The ISS Internet Scanner lets you brute force by using username/password pairs specified in the file default.login.
699af6caa49e79fc9dae77eebf6a0ad59b3ec4f49adf4332551300050354acee
ISS Internet Scanner Brute Force Bug
alexander tampermeier (alex_tampermeier@HOTMAIL.COM)
Wed, 17 Feb 1999 23:54:11 PST
The Internet Scanner lets you brute force by using username/password
pairs specified in the file default.login. I specified a known
username/password pair but the scanner could not login.
The reason is that the Internet Scanner needs a carriage return after
the last username/password pair. If it finds just an EOF marker then the
password gets modified by adding an additional character.
For example the password test is modified to testo.
Alexander
alex_tampermeier@hotmail.com
--------------------------------------------------------------------------
Re: ISS Internet Scanner Brute Force Bug
David LeBlanc (dleblanc@MINDSPRING.COM)
Thu, 18 Feb 1999 17:26:49 -0500
At 11:54 PM 2/17/99 PST, alexander tampermeier wrote:
>The Internet Scanner lets you brute force by using username/password
>pairs specified in the file default.login. I specified a known
>username/password pair but the scanner could not login.
>The reason is that the Internet Scanner needs a carriage return after
>the last username/password pair. If it finds just an EOF marker then the
>password gets modified by adding an additional character.
>For example the password test is modified to testo.
I believe I fixed this several revisions ago. Although this may be
_BUG_TRAQ, the best place to report bugs in the scanner is to
support@iss.net. I'd suggest that you use vi, notepad, or some reasonable
text editor in the meantime. Just what text editor are you using?
In fact, I know I fixed this quite a while back, because I remember clearly
having to use VC++'s editor in binary mode to be able to produce a file
which would cause this problem. If you're running a recent version of the
scanner, please report which version to support@iss.net, and I'm sure we'll
get it fixed.
David LeBlanc
dleblanc@mindspring.com
--------------------------------------------------------------------------
Re: ISS Internet Scanner Brute Force Bug
David LeBlanc (dleblanc@MINDSPRING.COM)
Fri, 19 Feb 1999 09:52:20 -0500
At 10:18 AM 2/19/99 -0000, Stephen Bishop wrote:
>David,
>> I'd suggest that you use vi, notepad, or some reasonable
>> text editor in the meantime. Just what text editor are you using?
>At the risk of getting off the subject, I've come across many situations
where
>having the last line in a file without a line terminator has caused problems,
>so I think software should always be written to handle this situation. And
>even Emacs (which, otherwise, solves all life's problems) allows me to create
>a file with no line terminator at the end.
I agree. I thought the same thing when I fixed this a long time ago. I
looked at the code last night, and it looks like it is handling this
situation just fine. Since the bug does appear to be in recent builds
(somehow), the work-around would be to place either a blank line or a
comment (start the line with #) as the last line. Or simply hit the enter
key at the end of each line.
My version of vi does not allow this, hmmm - checking a few others...
Here's what I've found:
Terminates all lines:
vi (Congruent GNU port from ftp.cc.utexas - actually elvis)
Word
Wordpad
edit
edlin (and adds a ^Z)
Does NOT terminate:
notepad
copy con [file]
VC++ text editor
<joke> Moral of story - always use vi, and life is good 8-)
BTW, as a pre-emptive strike against this one, there _is_ a bug in the NT
scanner where we're not handling LF-delimited files properly. If you
happen to have created your user-password pairs under UNIX, run tr on the
file before using it in the scanner. Alternately, open it in Word and save
it back out. Notepad will NOT help - it doesn't deal with LF-delimited
files correctly either. NT's version of perl also makes this easy -
running the following script does it:
while(<>){print;}
David LeBlanc
dleblanc@mindspring.com