Monday, February 18, 2008

Web-Based Password Cracking

This is for educational purposes only.

Password cracking doesn’t have to involve sophisticated tools; many times password guessing works well. It can be a tedious process, although human intuition can beat automated tools.

The basic types of password attacks include:

(1) Dictionary attacks – A text file full of dictionary words is loaded into a password program and then run against user accounts located by the application. If simple passwords have been used, this might be enough to crack the code.
(2) Hybrid attacks – Similar to a dictionary attack, except that hybrid attacks add numbers or symbols to the dictionary words. Many people change their passwords by simply adding a number to the end of their current password. The pattern usually takes this form: first month’s password is Mike; second month’s password is Mike2; third month’s password is Mike3; and so on.
(3) Brute force attacks – The most comprehensive form of attack and potentially the most time-consuming. Brute force attacks can take weeks, depending on the length and complexity of the password.

Some of these password cracking tools are:

(1) WebCracker – A simple tool that takes text lists of usernames and passwords and uses them as dictionaries to implement basic authentication password guessing.
(2) Brutus – Brutus can perform dictionary or brute force attacks against Telnet, FTP, SMTP, and web servers.
(3) ObiWan – Another web password cracking tool.

With logging enabled, you should be able to detect such tools. Following are a few entries from the Winnt\system32\Logfiles\W3SVC1 folder. They should look familiar:

    sa HEAD /test/basic - 401 Mozilla/4.0+ (Compatible);Brutus/AET
    administration HEAD /test/basic - 401 Mozilla/4.0+ (Compatible);Brutus/AET
    admin HEAD /test/basic - 401 Mozilla/4.0+ (Compatible);Brutus/AET
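The detection described above can be automated. The following is an added example, not part of the original post: it reads an IIS W3C log, takes column names from the #Fields line, and flags any client that either sends a known tool user-agent on 401 responses or fails authentication under several different usernames, which still catches a tool whose user-agent has been changed. The sample log, the client addresses (documentation ranges) and the threshold of three usernames are constructed assumptions.

```python
from collections import defaultdict
# Constructed sample in IIS W3C extended format (not taken from a real server).
SAMPLE_LOG = """\
#Fields: c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
192.0.2.10 sa HEAD /test/basic - 401 Mozilla/4.0+(Compatible);Brutus/AET
192.0.2.10 administration HEAD /test/basic - 401 Mozilla/4.0+(Compatible);Brutus/AET
192.0.2.10 admin HEAD /test/basic - 401 Mozilla/4.0+(Compatible);Brutus/AET
198.51.100.7 alice GET /test/basic - 401 Mozilla/4.0+(compatible;+MSIE+6.0)
198.51.100.7 alice GET /test/basic - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
203.0.113.5 root HEAD /test/basic - 401 Mozilla/4.0+(compatible;+MSIE+6.0)
203.0.113.5 guest HEAD /test/basic - 401 Mozilla/4.0+(compatible;+MSIE+6.0)
203.0.113.5 test HEAD /test/basic - 401 Mozilla/4.0+(compatible;+MSIE+6.0)
"""
TOOL_MARKERS = ("brutus/aet",)  # user-agent substring from the entries above
MIN_USERNAMES = 3               # assumed threshold; tune it for your site

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_guessing(text):
    """Return {(client, uri): reasons} for sources that look like password guessing."""
    users, tool_hits = defaultdict(set), set()
    for row in parse_w3c(text):
        if row.get("sc-status") != "401":
            continue  # only failed authentications are of interest
        key = (row.get("c-ip", "?"), row.get("cs-uri-stem", "?"))
        if row.get("cs-username", "-") != "-":
            users[key].add(row["cs-username"].lower())
        if any(m in row.get("cs(User-Agent)", "").lower() for m in TOOL_MARKERS):
            tool_hits.add(key)
    findings = {}
    for key in set(users) | tool_hits:
        reasons = ["tool user-agent"] if key in tool_hits else []
        if len(users[key]) >= MIN_USERNAMES:
            reasons.append("%d usernames failed" % len(users[key]))
        if reasons:
            findings[key] = reasons
    return findings

if __name__ == "__main__":
    print(find_guessing(SAMPLE_LOG))
```

The single mistyped password from 198.51.100.7 is not reported, while 203.0.113.5 is reported even though it presents a browser user-agent.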

Finding log information that leads directly to an attacker is not always so easy. Sometimes attackers will practice URL obfuscation. This allows the attacker to attempt to hide his IP address. Attackers will also attempt to use cookies to further their hold on a system.

Note: You can search Google for password cracking tools.