Re: IIS 5.0 with Integrated Window Authentication

From: Dave Aitel (dave@immunitysec.com)
Date: 11/07/02


Date: Thu, 7 Nov 2002 11:58:33 -0500
From: Dave Aitel <dave@immunitysec.com>
To: pen-test@securityfocus.com, webappsec@securityfocus.com

No base language's class libraries are a match for the rich programing
API that the GPL code base provides in this area, be it libwhisker,
WHArsenal, SPIKE Proxy, or any of the many other tools.

You probably could use the C#'s WebClient.Credentials Property to set
your credentials, then do some basic Whisker 1.0-style effort to build a
tiny scanner. However, I think that to do a professional job, you're
going to want to have a bit more control and a bit more stick behind
your spearhead, in the form of advanced features. The ability to write
custom checks with VulnXML, for example.

So I suggest one of three things:

1. Use APS with SPIKE Proxy (or some other application assessment tool
that can itself bounce through another proxy) APS is pure python and
GPL, so if I get a lot more requests for this functionality (feel free
to bug me at dave@immunitysec.com), I'll merge his code with SPIKE
Proxy's core. (To bounce SPIKE Proxy though another proxy, download
version 1.4.4, and use the -h and -H parameters to spkproxy.py)

2. Check out SPIKE 2.7, which includes NTLM buffer overflow tools and
brute forcers. (E.G, you can sniff a request that you want to fuzz, then
use SPIKE's much more fast and powerful fuzzing framework to find
overflows, format string bugs, SQL injection and the like - all through
NTLM authenticated requests). It also includes a transparent HTTP[S]
proxy (webmitm).

3. You can e-mail me and I'll send you the current SP 1.4.5 Beta, which
includes an ordering fix (so GET /a?a=b&c=d always is a=b&c=d and not
c=d&a=b) and a mod I whipped up this morning that lets you browse NTLM
pages through the proxy by passing the authentication back and forth a
bit. However, rewrite request and scanning functionality still don't
know about NTLM, and so that functionality won't be effective against
NTLM servers. For the record, the bug was not in SPIKE Proxy's handling
of Connection: Keep-Alive, but actually IE doesn't bother to respond to
WWW-Authenticate when it is set up to use a Proxy. So I changed
WWW-Authenticate to Proxy-Authenticate: and Proxy-Authorization to
Authorization and it worked. Integrating APS would have been a more
final solution, but that's slightly more than a few minutes' work.

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/

On Wed, 6 Nov 2002 12:21:46 -1000
"Jason Coombs" <jasonc@science.org> wrote:

> it might be easier for you to code your own scanner real quick using
> Microsoft .NET -- the class library provides several very simple
> network communications classes that do what you want.
>
> Jason Coombs
> jasonc@science.org
>
> -----Original Message-----
> From: Haroon Meer [mailto:haroon@sensepost.com]
> Sent: Wednesday, November 06, 2002 10:44 AM
> To: cc_mofo@hushmail.com
> Cc: pen-test@securityfocus.com; webappsec@securityfocus.com
> Subject: Re: IIS 5.0 with Integrated Window Authentication
>
>
> hi.
>
> use APS (NTLM Authorization Proxy Server)
> (http://freshmeat.net/projects/ntlmaps/?topic_id=20%2C87%2C250%2C43%2
> C151) to handle the auth, and ur scanner of choice behind it..
>
> ======================================================================
> Haroon Meer MH
> SensePost Information Security +27 83786 6637
> PGP : http://www.sensepost.com/pgp/haroon.txt haroon@sensepost.com
> ======================================================================
>
> On Wed, 6 Nov 2002 cc_mofo@hushmail.com wrote:
>
> >
> > I'm doing a security review and penetration test of a site running
> > on IIS
> with Integrated Windows Authentication. Anyone know of an IIS Scanner
> that can do an IWA exchange before scanning?
> >
> > The SPIKE proxy looks promising, but it appears the NTLM support is
> > not
> quite "there" yet for this purpose. The goofy three-message exchange
> that sets up the NTLM security doesn't seem to make it through the
> proxy, which leads me to believe that any tool that will work for this
> must have intentionally added support for IWA.
> >
> >
> >
> >
> >
> > Get your free encrypted email at https://www.hushmail.com
> > ------------ Output from gpg ------------
> > gpg: Signature made Wed Nov 6 22:15:16 2002 SAST using DSA key ID
> 21BE2B65
> > gpg: Can't check signature: public key not found
> >
> >
>
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



Relevant Pages

  • RE: IIS 5.0 with Integrated Window Authentication
    ... use APS (NTLM Authorization Proxy Server) ... and ur scanner of choice behind it.. ... > I'm doing a security review and penetration test of a site running on IIS ...
    (Pen-Test)
  • Re: Error: HTTP/1.1 407 Proxy Authentication Required
    ... It appears that the tool supports server auth, ... Scan through their FAQ and see what they say about proxy authentication. ... It has some built in http tests that supports NTLM ...
    (microsoft.public.isa)
  • Re: technetID KB321728: NO kerberos support for proxy servers
    ... microsoft is still incorperating NTLM ... NTLMv2 contains the password in a hash form. ... connections with NT4 servers, SAMBA shares on UNIX and - ... here it is- our PROXY server using NTLM won't work as ...
    (microsoft.public.isa)
  • Re: Why unable to proxy NTLM?
    ... Windows authentication mechanisms on a web server. ... The reason I want to be able to pass through NTLM is a bit different. ... I want to enable a customised local proxy that checks whether a GET ... not attempt to send the credentials it just gives up on the request ...
    (microsoft.public.isa)
  • SPIKE Proxy 1.0 Released
    ... SPIKE Proxy is a full featured HTTP and HTTPS proxy built with Python. ... in that it has no user interface beyond ... Likely some features will hook into SPIKE's generic C ...
    (Pen-Test)