Brute Force

The Brute Force scan tries to find open default accounts by trying guessable account name and password pairs. If the scanner finds an open default account, it is important to properly correct the vulnerability. An example default is sync, a common account name for SunOS and other UNIX flavors. Typically, this access reveals only additional information about the type and version number of the operating system and displays the Message of the Day (MOTD). By itself, this is normally not a severe risk. However, certain FTP packages can allow a user to log in as sync and steal the password file.

Other software packages may not do a proper check for account access, opening up security vulnerabilities with non-password-protected accounts such as sync. The sync account with no password can become a security vulnerability: someone with a regular account on that host can divert the sync account (on systems with runtime linked libraries). The saboteur changes the LD_LIBRARY_PATH variable to point at a library of his own devising, then runs login or su to gain another user's privileges and ultimately become root.

All accounts, including the sync account, should have non-trivial passwords. If login access to these accounts is not needed, it should be removed or disabled by placing * (an asterisk) in the password field, and the string /bin/false in the shell field in /etc/passwd. For example, the /etc/passwd entry for a disabled guest account should resemble the following:

guest:*:2311:50:Guest User:/home/guest:/bin/false
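An added example, not part of the original scanner documentation: a small Python audit that parses /etc/passwd-style entries and reports accounts that are unprotected (empty password field) or only half disabled (locked password but usable shell, or disabled shell but unlocked password). The sample entries are constructed; accepting "!" as a lock prefix and the nologin shells alongside /bin/false is an assumption based on later UNIX conventions.

```python
"""Audit /etc/passwd entries for accounts that are not properly disabled."""
from dataclasses import dataclass

# Constructed sample in /etc/passwd format (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
sync::1:1:sync:/bin:/bin/sync
guest:*:2311:50:Guest User:/home/guest:/bin/false
daemon:*:1:1:daemon:/:/bin/sh
ftp::14:50:Anonymous FTP:/home/ftp:/bin/sh
uucp:Np1xk9Qr2abc:4:8:uucp:/var/spool/uucp:/bin/false
"""

# Assumptions: "*" is the lock marker from the text; "!" and the nologin
# shells are later conventions added so the check also covers modern hosts.
LOCKED_PREFIXES = ("*", "!")
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd lines (name:pw:uid:gid:gecos:home:shell), skipping blanks/comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(text):
    """Return (account, issue) pairs for entries that are unprotected or half disabled."""
    findings = []
    for e in parse_passwd(text):
        pw_locked = e.password.startswith(LOCKED_PREFIXES)
        shell_locked = e.shell in NOLOGIN_SHELLS
        if e.password == "":
            findings.append((e.name, "empty password field: login needs no password"))
        elif pw_locked and not shell_locked:
            findings.append((e.name, f"password locked but shell {e.shell} is still usable"))
        elif shell_locked and not pw_locked and e.password != "x":  # "x" means shadowed
            findings.append((e.name, "shell disabled but password field is not locked"))
    return findings
```

Entries with "x" in the password field are shadowed and are judged only by their shell, since the hash lives in /etc/shadow.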

The scanner tries to log in to the default accounts through the following services:

POP3
FTP
Telnet
Rsh
Rexec

Risk: High

Note: On some UNIX systems, if there are too many connections within a period of time, inetd turns off a service (such as Telnet) for a period of time. You can modify inetd to allow more connections for a period of time. The scanner can select how many simultaneous connections can happen within a given period to slow down the brute force attack to an acceptable level for inetd.

Fix: If any of these services are running unnecessarily, you should consider disabling them. You can also change passwords.

Brute Force Netware FTP

As the scanner tries to brute force the FTP server by trying to log in as default accounts, Novell Netware's FTP server has a memory leak that will cause the entire machine to run out of memory.

Fix: Contact Novell for a patch.

Brute Force Cisco

Default accounts allow intruders easy access to remote systems and administrative command of the device.

Risk: High

Fix: Disable account or change password.