17 Sep

If you haven’t noticed, I have been writing some custom snort rules lately. You might also be interested in the POP3 brute force and HTTP brute force rules.

SMTP Brute Force Block Rule:

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"Rapid SMTP Auth Failures - Possible Brute Force Attack"; content:"Authentication failed"; nocase; threshold: type both, track by_dst, count 20, seconds 10; classtype:misc-activity; rev:4; sid:1234567895; fwsam: dst, 240 minutes;)

The above rule fires when the mail server sends a client 20 replies containing “Authentication failed” within 10 seconds, and (through SnortSam) blocks that client for 240 minutes.

This may vary based on your mail server software. You can test this by doing a telnet to your mail server:

telnet mail.host.net 25
EHLO
AUTH LOGIN
334 VXN1cm5hbWU6
type some gibberish
334 UGFzc3dvcmQ6
type some more gibberish
500 5.7.0 Authentication Failed

The last line - “500 5.7.0 Authentication Failed” - tells you what to specify for the content rule option, based on your server’s response to the failed login. You may also need to modify other parts of the rule for your environment, e.g. the sid, to avoid conflicts with other rules.

NOTE: Snort will not block the offending host unless you have the SnortSam plugin installed.

This rule has been tried and tested against THC Hydra.

16 Sep

Some black hat script kiddie was trying to brute force one of the bulk mail servers on port 110 (POP3) all night long.

So I did a port scan and found that TCP port 3389 (RDP) was open on the offending machine. I was too curious at this point not to indulge.

I hit the IP with RDP session and it shot me right into the server without authentication. Whoo!

SO I RAN A FORK BOMB:

  1. :s
  2. START %0
  3. GOTO :s

That was all she wrote….

P.S. - Moral of this story is, “Don’t try to hack someone when your machine is 10 times more vulnerable than the victim’s.”

03 Sep

In response to Snort: Simple Rule To Block HTTP Brute Force, here is a similar rule, only for POP3 brute forcing:

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 Brute Force Attack"; flags:S,12; threshold: type both, track by_src, count 20, seconds 10; classtype:misc-activity; rev:1; sid:1234567890; fwsam: src, 10 minutes;)

HINT: You may have to adjust the threshold by modifying the ‘count 20, seconds 10’ part to meet your needs. Some brute forcing programs can generate up to 80 logins per second, so it is possible to set the threshold much higher if you are getting false positives.

29 Aug

I got hacked not too long ago, so I decided to set up snort patched with snortsam to stop the intruders. This actually works very well.

They got in by brute forcing a login page for the web mail interface. The intruders also used the compose mail page to send spam after they broke in.

I wrote my own snort rule to detect and block brute forcing and sending spam through the web mail (it will only block if you have snortsam properly set up). This rule blocks anyone that does an HTTP POST more than 20 times within 10 seconds (I believe it is a ratio - average of 2 times per second).

alert tcp any any -> X.X.X.X 80 (content:"POST"; depth:4; nocase; msg:"Webmail Brute Force Attempt or Spam Attack"; threshold: type both, track by_src, count 20, seconds 10; classtype:misc-activity; sid:123456789; rev:1; fwsam: src, 10 minutes;)

HINT: Replace X.X.X.X with the IP of your web server. Take out the "fwsam: src, 5 minutes;" part if you are not using snortsam (you should be ;p). Replace 123456789 with your own custom ID and make it large so it doesn’t conflict with default snort rules.
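All three rules on this page (the SMTP auth-failure rule, the POP3 SYN rule and this webmail POST rule) hinge on the same threshold option, so it is worth seeing exactly which host it counts and when it fires. The Python below is an added illustration, not code from this blog, from Snort or from SnortSam: it emulates "threshold: type both" with by_src/by_dst tracking plus the content/depth/nocase payload checks, and runs them over constructed packet records (RFC 5737 documentation addresses and a made-up "500 5.7.0 Authentication Failed" reply). Use it to check which address each rule would hand to SnortSam and to try other count/seconds values before deploying.

```python
"""Rate-limit logic behind the SMTP, POP3 and webmail Snort rules on this page.

Added illustration (not the blog's, Snort's or SnortSam's code): emulates
`threshold: type both, track by_src|by_dst, count N, seconds M` together with
the `content`/`depth`/`nocase` payload options over constructed packet records.
"""
from collections import defaultdict

# Parameters copied from the three rules above (names taken from each msg option).
SMTP_RULE = dict(name="Rapid SMTP Auth Failures", content=b"Authentication failed",
                 depth=None, nocase=True, track="dst", count=20, seconds=10)
POP3_RULE = dict(name="POP3 Brute Force Attack", content=None,
                 depth=None, nocase=False, track="src", count=20, seconds=10)
HTTP_RULE = dict(name="Webmail Brute Force Attempt or Spam Attack", content=b"POST",
                 depth=4, nocase=True, track="src", count=20, seconds=10)


def content_matches(payload, rule):
    """Emulate `content:"..."; depth:N; nocase;`.  A rule without a content
    option (the POP3 SYN rule) matches every packet it is given."""
    pattern = rule["content"]
    if pattern is None:
        return True
    # depth:N restricts the search to the first N payload bytes
    haystack = payload if rule["depth"] is None else payload[:rule["depth"]]
    if rule["nocase"]:
        return pattern.lower() in haystack.lower()
    return pattern in haystack


def apply_threshold(events, rule):
    """Return the (time, tracked_ip) alerts `rule` raises over `events`.

    `events` are (time_seconds, src_ip, dst_ip, payload) tuples in time order.
    `type both`: once the tracked address reaches `count` matching packets
    inside a `seconds` window, alert once and ignore the rest of that window;
    the first matching packet after the window expires opens a new window.
    """
    windows = defaultdict(lambda: {"start": None, "count": 0})
    alerts = []
    for t, src, dst, payload in events:
        if not content_matches(payload, rule):
            continue
        # by_dst on server->client replies (SMTP rule) tracks the client, not the server
        key = src if rule["track"] == "src" else dst
        w = windows[key]
        if w["start"] is None or t - w["start"] >= rule["seconds"]:
            w["start"], w["count"] = t, 0
        w["count"] += 1
        if w["count"] == rule["count"]:
            alerts.append((t, key))
    return alerts


# ---- constructed traffic (RFC 5737 documentation addresses) ----

def smtp_failures(client, n, start=0.0, spacing=0.25):
    """Replies from mail server 192.0.2.25 rejecting n AUTH LOGIN attempts by client."""
    return [(start + i * spacing, "192.0.2.25", client,
             b"500 5.7.0 Authentication Failed\r\n") for i in range(n)]


def webmail_requests(client, method, n, start=0.0, spacing=0.5):
    """Requests from client to web server 192.0.2.80; the body also contains POST."""
    request = method + b" /webmail/compose.php HTTP/1.1\r\nHost: mail.example\r\n\r\nbody=POST"
    return [(start + i * spacing, client, "192.0.2.80", request) for i in range(n)]


def smtp_demo():
    """40 failures in 10 s against one client, plus a user who mistypes 3 times."""
    events = sorted(smtp_failures("203.0.113.7", 40) +
                    smtp_failures("198.51.100.9", 3, start=1.0, spacing=2.0))
    return apply_threshold(events, SMTP_RULE)


def http_demo():
    """25 POSTs in 12.5 s from one client; 25 GETs from another whose body
    contains POST (depth:4 keeps them from matching)."""
    events = sorted(webmail_requests("203.0.113.7", b"POST", 25) +
                    webmail_requests("198.51.100.9", b"GET", 25))
    return apply_threshold(events, HTTP_RULE)


if __name__ == "__main__":
    print("SMTP rule alerts:", smtp_demo())     # one alert at 4.75 s for 203.0.113.7
    print("Webmail rule alerts:", http_demo())  # one alert at 9.5 s for 203.0.113.7
```

Two things the output makes visible: the SMTP rule reports the client even though it tracks by_dst, because the packets it inspects are the server's replies; and type both produces a single alert per window, so the second post's "more than 20 times within 10 seconds" means one block per 10-second window, not one per extra POST.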

Have you written any custom snort rules, or do you have a suggestion to improve this rule? Show us in the comments.

12 Jan

Everything2.com explains how to crack a keyless entry pad on a vehicle.

Keyless Vehicle Entry

Usually keyless entry pads have 5 buttons, each with 2 numbers. With a combination of 3,129 pushes you can, and will, crack the vehicle code within 20 minutes.

On top of that, you can also use a telecoil from a cellphone to unlock car doors.

22 Nov

I hear a lot of people that are wholeheartedly against saving passwords in their browser. I would agree if these were not encrypted in any way, but by setting a master password in Firefox, we can encrypt our saved passwords. Beware that any passwords saved before you set your master password are NOT encrypted, and it is still possible for malicious code to steal your passwords through a web site.

Just for giggles, I will try to crack my Firefox master password. I will do this using Nagareshwar Talekar’s FireMaster Firefox master password recovery tool.

Firemaster is a Windows only tool so I am going to load it up in my VMware and see how long it takes to crack my Firefox master password.

Download Firemaster.

Extract the Firemaster.exe to a folder, like your desktop.

I am going to use the brute force method. If you like, run FireMaster without options to see the syntax switches. The most important switches are -n for the number of characters and -a to specify which characters to use when brute forcing. Now run FireMaster like so:

firemaster -q -b -n 15 -a "qwertyuiopasdfghjklzxcvbnm1234567890!@#$%^&*()" "C:\Documents and Settings\Username\Application Data\Mozilla\Firefox\Profiles\XXXXXX.default"
