Re: Pentesting a Web Applicaton

Stong, Ian C CTR DISA GIG-CS wrote:
Just for clarification - I have backups of the configs and could reset
the device and reload the config but as soon as you do that it also
restores the password. In addition you can't change the password without
knowing the old password.
I would suggest looking at the backup files, after making a copy of
them, and seeing if you can obtain a clear text password or even
password hash.
With the password hash I am almost sure you could run it through a set
of rainbow tables and also through another method to obtain the real
password, which in this case should be both the same obtained from the
rainbow tables and other app.

Take an evening, reset the device, try the cracked password. If it works
you have lost nothing and can reset the password. If it doesn't work you
have also lost nothing but you have gained the knowledge that the
cracked password is one that doesn't work.

Another thing to try is accessing the device from the cmd line via the
IP I am sure you have. Try and see if there is anything in the cmd line
help regarding lost passwords ie C;\> 'commandtoconnecttodevice -h'
sans quotes. Try the 1st cracked password too as maybe the web interface
has a different passwd.


And it's not actually the model listed and it's not a work device.
Didn't want to give away the actual model number, IP address and code
version, etc in case someone got bored and tried to hack away at it
externally :)
Now who would do something like that? :)

Let us know the outcome.
Hylton

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------

Relevant Pages

  • Re: File -> Page Setup
    ... Tools - Customize - Toolbars tab. ... Click on Menu Bar, then click Reset. ... I have lost the 'Page Setup' option from the standard toolbar. ...
    (microsoft.public.word.pagelayout)
  • Re: Freeview boxes non-volatile memory?
    ... the Setpal boxes kept 2 copies of upgrades plus the ... On a reset (holding down the reset ... > newer updatewill be lost forever. ...
    (uk.tech.digital-tv)
  • Re: Fringe - One Night in October
    ... Broyles would not have died at that time. ... He and his team hit the reset button on ALIAS. ... Alias after the second season, and Lost after the first. ...
    (rec.arts.sf.tv)
  • Re: What happens if I break the connection during activesync in WM5 ?
    ... it is never a good idea to reset your device. ... Flash (this doesn't affect the EDB database). ... parts of the uncommitted data will be lost. ... there is no automatic sync. ...
    (microsoft.public.pocketpc.activesync)
  • Re: multi-line command output to single Var?
    ... but vars in the new cmd will be lost upon return. ... Maybe the trick with set /p =%a will do: ...
    (microsoft.public.win2000.cmdprompt.admin)