Penetration Testing mailing list archives
Re: IIS 5.0 with Integrated Window Authentication
From: Dave Aitel <dave () immunitysec com>
Date: Thu, 7 Nov 2002 11:58:33 -0500
No base language's class libraries are a match for the rich programing API that the GPL code base provides in this area, be it libwhisker, WHArsenal, SPIKE Proxy, or any of the many other tools. You probably could use the C#'s WebClient.Credentials Property to set your credentials, then do some basic Whisker 1.0-style effort to build a tiny scanner. However, I think that to do a professional job, you're going to want to have a bit more control and a bit more stick behind your spearhead, in the form of advanced features. The ability to write custom checks with VulnXML, for example. So I suggest one of three things: 1. Use APS with SPIKE Proxy (or some other application assessment tool that can itself bounce through another proxy) APS is pure python and GPL, so if I get a lot more requests for this functionality (feel free to bug me at dave () immunitysec com), I'll merge his code with SPIKE Proxy's core. (To bounce SPIKE Proxy though another proxy, download version 1.4.4, and use the -h and -H parameters to spkproxy.py) 2. Check out SPIKE 2.7, which includes NTLM buffer overflow tools and brute forcers. (E.G, you can sniff a request that you want to fuzz, then use SPIKE's much more fast and powerful fuzzing framework to find overflows, format string bugs, SQL injection and the like - all through NTLM authenticated requests). It also includes a transparent HTTP[S] proxy (webmitm). 3. You can e-mail me and I'll send you the current SP 1.4.5 Beta, which includes an ordering fix (so GET /a?a=b&c=d always is a=b&c=d and not c=d&a=b) and a mod I whipped up this morning that lets you browse NTLM pages through the proxy by passing the authentication back and forth a bit. However, rewrite request and scanning functionality still don't know about NTLM, and so that functionality won't be effective against NTLM servers. For the record, the bug was not in SPIKE Proxy's handling of Connection: Keep-Alive, but actually IE doesn't bother to respond to WWW-Authenticate when it is set up to use a Proxy. So I changed WWW-Authenticate to Proxy-Authenticate: and Proxy-Authorization to Authorization and it worked. Integrating APS would have been a more final solution, but that's slightly more than a few minutes' work. Dave Aitel Immunity, Inc. http://www.immunitysec.com/ On Wed, 6 Nov 2002 12:21:46 -1000 "Jason Coombs" <jasonc () science org> wrote:
it might be easier for you to code your own scanner real quick using Microsoft .NET -- the class library provides several very simple network communications classes that do what you want. Jason Coombs jasonc () science org -----Original Message----- From: Haroon Meer [mailto:haroon () sensepost com] Sent: Wednesday, November 06, 2002 10:44 AM To: cc_mofo () hushmail com Cc: pen-test () securityfocus com; webappsec () securityfocus com Subject: Re: IIS 5.0 with Integrated Window Authentication hi. use APS (NTLM Authorization Proxy Server) (http://freshmeat.net/projects/ntlmaps/?topic_id=20%2C87%2C250%2C43%2 C151) to handle the auth, and ur scanner of choice behind it.. ====================================================================== Haroon Meer MH SensePost Information Security +27 83786 6637 PGP : http://www.sensepost.com/pgp/haroon.txt haroon () sensepost com ====================================================================== On Wed, 6 Nov 2002 cc_mofo () hushmail com wrote:I'm doing a security review and penetration test of a site running on IISwith Integrated Windows Authentication. Anyone know of an IIS Scanner that can do an IWA exchange before scanning?The SPIKE proxy looks promising, but it appears the NTLM support is notquite "there" yet for this purpose. The goofy three-message exchange that sets up the NTLM security doesn't seem to make it through the proxy, which leads me to believe that any tool that will work for this must have intentionally added support for IWA.Get your free encrypted email at https://www.hushmail.com ------------ Output from gpg ------------ gpg: Signature made Wed Nov 6 22:15:16 2002 SAST using DSA key ID21BE2B65gpg: Can't check signature: public key not found
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- IIS 5.0 with Integrated Window Authentication cc_mofo (Nov 07)
- Re: IIS 5.0 with Integrated Window Authentication Kevin Spett (Nov 07)
- Re: IIS 5.0 with Integrated Window Authentication Sebastian Flothow (Nov 08)
- Re: IIS 5.0 with Integrated Window Authentication Dave Aitel (Nov 07)
- Re: IIS 5.0 with Integrated Window Authentication sunzi (Nov 07)
- Re: IIS 5.0 with Integrated Window Authentication Haroon Meer (Nov 08)
- RE: IIS 5.0 with Integrated Window Authentication Jason Coombs (Nov 08)
- Re: IIS 5.0 with Integrated Window Authentication Dave Aitel (Nov 07)
- Re: [Spike] Re: IIS 5.0 with Integrated Window Authentication Dave Aitel (Nov 07)
- RE: IIS 5.0 with Integrated Window Authentication Jason Coombs (Nov 08)
- <Possible follow-ups>
- Re: IIS 5.0 with Integrated Window Authentication cc_mofo (Nov 09)
- RE: IIS 5.0 with Integrated Window Authentication Michael Howard (Nov 09)
- Re: IIS 5.0 with Integrated Window Authentication cc_mofo (Nov 12)