WebApp Sec mailing list archives
RE: Dictionary and brute forcing web authentication?
From: "Sarbjit Singh Gill" <ssgill () gilltechnologies com>
Date: Mon, 15 Sep 2003 22:56:13 +0800
Greetings, If I am not mistaken, Windows Intergated does not have a popup. IE merely takes your currently logged on crediantials and passes them to the IIS server. Only BASIC and DIGEST would have pop up from the IIS server. Please advice if I am wrong ? Gill -----Original Message----- From: Calderon, Juan C (EM, DDEMESIS) [mailto:Juan.Calderon () ge com] Sent: Monday, September 15, 2003 12:07 AM To: webappsec () securityfocus com Subject: RE: Dictionary and brute forcing web authentication? Those popup windows appear when *basic*, *windows integrated* or *Digest* authentication is used. Perhaps, you are getting a *Integrated windows* or *Digest* authentication popup (which only works on IE clients accessing IIS servers) watch the HTTP headers using a proxy like Exodus or Paros to identify witch authentication are you dealing with. Some of the possible values for *WWW-Authenticate* header are *basic* for basic authentication (here you can use something like DownBload suggestion), *NTLM* for windows authentication and *Digest* for digest authentication. I dont know a tool for brute forcing windows or digest authentication. In fact, given those are challenge digests instead of *direct* authentication type, I doubt a tool like that exist. cheers :) -----Original Message----- From: Mark G. Spencer [mailto:mspencer () evidentdata com] Sent: Friday, September 12, 2003 2:56 PM To: webappsec () securityfocus com Subject: Dictionary and brute forcing web authentication? I'm looking for advice on dictionary and brute forcing web authentication. Most of the websites I have access to at work have various kinds of forms based authentication. I've been playing with a plugin for Sleuth (httpbrute_plugin.zip) and am having difficulty. At a minimum I need to give the plugin the user and password fields from the source of the webpage so it knows where to perform the dictionary attack. I also need a failure string so the plugin knows when it has failed (and if it hasn't failed, theoretically succeeded), but herein lies the problem. I'm looking at a page called "securedefault.asp" .. When I enter a bogus username and password, the login screen just displays again .. No special failure message. Any ideas how to handle this? Also .. I noticed on some websites that as soon as you go to them, a user and password box pops up. I am not able to view source on these, either in IE or Sleuth. In IE the user and password box opens immediately, and in Sleuth I get a Windows username and password box. I'm assuming these are *not* basic http authentication? Any advice on how to dictionary attack these things? Thanks! Mark
Current thread:
- Dictionary and brute forcing web authentication? Mark G. Spencer (Sep 12)
- <Possible follow-ups>
- Re: Dictionary and brute forcing web authentication? DownBload (Sep 13)
- Re: Dictionary and brute forcing web authentication? Chris Varenhorst (Sep 14)
- Re: Dictionary and brute forcing web authentication? RSnake (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 15)
- Re: Dictionary and brute forcing web authentication? Martin Eiszner (Sep 15)
- RE: Dictionary and brute forcing web authentication? Sarbjit Singh Gill (Sep 15)
- Re: Dictionary and brute forcing web authentication? Sasa Jusic (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 15)
- RE: Dictionary and brute forcing web authentication? latte (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 22)