Penetration Testing mailing list archives
Re: brute-forcing NTLM HTTP Authentication
From: freehold () erols com
Date: Sat, 29 Sep 2001 16:49:29 -0400
Lanman's challenge/response-based and it can cave when bruteforced. There was a patch released some time ago because of a potential L0phtCrack brute-force between IIS & clients w/ WEC (ME & anything with Office2000). WEC didn't play nice with IE zone settings. Ditto a 2k telnet client/NTLM problem (the client is 'optional' but enabled by default I think). Ditto NetBIOS/NTLM. Windows sends the auths without telling users, another example of 'transparency' I guess? ;)

My favorite NTLM-for-dummies: http://www.innovation.ch/java/ntlm.html

Missy

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- brute-forcing NTLM HTTP Authentication Jason binger (Sep 29)
- Re: brute-forcing NTLM HTTP Authentication Dave Aitel (Sep 30)
- Re: brute-forcing NTLM HTTP Authentication Vanja Hrustic (Sep 30)
- Re: brute-forcing NTLM HTTP Authentication Denis Ducamp (Sep 30)
- Re: brute-forcing NTLM HTTP Authentication freehold (Sep 30)