Penetration Testing mailing list archives
Re: PEN Testing a everchanging realm in apache
From: "David Litchfield" <david () ngssoftware com>
Date: Thu, 30 May 2002 18:04:08 +0100
The Realm is of use to the client only. It tells the client that, once authenticated, if you request anything within that realm then supply credentials.

Here's a bit of code I hacked together to write out a Basic auth string. Hack it around a bit more and plug it into whatever you're doing.

David Litchfield
http://www.ngssoftware.com/

    #include <stdio.h>
    #include <string.h>

    /* Standard Base64 alphabet, indexed by 6-bit value */
    static const char b64[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

    char base64up[800] = "Authorization: Basic ";

    int main(int argc, char *argv[])
    {
        char userid[256] = "";
        char password[256] = "";
        char string[512] = "";
        char tmp[8] = "";
        char ibase64up[800] = "";
        unsigned int holder;
        int len = 0, bc = 0, n;

        if (argc != 3) {
            printf("%s username password\n", argv[0]);
            return 1;
        }

        strncpy(userid, argv[1], 250);
        strncpy(password, argv[2], 250);

        /* Basic auth encodes the string "userid:password" */
        strcpy(string, userid);
        strcat(string, ":");
        strcat(string, password);
        len = strlen(string);

        while (bc < len) {
            /* Pack up to three input bytes into a 24-bit holder. The casts
               keep bytes >= 0x80 from being sign-extended. */
            n = len - bc;
            if (n > 3)
                n = 3;
            holder = (unsigned char)string[bc] << 16;
            if (n > 1)
                holder |= (unsigned char)string[bc + 1] << 8;
            if (n > 2)
                holder |= (unsigned char)string[bc + 2];
            bc += n;

            /* Emit four 6-bit groups; a short final group is padded with '=' */
            tmp[0] = b64[(holder >> 18) & 0x3f];
            tmp[1] = b64[(holder >> 12) & 0x3f];
            tmp[2] = (n > 1) ? b64[(holder >> 6) & 0x3f] : '=';
            tmp[3] = (n > 2) ? b64[holder & 0x3f] : '=';
            tmp[4] = 0x00;
            strcat(ibase64up, tmp);
        }

        strncat(base64up, ibase64up, sizeof(base64up) - strlen(base64up) - 1);
        printf("%s\n", base64up);
        return 0;
    }

----- Original Message -----
From: <John_Leitch () NAI com>
To: <vladimir () arobas net>; <John_Leitch () NAI com>
Cc: <pen-test () securityfocus com>
Sent: Thursday, May 30, 2002 9:53 AM
Subject: RE: PEN Testing a everchanging realm in apache
Hi,

Thanks for that but the ever changing realm is as follows.....

When a connection is established to the server and you are presented with a login prompt the realm is different every time. It's almost like the server has / is using /dev/random to assign the realm so it's never the same.

-----Original Message-----
From: Vladimir Parkhaev [mailto:vladimir () arobas net]
Sent: 29 May 2002 23:11
To: John_Leitch () NAI com
Cc: pen-test () securityfocus com
Subject: Re: PEN Testing a everchanging realm in apache

Quoting John_Leitch () NAI com (John_Leitch () NAI com):

> Using the latest apache / ssl. I need to find a way of brute forcing the auth but........the web server has an ever changing realm. Is this possible or shall I look elsewhere ?
>
> Regards

I am not sure what you mean by "ever changing realm", but you can adapt the following perl code to brute force your way in. You need to install Crypt::SSLeay module, dictionary, a loop and ... pretty much it...

    #!/usr/bin/perl -w
    use LWP::UserAgent;

    my $ua = LWP::UserAgent->new;

    # One request with a Basic Authorization header for the given credentials
    my $req = HTTP::Request->new(POST => 'https://server.domain.com/');
    $req->authorization_basic('foo', 'bar');

    my $res = $ua->request($req);

    # Print the body on success, otherwise the HTTP status line
    ($res->is_success)? print $res->content, "\n" : print $res->status_line, "\n";

--------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
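The receiving side of the header discussed in this thread, as an added example that is not part of any poster's code: it parses an `Authorization: Basic` line back into userid and password, which shows that the header carries no realm at all and that Base64 here is plain encoding, so anything that captures or logs the header holds the password. The names `basic_decode` and `b64val` are hypothetical, and the sample header is the constructed "Aladdin" / "open sesame" pair used in the HTTP authentication RFCs.

```c
#include <stdio.h>
#include <string.h>

/* Map one Base64 character to its 6-bit value, or -1 if not in the alphabet. */
static int b64val(int c)
{
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* basic_decode (hypothetical helper): split a Basic Authorization header into
 * userid and password. Returns 0 on success, -1 on malformed or oversized input. */
int basic_decode(const char *hdr, char *user, size_t ulen, char *pass, size_t plen)
{
    static const char prefix[] = "Authorization: Basic ";
    char plain[512], *colon;
    size_t n = 0, i, len;
    if (strncmp(hdr, prefix, sizeof(prefix) - 1) != 0) return -1;
    hdr += sizeof(prefix) - 1;
    len = strcspn(hdr, "\r\n");                 /* ignore a trailing CRLF */
    if (len == 0 || len % 4 != 0) return -1;
    for (i = 0; i < len; i += 4) {
        unsigned int h; int v[4], j, pad = 0;
        for (j = 0; j < 4; j++) {               /* '=' is only legal at the very end */
            if (hdr[i + j] == '=' && i + 4 == len && j >= 2) { v[j] = 0; pad++; }
            else if (pad || (v[j] = b64val((unsigned char)hdr[i + j])) < 0) return -1;
        }
        if (n + 3 >= sizeof(plain)) return -1;  /* keep room for 3 bytes + NUL */
        h = (unsigned)v[0] << 18 | v[1] << 12 | v[2] << 6 | v[3];
        plain[n++] = (char)(h >> 16);
        if (pad < 2) plain[n++] = (char)(h >> 8);
        if (pad < 1) plain[n++] = (char)h;
    }
    plain[n] = '\0';
    colon = strchr(plain, ':');                 /* the first ':' ends the userid */
    if (!colon) return -1;
    *colon = '\0';
    if (strlen(plain) >= ulen || strlen(colon + 1) >= plen) return -1;
    strcpy(user, plain);
    strcpy(pass, colon + 1);
    return 0;
}

int main(void)
{
    char u[64], p[64];                          /* constructed sample header below */
    if (basic_decode("Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==", u, sizeof u, p, sizeof p) == 0)
        printf("userid=%s password=%s\n", u, p);
    return 0;
}
```
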
Current thread:
- PEN Testing a everchanging realm in apache John_Leitch (May 29)
- Re: PEN Testing a everchanging realm in apache Vladimir Parkhaev (May 30)
- <Possible follow-ups>
- RE: PEN Testing a everchanging realm in apache John_Leitch (May 30)
- Re: PEN Testing a everchanging realm in apache David Litchfield (May 30)
- Re: PEN Testing a everchanging realm in apache J. J. Horner (May 30)