Open Source is a great idea and it has changed the world!
Open Source forever ....
While you do not know attack, how can you know about defense? (未知攻,焉知防?)
Do BAD things .... for the RIGHT reasons -- OWASP ZAP
It is easier to port a shell than a shell script. -- Larry Wall
Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris. -- Larry Wall
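To ordain conscience for Heaven and Earth, to secure life and fortune for the people, to continue the lost teachings of past sages, to establish peace for all future generations. -- 王炜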
Saturday, August 10, 2013
OpenSSH Time Brute Force
In 2006, a bug report was filed about timing-based brute forcing of OpenSSH. However, the OpenSSH developers stated that it was not a bug and that they would not fix it.
When an attacker tries to brute force an OpenSSH account, s/he submits a very long password (such as one 39,000 in length). When the account name exists, the response is delayed far longer than it is for a non-existing account.
TurboBorland developed Proof-of-Concept (PoC) code for this purpose.
He stated that he could not test it successfully on the local network but that it works perfectly over the internet. However, I did not test it myself. If you are interested in it, you can try.
If the target has Fail2ban deployed, you can try to delay the attack timing in order to avoid being blocked or banned.
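On the defensive side, the delay described above goes away when a login handler does the same password work whether or not the account exists and refuses oversized passwords up front. The following is an added example, not code from OpenSSH or from the PoC: a simplified model in which `login_leaky`, `login_hardened`, `work_for`, the account store and the 1024-byte cap are all assumptions made for illustration.

```python
import hashlib
import hmac

ITERATIONS = 1_000        # kept low so the demo runs fast; real systems use far more
MAX_PASSWORD_LEN = 1024   # assumed cap; choose a limit that suits your deployment
hashed_lengths = []       # instrumentation: length of every password sent to the KDF


def kdf(password: bytes, salt: bytes) -> bytes:
    hashed_lengths.append(len(password))
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


# Constructed account store: username -> (salt, stored hash)
USERS = {"alice": (b"salt-alice", kdf(b"correct horse", b"salt-alice"))}
# Dummy record hashed with the same algorithm and cost as real accounts
DUMMY = (b"salt-dummy", kdf(b"no such user", b"salt-dummy"))
hashed_lengths.clear()


def login_leaky(user: str, password: bytes) -> bool:
    """Returns early for unknown users, so only real accounts pay for the hash."""
    record = USERS.get(user)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(kdf(password, salt), stored)


def login_hardened(user: str, password: bytes) -> bool:
    """Same KDF work for every request; oversized passwords are rejected first."""
    if len(password) > MAX_PASSWORD_LEN:
        return False  # rejected before any per-account work is done
    record = USERS.get(user)
    salt, stored = record if record is not None else DUMMY
    ok = hmac.compare_digest(kdf(password, salt), stored)
    return ok and record is not None  # a match on the dummy record never logs in


def work_for(login, user: str, password: bytes) -> int:
    """Bytes fed to the KDF while handling one login attempt."""
    hashed_lengths.clear()
    login(user, password)
    return sum(hashed_lengths)
```

`work_for` counts bytes hashed instead of measuring wall-clock time, so the difference between the two handlers shows up deterministically: the leaky handler hashes the long password only for the existing account, while the hardened one does identical work for both.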
That's all! See you.