December 4, 2005
Hi all,
I am looking for a brute-force password cracker that
can be configured based on password policies. For
example, I am trying to audit a system that I know the
security policy on (min/max pw length, complexity
rules, etc.). What I want is to only brute-force
passwords that fit that policy. Obviously, min and
max is not the issue, but I cannot seem to find
anything that will only test passwords that meet
complexity requirements (lowercase alpha, uppercase
alpha, number). Something that generates this into a
rainbow table would be even better…
Anyone aware of such a tool?
Thanks in advance,
Chris
- hydra from THC…
It even provides a tool called pw-inspector to modify your wordlists.
In the TODO there is an entry that bf was added in the 5.x release (not
confirmed by me).
There are bugs in Hydra, but it’s working.
Kind regards
- John the Ripper might have all you want, if you have a closer look at
the rules in john.conf and use brute-force mode only.
Be warned – fiddling around with John’s ruleset might lead to anything
from sleepless nights to insanity.
cheers,
tom
- Dear Chris Costantino,
The answer is (among others): John the Ripper.
Get used to writing rules for it, though.
- Hi Chris,
You can give Lepton’s Crack a try, depending on the algorithm you need
you’ll need either the main branch from http://usuarios.lycos.es/reinob/
or Piero Brunati’s version from http://www.nestonline.com/lcrack/. Both
versions support defining min/max pw length and charset, and they also
have a very powerful REGEX mode.
Lepton’s Crack currently neither generates nor supports rainbow tables,
but it comes with a small utility to produce precomputed “tables” that
are a slightly similar concept…
Cheers,
Miguel
- Rainbowcrack supports customized charsets, so you can easily create
your own character set and place it in the charset.txt file.
custom = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
(It’s useful to note that if you’re cracking LANMAN hashes, the
charset only needs to include uppercase alpha and not lowercase due to
how LM hashes are stored…)
Cain (http://www.oxid.it) can be configured to use a customized
character set for brute-force attacks and might even be a little bit
easier to use than John the Ripper…
- Depending upon the specific policies, you may not save a significant amount
of time by limiting the brute-force attack. For instance, consider a policy
that required at least one upper, one lower and one number in all passwords.
Let’s first assume that the possible character set for passwords is
upper/lower/number. For four character passwords, 19% of the possible
password checks can be eliminated due to the policy. For five character
passwords, only 9% would be eliminated and the percentage would continue to
drop as the length increases. If the possible character set included
upper/lower/number/special characters, the policy would only eliminate 3% of
the possible 4 character passwords and 1% of the possible 5 character
passwords. Since the vast majority of the time for a brute-force attack is
spent on the largest length checked and since the number of tests that can
be eliminated due to the policy declines with length, I suspect that
limiting the brute-force attack due to policy might only be worthwhile for
some highly specific policies.
Also, most brute-force attacks are very fast. One would need to test the
speed of eliminating a password vs. the speed of testing a password. If you
needed code to determine whether a password passed the policy, the overhead
of this code on all passwords might eliminate any savings vs. just testing
all of the passwords. This would have to be benchmarked on a case-by-case
and policy-by-policy basis. Obviously, if the password testing is against a
remote server/resource and the testing is slow, then the savings of not
testing even a small number of passwords would more than make up for the
overhead in the code. However, brute-force attacks against remote and slow
servers are not very practical to begin with.
Bob Weiss
Password Crackers, Inc.
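One way to put the keyspace argument in the reply above on a quantitative footing is an inclusion-exclusion count over the classes a candidate fails to contain. The following is an added example, not code from this list or from any of the tools named in it; the exact character classes and the policy it evaluates are assumptions, and the enumeration function is only a slow cross-check for short lengths.

```python
from fractions import Fraction
from itertools import combinations, product
from string import ascii_lowercase, ascii_uppercase, digits, punctuation

# Assumed character classes; the thread names the kinds of class but not the
# exact characters, so these are this example's choices.
CLASSES = {
    "lower": ascii_lowercase,   # 26 characters
    "upper": ascii_uppercase,   # 26 characters
    "digit": digits,            # 10 characters
    "special": punctuation,     # 32 characters
}


def count_compliant(length, charset_classes, required_classes):
    """Count strings of exactly `length` characters, drawn from the union of
    `charset_classes`, that contain at least one character from every class
    in `required_classes`. Inclusion-exclusion over the subset of required
    classes that a string fails to contain."""
    sizes = {name: len(CLASSES[name]) for name in charset_classes}
    alphabet = sum(sizes.values())
    required = list(required_classes)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            # Strings built only from characters outside every class in `missing`.
            reduced = alphabet - sum(sizes[name] for name in missing)
            total += (-1) ** k * reduced ** length
    return total


def fraction_excluded(length, charset_classes, required_classes):
    """Share of the length-`length` keyspace that the policy rules out."""
    alphabet = sum(len(CLASSES[name]) for name in charset_classes)
    compliant = count_compliant(length, charset_classes, required_classes)
    return 1 - Fraction(compliant, alphabet ** length)


def cumulative_fraction_excluded(max_length, charset_classes, required_classes):
    """Same share over every length 1..max_length, the range an exhaustive
    brute-force run actually walks; the longest length dominates the total."""
    alphabet = sum(len(CLASSES[name]) for name in charset_classes)
    keyspace = sum(alphabet ** n for n in range(1, max_length + 1))
    compliant = sum(count_compliant(n, charset_classes, required_classes)
                    for n in range(1, max_length + 1))
    return 1 - Fraction(compliant, keyspace)


def count_compliant_by_enumeration(length, charset_classes, required_classes):
    """Slow cross-check: enumerate every string and test the policy directly.
    Only feasible for short lengths."""
    alphabet = "".join(CLASSES[name] for name in charset_classes)
    required = {name: set(CLASSES[name]) for name in required_classes}
    hits = 0
    for chars in product(alphabet, repeat=length):
        present = set(chars)
        if all(present & members for members in required.values()):
            hits += 1
    return hits


if __name__ == "__main__":
    policy = ("lower", "upper", "digit")
    for charset in (("lower", "upper", "digit"),
                    ("lower", "upper", "digit", "special")):
        for n in (4, 5, 6, 8):
            share = fraction_excluded(n, charset, policy)
            print(f"charset={'+'.join(charset):26s} len={n}: "
                  f"policy excludes {float(share):.1%} of the keyspace")
```

The returned values are exact rationals, so the per-length and cumulative shares can be compared without floating-point noise; the enumeration cross-check confirms the closed form on a length where brute enumeration is still cheap.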
Posted in Q & A
No Comments »
December 4, 2005
Hi all,
I am looking for a tool that can ping a MAC address.
The only tool that I found is arping from
http://freshmeat.net/projects/arping/
The only problem is that it can’t ping Windows machines and works only for
machines which answer broadcast pings.
Is there anything like that, or am I searching for something that doesn’t
exist?
Thanks in advance for all the help
- Dear Roni Bachar,
The answer is (among others): Cain (http://www.oxid.it)
It does all possible broadcast options.
- Hi,
you can try to use netdiscover :
http://nixgeneration.com/~jaime/netdiscover/
It works well.
cheers
- arpscan
- If you have a Cisco.com login you can download their free IP Setup Utility (IPSU) that allows you to enter a MAC address and it essentially pings that MAC and returns an IP address. If this is on a LAN I would also recommend using your DHCP server and finding its IP by looking for the MAC in your client lease list.
John Tavares
Posted in Q & A
December 4, 2005
Zen-Cart <= 1.2.6d blind SQL injection / remote commands execution
http://www.exploitx.com/forum/azbb.php?1133649937
PHP-Fusion v6.00.109 SQL Injection and Info. Disclosure
http://www.exploitx.com/forum/azbb.php?1133650018
DMA[2005-1202a] – ‘sobexsrv – Scripting/Secure OBEX Server format string vulnerability’
http://www.exploitx.com/forum/azbb.php?1133650100
[Updated] [FLSA-2005:166943] Updated php packages fix security issues
http://www.exploitx.com/forum/azbb.php?1133650166
eXtreme Styles mod <= 2.2.1 Multiple Vulnerabilities
http://www.exploitx.com/forum/azbb.php?1133650298
MDKSA-2005:223 – Updated webmin package fixes format string vulnerability
http://www.exploitx.com/forum/azbb.php?1133650370
[OpenPKG-SA-2005.027] OpenPKG Security Advisory (php)
http://www.exploitx.com/forum/azbb.php?1133650418
MDKSA-2005:222 – Updated mailman packages fix various vulnerabilities
http://www.exploitx.com/forum/azbb.php?1133650461
[OpenPKG-SA-2005.026] OpenPKG Security Advisory (lynx)
http://www.exploitx.com/forum/azbb.php?1133650529
Posted in Exploits and Bugs
December 3, 2005
This bug has already been corrected, which is why it is being published.
In this manual you will see step by step how to exploit the Gmail
vulnerability that gave access to any account, reported by Anelkaos,
collaborator of elhacker.net’s forum, and patched by Google on
October 18. Due to the bug’s gravity (it allowed logging in to any Gmail
account in a few simple steps), it was decided not to publish this
document while the bug was still active. The motives are more than obvious,
because ALL Gmail accounts were vulnerable to the bug.
Google hasn’t made a definitive statement on this topic, and they seem to
have no intention of publishing the bug. The veracity of the failure was
demonstrated to the editors of the magazine “Seguridad0”, logging into
an account created for that purpose, just as described in
http://www.elistas.net/lista/informativos/archivo/indice/61/msg/79/.
They also “dared” to publish this news in CyruxNET and PCWorld.
The bug was discovered on October 14 and patched on October 18
because ANELKAOS decided to contact Gmail instead of publishing the bug
on a security list, and lamentably we couldn’t do more demos at the other
sites we sent the news to, and because we’re not HBX Networks, everyone
demanded a “hacking test”. Thank heaven, we have saved
all the mails in which Google recognizes the failure.
Unlike the one reported by HBX and published by BetaNews last year, this bug
doesn’t require cookie theft, and because of that the bug’s danger
was considerably higher.
*PROCEDURE*
This is the way Sirdarckcat (EHN user) developed the exploit; although
the original method is easier, the concept is the same.
Because this demonstration was carried out against another person’s
account, all data that could bring legal consequences has been
hidden. The AUTH variable carries the encrypted address of the mailbox’s
owner, and although we don’t know how to decrypt it, we have
preferred to hide its value, in case “someone else” could
First of all, we need two sessions. For that we’ve chosen to use
Internet Explorer and Mozilla. We start the session normally… for
example, in Mozilla.
If we pay attention, we notice that the login screen is now different.
It doesn’t just ask if you’ve forgotten your password; it now also asks
for the user. Too much of a coincidence, isn’t it? That the authentication
changed so soon, coinciding with the publication of the bug’s existence,
is too much of a coincidence, isn’t it? We’re talking about 10 days ago
Well, let’s continue. Now we need some data we’ll modify. For that we
will also start an Internet Explorer session, but we stop the browser
as soon as it says “Loading…”.
We simply look at the source code and save the value of the “ver”
variable, which we will need later.
Then we allow the page to continue loading, and we look at the address of
the inbox, which we can see by right-clicking and then choosing Properties.
We will need the “zx” variable, and we save it.
Now we go to ‘mail/?username=victim&zx=[zx Variable]’
And we stop the loading of the page just when it stops Loading,
getting inside:
We stop the browser again, and we look at the source code.
Here we have the AUTH code that we need to start a session as our
victim, but our cookie disagrees (it is not the same).
We take a look inside the cookie, and we change the value of “ID” to
the one we got in the “ver” variable earlier; what this surprisingly
does is return a valid value! It doesn’t contain related information,
so why does that happen? Who knows…
Gmail confirms that it’s correctly encrypted and passes all the
rules. Nevertheless, even though the content is not related, it doesn’t
return an error.
Once the cookie is modified, in the Explorer session we enter the
following page:
http://mail.google.com/mail?gxlu=victim&zx=[zx Variable]
At this moment we haven’t yet started the session; we’ve just
associated ourselves with the victim’s account.
So we go to: www.google.com/accounts/ServiceLoginAuth
And it sends you to:
mail.google.com/mail/?auth=[CODIGO auth]
At this point all we have to do is modify the values of the cookie
that will expire… At least we give it 1 minute of life.
We enter mail.google.com/mail/?&&rm=false&null=Entrar&continue
We stop the loading because if we don’t, Google is going to close our
session, so we write:
javascript:document.cookie+=";expires=Thu,%2001%20Jan%202070%2000:00:00%20GMT";
Once the cookie’s life is extended, we enter
http://mail.google.com/mail/?auth=[AUTH Code]
And we start the session as the victim.
Complete access, of course.
*GOODBYE AND CLOSE.*
OK, it’s a beta version, and they don’t have to report anything. But if
they had recognized it and published a thank-you note, this
information wouldn’t have been published. We have 3 ways to get to the
same result, the other 2 being quite a bit easier, and because of that
we can easily deduce that it’s a multibug and a design error. With all
these clues, it won’t take them long to discover new methods.
Source
http://www.indian-hackers.net
Related hyperlinks
http://www.elistas.net/lista/informativos/archivo/indice/61/msg/79/
Posted in Email Systems
2 Comments »
December 1, 2005
Title: Google Talk Beta Messenger cleartext credentials in process memory
Affected versions: 1.0.0.64 (this version is believed to be the first one released to the public)
Vendor contacted: 25/08/05
Patched version released: 29/08/05
Advisory released: 28/11/05
Author: pagvac (Adrian Pastor)
Homepage: www.ikwt.com – In Knowledge We Trust
Advisory URL: www.adrianpv.com/projects/google-talk-cleartext-credentials-in-process-memory.txt
Description
Google Talk stores all user credentials (username and password) in clear text in the process memory. This vulnerability was found on August 25, 2005 (two days after the release of Google Talk) and has already been patched by Google.
This issue would occur regardless of whether the “Save Password” feature was enabled or not.
It was noticed that the Google Talk client was loading all the credentials unencrypted into the memory of the process “googletalk.exe”. It was possible to recover the password by dumping the process memory to a file with PMDump, which could then be examined with a hex editor.
The vulnerability would allow anyone with access to the client system to obtain the username and password of the current user. This vulnerability could also be exploited by fooling the user into executing malicious code which would dump the memory of the process “googletalk.exe”, parse out the credentials and finally send them to the attacker.
It is also worth mentioning that sometimes no direct user interaction is required for the execution of malicious code. Crackers often exploit vulnerabilities in web browsers and email clients that allow them to execute malicious code on the victim’s machine without requiring the victim to manually execute the trojaned executable. This means that, given the right scenario, this vulnerability could have been exploited in such a way.
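As an added example, not from the advisory or its author, here is a minimal version of the check the advisory describes: scanning a process-memory dump for a known credential in both the narrow (ASCII) and wide (UTF-16LE) string forms a Windows client typically uses, with a hex-dump view of each hit, plus the corresponding mitigation of overwriting the secret in place once it is no longer needed. The dump bytes are constructed for this example; a real one would come from a tool such as PMDump.

```python
# Assumed: a raw process-memory dump (e.g. as written by PMDump) loaded into a
# bytes or bytearray object. SAMPLE_DUMP below is constructed for this example.

def credential_encodings(secret: str) -> dict:
    """Byte forms a Windows client is likely to hold a string in:
    a narrow ASCII/ANSI string and a wide UTF-16LE string."""
    return {
        "ascii": secret.encode("ascii"),
        "utf-16le": secret.encode("utf-16-le"),
    }


def find_secret(dump, secret: str) -> list:
    """Every (encoding, offset) at which `secret` occurs in `dump`."""
    hits = []
    for name, needle in credential_encodings(secret).items():
        start = 0
        while True:
            idx = dump.find(needle, start)
            if idx == -1:
                break
            hits.append((name, idx))
            start = idx + 1
    return hits


def hexdump_line(dump, offset: int, width: int = 16) -> str:
    """One hex-editor style line starting at `offset`."""
    chunk = bytes(dump[offset:offset + width])
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{offset:08x}  {hexpart:<{width * 3}} {text}"


def scrub(buf: bytearray, secret: str) -> int:
    """Mitigation side: overwrite every copy of `secret` in `buf` with zeros
    (what a client should do with a password buffer after use).
    Returns the number of copies overwritten."""
    hits = find_secret(buf, secret)
    needles = credential_encodings(secret)
    for name, offset in hits:
        length = len(needles[name])
        buf[offset:offset + length] = b"\x00" * length
    return len(hits)


# Constructed dump: padding, a fake header, a narrow username string, a wide
# copy of the password and a narrow copy of the password.
SAMPLE_DUMP = bytes(
    b"\x00" * 32
    + b"MZ\x90\x00" + b"\x00" * 12
    + b"login: alice@example.invalid\x00"
    + b"\x00" * 8
    + "Passw0rd!".encode("utf-16-le")
    + b"\x00" * 16
    + b"Passw0rd!"
    + b"\x00" * 32
)


if __name__ == "__main__":
    for secret in ("alice@example.invalid", "Passw0rd!"):
        for encoding, offset in find_secret(SAMPLE_DUMP, secret):
            print(f"{secret!r} found as {encoding} at 0x{offset:x}")
            print("   ", hexdump_line(SAMPLE_DUMP, offset))
    buf = bytearray(SAMPLE_DUMP)
    print("copies scrubbed:", scrub(buf, "Passw0rd!"))
    print("remaining hits:", find_secret(buf, "Passw0rd!"))
```

Searching both encodings matters because a wide string will not match a narrow search pattern; the scrub step only demonstrates the principle on a byte buffer, and in a real client the overwrite has to happen in every location the credential was copied to.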
References
PMDump – http://ntsecurity.nu/toolbox/pmdump/
Free Hex Editor – http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm
Google Talk – http://www.google.com/talk/
Posted in Exploits and Bugs
December 1, 2005
Hello Lists,
I am using a Cisco PIX 525. I have got a problem with the PIX 525 firewall:
the interfaces (inside, outside)
continuously go “up-down” when I use it with large traffic (about 10 Mb), but it
works fine when traffic is less than 10 Mb. Does anyone have any idea?
Any suggestions are most welcome!!!
Regards,
NAVTEJ KOHLI
* I’ve seen this before…
Make sure all your interfaces are set to the right speed and duplex, 100 full duplex, including switches and routers.
Also check the buffers on the PIX; you may have to increase them a little.
* I would go out and get MRTG (google it). You can use it to monitor
the RAM, CPU and traffic passed on the interface. Then you can see what
kind of correlation there is between the three. You may also want to upgrade to
the latest IOS (assuming you are not on it already).
* If you can afford it, get the Solarwinds Suite, www.solarwinds.net.
There’s a utility within called Network Performance Monitor which would
help you with your traffic assessment.
If I am not wrong you can download an evaluation from their site.
Posted in Q & A