Solved

Password Hacking question

Posted on 2004-03-25
13
4,594 Views
Last Modified: 2010-04-11
Hello,

Early this morning, someone(s) gained unauthorized entry into our web application using valid login information.

We're trying to determine how they got the login information.

Are there any applications which hackers can use which will make repeated login attempts to an application's login page?
0
Comment
Question by:skbohler
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 4
  • +1
13 Comments
 
LVL 6

Assisted Solution

by:bloemkool1980
bloemkool1980 earned 50 total points
ID: 10678198
there are plenty of tools like that. But why would you need to know what tool ?
It is also very easy to write a script in perl that does it for you.
If I understand they did a password guessing attack and if this is true it means that you have very weak passwords and very easy to guess usernames.
I do not know any of those names for these kind of tools but http://packetstormsecurity.org has plenty.

0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 75 total points
ID: 10678205
Yes, plenty. I'd scan yourself with a few of the favorites, and see if you can see how they got in.
GFI languard - 30day trial
http://www.gfi.com/lannetscan/
Nessus - Free
http://www.nessus.org/  (nessus has a BF capibility)

Run MSBSA http://www.microsoft.com/technet/security/tools/mbsahome.mspx on the box and see what it recommends

Use those two to determine if you are vulnerable to some of the common and easily exploited flaws in IIS or SQL. Hacker's (actually crackers) can get in numerous ways.
1) they crack into a legitimate user of your system, and get their creditials off their pc
2) they exploit iis or sql and get in via 2000+ different ways
3) they "brute-force" usernames or passwords until they get a legit one
4) disgruntled former employee- or an insider in your company gives them access
5) your source code reveals or contains an "easy in" for the intruders

Get yourself an IDS system such as SNORT or a firewall that can export it's log's so that you may be able to corrilate an IP with the time of the login better. Firewall and AV are must for M$ products (I am assuming you are using iis, not apache)
GL!
-rich



0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10678214
webcracker is the most popular
http://www.securityfocus.com/tools/706
0
Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10678351
http://www.packetstormsecurity.org/Crackers/indexdate.shtml
Here there are many tools which could help you out.
0
 

Author Comment

by:skbohler
ID: 10678492
Thanks for the initial responses.

Wouldn't the initial invalid attempts show up in both our IIS log files as hits to the login page?

-Steve
0
 

Author Comment

by:skbohler
ID: 10678514
It looks like your responses are addressing attempts to hack into a server, not an application with an HTML login page. No?

-Steve
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10678592
They should- log such things. Like I said, many many ways to get a legit username and password. If they do scan your your server, and find it exploitable- then it's very likely this was their way in- then the gathered a few usernames and passwords... perhaps.
What has been listed are some tools that can look for expolits for your application (gfi nessus) and nessus also has a brute force capability. Social engineering is a fabulous way to get such information. With-out better forensic's there is no real way to tell how this info was obtained... too many variables at work here.
Hacking a person's computer- that uses your site, could contain a cached logon cred..
they could of worked for you previously, or they have someone on the inside... perhaps your application was written out-of-house, and a devloper used and account or back door to get in.. your imagination is the limit...
-rich
0
 

Author Comment

by:skbohler
ID: 10686530
Since the log file shows only one attempt before gaining access through a valid login, it seems that they weren't using any software which keeps trying different things.

Other than learning of login information from a person, piece of paper, etc., are there other ways of obtaining login information? Can they "tap into" communication over the internet and filter out usernames and password strings?

Thanks again,
Steve
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10687809
Not typically, they can't sniff the wire... they can get into a server with an exploit to IIS or Apache, even you app may reveal what it's looking for. Once you've gained access to a server (from being unpatched, or exploited), you can look around for valid usernames and passes in SQL or what ever data-base (the windows SAM) they may be stored in. In order to sniff (tap into) they need to be on the same subnet, and or in the same broadcast domain. You can sniff traffic while it's in transit to different places, if an employee of an ISP were to sniff his own traffic, he could easily gain such information if he/she were a "hop" that the info passed through. If you do a tracert to microsoft.com you "hop" through quite a few routers on different isp's and service providers, any one of those points (hops), any where in the world, could in theory "sniff" a communication such as username and password.

Encrypted communications are the best ways of thwarting such "sniffing". Https (http secure) SSL are the best ways to prevent this from happening-easily. Again, there are trojan's that install keyloggers, as well as URL monitoring- both with timestamps, so that the key strokes can be associated or  with a particular log-in to a url. This get's around the https solution. The possibilities are truly endless. For each cure or fix, there are other ways of obtaining the info.
So a user infected with a trojan, could unwittingly be giving a hacker this information, there is no real way to track down what has happened to you- again too many variables...
Your not Paranoid if everyone is really out to get you :) If you don't have a firewall, your asking to be hacked, if you don't run AV your bound to get infected (with M$ that is)

-rich
0
 

Author Comment

by:skbohler
ID: 10687979
Thanks for your reply.

The username they used wasn't stored on our web server. Our SQL server database is on another database (on a shared server). Unfortunately I have no way of telling if they hacked into that.

We do have a firewall and have shut off their IP address for now.

Thanks!
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10688046
anyhow I do not agree on your decision as richrumble proposed portscanners not tools that make web logins
sadly that you took that as a good answer!
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10688258
Nessus indeed can make web login's- GFI can check for easy passwords if configured correctly. I think the split was fair, there are again too many variables to know for certain. Thanks.
-rich
0
 

Expert Comment

by:mgbyrne2004
ID: 11497508
*** advertising removed by Netminder, Site Admin ***
0

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
What does GoogleTagMgr javascripts below do 5 53
disable USB on Dell Printers 14 35
Exchange2013 MAPI 6 63
Best in class privacy policy 6 50
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
Ransomware continues to grow in reach and sophistication, putting data everywhere at risk. Learn how to avoid being caught in its sinister clutches with these 11 key tips.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question