 (SMTP), mainly the EXPN option. If a system has this enabled, you are
laughing. telnet (or netcat) to your fav port 25:

($:~): telnet [friends DNS] 25
Trying [friends IP]...
Connected to [friends DNS].
Escape character is '^]'.
220 [friends DNS] ESMTP Sendmail 8.8.7/8.8.7; Sat, 24 Apr 1999 22:07:59 -0400
EXPN etriaph
250 D.R.P. Charbonneau <etriaph@[friends DNS]>
EXPN yashy
550 yashy... User unknown
EXPN idcmp
250 JAmes Atwill <james@[different DNS, probably forwarded]>
EXPN root
250 root <root@[friends DNS]>
EXPN acerebral
250 <acerebral@[friends DNS]>


In this case these are friends on IRC; I connected to one of their boxes on
port 25. EXPN will tell me whether that username exists. I can now try to brute
force root, idcmp, acerebral and/or etriaph, which shouldn't take
long if they have telnet open and don't do anal logging like we all
should. I probably wouldn't go for root, as most default setups no longer
allow remote login as root.
 You should also try EXPN on your own SMTP server, just to
make sure it is shut off. Also make sure you have a really good logging
system. Myself, I use Sentry in a hacked ANAL mode ;)
 As for telnet, by now you should not be using telnet but ssh (Secure
SHell), as it is well known that passwords can be sniffed in promiscuous mode
(tcpdump, etc.).
 I should also suggest that you download "John the Ripper", which is a
brute force password cracker. Basically you run it on your /etc/shadow (if you
don't have this file, use /etc/passwd instead, but you SHOULD have it) and try
to crack all of your users' passwords. Within 4 minutes I had one of my users,
and ~24 hours later I had over 5 of them cracked! (I disabled all accounts
until adequate passwords were used.)

PortSentry - Real time port scan detection and response.
     http://www.psionic.com/abacus/portsentry/
SSH - Secure SHell
     http://www.ssh.fi/
( http://crypto.yashy.com has SecureCRT and freessh.exe (M$) and Linux
clients mirrored). 




..Yashy - logging is *fun* - Yashinski
'If Bill Gates had a dime for every time Windows crashed...
  ... Oh wait a minute, he already does...' - Anonymous

_______
Yashy-Hack                                   http://yashy.com/~monarc/
to unsubscribe:   echo unsubscribe | mail yashy-hack-request@yashy.com
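The multi-password login with a "previous password success phrase" that the post proposes, written out as a small Python login routine. This is an added example, not code from the post or from any login daemon: the user name, the passwords, the "good goat"/"great goat"/"bad goat" phrases and the PBKDF2 parameters are all constructed here. Each stage has its own salted hash and its own success phrase; the bogus phrase is printed after any stage whose password was wrong, and the server always asks for every configured stage so that the number of prompts does not change with a wrong answer.

```python
import hashlib
import hmac
import os

# Assumed work factor for the example; tune for the box it runs on.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of one stage password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(passwords, success_phrases, bogus_phrase):
    """Build the per-user record the post's config file would hold: one
    salt/hash/success-phrase triple per stage, plus the shared bogus phrase.
    (Constructed example store; not any daemon's real format.)"""
    if len(passwords) != len(success_phrases):
        raise ValueError("one success phrase per password")
    stages = []
    for password, phrase in zip(passwords, success_phrases):
        salt = os.urandom(16)
        stages.append({"salt": salt, "hash": hash_password(password, salt),
                       "success": phrase})
    return {"stages": stages, "bogus": bogus_phrase}


def login(user, attempts):
    """Run the multi-password dialogue for one login.

    Returns (ok, transcript): ok is True only when every configured stage was
    answered correctly; transcript is the phrase shown after each stage, in
    order, so a caller can print it exactly as the post's mock session does.
    """
    stages = user["stages"]
    transcript = []
    ok = len(attempts) == len(stages)
    # Always walk every stage: stopping at the first failure would tell the
    # person typing how many passwords are configured.
    for i, stage in enumerate(stages):
        supplied = attempts[i] if i < len(attempts) else ""
        good = hmac.compare_digest(stage["hash"],
                                   hash_password(supplied, stage["salt"]))
        transcript.append(stage["success"] if good else user["bogus"])
        ok = ok and good
    return ok, transcript


if __name__ == "__main__":
    # Constructed user matching the post's sketch (two passwords, ppsp on).
    yashy = make_user(["correct horse", "battery staple"],
                      ["good goat", "great goat"], "bad goat")
    for attempt in (["correct horse", "battery staple"],
                    ["correct horse", "wrong"]):
        ok, phrases = login(yashy, attempt)
        print("Login: yashy")
        for pw, phrase in zip(attempt, phrases):
            print(f"password: {'x' * len(pw)} {phrase}")
        print("Welcome." if ok else "Login incorrect.")
```

Note that the phrase printed after each stage is the feedback the post asks for, and it is shown to whoever is at the keyboard; if that per-stage feedback is not wanted, return only the final phrase and keep the transcript for the log.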

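The EXPN session from the post, turned into a script that enumerates a list of names over one SMTP connection and classifies each reply code, plus the self-check the post recommends (a server with EXPN shut off). This is an added example, not the post's own session or Sendmail's code: it talks to a tiny in-process mock server so it runs offline, and the mock's user directory, the example.test addresses, the mock hostname and the wording of its 502 reply are all constructed. The client goes a little beyond the post's single-line replies and also handles the multi-line "250-" continuation form that alias expansions produce.

```python
import socket
import socketserver
import threading

# Constructed directory for the mock server, echoing the 250 lines in the post
# (names from the post; the domain is an assumption).
MOCK_USERS = {
    "etriaph": "D.R.P. Charbonneau <etriaph@example.test>",
    "root": "root <root@example.test>",
    "staff": ["etriaph@example.test", "root@example.test"],  # alias, multi-line
}


class MockSMTP(socketserver.StreamRequestHandler):
    """Sendmail-ish responder: 250 for a known user/alias, 550 for unknown,
    502 when EXPN is disabled (reply texts are assumed, not Sendmail's)."""
    expn_enabled = True

    def handle(self):
        self.wfile.write(b"220 mock.test ESMTP\r\n")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            if verb != "EXPN":
                lines = ["250 OK"]
            elif not self.expn_enabled:
                lines = ["502 Sorry, we do not allow this operation"]
            elif arg not in MOCK_USERS:
                lines = [f"550 {arg}... User unknown"]
            else:
                entries = MOCK_USERS[arg]
                entries = entries if isinstance(entries, list) else [entries]
                # RFC 5321 multi-line form: "250-" on all but the last line.
                lines = [("250-" if i < len(entries) - 1 else "250 ") + e
                         for i, e in enumerate(entries)]
            self.wfile.write(("\r\n".join(lines) + "\r\n").encode())


def start_mock_server(expn_enabled=True):
    """Start the mock on an ephemeral localhost port; returns (server, port)."""
    handler = type("Handler", (MockSMTP,), {"expn_enabled": expn_enabled})
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def read_reply(rd):
    """Read one SMTP reply, following '250-' continuation lines.
    Returns (code, [text of each line without the code])."""
    texts = []
    while True:
        raw = rd.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode(errors="replace").rstrip("\r\n")
        texts.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return line[:3], texts


def smtp_expn(host, port, names, timeout=5.0):
    """EXPN each name over one session. Returns {name: (status, text)} with
    status in {'exists', 'unknown', 'disabled', 'other'}."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        rd = s.makefile("rb")
        code, banner = read_reply(rd)
        if code != "220":
            raise RuntimeError(f"unexpected banner: {code} {banner}")
        for name in names:
            s.sendall(f"EXPN {name}\r\n".encode())
            code, texts = read_reply(rd)
            status = {"250": "exists", "550": "unknown",
                      "502": "disabled"}.get(code, "other")
            results[name] = (status, "\n".join(texts))
        s.sendall(b"QUIT\r\n")
    return results


if __name__ == "__main__":
    for enabled in (True, False):
        srv, port = start_mock_server(enabled)
        print("EXPN enabled" if enabled else "EXPN disabled")
        for name, (status, text) in smtp_expn(
                "127.0.0.1", port, ["etriaph", "yashy", "root", "staff"]).items():
            print(f"  {name:8} {status:9} {text}")
        srv.shutdown()
        srv.server_close()
```

Pointed at your own mail server instead of the mock, every name coming back "disabled" (502) is the result you want; any "exists" means the server is confirming account names to anyone who asks.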
