[WEB SECURITY] Brute Force authentication attack

Joseph Peloquin jpelo1 at jcpenney.com
Wed Jul 5 13:41:46 EDT 2006


Ahh, I see.  Judging by the FAQ, I reckon it's never been available for download, and s/he may be holding out for someone to pay them for the "code".

Note, also, their test domain has expired (this is supposed to be where you can see it _in action_):
mailto:info at whois-help.info?Subject=Inquiring about the domain 'pwntcha.net', with status: Expired

Intrigued by this thread, I waded through the few results on Google, and although many people are talking about it like gospel, I don't see anyone else actually using the tool.

Cheers,
Joey

|-----Original Message-----
|From: skarvin [mailto:skarvin at gmail.com] 
|Sent: Wednesday, July 05, 2006 10:29 AM
|To: Joseph Peloquin
|Cc: Mark Mcdonald; websecurity at webappsec.org
|Subject: Re: [WEB SECURITY] Brute Force authentication attack
|
|I see the link, but in this page I can't see any link to 
|download the project and test it.
|
|See you!
|
|
|On 7/5/06, Joseph Peloquin <jpelo1 at jcpenney.com> wrote:
|
|	I see the link fine .. Maybe it was the slashdotting the author speaks of on his homepage *shrug*.
|	
|	Try: http://sam.zoy.org/pwntcha/
|	
|	Joey
|	
|	|-----Original Message-----
|	|From: skarvin [mailto:skarvin at gmail.com]
|	|Sent: Wednesday, July 05, 2006 9:35 AM 
|	|To: Mark Mcdonald
|	|Cc: websecurity at webappsec.org
|	|Subject: Re: [WEB SECURITY] Brute Force authentication attack
|	|
|	|Hi,
|	|
|	|I can't see any download link, are you sure that this project 
|	|isn't a hoax? Have you tested it, piltrafilla?
|	|
|	|
|	|
|	|
|	|On 7/3/06, Mark Mcdonald < mmcdonald at staff.iinet.net.au> wrote:
|	|
|	|
|	|
|	|       You'd be surprised how easy it is to defeat most captchas...
|	|
|	|
|	|
|	|       PWNtcha can defeat heaps of common systems found on the net.
|	|
|	|       http://sam.zoy.org/pwntcha/
|	|
|	|
|	|
|	|
|	|
|	|
|	|________________________________ 
|	|
|	|
|	|       From: skarvin [mailto:skarvin at gmail.com]
|	|       Sent: Saturday, July 01, 2006 3:39 PM
|	|       To: Chris Weber
|	|       Cc: Jeremiah Grossman; Web Security 
|	|       Subject: Re: [WEB SECURITY] Brute Force authentication attack
|	|
|	|
|	|
|	|       Hi,
|	|
|	|       If you use a very simple captcha, maybe you'll be
|	|vulnerable to brute force attacks by OCR techniques. 
|	|
|	|
|	|       On 6/30/06, Chris Weber <chris at lookout.net> wrote:
|	|       > True is that.  Also "Human Interactive Proof" or HIP,
|	|CAPTCHA being more
|	|       > common, I think.
|	|       >
|	|       > -----Original Message-----
|	|       > From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com]
|	|       > Sent: Friday, June 30, 2006 1:33 PM
|	|       > To: Web Security
|	|       > Subject: Re: [WEB SECURITY] Brute Force authentication attack
|	|       >
|	|       > We all get those from time to time. :) 
|	|       >
|	|       > CAPTCHA
|	|       > "completely automated public Turing test to tell
|	|computers and humans apart"
|	|       >
|	|       > On Jun 30, 2006, at 10:41 AM, Schmidt, Albert E wrote:
|	|       >
|	|       > > I am definitely having a senior moment.  Can
|	|anybody please tell me
|	|       > > what it is called when you have to enter a code
|	|displayed in a picture
|	|       > > when authenticating?  I know this is a control 
|	|against brute force
|	|       > > hacking, but for the life of me I cannot remember
|	|what it is called.
|	|       > >
|	|       > >
|	
||--------------------------------------------------------------
|-------- 
|	|       > > ------
|	|       > > The Web Security Mailing List:
|	|       > > http://www.webappsec.org/lists/websecurity/
|	|       > > 
|	|       > > The Web Security Mailing List Archives:
|	|       > > http://www.webappsec.org/lists/websecurity/archive/
|	|       > > 
|http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
|	|       > >
|	|       >
|	|       >
|	|       >
|	
|	|
|	|
|	|
|	|       --
|	|       Un saludo,
|	|
|	|       skarvin
|	|       skarvin.blogspot.com <http://skarvin.blogspot.com>
|	|
|	|
|	|
|	|
|	|--
|	|Un saludo,
|	|
|	|Isidro Catalán
|	|skarvin.blogspot.com
|	|
|	
|	
|	
|	
|	
|
|
|
|
|--
|Un saludo,
|
|Isidro Catalán
|skarvin.blogspot.com <http://skarvin.blogspot.com>
|