iss.brute.force.txt

`ISS Internet Scanner Brute Force Bug  
  
alexander tampermeier ([email protected])  
Wed, 17 Feb 1999 23:54:11 PST   
  
The Internet Scanner lets you brute force by using username/password  
pairs specified in the file default.login. I specified a known  
username/password pair but the scanner could not login.  
The reason is that the Internet Scanner needs a carriage return after  
the last username/password pair. If it finds just an EOF marker then the  
password gets modified by adding an additional character.  
For example the password test is modified to testo.  
  
Alexander  
  
[email protected]  
  
--------------------------------------------------------------------------  
  
Re: ISS Internet Scanner Brute Force Bug  
  
David LeBlanc ([email protected])  
Thu, 18 Feb 1999 17:26:49 -0500   
  
At 11:54 PM 2/17/99 PST, alexander tampermeier wrote:  
>The Internet Scanner lets you brute force by using username/password  
>pairs specified in the file default.login. I specified a known  
>username/password pair but the scanner could not login.  
>The reason is that the Internet Scanner needs a carriage return after  
>the last username/password pair. If it finds just an EOF marker then the  
>password gets modified by adding an additional character.  
>For example the password test is modified to testo.  
  
I believe I fixed this several revisions ago. Although this may be  
_BUG_TRAQ, the best place to report bugs in the scanner is to  
[email protected]. I'd suggest that you use vi, notepad, or some reasonable  
text editor in the meantime. Just what text editor are you using?  
  
In fact, I know I fixed this quite a while back, because I remember clearly  
having to use VC++'s editor in binary mode to be able to produce a file  
which would cause this problem. If you're running a recent version of the  
scanner, please report which version to [email protected], and I'm sure we'll  
get it fixed.  
  
  
David LeBlanc  
[email protected]  
  
--------------------------------------------------------------------------  
  
Re: ISS Internet Scanner Brute Force Bug  
  
David LeBlanc ([email protected])  
Fri, 19 Feb 1999 09:52:20 -0500   
  
At 10:18 AM 2/19/99 -0000, Stephen Bishop wrote:  
>David,  
  
>> I'd suggest that you use vi, notepad, or some reasonable  
>> text editor in the meantime. Just what text editor are you using?  
  
>At the risk of getting off the subject, I've come across many situations  
where  
>having the last line in a file without a line terminator has caused problems,  
>so I think software should always be written to handle this situation. And  
>even Emacs (which, otherwise, solves all life's problems) allows me to create  
>a file with no line terminator at the end.  
  
I agree. I thought the same thing when I fixed this a long time ago. I  
looked at the code last night, and it looks like it is handling this  
situation just fine. Since the bug does appear to be in recent builds  
(somehow), the work-around would be to place either a blank line or a  
comment (start the line with #) as the last line. Or simply hit the enter  
key at the end of each line.  
  
My version of vi does not allow this, hmmm - checking a few others...  
  
Here's what I've found:  
Terminates all lines:  
vi (Congruent GNU port from ftp.cc.utexas - actually elvis)  
Word  
Wordpad  
edit  
edlin (and adds a ^Z)  
  
Does NOT terminate:  
notepad  
copy con [file]  
VC++ text editor  
  
<joke> Moral of story - always use vi, and life is good 8-)  
  
BTW, as a pre-emptive strike against this one, there _is_ a bug in the NT  
scanner where we're not handling LF-delimited files properly. If you  
happen to have created your user-password pairs under UNIX, run tr on the  
file before using it in the scanner. Alternately, open it in Word and save  
it back out. Notepad will NOT help - it doesn't deal with LF-delimited  
files correctly either. NT's version of perl also makes this easy -  
running the following script does it:  
  
while(<>){print;}  
  
  
David LeBlanc  
[email protected]  
`