Penetration Testing mailing list archives

Re: penetrating web-based authentication if you know one of the usernames


From: "L. Walker" <lwalker () magi net au>
Date: Thu, 19 May 2005 01:10:40 +1000

On Wed, 2005-05-18 at 14:05 +0200, Ølstad, Roger wrote:
> Hi!
>
> I have this web-based service/directory which offers users access through a username/password authentication process. I am wondering what if some of the usernames are compromised, and I actually don't want to change the username? Are there any tools able to run some kind of brute-force attack or something, against my web authentication? Other alternatives? Do I really have to consider my whole system as compromised just because a username may be lost?
>
> In addition, does anyone know of any tool that can help me audit the web server regarding password policy, password strength, etc.?
>
> I appreciate all relevant answers :-)
>
> Very best
>
> R

There are a couple of HTTP Basic auth bruteforce products out there,
THC's Hydra being one of my favourites.  You can find this product @
http://www.thc.org

Brutus is another product off the top of my head, but I tend to be
biased and say Hydra :)

-- 
L. Walker
Administrator / Consultant
--
Security-focused Linux and Windows based administration services
http://magi.net.au - Development blog for *nix users and hosting groups
--
