ISS Internet Scanner Brute Force Bug alexander tampermeier (alex_tampermeier@HOTMAIL.COM) Wed, 17 Feb 1999 23:54:11 PST The Internet Scanner lets you brute force by using username/password pairs specified in the file default.login. I specified a known username/password pair but the scanner could not login. The reason is that the Internet Scanner needs a carriage return after the last username/password pair. If it finds just an EOF marker then the password gets modified by adding an additional character. For example the password test is modified to testo. Alexander alex_tampermeier@hotmail.com -------------------------------------------------------------------------- Re: ISS Internet Scanner Brute Force Bug David LeBlanc (dleblanc@MINDSPRING.COM) Thu, 18 Feb 1999 17:26:49 -0500 At 11:54 PM 2/17/99 PST, alexander tampermeier wrote: >The Internet Scanner lets you brute force by using username/password >pairs specified in the file default.login. I specified a known >username/password pair but the scanner could not login. >The reason is that the Internet Scanner needs a carriage return after >the last username/password pair. If it finds just an EOF marker then the >password gets modified by adding an additional character. >For example the password test is modified to testo. I believe I fixed this several revisions ago. Although this may be _BUG_TRAQ, the best place to report bugs in the scanner is to support@iss.net. I'd suggest that you use vi, notepad, or some reasonable text editor in the meantime. Just what text editor are you using? In fact, I know I fixed this quite a while back, because I remember clearly having to use VC++'s editor in binary mode to be able to produce a file which would cause this problem. If you're running a recent version of the scanner, please report which version to support@iss.net, and I'm sure we'll get it fixed. David LeBlanc dleblanc@mindspring.com -------------------------------------------------------------------------- Re: ISS Internet Scanner Brute Force Bug David LeBlanc (dleblanc@MINDSPRING.COM) Fri, 19 Feb 1999 09:52:20 -0500 At 10:18 AM 2/19/99 -0000, Stephen Bishop wrote: >David, >> I'd suggest that you use vi, notepad, or some reasonable >> text editor in the meantime. Just what text editor are you using? >At the risk of getting off the subject, I've come across many situations where >having the last line in a file without a line terminator has caused problems, >so I think software should always be written to handle this situation. And >even Emacs (which, otherwise, solves all life's problems) allows me to create >a file with no line terminator at the end. I agree. I thought the same thing when I fixed this a long time ago. I looked at the code last night, and it looks like it is handling this situation just fine. Since the bug does appear to be in recent builds (somehow), the work-around would be to place either a blank line or a comment (start the line with #) as the last line. Or simply hit the enter key at the end of each line. My version of vi does not allow this, hmmm - checking a few others... Here's what I've found: Terminates all lines: vi (Congruent GNU port from ftp.cc.utexas - actually elvis) Word Wordpad edit edlin (and adds a ^Z) Does NOT terminate: notepad copy con [file] VC++ text editor Moral of story - always use vi, and life is good 8-) BTW, as a pre-emptive strike against this one, there _is_ a bug in the NT scanner where we're not handling LF-delimited files properly. If you happen to have created your user-password pairs under UNIX, run tr on the file before using it in the scanner. Alternately, open it in Word and save it back out. Notepad will NOT help - it doesn't deal with LF-delimited files correctly either. NT's version of perl also makes this easy - running the following script does it: while(<>){print;} David LeBlanc dleblanc@mindspring.com