WebApp Sec mailing list archives
Re: Dictionary and brute forcing web authentication?
From: "Chris Varenhorst" <hiyachris86 () hotmail com>
Date: Sat, 13 Sep 2003 15:47:27 -0500
Is it possible to just specify the failure string as a string from the login page? The <title> tag works well especially since its likely that the login page, says something about how this is the login page in the title. And as far as the password "popups" you mentioning happening in IE, you're right those most likely are NOT http application web authentication but http 401 authentications which are part of the HTTP protocol. I'm sure the query string "http authentication 401 brute force" in a Google and a little bit of time will find something to brute force those...
From: "Mark G. Spencer" <mspencer () evidentdata com> To: <webappsec () securityfocus com> Subject: Dictionary and brute forcing web authentication? Date: Fri, 12 Sep 2003 12:55:41 -0700 MIME-Version: 1.0Received: from outgoing2.securityfocus.com ([205.206.231.26]) by mc2-f28.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Fri, 12 Sep 2003 16:52:24 -0700 Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])by outgoing2.securityfocus.com (Postfix) with QMQPid 527E68F69D; Fri, 12 Sep 2003 09:23:33 -0600 (MDT)Received: (qmail 15276 invoked from network); 12 Sep 2003 13:46:49 -0000 X-Message-Info: JGTYoYF78jG7o8ez+s5QPGrLBkNiZwpc Mailing-List: contact webappsec-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <webappsec.list-id.securityfocus.com> List-Post: <mailto:webappsec () securityfocus com> List-Help: <mailto:webappsec-help () securityfocus com> List-Unsubscribe: <mailto:webappsec-unsubscribe () securityfocus com> List-Subscribe: <mailto:webappsec-subscribe () securityfocus com> Delivered-To: mailing list webappsec () securityfocus com Delivered-To: moderator for webappsec () securityfocus com Message-ID: <007101c37967$d88df440$800101df () edi evidentdata com> X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: NormalReturn-Path: webappsec-return-3106-hiyachris86=hotmail.com () securityfocus com X-OriginalArrivalTime: 12 Sep 2003 23:52:24.0696 (UTC) FILETIME=[EA1F9F80:01C37988]I'm looking for advice on dictionary and brute forcing web authentication. Most of the websites I have access to at work have various kinds of forms based authentication. I've been playing with a plugin for Sleuth (httpbrute_plugin.zip) and am having difficulty.At a minimum I need to give the plugin the user and password fields from the source of the webpage so it knows where to perform the dictionary attack. I also need a failure string so the plugin knows when it has failed (and if ithasn't failed, theoretically succeeded), but herein lies the problem. I'm looking at a page called "securedefault.asp" .. When I enter a bogus username and password, the login screen just displays again .. No special failure message. Any ideas how to handle this? Also .. I noticed on some websites that as soon as you go to them, a user and password box pops up. I am not able to view source on these, either in IE or Sleuth. In IE the user and password box opens immediately, and in Sleuth I get a Windows username and password box. I'm assuming these are *not* basic http authentication? Any advice on how to dictionary attack these things? Thanks! Mark
_________________________________________________________________Get 10MB of e-mail storage! Sign up for Hotmail Extra Storage. http://join.msn.com/?PAGE=features/es
Current thread:
- Dictionary and brute forcing web authentication? Mark G. Spencer (Sep 12)
- <Possible follow-ups>
- Re: Dictionary and brute forcing web authentication? DownBload (Sep 13)
- Re: Dictionary and brute forcing web authentication? Chris Varenhorst (Sep 14)
- Re: Dictionary and brute forcing web authentication? RSnake (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 15)
- Re: Dictionary and brute forcing web authentication? Martin Eiszner (Sep 15)
- RE: Dictionary and brute forcing web authentication? Sarbjit Singh Gill (Sep 15)
- Re: Dictionary and brute forcing web authentication? Sasa Jusic (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 15)
- RE: Dictionary and brute forcing web authentication? latte (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 22)