RE: PEN Testing a everchanging realm in apache

From: John_Leitchat_private
Date: Thu May 30 2002 - 01:53:00 PDT


    Hi, 
    
    Thanks for that but the ever changing realm is as follows.....
    
    When a connection is established to the server and you are presented with a
    login prompt the realm is different every time.  It's almost like the server
    has / is using /dev/random to assign the realm so it's never the same.
    
    		-----Original Message-----
    		From:	Vladimir Parkhaev [mailto:vladimirat_private]
    		Sent:	29 May 2002 23:11
    		To:	John_Leitchat_private
    		Cc:	pen-testat_private
    		Subject:	Re: PEN Testing a everchanging realm in apache
    
    		Quoting John_Leitchat_private (John_Leitchat_private):
    		> Using the latest apache / ssl.
    		> 
    		> I need to find a way of brute forcing the auth but........ the web server
    		> has an ever changing realm.
    		> 
    		> Is this possible or shall I look elsewhere ?
    		> 
    		> Regards
    		> 
    
    		I am not sure what you mean by "ever changing realm", but you can adapt
    		the following perl code to brute force your way in. You need to install
    		Crypt::SSLeay module, dictionary, a loop and ... pretty much it...
    
    
    
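    		#!/usr/bin/perl -w
    		use LWP::UserAgent;   # HTTPS support comes from Crypt::SSLeay

    		my $ua  = LWP::UserAgent->new;
    		my $req = HTTP::Request->new(POST => 'https://server.domain.com/');
    		# Attach one set of HTTP Basic credentials to the request
    		$req->authorization_basic('foo', 'bar');
    		my $res = $ua->request($req);
    		# Print the body on success, otherwise the HTTP status line
    		print(($res->is_success ? $res->content : $res->status_line), "\n");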
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Thu May 30 2002 - 09:55:31 PDT