RE: Brute force VNC crack

From: Walden H. Leverich ()
Date: Thu Aug 17 2000 - 09:28:38 EDT

    Ken,

    I'm not sure changing the encryption key would prevent brute-force attempts.
    Think of it this way:

    Using the "modified" version of VNC I tell VNC that my password is 'george'
    and this gets encrypted to 'gracie' (I know it would be a mess of hex, but
    this is easier). Your argument says that when I attempt to encrypt 'george'
    on the standard VNC viewer I won't get 'gracie' and as such I won't be able
    to issue the correct response to the challenge, and you are correct.
    However, this is a brute force attempt and at some point I am going to
    encrypt 'oldtimer' and that will be encrypted to 'gracie' and then I will be
    able to answer the server's challenge.

    Now I think your password is 'oldtimer' and your password is 'george' but it
    doesn't really matter because I have access to your machine anyway.

    -Walden

    -----Original Message-----
    From: Kenneth Foster [mailto:]
    Sent: Tuesday, August 15, 2000 5:27 PM
    To:
    Subject: RE: Brute force VNC crack

    Brute forcing of passwords will always work. There are two ways to stop
    this.

    1: Use passwords that don't show up in dictionaries. This may be more
    difficult to remember, but it makes it less likely to be cracked. The code,
    as written, uses a dictionary attack. Not quite what it says in the title
    of the crack.

    2: The other way to stop this is to change the encryption key used by your
    company and recompile your server and client tools. By changing the key no
    password, even the correct one, from a non-company VNCviewer will work. At
    least from my testing.

    Ken Foster

    -----Original Message-----
    From:
    [mailto:]On Behalf Of Ernie Oporto
    Sent: Tuesday, August 15, 2000 4:59 PM
    To:
    Subject: Brute force VNC crack

    Has anyone seen this before? Is this still true?


    ---------------------------------------------------------------------
    To unsubscribe, send a message with the line: unsubscribe vnc-list
    to
    See also:
    ---------------------------------------------------------------------

    -----------------------------------------
    TridiaVNC - http://www.tridiavnc.com/



    This archive was generated by : Thu Aug 17 2000 - 09:37:55 EDT