Penetration Testing mailing list archives
Re: brute force ColdFusion MX7 admin page
From: Joseph McCray <joe () learnsecurityonline com>
Date: Fri, 21 Dec 2007 00:45:05 -0500
Sup anon...I've never run into something like this on a test. So I am NOT speaking from experience here. Did some quick googling...ended up here: http://pajhome.org.uk/crypt/md5/

Quick questions...

1. What happens when you browse to that login page with javascript disabled?
   * http://pajhome.org.uk/crypt/md5/auth.html
2. Can you attack the admin's computer? Is there a "contact webmaster" link on the page?
   * Possibly attack the site admin via client-side, and then run IEPwdump.
3. Have you been able to do any social engineering/spear phishing that might allow you to attempt to record the admin logging into the page?

--------------

Personally, I would try at least the 3 options above before I would resort to brute-forcing the login page knowing that it uses a password salt.

If I was absolutely forced to attempt the attack you are talking about I would say to go about it this way. I agree with you that although the salt may be predictable, the amount of time you'd waste trying to determine that is just too great. Wget the login page every 25 seconds, then parse/regex the salt and use the same method the page does to encode your password list, with a counter that will pause the login process and change out that $salt variable every 25 seconds.

I'm thinking this is less than 30 lines of the pick-your-poison scripting languages (Perl, Python, Ruby). With perl - I'd go for some sort of nested foreach loop with the counter set for 25 seconds before swapping out the $salt var. <-- Sorry, I'm sure that there is probably a more ELEGANT way to code this up. I'm just not a "Software Engineer".

Anon - let us know what you end up doing, and if you come up with some code to attempt these types of logins post it here so the rest of us can play with it and maybe even improve it. From the googling I did just now it looks like there is a slow but steady increase in webmasters doing these types of logins, especially with md5 and some sort of salt.

A little script like this would definitely be of use to this list.

P.S. - thanks for trying to bring the list back <wink>

j0e

On Wed, 2007-12-19 at 19:44 -0800, Anonymous wrote:
I would send this from my work account but every time I respond to a question I get a bunch of spam. So... on to the real situation.

A customer's ColdFusion MX7 admin page is reachable from the Internet. As part of the external pen test I'd like to attempt to brute force this page. It would seem to be easier than normal because there is only a password - no username is needed. However, there is a small problem that I'm not sure how to tackle quickly. I don't have much time left.

The form action is this:

    <form name="loginform" action="/cfide/administrator/enter.cfm" method="POST" onSubmit="cfadminPassword.value = hex_hmac_sha1(salt.value, hex_sha1(cfadminPassword.value));" >

There is a hidden field in the form with the salt value:

    <input name="salt" type="hidden" value="1198120613281">

I imagine the salt is predictable but I also imagine that it wouldn't help much to predict it. Maybe I'm wrong. The page has a meta refresh of 50.

The password field is:

    <input name="cfadminPassword" type="Password" size="15" maxlength="100" id="admin_login">

Because of the encoding of the entered password with the salt it doesn't look like I can use Hydra. Am I stuck writing my own script using wget (or something) and a function to hash the password and salt? If so, does anyone know about these functions: hex_hmac_sha1 and hex_sha1?

Hopefully this is the type of thing that will bring the old PT List back.... maybe...

Thanks for any input!
--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe () learnsecurityonline com
Web: https://www.learnsecurityonline.com

Learn Security Online, Inc.
* Security Games
* Simulators
* Challenge Servers
* Courses
* Hacking Competitions
* Hacklab Access

"The only thing worse than training good employees and losing them is NOT training your employees and keeping them." - Zig Ziglar
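To make clear what the hex_hmac_sha1(salt, hex_sha1(password)) scheme quoted above does and does not protect against, here is an added illustration (not ColdFusion's code and not from either poster): a Python model of the client-side transform plus a hypothetical server-side verifier. It assumes the server holds sha1(password) (the only way it can recompute the HMAC from the salt), a salt freshness window of 50 s matching the page's meta refresh, and a lockout threshold of 5; all three are assumptions, not documented ColdFusion behaviour. The point for a defender: the salt only blocks replay of an old capture, while every fresh guess is still answered, so lockout or rate limiting is the control that matters.

```python
import hashlib
import hmac

SALT_WINDOW_MS = 50_000  # assumption: one meta-refresh interval (50 s) of salt validity
MAX_FAILURES = 5         # assumption: lockout threshold, not a ColdFusion setting


def hex_sha1(data: str) -> str:
    """Equivalent of the page's hex_sha1(): SHA-1 of the string as lowercase hex."""
    return hashlib.sha1(data.encode()).hexdigest()


def hex_hmac_sha1(key: str, data: str) -> str:
    """Equivalent of hex_hmac_sha1(key, data): HMAC-SHA1 keyed by the salt string."""
    return hmac.new(key.encode(), data.encode(), hashlib.sha1).hexdigest()


def client_encode(salt: str, password: str) -> str:
    """What the form's onSubmit handler submits instead of the plaintext password."""
    return hex_hmac_sha1(salt, hex_sha1(password))


class Verifier:
    """Hypothetical server side of the scheme: stores only sha1(password) plus a
    failure counter, rejects stale salts, and locks after repeated failures."""

    def __init__(self, password: str):
        self.stored_sha1 = hex_sha1(password)
        self.failures = 0

    def verify(self, salt: str, submitted: str, now_ms: int) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"          # mitigation: guessing is cut off here
        if not (0 <= now_ms - int(salt) <= SALT_WINDOW_MS):
            return "stale-salt"      # a replayed old capture is rejected
        expected = hex_hmac_sha1(salt, self.stored_sha1)
        if hmac.compare_digest(expected, submitted):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "bad-password"        # a fresh guess still gets an answer
```

Note that sha1(password) is the effective secret: anyone who obtains the stored hash can produce a valid submission without knowing the password.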