Re: Dial-Up Percentage Abuse

From: Rob Shein (shotenat_private)
Date: Fri Jun 07 2002 - 11:33:38 PDT

    On Fri, 2002-06-07 at 13:49, Nathan Vack wrote:
    > Chris wrote:
    > 
    > - Assume a username is known
    > - Assume the attacker knows the password to be contained in a 10,000 
    > word dictionary
    > - Assume a dial-up and password try takes 5 seconds on average
    > - Assume dialing up is free (not true in many parts of the US, at least)
    > 
    </snip lots of good math here that equate to it taking a long time to
    brute force>
    
    Or, you assume that the account's password is the same as the password
    used to retrieve POP mail from the user.  You go to the ISP's web page
    to get the name of the mail server, and use brutus to brute-force
    against the POP server instead, which saves a lot of time compared to
    dialing in repeatedly.  Furthermore, the brute force is less likely to
    be logged, as every ISP I've ever known logs phone numbers religiously.
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Jun 07 2002 - 11:58:37 PDT