Penetration Testing mailing list archives

Re: penetrating web-based authentication if you know one of the usernames


From: Ole Martin Dahl <ole.dahl () gmail com>
Date: Wed, 18 May 2005 18:04:53 +0200

Ølstad wrote:
Hi!

I have this web-based service/directory which offers users access through a username/password authentication process.
I am wondering what happens if some of the usernames are compromised, and I actually don't want to change the username? Are
there any tools able to run some kind of brute-force attack or something against my web authentication? Other
alternatives? Do I really have to consider my whole system as compromised just because a username may be lost?

In addition, does anyone know of any tool that can help me audit the web server regarding password policy,
password strength, etc.?

I appreciate all relevant answers :-)

Very best

R


Many tools, including vulnerability scanners [1], can do such
brute-force tests. Dedicated brute-force tools also exist, e.g. [2].

Why are you afraid if the usernames are compromised? Usernames should
not be considered secret. The confidentiality of the password is the
secret part; maybe you also meant this.

For a full web application audit I recommend OWASP [3] as a methodical
approach.

Regards

Ole Martin Dahl

[1] http://www.nessus.org
[2] http://www.hoobie.net/brutus/
[3] http://www.owasp.org/
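The reply's point is that a known username is not a compromise by itself; what matters is whether the password holds up against guessing and whether guessing is noticed. As an added example (not code from this thread or from any of the tools it links), here is a small detector that reads login-attempt log lines and flags the patterns a brute-force test like the ones mentioned above would produce: many failures against one username, one source failing against many different usernames, and a success on an account that was already over the failure threshold. The log format (ISO timestamp, source IP, username, OK/FAIL), the sample lines, the window and the threshold are all constructed for the example.

```python
"""Brute-force login detection over web authentication logs.

Added example, not code from the thread or from any tool named in it.
Assumes a constructed log format: ISO timestamp, source IP, username,
result (OK or FAIL), one attempt per line.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (documentation-range IPs, made-up users).
SAMPLE_LOG = """\
2005-05-18T18:00:01 203.0.113.7 alice FAIL
2005-05-18T18:00:03 203.0.113.7 alice FAIL
2005-05-18T18:00:05 203.0.113.7 alice FAIL
2005-05-18T18:00:06 203.0.113.7 alice FAIL
2005-05-18T18:00:08 203.0.113.7 alice FAIL
2005-05-18T18:00:09 203.0.113.7 alice FAIL
2005-05-18T18:00:12 203.0.113.7 alice OK
2005-05-18T18:01:00 198.51.100.4 bob FAIL
2005-05-18T18:01:02 198.51.100.4 carol FAIL
2005-05-18T18:01:04 198.51.100.4 dave FAIL
2005-05-18T18:01:06 198.51.100.4 erin FAIL
2005-05-18T18:01:08 198.51.100.4 frank FAIL
2005-05-18T18:01:10 198.51.100.4 grace FAIL
2005-05-18T18:05:00 192.0.2.9 bob FAIL
2005-05-18T18:05:30 192.0.2.9 bob OK
"""

WINDOW = timedelta(minutes=5)   # sliding window for counting failures (assumed)
THRESHOLD = 5                   # failures inside WINDOW that raise an alert (assumed)


def parse_line(line):
    """Split one log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def _prune(entries, now, window):
    """Drop entries whose timestamp (first tuple element) fell out of the window."""
    while entries and entries[0][0] < now - window:
        entries.popleft()


def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {(kind, key): peak_count} for suspicious login activity.

    kind 'account': one username accumulated >= threshold failures in the
        window (password guessing against a known username).
    kind 'source': one IP failed against >= threshold distinct usernames
        (credential stuffing or username enumeration).
    kind 'success_after_failures': a login succeeded for a username that
        was already over the failure threshold; that account needs review.
    """
    fails_by_user = defaultdict(deque)   # user -> deque of (ts,)
    fails_by_ip = defaultdict(deque)     # ip -> deque of (ts, user)
    alerts = {}

    def raise_alert(kind, key, count):
        alerts[(kind, key)] = max(alerts.get((kind, key), 0), count)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, user, ok = parse_line(raw)
        _prune(fails_by_user[user], ts, window)
        _prune(fails_by_ip[ip], ts, window)
        if ok:
            # A success right after a burst of failures is the case worth a human look.
            if len(fails_by_user[user]) >= threshold:
                raise_alert("success_after_failures", user, len(fails_by_user[user]))
            continue
        fails_by_user[user].append((ts,))
        fails_by_ip[ip].append((ts, user))
        if len(fails_by_user[user]) >= threshold:
            raise_alert("account", user, len(fails_by_user[user]))
        distinct = len({u for _, u in fails_by_ip[ip]})
        if distinct >= threshold:
            raise_alert("source", ip, distinct)
    return alerts


if __name__ == "__main__":
    for (kind, key), count in sorted(detect(SAMPLE_LOG).items()):
        print(f"{kind:24s} {key:16s} {count}")
```

On the constructed sample this flags alice (six failures, then a success), the source 198.51.100.4 (six different usernames), and nothing for bob, whose two failures spread across two sources stay under the threshold. The same thresholds are what a login endpoint would enforce as lockout or rate limiting; running the detector over the logs of a sanctioned brute-force test is a cheap way to confirm that the enforcement actually fires.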

