WebApp Sec mailing list archives

RE: Dictionary and brute forcing web authentication?

From: "Calderon, Juan C (EM, DDEMESIS)" <Juan.Calderon () ge com>
Date: Sun, 14 Sep 2003 12:07:22 -0400

Those popup windows appear when *basic*, *windows integrated* or
*Digest* authentication is used. Perhaps, you are getting a *Integrated
windows* or *Digest* authentication popup (which only works on IE
clients accessing IIS servers) watch the HTTP headers using a proxy like
Exodus or Paros to identify witch authentication are you dealing with.
Some of the possible values for *WWW-Authenticate* header are *basic*
for basic authentication (here you can use something like DownBload
suggestion), *NTLM* for windows authentication and *Digest* for digest
authentication.

I dont know a tool for brute forcing windows or digest authentication.
In fact, given those are challenge digests instead of  *direct*
authentication type, I doubt a tool like that exist.

cheers :)

-----Original Message-----
From: Mark G. Spencer [mailto:mspencer () evidentdata com]
Sent: Friday, September 12, 2003 2:56 PM
To: webappsec () securityfocus com
Subject: Dictionary and brute forcing web authentication?


I'm looking for advice on dictionary and brute forcing web
authentication.
Most of the websites I have access to at work have various kinds of
forms
based authentication.  I've been playing with a plugin for Sleuth
(httpbrute_plugin.zip) and am having difficulty.

At a minimum I need to give the plugin the user and password fields from
the
source of the webpage so it knows where to perform the dictionary
attack.  I
also need a failure string so the plugin knows when it has failed (and
if it
hasn't failed, theoretically succeeded), but herein lies the problem.
I'm
looking at a page called "securedefault.asp" .. When I enter a bogus
username and password, the login screen just displays again .. No
special
failure message.

Any ideas how to handle this?

Also .. I noticed on some websites that as soon as you go to them, a
user
and password box pops up.  I am not able to view source on these, either
in
IE or Sleuth.  In IE the user and password box opens immediately, and in
Sleuth I get a Windows username and password box.  I'm assuming these
are
*not* basic http authentication?  Any advice on how to dictionary attack
these things?

Thanks!

Mark

Attachment: smime.p7s
Description:

Current thread:

Dictionary and brute forcing web authentication? Mark G. Spencer (Sep 12)
- <Possible follow-ups>
- Re: Dictionary and brute forcing web authentication? DownBload (Sep 13)
- Re: Dictionary and brute forcing web authentication? Chris Varenhorst (Sep 14)
  - Re: Dictionary and brute forcing web authentication? RSnake (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 15)
  - Re: Dictionary and brute forcing web authentication? Martin Eiszner (Sep 15)
  - RE: Dictionary and brute forcing web authentication? Sarbjit Singh Gill (Sep 15)
- Re: Dictionary and brute forcing web authentication? Sasa Jusic (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 15)
- RE: Dictionary and brute forcing web authentication? latte (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 22)