Password Hacking question

Hello,

Early this morning, someone(s) gained unauthorized entry into our web application using valid login information.

We're trying to determine how they got the login information.

Are there any applications which hackers can use which will make repeated login attempts to an application's login page?
skbohlerAsked:
Who is Participating?
 
Rich RumbleConnect With a Mentor Security SamuraiCommented:
Yes, plenty. I'd scan yourself with a few of the favorites, and see if you can see how they got in.
GFI languard - 30day trial
http://www.gfi.com/lannetscan/
Nessus - Free
http://www.nessus.org/  (nessus has a BF capibility)

Run MSBSA http://www.microsoft.com/technet/security/tools/mbsahome.mspx on the box and see what it recommends

Use those two to determine if you are vulnerable to some of the common and easily exploited flaws in IIS or SQL. Hacker's (actually crackers) can get in numerous ways.
1) they crack into a legitimate user of your system, and get their creditials off their pc
2) they exploit iis or sql and get in via 2000+ different ways
3) they "brute-force" usernames or passwords until they get a legit one
4) disgruntled former employee- or an insider in your company gives them access
5) your source code reveals or contains an "easy in" for the intruders

Get yourself an IDS system such as SNORT or a firewall that can export it's log's so that you may be able to corrilate an IP with the time of the login better. Firewall and AV are must for M$ products (I am assuming you are using iis, not apache)
GL!
-rich



0
 
bloemkool1980Connect With a Mentor Commented:
there are plenty of tools like that. But why would you need to know what tool ?
It is also very easy to write a script in perl that does it for you.
If I understand they did a password guessing attack and if this is true it means that you have very weak passwords and very easy to guess usernames.
I do not know any of those names for these kind of tools but http://packetstormsecurity.org has plenty.

0
 
bloemkool1980Commented:
webcracker is the most popular
http://www.securityfocus.com/tools/706
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
bloemkool1980Commented:
http://www.packetstormsecurity.org/Crackers/indexdate.shtml
Here there are many tools which could help you out.
0
 
skbohlerAuthor Commented:
Thanks for the initial responses.

Wouldn't the initial invalid attempts show up in both our IIS log files as hits to the login page?

-Steve
0
 
skbohlerAuthor Commented:
It looks like your responses are addressing attempts to hack into a server, not an application with an HTML login page. No?

-Steve
0
 
Rich RumbleSecurity SamuraiCommented:
They should- log such things. Like I said, many many ways to get a legit username and password. If they do scan your your server, and find it exploitable- then it's very likely this was their way in- then the gathered a few usernames and passwords... perhaps.
What has been listed are some tools that can look for expolits for your application (gfi nessus) and nessus also has a brute force capability. Social engineering is a fabulous way to get such information. With-out better forensic's there is no real way to tell how this info was obtained... too many variables at work here.
Hacking a person's computer- that uses your site, could contain a cached logon cred..
they could of worked for you previously, or they have someone on the inside... perhaps your application was written out-of-house, and a devloper used and account or back door to get in.. your imagination is the limit...
-rich
0
 
skbohlerAuthor Commented:
Since the log file shows only one attempt before gaining access through a valid login, it seems that they weren't using any software which keeps trying different things.

Other than learning of login information from a person, piece of paper, etc., are there other ways of obtaining login information? Can they "tap into" communication over the internet and filter out usernames and password strings?

Thanks again,
Steve
0
 
Rich RumbleSecurity SamuraiCommented:
Not typically, they can't sniff the wire... they can get into a server with an exploit to IIS or Apache, even you app may reveal what it's looking for. Once you've gained access to a server (from being unpatched, or exploited), you can look around for valid usernames and passes in SQL or what ever data-base (the windows SAM) they may be stored in. In order to sniff (tap into) they need to be on the same subnet, and or in the same broadcast domain. You can sniff traffic while it's in transit to different places, if an employee of an ISP were to sniff his own traffic, he could easily gain such information if he/she were a "hop" that the info passed through. If you do a tracert to microsoft.com you "hop" through quite a few routers on different isp's and service providers, any one of those points (hops), any where in the world, could in theory "sniff" a communication such as username and password.

Encrypted communications are the best ways of thwarting such "sniffing". Https (http secure) SSL are the best ways to prevent this from happening-easily. Again, there are trojan's that install keyloggers, as well as URL monitoring- both with timestamps, so that the key strokes can be associated or  with a particular log-in to a url. This get's around the https solution. The possibilities are truly endless. For each cure or fix, there are other ways of obtaining the info.
So a user infected with a trojan, could unwittingly be giving a hacker this information, there is no real way to track down what has happened to you- again too many variables...
Your not Paranoid if everyone is really out to get you :) If you don't have a firewall, your asking to be hacked, if you don't run AV your bound to get infected (with M$ that is)

-rich
0
 
skbohlerAuthor Commented:
Thanks for your reply.

The username they used wasn't stored on our web server. Our SQL server database is on another database (on a shared server). Unfortunately I have no way of telling if they hacked into that.

We do have a firewall and have shut off their IP address for now.

Thanks!
0
 
bloemkool1980Commented:
anyhow I do not agree on your decision as richrumble proposed portscanners not tools that make web logins
sadly that you took that as a good answer!
0
 
Rich RumbleSecurity SamuraiCommented:
Nessus indeed can make web login's- GFI can check for easy passwords if configured correctly. I think the split was fair, there are again too many variables to know for certain. Thanks.
-rich
0
 
mgbyrne2004Commented:
*** advertising removed by Netminder, Site Admin ***
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.