
Thread: Mysterious Username Bruteforcing/Injection

  1. #1 Just burned his ISO (Santa Cruz, CA; joined Apr 2010; 2 posts)

    Mysterious Username Bruteforcing/Injection

    Hello all,

    I administer the computer network at a local high school. We have a wireless network that users log on to with their Windows accounts; it is encrypted with WPA2-Enterprise and authenticates users against Active Directory. This is all managed by a brand new server running Windows Server 2008 R2. Recently, we appear to have experienced an attack of some sort, and what it left in the logs does not make any sense to me. The usernames of attempted logins are recorded, and some very unusual things were tried. First of all, the attack seemed to target the account of another administrator, whose username is "jsmith" (changed to protect privacy). The following attempts were logged:

    w3gkjs
    w3gkjsmi
    w3gkjsmit
    w3gkjsmith
    3gkjsmith
    gkjsmith
    kjsmith
    jsmith <--when it got here, it successfully authenticated.

    Furthermore, more logins were attempted with the following "usernames":

    random
    generate_random
    timestamp+router / access / alter / =>= + 03:00:00
    <windowsvista> /delete/ path / type / records / delete

    Those look like attempts at command injection to me, but I've never heard of any sort of injection vulnerabilities with wireless authentication.

    Has anybody heard of an attack that would make these usernames make sense? Could passwords somehow be determined by trying mutations of a username? If you have any ideas about a pattern that could connect these logins, please let me know.

    Thank you very much!
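The sequence in the post (a run of denied logons with mutated usernames from one client, then a granted logon for the real name) is exactly the shape a log review should catch. The script below is an added example, not something from the thread: it parses constructed sample lines in a made-up `date time client-ip username result` format (on a 2008 R2 NPS the real records are Security log events 6272 "granted" / 6273 "denied" and would be exported first), using the usernames the post lists but invented timestamps and client IPs, and reports every success that was preceded by a burst of distinct failed usernames from the same client, noting which failed names look like mutations of the one that finally worked.

```python
"""Flag a run of failed logons with mutated usernames that ends in a success.

Added example, not from the forum thread. The log format is constructed for
this example; client IPs and times are made up, the usernames are the ones
the original post lists. Usernames may contain spaces (the post shows
"timestamp+router / access / alter"), so the result column is split off
from the right, not the left.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: <date> <time> <client-ip> <username ...> <GRANTED|DENIED>
SAMPLE_LOG = """\
2010-09-09 08:01:00 10.0.5.22 mjones GRANTED
2010-09-09 08:03:10 10.0.5.22 mjones DENIED
2010-09-09 08:03:30 10.0.5.22 mjones GRANTED
2010-09-09 21:14:02 10.0.5.21 w3gkjs DENIED
2010-09-09 21:14:03 10.0.5.21 w3gkjsmi DENIED
2010-09-09 21:14:05 10.0.5.21 w3gkjsmit DENIED
2010-09-09 21:14:06 10.0.5.21 w3gkjsmith DENIED
2010-09-09 21:14:08 10.0.5.21 3gkjsmith DENIED
2010-09-09 21:14:09 10.0.5.21 gkjsmith DENIED
2010-09-09 21:14:11 10.0.5.21 kjsmith DENIED
2010-09-09 21:14:12 10.0.5.21 jsmith GRANTED
2010-09-09 21:20:40 10.0.5.21 random DENIED
2010-09-09 21:20:41 10.0.5.21 generate_random DENIED
2010-09-09 21:20:43 10.0.5.21 timestamp+router / access / alter DENIED
"""


@dataclass(frozen=True)
class Attempt:
    when: datetime
    client: str
    user: str
    granted: bool


@dataclass
class Finding:
    client: str
    user: str               # the name that finally authenticated
    granted_at: datetime
    failures: list[str]     # distinct failed usernames in the window before it
    variants: list[str]     # the subset that look like mutations of `user`


def parse_log(text: str) -> list[Attempt]:
    """Parse the constructed format; result is the last field, username is the rest."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, result = line.rsplit(maxsplit=1)
        date, time, client, user = head.split(maxsplit=3)
        attempts.append(Attempt(datetime.fromisoformat(f"{date} {time}"),
                                client, user, result == "GRANTED"))
    return sorted(attempts, key=lambda a: a.when)


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest substring shared by a and b (classic DP)."""
    best, prev = 0, [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def looks_like_variant(candidate: str, target: str, min_overlap: int = 4) -> bool:
    """A failed name sharing a 4+ character run with the granted name is a likely mutation.
    Windows usernames are case-insensitive, so compare lowercased."""
    c, t = candidate.lower(), target.lower()
    return c != t and longest_common_substring(c, t) >= min_overlap


def find_bruteforce_then_success(attempts: list[Attempt],
                                 window: timedelta = timedelta(minutes=5),
                                 min_failures: int = 3) -> list[Finding]:
    """For each granted logon, collect distinct failed usernames from the same
    client within `window` before it; report when there are at least `min_failures`.
    A single mistyped password (one failed name) does not trigger."""
    findings = []
    for i, a in enumerate(attempts):
        if not a.granted:
            continue
        failed = [p.user for p in attempts[:i]
                  if p.client == a.client and not p.granted and a.when - p.when <= window]
        distinct = list(dict.fromkeys(failed))     # de-duplicate, keep order
        if len(distinct) >= min_failures:
            variants = [u for u in distinct if looks_like_variant(u, a.user)]
            findings.append(Finding(a.client, a.user, a.when, distinct, variants))
    return findings


if __name__ == "__main__":
    for f in find_bruteforce_then_success(parse_log(SAMPLE_LOG)):
        print(f"{f.granted_at} {f.client}: {f.user} granted after "
              f"{len(f.failures)} failed names, {len(f.variants)} of them variants: {f.variants}")
```

With the sample data this reports the one `jsmith` success at 21:14:12 with seven preceding failed names, six of which share at least four characters with `jsmith` (`w3gkjs` shares only `js`); the two `mjones` logons, one of which follows a single failure, produce nothing. The later `random` / `generate_random` lines are after the success and are not counted, which is the usual weakness of a success-anchored rule: a separate count of distinct failed names per client per hour is worth running alongside it.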

  2. #2 Archangel-Amael, Super Moderator (joined Jan 2010; 8,012 posts)

    Re: Mysterious Username Bruteforcing/Injection

    Yes, passwords can sometimes be derived from a username. As an example, I have a username of JSmith, and since I am human and forgetful and the admin said to make my password complex using numbers and special characters, I chose JSmith123! < That is a common occurrence.
    For more on this look at:
    Passwords - Skull Security < loads of lists with bad choices.
    What’s My Pass? » The Top 500 Worst Passwords of All Time < The top 500

    As for your situation, it appears as if someone is trying to brute-force their way into your network (or may have already done so).
    My advice, if you don't know what you are doing with regard to penetration testing and digital forensics, is that it would be best to find a consultant in your area to help you out.
    You would probably want to take your network down in order to isolate the issue, then fix, patch, update and/or remove it.
    Having said that, there are many variables that come into play, such as what actually happened (an actual breach or only attempted ones, full network compromise) and costs, both perceived and real, in terms of account info, productivity time lost, etc.
    Also understand that if you want to do some sort of investigation for potential criminal proceedings, then you or anyone else (who is not a qualified forensics expert) messing around on the network at this point could invalidate any evidence in a court of law.
    I could go on, but some of our other experts will likely chime in to offer more information.
    Last edited by Archangel-Amael; 09-10-2010 at 10:16 AM.
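The JSmith / JSmith123! pattern above is what username-based wordlist generators produce. The script below is an added example, not code from the post or the forum: it builds a small set of username-derived candidates (case, leet-speak and suffix mutations; the rules are an illustrative subset of what real wordlist tools do) and runs each through a reimplementation of Microsoft's documented default "password must meet complexity requirements" rule (at least three of the character categories, and the password may not contain the samAccountName or any token of three or more characters from the display name, case-insensitively). The account name `jsmith`, display name `John Smith`, the suffix list and the 7-character minimum are placeholders. The point it makes is which of these guesses a default domain policy actually lets through.

```python
"""Username-derived password candidates vs. the default AD complexity filter.

Added example, not from the forum thread. Mutation rules are a small
illustrative subset of what wordlist tools do. The complexity check follows
Microsoft's documented default rule; the fifth category (Unicode alphabetic
characters that are neither upper nor lower case) is omitted here.
Names, suffixes and the minimum length are placeholders.
"""
from __future__ import annotations

import re

# Delimiters the default filter uses to split the display name into tokens.
DELIMS = re.compile(r"[,.\-_ #\t]")

# Leet substitutions on lowercase letters only (so "Smith" -> "Sm1th").
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})

# Placeholder suffixes of the kind people append to satisfy "numbers and specials".
SUFFIXES = ["", "1", "123", "1234", "!", "123!", "2010", "2010!"]


def display_name_tokens(display_name: str) -> list[str]:
    """Display-name tokens of 3+ characters that a password may not contain."""
    return [t.lower() for t in DELIMS.split(display_name) if len(t) >= 3]


def meets_default_complexity(password: str, sam_account_name: str,
                             display_name: str = "", min_length: int = 7) -> bool:
    """Default Windows complexity rule (3 of 4 categories here), plus the
    account-name / display-name-token exclusion, plus a minimum length."""
    pw = password.lower()
    if len(password) < min_length:
        return False
    # samAccountName shorter than 3 characters is not checked by the filter.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in pw:
        return False
    if any(tok in pw for tok in display_name_tokens(display_name)):
        return False
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(categories) >= 3


def base_words(sam_account_name: str, display_name: str) -> list[str]:
    """Case and leet variants of the account name and each display-name word."""
    out: list[str] = []
    for w in [sam_account_name, *display_name.split()]:
        w = w.lower()
        out += [w, w.capitalize(), w.upper(), w.translate(LEET), w.capitalize().translate(LEET)]
    return list(dict.fromkeys(out))        # de-duplicate, keep order


def candidates(sam_account_name: str, display_name: str) -> list[str]:
    """Every base word combined with every suffix."""
    return [w + s for w in base_words(sam_account_name, display_name) for s in SUFFIXES]


def policy_survivors(sam_account_name: str, display_name: str) -> list[str]:
    """Candidates the default complexity policy would have accepted."""
    return [c for c in candidates(sam_account_name, display_name)
            if meets_default_complexity(c, sam_account_name, display_name)]


if __name__ == "__main__":
    for p in ["JSmith123!", "Smith123!", "J$m1th123!"]:
        print(f"{p:12} accepted={meets_default_complexity(p, 'jsmith', 'John Smith')}")
    print("policy survivors:", policy_survivors("jsmith", "John Smith"))
```

Run as-is, `JSmith123!` and `Smith123!` are rejected by the name exclusion, while `J$m1th123!`, `Sm1th2010!` and `J0hn2010!` pass every check: the default filter stops the literal name but not its leet-speak relatives, which is exactly the set a cracker's mutation rules produce next. A banned-password list or a password filter DLL is what closes that gap, not the built-in complexity setting.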

  3. #3 g3ksan, Junior Member (Florida; joined Jan 2010; 93 posts)

    Re: Mysterious Username Bruteforcing/Injection

    It sounds like one of the kids at your school discovered some tools on the internet and wanted to impress their friends. It looks like they tried to use a tool and did not configure it properly, which explains why you see that weird username combination.

    Archangel-Amael covered most of it (that's why he's a supermod). If you haven't already done it, change that password.

    From an investigative/law enforcement point of view, you need to make sure you keep logs intact. Don't mess around too much; like Archangel-Amael said, you or your employees messing around with things too much can destroy the integrity of evidence. The more people that touch it, the more likely it is that the validity of the evidence will be called into question in a court of law. If you just want to find out who did it, you can either hire a consultant if you feel it's over your head, or just do it yourselves. If you want to pursue criminal charges against the individual, you are going to have to get in touch with your local law enforcement; if they don't have a computer crimes division, they can escalate as needed to either the California Department of Law Enforcement or the FBI.

    Can't think of much else at the moment because work distracted me, but if I think of anything I'll pipe up.
    Last edited by g3ksan; 09-10-2010 at 02:46 PM. Reason: cleaned up

  4. #4 Just burned his ISO (Santa Cruz, CA; joined Apr 2010; 2 posts)

    Re: Mysterious Username Bruteforcing/Injection

    Thanks for your input, guys. Fortunately, I'm not going to have to pursue criminal charges or anything; I know who did it and we have talked. I have some background in infosec circles, so I think I can handle the situation competently; I just wanted to see if anyone could tell which tool they (tried to) use. I know for a fact that the perpetrator is most definitely in the script kiddie category.
