RE: penetrating web-based authentication if you know one of the usernames

• Previous message: L. Walker: "Re: penetrating web-based authentication if you know one of the usernames"
• Maybe in reply to: Qlstad=2C_Roger?=: "penetrating web-based authentication if you know one of the usernames"
• Next in thread: Ole Martin Dahl: "Re: penetrating web-based authentication if you know one of the usernames"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 18 May 2005 11:43:02 -0400
To: Qlstad=2C_Roger?= <Roger.Olstad@pax.priv.no>, <pen-test@securityfocus.com>

Roger,

Simply knowing a username doesn't necessarily imply a weakness in security. For instance, I can be pretty sure that the e-mail server that you sent this message from has your username (Roger.Olstad, or something similar). Simply knowing that doesn't help much.

Of course, in theory, knowing a username and guessing a password is easier than guessing both a username and password.

Brute-forcing over the web isn't usually a good idea-- it generates too much traffic and takes far too long in most cases. I'm sure there are some good tools to test password strength and to brute-force them yourself.

All in all, I wouldn't worry, just because a username is known. Administrator, root, admin, postmaster, etc are all "known", but the password is the tricky thing. If you want to improve your security, implement a better password policy ( >= 8 characters, no dictionary words, etc).

M

Michael Scovetta
Computer Associates
Senior Application Developer

-----Original Message-----
From: Ĝlstad, Roger [mailto:Roger.Olstad@pax.priv.no]
Sent: Wednesday, May 18, 2005 8:05 AM
To: pen-test@securityfocus.com
Subject: penetrating web-based authentication if you know one of the usernames

Hi!

I have this web-based service/directory which offers users access through a username/password-authentication process. I am wondering what if some of the usernames are compromised, and I actually don't want to change the username? Are there any tools able to run some kind of bruteforce-attack or something, against my web-authentication? Other alternatives? Do I really have to consider my whole system as compromised just because a username may be lost?

In addition, does anyone know of any tool that can help me audit the web-server regarding to passwordpolicy, passwordstrength etc.

I appreciate all relevant answers :-)

Very best

R

-----Original Message-----
From: Erik Kamerling [mailto:ekamerling@snaplen.com]
Sent: 17. mai 2005 16:13
To: pen-test@securityfocus.com
Subject: Re: Cisco VPN Concentrator GUI

My original response never made it so here it is again.

On Sunday 15 May 2005 23:09, kaps lock wrote:
> i cant find any vulenrabilites on the net ....to
> explain to the person....only thing i can think of is
> brute forcing the username pasword field...which is
> again a challenge for web vpn..any ideas??
> thanks

Hi Kaps Lock,

You might want to impart info to your client regarding the common sense
security measure of limiting access to the HTTPS interface on the
concentrator to only trusted management hosts or internal networks.

Enabling uncontrolled public side HTTP(S) management of a VPN concentrator
gives out way more info re: their VPN than most people would want IMHO.

I don't believe HTTP(S) is enabled by default (at least on a public interface)
on a 3000 series concentrator so someone turned it on most likely.

3000 series concentrators are vulnerable to a SSL attack prior to version
4.1.7.A so you might want to point this out to them. The attacker does not
need to authenticate and can effectively reload the device or make it drop
user connections.

Here is the advisory ->
http://www.cisco.com/warp/public/707/cisco-sa-20050330-vpn3k.shtml

And a more general view on 3000 vulnerabilities ->
http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml

Best Wishes,

Erik Kamerling

• Previous message: L. Walker: "Re: penetrating web-based authentication if you know one of the usernames"
• Maybe in reply to: Qlstad=2C_Roger?=: "penetrating web-based authentication if you know one of the usernames"
• Next in thread: Ole Martin Dahl: "Re: penetrating web-based authentication if you know one of the usernames"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages RE: SecuRemote usernames can be guessed or sniffed using IKE exchange ... Here's my response to Checkpoint's statement on this IKE username ... Regarding the username guessing issue, this is also partly a user awareness ... The fact that the authentication details are encrypted with Hybrid mode ... (Bugtraq) Cisco VPN Concentrator GUI ... their web interface to the vpn concentrator ... available publicly on the internet with the username ... Mail has the best spam protection around ... (Pen-Test) Re: Concentrator 3000 question...client login. ??? ... You must have modified the Xauth settings in the global or user group that this user subscribes to. ... I think you need to navigate to Configuration, User Management, Groups / Users. ... You need to ensure that the option selected is the one you use, for example, Internal if usernames and passwords are stored on the VPN Concentrator, or External if stored on another device. ... Then make sure you have your username and password defined for this user. ... (comp.dcom.sys.cisco) Re: improper email on login screen for user, how do i change it ... Now I am guessing again ... ... account...Double click on your IM (Instant Messenger) and change your ... >>And under username that is not actually an e-mail (but ... >>> on my login screen my user account is displayed, ... (microsoft.public.windowsxp.security_admin) Re: improper email on login screen for user, how do i change it ... I am guessing here but you are in domain? ... change it, but you can ask your domain admin for help (be nice to him, I am ... And under username that is not actually an e-mail. ... > on my login screen my user account is displayed, ... (microsoft.public.windowsxp.security_admin)