Penetration Testing mailing list archives
Re: penetrating web-based authentication if you know one of the usernames
From: "L. Walker" <lwalker () magi net au>
Date: Thu, 19 May 2005 01:10:40 +1000
On Wed, 2005-05-18 at 14:05 +0200, Ølstad, Roger wrote:
Hi!
I have this web-based service/directory which offers users access through a username/password-authentication process. I am wondering what if some of the usernames are compromised, and I actually don't want to change the username?
Are there any tools able to run some kind of bruteforce-attack or something, against my web-authentication? Other alternatives?
Do I really have to consider my whole system as compromised just because a username may be lost?
In addition, does anyone know of any tool that can help me audit the web-server regarding password policy, password strength etc.
I appreciate all relevant answers :-)
Very best
R
There are a couple of HTTP Basic auth bruteforce products out there, THC's Hydra being one of my favourites. You can find this product @ http://www.thc.org
Brutus is another product off the top of my head, but I tend to be biased and say Hydra :)
--
L. Walker
Administrator / Consultant
--
Security-focused Linux and Windows based administration services
http://magi.net.au - Development blog for *nix users and hosting groups
--