Solved

Password Hacking question

Posted on 2004-03-25
Last Modified: 2010-04-11
Hello,

Early this morning, someone(s) gained unauthorized entry into our web application using valid login information.

We're trying to determine how they got the login information.

Are there any applications which hackers can use which will make repeated login attempts to an application's login page?
Question by:skbohler
13 Comments
 
LVL 6

Assisted Solution

by:bloemkool1980
bloemkool1980 earned 50 total points
ID: 10678198
There are plenty of tools like that. But why would you need to know which tool?
It is also very easy to write a script in Perl that does it for you.
If I understand correctly, they did a password-guessing attack, and if this is true it means that you have very weak passwords and very easy-to-guess usernames.
I do not know any names for these kinds of tools, but http://packetstormsecurity.org has plenty.

 
LVL 38

Accepted Solution

by:
Rich Rumble earned 75 total points
ID: 10678205
Yes, plenty. I'd scan your own server with a few of the favorites and see if you can see how they got in.
GFI LANguard - 30-day trial
http://www.gfi.com/lannetscan/
Nessus - free
http://www.nessus.org/  (Nessus has a brute-force capability)

Run MBSA http://www.microsoft.com/technet/security/tools/mbsahome.mspx on the box and see what it recommends.

Use those two to determine if you are vulnerable to some of the common and easily exploited flaws in IIS or SQL. Hackers (actually crackers) can get in numerous ways.
1) they crack into a legitimate user of your system, and get their credentials off their PC
2) they exploit IIS or SQL and get in via 2000+ different ways
3) they "brute-force" usernames or passwords until they get a legit one
4) disgruntled former employee, or an insider in your company gives them access
5) your source code reveals or contains an "easy in" for the intruders

Get yourself an IDS such as Snort, or a firewall that can export its logs, so that you may be able to correlate an IP with the time of the login better. Firewall and AV are a must for M$ products (I am assuming you are using IIS, not Apache).
GL!
-rich

 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10678214
WebCracker is the most popular.
http://www.securityfocus.com/tools/706
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10678351
http://www.packetstormsecurity.org/Crackers/indexdate.shtml
Here there are many tools which could help you out.
 

Author Comment

by:skbohler
ID: 10678492
Thanks for the initial responses.

Wouldn't the initial invalid attempts show up in both our IIS log files as hits to the login page?

-Steve
 

Author Comment

by:skbohler
ID: 10678514
It looks like your responses are addressing attempts to hack into a server, not an application with an HTML login page. No?

-Steve
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10678592
They should log such things. Like I said, there are many, many ways to get a legit username and password. If they did scan your server and find it exploitable, then it's very likely this was their way in, and then they gathered a few usernames and passwords... perhaps.
What has been listed are some tools that can look for exploits for your application (GFI, Nessus), and Nessus also has a brute-force capability. Social engineering is a fabulous way to get such information. Without better forensics there is no real way to tell how this info was obtained... too many variables at work here.
Hacking a person's computer that uses your site: it could contain a cached logon cred.
They could have worked for you previously, or they have someone on the inside... perhaps your application was written out-of-house, and a developer used an account or back door to get in... your imagination is the limit...
-rich
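Added example (editor's, not from the thread): a Python script that does what Steve asks about in the log files. It parses IIS W3C extended log lines, flags client IPs that POST to the login page repeatedly inside a short window (the footprint of the guessing tools discussed above), and counts how many attempts each IP made before its first success, so the "one attempt, then straight in" pattern stands out from a guessing burst. The log lines are constructed, and the login path /login.asp and the 200-on-failure / 302-on-success convention are assumptions about the application, not facts from the thread.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an IIS 6 W3C extended log; it is not from the original
# thread. Assumptions: the application's login page is /login.asp, a failed POST
# re-renders the form with HTTP 200, and a successful POST redirects with 302.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-03-25 05:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2004-03-25 05:00:03 10.0.0.5 GET /login.asp - 80 - 198.51.100.20 Mozilla/4.0 200 0 0
2004-03-25 05:00:09 10.0.0.5 POST /login.asp - 80 - 198.51.100.20 Mozilla/4.0 302 0 0
2004-03-25 05:01:00 10.0.0.5 POST /login.asp - 80 - 203.0.113.7 - 200 0 0
2004-03-25 05:01:07 10.0.0.5 POST /login.asp - 80 - 203.0.113.7 - 200 0 0
2004-03-25 05:01:14 10.0.0.5 POST /login.asp - 80 - 203.0.113.7 - 200 0 0
2004-03-25 05:01:21 10.0.0.5 POST /login.asp - 80 - 203.0.113.7 - 200 0 0
2004-03-25 05:01:28 10.0.0.5 POST /login.asp - 80 - 203.0.113.7 - 200 0 0
2004-03-25 05:01:35 10.0.0.5 POST /login.asp - 80 - 203.0.113.7 - 200 0 0
2004-03-25 05:01:42 10.0.0.5 POST /login.asp - 80 - 203.0.113.7 - 302 0 0
2004-03-25 05:03:00 10.0.0.5 GET /login.asp - 80 - 192.0.2.9 Mozilla/4.0 200 0 0
2004-03-25 05:03:05 10.0.0.5 POST /login.asp - 80 - 192.0.2.9 Mozilla/4.0 302 0 0
2004-03-25 05:03:06 10.0.0.5 GET /default.asp - 80 - 192.0.2.9 Mozilla/4.0 200 0 0
"""

LOGIN_URI = "/login.asp"          # assumption about the application
SUCCESS_STATUS = 302              # assumption: successful login redirects
WINDOW = timedelta(minutes=5)
THRESHOLD = 5                     # login POSTs from one IP inside WINDOW that count as a guessing burst


def parse_w3c(text):
    """Turn W3C extended log text into a list of {field: value} dicts, using the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is not None:
            parts = line.split()
            if len(parts) == len(fields):      # skip truncated lines rather than misalign columns
                rows.append(dict(zip(fields, parts)))
    return rows


def login_posts(rows):
    """Return (timestamp, client ip, status) for every POST to the login page, in time order."""
    hits = []
    for r in rows:
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == LOGIN_URI:
            ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            hits.append((ts, r["c-ip"], int(r["sc-status"])))
    return sorted(hits)


def find_bursts(rows, window=WINDOW, threshold=THRESHOLD):
    """Sliding window per IP: {ip: peak number of login POSTs inside `window`} for IPs at or over threshold."""
    recent, peaks = defaultdict(deque), {}
    for ts, ip, _ in login_posts(rows):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:             # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def attempts_before_success(rows, success_status=SUCCESS_STATUS):
    """Per IP, how many login POSTs preceded its first successful one (None if it never succeeded).
    0 is the pattern in the question: a single attempt that went straight in with valid credentials."""
    failed, result = defaultdict(int), {}
    for _, ip, status in login_posts(rows):
        if ip in result:
            continue
        if status == success_status:
            result[ip] = failed[ip]
        else:
            failed[ip] += 1
    for ip in failed:
        result.setdefault(ip, None)
    return result


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    print("guessing bursts:", find_bursts(rows))
    print("attempts before first success:", attempts_before_success(rows))
```

Two caveats when reading the output against a real log: the W3C log never contains the POST body, and cs-username is only filled for Windows-authenticated requests, so for a forms-based login you can see that an attempt was made but not which username was tried. IIS also stamps W3C entries in UTC, so convert before matching an entry against the firewall log as Rich suggests.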
 

Author Comment

by:skbohler
ID: 10686530
Since the log file shows only one attempt before gaining access through a valid login, it seems that they weren't using any software which keeps trying different things.

Other than learning of login information from a person, piece of paper, etc., are there other ways of obtaining login information? Can they "tap into" communication over the internet and filter out usernames and password strings?

Thanks again,
Steve
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10687809
Not typically; they can't sniff the wire... they can get into a server with an exploit to IIS or Apache, and even your app may reveal what it's looking for. Once you've gained access to a server (from being unpatched, or exploited), you can look around for valid usernames and passes in SQL or whatever database (the Windows SAM) they may be stored in. In order to sniff (tap into) they need to be on the same subnet and/or in the same broadcast domain. You can sniff traffic while it's in transit to different places: if an employee of an ISP were to sniff his own traffic, he could easily gain such information if he/she were a "hop" that the info passed through. If you do a tracert to microsoft.com you "hop" through quite a few routers on different ISPs and service providers; any one of those points (hops), anywhere in the world, could in theory "sniff" a communication such as username and password.

Encrypted communications are the best way of thwarting such "sniffing". HTTPS (HTTP Secure) and SSL are the best ways to prevent this from happening easily. Again, there are trojans that install keyloggers, as well as URL monitoring, both with timestamps, so that the keystrokes can be associated with a particular login to a URL. This gets around the HTTPS solution. The possibilities are truly endless. For each cure or fix, there are other ways of obtaining the info.
So a user infected with a trojan could unwittingly be giving a hacker this information; there is no real way to track down what has happened to you... again, too many variables...
You're not paranoid if everyone is really out to get you :) If you don't have a firewall, you're asking to be hacked; if you don't run AV, you're bound to get infected (with M$, that is).

-rich
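Added example (editor's, not from the thread) of what a "hop" actually recovers from a login, to make the HTTPS point concrete. The captures are constructed: a form POST and an HTTP Basic header sent over plain HTTP, and a TLS application-data record standing in for the same login over HTTPS. The host, path, form field names and credentials are made up.

```python
import base64
from urllib.parse import parse_qs

# Constructed captures, not from the original thread: what a router or ISP "hop" sees
# when the login travels over plain HTTP. Host, path and credentials are made up.
CAPTURED_FORM_LOGIN = (
    b"POST /login.asp HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 35\r\n"
    b"\r\n"
    b"username=alice&password=Spring04%21"
)

# Same credentials sent as HTTP Basic auth: base64 is encoding, not encryption.
CAPTURED_BASIC_AUTH = (
    b"GET /reports/ HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"Authorization: Basic YWxpY2U6U3ByaW5nMDQh\r\n"
    b"\r\n"
)

# The same login over HTTPS: a TLS application-data record (content type 0x17). The
# payload is constructed filler standing in for ciphertext; a middle hop cannot parse it.
CAPTURED_TLS_RECORD = b"\x17\x03\x01\x00\x30" + bytes(range(0x30))

# Form field names a sniffer would look for (assumption about the application's form).
USER_FIELDS = ("username", "user", "login")
PASS_FIELDS = ("password", "pass", "pwd")


def split_request(raw):
    """Parse a raw HTTP/1.x request into (method, target, lowercase-header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def harvest_credentials(raw):
    """Return {"basic": (user, pw)} and/or {"form": (user, pw)} recoverable from one request.
    Returns {} for a TLS record: after the handshake everything is opaque to a middle hop."""
    if raw[:1] in (b"\x14", b"\x15", b"\x16", b"\x17"):   # TLS record content types
        return {}
    _method, _target, headers, body = split_request(raw)
    found = {}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # RFC 7617: base64("user:password"); the first colon separates the two.
        user, _, pw = base64.b64decode(auth[6:]).decode("utf-8").partition(":")
        found["basic"] = (user, pw)
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded") and body:
        form = parse_qs(body.decode("utf-8"))   # also undoes %21 -> "!"
        user = next((form[k][0] for k in USER_FIELDS if k in form), None)
        pw = next((form[k][0] for k in PASS_FIELDS if k in form), None)
        if user is not None and pw is not None:
            found["form"] = (user, pw)
    return found


if __name__ == "__main__":
    for label, capture in (("form POST", CAPTURED_FORM_LOGIN),
                           ("basic auth", CAPTURED_BASIC_AUTH),
                           ("TLS record", CAPTURED_TLS_RECORD)):
        print(f"{label}: {harvest_credentials(capture)}")
```

The Basic case is the one people get wrong: base64 is reversible encoding, so on the wire it is no better than the form POST. With HTTPS the hop still learns the server name and the timing of the exchange, nothing more, which is why Rich's keylogger caveat matters: capture on the user's own PC happens before anything is encrypted.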
 

Author Comment

by:skbohler
ID: 10687979
Thanks for your reply.

The username they used wasn't stored on our web server. Our SQL server database is on another database (on a shared server). Unfortunately I have no way of telling if they hacked into that.

We do have a firewall and have shut off their IP address for now.

Thanks!
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10688046
Anyhow, I do not agree with your decision, as richrumble proposed port scanners, not tools that make web logins.
Sadly, you took that as a good answer!
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10688258
Nessus indeed can make web logins; GFI can check for easy passwords if configured correctly. I think the split was fair; there are, again, too many variables to know for certain. Thanks.
-rich
 

Expert Comment

by:mgbyrne2004
ID: 11497508
*** advertising removed by Netminder, Site Admin ***