Penetration Testing mailing list archives
Re: Pentesting a Web Applicaton
From: Haroon Meer <haroon () sensepost com>
Date: Fri, 01 Jun 2007 08:11:44 +0200
Hiya.. Brutus is so 90's :> Seriously, if you on windows, and need to web brute-force, check out SensePost CrowBar: http://www.sensepost.com/research/crowbar/ Its a little dated, but is outstanding for web brute-forcing primarily because its able to work without you knowing what a successful login should look like (cause sometimes you don't know till you get there). It makes use of the same page signature logic employed by tools like Wikto and Suru to determine that the last response was different to the 99999999 that preceded it. Give it a spin, and drop me an email if you have any questions.. /mh Erin Carroll wrote:
List members, To head off the already trickling in flood of emails on how to reset the device.... Yes, I know we could all tell him how to do a manual reset of the device with a paperclip but let's try to view this as a learning opportunity for playing with windows brute-force tools for web-based authentication like Ian asked and recommend some ways to tackle this without the reset shall we? :) Ian, if you're *really* bored you could run an HTTP proxy and play with Expect scripting and a password dictionary... Or try THC-Hydra (http://www.thc.org/releases.php) if Brutus is giving you issues and you don't want to reinvent the wheel. -- Erin Carroll Moderator SecurityFocus pen-test list "Do Not Taunt Happy-Fun Ball"-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Stong, Ian C CTR DISA GIG-CS Sent: Thursday, May 31, 2007 9:30 AM To: PenTest Subject: Pentesting a Web Applicaton Hi, I have a DLINK router/wireless device that has a web interface for managing it via the inside interface. I know the username but the password was cached and due to some Winblows issues the info is gone. Would like some advice for tools I can run (on Windows) to attempt to find the password. I tried brutus but wasn't able to get it to work properly (or I misconfigured). When you access the router via web interface a popup comes up asking for username/pwd. It says "Enter username and password for "DI-514" at y.y.y.y - Then it has fields for User Name: and Password: - and then OK or Cancel. You help is appreciated, Ian Stong -------------------------------------------------------------- ---------- This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 -------------------------------------------------------------- ---------------------------------------------------------------------------------- This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------ ** CRM114 Whitelisted by: From pen-test-return-1078484301-haroon=sensepost.com () securityfocus com **
-- Haroon Meer, SensePost Information Security PGP: http://www.sensepost.com/pgp/haroon.txt Tel: +27 83786 6637 ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
Current thread:
- Re: Pentesting a Web Applicaton Haroon Meer (Jun 01)
- <Possible follow-ups>
- RE: Pentesting a Web Applicaton Stong, Ian C CTR DISA GIG-CS (Jun 01)
- Message not available
- RE: Pentesting a Web Applicaton Peter Wood (Jun 01)
- Message not available
- Re: Pentesting a Web Applicaton Jamie Riden (Jun 01)
- Re: Pentesting a Web Applicaton sherwyn . williams (Jun 01)
- Re: RE: Pentesting a Web Applicaton ebk_lists (Jun 01)
- RE: RE: Pentesting a Web Applicaton Stong, Ian C CTR DISA GIG-CS (Jun 01)
- Re: RE: Pentesting a Web Applicaton Jamie Riden (Jun 01)
- Re: RE: Pentesting a Web Applicaton sherwyn . williams (Jun 01)
- RE: RE: Pentesting a Web Applicaton Alex Balayan (Jun 11)
- RE: RE: Pentesting a Web Applicaton Stong, Ian C CTR DISA GIG-CS (Jun 01)
- Re: Pentesting a Web Applicaton Hylton Conacher (ZR1HPC) (Jun 04)