Brute force questions [Archive] - Glock Talk


seti870
07-07-2004, 12:01
Hello. I apologize for the subject, I promise this is on the up and up. Honest.

Recently, I've been tasked as my 13 year old cousin's keeper. My relatives have requested that I remove certain personal information from his websites and online journal, primarily home phone number, family name, and the like.

To this end I need to access his freewebs.com account. I have his username, and know his password to be between 5 and 8 characters.

My options, as I see them, are thus.

a) install keystroke logging software on his computer

b) prolonged guessing at the login window

c) some automated form of B, which I understand is called brute force cracking.

I'm new at this.

a) isn't my first choice, because it means 5 hours driving. There is also a remote possibility he'll discover the new software.

What are my options as far as C ?

Regardless of how this turns out, he's going to have his computer removed for a good long while.

Appreciate any suggestions.

grantglock
07-07-2004, 12:15
ask him what it is

ronin_asano
07-07-2004, 12:18
asking him is the best option.

you don't want to run an attack against a server you don't own. they wouldn't take that too kindly.

G22Leon
07-07-2004, 12:23
As ronin indicated, it would not be wise to attempt to brute force his account. Personally, it would take too long, without the proper tools to do it. The keylogger is the easiest way, though you mentioned a travel issue. You could instruct the person's parents on how to install the software... How computer savvy is this 13 year old? Wise enough to notice rogue processes? Possible, but unlikely..

-Leon

gudel
07-07-2004, 12:26
any computing-advance 13-year-old will smell keylogger from a mile away.

i guess it's better if you just ask the kid. if he wouldn't give the information you seek, i guess torture is next. j/k :)

seti870
07-07-2004, 12:26
oh. That's right, it's a brute force attack. Thank you.

Well, that's right out.

He won't tell me the password. Tried the simple route.

I still need to get the personal info off the site, regardless of when he loses computer access.

I'm in this situation because his parents are not computer savvy. They can usually manage to check their e-mail, although they also have tech questions on that.

Will look into keylogging.

G22Leon
07-07-2004, 12:28
Originally posted by gudel
any computing-advance 13-year-old will smell keylogger from a mile away.

i guess it's better if you just ask the kid. if he wouldn't give the information you seek, i guess torture is next. j/k :)

lol come on!!! smell a key logger from a mile away? Only if it's like a start menu program or in the system tray. Even IT people don't check to validate every process running on a system all, unless their cpu or memory are getting whored.

-Leon

seti870
07-07-2004, 12:28
he's not particularly savvy, he's just screwing around with Yahoo/Aim/MSN messenger and free web hosting.

Shoot, his computer is still using win98.

I also suggested the parents begin beating him regularly and thoroughly... Torture, for him, is a visit to his grandma. They'll be ramping up on those, too.

nothingness
07-07-2004, 12:30
seti870
contact the webmasters of the sites and have them remove the accounts and webpages

http://www.astalavista.com/index.php?section=dir&id=39

ronin_asano
07-07-2004, 12:35
Originally posted by seti870
oh. That's right, it's a brute force attack. Thank you.

Well, that's right out.

He won't tell me the password. Tried the simple route.

I still need to get the personal info off the site, regardless of when he loses computer access.

I'm in this situation because his parents are not computer savvy. They can usually manage to check their e-mail, although they also have tech questions on that.

Will look into keylogging.

has anyone thought to ask him to remove the personal information? has anyone explained to him why it's not a good idea to have that stuff web accessible?

it sounds to be like he's rebelling because people are treating him like a little kid, rather than trying to treat him more like an adult, and reason with him.

seti870
07-07-2004, 12:39
Yes. When he was over for the 4th, I asked him to pull up his webpage. He pulled up the one he admitted to (not the journal, or others). Showed me a few things. I suggested that he take some things off, then kept BSing, introduced him to counterstrike, etc.

He did alter a few things. For example, he put my home phone number up, instead. ;a

Yes, I have tried the reasonable approach.

ronin_asano
07-07-2004, 12:51
heh.

then it sounds like the next step is to call the isp hosting the site, and work with them, as someone suggested.

David_G17
07-07-2004, 14:04
i'd go the keylogger route. instruct his parents via phone how to install one.

ronin_asano
07-07-2004, 14:07
isn't the keylogger going to treat the symptom, not the disease?

you get his password, and change this stuff, what's to stop him from changing it back?

or you change the pw once you have access, what's to stop him from setting up another account and doing the same thing?

seti870
07-07-2004, 14:13
Right now, my focus is getting things down.

His parents are giving him another lecture on 'why not to put your home address, name, and other info online'

No, this alone isn't a perfect solution. We're working on the rest, including removal of computers, I just didn't think it was all that relevant to the subject of passwords and forced access.

