Jazajay
Active Member
Oh dear lord, I had this corker across my desk today. Under no circumstances do the following. Normally I am totally against explaining why this is bad, but this is too scary.
Message on my desk:
New client due to recent hacks on sites hosted not on our servers, do a full site backup now.
Let's say this site is example-gots.co.uk
Here are the FTP details:
ftp://example-gots:aa32asdf@example-gots.co.uk
username:
password:
servername:
These were given as well, but who wants to fill them in anyway?
Well Server name is going to be:
example-gots.co.uk
So what's the username and password?
Anyone?
Well, that's the username:
example-gots
Clearly. So password is what?
1 of 2:
95% chance it's
aa32asdf
5% chance it may possibly be:
:aa32asdf
Right who can see how that can be exploited? Anyone?
Because you are not going to need to understand why giving this:
ftp://example-gots:aa32asdf@example-gots.co.uk
Was a moronic thing to do.
Let's say we are interested in hacking example-purple.com and we know they host it.
Who wants to fill in most of the details by a pure guess?
What do you reckon most of them are:
ftp://example-purple: [email protected]
Now what is the server name and username to example-purple.com?
Yeah, that's right:
example-purple and example-purple.com
Okay, now let's examine the password, as that's the only thing I have to work out for example-purple.com
What do we know?
Well we know our password was:
aa32asdf
So first off:
1) All lowercase characters
2) No special characters
3) High chance it's exactly 8 characters long
4) Possibility that their password could start with aa
5) Possibility that the 3rd and 4th characters of their password are also numbers
6) If 5 is correct, a possibility that the others are all characters and bring in one, lowercase.
But what else?
Now if I am going to run an automated attack, let's try narrowing this down first.
What if we try the first pattern to test for
as
[a][a][number][number][lowercase letter][lowercase letter][lowercase letter][lowercase letter]
Let's face it, far fewer possibilities if all their passwords start with the letter a twice, then 2 numbers followed by 4 random lowercase characters, and if it does we have just narrowed it down from 8 to 6 characters.
Okay what if we then ran a second automated attack for
[lowercase letter][lowercase letter][number][number][lowercase letter][lowercase letter][lowercase letter][lowercase letter]
If that fails we then just run a test for all 8 characters with possible lower case characters and numbers but miss out any we have already tested.
That could be confirmed further if we registered a second account at the company and got a second set of password details.
By the time I get up in the morning I would put money on it that I would have access to example-purple.com's entire FTP area to do with what I pleased.
Morons, utterly. :blink:
And yet another reason I never went to university, dear lord, why do people think university degrees are worth the paper they are written on? :down:
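Added example, not part of the original post: a provider-side audit of the issuance scheme described above, computing how many passwords remain under each of the three patterns the post lists, next to a replacement generator that uses the OS CSPRNG. The function names, the 20-character length and the 94-symbol alphabet are assumptions made for illustration.

```python
import math
import secrets
import string

# Size of each character class; "s" is ASCII punctuation (32 symbols).
CLASS_SIZES = {"l": 26, "u": 26, "d": 10, "s": 32}

def mask(password):
    """Reduce a password to its character-class mask, e.g. 'aa32asdf' -> 'llddllll'."""
    classes = []
    for ch in password:
        if ch.islower():
            classes.append("l")
        elif ch.isupper():
            classes.append("u")
        elif ch.isdigit():
            classes.append("d")
        else:
            classes.append("s")
    return "".join(classes)

def keyspace(mask_str, fixed_positions=0):
    """Count passwords matching a mask; the first fixed_positions are constant."""
    total = 1
    for cls in mask_str[fixed_positions:]:
        total *= CLASS_SIZES[cls]
    return total

def bits(n):
    """Keyspace size expressed in bits."""
    return math.log2(n)

def issue_password(length=20):
    """Replacement generator: uniform over letters, digits and punctuation."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def audit(sample="aa32asdf"):
    """Keyspace under each pattern from the post, using the one issued sample."""
    m = mask(sample)
    return {
        "mask": m,
        "fixed_aa_prefix": keyspace(m, fixed_positions=2),  # aa + 2 digits + 4 lowercase
        "mask_only": keyspace(m),                           # 2 lowercase + 2 digits + 4 lowercase
        "lower_and_digits_8": 36 ** len(sample),            # any 8 lowercase letters or digits
        "random_20": 94 ** 20,                              # what issue_password() draws from
    }

if __name__ == "__main__":
    for name, value in audit().items():
        print(name, value if isinstance(value, str) else f"{value} (~{bits(value):.1f} bits)")
```

Running `mask()` over every password a generator has issued and counting distinct masks shows whether the scheme leaks structure the way the single sample in the post does.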