Penetration Testing mailing list archives
Re: penetrating web-based authentication if you know one of the usernames
From: Ole Martin Dahl <ole.dahl () gmail com>
Date: Wed, 18 May 2005 18:04:53 +0200
Ølstad wrote:
Hi! I have this web-based service/directory which offers users access through a username/password authentication process. I am wondering: what if some of the usernames are compromised, and I actually don't want to change the username? Are there any tools able to run some kind of brute-force attack or something against my web authentication? Other alternatives? Do I really have to consider my whole system as compromised just because a username may be lost? In addition, does anyone know of any tool that can help me audit the web server with regard to password policy, password strength, etc.? I appreciate all relevant answers :-)
Very best
R

Many tools, including vulnerability scanners [1], can do such brute-force tests. Dedicated brute-force tools also exist, e.g. [2].

Why are you afraid if the usernames are compromised? Usernames should not be considered secret. The confidentiality of the password is the secret part; maybe you also meant this.

For a full web application audit I recommend OWASP as a methodical approach.

Regards
Ole Martin Dahl

[1] http://www.nessus.org
[2] http://www.hoobie.net/brutus/
[3] http://www.owasp.org/