David_G17
07-07-2004, 14:22
Originally posted by ronin_asano
isn't the keylogger going to treat the symptom, not the disease?

you get his password, and change this stuff, what's to stop him from changing it back?

or you change the pw once you have access, what's to stop him from setting up another account and doing the same thing?

it allows you to get a list of sites which he puts information on, not just the password to one site.

SamBuca
07-07-2004, 14:43
This is illegal. You cannot "brute force" a password legally, regardless if you're a legal guardian.

Yes, there are easier ways. No, keyloggers are old technology.

Hint for you: passwords are usually stored in cookies.

Hint for you: ethereal or tcpdump.

Hint for you: kismet (for a wireless net).

ronin_asano
07-07-2004, 15:00
Originally posted by David_G17
it allows you to get a list of sites which he puts information on, not just the password to one site.

i understand what a key logger does, that wasn't the reason for my comment.

i'm saying if the site gets changed, and the kid didn't change it, then he will know someone else did, ie seti870 or the kid's parents.

so what's to prevent him from doing it again?

seti870
07-07-2004, 15:16
Ronin

In the short term, he won't have net access. He be in a position to change things.

After whatever period his parents decide upon, and he has access again, it is hoped he'll have learned his lesson, or at least confine his activities to other avenues.

Do you have any suggestion of a more effective solution?

ronin_asano
07-07-2004, 15:22
Originally posted by seti870
Ronin

In the short term, he won't have net access. He be in a position to change things.

After whatever period his parents decide upon, and he has access again, it is hoped he'll have learned his lesson, or at least confine his activities to other avenues.

Do you have any suggestion of a more effective solution?

short term:

if he refuses to give up the password, then i would try calling the freewebs people (or have the parents do it), explaining the situation and see if they will disable the account and the page. that way, the information is not displayed, and he has no way to do anything with it.

or check the cookies stored on the box as someone above suggested. the pw might be in clear text, and if so, you can get and make the necessary changes.

why is he being such an ass? but that's another thread.

seti870
07-07-2004, 15:27
Originally posted by ronin_asano

why is he being such an ass? but that's another thread.


Best as I can tell, he's 13 and thinks his life sucks; on top of that, he's bored. One section was essentially "so I'm on summer vacation from [schoolname] [static re: school]. Summer break is really boring. If you're out there, give me a call @ [home phone]"

He's a teenager. He'll grow out of it.

gudel
07-07-2004, 17:09
Summer break is really boring. If you're out there, give me a call @ [home phone]"

heh.. i was a teenager once, but i never done that! ;P
it must be the gun people blood in me that makes me paranoid.

seti870
07-07-2004, 17:14
You see why it's dumb, I see why it's dumb, his parents see why it's dumb.... now for the missing link. ;Q

nothingness
07-07-2004, 17:51
perhaps have a friend make several prank calls TO HIM in the middle of the night, early in the morning force it to be a real issue.


it is best if he just voluntarily assents, the steps below will create hostility

ethereal or tcpdump will only work if the password is sent plaintext

Make sure he's not reading THIS

so
A: install keylogger to track where he's going, passwords (keep this information, he may do it again) don't tell him you ever did this!
B: REMOVE the keylogger
C: call ISP's have accounts canceled, IP / mac address blocked...
D: remove computers from his possession
E: change your phone number
F: you could always install a hidden camera
G: make sure he doesn't have public library access
H: call his friends' parents and tell them he's not allowed to use the computers

DeadMansLife
07-09-2004, 16:24
This is real easy.

Get a few of your friends together with ski masks and (with his parents permission) kidnap and scare the hell outta him. Don't forget to thank him for the address and other personal info he provided online.

Ised8u
07-11-2004, 08:25
Originally posted by seti870
he's not particularly savvy, he's just screwing around with Yahoo/Aim/MSN messenger and free web hosting.

Shoot, his computer is still using win98.

I also suggested the parents begin beating him regularly and thoroughly... Torture, for him, is a visit to his grandma. They'll be ramping up on those, too.

The keylogger, while being "old tech", would be perfect for the 13 y/o who is only using the net for IM type functions. (2spy) is a pretty good keylogger and can be set up so that it does not show up in Start Menu and you can check it as a hidden file under its properties tab. Then go to (View>Folder Options>View)"Do Not Show Hidden Files"....of course this is with the antiquated version of Win 98SE that I have.
"SHOOT, I STILL USE WIN 98"

0100010
07-11-2004, 16:43
You could email the parents a copy of "Password Recovery Toolbox", have them run it and see if it sees the kid's password (under Network and Dial Up). All you would need is the shareware version, available for download @ http://www.rixler.com/