Penetration Testing mailing list archives
RE: penetrating web-based authentication if you know one of theusernames
From: "David Corn" <david () covetrix com>
Date: Fri, 20 May 2005 13:10:01 -0500
I have played with AccessDiver on many occasions; it is a very nice tool. It is very capable at brute forcing web based authentication systems. I do recommend trying it out. But if a system is not performing login accounting they need to rethink there security for online authentication. There are a couple PAM modules for strength assessment, that test for upper and lower case length, Look at pam_passwd+. David Corn Security Consultant Covetrix, IT Consulting Group http://www.covetrix.com Phone: 214-575-9583 x116 Fax: 214-575-9584 -----Original Message----- From: Pablo Fernández [mailto:newsclient () teamq info] Sent: Wednesday, May 18, 2005 11:13 AM To: Ølstad, Roger Cc: pen-test () securityfocus com Subject: Re: penetrating web-based authentication if you know one of theusernames First things first, on the disclosed username thing, as you say the only attack that pops up to my head is a bruteforce attack (assuming that your web isn't vulnerable to SQL injection). You can easily prevent a bruteforce attack counting the number of login failures on a particular user. Paypal does it, Hotmail does it, VNC >= 3.1 does it and many more too, all you have to do is record the number of login failures since last proper authentication, if that number reaches to 15 (or 90, crackers should be reaaaly lucky to get in the first 100 tries) the account should be blocked and manually reactivated once the user is validated. Anyway, don't think your system has been compromised just because a username has been disclosed, I can also assume you have a username Roger.Olstad in the host pax.priv.no, but there's not much to with that (other than a bruteforce attack...). Now, on the "web-server audit", yes, there's some software capable of bruteforcing using thread modes, I just read a bit about it, but never really tested it, it's called AccessDriver. Anyway an script in perl, bash, php or whatever you want is reaaaally easy to make... And on the password strength checking there're many ways to do it, you could try to crack them with john the ripper and a basic dictionary (or with the -incremental flag). I know PAM has some module for checking strength too, you could do some research on that as well. Well, that's it, I think I cover all the topics, just hope this helps a bit. Bye! Pablo Fernández
Current thread:
- RE: penetrating web-based authentication if you know one of theusernames David Corn (May 23)