OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Rob Shein (shotenstarpower.net)
Date: Fri Jun 07 2002 - 13:33:38 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    On Fri, 2002-06-07 at 13:49, Nathan Vack wrote:
    > Chris wrote:
    >
     
    > - Assume a username is known
    > - Assume the attacker knows the password to be contained in a 10,000
    > word dictionary
    > - Assume a dial-up and password try takes 5 seconds on average
    > - Assume dialing up is free (not true in many parts of the US, at least)
    >
    </snip lots of good math here that equate to it taking a long time to
    brute force>

    Or, you assume that the account's password is the same as the password
    used to retrieve POP mail from the user. You go to the ISP's web page
    to get the name of the mail server, and use brutus to brute-force
    against the POP server instead, which saves a lot of time compared to
    dialing in repeatedly. Furthermore, the brute force is less likely to
    be logged, as every ISP I've ever known logs phone numbers religiously.

    #################################################################
    #################################################################
    #################################################################
    #####
    #####
    #####
    #################################################################
    #################################################################
    #################################################################

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com