Re: PEN Testing a everchanging realm in apache

From: David Litchfield (davidat_private)
Date: Thu May 30 2002 - 10:04:08 PDT


    The Realm is of use to the client only. It tells the client that, once it
    has authenticated, any request for something within that realm should be
    sent with the same credentials.
    
    Here's a bit of code I hacked together to write out a Basic auth string.
    Hack it around a bit more and plug it into whatever you're doing.
    
    David Litchfield
    http://www.ngssoftware.com/
    
    #include <stdio.h>
    #include <string.h>
    
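    char base64up[800]="Authorization: Basic ";
    
    /* Base64 alphabet (RFC 4648): the output symbol for each 6-bit value 0..63. */
    static const char b64_alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    
    /*
     * Base64-encode len bytes from in into out and NUL-terminate it.
     *
     * out must have room for 4 * ((len + 2) / 3) + 1 bytes. Each group of
     * three input bytes becomes four symbols; a short final group is padded
     * with '=' so that standard decoders accept the result. Input is read as
     * unsigned char so bytes >= 0x80 (non-ASCII passwords) encode correctly
     * instead of going negative through a signed char multiply.
     * Returns the number of symbols written (terminator not counted).
     */
    static size_t base64_encode(const unsigned char *in, size_t len, char *out)
    {
        size_t o = 0;
        for (size_t i = 0; i < len; i += 3) {
            size_t rem = len - i;                      /* bytes left in this group */
            unsigned int b0 = in[i];
            unsigned int b1 = rem > 1 ? in[i + 1] : 0;
            unsigned int b2 = rem > 2 ? in[i + 2] : 0;
            unsigned int triple = (b0 << 16) | (b1 << 8) | b2;
    
            out[o++] = b64_alphabet[(triple >> 18) & 0x3f];
            out[o++] = b64_alphabet[(triple >> 12) & 0x3f];
            out[o++] = rem > 1 ? b64_alphabet[(triple >> 6) & 0x3f] : '=';
            out[o++] = rem > 2 ? b64_alphabet[triple & 0x3f] : '=';
        }
        out[o] = '\0';
        return o;
    }
    
    /*
     * Usage: prog username password
     *
     * Prints one line, "Authorization: Basic <base64(username:password)>",
     * i.e. the HTTP Basic credential header for the given user-id and
     * password, joined with ':' as in RFC 7617. Exits 1 on a usage error,
     * on a user-id containing ':' (a decoder could not tell where the
     * user-id ends), or when "username:password" does not fit the buffer
     * (the previous strncpy version silently truncated each half at 250
     * bytes and encoded the shortened credential).
     *
     * Base64 is an encoding, not encryption: the output reveals the password
     * to anyone who can read it, and the arguments are also visible to other
     * users on the host through the process list.
     */
    int main(int argc, char *argv[])
    {
        char string[512] = "";      /* "username:password" */
        char ibase64up[800] = "";   /* encoded form: 4 * ceil(511 / 3) + 1 = 685 bytes max */
    
        if (argc != 3) {
            fprintf(stderr, "%s username password\n", argv[0]);
            return 1;
        }
    
        if (strchr(argv[1], ':') != NULL) {
            fprintf(stderr, "%s: username must not contain ':'\n", argv[0]);
            return 1;
        }
    
        /* snprintf always NUL-terminates; reject truncation rather than
         * emitting a header for a credential that is not the one given. */
        int n = snprintf(string, sizeof string, "%s:%s", argv[1], argv[2]);
        if (n < 0 || (size_t)n >= sizeof string) {
            fprintf(stderr, "%s: username:password too long (max %zu bytes)\n",
                    argv[0], sizeof string - 1);
            return 1;
        }
    
        base64_encode((const unsigned char *)string, (size_t)n, ibase64up);
    
        /* Append after the fixed prefix; the bound is the space actually
         * left in base64up, not a constant that ignores the prefix length. */
        strncat(base64up, ibase64up, sizeof base64up - strlen(base64up) - 1);
        printf("%s\n", base64up);
    
        return 0;
    }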
    
    
    
    
    ----- Original Message -----
    From: <John_Leitchat_private>
    To: <vladimirat_private>; <John_Leitchat_private>
    Cc: <pen-testat_private>
    Sent: Thursday, May 30, 2002 9:53 AM
    Subject: RE: PEN Testing a everchanging realm in apache
    
    
    > Hi,
    >
    > Thanks for that but the ever changing realm is as follows.....
    >
    > When a connection is established to the server and you are presented with
    > a login prompt the realm is different every time.  It's almost like the server
    > has / is using /dev/random to assign the realm so it's never the same.
    >
    > -----Original Message-----
    > From: Vladimir Parkhaev [mailto:vladimirat_private]
    > Sent: 29 May 2002 23:11
    > To: John_Leitchat_private
    > Cc: pen-testat_private
    > Subject: Re: PEN Testing a everchanging realm in
    > apache
    >
    > Quoting John_Leitchat_private (John_Leitchat_private):
    > > Using the latest apache / ssl.
    > >
    > > I need to find a way of brute forcing the auth but........
    > the web server
    > > has an ever changing realm.
    > >
    > > Is this possible or shall I look elsewhere ?
    > >
    > > Regards
    > >
    >
    > I am not sure what you mean by "ever changing realm", but
    > you can adapt the following
    > perl code to brute force your way in. You need to install
    > Crypt::SSLeay module,
    > dictionary, a loop and ... pretty much it...
    >
    >
    >
    > #!/usr/bin/perl -w
    > use LWP::UserAgent;
    >
    > my $ua  = LWP::UserAgent->new;
    > my $req = HTTP::Request->new(POST =>
    > 'https://server.domain.com/');
    > $req->authorization_basic('foo', 'bar');
    > $res = $ua->request($req);
    > ($res->is_success)?  print $res->content, "\n" : print
    > $res->status_line, "\n";
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/
    >
    >
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    


