Re: bruteforce attacks to GUI applications

[ascii <ascii () katamail com>]

m_r_welch () tiscali co uk wrote:
> It doesn't look like that would be possible. See here:
> http://expect.nist.gov/FAQ.html#q23

it's not possible with expect but you can use other techniques

i'm thinking about all my friends that lost their time playing
RPG games like ultima etc (IMHO of course)

when protocol hacking is not possible they use macro programs
that move the mouse and simulate keyboard input

some of these programs uses 'complex' scripting languages (or at
last you can write your own using your os apis) and support
external bin output as value of vars

the point is the cpu time required to perform an attack like this

you can accomplish some trick like jump the pointer to x,y instead
move it

when you try to brute force the shadow file you use john et similia:
tools written in well-coded c that read the file, explode fields,
use the right buffer len, use optimized algs etc

think about brute forcing the same using passwd, isn't this silly?
you have to exec an external bin, load shared libs, let expect
input the password, parse the result

i can assure you the process will take 100x time, and now think about
the overhead of gui applications: you have to start the application,
jump the cursor, click/focus, simulate keyboard input (user name), jump
the cursor, click/focus again, input the passwd acquired from the
external bin, jump over the ok button and click

i think this process will take forever and is suitable only for
(not huge) dictionary attacks