lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 10 Jul 2013 16:23:06 -0400
From: Jason Hellenthal <jhellenthal@...aix.net>
To: Curesec Research Team <crt@...esec.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: OpenSSH User Enumeration Time-Based Attack

Oh your one of the group that's been pounding ports over the last couple months from a block of /28's and /30's ?

Sure do appreciate the kind regard and heads up.

Funny how about a week to two weeks after that ends your report shows up here.

Good going... This is old knowledge and research is still considered unauthorized access to systems not in your control no matter what you call it.


-- 
 Jason Hellenthal
 JJH48-ARIN


On Jul 10, 2013, at 9:38, Curesec Research Team <crt@...esec.com> wrote:

> Hi List,
> 
> today, we will show a bug concerning OpenSSH. OpenSSH is the most used
> remote control software nowadays on *nix like operating systems. Legacy
> claims it replaced unencrypted daemons like rcp, rsh and telnet. Find a
> version at: https://www.openssh.com.
> 
> By testing several OpenSSH installations we figured there is a delay of
> time when it comes to cracking users (not) existing on a system. A
> normal Brute-force-Attack tests for the correct user and password
> combination, usually without knowledge if the user on the system exists.
> 
> For instance, the attacker is interested in the all-mighty “root” aka
> “toor” account. He might go for password combinations like:
> 
> root:root
> root:toor
> root:password
> root:system
> 
> and so on. Permanent attacks against the service normally running on
> Port 22/tcp implicate that Ssh-Brute-force-Attacks are still profitable.
> If you are an Auditor and want to check for interesting accounts it
> might be worthy to know which ones are available on the system to run a
> more focused attack.
> 
> To assist you in this issue, there is a little trick to find out a User
> name before trying to cracking it. To do this the length of the password
> needs to be increased massively. In our case we go with 39.000
> characters(A’s). Trying those passwords at an existing and a
> non-existing account shows a quite high delay.
> 
> 
> Find the rest of the post + some example code at the blogpost.
> 
> http://cureblog.de/openssh-user-enumeration-time-based-attack/
> 
> Cheers,
> Curesec Research Team
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Content of type "text/html" skipped

Download attachment "smime.p7s" of type "application/pkcs7-signature" (2529 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