Solved

Password Hacking question

Posted on 2004-03-25
13
4,595 Views
Last Modified: 2010-04-11
Hello,

Early this morning, someone(s) gained unauthorized entry into our web application using valid login information.

We're trying to determine how they got the login information.

Are there any applications which hackers can use which will make repeated login attempts to an application's login page?
0
Comment
Question by:skbohler
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 4
  • +1
13 Comments
 
LVL 6

Assisted Solution

by:bloemkool1980
bloemkool1980 earned 50 total points
ID: 10678198
there are plenty of tools like that. But why would you need to know what tool ?
It is also very easy to write a script in perl that does it for you.
If I understand they did a password guessing attack and if this is true it means that you have very weak passwords and very easy to guess usernames.
I do not know any of those names for these kind of tools but http://packetstormsecurity.org has plenty.

0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 75 total points
ID: 10678205
Yes, plenty. I'd scan yourself with a few of the favorites, and see if you can see how they got in.
GFI languard - 30day trial
http://www.gfi.com/lannetscan/
Nessus - Free
http://www.nessus.org/  (nessus has a BF capibility)

Run MSBSA http://www.microsoft.com/technet/security/tools/mbsahome.mspx on the box and see what it recommends

Use those two to determine if you are vulnerable to some of the common and easily exploited flaws in IIS or SQL. Hacker's (actually crackers) can get in numerous ways.
1) they crack into a legitimate user of your system, and get their creditials off their pc
2) they exploit iis or sql and get in via 2000+ different ways
3) they "brute-force" usernames or passwords until they get a legit one
4) disgruntled former employee- or an insider in your company gives them access
5) your source code reveals or contains an "easy in" for the intruders

Get yourself an IDS system such as SNORT or a firewall that can export it's log's so that you may be able to corrilate an IP with the time of the login better. Firewall and AV are must for M$ products (I am assuming you are using iis, not apache)
GL!
-rich



0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10678214
webcracker is the most popular
http://www.securityfocus.com/tools/706
0
Business Impact of IT Communications

What are the business impacts of how well businesses communicate during an IT incident? Targeting, speed, and transparency all matter. Find out more in this infographic.

 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10678351
http://www.packetstormsecurity.org/Crackers/indexdate.shtml
Here there are many tools which could help you out.
0
 

Author Comment

by:skbohler
ID: 10678492
Thanks for the initial responses.

Wouldn't the initial invalid attempts show up in both our IIS log files as hits to the login page?

-Steve
0
 

Author Comment

by:skbohler
ID: 10678514
It looks like your responses are addressing attempts to hack into a server, not an application with an HTML login page. No?

-Steve
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10678592
They should- log such things. Like I said, many many ways to get a legit username and password. If they do scan your your server, and find it exploitable- then it's very likely this was their way in- then the gathered a few usernames and passwords... perhaps.
What has been listed are some tools that can look for expolits for your application (gfi nessus) and nessus also has a brute force capability. Social engineering is a fabulous way to get such information. With-out better forensic's there is no real way to tell how this info was obtained... too many variables at work here.
Hacking a person's computer- that uses your site, could contain a cached logon cred..
they could of worked for you previously, or they have someone on the inside... perhaps your application was written out-of-house, and a devloper used and account or back door to get in.. your imagination is the limit...
-rich
0
 

Author Comment

by:skbohler
ID: 10686530
Since the log file shows only one attempt before gaining access through a valid login, it seems that they weren't using any software which keeps trying different things.

Other than learning of login information from a person, piece of paper, etc., are there other ways of obtaining login information? Can they "tap into" communication over the internet and filter out usernames and password strings?

Thanks again,
Steve
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10687809
Not typically, they can't sniff the wire... they can get into a server with an exploit to IIS or Apache, even you app may reveal what it's looking for. Once you've gained access to a server (from being unpatched, or exploited), you can look around for valid usernames and passes in SQL or what ever data-base (the windows SAM) they may be stored in. In order to sniff (tap into) they need to be on the same subnet, and or in the same broadcast domain. You can sniff traffic while it's in transit to different places, if an employee of an ISP were to sniff his own traffic, he could easily gain such information if he/she were a "hop" that the info passed through. If you do a tracert to microsoft.com you "hop" through quite a few routers on different isp's and service providers, any one of those points (hops), any where in the world, could in theory "sniff" a communication such as username and password.

Encrypted communications are the best ways of thwarting such "sniffing". Https (http secure) SSL are the best ways to prevent this from happening-easily. Again, there are trojan's that install keyloggers, as well as URL monitoring- both with timestamps, so that the key strokes can be associated or  with a particular log-in to a url. This get's around the https solution. The possibilities are truly endless. For each cure or fix, there are other ways of obtaining the info.
So a user infected with a trojan, could unwittingly be giving a hacker this information, there is no real way to track down what has happened to you- again too many variables...
Your not Paranoid if everyone is really out to get you :) If you don't have a firewall, your asking to be hacked, if you don't run AV your bound to get infected (with M$ that is)

-rich
0
 

Author Comment

by:skbohler
ID: 10687979
Thanks for your reply.

The username they used wasn't stored on our web server. Our SQL server database is on another database (on a shared server). Unfortunately I have no way of telling if they hacked into that.

We do have a firewall and have shut off their IP address for now.

Thanks!
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10688046
anyhow I do not agree on your decision as richrumble proposed portscanners not tools that make web logins
sadly that you took that as a good answer!
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10688258
Nessus indeed can make web login's- GFI can check for easy passwords if configured correctly. I think the split was fair, there are again too many variables to know for certain. Thanks.
-rich
0
 

Expert Comment

by:mgbyrne2004
ID: 11497508
*** advertising removed by Netminder, Site Admin ***
0

Featured Post

Webinar May 25: Cloud Security Strategies for SMBs

Small and mid-sized businesses are a driving force behind cloud adoption, and it’s no wonder: cloud benefits are BIG.  But for all the convenience that moving to the cloud provides, where does security come into play?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

There's a lot of hype surrounding blockchain technology. Here's how it works and some of the novel ways it' s now being used - including for data protection.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question