Re: IIS 5.0 with Integrated Window Authentication

[Dave Aitel <dave () immunitysec com>]

No base language's class libraries are a match for the rich programing
API that the GPL code base provides in this area, be it libwhisker,
WHArsenal, SPIKE Proxy, or any of the many other tools.

You probably could use the C#'s WebClient.Credentials Property to set
your credentials, then do some basic Whisker 1.0-style effort to build a
tiny scanner. However, I think that to do a professional job, you're
going to want to have a bit more control and a bit more stick behind
your spearhead, in the form of advanced features. The ability to write
custom checks with VulnXML, for example.

So I suggest one of three things: 

1. Use APS with SPIKE Proxy (or some other application assessment tool
that can itself bounce through another proxy) APS is pure python and
GPL, so if I get a lot more requests for this functionality (feel free
to bug me at dave () immunitysec com), I'll merge his code with SPIKE
Proxy's core. (To bounce SPIKE Proxy though another proxy, download
version 1.4.4, and use the -h and -H parameters to spkproxy.py)

2. Check out SPIKE 2.7, which includes NTLM buffer overflow tools and
brute forcers. (E.G, you can sniff a request that you want to fuzz, then
use SPIKE's much more fast and powerful fuzzing framework to find
overflows, format string bugs, SQL injection and the like - all through
NTLM authenticated requests). It also includes a transparent HTTP[S]
proxy (webmitm).

3. You can e-mail me and I'll send you the current SP 1.4.5 Beta, which
includes an ordering fix (so GET /a?a=b&c=d always is a=b&c=d and not
c=d&a=b) and a mod I whipped up this morning that lets you browse NTLM
pages through the proxy by passing the authentication back and forth a
bit. However, rewrite request and scanning functionality still don't
know about NTLM, and so that functionality won't be effective against
NTLM servers. For the record, the bug was not in SPIKE Proxy's handling
of Connection: Keep-Alive, but actually IE doesn't bother to respond to
WWW-Authenticate when it is set up to use a Proxy. So I changed
WWW-Authenticate to Proxy-Authenticate: and Proxy-Authorization to
Authorization and it worked. Integrating APS would have been a more
final solution, but that's slightly more than a few minutes' work.

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/


On Wed, 6 Nov 2002 12:21:46 -1000
"Jason Coombs" <jasonc () science org> wrote:

> it might be easier for you to code your own scanner real quick using
> Microsoft .NET -- the class library provides several very simple
> network communications classes that do what you want.
>
> Jason Coombs
> jasonc () science org
>
> -----Original Message-----
> From: Haroon Meer [mailto:haroon () sensepost com]
> Sent: Wednesday, November 06, 2002 10:44 AM
> To: cc_mofo () hushmail com
> Cc: pen-test () securityfocus com; webappsec () securityfocus com
> Subject: Re: IIS 5.0 with Integrated Window Authentication
>
>
> hi.
>
> use APS (NTLM Authorization Proxy Server)
> (http://freshmeat.net/projects/ntlmaps/?topic_id=20%2C87%2C250%2C43%2
> C151) to handle the auth, and ur scanner of choice behind it..
>
> ======================================================================
> Haroon Meer                                                         MH
> SensePost Information Security                          +27 83786 6637
> PGP : http://www.sensepost.com/pgp/haroon.txt     haroon () sensepost com
> ======================================================================
>
> On Wed, 6 Nov 2002 cc_mofo () hushmail com wrote:
>
> > I'm doing a security review and penetration test of a site running
> > on IIS
> with Integrated Windows Authentication.  Anyone know of an IIS Scanner
> that can do an IWA exchange before scanning?
> > The SPIKE proxy looks promising, but it appears the NTLM support is
> > not
> quite "there" yet for this purpose.  The goofy three-message exchange
> that sets up the NTLM security doesn't seem to make it through the
> proxy, which leads me to believe that any tool that will work for this
> must have intentionally added support for IWA.
> > Get your free encrypted email at https://www.hushmail.com
> > ------------ Output from gpg ------------
> > gpg: Signature made Wed Nov  6 22:15:16 2002 SAST using DSA key ID
> 21BE2B65
> > gpg: Can't check signature: public key not found

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/