Penetration Testing mailing list archives

RE: PEN Testing a everchanging realm in apache


From: John_Leitch () NAI com
Date: Thu, 30 May 2002 10:53:00 +0200

Hi, 

Thanks for that but the ever changing realm is as follows.....

When a connection is established to the server and you are presented with a
login prompt the realm is different every time.  It's almost like the server
has / is using /dev/random to assign the realm so it's never the same.

                -----Original Message-----
                From:   Vladimir Parkhaev [mailto:vladimir () arobas net]
                Sent:   29 May 2002 23:11
                To:     John_Leitch () NAI com
                Cc:     pen-test () securityfocus com
                Subject:        Re: PEN Testing a everchanging realm in apache

                Quoting John_Leitch () NAI com (John_Leitch () NAI com):
                > Using the latest apache / ssl.
                > 
                > I need to find a way of brute forcing the auth but........ the web server
                > has an ever changing realm.
                > 
                > Is this possible or shall I look elsewhere ?
                > 
                > Regards
                > 

                I am not sure what you mean by "ever changing realm", but you can adapt the following
                perl code to brute force your way in. You need to install Crypt::SSLeay module,
                dictionary, a loop and ... pretty much it...



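                #!/usr/bin/perl -w
                use LWP::UserAgent;
                use HTTP::Request;

                my $ua  = LWP::UserAgent->new;
                # HTTPS URLs need Crypt::SSLeay installed for LWP
                my $req = HTTP::Request->new(POST => 'https://server.domain.com/');
                # Send one set of HTTP Basic credentials
                $req->authorization_basic('foo', 'bar');
                my $res = $ua->request($req);
                # Print the body on success, otherwise the status line
                ($res->is_success) ? print $res->content, "\n" : print $res->status_line, "\n";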
