Re: [RFC] Changes to HTTPAuth, addition of HTTPbrute

[Kris Katterjohn <katterjohn () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thomas Buchanan wrote:
> > From: Kris Katterjohn [mailto:katterjohn () gmail com] 
> >
> > I've attached a patch against your HTTPAuth that fixes the warning:
> >
> > SCRIPT ENGINE: ./scripts/HTTPAuth.nse:48: bad argument #1 to 'len'
> > (string expected, got nil)
> >
> > If a server didn't send a 401 message, string.len() was called on
> > nil.  I just made it return if it wasn't a 401, instead of having
> > all of the "real" code inside a conditional block.
>
> The patch looks good.  Thanks.

No problem.

> > I've also attached a patch to fix some false positives in
> > HTTPbrute.  I ran it several times, and one time it gave me 7
> > false positives.  Now that I've fixed that, I'm having the
> > problem of getting my valid username/password pair to
> > succeed: all of the requests are getting 401 responses back.  
> > Maybe this is a problem with the base64 library?  Or maybe I've
> > done something wrong and will feel stupid after sending this
> > email :)
>
> I applied your patch for HTTPbrute here, and all of my valid user/pass
> combinations are still working.  Not exactly sure what might be the
> issue, but three possibilities come to mind:
>
> 1. Any chance you may have locked out the user account, so that it's
> returning Unauthorized no matter what?

*sigh* That's indeed what it looks like today.  I was logging in through
Firefox while testing to avoid this, but I must've just missed it.  Sorry!

I set up a lighttpd server with basic authorization, and your HTTPbrute script
works fine against it with some slightly-larger 25-entry username and password
lists.

> You can verify that the base64 library is working correctly by using an
> online encoders, such as this one:
> http://www.motobit.com/util/base64-decoder-encoder.asp

Yes, your base64 library does indeed seem to work fine.

> Let me know if there's anything else I can do to help.
>
> Thanks,
>
> Thomas

Thanks!,
Kris Katterjohn


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBSGKB9v9K37xXYl36AQK+pw//T3kYX74He3JJzr29UsYmJMb70hXN45R2
mInmv097mvCSiHMTivHcwQOzuz/gtp1gw9NMvMWFifZtMTWSXp9aA+TUgWGGhyh2
cvCMlGtOa7QDptRgqB3HwddQKbyraNTuJ8qRnp1DSUWfk8QDO8FxL7bLp3gbSfBW
jl4JawnRdn0Za/7k6wRS76ZufIpFphneUsdne6jUmQ7RRVjds/1cUfHxT5xpp/e7
+fQkFobG88W28u1IrZqjMed8+brUIvcFohLnD1hnZ/CTpApFa575ofH0o5fnldbL
D55a8jnC+5JPPD6cmhK2qXfySllh5a8Bto+jc3gJIwbwf+8VWmSF1jh5XfGrWuPK
cLu/a3aUZ8BjGmqylM3pwSO1xEjQgpNMK1cC5eC0okdRghO5P3BBvIm3WIdsehhi
CMLzvWtM2aNgYXhrpXBKUya2n3VPF3uts/NuPO+WGFoSTu0iHGTxb0Dl/EXLFcpR
smR8Yi/D+C4aUeqHb8MBzVNPFJUWzGFuyLVoV/RVbvUqHk3EAk5lV+QAKfs35+a4
GFuReESacdJZRwIfDJckDc+FSUhwvWzRk0CEAqnDdA0QswE2alRlX0zN0/ZmqbME
FNq6yZcM/2nKBNf46SpGiGj6u5tBYVulPNel1v+VuavvwfdU0B83phk6lxJs8ghx
41fFG5W0ic0=
=k1hg
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org