Another reason not to use sudo?
John
dingo at coco2.arach.net.au
Tue Nov 23 17:56:23 UTC 2004
Hudson Delbert J Contr 61 CS/SCBN wrote:
>
> almost no one will know the root password, if YOU dont tell it.
So you've not heard of a dictionary attack?
Let's say I want to take over some computers. I'm not fussy which.
I compile a list of likely accounts. Maybe
root
admin
guest
john
jason
I compile a list of common passwords.
dog
cat
toor
betty
rover
puss
george
georgew
bush
tony
tonyblair
A few hundred maybe. Doesn't have to be a lot. I might also try some
character changes 'o' to '0' and such, and some capitalisations.
I compile a list of IP addresses.
I rotate over them trying to login to each of the hosts as each of the
users with each of the passwords.
If I have a moderately large list of IP addresses and rotate over those
most quickly, I might not trigger alarms with lots of failed attempts.
I might try ssh logins (as happened to me), imap pop3 and telnet. A mate
reports a brand of ADSL router has telnet open to the Internet by
default. That could be fun.
It happens this list would crack some of my test machines:-)
Getting into an arbitrary computer might be difficult, but find _a_
computer that's not secured well isn't so difficult and if you allow
logins with passwords, your password is in my dictionary and you're
accessible via the Internet then the only further requirement is for me
to test the door.
More information about the ubuntu-users
mailing list