[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] booting password crackers...
- Subject: Re: [cobalt-security] booting password crackers...
- From: ChaosIndustries <chaosindustries@xxxxxx>
- Date: Sun, 28 May 2000 18:53:26 +0200
Sure you can have some files and discriptions.
Ill will upload that stuff an mail the url after that, cause im not supposed
to nerv a hole list while sending attachments to the list ;)
> You are certainly creative. I do not want your secrets,
No secrets, keep the information free. Im missing that time where the internet
was used for information instead of "give me 10$ and i give you help".
> but I am impressed
> with how you setting up security.
Think to call that "setting up security" is wrong ;) "Nerv them back" or
"active instead of passive against some "ultra leet" subjects" will describe that
better.
Greets Sven
Mike Vanecek schrieb:
> On Sun, 28 May 2000 00:52:18 +0200, ChaosIndustries <chaosindustries@xxxxxx>
> wrote:
>
> :>Think hosts.deny will work, but is not efficient, cause they after redial
> :>on isp
> :>they will get a new ip. Otherwise you will deny all users using this ISP.
> :>
> :>Im using "nerv them up method" in that cases ;)
> :>Use httpd.conf to give out a "fake .htaccess" using a cgi. The same cgi
> :>can check the pass and send a dummy page. So the bruteforcer will
> :>result after each try the pass was found --> This cracker isnt usefull any
> :>more now.
>
> Would you mind posting or sending me off list more detail on exactly how you
> implement the changes to your httpd.conf file and use the cgi script please?
> I'd like to see what you put in the httpd.conf file and what is in the cgi
> script. I'd be interested in trying the same approach.
>
> :>Combined with some WarScripts in Javascript that crackers will have a lot
> :>of
> :>fun ;)
>
> I would like to see a copy of this too please.
>
> :>When someone using the write login:pass combination at that cgi redir
> :>then to the new path where the real .htaccess file is.
>
> I am not sure I follow, but maybe looking at the cgi script will help.
>
> :>You can also generate an unshadowed passwd file and store that on anonymous
> :>
> :>ftp in /etc with some other files (free composed ;) ). For the passwords in
> :>that
> :>passwd file use some that passwords: do you think im so stupid
>
> I would like to see that file too please.
>
> :>When they have checked that their cracker is no longer usefull maybe they
> :>think they can brute the passwd file from that anonymous ftp <hehe>.
> :>
> :>Just have fun with them, they will give up when this subjects checking out
> :>that you're playing with them.
> :>
> :>You can also use a cgi instead of .htaccess for auth, and send some
> :>tear or syncdrops after the 3rd try, or just flood them.
>
> Do you have an example of such a script I could have?
>
> :>Be creative ;)
> :>
> :>Greetz Sven
>
> You are certainly creative. I do not want your secrets, but I am impressed
> with how you setting up security. Anything you can share with me that does not
> compromise your approach would be really appreciated. I like your approach!
>
> Thanks, Mike.
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security