
| Subject: | Re: Detecting Brute-Force and Dictionary attacks |
|---|---|
| Date: | Fri, 10 Nov 2006 15:41:56 -0800 |
On Thursday 09 November 2006 10:45, fabio wrote:

> The idea is simple and good, but there's a problem in its implementation: usually modern systems don't compare the password you write with the saved password; instead, they compare a hash of your password attempt with the saved hash of your current password. By design, two similar strings have strongly different hashes. So you can't compare two hashes and say if they correspond to two similar words.
>
> Greets,
> Fabio
>
> Sebastiaan Veenstra wrote:
>
> > Hi,
> >
> > I didn't read the whole discussion about this issue, but I came up with an idea which might be useful to detect brute force attempts. By storing the passwords a certain user has used in the past along with the current password, you could be able to compare the password (by pattern matching) used at the login attempts with the password list. If the password used differs significantly (this excludes typos) from the entries in the password list, there could be a possible brute force attempt. The reason for storing the previous passwords is that people tend to use every password they've used in the past when they forget their password. Maybe this idea can be used along with the other methods of detecting brute force attempts. Anyway, it's just a random thought.
> >
> > Greets,
> > Sebastiaan
Most diplomatic of Fabio. Here's an example, using md5 hashing. Results will be similar if any sort of valid crypto hash function is used.

```
# echo 12345678 | md5sum
23cdc18507b52418db7740cbb5543e54
# echo 12345679 | md5sum
0f4fd7804fbbcf67df5dc8ef8dc946fb
```

The difficulty still lies in whether you choose to use modified binaries to record the submitted password (and there are huge downsides to doing this in anything other than a lab environment) or take the decision that x number of failed logins constitutes an attack. That's generally a wise move, depending upon your weighting scheme (time, IP number, etc.) and threat model.

Even if you take the risky step of recording submitted passwords, you still have to write analysis software (and that's not nearly as simple as it sounds), and decide what to do with the results. There Are Issues.

Personally, I'm against the whole idea of authenticating via passwords, at least as corporate password policies are currently and commonly implemented. But that's all about dealing with a threat model that may have nothing to do with your situation.

Nothing said here constitutes good advice. Everything depends upon context. How you protect the Big Red Button will be far different than how you protect generic httpd logs.

Regards,
--
Greg Metcalfe
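The "x failed logins constitutes an attack" approach Greg describes, weighted by time and by source IP (or by target user), as an added example that is not part of the thread: a sliding-window counter over sshd-style auth log lines. The log lines, the threshold of 4 failures in 60 seconds, and the `sshd` message format matched by the regex are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sshd-style syslog lines (sample input, not from the thread).
SAMPLE_LOG = """\
Nov 10 15:40:01 host sshd[2001]: Failed password for alice from 203.0.113.7 port 50001 ssh2
Nov 10 15:40:03 host sshd[2002]: Failed password for alice from 203.0.113.7 port 50002 ssh2
Nov 10 15:40:05 host sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 50003 ssh2
Nov 10 15:40:06 host sshd[2004]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Nov 10 15:40:08 host sshd[2005]: Failed password for root from 203.0.113.7 port 50004 ssh2
Nov 10 15:40:09 host sshd[2006]: Accepted password for bob from 198.51.100.9 port 40002 ssh2
Nov 10 15:40:10 host sshd[2007]: Failed password for alice from 203.0.113.7 port 50005 ssh2
Nov 10 15:52:00 host sshd[2008]: Failed password for bob from 198.51.100.9 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3})"
)

def parse(line, year=2006):
    """Parse one auth log line; syslog omits the year, so it is supplied here."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec

def detect(log_text, key="ip", threshold=4, window_seconds=60):
    """Return {key_value: time the threshold was first crossed} for keys (source IP or user)
    with at least `threshold` failed logins inside a sliding window of `window_seconds`."""
    recent = defaultdict(deque)  # key value -> failure timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["result"] != "Failed":
            continue  # unparseable lines and successful logins do not count
        q = recent[rec[key]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold and rec[key] not in alerts:
            alerts[rec[key]] = rec["ts"]
    return alerts

if __name__ == "__main__":
    for k, when in detect(SAMPLE_LOG).items():
        print(f"brute-force suspected from {k} at {when:%H:%M:%S}")
```

Keying on `user` instead of `ip` catches a distributed attempt against one account, which a per-source count misses; bob's two failures twelve minutes apart fall outside the window and are not flagged under either key.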