Penetration Testing mailing list archives
Re: Pentesting a Web Applicaton
From: "Jamie Riden" <jamie.riden () gmail com>
Date: Fri, 1 Jun 2007 18:10:49 +0100
On 01/06/07, Stong, Ian C CTR DISA GIG-CS <Ian.Stong.ctr () disa mil> wrote:
Because I have years of configuration and tweaks on it and various services would be down while reconfiguring it. Looking for little to no downtime. As an example I run VOIP through it with specific source destination pairs and specific port/protocol filters. Multiply that by 30 and you have the configuration that I would have to redo on the device. Meanwhile downtime while configuring and sniffing each application to determine exact ports to allow through, VPN peers to establish, applications to NAT, port remappings for public to private ports.....
Hi Ian, Are we talking about a strong password here? Because there is no feasible way to guess an 8 character password with upper and lower case and digits, such as 'FhsfaS2!'. There are more than 62**8 such passwords which is far too many to brute force. Otherwise, here's two tools I've seen - been a while though so I can't offer an opinion: http://www.darknet.org.uk/2007/02/thc-hydra-the-fast-and-flexible-network-login-hacking-tool/ http://www.darknet.org.uk/2006/12/wwwhack-19-download-wwwhack19zip-web-hacking-tool/ Barnaby Jack has done some interesting stuff recently with JTAG, exploits and ARM-based stuff, but this is probably further than you want to go: https://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Jack.pdf http://cansecwest.com/slides07/Vector-Rewrite-Attack.pdf http://cansecwest.com/slides07/csw07-jack.pdf cheers, Jamie -- Jamie Riden, CISSP / jamesr () europe com / jamie () honeynet org uk UK Honeynet Project: http://www.ukhoneynet.org/ ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
Current thread:
- Re: Pentesting a Web Applicaton Haroon Meer (Jun 01)
- <Possible follow-ups>
- RE: Pentesting a Web Applicaton Stong, Ian C CTR DISA GIG-CS (Jun 01)
- Message not available
- RE: Pentesting a Web Applicaton Peter Wood (Jun 01)
- Message not available
- Re: Pentesting a Web Applicaton Jamie Riden (Jun 01)
- Re: Pentesting a Web Applicaton sherwyn . williams (Jun 01)
- Re: RE: Pentesting a Web Applicaton ebk_lists (Jun 01)
- RE: RE: Pentesting a Web Applicaton Stong, Ian C CTR DISA GIG-CS (Jun 01)
- Re: RE: Pentesting a Web Applicaton Jamie Riden (Jun 01)
- Re: RE: Pentesting a Web Applicaton sherwyn . williams (Jun 01)
- RE: RE: Pentesting a Web Applicaton Alex Balayan (Jun 11)
- RE: RE: Pentesting a Web Applicaton Stong, Ian C CTR DISA GIG-CS (Jun 01)
- Re: Pentesting a Web Applicaton Hylton Conacher (ZR1HPC) (Jun 04)