Penetration Testing mailing list archives

Session ID Analysis


From: "M.D.Mufambisi" <mufambisi () gmail com>
Date: Thu, 12 Aug 2010 10:36:31 +1000

Hi,

I have been analysing session IDs generated by a test site (for
security practice) using Burp. Burp reports that the randomness of the
session IDs is extremely poor. Having a look at the session IDs, I can
tell the first 50 or so bytes are about the same on all session IDs,
and the other 10 appear to change. I bet Burp got to this conclusion
based on the first 50 bytes or so. Suppose the developer came and said,
yes, the first 50 bytes are based on a calculation by date (hence they
are all the same) but the last 10 bytes are extremely random: how
would I be able to confirm or deny this? I will paste a couple of the
session IDs here and I would be most grateful if I got ideas of what
the changing bytes could be. Ultimately I want to see if I will be
able to predict session IDs.

May I also kindly have suggestions of software that I can use to find
solutions to the above or to analyse session IDs. Thanks. I will paste
a sample of the session IDs here for your perusal.

tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdexuhbbM/OzDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdexuhbbM/OzDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcO5qjLLF8O/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcO5qjLLF8O/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdu9rhLHK9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdu9rhLHK9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tde5qhLbF8ezAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tde5qhLbF8ezAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tculug7nL9unOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tculug7nL9unOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tculug7nL9unOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeOhpgrfM8OjHP6s=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeOhpgrfM8OjHP6s=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+lpjLPL9+fGPqw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+lpjLPL9+fGPqw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdelvhLbM/ebEOa0=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdelvhLbM/ebEOa0=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tc+ttgLHE9+zDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tc+ttgLHE9+zDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcOpphLPK/e/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcOpphLPK/e/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdutph7jP/OrBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdutph7jP/OrBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdepohrfL9OzAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdepohrfL9OzAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdepohrfL9OzAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcuVsjbbI8+nOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcuVsjbbI8+nOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeORvjLXL/ejHP6s=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeORvjLXL/ejHP6s=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+VshLDI/OfGPqw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+VshLDI/OfGPqw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdeVthrTE8ObEOa0=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdeVthrTE8ObEOa0=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tcu1jg7jJ/OzDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tcu1jg7jJ/OzDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdeRsgLfI8O/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdeRsgLfI8O/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOVsgrLN9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOVsgrLN9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOVsgrLN9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TduRvjbHI8ezAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TduRvjbHI8ezAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tdu5qhrDO9unOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tdu5qhrDO9unOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdexjhrnJ8OjHP6s=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdexjhrnJ8OjHP6s=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcO1jgLTO9+fGPqw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcO1jgLTO9+fGPqw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tee5qgrjJ/ebEOa0=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tee5qgrjJ/ebEOa0=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+hphLLP9+zDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+hphLLP9+zDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdO5igrTN/e/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdO5igrTN/e/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdO5igrTN/e/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tc+9ijLDE/OrBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tc+9ijLDE/OrBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tee5tjLjO9OzAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tee5tjLjO9OzAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdupogbjF8+nOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdupogbjF8+nOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdelrgLbO/ejHP6s=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdelrgLbO/ejHP6s=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOprgrLF/OfGPqw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOprgrLF/OfGPqw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TeepojLnP8ObEOa0=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TeepojLnP8ObEOa0=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+RvhrPM/OzDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+RvhrPM/OzDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+RvhrPM/OzDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdexohLnF8O/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdexohLnF8O/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcO1ohrTK9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcO1ohrTK9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TduxrgbPF8ezAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TduxrgbPF8ezAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+9vjLLL9unOPaw=
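The post asks how to confirm or deny that only the trailing bytes are random, and what to analyse them with. The script below is an added example, not code from the original post or from Burp: it takes the session IDs posted above (back-to-back repeats dropped, the first 19 distinct values), base64-decodes them, measures the constant prefix, counts the distinct values and sample entropy of every byte position, and checks whether the trailing bytes repeat with a fixed period in the order posted. It assumes that the posted order is the order in which the server issued the IDs. On this sample it reports 56-byte tokens, a 28-byte constant prefix (bytes 28 and 29 differ only between the "7D1D" and "7DxK" rows), 11 varying bytes at the end, and a last-three-bytes sequence that cycles with period 8.

```python
import base64
import math
from collections import Counter

# Session IDs copied from the post above in the order posted, with the
# back-to-back repeats removed (the first 19 distinct values). That the
# posted order is the issue order is an assumption.
SESSION_IDS = [
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdexuhbbM/OzDOqI=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcO5qjLLF8O/CP6M=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdu9rhLHK9+rBMa4=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tde5qhLbF8ezAMKM=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tculug7nL9unOPaw=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeOhpgrfM8OjHP6s=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+lpjLPL9+fGPqw=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdelvhLbM/ebEOa0=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tc+ttgLHE9+zDOqI=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcOpphLPK/e/CP6M=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdutph7jP/OrBMa4=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdepohrfL9OzAMKM=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcuVsjbbI8+nOPaw=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeORvjLXL/ejHP6s=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+VshLDI/OfGPqw=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdeVthrTE8ObEOa0=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tcu1jg7jJ/OzDOqI=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdeRsgLfI8O/CP6M=",
    "tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOVsgrLN9+rBMa4=",
]


def decode_ids(ids):
    """Base64-decode every ID and check that they all decode to the same length."""
    blobs = [base64.b64decode(s) for s in ids]
    lengths = {len(b) for b in blobs}
    if len(lengths) != 1:
        raise ValueError(f"mixed decoded lengths: {sorted(lengths)}")
    return blobs


def constant_prefix_len(blobs):
    """Number of leading bytes that are identical in every ID."""
    n = 0
    for column in zip(*blobs):
        if len(set(column)) != 1:
            break
        n += 1
    return n


def position_stats(blobs):
    """Per byte offset: (distinct values seen, Shannon entropy of the sample in bits).

    The entropy is an estimate from the sample only; it cannot exceed
    log2(len(blobs)), so a few dozen IDs can never show a byte to be random.
    """
    stats = []
    for column in zip(*blobs):
        counts = Counter(column)
        total = len(column)
        h = -sum(c / total * math.log2(c / total) for c in counts.values())
        stats.append((len(counts), h))
    return stats


def variable_positions(blobs):
    """Byte offsets that take more than one value across the sample."""
    return [i for i, (distinct, _) in enumerate(position_stats(blobs)) if distinct > 1]


def tail_cycle_period(blobs, n):
    """Smallest period with which the last n bytes repeat, in sample order.

    Returns None when no period shorter than the sample explains the sequence.
    """
    tails = [b[-n:] for b in blobs]
    for p in range(1, len(tails)):
        if all(tails[i] == tails[i - p] for i in range(p, len(tails))):
            return p
    return None


def report(ids):
    blobs = decode_ids(ids)
    cap = math.log2(len(blobs))
    print(f"{len(blobs)} IDs, {len(blobs[0])} bytes each after base64 decoding")
    print(f"constant prefix: {constant_prefix_len(blobs)} bytes")
    for pos, (distinct, h) in enumerate(position_stats(blobs)):
        if distinct > 1:
            print(f"byte {pos:2d}: {distinct:2d} distinct, {h:.2f} bits (sample cap {cap:.2f})")
    for n in (1, 2, 3, 4, 11):
        print(f"last {n:2d} byte(s): cycle period {tail_cycle_period(blobs, n)}")


if __name__ == "__main__":
    report(SESSION_IDS)
```

Two things follow from running this. First, the statistics alone cannot settle the developer's claim either way: with 19 samples every byte is capped at about 4.25 bits, so Burp Sequencer (or any entropy test) needs a sample of thousands of tokens, ideally the decoded variable bytes rather than the base64 text, before its verdict on the tail means much. Second, the structural check is the decisive one: a suffix that cycles through eight values in issue order is predictable no matter what an entropy score says, and the way to confirm or deny predictability is to build the candidate for the next token from the pattern and see whether the server accepts it.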
