Re: Pentesting a Web Applicaton

[Haroon Meer <haroon () sensepost com>]

Hiya..

Brutus is so 90's :>

Seriously, if you on windows, and need to web brute-force, check out
SensePost CrowBar: http://www.sensepost.com/research/crowbar/

Its a little dated, but is outstanding for web brute-forcing primarily
because its able to work without you knowing what a successful login
should look like (cause sometimes you don't know till you get there). It
makes use of the same page signature logic employed by tools like Wikto
and Suru to determine that the last response was different to the
99999999 that preceded it.

Give it a spin, and drop me an email if  you have any questions..

/mh

Erin Carroll wrote:
> List members,
>
> To head off the already trickling in flood of emails on how to reset the
> device.... Yes, I know we could all tell him how to do a manual reset of the
> device with a paperclip but let's try to view this as a learning opportunity
> for playing with windows brute-force tools for web-based authentication like
> Ian asked and recommend some ways to tackle this without the reset shall we?
> :)
>
> Ian, if you're *really* bored you could run an HTTP proxy and play with
> Expect scripting and a password dictionary... Or try THC-Hydra
> (http://www.thc.org/releases.php) if Brutus is giving you issues and you
> don't want to reinvent the wheel.
>
>
> --
> Erin Carroll
> Moderator
> SecurityFocus pen-test list
> "Do Not Taunt Happy-Fun Ball" 
>
>
> > -----Original Message-----
> > From: listbounce () securityfocus com 
> > [mailto:listbounce () securityfocus com] On Behalf Of Stong, Ian 
> > C CTR DISA GIG-CS
> > Sent: Thursday, May 31, 2007 9:30 AM
> > To: PenTest
> > Subject: Pentesting a Web Applicaton
> >
> > Hi,
> >
> > I have a DLINK router/wireless device that has a web 
> > interface for managing it via the inside interface. I know 
> > the username but the password was cached and due to some 
> > Winblows issues the info is gone. 
> >
> > Would like some advice for tools I can run (on Windows) to 
> > attempt to find the password. I tried brutus but wasn't able 
> > to get it to work properly (or I misconfigured).  
> >
> > When you access the router via web interface a popup comes up 
> > asking for username/pwd. It says "Enter username and password 
> > for "DI-514" at y.y.y.y - Then it has fields for User Name: 
> > and Password: - and then OK or Cancel.
> >
> >
> > You help is appreciated,
> >
> > Ian Stong
> >
> > --------------------------------------------------------------
> > ----------
> > This List Sponsored by: Cenzic
> >
> > Are you using SPI, Watchfire or WhiteHat?
> > Consider getting clear vision with Cenzic See HOW Now with 
> > our 20/20 program!
> >
> > http://www.cenzic.com/c/2020
> > --------------------------------------------------------------
> > ----------
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Are you using SPI, Watchfire or WhiteHat?
> Consider getting clear vision with Cenzic
> See HOW Now with our 20/20 program!
>
> http://www.cenzic.com/c/2020
> ------------------------------------------------------------------------
>
>
>
>  ** CRM114 Whitelisted by: From pen-test-return-1078484301-haroon=sensepost.com () securityfocus com **

-- 
Haroon Meer, SensePost Information Security
PGP: http://www.sensepost.com/pgp/haroon.txt
Tel: +27 83786 6637


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------