Penetration Testing mailing list archives

Re: PEN Testing a everchanging realm in apache


From: "David Litchfield" <david () ngssoftware com>
Date: Thu, 30 May 2002 18:04:08 +0100

The Realm is of use to the client only. It tells the client that, once
authenticated, if you request anything within that realm then supply
credentials.

Here's a bit of code I hacked together to write out a Basic auth string.
Hack it around a bit more and plug it into whatever you're doing.

David Litchfield
http://www.ngssoftware.com/

#include <stdio.h>
#include <string.h>

/* Standard base64 alphabet: index n (0..63) gives the output character. */
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

char base64up[800] = "Authorization: Basic ";

int main(int argc, char *argv[])
{
    char userid[256] = "";
    char password[256] = "";
    char string[512] = "";
    char ibase64up[800] = "";
    char tmp[5] = "";
    unsigned int holder;
    int bc = 0, len = 0, n;

    if (argc != 3)
        return printf("%s username password\n", argv[0]);

    strncpy(userid, argv[1], 250);
    strncpy(password, argv[2], 250);

    /* Basic auth encodes the literal string "userid:password". */
    strcpy(string, userid);
    strcat(string, ":");
    strcat(string, password);
    len = strlen(string);

    while (bc < len) {
        /* Take up to three input bytes; n is how many of them are real data.
           Missing bytes are zero-filled and later marked with '=' padding
           instead of being encoded as 'A'. */
        n = (len - bc < 3) ? len - bc : 3;
        holder = (unsigned char)string[bc] << 16;
        if (n > 1) holder |= (unsigned char)string[bc + 1] << 8;
        if (n > 2) holder |= (unsigned char)string[bc + 2];
        bc += 3;

        /* Split the 24 bits into four 6-bit values and map each to a character. */
        tmp[0] = B64[(holder >> 18) & 63];
        tmp[1] = B64[(holder >> 12) & 63];
        tmp[2] = (n > 1) ? B64[(holder >> 6) & 63] : '=';
        tmp[3] = (n > 2) ? B64[holder & 63] : '=';
        tmp[4] = '\0';
        strcat(ibase64up, tmp);
    }

    /* Append without overrunning the header buffer. */
    strncat(base64up, ibase64up, sizeof(base64up) - strlen(base64up) - 1);
    printf("%s\n", base64up);

    return 0;
}
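As an added example that is not part of the original thread (the challenge line, realm value and credentials below are constructed), this Python shows the three sides of what the thread discusses: extracting the realm from the server's challenge, which the client only uses as a label, so a realm that changes on every response does not change which credentials the server checks; building the Authorization header with the '=' padding RFC 7617 requires; and a server-side verifier that decodes strictly and compares in constant time. The last check shows why the padding matters: an encoder that emits 'A' for the missing trailing bytes produces a token that decodes to a different password.

```python
import base64
import binascii
import hmac
import re
from typing import Optional

# Constructed sample challenge and credentials, not taken from the thread.
CHALLENGE = 'WWW-Authenticate: Basic realm="7f3a9c-session", charset="UTF-8"'
USER, PASSWORD = "alice", "s3cret:with:colons"

# realm may be a quoted-string (with backslash escapes) or a bare token.
_REALM_RE = re.compile(r'realm\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))', re.IGNORECASE)


def parse_realm(www_authenticate: str) -> Optional[str]:
    """Extract the realm from a Basic challenge header line.

    The realm is a label the client shows the user and uses to decide which
    stored credentials to reuse; it is not an input to the server's credential
    check, so a server may change it on every response without changing what
    it verifies.
    """
    value = www_authenticate.split(":", 1)[1].strip()
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    m = _REALM_RE.search(params)
    if not m:
        return None
    if m.group(1) is not None:
        return re.sub(r"\\(.)", r"\1", m.group(1))  # drop quoted-pair escapes
    return m.group(2)


def build_authorization(user: str, password: str) -> str:
    """Encode "user:password" as RFC 7617 specifies, padding included.

    The user-id must not contain a colon, because the server splits on the
    first one; the password may contain any number of colons.
    """
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def verify_authorization(header: str, expected_user: str, expected_password: str) -> bool:
    """Server-side check of an Authorization header line.

    Decodes strictly (bad alphabet or missing padding is rejected), splits on
    the first colon only, and compares both parts in constant time so that
    response timing does not reveal how many leading characters matched.
    """
    value = header.split(":", 1)[1].strip() if ":" in header else header.strip()
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        creds = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return False
    user, sep, password = creds.partition(":")
    if not sep:
        return False
    ok_user = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    ok_pass = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return ok_user and ok_pass  # both already evaluated; no early exit


if __name__ == "__main__":
    print("realm:", parse_realm(CHALLENGE))
    hdr = build_authorization(USER, PASSWORD)
    print(hdr)
    print("verified:", verify_authorization(hdr, USER, PASSWORD))
    # Token an encoder that writes 'A' instead of '=' padding emits for "alice:s";
    # it decodes to "alice:s\0\0", so the correct password is rejected.
    print("unpadded token verifies:",
          verify_authorization("Authorization: Basic YWxpY2U6cwAA", "alice", "s"))
```

The verifier deliberately computes both comparisons before combining them; short-circuiting on the user-id would let an observer learn from timing whether the user-id alone was correct.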




----- Original Message -----
From: <John_Leitch () NAI com>
To: <vladimir () arobas net>; <John_Leitch () NAI com>
Cc: <pen-test () securityfocus com>
Sent: Thursday, May 30, 2002 9:53 AM
Subject: RE: PEN Testing a everchanging realm in apache


Hi,

Thanks for that, but the ever-changing realm is as follows.....

When a connection is established to the server and you are presented with a
login prompt, the realm is different every time.  It's almost like the server
has / is using /dev/random to assign the realm, so it's never the same.

-----Original Message-----
From: Vladimir Parkhaev [mailto:vladimir () arobas net]
Sent: 29 May 2002 23:11
To: John_Leitch () NAI com
Cc: pen-test () securityfocus com
Subject: Re: PEN Testing a everchanging realm in apache

Quoting John_Leitch () NAI com (John_Leitch () NAI com):
Using the latest apache / ssl.

I need to find a way of brute forcing the auth but........ the web server
has an ever changing realm.

Is this possible or shall I look elsewhere?

Regards


I am not sure what you mean by "ever changing realm", but you can adapt the
following perl code to brute force your way in. You need to install the
Crypt::SSLeay module, a dictionary, a loop and ... pretty much it...



#!/usr/bin/perl -w
use strict;
use LWP::UserAgent;
use HTTP::Request;

# HTTPS needs Crypt::SSLeay (on current LWP releases, LWP::Protocol::https).
my $ua  = LWP::UserAgent->new;
my $req = HTTP::Request->new(POST => 'https://server.domain.com/');
$req->authorization_basic('foo', 'bar');
my $res = $ua->request($req);
if ($res->is_success) {
    print $res->content, "\n";
} else {
    print $res->status_line, "\n";
}

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



