RE: PEN Testing a everchanging realm in apache
From: John_Leitch@NAI.com
Date: 05/30/02
From: John_Leitch@NAI.com
To: vladimir@arobas.net, John_Leitch@NAI.com
Date: Thu, 30 May 2002 10:53:00 +0200
Hi,
Thanks for that but the ever changing realm is as follows.....
When a connection is established to the server and you are presented with a
login prompt the realm is different every time. It's almost like the server
has / is using /dev/random to assign the realm so it's never the same.
-----Original Message-----
From: Vladimir Parkhaev [mailto:vladimir@arobas.net]
Sent: 29 May 2002 23:11
To: John_Leitch@NAI.com
Cc: pen-test@securityfocus.com
Subject: Re: PEN Testing a everchanging realm in apache
Quoting John_Leitch@NAI.com (John_Leitch@NAI.com):
> Using the latest apache / ssl.
>
> I need to find a way of brute forcing the auth but........ the web server
> has an ever changing realm.
>
> Is this possible or shall I look elsewhere ?
>
> Regards
>
I am not sure what you mean by "ever changing realm", but you can adapt
the following Perl code to brute force your way in. You need to install
the Crypt::SSLeay module, a dictionary, a loop and ... pretty much it...
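#!/usr/bin/perl -w
use strict;
use LWP::UserAgent;   # HTTPS support needs Crypt::SSLeay installed
use HTTP::Request;

my $ua  = LWP::UserAgent->new;
my $req = HTTP::Request->new(POST => 'https://server.domain.com/');
# Attach an HTTP Basic Authorization header (user, password)
$req->authorization_basic('foo', 'bar');
my $res = $ua->request($req);
# Print the body on success, otherwise the HTTP status line
print $res->is_success ? $res->content : $res->status_line, "\n";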
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
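Seen from the server side, the password guessing discussed in this thread shows up in the Apache access log as a run of 401 responses that carry attempted user names. The following is an added example, not part of the original messages: a small detector run over constructed log lines, assuming the common/combined log format; the function names, threshold and window are illustrative choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (host, user, timestamp, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), m.group("user"), ts, int(m.group("status"))

def find_auth_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each client with >= threshold named 401s inside `window` to the users it tried."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        # A 401 with user "-" is the normal first request sent without credentials.
        if rec is None or rec[3] != 401 or rec[1] == "-":
            continue
        failures[rec[0]].append((rec[2], rec[1]))
    flagged = {}
    for host, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = sorted({user for _, user in events})
                break
    return flagged

# Constructed sample log (documentation addresses, invented user names).
SAMPLE_LOG = [
    '198.51.100.20 - - [30/May/2002:10:00:01 +0200] "GET / HTTP/1.1" 401 401',
    '198.51.100.20 - alice [30/May/2002:10:00:09 +0200] "GET / HTTP/1.1" 200 5120',
] + [
    f'203.0.113.7 - {u} [30/May/2002:10:01:{i:02d} +0200] "POST / HTTP/1.0" 401 401'
    for i, u in enumerate(["admin", "root", "test", "admin", "guest", "www"])
]

if __name__ == "__main__":
    print(find_auth_guessing(SAMPLE_LOG))
```

Apache's own documentation notes that the user field on a 401 response is unauthenticated input, so treat the reported names as what the client claimed, not as valid accounts.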