Re: PEN Testing a everchanging realm in apache

From: David Litchfield (david@ngssoftware.com)
Date: 05/30/02


From: "David Litchfield" <david@ngssoftware.com>
To: <pen-test@securityfocus.com>, <John_Leitch@NAI.com>
Date: Thu, 30 May 2002 18:04:08 +0100

The Realm is of use to the client only. It tells the client that, once
authenticated, if you request anything within that realm then supply
credentials.

Here's a bit of code I hacked together to write out a Basic auth string.
Hack it around a bit more and plug it into whatever you're doing.

David Litchfield
http://www.ngssoftware.com/

#include <stdio.h>
#include <string.h>

/* Standard Base64 alphabet, indexed by the 6-bit value. */
static const char b64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

char base64up[800] = "Authorization: Basic ";

int main(int argc, char *argv[])
{
    char userid[256] = "";
    char password[256] = "";
    char string[512] = "";      /* holds "userid:password" */
    char tmp[5] = "";           /* one 4-character output group */
    char ibase64up[800] = "";   /* the encoded string */
    unsigned int holder;
    int bc = 0, len = 0, rem;

    if (argc != 3)
        return printf("%s username password\n", argv[0]);

    strncpy(userid, argv[1], 250);
    strncpy(password, argv[2], 250);

    strcpy(string, userid);
    strcat(string, ":");
    strcat(string, password);
    len = strlen(string);

    /* Encode three input bytes into four output characters at a time. */
    while (bc < len) {
        rem = len - bc;         /* bytes left for this group: 1, 2 or 3 */

        /* Pack the bytes big-endian into 24 bits; missing bytes are zero.
         * Cast to unsigned char so bytes above 0x7f do not sign-extend. */
        holder = (unsigned char)string[bc] << 16;
        if (rem > 1) holder |= (unsigned char)string[bc + 1] << 8;
        if (rem > 2) holder |= (unsigned char)string[bc + 2];

        /* Four 6-bit groups; a short final group is padded with '='. */
        tmp[0] = b64[(holder >> 18) & 0x3f];
        tmp[1] = b64[(holder >> 12) & 0x3f];
        tmp[2] = rem > 1 ? b64[(holder >> 6) & 0x3f] : '=';
        tmp[3] = rem > 2 ? b64[holder & 0x3f] : '=';
        tmp[4] = '\0';
        strcat(ibase64up, tmp);
        bc += 3;
    }

    /* 21 bytes of prefix plus the NUL leave room for 778 encoded characters. */
    strncat(base64up, ibase64up, sizeof(base64up) - strlen(base64up) - 1);
    printf("\n%s", base64up);

    return 0;
}
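Added example, not code from David's post or from Apache: the server-side counterpart of the exchange discussed in this thread. It parses the realm out of a WWW-Authenticate challenge (the value that, as noted above, matters only to the client) and strictly decodes an Authorization: Basic value back into user and password, splitting on the first colon so a password that itself contains ':' survives. The function names parse_basic_realm, base64_decode and decode_basic_credentials and the sample header values are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example (not from the original post); function names and sample values are its own. */

/* Extract the quoted realm from e.g.  WWW-Authenticate: Basic realm="Staff"
 * (quoted-pairs such as \" inside the realm are unescaped).  1 on success. */
int parse_basic_realm(const char *challenge, char *out, size_t outlen)
{
    const char *p = strstr(challenge, "realm=\"");
    size_t n = 0;
    if (p == NULL) return 0;                 /* only the quoted-string form */
    p += 7;
    while (*p != '\0' && *p != '"') {
        if (*p == '\\' && p[1] != '\0') p++; /* skip the backslash of \" or \\ */
        if (n + 1 >= outlen) return 0;
        out[n++] = *p++;
    }
    if (*p != '"') return 0;                 /* unterminated quoted-string */
    out[n] = '\0';
    return 1;
}

/* Value of one Base64 alphabet character, or -1 if not in the alphabet. */
static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Strict Base64 decode: length a multiple of 4, '=' only as the final one or
 * two characters, no other foreign bytes.  Returns decoded length or -1. */
int base64_decode(const char *in, unsigned char *out, size_t outlen)
{
    size_t len = strlen(in), i, o = 0;
    if (len == 0 || len % 4 != 0) return -1;
    for (i = 0; i < len; i += 4) {
        unsigned long bits = 0;
        int k, v, pad = 0;
        for (k = 0; k < 4; k++) {
            if (in[i + k] == '=') {
                if (i + 4 != len || k < 2) return -1;  /* '=' only at the end */
                pad++; v = 0;
            } else {
                if (pad || (v = b64val((unsigned char)in[i + k])) < 0) return -1;
            }
            bits = (bits << 6) | (unsigned long)v;
        }
        if (o + (size_t)(3 - pad) > outlen) return -1;
        out[o++] = (unsigned char)(bits >> 16);
        if (pad < 2) out[o++] = (unsigned char)(bits >> 8);
        if (pad < 1) out[o++] = (unsigned char)bits;
    }
    return (int)o;
}

/* Recover user and password from "Authorization: Basic <b64>" (header name
 * optional, scheme matched case-insensitively).  Splits on the FIRST colon so
 * a password may itself contain ':'.  Returns 1 on success, 0 if malformed. */
int decode_basic_credentials(const char *header, char *user, size_t ulen,
                             char *pass, size_t plen)
{
    unsigned char buf[512];
    const char *p = header;
    char *colon; size_t ul, pl; int i, n;
    if (strncmp(p, "Authorization:", 14) == 0) p += 14;
    while (*p == ' ' || *p == '\t') p++;
    for (i = 0; i < 5; i++)                  /* stops at first mismatch or NUL */
        if (tolower((unsigned char)p[i]) != "basic"[i]) return 0;
    p += 5;
    if (*p != ' ') return 0;
    while (*p == ' ') p++;
    n = base64_decode(p, buf, sizeof buf - 1);
    if (n <= 0 || memchr(buf, '\0', (size_t)n) != NULL) return 0; /* bad or NUL */
    buf[n] = '\0';
    colon = strchr((char *)buf, ':');
    if (colon == NULL) return 0;             /* not of the form user:password */
    ul = (size_t)(colon - (char *)buf);
    pl = (size_t)n - ul - 1;
    if (ul >= ulen || pl >= plen) return 0;
    memcpy(user, buf, ul);       user[ul] = '\0';
    memcpy(pass, colon + 1, pl); pass[pl] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample headers, not taken from any real server. */
    char realm[64], user[64], pass[64];
    if (parse_basic_realm("WWW-Authenticate: Basic realm=\"Realm 1\"", realm, sizeof realm))
        printf("realm: %s\n", realm);
    if (decode_basic_credentials("Authorization: Basic dXNlcjpwYTpzcw==",
                                 user, sizeof user, pass, sizeof pass))
        printf("user=%s password=%s\n", user, pass);
    return 0;
}
```

Compile with any C compiler and run; it prints the parsed realm and the recovered credentials for the constructed headers. The decoder deliberately rejects non-canonical Base64 (missing '=' padding, '=' in the middle of the value, characters outside the alphabet) and embedded NUL bytes, because lenient parsing of credential headers is where a front end and the server behind it start to disagree about who a request belongs to.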

----- Original Message -----
From: <John_Leitch@NAI.com>
To: <vladimir@arobas.net>; <John_Leitch@NAI.com>
Cc: <pen-test@securityfocus.com>
Sent: Thursday, May 30, 2002 9:53 AM
Subject: RE: PEN Testing a everchanging realm in apache

> Hi,
>
> Thanks for that but the ever changing realm is as follows.....
>
> When a connection is established to the server and you are presented with a
> login prompt the realm is different every time. It's almost like the server
> has / is using /dev/random to assign the realm so it's never the same.
>
> -----Original Message-----
> From: Vladimir Parkhaev [mailto:vladimir@arobas.net]
> Sent: 29 May 2002 23:11
> To: John_Leitch@NAI.com
> Cc: pen-test@securityfocus.com
> Subject: Re: PEN Testing a everchanging realm in apache
>
> Quoting John_Leitch@NAI.com (John_Leitch@NAI.com):
> > Using the latest apache / ssl.
> >
> > I need to find a way of brute forcing the auth but........
> the web server
> > has an ever changing realm.
> >
> > Is this possible or shall I look elsewhere ?
> >
> > Regards
> >
>
> I am not sure what you mean by "ever changing realm", but
> you can adapt the following
> perl code to brute force your way in. You need to install
> Crypt::SSLeay module,
> dictionary, a loop and ... pretty much it...
>
>
>
> #!/usr/bin/perl -w
> use strict;
> use LWP::UserAgent;
> use HTTP::Request;
>
> # HTTPS support needs the Crypt::SSLeay module installed.
> my $ua  = LWP::UserAgent->new;
> my $req = HTTP::Request->new(POST => 'https://server.domain.com/');
> $req->authorization_basic('foo', 'bar');   # sends base64("foo:bar")
> my $res = $ua->request($req);
> print $res->is_success ? $res->content : $res->status_line, "\n";
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
