Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: RE: RE: looking for a webapp bruteforce video for non-techies

RE: RE: looking for a webapp bruteforce video for non-techies

From: <admin_at_systemstates.net>
Date: Tue, 03 Jun 2008 09:38:50 -0700

> -------- Original Message --------
> Subject: RE: looking for a webapp bruteforce video for
> non-techies
> From: "Martin O'Neal" <martin.oneal_at_corsaire.com>
> Date: Tue, June 03, 2008 5:01 pm
> To: "Robin Wood" <dninja_at_gmail.com>, <webappsec_at_securityfocus.com>,
> "pen-test" <pen-test_at_securityfocus.com>
>
> > It didn't help that the password was only 5
> > characters!
>
> That may not actually be such a bad password (on balance and in
> context). Sure it is a dictionary/leet word variant, but five
> characters actually carry plenty of entropy (if mixed case and numerics
> are also used). However, if you have an authentication mechanism that
> doesn't lock out an account and *allows* brute forcing, it doesn't
> really matter how strong the password is; given enough
> universe-lifetimes an attacker will always guess it eventually.

I saw one setup where I could recover three quarters (about four thousand) of one set of passwords on a Celeron 2GHz in under an hour. Another set of passwords were forced to 4-digits (insane, I know), and due to the number of users, each would share his/her password with about 4 other people.

The point is here, you wouldn't necessarily break any per-user lockout limits, because you could take thirty minutes looping over the entire userbase with the same password, then start again and still get a good number of cracks.

So, definitely depends on the size of your userbase and whether they can be effectively enumerated. Even so, I wouldn't regard any dictionary word with one character tweaked as secure these days.

cheers, 

-- 
www.systemstates.net - penetration test / IDS / incident response
-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! 
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
Received on Jun 03 2008
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]