Penetration Testing mailing list archives
RE: Pen testing a CVS server
From: "Lluis Mora" <llmora () sentryware com>
Date: Tue, 20 May 2003 21:03:23 +0200
Hi Alexandre, Bugsy: The following applies to (at least) cvs 1.10. Have not tried it on newer/older releases. You can tell wether the CVS setup is using system passwords or a separate CVS password file. If the response is: "no such user xxxx in CVSROOT/passwd" then it is using a separate cvs password file. But if the "cvs login" response is: "xxxx: no such user" then it is using system passwords, e.g. /etc/passwd (or NIS, or LDAP or ...) So, in your case Bugsy it seems the pentested server is using system passwords and you could try a bruteforce attack for user accounts password. You can restrict system passwords usage by setting the option "SystemAuth" to "no" in your CVSROOT/config file. Cheers, Lluis . -----Mensaje original----- De: Alexandre Carmel-Veilleux [mailto:saruman () northernhacking org] Enviado el: domingo, 18 de mayo de 2003 21:20 Para: Bugsy CC: pen-test () securityfocus com Asunto: Re: Pen testing a CVS server On Sun, May 18, 2003 at 07:17:09AM -0700, Bugsy wrote:
Checking passwords cvs -d :pserver:root () host domain com:/wrong/cvs/root login Tells me if i got the root password right or not.
Hmm, I've never been in any environement where CVS didn't have it's own, separate, password and group files. So this should not yield an actual user passwords. Assuming the password is different then the system one. I agree that the error messages should be terser in order to leak less information, possibly with an n seconds timeout after an error. Alex --------------------------------------------------------------------------- *** Wireless LAN Policies for Security & Management - NEW White Paper *** Just like wired networks, wireless LANs require network security policies that are enforced to protect WLANs from known vulnerabilities and threats. Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs. To get your FREE white paper visit us at: http://www.securityfocus.com/AirDefense-pen-test ----------------------------------------------------------------------------
Current thread:
- Pen testing a CVS server Bugsy (May 18)
- Re: Pen testing a CVS server Alexandre Carmel-Veilleux (May 20)
- RE: Pen testing a CVS server Lluis Mora (May 20)
- <Possible follow-ups>
- RE: Pen testing a CVS server Royans Tharakan (May 20)
- Re: Pen testing a CVS server Alexandre Carmel-Veilleux (May 20)