Date   : Wed, 16 Nov 2011 22:08:01 +0000
From   : jgh@... (jgh@...)
Subject: Security Project - Update 1

Martyn Ruks wrote:
> > It looks like you (Martyn) are attempting to log on with a
> > predefined list of usernames to try and using the difference
> > between "user not known" and "wrong password" to determine if a
> > user exists.
>
> Yes, you would be surprised how many systems and applications still
> let you do this today

Most will retreat and lock you out after a certain number of failed
logons, and increase the length of time of the lockout each time
it does so.

Eg, three failed logins, retreat for 30 seconds
Three more failed logins, retreat for 60 seconds
Three more failed logins, retreat for 120 seconds
etc.

Makes a brute-force attack very time worthless.

> (snip code)
> Awesome, I'll have a play as I get time to learn a bit more - thanks

Of course, you'll need the FNrd() function from the StringIO 
library[1]:

  
  DEFFNrd(i%):LOCALA%,B%,A$:REPEAT:A%=BGET#i%:IFA%<>10ANDA%<>13:A$=A$+CHR$A%
  UNTILA%=10ORA%=13OREOF#i%:IFEOF#i%:=A$
  B%=BGET#i%:IFA%=B%OR(B%<>13ANDB%<>10):PTR#i%=PTR#i%-1
  =A$

[1]http://mdfs.net/blib

> Yes and not an elegant attack by any means. This leads to an
> interesting question, as a gut feel how many admins used to keep the
> monitor turned on to watch what was going on like a hawk and how many
> would have flicked it off?

When I was sysadmin, not constantly, it would tie up a station. But
any noticeable network slowdown would result in running SJMon to
see what was happening, and a constant stream of

  10->254 *I AM
254-> 10 Error 'User not known'
  10->254 *I AM
254-> 10 Error 'User not known'
  10->254 *I AM
254-> 10 Error 'User not known'
  10->254 *I AM
254-> 10 Error 'User not known'
  10->254 *I AM
254-> 10 Error 'User not known'
  10->254 *I AM
254-> 10 Error 'User not known'
  10->254 *I AM
254-> 10 Error 'User not known'

makes clear what is happening.

JGH
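
Added example, not part of the original message or of any file server's code: a sketch of the escalating lockout described above (three failed logons, then 30, 60, 120 seconds and so on), with a helper that works out how long one station needs to get through a list of guesses. The class, function and parameter names are assumptions; station 10 is taken from the trace above.

```python
# Added illustration of the lockout scheme in the message:
# 3 failures -> 30 s, 3 more -> 60 s, 3 more -> 120 s, ...
# All names here are assumptions made for the example.

class LoginThrottle:
    def __init__(self, attempts_per_round=3, base_lockout=30):
        self.attempts_per_round = attempts_per_round
        self.base_lockout = base_lockout
        # station -> (failures this round, lockouts so far, locked until)
        self.state = {}

    def locked_for(self, station, now):
        """Seconds the station must still wait (0 if it may try now)."""
        _, _, until = self.state.get(station, (0, 0, 0))
        return max(0, until - now)

    def record_failure(self, station, now):
        """Count a failed logon; return the lockout imposed (0 if none)."""
        fails, lockouts, until = self.state.get(station, (0, 0, 0))
        fails += 1
        imposed = 0
        if fails >= self.attempts_per_round:
            # Each lockout is twice as long as the previous one.
            imposed = self.base_lockout * 2 ** lockouts
            fails, lockouts, until = 0, lockouts + 1, now + imposed
        self.state[station] = (fails, lockouts, until)
        return imposed

    def record_success(self, station):
        # Assumption: a good logon clears the station's history.
        self.state.pop(station, None)


def seconds_to_try(guesses, throttle=None, station=10):
    """Earliest time (s) at which the last of `guesses` failed logons
    can be made, assuming each attempt itself takes no time."""
    throttle = throttle or LoginThrottle()
    now = 0
    for _ in range(guesses):
        now += throttle.locked_for(station, now)  # sit out any lockout
        throttle.record_failure(station, now)
    return now


if __name__ == "__main__":
    for n in (9, 10, 31, 61):
        print(n, "guesses ->", seconds_to_try(n), "seconds")
```

With these defaults, 31 guesses already cost 30690 seconds (about eight and a half hours) of enforced waiting, and the wait doubles with every further three guesses.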