Penetration Testing mailing list archives

Re: IIS 5.0 with Integrated Window Authentication

From: cc_mofo () hushmail com
Date: Tue, 12 Nov 2002 15:34:02 -0800


One last followup to this.

Using APS, I was able to detect and exploit a web app authentication design flaw (don't trust those cookies, kids, 
especially ones named something like "userid") in the target app.

I discovered some interesting behavior with IIS and IWA/NTLM.  IIS *sometimes* closes the connection after telling the 
browser to use NTLM.  It appears that several of the web proxy tools out there assume that the connection will stay 
open.  Whisker has NTLM support, but I was unable to get it to work.

I worked with Dave Aitel to get SPIKE Proxy to support this behavior as well.  SPIKE Proxy now works with NTLM at my 
site.  Using SPIKE's UI I can now demo this exploit to developers and management more effectively (whereas with APS I 
had to manually insert Python code).

On Thu, 07 Nov 2002 13:25:56 -0800 cc_mofo () hushmail com wrote:

Thanks to everyone for the responses.  I've gotten APS up and running 
and it works as advertised, i.e. perfectly.  It does of course require 
that any tool that I use have proxy support (whisker just got proxy 
support with 2.0, and even then I don't have it working against 
APS yet).

I understand WebInspect might work, so I will try it once their 
license squad finishes working me over.

I'll take another look at SPIKE proxy for this at some point---last 
time I wound up in the weeds (code weeds, that is) trying to track 
down why/where it didn't work.

On Thu, 07 Nov 2002 11:35:23 -0800 Dave Aitel <dave () immunitysec com> 
wrote:

Hmm. My basterdized SPIKE Proxy NTLM auth does, in fact, work through
the proxy though.

Client->SPIKE Proxy->Server

Where Client is sending Proxy-Authorization, and SPIKE Proxy is
translating that into Authorization: and sending it to the server
and so
on. I get access on IIS 5.0, at least.


-dave

On Wed, 6 Nov 2002 23:27:54 +0100
Sebastian Flothow <sebastian () flothow de> wrote:

The goofy three-message exchange that sets up the NTLM security
doesn't seem to make it through the proxy,


AFAIK, NTLM _can_ _not_ work through proxies, by design. It seems

it

includes the client's IP address, which then doesn't match that

of the


proxy (which is the client from the server's point of view),

or

something similar.


Sebastian

--
Sebastian Flothow
sebastian () flothow de
#include <stddisclaimer.h>




Get your free encrypted email at https://www.hushmail.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

Re: IIS 5.0 with Integrated Window Authentication, (continued)
- Re: IIS 5.0 with Integrated Window Authentication Kevin Spett (Nov 07)
- Re: IIS 5.0 with Integrated Window Authentication Sebastian Flothow (Nov 08)
  - Re: IIS 5.0 with Integrated Window Authentication Dave Aitel (Nov 07)
  - Re: IIS 5.0 with Integrated Window Authentication sunzi (Nov 07)
- Re: IIS 5.0 with Integrated Window Authentication Haroon Meer (Nov 08)
  - RE: IIS 5.0 with Integrated Window Authentication Jason Coombs (Nov 08)
    - Re: IIS 5.0 with Integrated Window Authentication Dave Aitel (Nov 07)
    - Re: [Spike] Re: IIS 5.0 with Integrated Window Authentication Dave Aitel (Nov 07)
- Re: IIS 5.0 with Integrated Window Authentication cc_mofo (Nov 09)
- RE: IIS 5.0 with Integrated Window Authentication Michael Howard (Nov 09)
- Re: IIS 5.0 with Integrated Window Authentication cc_mofo (Nov 12)