[lug] Attacks Intensifying

Dean Brissinger Dean.Brissinger at vexcel.com
Wed Nov 3 11:48:08 MST 2004

On my home page http://www.kaidok.com/~brissing/ is an article I wrote on
making passwords hard for crackers like John to break.  You may be

ssh's big vulnerability is not in password strength but from a man in
the middle attack.  Any desktop machine on the same LAN as either the
client or the server can promote itself to route all traffic through
itself to your SSH server.  While it routes traffic it can steal keys,
plain text passwords, etc.  It can later be removed usually without a
trace.  Nothing shows up in your server logs either.  You would only
discover it by a) not ignoring the warnings from SSH client about the
host id changing or b) running a trace on your connections.

It wouldn't be a bad idea for an attacker to fill the target server's
logs with bogus attack information.  Get the sys admins to look in the
wrong direction at what appears to be a brute-force attack.  Meanwhile
stealing passwords and logging in with them.

Paranoid?  Nah.  Just paranoid.


On Thu, 2004-10-28 at 12:27, Matt Thompson wrote:
> On Thu, 2004-10-28 at 11:05, Bill Thoen wrote:
> > On Thu, 28 Oct 2004, Matt Thompson wrote:
> > 
> > > Well, the older root specific version was like this:
> > > 
> > > http://www.k-otik.com/exploits/08202004.brutessh2.c.php
> > 
> > Interesting... Looks like they aren't even looking at mixed-case ones, and 
> > few (if any) over 8 characters.
> > 
> > Do people really use passwords for root that are as simple 
> > as these? Even the "clever" ones are sort of stupid. (e.g. q1w2e3, a 
> > keyboard pattern, and ib6ub9, a sounds-like-real-words etc.) Maybe P.T. 
> > Barnum was right when he said, "You won't go broke underestimating the 
> > intelligence of the public."
> > 
> > > So, you could take that as a baseline.  By now I'm sure some kiddie has
> > > expanded the dictionary.  I'm guessing there isn't a john-like
> > > number/capital type search since I've only ever gotten around 2000 or so
> > > attempts a day at its peak.  A john-type attack should generate a lot
> > > more.
> > 
> > What's a john-like attack?
> Well, I just mean how john (the ripper) uses some of those mangling
> rules to its wordlist.  Things like pluralizing, ing-ing, appending
> digits, shift left/right on keyboard, etc.
> In fact, john once cracked one of my passwords pretty easily.  It was at
> that point I decided it was time to make my passwords more complex.  Of
> course, these 10-15 near-linenoise passwords are so fun to remember.
> Matt


   Dean J. Brissinger              303-583-0278 (Direct)
   Senior Systems Administrator    303-583-0200 (Main)
                                   303-583-0246 (Fax)

        Dean.Brissinger at vexcel.com * www.vexcel.com
       1690 38th Street * Boulder,  CO * 80301 * USA
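
Added example, not part of the original message or of OpenSSH: a sketch of the check behind the "host id changed" warning mentioned above, comparing the key a server offers against the one pinned in a known_hosts file. The host names, key blobs and function names are constructed for illustration; hashed host entries are skipped rather than verified.

```python
import base64
import hashlib

def make_blob(raw):
    return base64.b64encode(raw).decode()

# Constructed stand-ins for public key blobs (not real SSH keys).
PINNED_BLOB = make_blob(b"constructed-host-key-A")
OTHER_BLOB = make_blob(b"constructed-host-key-B")

# Constructed known_hosts content; host name and address are placeholders.
KNOWN_HOSTS = f"""# pinned on first trusted connection
server.example.org,192.0.2.10 ssh-ed25519 {PINNED_BLOB} admin note
|1|c2FsdA==|aGFzaA== ssh-ed25519 {OTHER_BLOB}
"""

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Map (host, keytype) -> key blob for plain, unhashed entries."""
    pins = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @cert-authority/@revoked markers, short lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        names, keytype, blob = fields[:3]
        for name in names.split(","):
            if not name.startswith("|1|"):  # hashed names are not handled here
                pins[(name, keytype)] = blob
    return pins

def check_host_key(pins, host, keytype, offered_blob):
    """Return (status, pinned fingerprint, offered fingerprint)."""
    pinned = pins.get((host, keytype))
    if pinned is None:
        return ("UNKNOWN", None, fingerprint(offered_blob))
    same = base64.b64decode(pinned) == base64.b64decode(offered_blob)
    return ("MATCH" if same else "CHANGED",
            fingerprint(pinned), fingerprint(offered_blob))

if __name__ == "__main__":
    pins = parse_known_hosts(KNOWN_HOSTS)
    for blob in (PINNED_BLOB, OTHER_BLOB):
        print(check_host_key(pins, "server.example.org", "ssh-ed25519", blob))
```

A CHANGED result is the condition the client warning reports; it should be resolved by confirming the new fingerprint with the server's administrator over a separate channel before connecting.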
