Saturday, August 10, 2013

OpenSSH Time Brute Force

In 2006, a bug report was filed about timing-based brute forcing of OpenSSH. However, the OpenSSH developers stated that it was not a bug and that they would not fix it.

When an attacker tries to brute force an OpenSSH account, s/he submits a very long password (such as 39,000 in length). When the account name exists, the response is delayed much longer than it is for a non-existing account, so the response time reveals which account names are valid.

TurboBorland developed Proof-of-Concept (PoC) code for this purpose.

He stated that he could not test it successfully on a local network, but that it works perfectly over the internet. However, I did not test it myself. If you are interested in it, you can try it.

If the target runs Fail2ban, you can try to slow down the attack timing in order to avoid being blocked or banned.
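From the defender's side, slow pacing of this kind slips under a rate-based ban, but it still leaves one source trying many different account names in the sshd log. The following is an added example, not code from the original post or from TurboBorland's PoC: it compares a rate rule with a distinct-username rule over constructed log lines, and the thresholds, addresses and year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines: one source tries a new name every 15 minutes,
# another sends a quick burst of failures for a single account.
NAMES = ["admin", "oracle", "backup", "deploy", "git", "nagios", "postgres", "test"]
SAMPLE_LOG = [
    f"Aug 10 {1 + i // 4:02d}:{15 * (i % 4):02d}:00 host sshd[100]: Failed password "
    f"for invalid user {u} from 203.0.113.5 port 40000 ssh2" for i, u in enumerate(NAMES)
] + [
    f"Aug 10 03:00:{s:02d} host sshd[101]: Failed password for root "
    f"from 198.51.100.7 port 40001 ssh2" for s in range(0, 60, 10)
]
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (invalid user )?(\S+) from (\S+) port")

def parse(lines, year=2013):
    """Return sorted (time, source_ip, username) tuples; syslog omits the year."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(4), m.group(3)))
    return sorted(events)

def burst_sources(events, maxretry=5, findtime=timedelta(minutes=10)):
    """Rate rule: sources with maxretry failures inside any findtime window."""
    per_ip = defaultdict(list)
    for ts, ip, _ in events:
        per_ip[ip].append(ts)
    return {ip for ip, t in per_ip.items()
            if any(t[i + maxretry - 1] - t[i] <= findtime
                   for i in range(len(t) - maxretry + 1))}

def enumeration_sources(events, min_users=5, window=timedelta(hours=24)):
    """Breadth rule: sources that tried min_users distinct names within window."""
    per_ip = defaultdict(list)
    for ts, ip, user in events:
        per_ip[ip].append((ts, user))
    return {ip for ip, seen in per_ip.items()
            if any(len({u for ts, u in seen[i:] if ts - seen[i][0] <= window}) >= min_users
                   for i in range(len(seen)))}

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("rate rule flags:   ", burst_sources(ev))
    print("breadth rule flags:", enumeration_sources(ev))
```

On the sample data the rate rule sees only the burst source, while the breadth rule flags the slow source that the rate rule misses.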

That's all! See you.