Quote:
Originally posted by kÿ®ëë
and with most of the programs running brute force...you can adjust what server replies are hits and what are not...making them adaptable for the site
Kyree
|
Quite true. Thus, only someone with a successful login can know exactly the HTML that will be returned by a successful login. With some creative scripting, I can make sure that each valid account gets a unique yet perfectly valid looking "main" page after login. Since each account thus has it's own unique "main" page that is created with a credit card, testing crack attempts by returning those rotated unique looking pages (but non-functional since I'm tracking a bogus login behind the scenes), I can track the crack attempt by credit card number (any bogus name/pass that is used in that attempt is in my database... if it's used again, we have a hit by a cracker who thought it was valid). How many links deep do you want to test for? Depends on how long you want your proxy to stay up, and how big my database is
BTW, why did you think that the original post's solution, returning HTML, would only fool a browser and not a script? Same thing to both of them (bogus login is an error and is obvious to both).
BTW2, It sounded like you mainly exploited security flaws to gain root, not cracking to get user/pass. Personally, I'm more worried about those security flaws than massive proxy crack attacks.